From tdudgeon.ml at gmail.com Fri Jan 1 05:52:53 2016
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Fri, 1 Jan 2016 10:52:53 +0000
Subject: [keycloak-user] propagating authentication to REST layer
Message-ID: <56865A85.7030808@gmail.com>

The user docs (http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54) describe exactly what I'm looking for:

> Signed access tokens can also be propagated by REST client requests
> within an Authorization header. This is great for distributed
> integration as applications can request a login from a client to
> obtain an access token, then invoke any aggregated REST invocations to
> other services using that access token.

I have a web app (in Tomcat) that uses the Keycloak adapter for user authentication. This web app needs to access a REST service running in a different Tomcat container, and I want the REST service to use the same user authentication, but I'm not totally sure how to go about this.

Do I just grab the Keycloak token from the header in the web app and add it as a header when calling the REST service, and set the REST service up to use the same Keycloak adapter configuration as the web app?

What if I want to have other ways to authenticate to the REST service (e.g. access from multiple clients)?

Tim

From amaeztu at tesicnor.com Fri Jan 1 13:01:11 2016
From: amaeztu at tesicnor.com (Amaeztu)
Date: Fri, 01 Jan 2016 19:01:11 +0100
Subject: [keycloak-user] RestTemplate support for service account access
References: <56823DC3.6040200@tesicnor.com>
Message-ID: <4mgevi11s30tn59s1esk82sb.1451671271723@email.android.com>

Well, this example answers the asked question, so many thanks Scott. However, I still have some doubts.

In the given code, the database service can only be accessed from another client (bearer only). However, let's suppose I also want to have access to its endpoints from a web browser, for purely administrative purposes and only with the ADMIN role. I should change the access to confidential. Then I want to access the service from the customer app, but, since the current user's role might not be ADMIN, I wouldn't be authorized for the remote access. The only solution I can think of for this is to keep the database service access bearer only and implement a specific database-ui service, which should replicate all the original endpoints (this involves adding a new endpoint to the ui service every time I do it in the db service). Is there a way of solving this that avoids having a specific ui service implemented?

Sorry about all the questions, I'm still a starter!

Sent from my Sony Xperia phone

---- Scott Rossillo wrote ----

> Take a look at these Spring samples. It's set up automatically:
>
> https://github.com/foo4u/keycloak-spring-demo/blob/master/customer-app/src/main/java/org/keycloak/example/spring/customer/service/RemoteCustomerService.java
>
> On Tue, Dec 29, 2015 at 12:31 PM Aritz Maeztu wrote:
>
> At this moment there's a KeycloakRestTemplate to use in Spring which allows an end user to retrieve data from other Keycloak clients. However, a client might also be interested in accessing data with its own permissions and with no user interaction. Is there any implementation of a RestTemplate to utilize client service accounts and, if not, are there any plans to write it? This demo seems to do it manually.
>
> Regards
>
> --
>
> Aritz Maeztu Otaño
> Software Development Department
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Telf.: 948 21 40 40
> Fax.: 948 21 40 41
>
> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern.
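Tim's question at the top of this digest (forwarding the logged-in user's token to a REST service in another Tomcat) and Aritz's question quoted just above (calling a service with the client's own service account, with no user involved) both come down to putting a bearer token on an outgoing request. The following is an added example, not code from either thread or from the Keycloak project. It assumes a servlet web app protected by the Keycloak Tomcat adapter (which is what puts a KeycloakSecurityContext on the request), a second client with service accounts enabled, and Jackson on the classpath to parse the token response; the server URL, realm, client ids and REST URL are placeholders.

```java
// Added example for the keycloak-user thread; not code from the thread or from Keycloak.
// Assumes: a servlet app protected by the Keycloak Tomcat adapter, a client with service
// accounts enabled, and Jackson (com.fasterxml.jackson) on the classpath.
// URLs, realm and client ids are placeholders.
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.KeycloakSecurityContext;

public class BearerTokenRestClient {

    /** Tim's case: forward the logged-in user's own access token to the REST service. */
    public static String callAsCurrentUser(HttpServletRequest request, String restUrl) throws IOException {
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // The adapter only sets this attribute on requests it has authenticated.
            throw new IllegalStateException("no Keycloak security context on request; is the adapter installed?");
        }
        // getTokenString() is the signed access token exactly as issued. It goes into the
        // Authorization header unchanged; the REST service's own adapter (a bearer-only
        // client in the same realm) checks the signature and expiry on its side.
        return httpGet(restUrl, ctx.getTokenString());
    }

    /** Aritz's case: no user involved; obtain a token for the client's service account. */
    public static String serviceAccountToken(String authServerUrl, String realm,
                                             String clientId, String clientSecret) throws IOException {
        URL tokenEndpoint = new URL(authServerUrl + "/realms/" + realm + "/protocol/openid-connect/token");
        String form = "grant_type=client_credentials"
                + "&client_id=" + URLEncoder.encode(clientId, "UTF-8")
                + "&client_secret=" + URLEncoder.encode(clientSecret, "UTF-8");

        HttpURLConnection conn = (HttpURLConnection) tokenEndpoint.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(form.getBytes(StandardCharsets.UTF_8));
        }
        if (conn.getResponseCode() != 200) {
            // Usual causes: service accounts not enabled on the client, or a wrong secret.
            throw new IOException("token request failed with HTTP " + conn.getResponseCode());
        }
        try (InputStream in = conn.getInputStream()) {
            JsonNode json = new ObjectMapper().readTree(in);
            return json.get("access_token").asText();
        }
    }

    /** Aritz's case, second half: call the service with the service-account token. */
    public static String callAsServiceAccount(String authServerUrl, String realm, String clientId,
                                              String clientSecret, String restUrl) throws IOException {
        return httpGet(restUrl, serviceAccountToken(authServerUrl, realm, clientId, clientSecret));
    }

    private static String httpGet(String url, String bearerToken) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", "Bearer " + bearerToken);
        int status = conn.getResponseCode();
        if (status == 401 || status == 403) {
            // Surface the rejection: an expired token or a missing role shows up here
            // instead of as an empty body.
            throw new IOException("REST service rejected the token: HTTP " + status);
        }
        try (InputStream in = conn.getInputStream()) {
            return readAll(in);
        }
    }

    private static String readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }
}
```

The two entry points differ only in where the token comes from; the receiving REST service does not care, which is the point of the docs paragraph Tim quotes. On the REST side the adapter's keycloak.json names the same realm, so the token's signature can be verified there, and a bearer-only client never redirects an API caller to the login page. The service-account token is issued for the client, not a user, so the roles it carries are the client's service-account roles; which roles each caller needs is exactly the open question in Aritz's follow-up and is not decided by this code.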
From srossillo at smartling.com Sat Jan 2 10:32:08 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Sat, 02 Jan 2016 15:32:08 +0000
Subject: [keycloak-user] Spring Security annotation problem

You still have to configure Spring Security using Keycloak. See the documentation for an annotation based configuration. Once that's set up, your other annotations will work.

PS - make sure to follow Spring Security naming conventions for roles. For the example above that would be ROLE_ADMIN

On Fri, Jan 1, 2016 at 4:44 AM Andrey Saroul wrote:

> Hello! I'm just a beginner in Spring Security, but I would like to know whether
> it is possible to configure keycloak in a way that I can use @PreAuthorize,
> @PostAuthorize, @Secured and other annotations.
> For example, I've configured the keycloak-spring-security-adapter and
> Spring Security in my simple Spring REST webapp so that I have access to the
> Principal object in my controller, like this:
>
>     @RestController
>     public class TMSRestController {
>
>         @RequestMapping("/greeting")
>         public Greeting greeting(Principal principal,
>                                  @RequestParam(value="name") String name) {
>             return new Greeting(String.format(template, name));
>         }
>         ...
>     }
>
> But when I try this (just an example, actually I want to execute a custom EL
> expression before authorization):
>
>     @RestController
>     public class TMSRestController {
>
>         @RequestMapping("/greeting")
>         @PreAuthorize("hasRole('ADMIN')")
>         public Greeting greeting(Principal principal,
>                                  @RequestParam(value="name") String name) {
>             return new Greeting(String.format(template, name));
>         }
>         ...
>     }
>
> ... I get the exception:
> org.springframework.security.authentication.AuthenticationCredentialsNotFoundException:
> An Authentication object was not found in the SecurityContext
>
> What do I need to make these Spring Security annotations work?

From Mahantesh.Katti at Indecomm.net Sat Jan 2 13:12:53 2016
From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti)
Date: Sat, 2 Jan 2016 18:12:53 +0000
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL>

Hi All,

I have some web applications deployed in glassfish, and we are trying to implement SSO using keycloak.
I wanted to understand whether keycloak secures and provides SSO support for applications deployed on glassfish, or if it is applicable only to applications deployed on jboss.

I tried to secure a glassfish web application using keycloak [specifying the keycloak pom dependencies, keycloak.json and related entries in web.xml], but I could not see the redirection to keycloak for authentication. Am I missing something here? Appreciate any pointers.

Regards
Prasad

From johan.bos at c6.eu Sat Jan 2 14:32:55 2016
From: johan.bos at c6.eu (Johan B.)
Date: Sat, 2 Jan 2016 20:32:55 +0100
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
In-Reply-To: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL>
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL>

Hi

You are missing the adapter installation.

Each app server must have the adapter configured so the security ctx KEYCLOAK has some meaning to your app server.

See the documentation part about the adapter installation. Depending on the server type you either only have libs to provide to your server lib, or some more configuration to do. For tomcat I only had to copy some jars.

On the download section there is an adapter folder in which you will find an archive with the things to install on your server type.

Hope this helps
From Mahantesh.Katti at Indecomm.net Sat Jan 2 14:40:18 2016
From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti)
Date: Sat, 2 Jan 2016 19:40:18 +0000
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL>
Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL>

Thanks Johan for the info. I could not find any documentation for an adapter for glassfish on the official links.
https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#jboss-adapter-installation

-Prasad
From johan.bos at c6.eu Sat Jan 2 14:43:41 2016
From: johan.bos at c6.eu (Johan B.)
Date: Sat, 2 Jan 2016 20:43:41 +0100
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
In-Reply-To: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL>
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL>

Whaoou, you know the latest version is 1.7.0, right? Find the doc from the keycloak website directly. There is a pdf version available.
From johan.bos at c6.eu Sat Jan 2 14:46:31 2016
From: johan.bos at c6.eu (Johan B.)
Date: Sat, 2 Jan 2016 20:46:31 +0100
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
In-Reply-To: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL>
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL>

https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html

You may have to wait for one of the keycloak support people to give you details on which part applies to you. To me, the jetty part is probably your best try.
From Mahantesh.Katti at Indecomm.net Sat Jan 2 14:52:48 2016
From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti)
Date: Sat, 2 Jan 2016 19:52:48 +0000
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL>
Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4E9@INBLRMBX002.INDECOMM.LOCAL>

Ok. I hope to hear from them soon. Thanks.
From johan.bos at c6.eu Sat Jan 2 14:56:02 2016
From: johan.bos at c6.eu (Johan B.)
Date: Sat, 2 Jan 2016 20:56:02 +0100
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL>

Forget about jetty. The doc does not provide any support for glassfish, nor does the download section. You will have to wait for a support answer. Sorry
From Mahantesh.Katti at Indecomm.net Sat Jan 2 15:03:47 2016
From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti)
Date: Sat, 2 Jan 2016 20:03:47 +0000
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL>
Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E1640F502@INBLRMBX002.INDECOMM.LOCAL>

Np. I assume the support team is also part of this mailing list [making sure I don't need to post this message on another forum].
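Going back to Scott's reply in the Spring Security annotation thread above: it makes two points, that the Keycloak adapter has to be wired into Spring Security before @PreAuthorize and friends can find an Authentication, and that role names need Spring's ROLE_ prefix. The following is an added example, not code from that thread or from the Keycloak project, of a configuration that covers both. It assumes keycloak-spring-security-adapter and Spring Security on the classpath; the adapter class names used (KeycloakWebSecurityConfigurerAdapter, KeycloakSecurityComponents, KeycloakAuthenticationProvider with setGrantedAuthoritiesMapper) are the ones I know from the adapter and should be checked against the version in use, since the mapper hook arrived after 1.7.

```java
// Added example; not code from the thread or from Keycloak. Assumes
// keycloak-spring-security-adapter and Spring Security on the classpath. The adapter
// class names are assumed from the adapter as I know it; check them against your version.
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
// prePostEnabled turns on @PreAuthorize/@PostAuthorize; securedEnabled turns on @Secured.
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
// Picks up the adapter's own beans (filters, entry point) plus this package's controllers.
@ComponentScan(basePackageClasses = {KeycloakSecurityComponents.class, SecurityConfig.class})
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        // Keycloak role "admin" -> Spring authority "ROLE_ADMIN", which is what
        // hasRole('ADMIN') looks for. SimpleAuthorityMapper adds the ROLE_ prefix by default.
        SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
        mapper.setConvertToUpperCase(true);
        provider.setGrantedAuthoritiesMapper(mapper);
        auth.authenticationProvider(provider);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // Required by the adapter base class; tracks sessions so back-channel logout works.
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);  // registers the Keycloak authentication filters
        http.authorizeRequests()
            .antMatchers("/greeting").authenticated()
            .anyRequest().permitAll();
    }
}

@RestController
class AdminOnlyController {
    @RequestMapping("/admin/ping")
    @PreAuthorize("hasRole('ADMIN')")  // satisfied by authority ROLE_ADMIN after mapping
    public String ping() {
        return "pong";
    }
}
```

With the mapper in place a realm role called admin in Keycloak becomes the authority ROLE_ADMIN, so hasRole('ADMIN') passes; without a mapper the Keycloak role itself has to be named ROLE_ADMIN, which is what Scott's PS describes. The AuthenticationCredentialsNotFoundException Andrey reports is what method security throws when no authentication filter has populated the SecurityContext at all, which is why the adapter wiring above has to come before any of the annotations can work.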
From Mahantesh.Katti at Indecomm.net Sun Jan 3 07:00:36 2016
From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti)
Date: Sun, 3 Jan 2016 12:00:36 +0000
Subject: [keycloak-user] creating groups in keycloak
Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E1640F52B@INBLRMBX002.INDECOMM.LOCAL>

Hi,

I came across a section in the keycloak user guide that dwells upon groups. However, there was no detail on how to create and use one. Just wanted to know if you have any other pointers on the same?

thanks
Prasad

From zhangjin at easemob.com Sun Jan 3 21:56:39 2016
From: zhangjin at easemob.com (zhangjin)
Date: Mon, 4 Jan 2016 10:56:39 +0800
Subject: [keycloak-user] HELP: how many realms does keycloak can support

Hi,

I found that the response time of the create realm request increases linearly, from 0.5 seconds to tens of seconds, when I created hundreds of realms. It is perhaps caused by this: when I create a new realm (for example "test"), keycloak adds a test-realm client into the admin realm's clients and adds test-realm's roles into the ADMIN composite role.

I tested it using the java sdk keycloak-admin-client (1.7.0.Final); datasource: h2/mysql/mongodb.

So how many realms can keycloak support, or is there any solution?

From sthorger at redhat.com Mon Jan 4 03:35:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 4 Jan 2016 09:35:06 +0100
Subject: [keycloak-user] [keycloak-dev] Login Rest Service Service Delay

Not sure what you mean about fetching the token id. Are you talking about the code -> token exchange?

We'd certainly need a lot more information to have any chance of reproducing this. How are you reproducing this? How many realms, clients, users, etc. do you have? What db do you have?

On 29 December 2015 at 10:13, Satyajit Das wrote:

> Hi Team,
>
> We are using the login restful service of the 1.4.0 final version.
>
> Sometimes the login takes quite some time (around 15 secs) to fetch the
> token id given back by the login service.
>
> Subsequent calls to the login rest service take very little time (75 millisecs).
>
> This is completely random behavior.
>
> Kindly let me know how to overcome this issue.
> Below is the snap of Token timeouts.
>
> [image: Inline image 1]
>
> Regards,
> Satya.

From kalinga at leapset.com Mon Jan 4 03:58:31 2016
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Mon, 4 Jan 2016 14:28:31 +0530 (IST)
Subject: [keycloak-user] Get user by username on version 1.7.0
Message-ID: <1451897911.43423811@apps.rackspace.com>

I have a simple requirement. I need to check if a user is already present in IDM before allowing the user to register himself. I basically use the admin rest apis offered by keycloak for all my user activities. I was able to do this before 1.6.0, since there was an api to get a user by username. I believe that this has been deprecated (removed completely) and replaced by get user by userId. Is there any way to fulfill my need in idm 1.7.0?

Regards,
Kalinga
From kalinga at leapset.com Mon Jan 4 04:03:38 2016
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Mon, 4 Jan 2016 14:33:38 +0530 (IST)
Subject: [keycloak-user] Get user by username on version 1.7.0
In-Reply-To: <1451897911.43423811@apps.rackspace.com>
References: <1451897911.43423811@apps.rackspace.com>
Message-ID: <1451898218.692219187@apps.rackspace.com>

Oh wait! I think I can send the username in the getUsers call as a query parameter. If that's the case, I can manage it. Let me confirm.

Regards,
Kalinga
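Kalinga's follow-up is the right direction: the username goes in as a query parameter on the users collection of the admin REST API. The following is an added example, not code from the thread or from Keycloak, doing that through the keycloak-admin-client library. It assumes the admin client artifact (matching the server version) on the classpath and an admin user in the master realm; the six-argument UsersResource.search signature is the one I know from the 1.x admin client and should be checked against the version in use, and the server URL, credentials and realm are placeholders. The check a practitioner wants here is that, in the versions I have seen, the username filter is a substring match rather than an exact one, so the code confirms an exact match before reporting the user as present.

```java
// Added example; not from Kalinga's messages or from Keycloak. Assumes keycloak-admin-client
// on the classpath and an admin user in the master realm. The search(...) signature is
// assumed from the 1.x admin client; server URL, credentials and realm are placeholders.
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.UserRepresentation;

public class UserLookup {

    private final UsersResource users;

    public UserLookup(String serverUrl, String adminUser, String adminPassword, String targetRealm) {
        // Logs in to the master realm with the admin-cli client and targets the realm
        // whose users we want to inspect.
        Keycloak keycloak = Keycloak.getInstance(serverUrl, "master", adminUser, adminPassword, "admin-cli");
        this.users = keycloak.realm(targetRealm).users();
    }

    /** Returns the user with exactly this username, or null if no such user exists. */
    public UserRepresentation findByUsername(String username) {
        // Maps to GET /admin/realms/{realm}/users?username=...&first=0&max=20
        // (the other name/email filters are left null).
        // The server matches the username as a substring, so "bob" also returns "bobby":
        // filter to an exact match. Keycloak stores usernames lowercased, hence equalsIgnoreCase.
        // If many usernames share a prefix, raise max or page through first/max.
        List<UserRepresentation> candidates = users.search(username, null, null, null, 0, 20);
        for (UserRepresentation candidate : candidates) {
            if (candidate.getUsername() != null && candidate.getUsername().equalsIgnoreCase(username)) {
                return candidate;
            }
        }
        return null;
    }

    /** The pre-registration check from the original question. */
    public boolean exists(String username) {
        return findByUsername(username) != null;
    }
}
```

Calling exists("alice") before creating a user gives the check Kalinga describes, but note that it is only advisory: two registrations racing on the same name can both see "absent", and the server's uniqueness constraint on username is what finally decides, so the create call still has to handle a conflict response.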
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160104/0c457982/attachment.html From mposolda at redhat.com Mon Jan 4 04:46:59 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 4 Jan 2016 10:46:59 +0100 Subject: [keycloak-user] retrieving group membership info from LDAP/AD In-Reply-To: <83FA22EE27AA7949A5F616D4DD6AF71E1640F1DC@INBLRMBX002.INDECOMM.LOCAL> References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F1DC@INBLRMBX002.INDECOMM.LOCAL> Message-ID: <568A3F93.2050007@redhat.com> On 30/12/15 18:42, Mahantesh Prasad Katti wrote: > > Hi All, > > In our application, we integrate with Microsoft AD for authenticating > users. As part of the authentication result, we also fetch group > information for the user authenticated. We also have a pre-defined > group-role mapping defined in the application server [This is a JEE > configuration file]. This helps decide whether a particular user based > on the role he belongs to can access a resource or not. I read another > thread ?Apply group membership filter on ldap login > ? > on similar lines. Couple of clarifications. > > 1.Based on what I read there is no feature to get roles and map them > to specific roles in keycloak and would be available in a future > release. I just wanted to understand if my reading of this is on the > right lines. Also, wanted to know if there?s a workaround for this in > the short term. > The feature to get LDAP roles and map them to specific roles in Keycloak is available. We have LDAP Role Mapper (See documentation http://keycloak.github.io/docs/userguide/keycloak-server/html/user_federation.html#ldap_mappers and our ldap example for details). The thread "Apply group membership filter on ldap login" is more about restricting that some LDAP users are not able to login at all (For example, specify that just users, which are members of LDAP group "cn=mygroup,o=myorg,dc=example,dc=com" are able to login and all the other users are filtered). 
This will be available from the 1.8 release (it's in master already).

>
> 2. Also does keycloak provide fine grained access control on the lines of apache shiro?
>
Keycloak provides SSO and authentication. Once you authenticate, your application will receive an access token with the roles of the user from Keycloak (we have stuff like scope, protocol mappers etc., which allows better control over what exactly will go to the access token. See docs and examples for details). Then it's up to the application how it interprets roles from the accessToken. The authorization needs to be actually done by the application itself (unless it's a JEE application where we have mapping of accessToken roles to JEE roles. Again see examples). We have a separate subproject under development (no official release yet available), which will allow more authorization possibilities.

Marek

> Thanks
>
> Prasad
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From giovanni.baruzzi at syntlogo.de Mon Jan 4 06:23:47 2016
From: giovanni.baruzzi at syntlogo.de (Giovanni Baruzzi)
Date: Mon, 4 Jan 2016 12:23:47 +0100
Subject: [keycloak-user] Relationship of Groups to Roles?
Message-ID:

I'm very glad about the discussion here about roles and groups, since granting access to users is the core of access management. This said, we had been forced to look beyond the group object (or a similar role object) for managing access entitlements because these run out of gas at about 100.000 users and we are targeting millions of users. We had even to go further on the "role": the current definition describes an entitlement just with the name of a role (or a group) and we needed something more. At the end we came up with a simple concept.

1.
The Roles are modeled by an attribute in the user object itself. Of course the attribute is multivalued. This gives us the capability to retrieve all the needed information with a single LDAP operation. No more group search, cascading groups, which are cumbersome and time consuming.

2. This attribute contains a structured value of the type: . We are playing with the idea to store this in a JSON structure. In the future, given the sensitivity of the access, we may think to have this signed (like in a JWT), to ensure reliability of the information.

3. A separate identity management system will take care of the management of this attribute; AMS has only the task to pass over the values to the application.

We are going to implement that with our resources, extending KeyCloak where needed, but I would like to share these ideas to have an open discussion on this. Further it would be nice to see some aspects of this implemented in KeyCloak. We may decide to share the code.

Regards,
Giovanni

From sthorger at redhat.com Mon Jan 4 06:27:52 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 4 Jan 2016 12:27:52 +0100
Subject: [keycloak-user] Different theme for each client
In-Reply-To:
References:
Message-ID:

I strongly disagree. With Keycloak you are logging in to a SSO realm, not an individual application. With that in mind it's important that the login screen reflects that. Users need to know the difference as it's an important distinction.
It just doesn't make any sense that I'm logged-in to the SSO with a login screen that is themed to look like the login screen for an individual application.

Adding an option on clients to set the theme just doesn't make any sense. If we added the option to create SSO "zones" or disable SSO for individual applications then it would make sense to be able to set theme on a per-zone or apps that don't have SSO enabled.

On 31 December 2015 at 09:46, Travis De Silva wrote:
> Hi,
>
> My vote is to provide this feature at a client level as per the original request.
>
> I think realms should be used for completely different domains when we want to isolate users etc. Should not try and use it for something that it was not intended in the design.
>
> The reason why you might need theming at client level is if you really think that clients which are essentially different applications most of the time and each of these applications might have different look and feel themes (either due to different development teams or vendors building different applications).
>
> So when someone logins via KeyCloak, it's true that we are logging into a realm but for an end user, it is really logging into an application and there is a need for the login page theme to look similar to the application look and feel.
>
> Also I have a use case where I have a back office application that requires login for admin users and then I have the front office of this application where in addition to the admin users, you also can have other users as well who can self register and login to the front end which is a consumer facing site.
>
> How I handle this is by having two clients in the same realm. This works fine if you are happy with the same backend login theme to be there for the consumer facing frontend. But we cannot do that as the front end is a consumer facing SaaS site, so each front end needs to have the client's website theme.
> This becomes very hard to do if we don't have theming at a client level.
>
> I came across this post from Bill a few months ago
> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
>
> I am thinking to make use of the client variable that is available in login.ftl and load different freemarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal but it might meet the requirement.
>
> Cheers
> Travis

From mstrukel at redhat.com Mon Jan 4 07:16:43 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 4 Jan 2016 13:16:43 +0100
Subject: [keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy
In-Reply-To:
References:
Message-ID:

The error 'org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused' means that either there is a server side problem - your Nginx isn't started and listening on port 443, a firewall preventing incoming connections - or there is a client side problem - a DNS issue improperly resolving sso2.domain.com into an IP on the host where Tomcat is running. At this point no SSL handshaking was attempted yet. If you try 'curl https://sso2.domain.com' or 'telnet sso2.domain.com 443' from the server running your Tomcat you'll see the same issue. Once that starts to work, only then will any SSL / proxying related configuration issues start to manifest themselves.

On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace wrote:
> Community, I have spent a decent amount of time attempting to get KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application.
> It does work without the proxy, but I need the proxy to handle certificates. I think I am pretty close to having it working, but something seems to be missing... I have done the following. I appreciate any insight you may have as I think I have exhausted other resources.
>
> 1. Configure a server in NGINX
>
> server {
>     listen 443;
>
>     ssl on;
>     ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt;
>     ssl_certificate_key /etc/ssl/certs/*.domain.key;
>
>     server_name sso2.domain.com;
>     access_log /var/log/nginx/nginx.sso.access.log;
>     error_log /var/log/nginx/nginx.sso.error.log;
>
>     location / {
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Forwarded-Port 443;
>         proxy_pass http://internalip:8080;
>     }
> }
>
> 2. Enable SSL on a Reverse Proxy
>
> First add proxy-address-forwarding and redirect-socket to the http-listener element:
>
> ...
> ...
>
> Then add a new socket-binding element to the socket-binding-group element:
>
> ...
> ...
>
> RECEIVE THE FOLLOWING ERROR in TOMCAT:
>
> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - failed to turn code into token
> org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused
> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) ~[httpclient-4.2.1.jar:4.2.1]
> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) ~[httpclient-4.2.1.jar:4.2.1]
> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) ~[httpclient-4.2.1.jar:4.2.1]
> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) ~[httpclient-4.2.1.jar:4.2.1]
> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.1.jar:4.2.1]
> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.1.jar:4.2.1]
> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.1.jar:4.2.1]
> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) ~[httpclient-4.2.1.jar:4.2.1]
> at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> at
> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
> at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [lib/:na]
> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [lib/:na]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [lib/:na]
> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [lib/:na]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [lib/:na]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) [lib/:na]
> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) [tomcat-coyote.jar:8.0.18]
> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) [tomcat-coyote.jar:8.0.18]
> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) [tomcat-coyote.jar:8.0.18]
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) [tomcat-coyote.jar:8.0.18]
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) [tomcat-coyote.jar:8.0.18]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_25]
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_25]
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.18]
> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
> Caused by: java.net.ConnectException: Connection timed out
> at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]
> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) ~[na:1.8.0_25]
> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_25]
> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_25]
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
> at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) ~[httpclient-4.2.1.jar:4.2.1]
> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.1.jar:4.2.1]
> ... 29 common frames omitted
From traviskds at gmail.com Mon Jan 4 08:25:02 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Mon, 04 Jan 2016 13:25:02 +0000
Subject: [keycloak-user] Different theme for each client
In-Reply-To:
References:
Message-ID:

Hi Stian,

Adding SSO zones just to address the theming issue looks a bit overkill to me as it will eventually come down to doing some theming at a level below the realm. I was going on the basis that if theming is not set at a client level, then it will default to the realm level theming which is basically your SSO enabled zone.

Also my other point was with regard to SaaS based applications where we have a backoffice system which is themed as per our SaaS product but the consumer facing front end needs to be themed to be aligned with the customer's web site. In this case, we cannot go with what KeyCloak has at present. What I am doing is as suggested by Bill sometime back, adding "if/else" statements into the freemarker templates and based on the client id loading different freemarker templates, which is not ideal but does the job.

In any case, since what we are discussing are in general edge cases, instead of complicating the core KeyCloak platform, why don't you just expose the various links/flows that are currently available in the login process (forgot password/reset credentials, required actions (update password, verify email, configure OTP, etc.), user account mgmt, registration, social login etc.)? Then we are still using the core of keycloak but for the frontend themes/UI, we use our own.

I also haven't explored the Login SPI, which as per the KeyCloak docs "allows implementing the login forms using whatever web framework or templating engine you want". Wonder if this will give us what we are after.

Cheers
Travis

On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen wrote:
> I strongly disagree.
> With Keycloak you are logging in to a SSO realm, not an individual application. With that in mind it's important that the login screen reflects that. Users need to know the difference as it's an important distinction. It just doesn't make any sense that I'm logged-in to the SSO with a login screen that is themed to look like the login screen for an individual application.
>
> Adding an option on clients to set the theme just doesn't make any sense. If we added the option to create SSO "zones" or disable SSO for individual applications then it would make sense to be able to set theme on a per-zone or apps that don't have SSO enabled.
>
> On 31 December 2015 at 09:46, Travis De Silva wrote:
>
>> Hi,
>>
>> My vote is to provide this feature at a client level as per the original request.
>>
>> I think realms should be used for completely different domains when we want to isolate users etc. Should not try and use it for something that it was not intended in the design.
>>
>> The reason why you might need theming at client level is if you really think that clients which are essentially different applications most of the time and each of these applications might have different look and feel themes (either due to different development teams or vendors building different applications).
>>
>> So when someone logins via KeyCloak, it's true that we are logging into a realm but for an end user, it is really logging into an application and there is a need for the login page theme to look similar to the application look and feel.
>>
>> Also I have a use case where I have a back office application that requires login for admin users and then I have the front office of this application where in addition to the admin users, you also can have other users as well who can self register and login to the front end which is a consumer facing site.
>>
>> How I handle this is by having two clients in the same realm.
>> This works fine if you are happy with the same backend login theme to be there for the consumer facing frontend. But we cannot do that as the front end is a consumer facing SaaS site, so each front end needs to have the client's website theme. This becomes very hard to do if we don't have theming at a client level.
>>
>> I came across this post from Bill a few months ago
>> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
>>
>> I am thinking to make use of the client variable that is available in login.ftl and load different freemarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal but it might meet the requirement.
>>
>> Cheers
>> Travis

From Mahantesh.Katti at Indecomm.net Mon Jan 4 08:43:49 2016
From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti)
Date: Mon, 4 Jan 2016 13:43:49 +0000
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
In-Reply-To: <83FA22EE27AA7949A5F616D4DD6AF71E1640F502@INBLRMBX002.INDECOMM.LOCAL>
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F502@INBLRMBX002.INDECOMM.LOCAL>
Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E16412836@INBLRMBX002.INDECOMM.LOCAL>

Keycloak support team, I need some inputs on this use case. Could you please throw some light on the same.
-Prasad

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Mahantesh Prasad Katti
Sent: Sunday, January 03, 2016 1:34 AM
To: Johan B.
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Np. I assume the support team is also part of this mailing list [making sure I don't need to post this message on another forum].

From: johan.bos at gmail.com [mailto:johan.bos at gmail.com] On Behalf Of Johan B.
Sent: Sunday, January 03, 2016 1:26 AM
To: Mahantesh Prasad Katti
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Forget about jetty. The doc does not provide any support for glass fish, nor does the download section. You will have to wait for a support answer. Sorry

On Saturday, 2 January 2016, Johan B. wrote:
https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html
You may have to wait for one of the keycloak support to give you details on which part is applying to you. To me probably the jetty part is your best try

On Saturday, 2 January 2016, Mahantesh Prasad Katti wrote:
Thanks Johan for the info. I could not find any documentation for an adapter for glassfish on the official links.
https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#jboss-adapter-installation

-Prasad

From: Johan B. [mailto:johan.bos at gmail.com]
Sent: Sunday, January 03, 2016 1:00 AM
To: Mahantesh Prasad Katti
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Hi
You are missing the adapter installation. Each app server must have the adapter configured so the security ctx KEYCLOAK has some meaning to your app server. See the documentation part about the adapter installation. Depending on the server type you have either lib only to provide to your server lib or some more configuration to do.
For tomcat I only had to copy some jars. On the download section there is an adapter folder in which you will find an archive with the things to install on your server type.
Hope this helps

On Saturday, 2 January 2016, Mahantesh Prasad Katti wrote:
Hi All,
I have some web applications deployed in glassfish. And we are trying to implement SSO using keycloak. I wanted to understand if keycloak secures and provides sso support for applications deployed on glassfish or if it is applicable to applications deployed on jboss only? I tried to secure a glassfish web application using keycloak [specifying the keycloak pom dependencies, keycloak.json and related entries in web.xml], but I could not see the direction happening to keycloak for authentication. Am I missing something here? Appreciate any pointers.
Regards
Prasad

From adrianmatei at gmail.com Mon Jan 4 09:32:25 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Mon, 4 Jan 2016 15:32:25 +0100
Subject: [keycloak-user] how to clear server caches...
Message-ID:

Hi everyone,

how can I clear the server caches without using the Admin Console? If I add the

    "realmCache": {
        "provider": "${keycloak.realm.cache.provider:none}"
    },
    "userCache": {
        "provider": "${keycloak.user.cache.provider:none}"
    }

to keycloak-server.json as mentioned in the documentation, it won't work. The values are not even present "anymore" in the file...

Thanks,
Adrian

From sthorger at redhat.com Mon Jan 4 10:01:36 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 4 Jan 2016 16:01:36 +0100
Subject: [keycloak-user] how to clear server caches...
In-Reply-To:
References:
Message-ID:

What specifically are you trying to achieve?

Re-starting the server would obviously clear the cache. Or you can clear it through the admin console.

On 4 January 2016 at 15:32, Adrian Matei wrote:
> Hi everyone,
>
> how can I clear the server caches without using the Admin Console? If I add the
>
>     "realmCache": {
>         "provider": "${keycloak.realm.cache.provider:none}"
>     },
>     "userCache": {
>         "provider": "${keycloak.user.cache.provider:none}"
>     }
>
> to keycloak-server.json as mentioned in the documentation, it won't work. The values are not even present "anymore" in the file...
>
> Thanks,
> Adrian

From sthorger at redhat.com Mon Jan 4 10:06:18 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 4 Jan 2016 16:06:18 +0100
Subject: [keycloak-user] Adapter 1.3.1 on EAP 6.3.2
In-Reply-To: <5682A833.3090202@efos.si>
References: <5682A833.3090202@efos.si>
Message-ID:

EAP 6.3.2 should work just fine, but there's a separate adapter for EAP 6.3.

On 29 December 2015 at 16:35, Mitja Strojanček wrote:
> We have REST services on EAP 6.3.2 with adapter 1.3.1 and gateway server WF 8.2 with 1.3.1 server. This configuration doesn't work. Our test case works on WF 8.2 server with adapter 1.3.1.
> Does anybody have an idea why it shouldn't work also with EAP 6.3.2? Are there any incompatibilities?
> --
> Mitja
From adrianmatei at gmail.com Mon Jan 4 10:10:24 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Mon, 4 Jan 2016 16:10:24 +0100
Subject: [keycloak-user] how to clear server caches...
In-Reply-To:
References:
Message-ID:

hi Stian,

Just after the installation I wanted to be able to access the Admin Console without SSL for our dev environment. I thought if I hacked the value of the column SSLRequired from table REALM for the master realm it would work - unfortunately I used "none" instead of "NONE" and when I try to access the admin console now I am getting the following:

JBWEB000289: Servlet Keycloak REST Interface threw load() exception: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.enums.SslRequired.none

Thanks,
Adrian

On Mon, Jan 4, 2016 at 4:01 PM, Stian Thorgersen wrote:
> What specifically are you trying to achieve?
>
> Re-starting the server would obviously clear the cache. Or you can clear it through the admin console.
>
> On 4 January 2016 at 15:32, Adrian Matei wrote:
>
>> Hi everyone,
>>
>> how can I clear the server caches without using the Admin Console? If I add the
>>
>>     "realmCache": {
>>         "provider": "${keycloak.realm.cache.provider:none}"
>>     },
>>     "userCache": {
>>         "provider": "${keycloak.user.cache.provider:none}"
>>     }
>>
>> to keycloak-server.json as mentioned in the documentation, it won't work. The values are not even present "anymore" in the file...
>>
>> Thanks,
>> Adrian
From sthorger at redhat.com Mon Jan 4 10:14:39 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 4 Jan 2016 16:14:39 +0100
Subject: [keycloak-user] how to clear server caches...
In-Reply-To:
References:
Message-ID:

In that case you'll need to change it to NONE and restart the server

On 4 January 2016 at 16:10, Adrian Matei wrote:
> hi Stian,
>
> Just after the installation I wanted to be able to access the Admin Console without SSL for our dev environment. I thought if I hacked the value of the column SSLRequired from table REALM for the master realm it would work - unfortunately I used "none" instead of "NONE" and when I try to access the admin console now I am getting the following:
>
> JBWEB000289: Servlet Keycloak REST Interface threw load() exception: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.enums.SslRequired.none
>
> Thanks,
> Adrian
>
> On Mon, Jan 4, 2016 at 4:01 PM, Stian Thorgersen wrote:
>
>> What specifically are you trying to achieve?
>>
>> Re-starting the server would obviously clear the cache. Or you can clear it through the admin console.
>>
>> On 4 January 2016 at 15:32, Adrian Matei wrote:
>>
>>> Hi everyone,
>>>
>>> how can I clear the server caches without using the Admin Console? If I add the
>>>
>>>     "realmCache": {
>>>         "provider": "${keycloak.realm.cache.provider:none}"
>>>     },
>>>     "userCache": {
>>>         "provider": "${keycloak.user.cache.provider:none}"
>>>     }
>>>
>>> to keycloak-server.json as mentioned in the documentation, it won't work. The values are not even present "anymore" in the file...
>>>
>>> Thanks,
>>> Adrian

From TBarcia at wfscorp.com Mon Jan 4 10:43:50 2016
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Mon, 4 Jan 2016 15:43:50 +0000
Subject: [keycloak-user] Token audience doesn't match domain.
Message-ID:

I have my keycloak 1.6.1-final cluster running behind a Netscaler that terminates the SSL connections, therefore communication from the Netscaler to Keycloak is http but from the Internet to the Netscaler is https. We've managed the rewrites so that logging in works, however we're now getting an error that the token audience doesn't match the domain because the issuer is http://keycloakserver but the URL from configuration is https://keycloakserver. Is there a way to make this configuration work? When the error says "URL from configuration" does it mean the java app configuration or the Keycloak configuration?

Thank you.

*** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this communication and delete the communication, including any attachments, from your computer.
Electronic communications sent to or from World Fuel Services Corporation or its subsidiaries or its affiliates may be monitored for quality assurance and compliance purposes.***

From juraci at kroehling.de Mon Jan 4 10:56:51 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Mon, 4 Jan 2016 16:56:51 +0100
Subject: [keycloak-user] Token audience doesn't match domain.
In-Reply-To:
References:
Message-ID: <568A9643.7070103@kroehling.de>

Are you sending the HTTP header X-Forwarded-Proto to Keycloak?

On 04.01.2016 16:43, Thomas Barcia wrote:
> I have my keycloak 1.6.1-final cluster running behind a Netscaler that terminates the SSL connections, therefore communication from the Netscaler to Keycloak is http but from the Internet to the Netscaler is https. We've managed the rewrites so that logging in works, however we're now getting an error that the token audience doesn't match the domain because the issuer is http://keycloakserver but the URL from configuration is https://keycloakserver. Is there a way to make this configuration work? When the error says "URL from configuration" does it mean the java app configuration or the Keycloak configuration?
>
> Thank you.
>
> *** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited.
From adrianmatei at gmail.com Mon Jan 4 11:02:06 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Mon, 4 Jan 2016 17:02:06 +0100
Subject: [keycloak-user] how to clear server caches...

hi Stian,

Yes I had tried that many times with no use - the problem was that my DB client seems to not have committed initially the value in DB. After committing it again, it worked.

Thanks,
Adrian

On Mon, Jan 4, 2016 at 4:14 PM, Stian Thorgersen wrote:
> In that case you'll need to change it to NONE and restart the server
>
> On 4 January 2016 at 16:10, Adrian Matei wrote:
>
>> hi Stian,
>>
>> Just after the installation I wanted to be able to access the Admin Console
>> without SSL for our dev environment. I thought if I hacked the value of the
>> column SSLRequired from table REALM for the master realm it would work -
>> unfortunately I used "none" instead of "NONE" and when I try to access now
>> the admin console I am getting the following:
>>
>> JBWEB000289: Servlet Keycloak REST Interface threw load() exception:
>> java.lang.IllegalArgumentException: No enum constant
>> org.keycloak.common.enums.SslRequired.none
>>
>> Thanks,
>> Adrian
>>
>> On Mon, Jan 4, 2016 at 4:01 PM, Stian Thorgersen wrote:
>>
>>> What specifically are you trying to achieve?
>>>
>>> Re-starting the server would obviously clear the cache. Or you can clear
>>> it through the admin console.
>>>
>>> On 4 January 2016 at 15:32, Adrian Matei wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> how can i clear the server caches without using the Admin Console? If I
>>>> add the
>>>>
>>>>     "realmCache": {
>>>>         "provider": "${keycloak.realm.cache.provider:none}"
>>>>     },
>>>>     "userCache": {
>>>>         "provider": "${keycloak.user.cache.provider:none}"
>>>>     }
>>>>
>>>> to keycloak-server.json as mentioned in the documentation it won't
>>>> work. The values are not even present "anymore" in the file...
>>>>
>>>> Thanks,
>>>> Adrian

From giovanni.baruzzi at syntlogo.de Mon Jan 4 13:04:14 2016
From: giovanni.baruzzi at syntlogo.de (Giovanni Baruzzi)
Date: Mon, 4 Jan 2016 19:04:14 +0100
Subject: [keycloak-user] Question about Realm and Client (Resource) Roles

Dear All,

In the documentation I read about the Realm and Resource Roles. Under "2.2.1. Permission scopes" you can read:

"The role mappings contained within the token are the intersection between the set of user role mappings and the permission scope of the client. So, access tokens are tailor made for each client and contain only the information required for by them."

Further, under "8.1. General Adapter Configuration", you read:

use-resource-role-mappings
If set to true, the adapter will look inside the token for application level role mappings for the user. If false, it will look at the realm level for user role mappings. This is OPTIONAL. The default value is false.

I would like to understand how to use it and how to configure it, but I cannot find anything in the documentation nor in the tips of the Console.
Can anybody give me a pointer to more information?

Thank you,
Giovanni

From TBarcia at wfscorp.com Mon Jan 4 13:42:07 2016
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Mon, 4 Jan 2016 18:42:07 +0000
Subject: [keycloak-user] Token audience doesn't match domain.
In-Reply-To: <568A9643.7070103@kroehling.de>
References: <568A9643.7070103@kroehling.de>

We weren't but we are now and are getting the "Failed to verify token; Token is not active" error.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Juraci Paixão Kröhling
Sent: Monday, January 04, 2016 10:57 AM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Token audience doesn't match domain.

Are you sending the HTTP header X-Forwarded-Proto to Keycloak?
From helder.jaspion at gmail.com Mon Jan 4 14:11:04 2016
From: helder.jaspion at gmail.com (Helder dos S. Alves)
Date: Mon, 4 Jan 2016 17:11:04 -0200
Subject: [keycloak-user] Ajax login

Hi everybody.

I'm new to Keycloak and I wonder if it is possible to login via ajax without redirecting to a login page. Maybe anyone has already asked it (and others answered it, I hope), but I could not find a way to search on older topics.

Thanks in advance.

Helder Alves

From sthorger at redhat.com Mon Jan 4 14:33:20 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 4 Jan 2016 20:33:20 +0100
Subject: [keycloak-user] Token audience doesn't match domain.
References: <568A9643.7070103@kroehling.de>

Token is not active is either due to the token being expired or the time on your Keycloak server and applications not being in sync.

On 4 January 2016 at 19:42, Thomas Barcia wrote:
> We weren't but we are now and are getting the "Failed to verify token;
> Token is not active" error.
From guydavis.ca at gmail.com Mon Jan 4 15:49:35 2016
From: guydavis.ca at gmail.com (Guy Davis)
Date: Mon, 4 Jan 2016 13:49:35 -0700
Subject: [keycloak-user] Basic authentication - adapter not using backend-url for HttpPost?

Good day,

I'm working with Keycloak 1.7.0.Final (in its own Wildfly) behind a HAProxy instance. A REST service is deployed (as .war) on another server (also behind HAProxy) in a JBoss EAP instance, protected using the Keycloak adapter.
The deployment is protected as follows in standalone.xml of the JBoss instance:

    MyRealm my-resource true true true MIIB...QAB /auth http://proxy:8080/auth NONE preferred_username

Here is the relevant section of mytest.war's web.xml:

    All Admin /* my-admins NONE KEYCLOAK this is ignored currently Admin access for admins. my-admins

Due to the use of the old JBoss EAP 6.1 server, I've had to add the following to mytest.war's jboss-web.xml to support proxying, with proxy headers added by HAProxy:

    keycloak-web mytest org.apache.catalina.valves.RemoteIpValve protocolHeader x-forwarded-proto

The hostname "proxy" is resolvable within the cluster behind HAProxy and will result in direct access to the Keycloak instance. From outside the cluster, all the services are mapped to the same HTTP namespace by HAProxy. So an external request to http://[external_haproxy]/auth will be proxied to Keycloak in the cluster.

The 'my-resource' Keycloak client has direct access grants enabled and is set to Public access.

In testing, where the entire cluster is launched in Vagrant running on Windows, if I access http://localhost/mytest/api/... in a browser, I am shown the Keycloak login and get the REST service result as expected. This tells me that the majority of my configuration above is good.

However, if I use a client like curl or JMeter to send a similar HTTP request with the Basic authentication header added:

    Authorization: Basic YWRtaW46YWRtaW4=

then the following is observed in the JBoss log from the Keycloak adapter:

    2016-01-04 20:03:49,295 DEBUG [org.keycloak.adapters.BasicAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Failed to obtain token: java.net.ConnectException: Connection refused

Upon debugging through the Keycloak adapter code to watch the basic authentication process, I found myself in BasicAuthRequestAuthenticator.getToken() where I find that deployment.getAuthServerBaseUrl() == "http://localhost/auth", which is not valid on the JBoss EAP system.
This tells me that the external hostname (Vagrant host) is being used to build the URI for contacting the internal Keycloak host. In particular, the provided value for is not being used. Since this Basic Auth code uses this URI to issue a "backend" request, I would have expected the value to be used.

So my question is whether I am missing a basic authentication specific configuration step or whether I've encountered a defect in URI handling for basic auth + backend requests. Interestingly, in the attached Eclipse screenshot, the deployment object is aware of the http://proxy:8080 URI backend but it is not being used for authServerBaseUrl.

Note, the scope of this problem is more than my Vagrant/localhost example. I expect the same problem to manifest in our AWS test environment where external hostnames don't resolve for cluster members identified by internal hostnames only. I'm hoping to find a solution before this hits our test environment.

Thanks in advance,
Guy

From pblair at clearme.com Mon Jan 4 16:05:31 2016
From: pblair at clearme.com (Paul Blair)
Date: Mon, 4 Jan 2016 21:05:31 +0000
Subject: [keycloak-user] Can add-user.sh be used to change the admin user password?

I'm running keycloak 1.7.0.Final and tried to use the add-user.sh script to change the admin default password after deployment. The password didn't seem to take. If I go to the admin console and log in as admin with a password of "admin" I am prompted to change the password.
My understanding was that the purpose of the script was to get away from having an admin user with a default password. Is this not supported yet?

Before trying to change the admin user with the script, I had already brought up the server once and tried to log in as admin. After that I realized I wanted to use the script, and shut everything down before running the script; not sure if that's relevant or not.

From pblair at clearme.com Mon Jan 4 19:16:36 2016
From: pblair at clearme.com (Paul Blair)
Date: Tue, 5 Jan 2016 00:16:36 +0000
Subject: [keycloak-user] "Invalid parameter: redirect_uri"

I am using Keycloak with the apiman API manager. Both are on AWS and are behind Elastic Load Balancers (Keycloak is clustered using JDBC_PING).

When I request the apiman admin UI page (https://[apimanLoadBalancer]/apimanui), I get redirected to the following URL:

    https://[KeycloakLoadBalancer]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https://[apimanLoadBalancer]/apimanui/index.html&state=3/c48eec70-0fe9-44bf-9802-a351353f7600&login=true

Keycloak then displays the error "We're Sorry... Invalid parameter: redirect_uri"

In the Keycloak log I see:

    DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-7) replacing relative valid redirect with: https://[KeycloakLoadBalancer]/apimanui/*
    WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=apiman, clientId=apimanui, userId=null, ipAddress=[IP], error=invalid_redirect_uri, response_type=code, redirect_uri=https://[apimanLoadBalancer]/apimanui/index.html, response_mode=query

This looks to me as though Keycloak thinks that the redirect URI is a relative path. I also notice that the query string parameters for redirect_uri are not URL encoded by apiman.
Would this be the source of the problem?

From pblair at clearme.com Mon Jan 4 19:32:54 2016
From: pblair at clearme.com (Paul Blair)
Date: Tue, 5 Jan 2016 00:32:54 +0000
Subject: [keycloak-user] "Invalid parameter: redirect_uri"

I should mention that this happens whether or not I have https://[apimanLoadBalancer] in the Root URL field for the Apimanui client, or whether or not I have https://[apimanLoadBalancer]/apimanui/* in the Valid Redirect URIs, or both. However, if they are present I no longer see the DEBUG line "replacing relative valid redirect with..."; I only see the WARN message with the failure.

Also, it appears that the URL encoding is a non-issue; at least, I see the URLs encoded properly in the browser URL bar even if the "inspect" formats them with slashes and colons.

From: "pblair at clearme.com"
Date: Tue, 5 Jan 2016 00:16:36 +0000
To: keycloak-user
Subject: [keycloak-user] "Invalid parameter: redirect_uri"
From pblair at clearme.com Mon Jan 4 19:40:51 2016
From: pblair at clearme.com (Paul Blair)
Date: Tue, 5 Jan 2016 00:40:51 +0000
Subject: [keycloak-user] "Invalid parameter: redirect_uri"

Figured it out - it's a case-sensitivity issue:

    https://ApimanLoadBalancer.elb.amazonaws.com/apimanui/*

fails to match

    https://apimanloadbalancer.elb.amazonaws.com/apimanui/*

I believe subdomains are case-insensitive. Should I raise an issue on this?

From: "pblair at clearme.com"
Date: Mon, 4 Jan 2016 19:32:54 -0500
To: "pblair at clearme.com", keycloak-user
Subject: Re: [keycloak-user] "Invalid parameter: redirect_uri"
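The matching rule behind Paul's finding, written out as an added example (not Keycloak's code): scheme and host are compared case-insensitively, as RFC 3986 requires, while the path stays case-sensitive; a relative pattern is resolved against the client's Root URL; and fragments, userinfo and dot segments are rejected before any wildcard prefix match. The function names, the `server_base_url` fallback (an assumption made here to mirror the "replacing relative valid redirect with" log line) and the sample URIs are this example's own.

```python
"""Redirect-URI validation with case-insensitive scheme/host matching.

Added example, not Keycloak's own code. Sample patterns and URIs are
constructed from the thread; function names are this example's own.
"""
from urllib.parse import urlsplit, urlunsplit, urljoin


def normalize_uri(uri: str) -> str:
    """Lower-case scheme and host, drop any fragment, leave path/query as-is.

    Scheme and host are case-insensitive (RFC 3986 section 6.2.2.1); the
    path and query are case-sensitive and must not be touched.
    """
    p = urlsplit(uri)
    if not p.scheme or p.hostname is None:
        raise ValueError("absolute URI with a host is required: %r" % uri)
    host = p.hostname                      # urlsplit already lower-cases this
    if ":" in host:                        # IPv6 literal: restore the brackets
        host = "[%s]" % host
    if p.port is not None:
        host = "%s:%d" % (host, p.port)
    return urlunsplit((p.scheme.lower(), host, p.path, p.query, ""))


def is_valid_redirect(redirect_uri, valid_patterns, root_url=None,
                      server_base_url=None):
    """Accept redirect_uri if it matches one registered pattern.

    A pattern ending in '*' is a prefix match on the normalized URI; any
    other pattern must match exactly. A pattern starting with '/' is
    relative and is resolved against root_url or, failing that, against
    server_base_url (assumed fallback, mirroring the thread's log line).
    """
    p = urlsplit(redirect_uri)
    # RFC 6749 section 3.1.2: a redirection URI must not carry a fragment;
    # userinfo has no legitimate place in one either.
    if p.fragment or "@" in p.netloc:
        return False
    # Dot segments would let '/apimanui/../admin' slip past '/apimanui/*'.
    if any(seg in (".", "..") for seg in p.path.split("/")):
        return False
    try:
        candidate = normalize_uri(redirect_uri)
    except ValueError:
        return False

    for pattern in valid_patterns:
        if pattern.startswith("/"):
            base = root_url or server_base_url
            if base is None:
                continue
            pattern = urljoin(base, pattern)
        try:
            pat = normalize_uri(pattern)
        except ValueError:
            continue                       # malformed registration: never matches
        if pat.endswith("*"):
            if candidate.startswith(pat[:-1]):
                return True
        elif candidate == pat:
            return True
    return False


# Constructed sample data following the thread's hostnames.
REGISTERED = ["https://ApimanLoadBalancer.elb.amazonaws.com/apimanui/*"]
REQUESTED = "https://apimanloadbalancer.elb.amazonaws.com/apimanui/index.html"


def demo():
    """Outcomes for the thread's case and the edge cases around it."""
    return {
        "host_case_differs": is_valid_redirect(REQUESTED, REGISTERED),
        "path_case_differs": is_valid_redirect(
            "https://apimanloadbalancer.elb.amazonaws.com/ApimanUI/index.html", REGISTERED),
        "scheme_downgrade": is_valid_redirect(
            "http://apimanloadbalancer.elb.amazonaws.com/apimanui/index.html", REGISTERED),
        "dot_segment": is_valid_redirect(
            "https://apimanloadbalancer.elb.amazonaws.com/apimanui/../admin", REGISTERED),
        "fragment": is_valid_redirect(REQUESTED + "#token", REGISTERED),
        "relative_with_root_url": is_valid_redirect(
            REQUESTED, ["/apimanui/*"], root_url="https://apimanloadbalancer.elb.amazonaws.com"),
        "relative_without_root_url": is_valid_redirect(
            REQUESTED, ["/apimanui/*"], server_base_url="https://keycloak.example.test/auth"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-28s %s" % (name, "accepted" if ok else "rejected"))
```

The last entry reproduces the log line from the thread: with no Root URL, a relative pattern resolves against the Keycloak host and the apiman redirect can never match it.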
From prabhalar at yahoo.com Mon Jan 4 20:10:56 2016
From: prabhalar at yahoo.com (Raghuram Prabhala)
Date: Tue, 5 Jan 2016 01:10:56 +0000 (UTC)
Subject: [keycloak-user] Different theme for each client
Message-ID: <376288232.49188.1451956256906.JavaMail.yahoo@mail.yahoo.com>

I second all of Travis' suggestions and ideas. We currently use a very well known commercial product that doesn't support the below feature and hence are looking at other options. Even we just need the capability to customize the themes for each client application that includes password reset, multi factor authentication etc. Moreover, depending upon the division and region, type of application (internet or intranet), we will have to display additional text (legal requirements) on the login screens. Ideally we should be able to create custom templates upfront and make them available during the client registration. While most of the client applications would use the default login template, a few applications would select different login templates but the underlying authentication, single signon realm etc will remain the same.

From: Travis De Silva
To: stian at redhat.com
Cc: keycloak-user
Sent: Monday, January 4, 2016 8:25 AM
Subject: Re: [keycloak-user] Different theme for each client

HI Stian,

Adding SSO zones just to address the theming issue looks a bit overkill to me as it will eventually come down to doing some theming at a level below the realm. I was going on the basis that if theming is not set at a client level, then it will default to the realm level theming which is basically your SSO enabled zone.

Also my other point was with regard to SaaS based applications where we have a backoffice system which is themed as per our SaaS product but the consumer facing front end needs to be themed to be aligned with the customer's web site.
In this case, we cannot go with what KeyCloak has at present. What I am doing is as suggested by Bill sometime back, adding "if/else" statements into the freemarker templates and based on the client id loading different freemarker templates, which is not ideal but does the job.

In any case, since what we are discussing is in general edge cases, instead of complicating the core KeyCloak platform, why don't you just expose the various links/flows that are currently available in the login process (forgot password/reset credentials, required actions (update password, verify email, configure OTP, etc.), user account mgmt, registration, social login etc.). Then we are still using the core of keycloak but for the frontend themes/UI, we use our own.

I also haven't explored the Login SPI which, as per the KeyCloak docs, "allows implementing the login forms using whatever web framework or templating engine you want". Wonder if this will give us what we are after.

Cheers
Travis

On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen wrote:

I strongly disagree. With Keycloak you are logging in to a SSO realm, not an individual application. With that in mind it's important that the login screen reflects that. Users need to know the difference as it's an important distinction. It just doesn't make any sense that I'm logged-in to the SSO with a login screen that is themed to look like the login screen for an individual application.

Adding an option on clients to set the theme just doesn't make any sense. If we added the option to create SSO "zones" or disable SSO for individual applications then it would make sense to be able to set theme on a per-zone or apps that don't have SSO enabled.

On 31 December 2015 at 09:46, Travis De Silva wrote:

Hi,

My vote is to provide this feature at a client level as per the original request. I think realms should be used for completely different domains when we want to isolate users etc.
Should not try and use it for something that it was not intended for in the design.

The reason why you might need theming at client level is if you really think that clients, which are essentially different applications most of the time, and each of these applications might have different look and feel themes (either due to different development teams or vendors building different applications). So when someone logs in via KeyCloak, it's true that we are logging into a realm but for an end user, it is really logging into an application and there is a need for the login page theme to look similar to the application look and feel.

Also I have a use case where I have a back office application that requires login for admin users and then I have the front office of this application where in addition to the admin users, you also can have other users as well who can self register and login to the front end which is a consumer facing site. How I handle this is by having two clients in the same realm. This works fine if you are happy with the same backend login theme to be there for the consumer facing frontend. But we cannot do that as the front end is a consumer facing SaaS site, so each front end needs to have the client's website theme. This becomes very hard to do if we don't have theming at a client level.

I came across this post from Bill a few months ago http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html

I am thinking to make use of the client variable that is available in login.ftl and load different freemarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal but it might meet the requirement.

Cheers
Travis
From subhrajyotim at gmail.com Mon Jan 4 23:08:39 2016
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Tue, 5 Jan 2016 09:38:39 +0530
Subject: [keycloak-user] Application/Client specific "permission" resolution ability in keycloak

Hello,

Is there an ability in Keycloak to manage application/client "permissions", similar to what Shiro has using WildCardPermissions? http://shiro.apache.org/permissions.html

I understand that this is very domain and application specific, but is there some generic way to manage these for specific Keycloak clients?

Currently trying to implement permissions for a couple of keycloak clients in a custom way; roles are stored in keycloak, the applications manage the permission mapping with the specific roles.

Any pointers to the same would be very helpful.

Thanks and regards,
Subhro.
From Mahantesh.Katti at Indecomm.net Tue Jan 5 00:52:02 2016
From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti)
Date: Tue, 5 Jan 2016 05:52:02 +0000
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
In-Reply-To: <83FA22EE27AA7949A5F616D4DD6AF71E16412836@INBLRMBX002.INDECOMM.LOCAL>
Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E16412A86@INBLRMBX002.INDECOMM.LOCAL>

I was wondering if we need to write some JASPIC module for glassfish in order for this to work? Or if there's an adapter SDK that can be used?

Thanks
Prasad

From: Mahantesh Prasad Katti
Sent: Monday, January 04, 2016 7:14 PM
To: Mahantesh Prasad Katti; Johan B.
Cc: keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Keycloak support team, I need some inputs on this use case. Could you please throw some light on the same.

-Prasad

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Mahantesh Prasad Katti
Sent: Sunday, January 03, 2016 1:34 AM
To: Johan B.
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Np. I assume the support team is also part of this mailing list [making sure I don't need to post this message on another forum].

From: johan.bos at gmail.com [mailto:johan.bos at gmail.com] On Behalf Of Johan B.
Sent: Sunday, January 03, 2016 1:26 AM
To: Mahantesh Prasad Katti
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Forget about jetty. The doc does not provide any support for glass fish, nor does the download section. You will have to wait for the support answer. Sorry

On Saturday 2 January 2016, Johan B. wrote:

https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html

You may have to wait for one of the keycloak support to give you details on which part is applying to you. To me probably the jetty part is your best try

On Saturday 2 January 2016, Mahantesh Prasad Katti wrote:

Thanks Johan for the info. I could not find any documentation for an adapter for glassfish on the official links.

https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#jboss-adapter-installation

-Prasad

From: Johan B. [mailto:johan.bos at gmail.com]
Sent: Sunday, January 03, 2016 1:00 AM
To: Mahantesh Prasad Katti
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Hi

You are missing the adapter installation. Each app server must have the adapter configured so the security ctx KEYCLOAK has some meaning to your app server. See the documentation part about the adapter installation. Depending on the server type you have either lib only to provide to your server lib or some more configuration to do. For tomcat I only had to copy some jars.

On the download section there is an adapter folder in which you will find an archive with the things to install on your server type.

Hope this helps

On Saturday 2 January 2016, Mahantesh Prasad Katti wrote:

Hi All,

I have some web application deployed in glassfish. And we are trying to implement SSO using keycloak. I wanted to understand if keycloak secures and provides sso support for applications deployed on glassfish or if it is applicable to applications deployed on jboss only?
I tried to secure a glassfish web application using keycloak [specifying the keycloak pom dependanies, keycloak.json and related entries in web.xml]. but I could not see the direction happening to keycloak for authentication. Am I missing something here? Appreciate any pointers. Regards Prasad -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160105/f887e0b6/attachment-0001.html From pkkamos at gmail.com Tue Jan 5 01:51:17 2016 From: pkkamos at gmail.com (PAA KOJO KONDUAH AMOS) Date: Tue, 5 Jan 2016 06:51:17 +0000 Subject: [keycloak-user] Setting Password for Users. Message-ID: <568b67c5.0f811c0a.ae6fe.ffff9e10@mx.google.com> Hello. I am using Keycloak admin client version 1.7.0. Final to create users from an external application. I am able to create Users (with user.setEnabled set to true)and set the password as well. However, when I try to login it fails. Please can anyone show me a sample code for password reset? 
This is what I have so far:

URL: http://localhost:8888/auth/admin/realms/crusadersterling/users/

    import java.io.IOException;

    import org.apache.http.HttpResponse;
    import org.apache.http.client.methods.HttpPut;
    import org.apache.http.entity.ContentType;
    import org.apache.http.entity.StringEntity;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClientBuilder;
    import org.keycloak.representations.idm.CredentialRepresentation;

    import com.fasterxml.jackson.databind.ObjectMapper;

    // Failure and PropertiesUtil are the poster's own classes (not shown here).
    public void resetPassword(String userId, String token) throws IOException, Failure {
        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue("123456");
        credential.setTemporary(true); // user is forced to pick a new password at next login

        ObjectMapper mapper = new ObjectMapper();
        try (CloseableHttpClient client = HttpClientBuilder.create().build()) {
            // "reset_password" holds the admin users URL, e.g. .../auth/admin/realms/crusadersterling/users/
            String usersUrl = PropertiesUtil.getValue("reset_password");
            HttpPut put = new HttpPut(usersUrl + userId + "/reset-password");
            put.addHeader("Authorization", "Bearer " + token);
            put.setHeader("Accept", "application/json");
            String json = mapper.writeValueAsString(credential);
            // ContentType sets Content-Type: application/json with a UTF-8 charset
            put.setEntity(new StringEntity(json, ContentType.APPLICATION_JSON));

            HttpResponse response = client.execute(put);
            int status = response.getStatusLine().getStatusCode();
            if (status < 200 || status > 299) { // Keycloak answers 204 No Content on success
                System.err.println(response.getStatusLine().getReasonPhrase());
                throw new Failure(status);
            }
        }
    }

Sent from Mail for Windows 10

From sthorger at redhat.com  Tue Jan  5 02:20:05 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Jan 2016 08:20:05 +0100
Subject: [keycloak-user] "Invalid parameter: redirect_uri"

Pleased you found out what's going on. Please create an issue.

On 5 January 2016 at 01:40, Paul Blair wrote:
> Figured it out. It's a case-sensitivity issue:
>
> https://ApimanLoadBalancer.elb.amazonaws.com/apimanui/*
>
> Fails to match
>
> https://apimanloadbalancer.elb.amazonaws.com/apimanui/*
>
> I believe subdomains are case-insensitive. Should I raise an issue on this?
>
> From: "pblair at clearme.com"
> Date: Mon, 4 Jan 2016 19:32:54 -0500
> To: "pblair at clearme.com", keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] "Invalid parameter: redirect_uri"
>
> I should mention that this happens whether or not I have https://[apimanLoadBalancer] in the Root URL field for the Apimanui client, or whether or not I have https://[apimanLoadBalancer]/apimanui/* in the Valid Redirect URIs, or both. However, if they are present I no longer see the DEBUG line "replacing relative valid redirect with..."; I only see the WARN message with the failure.
>
> Also, it appears that the URL encoding is a non-issue; at least, I see the URLs encoded properly in the browser URL bar even if the "inspect" formats them with slashes and colons.
>
> From: "pblair at clearme.com"
> Date: Tue, 5 Jan 2016 00:16:36 +0000
> To: keycloak-user
> Subject: [keycloak-user] "Invalid parameter: redirect_uri"
>
> I am using Keycloak with the apiman API manager. Both are on AWS and are behind Elastic Load Balancers (Keycloak is clustered using JDBC_PING). When I request the apiman admin UI page (https://[apimanLoadBalancer]/apimanui), I get redirected to the following URL:
>
> https://[KeycloakLoadBalancer]/auth/realms/apiman/protocol/openid-connect/auth?response_type=code&client_id=apimanui&redirect_uri=https://[apimanLoadBalancer]/apimanui/index.html&state=3/c48eec70-0fe9-44bf-9802-a351353f7600&login=true
>
> Keycloak then displays the error "We're Sorry... Invalid parameter: redirect_uri"
>
> In the Keycloak log I see:
>
> DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-7) replacing relative valid redirect with: https://[KeycloakLoadBalancer]/apimanui/*
> WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=apiman, clientId=apimanui, userId=null, ipAddress=[IP], error=invalid_redirect_uri, response_type=code, redirect_uri=https://[apimanLoadBalancer]/apimanui/index.html, response_mode=query
>
> This looks to me as though Keycloak thinks that the redirect URI is a relative path. I also notice that the query string parameters for redirect_uri are not URL encoded by apiman. Would this be the source of the problem?

From sthorger at redhat.com  Tue Jan  5 02:29:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Jan 2016 08:29:46 +0100
Subject: [keycloak-user] Different theme for each client

On 4 January 2016 at 14:25, Travis De Silva wrote:
> Hi Stian,
>
> Adding SSO zones just to address the theming issue looks a bit overkill to me as it will eventually come down to doing some theming at a level below the realm. I was going on the basis that if theming is not set at a client level, then it will default to the realm level theming which is basically your SSO enabled zone.
>
> Also my other point was with regard to SaaS based applications where we have a backoffice system which is themed as per our SaaS product but the consumer facing front end needs to be themed to be aligned with the customer's web site. In this case, we cannot go with what KeyCloak has at present. What I am doing is as suggested by Bill sometime back, adding "if/else" statements into the freemarker templates and based on the client id loading different freemarker templates, which is not ideal but does the job.
>
> In any case, since what we are discussing are in general edge cases, instead of complicating the core KeyCloak platform, why don't you just expose the various links/flows that are currently available in the login process (forgot password/reset credentials, required actions (update password, verify email, configure OTP, etc.), user account mgmt, registration, social login etc.)? Then we are still using the core of keycloak but for the frontend themes/UI, we use our own.
>
> I also haven't explored the Login SPI which, as per the KeyCloak docs, "allows implementing the login forms using whatever web framework or templating engine you want". Wonder if this will give us what we are after.

Sounds like an SSO zone is exactly what you'd want, so I'm not sure why you are so against that. I really don't want to have a theme option on a client, as I've said it just doesn't make any sense. I'd be happy with introducing an SPI or adding to the Theme SPI to let you choose yourself what theme is selected. The Login SPI is rather low-level so it would be better to do something else.

> Cheers
> Travis
>
> On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen wrote:
>> I strongly disagree. With Keycloak you are logging in to a SSO realm, not an individual application. With that in mind it's important that the login screen reflects that. Users need to know the difference as it's an important distinction. It just doesn't make any sense that I'm logged-in to the SSO with a login screen that is themed to look like the login screen for an individual application.
>>
>> Adding an option on clients to set the theme just doesn't make any sense. If we added the option to create SSO "zones" or disable SSO for individual applications then it would make sense to be able to set theme on a per-zone or apps that don't have SSO enabled.
>>
>> On 31 December 2015 at 09:46, Travis De Silva wrote:
>>> Hi,
>>>
>>> My vote is to provide this feature at a client level as per the original request.
>>>
>>> I think realms should be used for completely different domains when we want to isolate users etc. Should not try and use it for something that it was not intended in the design.
>>>
>>> The reason why you might need theming at client level is if you really think that clients which are essentially different applications most of the time and each of these applications might have different look and feel themes (either due to different development teams or vendors building different applications).
>>>
>>> So when someone logins via KeyCloak, it's true that we are logging into a realm but for an end user, it is really logging into an application and there is a need for the login page theme to look similar to the application look and feel.
>>>
>>> Also I have a use case where I have a back office application that requires login for admin users and then I have the front office of this application where in addition to the admin users, you also can have other users as well who can self register and login to the front end which is a consumer facing site.
>>>
>>> How I handle this is by having two clients in the same realm. This works fine if you are happy with the same backend login theme to be there for the consumer facing frontend. But we cannot do that as the front end is a consumer facing SaaS site, so each front end needs to have the client's website theme. This becomes very hard to do if we don't have theming at a client level.
>>>
>>> I came across this post from Bill a few months ago
>>> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
>>>
>>> I am thinking to make use of the client variable that is available in login.ftl and load different freemarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal but it might meet the requirement.
>>>
>>> Cheers
>>> Travis

From sthorger at redhat.com  Tue Jan  5 02:32:32 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Jan 2016 08:32:32 +0100
Subject: [keycloak-user] Can add-user.sh be used to change the admin user password?

The script only adds new users so if the user already exists it won't do anything. You need to create the admin user prior to starting the server in the first place. In the next release we will remove the built-in admin user completely. Instead we'll have an initial page (or add-user script) that can only be accessed from localhost that allows creating an initial user.

On 4 January 2016 at 22:05, Paul Blair wrote:
> I'm running keycloak 1.7.0.Final and tried to use the add-user.sh script to change the admin default password after deployment. The password didn't seem to take.
>
> If I go to the admin console and log in as admin with a password of "admin" I am prompted to change the password.
>
> My understanding was that the purpose of the script was to get away from having an admin user with a default password. Is this not supported yet?
>
> Before trying to change the admin user with the script, I had already brought up the server once and tried to log in as admin. After that I realized I wanted to use the script, and shut everything down before running the script; not sure if that's relevant or not.

From sthorger at redhat.com  Tue Jan  5 02:33:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Jan 2016 08:33:56 +0100
Subject: [keycloak-user] Setting Password for Users.
In-Reply-To: <568b67c5.0f811c0a.ae6fe.ffff9e10@mx.google.com>
References: <568b67c5.0f811c0a.ae6fe.ffff9e10@mx.google.com>

That looks correct to me. What status code do you get back? Any errors in the log?

On 5 January 2016 at 07:51, PAA KOJO KONDUAH AMOS wrote:
> Hello.
>
> I am using Keycloak admin client version 1.7.0.Final to create users from an external application. I am able to create users (with user.setEnabled set to true) and set the password as well. However, when I try to login it fails.
>
> Please can anyone show me a sample code for password reset?
>
> This is what I have so far:
>
> URL: http://localhost:8888/auth/admin/realms/crusadersterling/users/
>
> [...]
>
> Sent from Mail for Windows 10
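Paul Blair's redirect_uri thread above shows the registered pattern https://ApimanLoadBalancer.elb.amazonaws.com/apimanui/* failing to match the lower-case host in the request. The matcher below is an added example, not Keycloak's own RedirectUtils: it models the usual wildcard rule (a pattern ending in /* covers every path under it, anything else must match exactly) and lets you compare the host case-sensitively, as Paul observed, or case-insensitively, as DNS names are; scheme, port and path stay strict either way. The URLs in it are taken from the thread or constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;

/**
 * Added example (not Keycloak code): validates a requested redirect_uri
 * against a client's registered "Valid Redirect URIs".
 *  - a pattern ending in "/*" covers every path below that prefix
 *  - any other pattern must match exactly (path and query)
 *  - scheme is compared case-insensitively, host optionally so,
 *    an explicit port must match literally, the path is compared as-is
 */
public final class RedirectUriMatcher {

    private RedirectUriMatcher() {}

    /** True if redirectUri is covered by at least one registered pattern. */
    public static boolean isValidRedirect(List<String> registered, String redirectUri,
                                          boolean foldHostCase) {
        for (String pattern : registered) {
            if (matches(pattern, redirectUri, foldHostCase)) {
                return true;
            }
        }
        return false;
    }

    static boolean matches(String pattern, String redirectUri, boolean foldHostCase) {
        boolean wildcard = pattern.endsWith("/*");
        // drop only the '*', keep the trailing '/' so "/apimanui/" cannot match "/apimanui-evil"
        String base = wildcard ? pattern.substring(0, pattern.length() - 1) : pattern;
        URI p;
        URI r;
        try {
            p = new URI(base).normalize();
            r = new URI(redirectUri).normalize();   // collapses "/../" segments before comparing
        } catch (URISyntaxException e) {
            return false;                           // unparseable input never matches
        }
        if (p.getScheme() == null || r.getScheme() == null
                || p.getHost() == null || r.getHost() == null) {
            return false;                           // relative or opaque URIs are rejected outright
        }
        // A fragment is not allowed in an OAuth redirect_uri; user-info is a common
        // trick to make "https://trusted@evil.example/" look like the trusted host.
        if (r.getRawFragment() != null || r.getRawUserInfo() != null) {
            return false;
        }
        boolean sameScheme = p.getScheme().equalsIgnoreCase(r.getScheme());
        boolean sameHost = foldHostCase
                ? p.getHost().equalsIgnoreCase(r.getHost())
                : p.getHost().equals(r.getHost());
        boolean samePort = p.getPort() == r.getPort();
        if (!(sameScheme && sameHost && samePort)) {
            return false;
        }
        String pPath = p.getRawPath();
        String rPath = r.getRawPath() == null ? "" : r.getRawPath();
        if (wildcard) {
            return rPath.startsWith(pPath);
        }
        return rPath.equals(pPath) && Objects.equals(p.getRawQuery(), r.getRawQuery());
    }

    public static void main(String[] args) {
        // Constructed from the thread: the registered pattern carries a mixed-case host,
        // the redirect_uri that apiman sends has the host in lower case.
        List<String> registered =
                Arrays.asList("https://ApimanLoadBalancer.elb.amazonaws.com/apimanui/*");
        String requested = "https://apimanloadbalancer.elb.amazonaws.com/apimanui/index.html";

        System.out.println("host compared case-sensitively: "
                + isValidRedirect(registered, requested, false));
        System.out.println("host compared case-insensitively: "
                + isValidRedirect(registered, requested, true));

        // Constructed negative cases: both are rejected regardless of host-case handling.
        String traversal = "https://apimanloadbalancer.elb.amazonaws.com/apimanui/../admin";
        String otherHost = "https://evil.example/apimanui/index.html";
        System.out.println("path traversal: " + isValidRedirect(registered, traversal, true));
        System.out.println("other host: " + isValidRedirect(registered, otherHost, true));
    }
}
```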
From sthorger at redhat.com  Tue Jan  5 02:36:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Jan 2016 08:36:31 +0100
Subject: [keycloak-user] propagating authentication to REST layer
In-Reply-To: <56865A85.7030808@gmail.com>
References: <56865A85.7030808@gmail.com>

On 1 January 2016 at 11:52, Tim Dudgeon wrote:
> The user docs (http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54) describe exactly what I'm looking for:
>
> Signed access tokens can also be propagated by REST client requests within an Authorization header. This is great for distributed integration as applications can request a login from a client to obtain an access token, then invoke any aggregated REST invocations to other services using that access token.
>
> I have a web app (in Tomcat) that uses the Keycloak adapter for user authentication.
> This web app needs to access a REST service, running in a different Tomcat container and I want the REST service to use the same user authentication, but I'm not totally sure about how to go about this.
> Do I just grab the keycloak token in the header in the web app and add that as a header when calling the REST service, and set the REST service up to use the same Keycloak adapter configuration as the web app?

You could or you can get the token from the adapter. Take a look at:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48

> What if I want to have other ways to authenticate the REST service (e.g. access from multiple clients)?

Not sure what you mean about this

> Tim

From sthorger at redhat.com  Tue Jan  5 02:39:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Jan 2016 08:39:25 +0100
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
In-Reply-To: <83FA22EE27AA7949A5F616D4DD6AF71E16412A86@INBLRMBX002.INDECOMM.LOCAL>
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F502@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E16412836@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E16412A86@INBLRMBX002.INDECOMM.LOCAL>

Hi,

Afraid we don't have an adapter for Glassfish (we'd love to have one though if anyone wants to contribute). We had considered a JASPIC adapter in the past, but not sure what happened to it. We do have a plain filter based adapter:
https://github.com/keycloak/keycloak/tree/master/integration/servlet-filter/src/main/java/org/keycloak/adapters/servlet

On 5 January 2016 at 06:52, Mahantesh Prasad Katti <Mahantesh.Katti at indecomm.net> wrote:
> I was wondering if we need to write some JASPIC module for glassfish in order for this to work? Or if there's an adapter SDK that can be used?
>
> Thanks
> Prasad
>
> From: Mahantesh Prasad Katti
> Sent: Monday, January 04, 2016 7:14 PM
> To: Mahantesh Prasad Katti; Johan B.
> [...]
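Stian's answer to Tim Dudgeon above points at CustomerDatabaseClient.java for passing the logged-in user's token on to a second service. The servlet below is an added example of that pattern, not the code from the Keycloak repository: it reads the token the Keycloak servlet adapter has already validated and forwards it as a Bearer header. It assumes the web app is protected by the adapter, that the REST service is a bearer-only client in the same realm, and that REST_URL (hypothetical) is that service's endpoint; Apache HttpClient is used as in the reset-password code earlier in the thread.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.keycloak.KeycloakSecurityContext;

/**
 * Added example (not Keycloak's own sample): a servlet in a Keycloak-protected
 * web app that calls a bearer-only REST service on behalf of the current user
 * by forwarding the user's access token.
 *
 * Assumed REST-side keycloak.json (same realm, its own client; values constructed):
 *   { "realm": "demo", "resource": "customer-rest", "bearer-only": true,
 *     "auth-server-url": "https://sso.example/auth", "ssl-required": "external" }
 * A bearer-only client never redirects to the login page; it only verifies the
 * signature and expiry of tokens presented in the Authorization header.
 */
public class CustomerListServlet extends HttpServlet {

    private static final String REST_URL = "https://rest.example/api/customers"; // hypothetical

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The adapter attaches the validated security context to the request after login.
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // Only reachable if this servlet is not covered by a <security-constraint> in web.xml.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getTokenString() is the signed JWT the adapter verified; the REST side verifies it
        // again itself, so nothing about the user needs to be trusted from this app.
        String accessToken = ctx.getTokenString();

        try (CloseableHttpClient client = HttpClientBuilder.create().build()) {
            HttpGet get = new HttpGet(REST_URL);
            get.setHeader("Authorization", "Bearer " + accessToken);
            get.setHeader("Accept", "application/json");

            HttpResponse rest = client.execute(get);
            int status = rest.getStatusLine().getStatusCode();
            if (status == 401 || status == 403) {
                // Token expired, or the user lacks the role the REST service requires.
                // Surface it rather than retrying; the adapter will refresh on the next login.
                resp.sendError(status, "REST service rejected the propagated token");
                return;
            }
            if (status < 200 || status > 299) {
                resp.sendError(HttpServletResponse.SC_BAD_GATEWAY,
                        "REST service returned " + status);
                return;
            }

            String body = EntityUtils.toString(rest.getEntity(), StandardCharsets.UTF_8);
            resp.setContentType("application/json");
            resp.setCharacterEncoding("UTF-8");
            resp.getWriter().write(body);
        }
    }
}
```

The web app itself keeps its normal (confidential or public) client configuration; only the REST side is bearer-only, which is what the "set the REST service up to use the same adapter configuration" question comes down to.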
From sthorger at redhat.com  Tue Jan  5 02:44:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Jan 2016 08:44:15 +0100
Subject: [keycloak-user] Ajax login

You can use the Resource Owner Password Credentials (we call it direct grant) flow from OAuth2 with Keycloak. That lets you exchange a username/password for a token. We highly recommend you stick with the redirect based login though. It's more secure and you get a lot of extra features that way (required actions, totp, reset password, SSO, etc, etc)

On 4 January 2016 at 20:11, Helder dos S. Alves wrote:
> Hi everybody.
>
> I'm new to Keycloak and I wonder if it is possible to login via ajax without redirecting to a login page.
> Maybe anyone has already asked it (and others answered it, I hope), but I could not find a way to search on older topics.
>
> Thanks in advance.
>
> Helder Alves

From satyajit.das at spire2grow.com  Tue Jan  5 02:47:54 2016
From: satyajit.das at spire2grow.com (Satyajit Das)
Date: Tue, 5 Jan 2016 13:17:54 +0530
Subject: [keycloak-user] Additional Required functionalities

Hi Team,

Can you guys please incorporate the below functionalities in subsequent releases.

1) Bulk User creation via restful services (for a particular realm)
2) Reset password/ Forgot password functionality for a particular user via restful services.
3) Social network ids registration and login via restful services eg: google or facebook registering to keycloak.

Regards,
Satya.
From sthorger at redhat.com  Tue Jan  5 03:06:00 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Jan 2016 09:06:00 +0100
Subject: [keycloak-user] [keycloak-dev] Additional Required functionalities

On 5 January 2016 at 08:47, Satyajit Das wrote:
> Hi Team,
>
> Can you guys please incorporate the below functionalities in subsequent releases.
>
> 1) Bulk User creation via restful services (for a particular realm)

Should be coming soon through partial import/export feature we're adding

> 2) Reset password/ Forgot password functionality for a particular user via restful services.

We have this for admin endpoints

> 3) Social network ids registration and login via restful services eg: google or facebook registering to keycloak.

Not sure what you mean, but you can create users and register social links through the admin endpoints

> Regards,
> Satya.

From alex_orl1079 at yahoo.it  Tue Jan  5 03:24:00 2016
From: alex_orl1079 at yahoo.it (alex orl)
Date: Tue, 5 Jan 2016 08:24:00 +0000 (UTC)
Subject: [keycloak-user] spring security integration example
References: <2041853853.145597.1451982240990.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <2041853853.145597.1451982240990.JavaMail.yahoo@mail.yahoo.com>

hi to all, i was looking for a complete example of integration of a spring-secured application with keycloak sso. Is it available? thanks.
From andrey.saroul at gmail.com  Tue Jan  5 03:35:19 2016
From: andrey.saroul at gmail.com (Andrey Saroul)
Date: Tue, 5 Jan 2016 11:35:19 +0300
Subject: [keycloak-user] Spring Security annotation problem

Scott, thanks for your reply!

Finally, I came about your examples https://github.com/Smartling/spring-security-keycloak and tried to run it on latest keycloak versions (1.7.0.Final) and it worked like a charm on Tomcat embed server. But when I tried to deploy it on my WildFly 9.0.2 server I encountered a few problems (now I'm trying to resolve them). The main question I have is this: I'm wondering how you managed your login-config auth method to be Keycloak without even having web.xml. Nevertheless, your app is working correctly. Is it "magic" of Spring Boot config? Or is there no mandatory auth method you have to specify now? Though docs say that you have to have this section in web.xml:

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>tms</realm-name>
    </login-config>

2016-01-02 18:32 GMT+03:00 Scott Rossillo:
> You still have to configure Spring Security using Keycloak. See the documentation for an annotation based configuration. Once that's set up your other annotations will work.
>
> PS - make sure to follow Spring Security naming conventions for roles. For the example above that would be ROLE_ADMIN
>
> On Fri, Jan 1, 2016 at 4:44 AM Andrey Saroul wrote:
>> Hello! I'm just a beginner in Spring Security, but I would like to know whether it is possible to configure keycloak in a way that I can use @PreAuthorize, @PostAuthorize, @Secured and other annotations.
>> For example, I've configured the keycloak-spring-security-adapter and Spring Security in my simple Spring Rest webapp so that I have access to the Principal object in my controller, like this:
>>
>>     @RestController
>>     public class TMSRestController {
>>
>>         @RequestMapping("/greeting")
>>         public Greeting greeting(Principal principal, @RequestParam(value="name") String name) {
>>             return new Greeting(String.format(template, name));
>>         }
>>         ...
>>     }
>>
>> But when I try this (just an example, actually I want to execute a custom EL expression before authorization):
>>
>>     @RestController
>>     public class TMSRestController {
>>
>>         @RequestMapping("/greeting")
>>         @PreAuthorize("hasRole('ADMIN')")
>>         public Greeting greeting(Principal principal, @RequestParam(value="name") String name) {
>>             return new Greeting(String.format(template, name));
>>         }
>>         ...
>>     }
>>
>> ... I get exception: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
>>
>> What do I need to make these spring security annotations work?

From pkkamos at gmail.com  Tue Jan  5 04:08:48 2016
From: pkkamos at gmail.com (PAA KOJO KONDUAH AMOS)
Date: Tue, 5 Jan 2016 09:08:48 +0000
Subject: [keycloak-user] Setting Password for Users.
References: <568b67c5.0f811c0a.ae6fe.ffff9e10@mx.google.com>
Message-ID: <568b8800.2269c20a.7eae7.5063@mx.google.com>

There are no errors at all. The user gets created nicely. It is the credentials part which doesn't take effect. So when I log in, it says Invalid Username/Password.
Sent from Mail for Windows 10

From: Stian Thorgersen
Sent: Tuesday, January 5, 2016 7:33 AM
To: PAA KOJO KONDUAH AMOS
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Setting Password for Users.

That looks correct to me. What status code do you get back? Any errors in the log?

On 5 January 2016 at 07:51, PAA KOJO KONDUAH AMOS wrote:

Hello.

I am using Keycloak admin client version 1.7.0.Final to create users from an external application. I am able to create Users (with user.setEnabled set to true) and set the password as well. However, when I try to login it fails.

Please can anyone show me a sample code for password reset?

This is what I have so far:

URL: http://localhost:8888/auth/admin/realms/crusadersterling/users/

    public void resetPassword(String userId, String token) throws IOException, Failure {

        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue("123456");
        credential.setTemporary(true);

        HttpClient client = HttpClientBuilder.create().build();
        ObjectMapper mapper = new ObjectMapper();
        String json = null;
        try {
            String usesUrl = PropertiesUtil.getValue("reset_password");
            HttpPut put = new HttpPut(usesUrl + userId + "/reset-password");
            put.addHeader("Authorization", "Bearer " + token);
            put.setHeader("Content-Type", "application/json");
            put.setHeader("Accept", "application/json");
            json = mapper.writeValueAsString(credential);
            StringEntity entity = new StringEntity(json);
            put.setEntity(entity);
            try {
                HttpResponse response = client.execute(put);

                if (!String.valueOf(response.getStatusLine().getStatusCode()).startsWith("20")) {
                    System.err.println(response.getStatusLine().getReasonPhrase());
                    throw new Failure(response.getStatusLine().getStatusCode());
                }

            } catch (IOException | Failure | IllegalStateException e) {
                throw e;
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        } finally {
            client.getConnectionManager().shutdown();
        }
    }

Sent from Mail for Windows 10
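Added example, not the poster's code: the same create-user and set-password sequence written against the keycloak-admin-client library instead of raw HttpClient calls, and extended with a realm-role grant, which needs the role representation (carrying its id) looked up first. The server URL, realm name, admin credentials and the sample user are constructed placeholders, and the admin-client method names are assumed from the keycloak-admin-client artifact and should be checked against the version in use.

```java
import java.util.Collections;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/** Provisions a user through the Keycloak admin REST API using keycloak-admin-client. */
public class UserProvisioner {

    /** POST .../users; the new user's id is only returned in the Location header. */
    public static String createUser(RealmResource realm, String username, String email) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEmail(email);
        user.setEnabled(true); // a disabled user is rejected at login regardless of password

        Response response = realm.users().create(user);
        try {
            // 201 Created is the only success; 409 Conflict means the username is taken
            if (response.getStatus() != 201) {
                throw new IllegalStateException("user creation failed: HTTP " + response.getStatus());
            }
            // Location: .../admin/realms/{realm}/users/{id} -> take the last path segment
            String path = response.getLocation().getPath();
            return path.substring(path.lastIndexOf('/') + 1);
        } finally {
            response.close();
        }
    }

    /** PUT .../users/{id}/reset-password with a CredentialRepresentation of type "password". */
    public static void setPassword(RealmResource realm, String userId, String password,
                                   boolean temporary) {
        CredentialRepresentation cred = new CredentialRepresentation();
        cred.setType(CredentialRepresentation.PASSWORD);
        cred.setValue(password);
        // temporary=true makes Keycloak force a password change at the user's next login
        cred.setTemporary(temporary);
        realm.users().get(userId).resetPassword(cred);
    }

    /** Role mappings are added by representation, so the role is fetched by name first. */
    public static void grantRealmRole(RealmResource realm, String userId, String roleName) {
        RoleRepresentation role = realm.roles().get(roleName).toRepresentation();
        realm.users().get(userId).roles().realmLevel().add(Collections.singletonList(role));
    }

    public static void main(String[] args) {
        // Placeholder server, realm and admin credentials (constructed for this example).
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth", "master", "admin", "ADMIN_PASSWORD", "admin-cli");
        RealmResource realm = keycloak.realm("example-realm");

        String userId = createUser(realm, "jdoe", "jdoe@example.com");
        setPassword(realm, userId, "ChangeMe-2016!", true);
        grantRealmRole(realm, userId, "user");
        System.out.println("provisioned user " + userId);
    }
}
```

The admin user supplying the bearer token needs the realm-management roles for user and role-mapping management in the target realm; a 403 on any of these calls points at that, not at the request body.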
From tdudgeon.ml at gmail.com Tue Jan 5 04:19:33 2016
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Tue, 5 Jan 2016 09:19:33 +0000
Subject: [keycloak-user] propagating authentication to REST layer
In-Reply-To:
References: <56865A85.7030808@gmail.com>
Message-ID: <568B8AA5.3070001@gmail.com>

On 05/01/2016 07:36, Stian Thorgersen wrote:
>
> On 1 January 2016 at 11:52, Tim Dudgeon wrote:
>
>     The user docs
>     (http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54)
>     describe exactly what I'm looking for:
>
>>     Signed access tokens can also be propagated by REST client
>>     requests within an Authorization header. This is great for
>>     distributed integration as applications can request a login from
>>     a client to obtain an access token, then invoke any aggregated
>>     REST invocations to other services using that access token.
>
>     I have a web app (in Tomcat) that uses the Keycloak adapter for
>     user authentication.
>     This web app needs to access a REST service, running in a
>     different Tomcat container and I want the REST service to use the
>     same user authentication, but I'm not totally sure about how to go
>     about this.
>     Do I just grab the keycloak token in the header in the web app and
>     add that as a header when calling the REST service, and set the
>     REST service up to use the same Keycloak adapter configuration as
>     the web app?
>
> You could or you can get the token from the adapter. Take a look at:
>
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48

Thanks. That's useful.

>     What if I want to have other ways to authenticate the REST service
>     (e.g. access from multiple clients)?
>
> Not sure what you mean about this

For example, let's assume we have 2 apps, authenticating against the same Keycloak realm, but as separate clients. Both hit the same REST service and pass through their token to that service. How is the REST service to authenticate the requests? All it really needs to do is check that the tokens are valid and come from the expected (keycloak) source, even though the tokens were generated for different clients. Is there an adapter that handles this?

Tim

>     Tim
>

From traviskds at gmail.com Tue Jan 5 06:22:22 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Tue, 05 Jan 2016 11:22:22 +0000
Subject: [keycloak-user] Different theme for each client
In-Reply-To:
References:
Message-ID:

Hi Stian,

SSO zones will not help in my use case because I actually want SSO between clients. For example, let's say I have the following clients

Client1
Client2

and have the following users

User1
User2
User3

and I want User1 to be able to login to Client1 using its own application theme, User2 to login to Client2 using its own application theme and User3 can login to either Client1 or Client2 and they get SSO across the two clients.

How can we do this with your proposed SSO zones?

The more I think of this, it would be better to just give access to various end points in the login process (e.g. forgot password, social login, register user etc). This I believe will be more flexible as we can then use it for these edge cases. Any thoughts on this?
Cheers Travis On Tue, 5 Jan 2016 at 18:29 Stian Thorgersen wrote: > On 4 January 2016 at 14:25, Travis De Silva wrote: > >> HI Stian, >> >> Adding SSO zones just to address the theming issue looks a bit overkill >> to me as it will eventually come down to doing some theming at a level >> below the realm. I was going on the basis that if theming is not set at a >> client level, then it will default to the realm level theming which is >> basically your SSO enabled zone. >> > >> Also my other point was with regard to SaaS based applications where we >> have a backoffice system which is themed as per our SaaS product but the >> consumer facing front end needs to be themed to be aligned with the >> customer's web site. In this case, we cannot go with what KeyCloak has at >> present. What I am doing is as suggested by Bill sometime back, adding >> "if/else" statements into the freemarker templates and based on the client >> id loading different freemarker templates which is not ideal but does the >> job. >> >> In any case, since what we are discussing is in general edge cases, >> Therefore instead of complicating the core KeyCloak platform, why don't you >> just expose the various links/flows that is currently available in the >> login process (forgot password/reset credentials, required actions >> (update password, verify email, configure OTP, etc.), user account mgmt, >> registration, social login etc. Then we are still using the core of >> keycloak but for the frontend themes/UI, we use our own. >> >> I also haven't explored the Login SPI which as per the KeyCloak docs >> which says "The Login SPI allows implementing the login forms using >> whatever web framework or templating engine you want". Wonder if this will >> give us what we are after. >> > > Sounds like an SSO zone is exactly what you'd want, so I'm not sure why > you are so against that. > > I really don't want to have a theme option on a client, as I've said it > just doesn't make any sense. 
> I'd be happy with introducing an SPI or adding
> to the Theme SPI to let you choose yourself what theme is selected. The
> Login SPI is rather low-level so it would be better to do something else.
>
>> Cheers
>> Travis
>>
>> On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen wrote:
>>
>>> I strongly disagree. With Keycloak you are logging in to a SSO realm,
>>> not an individual application. With that in mind it's important that the
>>> login screen reflects that. Users need to know the difference as it's an
>>> important distinction. It just doesn't make any sense that I'm logged-in to
>>> the SSO with a login screen that is themed to look like the login screen
>>> for an individual application.
>>>
>>> Adding an option on clients to set the theme just doesn't make any
>>> sense. If we added the option to create SSO "zones" or disable SSO for
>>> individual applications then it would make sense to be able to set theme on
>>> a per-zone or apps that doesn't have SSO enabled.
>>>
>>> On 31 December 2015 at 09:46, Travis De Silva wrote:
>>>
>>>> Hi,
>>>>
>>>> My vote is to provide this feature at a client level as per the
>>>> original request.
>>>>
>>>> I think realms should be used for completely different domains when we
>>>> want to isolate users etc. Should not try and use it for something that it
>>>> was not intended in the design.
>>>>
>>>> The reason why you might need theming at client level is if you
>>>> really think that clients which are essentially different applications most
>>>> of the time and each of these applications might have different look and
>>>> feel themes (either due to different development teams or vendors building
>>>> different applications).
>>>>
>>>> So when someone logs in via KeyCloak, it's true that we are logging into
>>>> a realm but for an end user, it is really logging into an application and
>>>> there is a need for the login page theme to look similar to the application
>>>> look and feel.
>>>>
>>>> Also I have a use case where I have a back office application that
>>>> requires login for admin users and then I have the front office of this
>>>> application where in addition to the admin users, you also can have other
>>>> users as well who can self register and login to the front end which is a
>>>> consumer facing site.
>>>>
>>>> How I handle this is by having two clients in the same realm. This
>>>> works fine if you are happy with the same backend login theme to be there
>>>> for the consumer facing frontend. But we cannot do that as the front end is
>>>> a consumer facing SaaS site, so each front end needs to have the client's
>>>> website theme. This becomes very hard to do if we don't have theming at a
>>>> client level.
>>>>
>>>> I came across this post from Bill a few months ago
>>>> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
>>>>
>>>> I am thinking to make use of the client variable that is available in
>>>> login.ftl and load different freemarker fragments that will then theme it
>>>> differently for each client. As mentioned by Bill, having many if
>>>> conditions might not be ideal but it might meet the requirement.
>>>>
>>>> Cheers
>>>> Travis

From malmi.suh at gmail.com Tue Jan 5 06:47:07 2016
From: malmi.suh at gmail.com (Malmi Samarasinghe)
Date: Tue, 5 Jan 2016 17:17:07 +0530
Subject: [keycloak-user] Keycloak User Registration Flow
Message-ID:

Hi All,

I am currently working on registering a user with user realm role and client role assignment.
Steps followed

1/ create user (retrieve the user ID from the Location header)
2/ get user details
3/ update password
4/ create realm role
5/ retrieve all realm roles and filter the ones which need to be assigned (since the assignment of roles requires the role ID)
6/ assign realm role
7/ same for the application roles as well, which also has multiple iterations for each client

With all the API calls the user registration seems to have 8+ API calls and I would like to know if there are any other alternatives/suggestions to get the user registration flow working more efficiently. Is there any plan to give a consolidated user registration API in the future?

Regards,

From Mahantesh.Katti at Indecomm.net Tue Jan 5 07:26:03 2016
From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti)
Date: Tue, 5 Jan 2016 12:26:03 +0000
Subject: [keycloak-user] Keycloak to secure web applications deployed in glassfish
In-Reply-To:
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F4A6@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F4CE@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E1640F502@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E16412836@INBLRMBX002.INDECOMM.LOCAL> <83FA22EE27AA7949A5F616D4DD6AF71E16412A86@INBLRMBX002.INDECOMM.LOCAL>
Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E16412BAE@INBLRMBX002.INDECOMM.LOCAL>

Thanks Stian. Appreciate you taking the time to respond. I will take a look at the filter based adapter that you have mentioned.
Prasad

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, January 05, 2016 1:09 PM
To: Mahantesh Prasad Katti
Cc: Johan B.; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Hi,

Afraid we don't have an adapter for Glassfish (we'd love to have one though if anyone wants to contribute). We had considered a JASPIC adapter in the past, but not sure what happened to it.

We do have a plain filter based adapter:
https://github.com/keycloak/keycloak/tree/master/integration/servlet-filter/src/main/java/org/keycloak/adapters/servlet

On 5 January 2016 at 06:52, Mahantesh Prasad Katti wrote:

I was wondering if we need to write some JASPIC module for glassfish in order for this to work? Or if there's an adapter SDK that can be used?

Thanks
Prasad

From: Mahantesh Prasad Katti
Sent: Monday, January 04, 2016 7:14 PM
To: Mahantesh Prasad Katti; Johan B.
Cc: keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Keycloak support team, I need some inputs on this use case. Could you please throw some light on the same.

-Prasad

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Mahantesh Prasad Katti
Sent: Sunday, January 03, 2016 1:34 AM
To: Johan B.
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Np. I assume the support team is also part of this mailing list [making sure I don't need to post this message on another forum].

From: johan.bos at gmail.com [mailto:johan.bos at gmail.com] On Behalf Of Johan B.
Sent: Sunday, January 03, 2016 1:26 AM
To: Mahantesh Prasad Katti
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Forget about jetty.
The doc does not provide any support for glassfish, nor does the download section. You will have to wait for a support answer.

Sorry

Le samedi 2 janvier 2016, Johan B. a écrit :

https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html

You may have to wait for one of the keycloak support to give you details on which part is applying to you. To me probably the jetty part is your best try.

Le samedi 2 janvier 2016, Mahantesh Prasad Katti a écrit :

Thanks Johan for the info. I could not find any documentation for an adapter for glassfish on the official links.

https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#jboss-adapter-installation

-Prasad

From: Johan B. [mailto:johan.bos at gmail.com]
Sent: Sunday, January 03, 2016 1:00 AM
To: Mahantesh Prasad Katti
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak to secure web applications deployed in glassfish

Hi

You are missing the adapter installation. Each app server must have the adapter configured so the security ctx KEYCLOAK has some meaning to your app server. See the documentation part about the adapter installation. Depending on the server type you have either lib only to provide to your server lib or some more configuration to do. For tomcat I only had to copy some jars.

On the download section there is an adapter folder in which you will find an archive with the things to install on your server type.

Hope this helps

Le samedi 2 janvier 2016, Mahantesh Prasad Katti a écrit :

Hi All,

I have some web applications deployed in glassfish. And we are trying to implement SSO using keycloak. I wanted to understand if keycloak secures and provides sso support for applications deployed on glassfish or if it is applicable to applications deployed on jboss only?

I tried to secure a glassfish web application using keycloak [specifying the keycloak pom dependencies, keycloak.json and related entries in web.xml],
but I could not see the direction happening to keycloak for authentication. Am I missing something here?

Appreciate any pointers.

Regards
Prasad

From alex_orl1079 at yahoo.it Tue Jan 5 07:25:04 2016
From: alex_orl1079 at yahoo.it (alex orl)
Date: Tue, 5 Jan 2016 12:25:04 +0000 (UTC)
Subject: [keycloak-user] AdapterDeploymentContextBean no default constructor
References: <401896812.396749.1451996704708.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <401896812.396749.1451996704708.JavaMail.yahoo@mail.yahoo.com>

I'm working on keycloak 1.7.0 final.
I'm trying to integrate a new Spring secured web application with the keycloak sso mechanism.
Following the last guide reference, specifically chapter 8.10, I wrote a keycloak-security-context.xml containing the specified configuration.
When I deploy the application I get this error:

Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean]: No default constructor found; nested exception is java.lang.NoSuchMethodException: org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean.()

Effectively AdapterDeploymentContextBean
https://github.com/keycloak/keycloak/blob/1.7.x/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/AdapterDeploymentContextBean.java
doesn't declare the default constructor.
What am I missing?
From thomas.raehalme at aitiofinland.com Tue Jan 5 07:35:14 2016
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Tue, 5 Jan 2016 14:35:14 +0200
Subject: [keycloak-user] AdapterDeploymentContextBean no default constructor
In-Reply-To: <401896812.396749.1451996704708.JavaMail.yahoo@mail.yahoo.com>
References: <401896812.396749.1451996704708.JavaMail.yahoo.ref@mail.yahoo.com> <401896812.396749.1451996704708.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

Hi!

I think the documentation is a bit out of date on this one. You should provide the path to keycloak.json as the constructor argument, eg:

Also, please note that in the upcoming version 1.8.0.Final there will be a change regarding this configuration. The documentation has been updated to match the new code.

Best regards,
Thomas

On Tue, Jan 5, 2016 at 2:25 PM, alex orl wrote:
>
> I'm working on keycloak 1.7.0 final.
> I'm trying to integrate a new Spring secured web application with the keycloak
> sso mechanism.
> Following the last guide reference, specifically chapter 8.10, I wrote
> a keycloak-security-context.xml containing the specified configuration.
> When I deploy the application I get this error:
>
> Caused by: org.springframework.beans.BeanInstantiationException: Could not
> instantiate bean class
> [org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean]: No
> default constructor found; nested exception is
> java.lang.NoSuchMethodException:
> org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean.()
>
> Effectively AdapterDeploymentContextBean
> https://github.com/keycloak/keycloak/blob/1.7.x/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/AdapterDeploymentContextBean.java
> doesn't declare the default constructor.
> What am I missing?
From jayblanc at gmail.com Tue Jan 5 08:18:14 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Tue, 05 Jan 2016 13:18:14 +0000
Subject: [keycloak-user] Problem using SAML IdP
In-Reply-To: <5679AE36.8060701@redhat.com>
References: <5679AE36.8060701@redhat.com>
Message-ID:

Hi Bill,

Thanks for your answer regarding transient and temporary ids. I understand the problem due to keycloak account creation and binding to the IdP.

Renater is using Shibboleth; is there any work on shibboleth integration for keycloak?
If I look into the idps entities descriptors of renater, I found that it also uses another nameid format based on the shibboleth namespace:

urn:mace:shibboleth:1.0:nameIdentifier
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Do you think it is possible to patch the saml idp provider (or to create another one dedicated to shibboleth) in order to integrate keycloak into our identity federation (renater)?

Best wishes for this upcoming year and thanks for your great work around keycloak.

Jérôme.

Le mar. 22 déc. 2015 à 21:10, Bill Burke a écrit :

> Our brokering doesn't support temporary user ids from the "parent" IDP.
> Transient Ids in SAML or temporary ids.
>
> On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:
> > Hi,
> >
> > I'm trying to integrate keycloak into the french research federation
> > of identity (renater) and I'm facing some problems.
> > Actually, when the IdP responds to keycloak I'm getting the following error:
> > PL00084: Writer: Unsupported Attribute
> > Value:org.keycloak.dom.saml.v2.assertion.NameIDType
> >
> > It seems that this IdP is using transient NameID policy only and using
> > the unspecified field in the idp config in keycloak generates this
> > exception as a return.
> >
> > Log of the keycloak server is joined.
> >
> > I have no idea of what is happening because when I was using the test
> > federation, everything was working but now I'm in the production
> > federation, login fails.
> >
> > The renater federation is using Shibboleth and keycloak is not supported
> > by federation moderators so I'm alone in the dark now...
> >
> > Renater provides an IdP list that I have to parse and synchronize with
> > IdP in keycloak. As a return I provide a list of all endpoints for each
> > keycloak registered IdP to allow federation IdP to answer correctly to
> > the right endpoint. All of this is done by a small web app deployed
> > aside keycloak and using REST API to synchronize all the IdP.
> >
> > One of the IdP entity descriptor is joined.
> > As you can see, only
> > transient nameid policy is supported and if I configure keycloak to use
> > email or persistent, I received a response saying that the nameid is not
> > supported:
> >
> > xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> > AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
> > Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
> > ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
> > IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
> > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> > Version="2.0">
> > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
> > https://demo-auth.ortolang.fr/auth/realms/ortolang
> > AllowCreate="true"
> > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
> >
> > Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
> > ID="_9d03761957aade819b6823c35bbab278"
> > InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
> > IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
> > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> > https://janus.cnrs.fr/idp
> > Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
> > Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>Required
> > NameID format not
> > supported
> >
> > Any help would be gracefully appreciated.
> >
> > Thanks a lot, Jérôme.
> >
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From alex_orl1079 at yahoo.it Tue Jan 5 08:47:17 2016
From: alex_orl1079 at yahoo.it (alex orl)
Date: Tue, 5 Jan 2016 13:47:17 +0000 (UTC)
Subject: [keycloak-user] AdapterDeploymentContextBean no default constructor
In-Reply-To:
References:
Message-ID: <1836275380.477098.1452001637796.JavaMail.yahoo@mail.yahoo.com>

thanks for answering... are there other out-of-date configuration instructions? thanks

Il Martedì 5 Gennaio 2016 13:35, Thomas Raehalme ha scritto:

Hi!

I think the documentation is a bit out of date on this one. You should provide the path to keycloak.json as the constructor argument, eg:

Also, please note that in the upcoming version 1.8.0.Final there will be a change regarding this configuration. The documentation has been updated to match the new code.
Best regards,
Thomas

On Tue, Jan 5, 2016 at 2:25 PM, alex orl wrote:

I'm working on keycloak 1.7.0 final.
I'm trying to integrate a new Spring secured web application with the keycloak sso mechanism.
Following the last guide reference, specifically chapter 8.10, I wrote a keycloak-security-context.xml containing the specified configuration.
When I deploy the application I get this error:

Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean]: No default constructor found; nested exception is java.lang.NoSuchMethodException: org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean.()

Effectively AdapterDeploymentContextBean
https://github.com/keycloak/keycloak/blob/1.7.x/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/AdapterDeploymentContextBean.java
doesn't declare the default constructor.
What am I missing?

From thomas.raehalme at aitiofinland.com Tue Jan 5 09:45:04 2016
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Tue, 5 Jan 2016 16:45:04 +0200
Subject: [keycloak-user] AdapterDeploymentContextBean no default constructor
In-Reply-To: <1836275380.477098.1452001637796.JavaMail.yahoo@mail.yahoo.com>
References: <1836275380.477098.1452001637796.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

On Jan 5, 2016 15:47, "alex orl" wrote:
>
> thanks for answering...
> are there other out-of-date configuration instructions?
> thanks

Not that I know of.

Best regards,
Thomas

> Il Martedì 5 Gennaio 2016 13:35, Thomas Raehalme <thomas.raehalme at aitiofinland.com> ha scritto:
>
> Hi!
>
> I think the documentation is a bit out of date on this one. You should provide the path to keycloak.json as the constructor argument, eg:
>
> Also, please note that in the upcoming version 1.8.0.Final there will be a change regarding this configuration. The documentation has been updated to match the new code.
>
> Best regards,
> Thomas
>
> On Tue, Jan 5, 2016 at 2:25 PM, alex orl wrote:
>>
>> I'm working on keycloak 1.7.0 final.
>> I'm trying to integrate a new Spring secured web application with the keycloak sso mechanism.
>> Following the last guide reference, specifically chapter 8.10, I wrote a keycloak-security-context.xml containing the specified configuration.
>> When I deploy the application I get this error:
>>
>> Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean]: No default constructor found; nested exception is java.lang.NoSuchMethodException: org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean.()
>>
>> Effectively AdapterDeploymentContextBean
>> https://github.com/keycloak/keycloak/blob/1.7.x/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/AdapterDeploymentContextBean.java
>> doesn't declare the default constructor.
>> What am I missing?
From srossillo at smartling.com Tue Jan 5 09:52:48 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Tue, 5 Jan 2016 09:52:48 -0500
Subject: [keycloak-user] Different theme for each client
In-Reply-To:
References:
Message-ID: <21D76280-2ACE-4405-BE8B-70722B3EB7FC@smartling.com>

Isn't this whole idea of client specific themes just going to confuse users? Think about logging into Google. Mail, calendar, drive, etc., all share the same login screen and are all SSO clients. Wouldn't you be confused if it looked different for each app? Either way you're authenticating with Google.

If you want to customize the consent screen for external clients, that makes a bit more sense but it should be done in a very standard way, like allowing a custom logo per external client you're authorizing. If you completely re-theme the consent screen even, you're going to confuse users IMO.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Jan 5, 2016, at 6:22 AM, Travis De Silva wrote:
>
> Hi Stian,
>
> SSO zones will not help in my use case because I actually want SSO between clients. For example, let's say I have the following clients
>
> Client1
> Client2
>
> and have the following users
>
> User1
> User2
> User3
>
> and I want User1 to be able to login to Client1 using its own application theme, User2 to login to Client2 using its own application theme and User3 can login to either Client1 or Client2 and they get SSO across the two clients.
>
> How can we do this with your proposed SSO zones?
>
> The more I think of this, it would be better to just give access to various end points in the login process (e.g. forgot password, social login, register user etc). This I believe will be more flexible as we can then use it for these edge cases. Any thoughts on this?
> > Cheers > Travis > > On Tue, 5 Jan 2016 at 18:29 Stian Thorgersen > wrote: > On 4 January 2016 at 14:25, Travis De Silva > wrote: > HI Stian, > > Adding SSO zones just to address the theming issue looks a bit overkill to me as it will eventually come down to doing some theming at a level below the realm. I was going on the basis that if theming is not set at a client level, then it will default to the realm level theming which is basically your SSO enabled zone. > > Also my other point was with regard to SaaS based applications where we have a backoffice system which is themed as per our SaaS product but the consumer facing front end needs to be themed to be aligned with the customer's web site. In this case, we cannot go with what KeyCloak has at present. What I am doing is as suggested by Bill sometime back, adding "if/else" statements into the freemarker templates and based on the client id loading different freemarker templates which is not ideal but does the job. > > In any case, since what we are discussing is in general edge cases, Therefore instead of complicating the core KeyCloak platform, why don't you just expose the various links/flows that is currently available in the login process (forgot password/reset credentials, required actions (update password, verify email, configure OTP, etc.), user account mgmt, registration, social login etc. Then we are still using the core of keycloak but for the frontend themes/UI, we use our own. > > I also haven't explored the Login SPI which as per the KeyCloak docs which says "The Login SPI allows implementing the login forms using whatever web framework or templating engine you want". Wonder if this will give us what we are after. > > Sounds like an SSO zone is exactly what you'd want, so I'm not sure why you are so against that. > > I really don't want to have a theme option on a client, as I've said it just doesn't make any sense. 
I'd be happy with introducing an SPI or adding to the Theme SPI to let you choose yourself what theme is selected. The Login SPI is rather low-level so it would be better to do something else. > > > Cheers > Travis > > > > > > > > On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen > wrote: > I strongly disagree. With Keycloak you are logging in to a SSO realm, not an individual application. With that in mind it's important that the login screen reflects that. Users need to know the difference as it's an important distinction. It just doesn't make any sense that I'm logged-in to the SSO with a login screen that is themed to look like the login screen for an individual application. > > Adding an option on clients to set the theme just doesn't make any sense. If we added the option to create SSO "zones" or disable SSO for individual applications then it would make sense to be able to set theme on a per-zone basis or for apps that don't have SSO enabled. > > On 31 December 2015 at 09:46, Travis De Silva > wrote: > Hi, > > My vote is to provide this feature at a client level as per the original request. > > I think realms should be used for completely different domains when we want to isolate users etc. Should not try and use it for something that it was not intended for in the design. > > The reason why you might need theming at client level is if you really think that clients, which are essentially different applications most of the time, and each of these applications might have different look and feel themes (either due to different development teams or vendors building different applications). > > So when someone logs in via KeyCloak, it's true that we are logging into a realm but for an end user, it is really logging into an application and there is a need for the login page theme to look similar to the application look and feel.
> > Also I have a use case where I have a back office application that requires login for admin users and then I have the front office of this application where in addition to the admin users, you also can have other users as well who can self register and login to the front end which is a consumer facing site. > > How I handle this is by having two clients in the same realm. This works fine if you are happy with the same backend login theme to be there for the consumer facing frontend. But we cannot do that as the front end is a consumer facing SaaS site, so each front end needs to have the client's website theme. This becomes very hard to do if we don't have theming at a client level. > > I came across this post from Bill a few months ago > http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html > > I am thinking to make use of the client variable that is available in login.ftl and load different freemarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal but it might meet the requirement. > > Cheers > Travis > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160105/6af23608/attachment-0001.html
From sthorger at redhat.com Tue Jan 5 10:08:18 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 5 Jan 2016 16:08:18 +0100 Subject: [keycloak-user] Different theme for each client In-Reply-To: References: Message-ID:
On 5 January 2016 at 12:22, Travis De Silva wrote: > Hi Stian, > > SSO zones will not help in my use case because I actually want SSO between > clients. For example let's say I have the following clients > > Client1 > Client2 > > and have the following users > > User1 > User2 > User3 > > and I want User1 to be able to login to Client1 using its own application > theme, User2 to login to Client2 using its own application theme and User3 > can login to either Client1 or Client2 and they get SSO across the two > clients. > > How can we do this with your proposed SSO zones? > I didn't expect a client to belong to multiple zones. That would complicate things quite a bit I think. However, what you're asking for with client specific themes still makes no sense. How is User3 going to know that he's logged in to Client1 as well if the login screen is themed to match Client2? > > The more I think of this, it would be better to just give access to > various end points in the login process. (e.g. forgot password, social > login, register user etc) This I believe will be more flexible as we can > then use it for these edge cases. Any thoughts on this? > Not sure what you mean about that. I was thinking about just exposing something that lets you select the theme to use yourself and have everything else work as it is currently. > > Cheers > Travis > > On Tue, 5 Jan 2016 at 18:29 Stian Thorgersen wrote: > >> On 4 January 2016 at 14:25, Travis De Silva wrote: >> >>> Hi Stian, >>> >>> Adding SSO zones just to address the theming issue looks a bit overkill >>> to me as it will eventually come down to doing some theming at a level >>> below the realm.
I was going on the basis that if theming is not set at a >>> client level, then it will default to the realm level theming which is >>> basically your SSO enabled zone. >>> >> >>> Also my other point was with regard to SaaS based applications where we >>> have a backoffice system which is themed as per our SaaS product but the >>> consumer facing front end needs to be themed to be aligned with the >>> customer's web site. In this case, we cannot go with what KeyCloak has at >>> present. What I am doing is as suggested by Bill sometime back, adding >>> "if/else" statements into the freemarker templates and based on the client >>> id loading different freemarker templates which is not ideal but does the >>> job. >>> >>> In any case, since what we are discussing is in general edge cases, >>> instead of complicating the core KeyCloak platform, why don't you >>> just expose the various links/flows that are currently available in the >>> login process (forgot password/reset credentials, required actions >>> (update password, verify email, configure OTP, etc.), user account >>> mgmt, registration, social login etc.). Then we are still using the core of >>> keycloak but for the frontend themes/UI, we use our own. >>> >>> I also haven't explored the Login SPI which as per the KeyCloak docs, >>> which say "The Login SPI allows implementing the login forms using >>> whatever web framework or templating engine you want". Wonder if this will >>> give us what we are after. >>> >> >> Sounds like an SSO zone is exactly what you'd want, so I'm not sure why >> you are so against that. >> >> I really don't want to have a theme option on a client, as I've said it >> just doesn't make any sense. I'd be happy with introducing an SPI or adding >> to the Theme SPI to let you choose yourself what theme is selected. The >> Login SPI is rather low-level so it would be better to do something else.
>> >> >>> >>> Cheers >>> Travis >>> >>> >>> >>> >>> >>> >>> >>> On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen >>> wrote: >>> >>>> I strongly disagree. With Keycloak you are logging in to a SSO realm, >>>> not an individual application. With that in mind it's important that the >>>> login screen reflects that. Users need to know the difference as it's an >>>> important distinction. It just doesn't make any sense that I'm logged-in to >>>> the SSO with a login screen that is themed to look like the login screen >>>> for an individual application. >>>> >>>> Adding an option on clients to set the theme just doesn't make any >>>> sense. If we added the option to create SSO "zones" or disable SSO for >>>> individual applications then it would make sense to be able to set theme on >>>> a per-zone basis or for apps that don't have SSO enabled. >>>> >>>> On 31 December 2015 at 09:46, Travis De Silva >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> My vote is to provide this feature at a client level as per the >>>>> original request. >>>>> >>>>> I think realms should be used for completely different domains when we >>>>> want to isolate users etc. Should not try and use it for something that it >>>>> was not intended for in the design. >>>>> >>>>> The reason why you might need theming at client level is if you >>>>> really think that clients, which are essentially different applications most >>>>> of the time, and each of these applications might have different look and >>>>> feel themes (either due to different development teams or vendors building >>>>> different applications). >>>>> >>>>> So when someone logs in via KeyCloak, it's true that we are logging into >>>>> a realm but for an end user, it is really logging into an application and >>>>> there is a need for the login page theme to look similar to the application >>>>> look and feel.
>>>>> >>>> >>>>> Also I have a use case where I have a back office application that >>>>> requires login for admin users and then I have the front office of this >>>>> application where in addition to the admin users, you also can have other >>>>> users as well who can self register and login to the front end which is a >>>>> consumer facing site. >>>>> >>>>> How I handle this is by having two clients in the same realm. This >>>>> works fine if you are happy with the same backend login theme to be there >>>>> for the consumer facing frontend. But we cannot do that as the front end is >>>>> a consumer facing SaaS site, so each front end needs to have the client's >>>>> website theme. This becomes very hard to do if we don't have theming at a >>>>> client level. >>>>> >>>>> I came across this post from Bill a few months ago >>>>> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html >>>>> >>>>> I am thinking to make use of the client variable that is available in >>>>> login.ftl and load different freemarker fragments that will then theme it >>>>> differently for each client. As mentioned by Bill, having many if >>>>> conditions might not be ideal but it might meet the requirement. >>>>> >>>>> Cheers >>>>> Travis >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160105/03f236f0/attachment.html
From bburke at redhat.com Tue Jan 5 10:13:56 2016 From: bburke at redhat.com (Bill Burke) Date: Tue, 5 Jan 2016 10:13:56 -0500 Subject: [keycloak-user] Problem using SAML IdP In-Reply-To: References: <5679AE36.8060701@redhat.com> Message-ID: <568BDDB4.90903@redhat.com>
We won't be able to support temporary ids (transient) for a while as it requires temporary user creation which requires some rearchitecting. As for "urn:mace:shibboleth:1.0:nameIdentifier" if you spec it out in a JIRA and it is simple enough to implement support for, we may be able to get it in. On 1/5/2016 8:18 AM, Jérôme Blanchard wrote: > Hi Bill, > > Thanks for your answer regarding transient and temporary ids. I > understand the problem due to keycloak account creation and binding to > the IdP. > Renater is using Shibboleth; is there any work on Shibboleth > integration for keycloak? > If I look into the IdP entity descriptors of Renater, I found that it > also uses another nameid format based on the Shibboleth namespace: > urn:mace:shibboleth:1.0:nameIdentifier > urn:oasis:names:tc:SAML:2.0:nameid-format:transient > > Do you think it is possible to patch the saml idp provider (or to create > another one dedicated to shibboleth) in order to integrate keycloak into > our identity federation (renater)? > > Best wishes for this upcoming year and thanks for your great work > around keycloak. > > Jérôme. > > > On Tue 22 Dec 2015 at 21:10, Bill Burke > wrote: > > Our brokering doesn't support temporary user ids from the "parent" IDP. > Transient Ids in SAML or temporary ids. > > On 12/22/2015 11:46 AM, Jérôme Blanchard wrote: > > Hi, > > > > I'm trying to integrate keycloak into the French research identity > federation > > (renater) and I'm facing some problems.
> > Actually, when the IdP responds to keycloak I'm getting the following > error: > > PL00084: Writer: Unsupported Attribute > > Value:org.keycloak.dom.saml.v2.assertion.NameIDType > > > > It seems that this IdP is using the transient NameID policy only and > using > > the unspecified field in the idp config in keycloak generates this > > exception as a return. > > > > Log of the keycloak server is attached. > > > > I have no idea of what is happening because when I was using the test > > federation, everything was working but now I'm in the production > > federation, login fails. > > > > The renater federation is using Shibboleth and keycloak is not > supported > > by federation moderators so I'm alone in the dark now... > > > > Renater provides an IdP list that I have to parse and > synchronize with > > the IdPs in keycloak. In return I provide a list of all endpoints > for each > > keycloak registered IdP to allow the federation IdPs to answer > correctly to > > the right endpoint. All of this is done by a small web app deployed > > aside keycloak and using the REST API to synchronize all the IdPs. > > > > One of the IdP entity descriptors is attached.
As you can see, only > > the transient nameid policy is supported and if I configure keycloak > to use > > email or persistent, I receive a response saying that the nameid > is not > > supported : > > > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" > > > AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" > > Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" > > ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" > > IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z" > > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" > > Version="2.0"> > > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang > AllowCreate="true" > > > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/> > > > > > > > > Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" > > ID="_9d03761957aade819b6823c35bbab278" > > InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" > > IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0"> > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > > > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp > > Value="urn:oasis:names:tc:SAML:2.0:status:Responder"> > > Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>Required > > NameID format not > > supported > > > > > > Any help would be gracefully appreciated. > > > > Thanks a lot, Jérôme.
> > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com
From bburke at redhat.com Tue Jan 5 10:17:58 2016 From: bburke at redhat.com (Bill Burke) Date: Tue, 5 Jan 2016 10:17:58 -0500 Subject: [keycloak-user] Keycloak User Registration Flow In-Reply-To: References: Message-ID: <568BDEA6.3050006@redhat.com>
You want a better REST API that takes one document and sets up everything? Log a jira and spec it out. I think this is something we should improve. I know there's been a lot of talk about improving user import. On 1/5/2016 6:47 AM, Malmi Samarasinghe wrote:
> Hi All,
>
> I am currently working on registering a user with user realm role and
> client role assignment.
>
> Steps followed
> 1/ create user (retrieve the user ID from Location header)
> 2/ get user details
> 3/ update password
> 4/ create realm role
> 5/ retrieve all realm roles and filter the ones which need to be
> assigned (since the assignment of roles requires the role ID)
> 6/ assign realm role
> 7/ same for the application roles as well, which also has multiple
> iterations for each client
>
> With all the API calls the user registration seems to have 8+ API calls
> and I would like to know if there are any other alternatives/suggestions
> to get the user registration flow working more efficiently.
>
> Is there any plan to give a consolidated user registration API in the
> future?
> > Regards, > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com
From amaeztu at tesicnor.com Tue Jan 5 10:30:40 2016 From: amaeztu at tesicnor.com (Amaeztu) Date: Tue, 05 Jan 2016 16:30:40 +0100 Subject: [keycloak-user] RestTemplate support for service account access In-Reply-To: References: <56823DC3.6040200@tesicnor.com> Message-ID:
Well, this example answers the asked question, so many thanks Scott. However, I still have some doubts. In the given code, the database service can only be accessed from another client (bearer only). However, let's suppose I also want to have access to its endpoints from a Web browser, for pure administrative purposes and only with the ADMIN role. I should change the access to confidential. Then I want to access the service from the customer app, but, since the current user role might not be ADMIN, I wouldn't be authorized for the remote access. The only solution I can think of for this is to keep the database service access bearer only and implement a specific database-ui service, which should replicate all the original endpoints (this involves adding a new endpoint to the ui service every time I do it in the db service). Is there a way of solving this which avoids having a specific ui service implemented? Sorry about all the questions, I'm still a starter! Sent from my Sony Xperia™ phone ---- Scott Rossillo wrote ---- >Take a look at these Spring samples.
It's set up automatically: > >https://github.com/foo4u/keycloak-spring-demo/blob/master/customer-app/src/main/java/org/keycloak/example/spring/customer/service/RemoteCustomerService.java > >On Tue, Dec 29, 2015 at 12:31 PM Aritz Maeztu wrote: > >At this moment there's a KeycloakRestTemplate to use it in Spring which allows an end user to retrieve data from other keycloak clients. However, a client might also be interested in accessing data with its own permissions and with no user interaction. Is there any implementation of a RestTemplate to utilize client service accounts and, if not, are there any plans to write it? This demo seems to do it manually. > >Regards > >-- > >Aritz Maeztu Otaño >Software Development Department > >Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) >Telf.: 948 21 40 40 >Fax.: 948 21 40 41 > >Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility. > >_______________________________________________ >keycloak-user mailing list >keycloak-user at lists.jboss.org >https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160105/3b79308f/attachment.html
From ornot2008 at yahoo.com Tue Jan 5 10:46:33 2016 From: ornot2008 at yahoo.com (Mai Zi) Date: Tue, 5 Jan 2016 15:46:33 +0000 (UTC) Subject: [keycloak-user] Is it mandatory for adapter version to be same as the keycloak version? References: <1768634302.388639.1452008793167.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <1768634302.388639.1452008793167.JavaMail.yahoo@mail.yahoo.com>
Hi there, suppose we have a wildfly app server with adapter version 1.11; will it talk to keycloak 1.7.0 final, is it possible? In other words, do we need to upgrade the adapter to 1.7.0? In this case, our wildfly is 8.0; is it safe to use the latest 1.7.0 adapter? TIA. Mai -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160105/5fac6d17/attachment.html
From bburke at redhat.com Tue Jan 5 10:58:52 2016 From: bburke at redhat.com (Bill Burke) Date: Tue, 5 Jan 2016 10:58:52 -0500 Subject: [keycloak-user] Is it mandatory for adapter version to be same as the keycloak version? In-Reply-To: <1768634302.388639.1452008793167.JavaMail.yahoo@mail.yahoo.com> References: <1768634302.388639.1452008793167.JavaMail.yahoo.ref@mail.yahoo.com> <1768634302.388639.1452008793167.JavaMail.yahoo@mail.yahoo.com> Message-ID: <568BE83C.2010306@redhat.com>
At this time we do not test backward compatibility so I can't guarantee anything. On 1/5/2016 10:46 AM, Mai Zi wrote: > Hi there, > Suppose we have a wildfly app server with adapter version 1.11; will > it talk to keycloak 1.7.0 final, is it possible? > > In other words, do we need to upgrade the adapter to 1.7.0? > > In this case, our wildfly is 8.0; is it safe to use the latest 1.7.0 > adapter? > > > TIA.
> > Mai > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com
From mposolda at redhat.com Tue Jan 5 11:04:35 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 5 Jan 2016 17:04:35 +0100 Subject: [keycloak-user] Is it mandatory for adapter version to be same as the keycloak version? In-Reply-To: <1768634302.388639.1452008793167.JavaMail.yahoo@mail.yahoo.com> References: <1768634302.388639.1452008793167.JavaMail.yahoo.ref@mail.yahoo.com> <1768634302.388639.1452008793167.JavaMail.yahoo@mail.yahoo.com> Message-ID: <568BE993.1090507@redhat.com>
On 05/01/16 16:46, Mai Zi wrote: > Hi there, > Suppose we have a wildfly app server with adapter version 1.11; will > it talk to keycloak 1.7.0 final, is it possible? Not sure I understand. The 1.11 Keycloak version is not released yet, the latest keycloak version is 1.7.0. And adapters are released together with the Keycloak server, so the latest adapter version is 1.7.0 as well. > > In other words, do we need to upgrade the adapter to 1.7.0? Theoretically it will work and you will be able to use the Keycloak 1.6.0 adapter with the Keycloak 1.7.0 server. However we are not testing this scenario AFAIK. There might be some fixes in protocol, token format etc, which will cause adapter version X not to work with Keycloak server version X+1. In other words, it's always safer to use the same version of keycloak server and keycloak adapter. > > In this case, our wildfly is 8.0; is it safe to use the latest 1.7.0 > adapter? Yes, we have a wildfly8 adapter. See "keycloak-wf8-adapter-dist-1.7.0.Final.zip" under http://keycloak.jboss.org/keycloak/downloads.html?dir=0%3Dadapters/keycloak-oidc%3B Marek > > > TIA.
> > Mai > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160105/0ccb6574/attachment-0001.html
From srossillo at smartling.com Tue Jan 5 13:14:39 2016 From: srossillo at smartling.com (Scott Rossillo) Date: Tue, 5 Jan 2016 13:14:39 -0500 Subject: [keycloak-user] RestTemplate support for service account access In-Reply-To: References: <56823DC3.6040200@tesicnor.com> Message-ID:
If you want the database service to redirect users to the login page, it must be changed to confidential. If the front end itself is a client of Keycloak, then leaving the service as bearer only is fine. The example is obviously a bit contrived but the idea was that no user, even an admin, would authenticate directly to the database service. If there were to be an admin interface for the database, it would be another client in the same realm. Ultimately it's a design decision you have to make when you consider what works well for your organization. Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com > On Jan 5, 2016, at 10:30 AM, Amaeztu wrote: > > Well, this example answers the asked question, so many thanks Scott. However, I still have some doubts. > > In the given code, the database service can only be accessed from another client (bearer only). However, let's suppose I also want to have access to its endpoints from a Web browser, for pure administrative purposes and only with the ADMIN role. I should change the access to confidential. Then I want to access the service from the customer app, but, since the current user role might not be ADMIN, I wouldn't be authorized for the remote access.
> > The only solution I can think of for this is to keep the database service access bearer only and implement a specific database-ui service, which should replicate all the original endpoints (this involves adding a new endpoint to the ui service every time I do it in the db service). > > Is there a way of solving this which avoids having a specific ui service implemented? Sorry about all the questions, I'm still a starter! > > Sent from my Sony Xperia™ phone > > > > ---- Scott Rossillo wrote ---- > > Take a look at these Spring samples. It's set up automatically: > > https://github.com/foo4u/keycloak-spring-demo/blob/master/customer-app/src/main/java/org/keycloak/example/spring/customer/service/RemoteCustomerService.java > On Tue, Dec 29, 2015 at 12:31 PM Aritz Maeztu > wrote: > At this moment there's a KeycloakRestTemplate to use it in Spring which allows an end user to retrieve data from other keycloak clients. However, a client might also be interested in accessing data with its own permissions and with no user interaction. Is there any implementation of a RestTemplate to utilize client service accounts and, if not, are there any plans to write it? This demo seems to do it manually. > > Regards > -- > Aritz Maeztu Otaño > Software Development Department > > Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) > Telf.: 948 21 40 40 > Fax.: 948 21 40 41 > Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility. _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed...
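Two threads above ask the same thing from different ends: Aritz wants a client to call a bearer-only service with its own service account rather than a user's token, and Malmi wants the create-user / set-password / assign-realm-role / assign-client-role sequence without eight hand-written calls. The following is an added example, not code from either thread, from the linked demo or from Keycloak: a provisioning client obtains a token with the client_credentials grant, propagates it in the Authorization header, and performs the whole registration in one function. The endpoint paths follow the Keycloak admin REST API; the realm, client names, secret and `FakeKeycloak` are constructed so the script runs offline, and against a real server the provisioning client needs service accounts enabled plus the realm-management `manage-users` role.

```python
"""Added example, not code from this thread or from Keycloak. A provisioning client
authenticates as itself (client_credentials grant; its service account needs only the
realm-management 'manage-users' role), sends that token as a bearer token and performs the
create/password/realm-role/client-role sequence in one function. Paths follow the Keycloak
admin REST API; FakeKeycloak is a constructed in-memory stand-in so this runs offline."""
import json
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

def http_send(method, url, headers=None, body=None):
    """Real transport: (status, headers, body); 4xx/5xx are returned, not raised."""
    try:
        with urlopen(Request(url, data=body, method=method, headers=headers or {})) as r:
            return r.status, dict(r.headers), r.read()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read()

class KeycloakProvisioner:
    def __init__(self, base_url, realm, client_id, client_secret, send=http_send):
        self.base, self.realm, self.send = base_url.rstrip("/"), realm, send
        self.client_id, self.client_secret, self._token = client_id, client_secret, None

    def service_account_token(self):
        """client_credentials grant: no user is involved, the client itself is the principal."""
        form = urlencode({"grant_type": "client_credentials",
                          "client_id": self.client_id, "client_secret": self.client_secret})
        status, _, raw = self.send(
            "POST", f"{self.base}/realms/{self.realm}/protocol/openid-connect/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, form.encode())
        if status != 200:
            raise PermissionError(f"token endpoint answered {status}")
        return json.loads(raw)["access_token"]

    def _admin(self, method, path, payload=None):
        """Each admin call carries the service-account token in the Authorization header."""
        if self._token is None:
            self._token = self.service_account_token()
        headers = {"Authorization": f"Bearer {self._token}", "Content-Type": "application/json"}
        body = None if payload is None else json.dumps(payload).encode()
        status, hdrs, raw = self.send(method, f"{self.base}/admin/realms/{self.realm}{path}",
                                      headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status}: {raw[:200]!r}")
        return hdrs, raw

    def register_user(self, username, email, password, realm_roles=(), client_roles=None):
        """Whole flow in one call; returns the new user's id taken from the Location header."""
        hdrs, _ = self._admin("POST", "/users",
                              {"username": username, "email": email, "enabled": True})
        location = next(v for k, v in hdrs.items() if k.lower() == "location")
        user_id = location.rstrip("/").rsplit("/", 1)[1]
        self._admin("PUT", f"/users/{user_id}/reset-password",
                    {"type": "password", "value": password, "temporary": False})
        # GET /roles/{name} already returns the id, so no listing and filtering of all roles.
        reps = [json.loads(self._admin("GET", f"/roles/{n}")[1]) for n in realm_roles]
        self._admin("POST", f"/users/{user_id}/role-mappings/realm", reps)
        for client_id, names in (client_roles or {}).items():
            # Unpacking fails unless exactly one client matches: never grant roles to a guess.
            (uuid,) = [c["id"] for c in json.loads(self._admin("GET", f"/clients?clientId={client_id}")[1])]
            reps = [json.loads(self._admin("GET", f"/clients/{uuid}/roles/{n}")[1]) for n in names]
            self._admin("POST", f"/users/{user_id}/role-mappings/clients/{uuid}", reps)
        return user_id

class FakeKeycloak:
    """Constructed test double for just the endpoints used above (not a Keycloak server)."""
    def __init__(self, secret="s3cret"):
        self.secret, self.users, self.mappings, self.calls = secret, {}, [], []

    def send(self, method, url, headers=None, body=None):
        path, parts = urlparse(url).path, urlparse(url).path.split("/")
        self.calls.append((method, path))
        if path.endswith("/protocol/openid-connect/token"):
            if parse_qs(body.decode()).get("client_secret") != [self.secret]:
                return 401, {}, b'{"error":"unauthorized_client"}'
            return 200, {}, b'{"access_token":"fake-sa-token"}'
        if (headers or {}).get("Authorization") != "Bearer fake-sa-token":
            return 401, {}, b""  # bearer-only: nothing is reachable without a valid token
        if method == "POST" and path.endswith("/users"):
            uid = f"u{len(self.users) + 1}"
            self.users[uid] = json.loads(body)
            return 201, {"Location": f"{url}/{uid}"}, b""
        if method == "PUT" and path.endswith("/reset-password"):
            self.users[parts[-2]]["has_password"] = True
            return 204, {}, b""
        if method == "GET" and "/roles/" in path:
            return 200, {}, json.dumps({"id": f"role-{parts[-1]}", "name": parts[-1]}).encode()
        if method == "GET" and path.endswith("/clients"):
            cid = parse_qs(urlparse(url).query)["clientId"][0]
            return 200, {}, json.dumps([{"id": f"cl-{cid}", "clientId": cid}]).encode()
        if method == "POST" and "/role-mappings/" in path:
            granted = [r["name"] for r in json.loads(body)]
            self.mappings.append((parts[parts.index("users") + 1], parts[-1], granted))
            return 204, {}, b""
        return 404, {}, b""

def demo(secret="s3cret"):
    fake = FakeKeycloak()
    prov = KeycloakProvisioner("https://sso.example.invalid/auth", "demo", "provisioner",
                               secret, send=fake.send)
    return fake, prov.register_user("alice", "alice@example.invalid", "correct-horse-battery",
                                    realm_roles=["user"], client_roles={"customer-app": ["viewer"]})
```

Against a real server pass `send=http_send` (the default) and the real base URL, realm, client id and secret; the call count stays at one token request plus the seven admin calls, and a wrong secret fails at the token endpoint before any admin call is attempted.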
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160105/289d41f4/attachment.html
From srossillo at smartling.com Tue Jan 5 18:04:53 2016 From: srossillo at smartling.com (Scott Rossillo) Date: Tue, 5 Jan 2016 18:04:53 -0500 Subject: [keycloak-user] AdapterDeploymentContextBean no default constructor In-Reply-To: References: <1836275380.477098.1452001637796.JavaMail.yahoo@mail.yahoo.com> Message-ID:
The documentation should be correct for current release builds. Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com > On Jan 5, 2016, at 9:45 AM, Thomas Raehalme wrote: > > > On Jan 5, 2016 15:47, "alex orl" > wrote: > > > > thanks for answering... > > are there other out-of-date configuration instructions? > > thanks > > Not that I know of. > > Best regards, > Thomas > > > > > > On Tuesday 5 January 2016 13:35, Thomas Raehalme > wrote: > > > > > > Hi! > > > > I think the documentation is a bit out of date on this one. You should provide path to keycloak.json as the constructor argument, eg: > > > > > > > > > > > > Also, please note that in the upcoming version 1.8.0.Final there will be a change regarding this configuration. The documentation has been updated to match the new code. > > > > Best regards, > > Thomas > > > > > > On Tue, Jan 5, 2016 at 2:25 PM, alex orl > wrote: > >> > >> > >> I'm working on keycloak 1.7.0 final. > >> I'm trying to integrate a new spring secured web application with the keycloak sso mechanism. > >> Following the last guide reference, specifically chapter 8.10, I wrote a keycloak-security-context.xml containing the specified configuration.
> >> When I deploy the application I get this error: > >> > >> > >> Caused by: org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean]: No default constructor found; nested exception is java.lang.NoSuchMethodException: org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean.() > >> > >> > >> > >> Effectively AdapterDeploymentContextBean > >> > >> https://github.com/keycloak/keycloak/blob/1.7.x/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/AdapterDeploymentContextBean.java > >> > >> doesn't declare the default constructor. > >> What am I missing? > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160105/094bc145/attachment.html
From hcamp at muerte.net Tue Jan 5 19:00:37 2016 From: hcamp at muerte.net (Harold Campbell) Date: Tue, 05 Jan 2016 18:00:37 -0600 Subject: [keycloak-user] Additional jpaConnectionProvider for UserFederation via database In-Reply-To: References: <61D077C6283D454FAFD06F6AC4AB74D723D36465@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> Message-ID: <1452038437.11135.11.camel@muerte.net>
On Wed, 2015-11-11 at 14:12 +0100, Stian Thorgersen wrote: > At the moment when the provider is specified in keycloak-server.json > we only load that one provider. If you only need to use the > EntityManagerFactory within your user federation provider you don't > need a JpaConnectionProvider at all.
Just create the > EntityManagerFactory within your UserFederationProviderFactory. I'm trying to do exactly that, but can't for the life of me get the EntityManagerFactory to create. It fails with: Caused by: javax.persistence.PersistenceException: No Persistence provider for EntityManager named XXXXX Before that, I also see this warning even if I explicitly pass the suggested provider as a property: 17:43:57,250 WARN [org.hibernate.ejb.HibernatePersistence] (default task-53) HHH015016: Encountered a deprecated javax.persistence.spi.PersistenceProvider [org.hibernate.ejb.HibernatePersistence]; use [org.hibernate.jpa.HibernatePersistenceProvider] instead. The persistence.xml is in META-INF. I also tried META-INF/classes/META-INF. My init code:

// Imports added by the editor; the post showed only lazyInit(). AvailableSettings is
// assumed to be org.hibernate.jpa.AvailableSettings (the Hibernate JPA property names).
import java.util.HashMap;
import java.util.Map;
import javax.persistence.EntityManagerFactory;
import javax.persistence.Persistence;
import org.hibernate.jpa.AvailableSettings;

private EntityManagerFactory emFactory;

private void lazyInit() {
    Map<String, String> props = new HashMap<>();
    // Name the non-deprecated provider class explicitly (javax.persistence.provider)
    props.put(AvailableSettings.PROVIDER, "org.hibernate.jpa.HibernatePersistenceProvider");
    // Application-managed unit: no JTA, transactions go through EntityTransaction
    props.put(AvailableSettings.TRANSACTION_TYPE, "RESOURCE_LOCAL");
    // Keep the WildFly JPA subsystem from taking over this persistence unit
    props.put("jboss.as.jpa.managed", "false");
    // "XXXXX" is the (redacted) persistence-unit name from persistence.xml
    emFactory = Persistence.createEntityManagerFactory("XXXXX", props);
}

This same persistence unit works just fine when bundled on its own within a normal JEE EAR. Any idea what I'm doing wrong? Keycloak 1.7.0.Final -- Harold Campbell A farmer with extremely prolific hens posted the following sign. "Free Chickens. Our Coop Runneth Over."
From DSzeto at investlab.com Tue Jan 5 20:47:08 2016 From: DSzeto at investlab.com (Doug Szeto) Date: Wed, 6 Jan 2016 01:47:08 +0000 Subject: [keycloak-user] Different theme for each client In-Reply-To: References: Message-ID:
+1 to the feature. When a user is directed to login, they need to specify {clientId, realm, url}: https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js#L166 Currently the theme is 1-1 attached to the realm. Would an easier solution be to attach the theme to a clientId so we can support different themes on the same realm?
Doug

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Tuesday, January 5, 2016 at 11:08 PM
To: Travis De Silva
Cc: keycloak-user
Subject: Re: [keycloak-user] Different theme for each client

On 5 January 2016 at 12:22, Travis De Silva wrote:

> Hi Stian,
>
> SSO zones will not help in my use case because I actually want SSO between clients. For example let's say I have the following clients
>
> Client1
> Client2
>
> and the following users
>
> User1
> User2
> User3
>
> and I want User1 to be able to login to Client1 using its own application theme, User2 to login to Client2 using its own application theme and User3 can login to either Client1 or Client2 and they get SSO across the two clients.
>
> How can we do this with your proposed SSO zones?

I didn't expect a client to belong to multiple zones. That would complicate things quite a bit I think.

However, what you're asking for with client specific themes still makes no sense. How is User3 going to know that he's logged in to Client1 as well if the login screen is themed to match Client2?

> The more I think of this, it would be better to just give access to various end points in the login process (e.g. forgot password, social login, register user etc). This I believe will be more flexible as we can then use it for these edge cases. Any thoughts on this?

Not sure what you mean about that. I was thinking about just exposing something that lets you select the theme to use yourself and have everything else work as it is currently.

> Cheers
> Travis
>
> On Tue, 5 Jan 2016 at 18:29 Stian Thorgersen wrote:
>
>> On 4 January 2016 at 14:25, Travis De Silva wrote:
>>
>>> HI Stian,
>>>
>>> Adding SSO zones just to address the theming issue looks a bit overkill to me as it will eventually come down to doing some theming at a level below the realm. I was going on the basis that if theming is not set at a client level, then it will default to the realm level theming which is basically your SSO enabled zone.
>>>
>>> Also my other point was with regard to SaaS based applications where we have a backoffice system which is themed as per our SaaS product but the consumer facing front end needs to be themed to be aligned with the customer's web site. In this case, we cannot go with what KeyCloak has at present. What I am doing is as suggested by Bill some time back, adding "if/else" statements into the freemarker templates and based on the client id loading different freemarker templates, which is not ideal but does the job.
>>>
>>> In any case, since what we are discussing are in general edge cases, instead of complicating the core KeyCloak platform, why don't you just expose the various links/flows that are currently available in the login process (forgot password/reset credentials, required actions (update password, verify email, configure OTP, etc.), user account mgmt, registration, social login etc.)? Then we are still using the core of keycloak but for the frontend themes/UI, we use our own.
>>>
>>> I also haven't explored the Login SPI, which as per the KeyCloak docs: "The Login SPI allows implementing the login forms using whatever web framework or templating engine you want". Wonder if this will give us what we are after.
>>
>> Sounds like an SSO zone is exactly what you'd want, so I'm not sure why you are so against that.
>>
>> I really don't want to have a theme option on a client, as I've said it just doesn't make any sense. I'd be happy with introducing an SPI or adding to the Theme SPI to let you choose yourself what theme is selected. The Login SPI is rather low-level so it would be better to do something else.
>>
>>> Cheers
>>> Travis
>>>
>>> On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen wrote:
>>>
>>>> I strongly disagree. With Keycloak you are logging in to a SSO realm, not an individual application. With that in mind it's important that the login screen reflects that. Users need to know the difference as it's an important distinction.
>>>> It just doesn't make any sense that I'm logged-in to the SSO with a login screen that is themed to look like the login screen for an individual application.
>>>>
>>>> Adding an option on clients to set the theme just doesn't make any sense. If we added the option to create SSO "zones" or disable SSO for individual applications then it would make sense to be able to set theme on a per-zone basis or on apps that don't have SSO enabled.
>>>>
>>>> On 31 December 2015 at 09:46, Travis De Silva wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> My vote is to provide this feature at a client level as per the original request.
>>>>>
>>>>> I think realms should be used for completely different domains when we want to isolate users etc. We should not try and use it for something that it was not intended for in the design.
>>>>>
>>>>> The reason why you might need theming at client level is if you really think that clients, which are essentially different applications most of the time, and each of these applications might have different look and feel themes (either due to different development teams or vendors building different applications).
>>>>>
>>>>> So when someone logs in via KeyCloak, it's true that we are logging into a realm but for an end user, it is really logging into an application and there is a need for the login page theme to look similar to the application look and feel.
>>>>>
>>>>> Also I have a use case where I have a back office application that requires login for admin users and then I have the front office of this application where in addition to the admin users, you also can have other users as well who can self register and login to the front end which is a consumer facing site.
>>>>>
>>>>> How I handle this is by having two clients in the same realm. This works fine if you are happy with the same backend login theme to be there for the consumer facing frontend. But we cannot do that as the front end is a consumer facing SaaS site, so each front end needs to have the client's website theme. This becomes very hard to do if we don't have theming at a client level.
>>>>>
>>>>> I came across this post from Bill a few months ago
>>>>> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
>>>>>
>>>>> I am thinking to make use of the client variable that is available in login.ftl and load different freemarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal but it might meet the requirement.
>>>>>
>>>>> Cheers
>>>>> Travis

From traviskds at gmail.com Tue Jan 5 21:07:11 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Wed, 06 Jan 2016 02:07:11 +0000
Subject: [keycloak-user] Different theme for each client
In-Reply-To:
References:
Message-ID:

On Wed, 6 Jan 2016 at 02:08 Stian Thorgersen wrote:

> On 5 January 2016 at 12:22, Travis De Silva wrote:
>
>> [...]
>>
>> How can we do this with your proposed SSO zones?
>
> I didn't expect a client to belong to multiple zones. That would complicate things quite a bit I think.
>
> However, what you're asking for with client specific themes still makes no sense. How is User3 going to know that he's logged in to Client1 as well if the login screen is themed to match Client2?
When User3 logs into Client2, and then they navigate to Client1, it just automagically logs them in due to SSO. When User3 logs into Client2, he does not need to be aware of what other clients he has been auto logged in to, as at that time he might not even know he needs to access other clients. This is sort of a "poor man's" Kerberos: when you log in to the first application it gives you login access to other applications.

You may ask why can't they then just login to the realm theme. That is because in corporate environments, you have users who access only one primary application and for them, the login theme should be like their own application.

As I mentioned, since these are edge cases, I think if we can address my request below, which I have explained a bit more, that might be the best rather than focusing on client level theming or theming via SSO zones.

>> The more I think of this, it would be better to just give access to various end points in the login process (e.g. forgot password, social login, register user etc). This I believe will be more flexible as we can then use it for these edge cases. Any thoughts on this?
>
> Not sure what you mean about that. I was thinking about just exposing something that lets you select the theme to use yourself and have everything else work as it is currently.

What would be ideal is if we can host the themes within our own applications and use KeyCloak for the authentication flows. For example, instead of using the Freemarker theming, can we do the login, forgot password, register new user, social login links etc. using our front-end framework (e.g. AngularJS) and make REST calls to KeyCloak for the authentication flow? I am trying to avoid the direct grant but use what KeyCloak currently has in its authentication flow.
I am aware of (and use) various KeyCloak admin REST endpoints such as create new user, change password, add social links etc. but if I am to use these for the auth flows, then I will be duplicating functionality that has already been done just because of the theming. If there is a way we can call the same auth flows but replace the page displayed with our own directly from the application, in my opinion it would make KeyCloak more "embeddable" in external applications.

Maybe this is already possible with the Login SPI, which I will have a look at. But I suspect that I will end up having to do all the auth flows again. I may be wrong.

KeyCloak is really great and one of the best open source platforms out there. Even the FreeMarker theming is a fantastic feature. But when it comes to UI, you can never satisfy everyone and if we can extend the auth flows to applications/teams outside the group that manages the KeyCloak instance, then that opens up a lot of new possibilities. For example in its simplest form we can offer KeyCloak as a SaaS platform where external applications not within our control can use it for authentication and theme the login page etc. the way they want without us having to do any theme development.

>> Cheers
>> Travis
>>
>> On Tue, 5 Jan 2016 at 18:29 Stian Thorgersen wrote:
>>
>>> On 4 January 2016 at 14:25, Travis De Silva wrote:
>>>
>>>> [...]
From traviskds at gmail.com Tue Jan 5 21:25:28 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Wed, 06 Jan 2016 02:25:28 +0000
Subject: [keycloak-user] Different theme for each client
In-Reply-To: <21D76280-2ACE-4405-BE8B-70722B3EB7FC@smartling.com>
References: <21D76280-2ACE-4405-BE8B-70722B3EB7FC@smartling.com>
Message-ID:

On Wed, 6 Jan 2016 at 01:52 Scott Rossillo wrote:

> Isn't this whole idea of client specific themes just going to confuse users? Think about logging into Google. Mail, calendar, drive, etc., all share the same login screen and are all SSO clients. Wouldn't you be confused if it looked different for each app? Either way you're authenticating with Google. If you want to customize the consent screen for external clients, that makes a bit more sense but it should be done in a very standard way, like allowing a custom logo per external client you're authorizing. If you completely re-theme the consent screen even, you're going to confuse users IMO.

If the suite of applications/products as per your Google example is provided from one vendor/development group, then yes. In that case we can use what KeyCloak has at present. But in corporate environments, you have hundreds and sometimes thousands of applications built by different groups/teams/vendors and they all don't look the same. In these environments, users most of the time use one or two as their primary application and occasionally might want to access another one, in which case SSO will kick in and they don't need to login again. So there is really no confusion as they will always login to their primary application which is themed as per their application and when they go across to another application, it just automagically logs them in due to SSO.
Another point is that when new application projects are kicked off in the corporate world, they will want to style/theme UIs as per the latest design standards or features. In such cases, if we go and theme it using the new standard, that will also change the existing applications that are running on KeyCloak, and anyone who has worked in a corporate world knows how much of a pain point that is as you need to then engage various business owners of the existing applications, come up with end user communication plans and so on. If we have theming at a client level, then we can progressively, or to use the current buzz word "in an Agile" manner, ensure that new applications look new with new UI standards and not have to worry about existing applications at least until those applications are migrated.

Apart from the above "corporate world" example, there are examples where this can be useful in consumer facing SaaS type of applications as well. It just gives more flexibility to end developers of applications that utilise KeyCloak.

> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Jan 5, 2016, at 6:22 AM, Travis De Silva wrote:
>
> [...]
From eugene.chow.ct at gmail.com Wed Jan 6 01:47:43 2016
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Wed, 6 Jan 2016 14:47:43 +0800
Subject: [keycloak-user] Clustering without the use of multicast
Message-ID: <9A9E8C94-7C7F-4965-995F-539942F1FD41@gmail.com>

Hi guys,

Is it possible for clustering to work without the use of multicast traffic? My provider blocks multicast traffic by default and refuses to budge.

Can I manually supply (the IP addresses of) all the nodes in the cluster to each Keycloak instance, so that they are aware of each other?

Thanks and happy new year to the Keycloak team!

From mposolda at redhat.com Wed Jan 6 03:28:52 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 6 Jan 2016 09:28:52 +0100
Subject: [keycloak-user] Clustering without the use of multicast
In-Reply-To: <9A9E8C94-7C7F-4965-995F-539942F1FD41@gmail.com>
References: <9A9E8C94-7C7F-4965-995F-539942F1FD41@gmail.com>
Message-ID: <568CD044.10901@redhat.com>

Yes, you can do that. You will need to reconfigure the JGroups stack inside Wildfly to use the TCP protocol instead of the default UDP and to use TCPPING for discovery (TCPPING allows you to list all cluster members as you mentioned). See the Wildfly and JGroups documentation for details on how to configure the stack.

Marek

On 06/01/16 07:47, Eugene Chow wrote:
> [...]
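An added configuration example, not from Marek's reply or the Keycloak project: a WildFly 9-style jgroups subsystem for standalone-ha.xml that makes TCP the default stack and swaps multicast discovery for a static TCPPING member list. Assumed: Keycloak 1.7 runs on WildFly 9 (subsystem namespace 3.0), the socket-binding names jgroups-tcp and jgroups-tcp-fd shipped in that profile, and the three placeholder node addresses.

```xml
<!-- Added example (not Marek's or Keycloak's own config). WildFly 9 jgroups
     subsystem namespace assumed. Both the default "udp" stack and the MPING
     discovery protocol of the shipped "tcp" stack rely on multicast, so the
     default stack is switched to TCP and MPING is replaced by TCPPING. -->
<subsystem xmlns="urn:jboss:domain:jgroups:3.0" default-stack="tcp">
    <stack name="tcp">
        <!-- jgroups-tcp is the socket binding defined in standalone-ha.xml (port 7600) -->
        <transport type="TCP" socket-binding="jgroups-tcp"/>
        <!-- Static discovery: every node lists every cluster member as host[port].
             The addresses below are constructed placeholders; use your own nodes. -->
        <protocol type="TCPPING">
            <property name="initial_hosts">10.0.0.11[7600],10.0.0.12[7600],10.0.0.13[7600]</property>
            <property name="port_range">0</property>
        </protocol>
        <protocol type="MERGE3"/>
        <!-- Failure detection over a dedicated TCP socket binding, also unicast only -->
        <protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
        <protocol type="FD"/>
        <protocol type="VERIFY_SUSPECT"/>
        <protocol type="pbcast.NAKACK2"/>
        <protocol type="UNICAST3"/>
        <protocol type="pbcast.STABLE"/>
        <protocol type="pbcast.GMS"/>
        <protocol type="MFC"/>
        <protocol type="FRC"/>
    </stack>
</subsystem>
```

Each node must bind its private interface (the jboss.bind.address.private property) to the address its peers list for it, and nothing in this stack authenticates or encrypts cluster traffic, so restrict port 7600 to the listed peers at the firewall or add JGroups' AUTH and ENCRYPT protocols.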
From jayblanc at gmail.com Wed Jan 6 03:31:24 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Wed, 06 Jan 2016 08:31:24 +0000
Subject: [keycloak-user] Problem using SAML IdP
In-Reply-To: <568BDDB4.90903@redhat.com>
References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com>
Message-ID:

Hi Bill, all,

In the case of a transient only nameid, would it be possible to create a dedicated attribute mapper in order to use for example the email attribute as name identifier?

PS: the urn:mace:shibboleth:1.0:nameIdentifier is in fact used in SAML v1 to request a nameid that is transient also... so there is no solution in this way.

Best regards,
Jérôme.

On Tue 5 Jan 2016 at 16:13, Bill Burke wrote:
> We won't be able to support temporary ids (transient) for a while as it requires temporary user creation which requires some rearchitecting.
>
> As for "urn:mace:shibboleth:1.0:nameIdentifier" if you spec it out in a JIRA and it is simple enough to implement support for, we may be able to get it in.
>
> On 1/5/2016 8:18 AM, Jérôme Blanchard wrote:
> > Hi Bill,
> >
> > Thanks for your answer regarding transient and temporary ids. I understand the problem due to keycloak account creation and binding to the IdP.
> > Renater is using Shibboleth; is there any work on Shibboleth integration for keycloak?
> > If I look into the IdP entity descriptors of Renater, I found that it uses also another nameid format based on the Shibboleth namespace:
> > urn:mace:shibboleth:1.0:nameIdentifier
> > urn:oasis:names:tc:SAML:2.0:nameid-format:transient
> >
> > Do you think it is possible to patch the SAML IdP provider (or to create another one dedicated to Shibboleth) in order to integrate keycloak into our identity federation (Renater)?
> >
> > Best wishes for this upcoming year and thanks for your great work around keycloak.
> >
> > Jérôme.
> >
> > On Tue 22 Dec 2015 at 21:10, Bill Burke wrote:
> >
> > > Our brokering doesn't support temporary user ids from the "parent" IDP. Transient Ids in SAML or temporary ids.
> > >
> > > On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:
> > > > Hi,
> > > >
> > > > I'm trying to integrate keycloak into the French research federation of identity (Renater) and I'm facing some problems.
> > > > Actually, when the IdP responds to keycloak I'm getting the following error:
> > > > PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType
> > > >
> > > > It seems that this IdP is using the transient NameID policy only and using the unspecified field in the IdP config in keycloak generates this exception as a return.
> > > >
> > > > The log of the keycloak server is joined.
> > > >
> > > > I have no idea what is happening because when I was using the test federation, everything was working but now I'm in the production federation, login fails.
> > > >
> > > > The Renater federation is using Shibboleth and keycloak is not supported by federation moderators so I'm alone in the dark now...
> > > >
> > > > Renater provides an IdP list that I have to parse and synchronize with IdPs in keycloak. In return I provide a list of all endpoints for each keycloak registered IdP to allow federation IdPs to answer correctly to the right endpoint. All of this is done by a small web app deployed beside keycloak and using the REST API to synchronize all the IdPs.
> > > >
> > > > One of the IdP entity descriptors is joined.
> > > > As you can see, only the transient nameid policy is supported and if I configure keycloak to use email or persistent, I receive a response saying that the nameid is not supported:
> > > >
> > > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> > > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> > > > AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
> > > > Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
> > > > ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
> > > > IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
> > > > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> > > > Version="2.0">
> > > > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang
> > > > AllowCreate="true"
> > > > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
> > > >
> > > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> > > > Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
> > > > ID="_9d03761957aade819b6823c35bbab278"
> > > > InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
> > > > IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
> > > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > > > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp
> > > > Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
> > > > Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>Required NameID format not supported
> > > >
> > > > Any help would be gracefully appreciated.
> > > >
> > > > Thanks a lot, Jérôme.
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From eugene.chow.ct at gmail.com Wed Jan 6 04:04:19 2016
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Wed, 6 Jan 2016 17:04:19 +0800
Subject: [keycloak-user] Clustering without the use of multicast
In-Reply-To: <568CD044.10901@redhat.com>
References: <9A9E8C94-7C7F-4965-995F-539942F1FD41@gmail.com> <568CD044.10901@redhat.com>

Thanks Marek. I'll give it a try :)

> On 6 Jan 2016, at 16:28, Marek Posolda wrote:
>
> Yes, you can do that. You will need to reconfigure the JGroups stack inside Wildfly to use the TCP protocol instead of the default UDP and to use TCPPING for discovery (TCPPING allows you to list all cluster members as you mentioned). See the Wildfly and JGroups documentation for details on how to configure the stack.
>
> Marek
>
> On 06/01/16 07:47, Eugene Chow wrote:
>> Hi guys,
>>
>> Is it possible for clustering to work without the use of multicast traffic? My provider blocks multicast traffic by default and refuses to budge.
>>
>> Can I manually supply (the IP addresses of) all the nodes in the cluster to each Keycloak instance, so that they are aware of each other?
>>
>> Thanks and happy new year to the Keycloak team!
From sthorger at redhat.com Wed Jan 6 09:04:58 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 6 Jan 2016 15:04:58 +0100
Subject: [keycloak-user] Different theme for each client
References: <21D76280-2ACE-4405-BE8B-70722B3EB7FC@smartling.com>

In theory you should be able to create your own screens using the Login SPI, but you will have to do a fair bit of development as you'll pretty much have to replace the whole login frontend. You can't host the login pages from your apps either as you'll then lose the ability to do SSO, so it will still have to be redirect based login as it is now.

As you say your use-case is not quite the common-case so it's not something that I want to support directly in Keycloak. However, we do strive to make Keycloak customizable for corner-cases so if you can achieve what you want with our current SPIs that would be great. Otherwise we could discuss what's needed. At the moment we're pretty swamped though so changes to Keycloak would most likely have to be contributions from you.

On 6 January 2016 at 03:25, Travis De Silva wrote:
>
> On Wed, 6 Jan 2016 at 01:52 Scott Rossillo wrote:
>
>> Isn't this whole idea of client specific themes just going to confuse users? Think about logging into Google. Mail, calendar, drive, etc., all share the same login screen and are all SSO clients. Wouldn't you be confused if it looked different for each app? Either way you're authenticating with Google. If you want to customize the consent screen for external clients, that makes a bit more sense but it should be done in a very standard way, like allowing a custom logo per external client you're authorizing. If you completely re-theme the consent screen even, you're going to confuse users IMO.
>> >> > If the suite of applications/products as per your Google example is > provided from one vendor/development group, then yes. In that case we can > use what KeyCloak has at present. > > But in corporate environments, you have hundreds and sometimes thousands > of applications built by different groups/teams/vendors and they all don't > look the same. In these environments, users most of the time use one or two > as their primary application and occasionally might want to access another > one in which case SSO will kick in and they don't need to login again. So > there is really no confusion as they will always login to their primary > application which is themed as per their application and when they go > across to another application, it just automagically logs them in due to > SSO. > > Another point is that when new application projects are kicked off in the > corporate world, they will want to style/theme UI's as per the latest > design standards or features. In such cases, if we go and theme it using > the new standard, that will also change the existing applications that are > running on KeyCloak and anyone who has worked in a corporate world knows > how much of a pain point that is as you need to then engage various > business owners of the exiting applications, come up with end user > communication plans and so on. If we have theming at a client level, then > we can progressively or to use the current buzz word "in an Agile" manner, > ensure that new applications look new with new UI standards and not have to > worry about existing applications at least until those applications are > migrated. > > Apart from the above "corporate world" example, there are examples where > this can be useful in consumer facing SaaS type of applications as well. It > just gives more flexibility to end developers of applications that utilise > KeyCloak. 
>
>> Scott Rossillo
>> Smartling | Senior Software Engineer
>> srossillo at smartling.com
>>
>> On Jan 5, 2016, at 6:22 AM, Travis De Silva wrote:
>>
>> Hi Stian,
>>
>> SSO zones will not help in my use case because I actually want SSO between clients. For example let's say I have the following clients
>>
>> Client1
>> Client2
>>
>> and have the following users
>>
>> User1
>> User2
>> User3
>>
>> and I want User1 to be able to login to Client1 using its own application theme, User2 to login to Client2 using its own application theme and User3 can login to either Client1 or Client2 and they get SSO across the two clients.
>>
>> How can we do this with your proposed SSO zones?
>>
>> The more I think of this, it would be better to just give access to various end points in the login process (e.g. forgot password, social login, register user etc). This I believe will be more flexible as we can then use it for these edge cases. Any thoughts on this?
>>
>> Cheers
>> Travis
>>
>> On Tue, 5 Jan 2016 at 18:29 Stian Thorgersen wrote:
>>
>>> On 4 January 2016 at 14:25, Travis De Silva wrote:
>>>
>>>> Hi Stian,
>>>>
>>>> Adding SSO zones just to address the theming issue looks a bit overkill to me as it will eventually come down to doing some theming at a level below the realm. I was going on the basis that if theming is not set at a client level, then it will default to the realm level theming which is basically your SSO enabled zone.
>>>>
>>>> Also my other point was with regard to SaaS based applications where we have a backoffice system which is themed as per our SaaS product but the consumer facing front end needs to be themed to be aligned with the customer's web site. In this case, we cannot go with what KeyCloak has at present.
>>>> What I am doing is as suggested by Bill sometime back, adding "if/else" statements into the freemarker templates and based on the client id loading different freemarker templates, which is not ideal but does the job.
>>>>
>>>> In any case, since what we are discussing is in general edge cases, instead of complicating the core KeyCloak platform, why don't you just expose the various links/flows that are currently available in the login process (forgot password/reset credentials, required actions (update password, verify email, configure OTP, etc.), user account mgmt, registration, social login etc.). Then we are still using the core of keycloak but for the frontend themes/UI, we use our own.
>>>>
>>>> I also haven't explored the Login SPI, which as per the KeyCloak docs says "The Login SPI allows implementing the login forms using whatever web framework or templating engine you want". Wonder if this will give us what we are after.
>>>
>>> Sounds like an SSO zone is exactly what you'd want, so I'm not sure why you are so against that.
>>>
>>> I really don't want to have a theme option on a client, as I've said it just doesn't make any sense. I'd be happy with introducing an SPI or adding to the Theme SPI to let you choose yourself what theme is selected. The Login SPI is rather low-level so it would be better to do something else.
>>>
>>>> Cheers
>>>> Travis
>>>>
>>>> On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen wrote:
>>>>
>>>>> I strongly disagree. With Keycloak you are logging in to a SSO realm, not an individual application. With that in mind it's important that the login screen reflects that. Users need to know the difference as it's an important distinction.
>>>>> It just doesn't make any sense that I'm logged-in to the SSO with a login screen that is themed to look like the login screen for an individual application.
>>>>>
>>>>> Adding an option on clients to set the theme just doesn't make any sense. If we added the option to create SSO "zones" or disable SSO for individual applications then it would make sense to be able to set the theme on a per-zone basis or for apps that don't have SSO enabled.
>>>>>
>>>>> On 31 December 2015 at 09:46, Travis De Silva wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> My vote is to provide this feature at a client level as per the original request.
>>>>>>
>>>>>> I think realms should be used for completely different domains when we want to isolate users etc. Should not try and use it for something that it was not intended for in the design.
>>>>>>
>>>>>> The reason why you might need theming at client level is if you really think about it: clients are essentially different applications most of the time and each of these applications might have different look and feel themes (either due to different development teams or vendors building different applications).
>>>>>>
>>>>>> So when someone logs in via KeyCloak, it's true that we are logging into a realm but for an end user, it is really logging into an application and there is a need for the login page theme to look similar to the application look and feel.
>>>>>>
>>>>>> Also I have a use case where I have a back office application that requires login for admin users and then I have the front office of this application where in addition to the admin users, you also can have other users as well who can self register and login to the front end which is a consumer facing site.
>>>>>>
>>>>>> How I handle this is by having two clients in the same realm.
>>>>>> This works fine if you are happy with the same backend login theme to be there for the consumer facing frontend. But we cannot do that as the front end is a consumer facing SaaS site, so each front end needs to have the client's website theme. This becomes very hard to do if we don't have theming at a client level.
>>>>>>
>>>>>> I came across this post from Bill a few months ago
>>>>>> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
>>>>>>
>>>>>> I am thinking to make use of the client variable that is available in login.ftl and load different freemarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal but it might meet the requirement.
>>>>>>
>>>>>> Cheers
>>>>>> Travis

From sthorger at redhat.com Wed Jan 6 09:16:23 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 6 Jan 2016 15:16:23 +0100
Subject: [keycloak-user] Application/Client specific "permission" resolution ability in keycloak

Currently Keycloak is limited to roles only. We are looking into expanding on that in the future though.
On 5 January 2016 at 05:08, Subhrajyoti Moitra wrote:
> Hello,
>
> Is there an ability in Keycloak to manage application/client "permissions", similar to what Shiro has using WildCardPermissions?
> http://shiro.apache.org/permissions.html
>
> I understand that this is very domain and application specific, but is there some generic way to manage these for specific Keycloak clients?
>
> Currently trying to implement permissions for a couple of keycloak clients in a custom way; roles are stored in keycloak, the applications manage the permission mapping with the specific roles.
>
> Any pointers to the same would be very helpful.
>
> Thanks and regards,
> Subhro.

From sthorger at redhat.com Wed Jan 6 09:18:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 6 Jan 2016 15:18:15 +0100
Subject: [keycloak-user] Additional jpaConnectionProvider for UserFederation via database
In-Reply-To: <1452038437.11135.11.camel@muerte.net>
References: <61D077C6283D454FAFD06F6AC4AB74D723D36465@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> <1452038437.11135.11.camel@muerte.net>

Are you deploying it as a module or by dropping it into standalone/configuration/providers? The latter will pick up the persistence.xml from the Keycloak classloader so that's probably why it doesn't work. Try deploying as a module instead as that's the only way you can get full control of the classpath.

On 6 January 2016 at 01:00, Harold Campbell wrote:
> On Wed, 2015-11-11 at 14:12 +0100, Stian Thorgersen wrote:
> > At the moment when the provider is specified in keycloak-server.json we only load that one provider.
> > If you only need to use the EntityManagerFactory within your user federation provider you don't need a JpaConnectionProvider at all. Just create the EntityManagerFactory within your UserFederationProviderFactory.
>
> I'm trying to do exactly that, but can't for the life of me get the EntityManagerFactory to create. It fails with:
>
> Caused by: javax.persistence.PersistenceException: No Persistence provider for EntityManager named XXXXX
>
> Before that, I also see this warning even if I explicitly pass the suggested provider as a property:
>
> 17:43:57,250 WARN [org.hibernate.ejb.HibernatePersistence] (default task-53) HHH015016: Encountered a deprecated javax.persistence.spi.PersistenceProvider [org.hibernate.ejb.HibernatePersistence]; use [org.hibernate.jpa.HibernatePersistenceProvider] instead.
>
> The persistence.xml is in META-INF. I also tried META-INF/classes/META-INF.
>
> My init code:
>
>     private void lazyInit() {
>         Map<String, Object> props = new HashMap<>();
>         props.put(AvailableSettings.PROVIDER, "org.hibernate.jpa.HibernatePersistenceProvider");
>         props.put(AvailableSettings.TRANSACTION_TYPE, "RESOURCE_LOCAL");
>         props.put("jboss.as.jpa.managed", "false");
>         emFactory = Persistence.createEntityManagerFactory("XXXXX", props);
>     }
>
> This same persistence unit works just fine when bundled on its own within a normal JEE EAR.
>
> Any idea what I'm doing wrong? Keycloak 1.7.0.Final
>
> --
> Harold Campbell
>
> A farmer with extremely prolific hens posted the following sign. "Free Chickens. Our Coop Runneth Over."
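Added example for the exchange above; this is not Harold's code and not part of Keycloak. It shows one way to build the provider's own EntityManagerFactory without javax.persistence.Persistence's provider discovery, which is the step that produces "No Persistence provider for EntityManager named ..." when a module's class loader cannot see the provider's service file. Assumed: a persistence unit named "federation-pu" (hypothetical) declared in META-INF/persistence.xml inside the provider jar, RESOURCE_LOCAL with its JDBC settings in that file, Hibernate 4.3 or later on the module path (org.hibernate.jpa.AvailableSettings.CLASSLOADERS is assumed to exist there), and a hypothetical package name.

```java
// Added example, not Harold's code and not part of Keycloak: building the provider's
// own EntityManagerFactory without going through javax.persistence.Persistence.
// Assumed: persistence unit "federation-pu" (hypothetical) in META-INF/persistence.xml
// of the provider jar, RESOURCE_LOCAL with JDBC properties set there; Hibernate 4.3+.
package com.example.federation; // hypothetical package

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;

import org.hibernate.jpa.AvailableSettings;
import org.hibernate.jpa.HibernatePersistenceProvider;

public final class FederationPersistence {

    private static final String UNIT_NAME = "federation-pu"; // assumed persistence unit name

    private static volatile EntityManagerFactory emFactory;

    private FederationPersistence() {
    }

    /** Lazily creates the factory once; concurrent first callers share the same instance. */
    public static EntityManagerFactory factory() {
        EntityManagerFactory f = emFactory;
        if (f == null) {
            synchronized (FederationPersistence.class) {
                f = emFactory;
                if (f == null) {
                    f = build();
                    emFactory = f;
                }
            }
        }
        return f;
    }

    private static EntityManagerFactory build() {
        Map<String, Object> props = new HashMap<>();
        props.put(AvailableSettings.TRANSACTION_TYPE, "RESOURCE_LOCAL");
        // Keep the WildFly JPA deployer out of it; the provider owns this unit.
        props.put("jboss.as.jpa.managed", "false");
        // Tell Hibernate which class loader holds META-INF/persistence.xml and the entity
        // classes: inside a JBoss module the thread context class loader is not
        // necessarily the module's own loader. (CLASSLOADERS assumed present, Hibernate 4.3+.)
        props.put(AvailableSettings.CLASSLOADERS,
                Collections.singleton(FederationPersistence.class.getClassLoader()));

        // Persistence.createEntityManagerFactory() locates providers through
        // META-INF/services/javax.persistence.spi.PersistenceProvider; instantiating
        // the provider directly does not depend on that lookup succeeding.
        EntityManagerFactory f = new HibernatePersistenceProvider()
                .createEntityManagerFactory(UNIT_NAME, props);
        if (f == null) {
            // JPA providers return null when they do not find the named unit, which here
            // means persistence.xml is not visible on the module class path.
            throw new IllegalStateException("persistence unit not found: " + UNIT_NAME);
        }
        return f;
    }

    public static EntityManager newEntityManager() {
        return factory().createEntityManager();
    }

    /** Call this from the provider factory's close() so the pool is released on shutdown. */
    public static synchronized void close() {
        EntityManagerFactory f = emFactory;
        if (f != null) {
            emFactory = null;
            f.close();
        }
    }
}
```

The HHH015016 warning in Harold's log shows that provider discovery did find a provider (the deprecated org.hibernate.ejb.HibernatePersistence), so the failure more likely comes from the persistence unit itself not being located on the class loader Hibernate searches; the class-loader hint above is the part aimed at that. Replace the unit name and package with the real ones and keep the factory's close() wired to the provider's shutdown so the pool is not leaked across redeploys.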
From sthorger at redhat.com Wed Jan 6 09:24:14 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 6 Jan 2016 15:24:14 +0100
Subject: [keycloak-user] Question about Realm and Client (Resource) Roles

In the admin console you can manage realm roles from the "Roles" link in the menu on the left hand side. Further, you can manage roles for a client (service) by finding the client first; it then has a tab for roles. For clients (front-ends) there's a scope tab that lets you control what roles the client is allowed to obtain. Once you've done that, a token that a client receives will contain the roles the user and client are permitted to have. When this token is sent to the service the adapter then checks if the token contains the required roles. The service can either use realm roles (global roles) or roles specific to itself (client roles, which is enabled by setting use-resource-role-mappings to true in the keycloak.json file for the service).

Does that answer your questions?

On 4 January 2016 at 19:04, Giovanni Baruzzi wrote:
> Dear All,
>
> In the documentation I read about the Realm and Resource Roles
>
> Under "2.2.1. Permission scopes" you can read:
> "The role mappings contained within the token are the intersection between the set of user role mappings and the permission scope of the client. So, access tokens are tailor made for each client and contain only the information required for by them."
>
> Further, under "8.1. General Adapter Configuration", you read
> "use-resource-role-mappings" If set to true, the adapter will look inside the token for application level role mappings for the user. If false, it will look at the realm level for user role mappings. This is OPTIONAL.
> The default value is false
>
> I would like to understand how to use it and how to configure it, but I cannot find anything in the documentation nor in the tips of the Console.
>
> Can anybody give me a pointer to more information?
>
> Thank you,
>
> Giovanni

From sthorger at redhat.com Wed Jan 6 09:28:57 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 6 Jan 2016 15:28:57 +0100
Subject: [keycloak-user] Basic authentication - adapter not using backend-url for HttpPost?

Seems like there's two issues here:

#1 auth-server-url is set to localhost - are you doing login from the same box as Keycloak is running on?

#2 auth-server-url-for-backend-requests is not being used by BasicAuthRequestAuthenticator - this is a bug, feel free to raise a jira for this one

On 4 January 2016 at 21:49, Guy Davis wrote:
> Good day,
>
> I'm working with Keycloak 1.7.0.Final (in its own Wildfly) behind a HAProxy instance. A REST service is deployed (as .war) on another server (also behind HAProxy) in a JBoss EAP instance, protected using the Keycloak adapter.
>
> The deployment is protected as follows in standalone.xml of the JBoss instance (element names were lost in the archive; the values were):
>
> MyRealm
> my-resource
> true
> true
> true
> MIIB...QAB
> /auth
> http://proxy:8080/auth
> NONE
> preferred_username
>
> Here is the relevant section of mytest.war's web.xml (values only, as above):
>
> All Admin
> /*
> my-admins
> NONE
> KEYCLOAK
> this is ignored currently
> Admin access for admins.
> my-admins
>
> Due to the use of the old JBoss EAP 6.1 server, I've had to add the following to mytest.war's jboss-web.xml to support proxying, with proxy headers added by HAProxy (values only, as above):
>
> keycloak-web
> mytest
> org.apache.catalina.valves.RemoteIpValve
> protocolHeader
> x-forwarded-proto
>
> The hostname "proxy" is resolvable within the cluster behind HAProxy and will result in direct access to the Keycloak instance. From outside the cluster, all the services are mapped to the same HTTP namespace by HAProxy. So an external request to http://[external_haproxy]/auth will be proxied to Keycloak in the cluster. The 'my-resource' Keycloak client has direct access grants enabled and is set to Public access.
>
> In testing, where the entire cluster is launched in Vagrant running on Windows, if I access http://localhost/mytest/api/... in a browser, I am shown the Keycloak login and get the REST service result as expected. This tells me that the majority of my configuration above is good.
>
> However, if I use a client like curl or JMeter to send a similar HTTP request with the Basic authentication header added:
> Authorization: Basic YWRtaW46YWRtaW4=
>
> Then the following is observed in the JBoss log from the Keycloak adapter:
>
> 2016-01-04 20:03:49,295 DEBUG [org.keycloak.adapters.BasicAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Failed to obtain token: java.net.ConnectException: Connection refused
>
> Upon debugging through the Keycloak adapter code to watch the basic authentication process, I found myself in BasicAuthRequestAuthenticator.getToken() where I find that *deployment.getAuthServerBaseUrl()* == "http://localhost/auth" which is not valid on the JBoss EAP system. This tells me that the external hostname (Vagrant host) is being used to build the URI for contacting the internal Keycloak host. In particular, the provided value for auth-server-url-for-backend-requests is not being used.
> Since this Basic Auth code uses this URI to issue a "backend" request, I would have expected the value to be used.
>
> So my question is whether I am missing a basic authentication specific configuration step or whether I've encountered a defect in URI handling for basic auth + backend requests. Interestingly, in the attached Eclipse screenshot, the deployment object is aware of the http://proxy:8080 URI backend but it is not being used for authServerBaseUrl.
>
> Note, the scope of this problem is more than my Vagrant/localhost example. I expect the same problem to manifest in our AWS test environment where external hostnames don't resolve for cluster members identified by internal hostnames only. I'm hoping to find a solution before this hits our test environment.
>
> Thanks in advance,
> Guy

From hcamp at muerte.net Wed Jan 6 10:16:39 2016
From: hcamp at muerte.net (Harold Campbell)
Date: Wed, 06 Jan 2016 09:16:39 -0600
Subject: [keycloak-user] Additional jpaConnectionProvider for UserFederation via database
References: <61D077C6283D454FAFD06F6AC4AB74D723D36465@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> <1452038437.11135.11.camel@muerte.net>
Message-ID: <1452093399.3118.2.camel@muerte.net>

On Wed, 2016-01-06 at 15:18 +0100, Stian Thorgersen wrote:
> Are you deploying it as a module or by dropping it into standalone/configuration/providers? The latter will pick up the persistence.xml from the Keycloak classloader so that's probably why it doesn't work.
> Try deploying as a module instead as that's the only way you can get full control of the classpath
>

I'm already deploying as a module. When I tried deploying into providers/ I didn't get the Persistence classes in my classpath.

--
Harold Campbell

There's a little picture of ED MCMAHON doing BAD THINGS to JOAN RIVERS in a $200,000 MALIBU BEACH HOUSE!!

From subhrajyotim at gmail.com Wed Jan 6 12:04:55 2016
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Wed, 6 Jan 2016 22:34:55 +0530
Subject: [keycloak-user] Application/Client specific "permission" resolution ability in keycloak

Thanks Stian for replying,

Yes, we are implementing something like WildCardPermissions and managing permissions at an application level, rather than on Keycloak. Each app maintains its own role to permission mappings.

Thanks and regards,
Subhro.

On Wed, Jan 6, 2016 at 7:46 PM, Stian Thorgersen wrote:
> Currently Keycloak is limited to roles only. We are looking into expanding on that in the future though.
>
> On 5 January 2016 at 05:08, Subhrajyoti Moitra wrote:
>
>> Hello,
>>
>> Is there an ability in Keycloak to manage application/client "permissions", similar to what Shiro has using WildCardPermissions?
>> http://shiro.apache.org/permissions.html
>>
>> I understand that this is very domain and application specific, but is there some generic way to manage these for specific Keycloak clients?
>>
>> Currently trying to implement permissions for a couple of keycloak clients in a custom way; roles are stored in keycloak, the applications manage the permission mapping with the specific roles.
>>
>> Any pointers to the same would be very helpful.
>>
>> Thanks and regards,
>> Subhro.
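Added example, not code from this thread and not part of Keycloak or Shiro. It ties together two points made above: Stian's explanation (in the "Question about Realm and Client (Resource) Roles" message) that the adapter takes either realm roles or client roles from the token depending on use-resource-role-mappings, and Subhro's approach of keeping role-to-permission mappings inside the application because Keycloak only issues roles. The wildcard matching follows Shiro's WildcardPermission rules for colon-separated parts (the comma-separated sub-part lists Shiro also supports are left out); the role grants, client id and token claims are constructed sample data, and the package name is hypothetical.

```java
// Added example, not from the thread and not Keycloak or Shiro code: application-side
// Shiro-style wildcard permissions resolved from the roles Keycloak put in the token.
package com.example.authz; // hypothetical package

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public final class RolePermissions {

    /** Role -> granted permissions in "domain:action:instance" form. Application config. */
    private final Map<String, Set<String>> grants = new HashMap<>();

    public RolePermissions grant(String role, String... permissions) {
        grants.computeIfAbsent(role, r -> new HashSet<>()).addAll(Arrays.asList(permissions));
        return this;
    }

    /**
     * Selects roles the way the adapter's use-resource-role-mappings switch does:
     * client roles from resource_access[clientId].roles when true, realm roles from
     * realm_access.roles when false. The two maps stand in for the decoded claims of
     * a token the adapter has already validated.
     */
    public static Set<String> rolesFromToken(boolean useResourceRoleMappings, String clientId,
                                             Set<String> realmRoles,
                                             Map<String, Set<String>> resourceAccess) {
        if (useResourceRoleMappings) {
            return resourceAccess.getOrDefault(clientId, Collections.emptySet());
        }
        return realmRoles;
    }

    /** True if any held role grants a permission implying the requested one; deny by default. */
    public boolean isPermitted(Set<String> roles, String required) {
        List<String> wanted = parts(required);
        for (String role : roles) {
            for (String granted : grants.getOrDefault(role, Collections.emptySet())) {
                if (implies(parts(granted), wanted)) {
                    return true;
                }
            }
        }
        return false;
    }

    private static List<String> parts(String permission) {
        return Arrays.asList(permission.trim().toLowerCase().split(":", -1));
    }

    /**
     * WildcardPermission semantics: parts are compared left to right, "*" in the grant
     * matches any value, a grant with fewer parts implies every longer request
     * ("printer" implies "printer:print:lp7200"), and a request with fewer parts is
     * implied only if the grant's remaining parts are all "*".
     */
    static boolean implies(List<String> granted, List<String> wanted) {
        for (int i = 0; i < granted.size(); i++) {
            if (i >= wanted.size()) {
                for (int j = i; j < granted.size(); j++) {
                    if (!"*".equals(granted.get(j))) {
                        return false;
                    }
                }
                return true;
            }
            if (!"*".equals(granted.get(i)) && !granted.get(i).equals(wanted.get(i))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        RolePermissions perms = new RolePermissions()
                .grant("admin", "*")
                .grant("operator", "printer:print:*", "printer:query");

        // Constructed stand-in for the claims of a validated access token.
        Set<String> realmRoles = new HashSet<>(Arrays.asList("user"));
        Map<String, Set<String>> resourceAccess = new HashMap<>();
        resourceAccess.put("mytest", new HashSet<>(Arrays.asList("operator")));

        Set<String> clientRoles = rolesFromToken(true, "mytest", realmRoles, resourceAccess);
        System.out.println("client roles " + clientRoles + " -> printer:print:lp7200: "
                + perms.isPermitted(clientRoles, "printer:print:lp7200"));
        System.out.println("client roles " + clientRoles + " -> printer:manage: "
                + perms.isPermitted(clientRoles, "printer:manage"));
        Set<String> noClientRoles = rolesFromToken(true, "other-client", realmRoles, resourceAccess);
        System.out.println("no client roles -> printer:query: "
                + perms.isPermitted(noClientRoles, "printer:query"));
    }
}
```

The role set must come from a token the adapter has already verified (signature, issuer, expiry and audience); this class only decides what those roles mean inside one application, which is why it can stay application-specific while Keycloak continues to manage nothing but roles. Keeping isPermitted deny-by-default means an unmapped role grants nothing, and a client id missing from resource_access yields an empty role set rather than falling back to realm roles.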
From traviskds at gmail.com Wed Jan 6 17:59:10 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Wed, 06 Jan 2016 22:59:10 +0000
Subject: [keycloak-user] Different theme for each client
References: <21D76280-2ACE-4405-BE8B-70722B3EB7FC@smartling.com>

Yes I understand. Let me check out the Login SPI. Also thank you for not getting mad with this prolonged conversation :) As always you guys have been very responsive and willing to listen to the community and that is a great sign for the future of KeyCloak.

On Thu, 7 Jan 2016 at 01:04 Stian Thorgersen wrote:
> In theory you should be able to create your own screens using the Login SPI, but you will have to do a fair bit of development as you'll pretty much have to replace the whole login frontend. You can't host the login pages from your apps either as you'll then lose the ability to do SSO, so it will still have to be redirect based login as it is now.
>
> As you say your use-case is not quite the common-case so it's not something that I want to support directly in Keycloak. However, we do strive to make Keycloak customizable for corner-cases so if you can achieve what you want with our current SPIs that would be great. Otherwise we could discuss what's needed. At the moment we're pretty swamped though so changes to Keycloak would most likely have to be contributions from you.
>
> On 6 January 2016 at 03:25, Travis De Silva wrote:
>
>> On Wed, 6 Jan 2016 at 01:52 Scott Rossillo wrote:
>>
>>> Isn't this whole idea of client specific themes just going to confuse users? Think about logging into Google.
Mail, calendar, drive, etc., all >>> share the same login screen and are all SSO clients. Wouldn?t you be >>> confused if it looked different for each app? Either way you?re >>> authenticating with Google. If you want to customize the consent screen >>> for external clients, that makes a bit more sense but it should be done in >>> a very standard way, like allowing a custom logo per external client you?re >>> authorizing. If you completely re-theme the consent screen even, you?re >>> going to confuse users IMO. >>> >>> >> If the suite of applications/products as per your Google example is >> provided from one vendor/development group, then yes. In that case we can >> use what KeyCloak has at present. >> >> But in corporate environments, you have hundreds and sometimes thousands >> of applications built by different groups/teams/vendors and they all don't >> look the same. In these environments, users most of the time use one or two >> as their primary application and occasionally might want to access another >> one in which case SSO will kick in and they don't need to login again. So >> there is really no confusion as they will always login to their primary >> application which is themed as per their application and when they go >> across to another application, it just automagically logs them in due to >> SSO. >> >> Another point is that when new application projects are kicked off in the >> corporate world, they will want to style/theme UI's as per the latest >> design standards or features. In such cases, if we go and theme it using >> the new standard, that will also change the existing applications that are >> running on KeyCloak and anyone who has worked in a corporate world knows >> how much of a pain point that is as you need to then engage various >> business owners of the exiting applications, come up with end user >> communication plans and so on. 
If we have theming at a client level, then >> we can progressively or to use the current buzz word "in an Agile" manner, >> ensure that new applications look new with new UI standards and not have to >> worry about existing applications at least until those applications are >> migrated. >> >> Apart from the above "corporate world" example, there are examples where >> this can be useful in consumer facing SaaS type of applications as well. It >> just gives more flexibility to end developers of applications that utilise >> KeyCloak. >> >> >> >>> Scott Rossillo >>> Smartling | Senior Software Engineer >>> srossillo at smartling.com >>> >>> [image: Powered by Sigstr] >>> >>> On Jan 5, 2016, at 6:22 AM, Travis De Silva wrote: >>> >>> Hi Stian, >>> >>> SSO zones will not help in my use case because I actually want SSO >>> between clients. For example lets say I have following clients >>> >>> Client1 >>> Client2 >>> >>> and have following users >>> >>> User1 >>> User2 >>> User3 >>> >>> and I want User1 to be able to login to Client1 using its own >>> application theme, User2 to login to Client2 using its own application >>> theme and User3 can login to either Client1 or Client2 and they get SSO >>> across the two clients. >>> >>> How can we do this with your proposed SSO zones? >>> >>> The more I think of this, its would be better to just give access to >>> various end points in the login process. (e.g. forgot password, social >>> login, register user etc) This I believe will be more flexible as we can >>> then use it for these edge cases. Any thoughts on this? >>> >>> Cheers >>> Travis >>> >>> On Tue, 5 Jan 2016 at 18:29 Stian Thorgersen >>> wrote: >>> >>>> On 4 January 2016 at 14:25, Travis De Silva >>>> wrote: >>>> >>>>> HI Stian, >>>>> >>>>> Adding SSO zones just to address the theming issue looks a bit >>>>> overkill to me as it will eventually come down to doing some theming at a >>>>> level below the realm. 
I was going on the basis that if theming is not set >>>>> at a client level, then it will default to the realm level theming which is >>>>> basically your SSO enabled zone. >>>>> >>>> >>>>> Also my other point was with regard to SaaS based applications where >>>>> we have a backoffice system which is themed as per our SaaS product but the >>>>> consumer facing front end needs to be themed to be aligned with the >>>>> customer's web site. In this case, we cannot go with what KeyCloak has at >>>>> present. What I am doing is as suggested by Bill sometime back, adding >>>>> "if/else" statements into the freemarker templates and based on the client >>>>> id loading different freemarker templates which is not ideal but does the >>>>> job. >>>>> >>>>> In any case, since what we are discussing is in general edge cases, >>>>> Therefore instead of complicating the core KeyCloak platform, why don't you >>>>> just expose the various links/flows that is currently available in the >>>>> login process (forgot password/reset credentials, required actions >>>>> (update password, verify email, configure OTP, etc.), user account >>>>> mgmt, registration, social login etc. Then we are still using the core of >>>>> keycloak but for the frontend themes/UI, we use our own. >>>>> >>>>> I also haven't explored the Login SPI which as per the KeyCloak docs >>>>> which says "The Login SPI allows implementing the login forms using >>>>> whatever web framework or templating engine you want". Wonder if this will >>>>> give us what we are after. >>>>> >>>> >>>> Sounds like an SSO zone is exactly what you'd want, so I'm not sure why >>>> you are so against that. >>>> >>>> I really don't want to have a theme option on a client, as I've said it >>>> just doesn't make any sense. I'd be happy with introducing an SPI or adding >>>> to the Theme SPI to let you choose yourself what theme is selected. The >>>> Login SPI is rather low-level so it would be better to do something else. 
>>>> >>>> >>>>> >>>>> Cheers >>>>> Travis >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen >>>>> wrote: >>>>> >>>>>> I strongly disagree. With Keycloak you are logging in to a SSO realm, >>>>>> not an individual application. With that in mind it's important that the >>>>>> login screen reflects that. Users need to know the difference as it's an >>>>>> important distinction. It just doesn't make any sense that I'm logged-in to >>>>>> the SSO with a login screen that is themed to look like the login screen >>>>>> for an individual application. >>>>>> >>>>>> Adding an option on clients to set the theme just doesn't make any >>>>>> sense. If we added the option to create SSO "zones" or disable SSO for >>>>>> individual applications then it would make sense to be able to set theme on >>>>>> a per-zone or apps that doesn't have SSO enabled. >>>>>> >>>>>> On 31 December 2015 at 09:46, Travis De Silva >>>>>> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> My vote is to provide this feature at a client level as per the >>>>>>> original request. >>>>>>> >>>>>>> I think realms should be used for completely different domains when >>>>>>> we want to isolate users etc. Should not try and use it for something that >>>>>>> it was not intended in the design. >>>>>>> >>>>>>> The reason why you might need theming at client level is if you >>>>>>> really think that clients which are essentially different applications most >>>>>>> of the time and each of these applications might have different look and >>>>>>> feel themes (either due to different development teams or vendors building >>>>>>> different applications). >>>>>>> >>>>>>> So when someone logs in via KeyCloak, it's true that we are logging >>>>>>> into a realm but for an end user, it is really logging into an application >>>>>>> and there is a need for the login page theme to look similar to the >>>>>>> application look and feel.
>>>>>>> >>>>>> >>>>>>> Also I have a use case where I have a back office application that >>>>>>> requires login for admin users and then I have the front office of this >>>>>>> application where in addition to the admin users, you also can have other >>>>>>> users as well who can self register and login to the front end which is a >>>>>>> consumer facing site. >>>>>>> >>>>>>> How I handle this is by having two clients in the same realm. This >>>>>>> works fine if you are happy with the same backend login theme to be there >>>>>>> for the consumer facing frontend. But we cannot do that as the front end is >>>>>>> a consumer facing SaaS site, so each front end needs to have the client's >>>>>>> website theme. This becomes very hard to do if we don't have theming at a >>>>>>> client level. >>>>>>> >>>>>>> I came across this post from Bill a few months ago >>>>>>> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html >>>>>>> >>>>>>> I am thinking to make use of the client variable that is available >>>>>>> in login.ftl and load different freemarker fragments that will then theme >>>>>>> it differently for each client. As mentioned by Bill, having many if >>>>>>> conditions might not be ideal but it might meet the requirement. >>>>>>> >>>>>>> Cheers >>>>>>> Travis >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160106/1348f1b9/attachment-0001.html From kga.official at gmail.com Wed Jan 6 22:38:33 2016 From: kga.official at gmail.com (Akshay Kini) Date: Thu, 7 Jan 2016 09:08:33 +0530 Subject: [keycloak-user] When using Keycloak as SP in SAML via filter i.e. SamlFilter, we get exception (details inside) Message-ID: Hi Folks, We have configured Keycloak as an SP via filter. Keycloak Version 1.7.0 We get this exception:

ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/].[AppName]] Servlet.service() for servlet NasDefault threw exception: java.lang.RuntimeException: This method is not supported in a restored authenticated request
    at org.keycloak.adapters.servlet.FilterSessionStore$1.getDateHeader(FilterSessionStore.java:178) [:1.7.0.CR1]
    at org.apache.catalina.servlets.DefaultServlet.checkIfModifiedSince(DefaultServlet.java:1731) [:]
    at org.apache.catalina.servlets.DefaultServlet.checkIfHeaders(DefaultServlet.java:608) [:]
    at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:714) [:]
    at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:368) [:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) [:1.0.0.Final]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:]
    ... (trimmed) ...
    at org.keycloak.adapters.saml.servlet.SamlFilter.doFilter(SamlFilter.java:125) [:1.7.0.CR1]
    ... (trimmed) ... etc.

Any ideas on what this error means? Thanks, Regards, Akshay -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/46528daa/attachment.html From malmi.suh at gmail.com Thu Jan 7 02:04:11 2016 From: malmi.suh at gmail.com (Malmi Samarasinghe) Date: Thu, 7 Jan 2016 12:34:11 +0530 Subject: [keycloak-user] Keycloak User Registration Flow In-Reply-To: <568BDEA6.3050006@redhat.com> References: <568BDEA6.3050006@redhat.com> Message-ID: Hi, I have created the below JIRA ticket for the above. Would be a great feature to have in a coming release. https://issues.jboss.org/browse/KEYCLOAK-2268 Regards, Malmi Samarasinghe On Tue, Jan 5, 2016 at 8:47 PM, Bill Burke wrote: > You want a better REST API that takes one document and sets up > everything? Log a jira and spec it out. I think this is something we > should improve. I know there's been a lot of talk about improving user > import. > > On 1/5/2016 6:47 AM, Malmi Samarasinghe wrote: > > Hi All, > > > > I am currently working on registering a user with user realm role and > > client role assignment. > > > > Steps followed
> > 1/ create user (retrieve the user ID from Location header)
> > 2/ get user details
> > 3/ update password
> > 4/ create realm role
> > 5/ retrieve all realm roles and filter the ones which need to be assigned (since the assignment of roles requires the role ID)
> > 6/ assign realm role
> > 7/ same for the application roles as well, which also has multiple iterations for each client
> > > > With all the API calls the user registration seems to have 8+ API calls > > and I would like to know if there are any other alternatives/suggestions > > to get the user registration flow working more efficiently. > > > > Is there any plan to give a consolidated user registration API in the > > future?
> > > > Regards, > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/db903e5d/attachment.html From sthorger at redhat.com Thu Jan 7 02:47:47 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 7 Jan 2016 08:47:47 +0100 Subject: [keycloak-user] Additional jpaConnectionProvider for UserFederation via database In-Reply-To: <1452093399.3118.2.camel@muerte.net> References: <61D077C6283D454FAFD06F6AC4AB74D723D36465@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> <1452038437.11135.11.camel@muerte.net> <1452093399.3118.2.camel@muerte.net> Message-ID: What dependencies have you included in your module? On 6 January 2016 at 16:16, Harold Campbell wrote: > On Wed, 2016-01-06 at 15:18 +0100, Stian Thorgersen wrote: > > Are you deploying it as a module or by dropping it into > > standalone/configuration/providers? The latter will pick up the > > persistence.xml from Keycloak classloader so that's probably why it > > doesn't work. Try deploying as a module instead as that's the only > > way you can get full control of the classpath > > > > I'm already deploying as a module. When I tried deploying into > providers/ I didn't get the Persistence classes in my classpath. > > -- > Harold Campbell > > There's a little picture of ED MCMAHON doing BAD THINGS to JOAN RIVERS > in a $200,000 MALIBU BEACH HOUSE!! > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/e372772f/attachment.html From pavel.masloff at gmail.com Thu Jan 7 03:13:23 2016 From: pavel.masloff at gmail.com (Pavel Maslov) Date: Thu, 7 Jan 2016 09:13:23 +0100 Subject: [keycloak-user] [Migration] 1.3.1 -> 1.7.0 Message-ID: Hi guys, I would like to migrate from 1.3.1 to the latest version. Will it be possible to just export a json file at Keycloak boot and then import it in the same way for the new version? *1.3.1* : $ /opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=kc_1.3.1.json *1.7.0* : $ /opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.import=kc_1.3.1.json Will this work? Thanks! Regards, Pavel Maslov, MS -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/d144b599/attachment.html From sthorger at redhat.com Thu Jan 7 03:19:25 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 7 Jan 2016 09:19:25 +0100 Subject: [keycloak-user] [Migration] 1.3.1 -> 1.7.0 In-Reply-To: References: Message-ID: If you're starting with a fresh database that will work. You can also keep the existing database as Keycloak will automatically update the schema for you. Obviously make sure you backup first On 7 January 2016 at 09:13, Pavel Maslov wrote: > Hi guys, > > > I would like to migrate from 1.3.1 to the latest version. Will it be > possible to just export a json file at Keycloak boot and then import it in > the same way for the new version? > > *1.3.1* : $ /opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=export > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.file=kc_1.3.1.json > > *1.7.0* : $ /opt/jboss/keycloak/bin/standalone.sh > -Dkeycloak.import=kc_1.3.1.json > > > Will this work? > > Thanks! 
> > > Regards, > Pavel Maslov, MS > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/21f95ac3/attachment.html From olivier.lievre at altran.com Thu Jan 7 03:47:32 2016 From: olivier.lievre at altran.com (LIEVRE Olivier) Date: Thu, 7 Jan 2016 08:47:32 +0000 Subject: [keycloak-user] [reset-pasword] email with username Message-ID: <5E0EBD68B410924EADA89C5CBD233CD062FA0351@XMB-DCFR-35.europe.corp.altran.com> Hello, Is there a way to customize keycloak reset-password e-mail to add the username in the body? KR, Olivier -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/54be0242/attachment-0001.html From pavel.masloff at gmail.com Thu Jan 7 04:04:02 2016 From: pavel.masloff at gmail.com (Pavel Maslov) Date: Thu, 7 Jan 2016 10:04:02 +0100 Subject: [keycloak-user] [Migration] 1.3.1 -> 1.7.0 In-Reply-To: References: Message-ID: Does the second option require any extra steps beside database backup? Regards, Pavel Maslov, MS On Thu, Jan 7, 2016 at 9:19 AM, Stian Thorgersen wrote: > If you're starting with a fresh database that will work. You can also keep > the existing database as Keycloak will automatically update the schema for > you. > > Obviously make sure you backup first > > On 7 January 2016 at 09:13, Pavel Maslov wrote: > >> Hi guys, >> >> >> I would like to migrate from 1.3.1 to the latest version. Will it be >> possible to just export a json file at Keycloak boot and then import it in >> the same way for the new version? 
>> >> *1.3.1* : $ /opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=export >> -Dkeycloak.migration.provider=singleFile >> -Dkeycloak.migration.file=kc_1.3.1.json >> >> *1.7.0* : $ /opt/jboss/keycloak/bin/standalone.sh >> -Dkeycloak.import=kc_1.3.1.json >> >> >> Will this work? >> >> Thanks! >> >> >> Regards, >> Pavel Maslov, MS >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/274a3aa6/attachment.html From leo.nunes at gjccorp.com.br Thu Jan 7 05:32:02 2016 From: leo.nunes at gjccorp.com.br (LEONARDO NUNES) Date: Thu, 7 Jan 2016 10:32:02 +0000 Subject: [keycloak-user] User Created Through API Not Logging In Message-ID: Hi, I'm using Keycloak admin client version 1.7.0.Final to create users from an external application. The user is being created without any errors. However, when I try to login the message "Invalid username or password." is shown. If I go to the console and change the password for the created user and try to login again, then it works. As you can see below I'm setting the password when creating the user. Why do I need to change the password for it to work? I'm also setting the realmRoles, but when I open the user at the console, the realmRoles are not defined for the user.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

// admin-client session against the "demo" realm, authenticating through the admin-cli client
Keycloak keycloak = Keycloak.getInstance("http://localhost:8080/auth", "demo", "admin", "my-password", "admin-cli");

UserRepresentation user = new UserRepresentation();
user.setUsername("usertest");
user.setFirstName("firsttest");
user.setLastName("lasttest");
user.setEnabled(true);

// password attached to the representation that is sent with the create call
CredentialRepresentation credential = new CredentialRepresentation();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue("123456");
credential.setTemporary(false);
user.setCredentials(Arrays.asList(credential));

// realm role attached to the same representation
List<String> realmRoles = new ArrayList<String>();
realmRoles.add("user");
user.setRealmRoles(realmRoles);

UsersResource userResources = keycloak.realm("demo").users();
userResources.create(user);

-- Leonardo Nunes ________________________________ This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation -------------- next part -------------- An HTML attachment was scrubbed...
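The flow Leonardo (and, in the Hawkular thread further down, Juraci) is after, done with the separate admin-client calls the server actually honours, the same shape as Malmi's step list above and what Stian's replies later in this digest point to: create the user, set the password with its own request, then add the role mapping by role representation. This is an added example written for this page, not code from any of the posts or from the Keycloak project. It assumes the admin-client method names of Keycloak 1.7 (UsersResource.create returning a JAX-RS Response, UserResource.resetPassword, UserResource.roles().realmLevel().add, RolesResource.get); the server URL, master-realm admin credentials, realm "demo", username, password and role name are placeholder values.

```java
import java.util.Collections;

import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Added example (not Keycloak project code): create a user that can log in straight away,
 * using the three separate admin-client requests (create, reset password, add role mapping).
 * Server URL, admin credentials, realm, username, password and role name are placeholders;
 * the admin-client method names are assumed to be those of Keycloak 1.7.
 */
public class CreateUserWithPassword {

    public static String createUser(Keycloak keycloak, String realm, String username,
                                    String password, String realmRole) {
        RealmResource realmResource = keycloak.realm(realm);

        // 1. Create the user. Credentials and realm roles placed on this representation
        //    are not applied by the create call (see the replies in this thread), so only
        //    the account attributes go here.
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true); // a disabled user is also refused with "Invalid username or password"

        String userId;
        Response response = realmResource.users().create(user);
        try {
            if (response.getStatus() != 201) {
                throw new IllegalStateException("user create failed: HTTP " + response.getStatus());
            }
            // The id of the new user is only returned in the Location header.
            String location = response.getHeaderString("Location");
            userId = location.substring(location.lastIndexOf('/') + 1);
        } finally {
            response.close();
        }
        UserResource userResource = realmResource.users().get(userId);

        // 2. Set the password with its own request. temporary=false so the user is not
        //    forced through the UPDATE_PASSWORD required action at first login.
        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue(password);
        credential.setTemporary(false);
        userResource.resetPassword(credential);

        // 3. Map the realm role. The mapping endpoint needs the role representation
        //    (with its id), not just the name, so look it up first.
        RoleRepresentation role = realmResource.roles().get(realmRole).toRepresentation();
        userResource.roles().realmLevel().add(Collections.singletonList(role));

        return userId;
    }

    public static void main(String[] args) {
        // Log in as the master-realm admin through the admin-cli client (placeholder values).
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth", "master", "admin", "my-password", "admin-cli");
        String id = createUser(keycloak, "demo", "usertest", "123456", "user");
        System.out.println("created user " + id);
    }
}
```

The create call answers 201 with the new user's id only in the Location header, which is why step 1 reads it back before anything else can be done with the user; if it fails, the password and role calls never run against a half-created account. Checking the status first also catches the common 409 when the username already exists.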
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/6e76e080/attachment.html From hpeng at redhat.com Thu Jan 7 06:23:30 2016 From: hpeng at redhat.com (JasonPeng) Date: Thu, 07 Jan 2016 19:23:30 +0800 Subject: [keycloak-user] Adding captcha to Login Page In-Reply-To: References: Message-ID: Hi there, If we want to add captcha to Login Page, is that possible and how? Would that involve revising keycloak servlet? Many thanks, Jason -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/49a1fd42/attachment.html From bburke at redhat.com Thu Jan 7 09:32:00 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 7 Jan 2016 09:32:00 -0500 Subject: [keycloak-user] Adding captcha to Login Page In-Reply-To: References: Message-ID: <568E76E0.6050003@redhat.com> You'll have to code it using the auth spi. Registration has it, you can borrow the code there. On 1/7/2016 6:23 AM, JasonPeng wrote: > Hi there, > > If we want to add captcha to Login Page, is that possible and how? > Would that involve revising keycloak servlet? > > Many thanks, > Jason > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/cc57bfd3/attachment.html From favez.steve at gmail.com Thu Jan 7 09:40:54 2016 From: favez.steve at gmail.com (Steve Favez) Date: Thu, 7 Jan 2016 15:40:54 +0100 Subject: [keycloak-user] keycloak training / consulting Message-ID: Hi, just wondering if 1. someone is providing / will provide some training for keycloak (so, please contact me asap) 2. 
if there're already some people providing consulting (dev and so on) on keycloak (also, please contact me asap) 3. is Jboss / redhat looking to provide some support for keycloak From my point of view, it would be the next step to get a "wider" adoption of this amazing SSO solution. Thanks Steve -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160107/40be0692/attachment.html From bburke at redhat.com Thu Jan 7 11:24:05 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 7 Jan 2016 11:24:05 -0500 Subject: [keycloak-user] keycloak training / consulting In-Reply-To: References: Message-ID: <568E9125.4010404@redhat.com> On 1/7/2016 9:40 AM, Steve Favez wrote: > Hi, > > just wondering if > > 1. someone is providing / will provide some training for keycloak (so, > please contact me asap) > 2. if there're already some people providing consulting (dev and so > on) on keycloak (also, please contact me asap) > 3. is Jboss / redhat looking to provide some support for keycloak > #3 is coming in 2016. #2 and #1 should follow. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From juraci at kroehling.de Thu Jan 7 11:27:23 2016 From: juraci at kroehling.de (=?UTF-8?Q?Juraci_Paix=c3=a3o_Kr=c3=b6hling?=) Date: Thu, 7 Jan 2016 17:27:23 +0100 Subject: [keycloak-user] Add users in integration tests Message-ID: <568E91EB.7020305@kroehling.de> I'm doing some integration tests for Hawkular and I want to add a user via this integration test, but I'm having some problems in doing it via the test itself.
I'm using the Admin Client from org.keycloak:keycloak-admin-client , and it looks like this:

Keycloak adminClient = KeycloakBuilder
    .builder()
    .realm("master")
    .username("admin")
    .password("admin")
    .serverUrl("${baseURI}/auth")
    .clientId(Constants.ADMIN_CLI_CLIENT_ID)
    .build();

I then create an UserRepresentation (without credentials), and call:

adminClient.realm("hawkular").users().create(userRepresentation)

I then try to reset the password (or set it in a List of CredentialRepresentation to the UserRepresentation above):

CredentialRepresentation pass = new CredentialRepresentation()
pass.type = "password"
pass.value = password
pass.temporary = false
adminClient.realm("hawkular").users().usersResource.get(userId).resetPassword(pass)

But this password is not set. At this stage, I'm facing two problems: 1) The first admin request fails, as the admin has a pending action (reset the password). 2) The user's password is never correctly set. By that I mean that I try to use the password via the UI, and it reports that the password is invalid. I then login to the admin console, reset the password (setting the same as I used in the tests). After this, I can correctly login. So, my questions: - What is the recommended approach for adding users in the context of integration tests? - If Admin Client is the way to go, what's the correct way to add a user with a password? - Juca. From hcamp at muerte.net Thu Jan 7 12:21:34 2016 From: hcamp at muerte.net (Harold Campbell) Date: Thu, 07 Jan 2016 11:21:34 -0600 Subject: [keycloak-user] Additional jpaConnectionProvider for UserFederation via database In-Reply-To: References: <61D077C6283D454FAFD06F6AC4AB74D723D36465@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> <1452038437.11135.11.camel@muerte.net> <1452093399.3118.2.camel@muerte.net> Message-ID: <1452187294.2573.2.camel@muerte.net> On Thu, 2016-01-07 at 08:47 +0100, Stian Thorgersen wrote: > What dependencies have you included in your module?
> The same as keycloak-connections-jpa + javax.xml.bind.api. -- Harold Campbell Most seminars have a happy ending. Everyone's glad when they're over. From tdudgeon.ml at gmail.com Fri Jan 8 02:22:01 2016 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Fri, 8 Jan 2016 07:22:01 +0000 Subject: [keycloak-user] propagating authentication to REST layer In-Reply-To: References: <56865A85.7030808@gmail.com> <568B8AA5.3070001@gmail.com> Message-ID: <568F6399.6080602@gmail.com> So if I understand correctly, if the REST service is running in (for instance) Tomcat, then I can use the standard Tomcat adapter to protect it, but use: "bearer-only" : true as part of the configuration, as described here: http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config Also, regarding those options, it's not clear to me what public-client means. Does that mean that there is no authentication at all? e.g. bypass keycloak completely? Tim On 06/01/2016 08:23, Stian Thorgersen wrote: > > The rest service doesn't check what client obtained the token only the > realm/signature and that it contains the required roles. > > On 5 Jan 2016 10:20, "Tim Dudgeon" > wrote: > > On 05/01/2016 07:36, Stian Thorgersen wrote: >> >> >> On 1 January 2016 at 11:52, Tim Dudgeon > > wrote: >> >> The user docs >> (http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54) >> describe exactly what I'm looking for: >>> Signed access tokens can also be propagated by REST client >>> requests within an|Authorization|header. This is great for >>> distributed integration as applications can request a login >>> from a client to obtain an access token, then invoke any >>> aggregated REST invocations to other services using that >>> access token. >> I have a web app (in Tomcat) that uses the Keycloak adapter >> for user authentication.
>> This web app needs to access a REST service, running in a >> different Tomcat container and I want the REST service to >> use the same user authentication, but I'm not totally sure >> about how to go about this. >> Do I just grab the keycloak token in the header in the web >> app and add that as a header when calling the REST service, >> and set the REST service up to use the same Keycloak adapter >> configuration as the web app? >> >> >> You could or you can get the token from the adapter. Take a look at: >> >> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48 > Thanks. That's useful. > >> >> What if I want to have other ways to authenticate the REST >> service (e.g. access from multiple clients)? >> >> >> Not sure what you mean about this > > For example, lets assume we have 2 apps, authenticating against > the same Keycloak realm, but as separate clients. > Both hit the same REST service and pass through their token to > that service. > How is the REST service to authenticate the requests? > All it really needs to to is check that the tokens are valid and > come from the expected (keycloak) source, even though the tokens > were generated for different clients. > Is there an adapter that handles this? > > Tim >> >> >> >> Tim >> >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
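The setup Tim describes, as an added example written for this page (not code from the Keycloak examples repository or from the posts above): the web app, protected by the normal adapter, forwards the access token the adapter has already validated for the current request, and the REST service, protected by the same adapter but with "bearer-only": true in its keycloak.json, only checks realm roles, as Stian describes. The "azp" claim (which client the token was issued to) is read but deliberately not used in the decision, so tokens obtained by either of two clients in the same realm are accepted. The service URL, client names, the role "user" and the keycloak.json values in the comment are assumptions; the adapter API used (the KeycloakSecurityContext request attribute, AccessToken.getRealmAccess, getIssuedFor) is taken to be that of Keycloak 1.7.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Added example (not Keycloak project code): pass the user's signed access token from a
 * Tomcat web app to a REST service in another container, and check it on the REST side.
 *
 * Web app keycloak.json: an ordinary confidential client ("resource": "web-app", with
 * "credentials"). REST service keycloak.json (illustrative values):
 *   { "realm": "demo", "resource": "rest-service", "bearer-only": true,
 *     "auth-server-url": "http://localhost:8080/auth", "realm-public-key": "..." }
 * With bearer-only the adapter never redirects to a login page: it only accepts an
 * Authorization: Bearer header and checks the signature against the realm key, the
 * realm (issuer) and the expiry before the request reaches application code.
 */
public final class TokenPropagation {

    private TokenPropagation() {
    }

    /** Web app side: reuse the token the adapter validated for the current request. */
    public static String callRestService(HttpServletRequest request, String serviceUrl)
            throws IOException {
        KeycloakSecurityContext sc = securityContext(request);
        if (sc == null) {
            throw new IllegalStateException("request was not authenticated by the Keycloak adapter");
        }
        HttpURLConnection conn = (HttpURLConnection) new URL(serviceUrl).openConnection();
        // Same header the bearer-only adapter on the REST side expects; no cookies or client secret involved.
        conn.setRequestProperty("Authorization", "Bearer " + sc.getTokenString());
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK) {
            // 401: the adapter rejected the token (bad signature, wrong realm, expired); 403: role missing
            throw new IOException("REST service answered HTTP " + status);
        }
        try (InputStream in = conn.getInputStream()) {
            return readAll(in);
        }
    }

    /**
     * REST service side. The adapter already rejected tokens with a bad signature, wrong realm
     * or past expiry, so only the realm roles are decided here. Which client obtained the token
     * ("azp") is logged but deliberately not part of the decision: tokens issued to any client
     * of the realm are accepted as long as they carry the required role.
     */
    public static boolean hasRealmRole(HttpServletRequest request, String role) {
        KeycloakSecurityContext sc = securityContext(request);
        if (sc == null) {
            return false; // no bearer token, or the adapter rejected it
        }
        AccessToken token = sc.getToken();
        AccessToken.Access realmAccess = token.getRealmAccess();
        Set<String> roles = realmAccess == null ? Collections.<String>emptySet() : realmAccess.getRoles();
        request.getServletContext().log("role check '" + role + "' for user " + token.getPreferredUsername()
                + ", token issued to client " + token.getIssuedFor());
        return roles.contains(role);
    }

    private static KeycloakSecurityContext securityContext(HttpServletRequest request) {
        // The servlet/Tomcat adapters publish the validated context under this attribute name.
        return (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
    }

    private static String readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }
}
```

In the REST servlet, answer 403 when hasRealmRole(request, "user") is false; a security-constraint on the same role in web.xml does the equivalent declaratively. Because the signature is checked against the realm's public key, the REST service validates tokens without calling back to Keycloak, and a token forwarded by a different client of the realm passes as long as its roles do.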
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160108/cc3e8360/attachment.html From helder.jaspion at gmail.com Fri Jan 8 07:47:56 2016 From: helder.jaspion at gmail.com (Helder dos S. Alves) Date: Fri, 8 Jan 2016 10:47:56 -0200 Subject: [keycloak-user] Logout multiple webapps of the same realm Message-ID: Hi. I have my Keycloak 1.7.0.Final running on port 8080. I also have an instance of Wildfly 9 running on 8180. On Wildfly (8180) I have 2 webapps which are clients of the same realm on Keycloak. When I logout from one webapp, the other webapp still acts like I'm logged in, the user data still in the 2nd app's session. The same happens on Tomcat 7 and 8. How can I get it to logout (and renew session) every application of the same realm? I tried deploying the same webapps on the keycloak wildfly instance (8080) and it works: When I log out from one app, the other gets its session renewed. Thanks in advance. Helder S. Alves -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160108/66a0ca73/attachment.html From sthorger at redhat.com Fri Jan 8 08:08:48 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 8 Jan 2016 14:08:48 +0100 Subject: [keycloak-user] Add users in integration tests In-Reply-To: <568E91EB.7020305@kroehling.de> References: <568E91EB.7020305@kroehling.de> Message-ID: On 7 January 2016 at 17:27, Juraci Paix?o Kr?hling wrote: > I'm doing some integration tests for Hawkular and I want to add an user > via this integration test, but I'm having some problems in doing it via > the test itself. 
> > I'm using the Admin Client from org.keycloak:keycloak-admin-client , and > it look like this: > > Keycloak adminClient = KeycloakBuilder > .builder() > .realm("master") > .username("admin") > .password("admin") > .serverUrl("${baseURI}/auth") > .clientId(Constants.ADMIN_CLI_CLIENT_ID) > .build(); > > I then create an UserRepresentation (without credentials), and call: > > adminClient.realm("hawkular").users().create(userRepresentation) > > I then try to reset the password (or set it in a List of > CredentialRepresentation to the UserRepresentation above): > > CredentialRepresentation pass = new CredentialRepresentation() > pass.type = "password" > pass.value = password > pass.temporary = false > > adminClient.realm("hawkular").users().usersResource.get(userId).resetPassword(pass) > > But this password is not set. At this stage, I'm facing two problems: > > 1) The first admin request fails, as the admin has a pending action > (reset the password). > > 2) The user's password is never correctly set. By that I mean that I try > to use the password via the UI, and it reports that the password is > invalid. I then login to the admin console, reset the password (setting > the same as I used in the tests). After this, I can correctly login. > > So, my questions: > > - What is the recommended approach for adding users in the context of > integration tests? > > - If Admin Client is the way to go, what's the correct way to add an > user with a password? > If you want to add users while the server is running then the admin client is the way to go. Looks like there may be an issue with password reset though, so you can create an issue for it. In 1.7 the admin password can be set for a server with the add-user script so will no longer have the issue of having to reset admin password first. > > - Juca. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160108/ab3c3e88/attachment-0001.html From Mahantesh.Katti at Indecomm.net Fri Jan 8 09:02:57 2016 From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti) Date: Fri, 8 Jan 2016 14:02:57 +0000 Subject: [keycloak-user] retrieving group membership info from LDAP/AD In-Reply-To: <568A3F93.2050007@redhat.com> References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F1DC@INBLRMBX002.INDECOMM.LOCAL> <568A3F93.2050007@redhat.com> Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E16413655@INBLRMBX002.INDECOMM.LOCAL> Thanks Marek. I looked at the built in example. I am looking for a couple of details. 1. What is the bind password for the embedded apache ds? 2. I had a quick look at the ldaprealm.json document. It turned out that group name and the realm role name are identical. Is that a requirement for role-group mapping to work in keycloak? 3. Also, is role to group mapping always one to one? In our application, one role is invariably mapped to multiple ldap groups. Regards, Prasad From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Monday, January 04, 2016 3:17 PM To: Mahantesh Prasad Katti; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] retrieving group membership info from LDAP/AD On 30/12/15 18:42, Mahantesh Prasad Katti wrote: Hi All, In our application, we integrate with Microsoft AD for authenticating users. As part of the authentication result, we also fetch group information for the user authenticated. We also have a pre-defined group-role mapping defined in the application server [This is a JEE configuration file]. This helps decide whether a particular user based on the role he belongs to can access a resource or not. 
I read another thread "Apply group membership filter on ldap login " on similar lines. Couple of clarifications. 1. Based on what I read there is no feature to get roles and map them to specific roles in keycloak and would be available in a future release. I just wanted to understand if my reading of this is on the right lines. Also, wanted to know if there's a workaround for this in the short term. The feature to get LDAP roles and map them to specific roles in Keycloak is available. We have LDAP Role Mapper (See documentation http://keycloak.github.io/docs/userguide/keycloak-server/html/user_federation.html#ldap_mappers and our ldap example for details). The thread "Apply group membership filter on ldap login" is more about restricting that some LDAP users are not able to login at all (For example, specify that just users, which are members of LDAP group "cn=mygroup,o=myorg,dc=example,dc=com" are able to login and all the other users are filtered). This will be available from 1.8 release (it's in master already). 2. Also does keycloak provide fine grained access control on the lines of apache shiro? Keycloak provides SSO and authentication. Once you authenticate, your application will receive access token with the roles of user from Keycloak (We have stuff like scope, protocol mappers etc, which allows better control under what exactly will go to access token. See docs and examples for details). Then it's up to the application how it interprets roles from accessToken . The authorization needs to be actually done by application itself (unless it's JEE application where we have mapping of accessToken roles to JEE roles. Again see examples). We have separate subproject under development (no official release yet available), which will allow more authorization possibilities. 
Marek

Thanks
Prasad

From sthorger at redhat.com Fri Jan 8 10:28:02 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 8 Jan 2016 16:28:02 +0100
Subject: [keycloak-user] Add users in integration tests
References: <568E91EB.7020305@kroehling.de>

Just added a testcase for this and it works fine. Did you set enabled to true in UserRepresentation?

On 8 January 2016 at 14:08, Stian Thorgersen wrote:
>
> On 7 January 2016 at 17:27, Juraci Paixão Kröhling wrote:
>
>> I'm doing some integration tests for Hawkular and I want to add a user
>> via this integration test, but I'm having some problems doing it via
>> the test itself.
>>
>> I'm using the Admin Client from org.keycloak:keycloak-admin-client, and
>> it looks like this:
>>
>>     Keycloak adminClient = KeycloakBuilder
>>         .builder()
>>         .realm("master")
>>         .username("admin")
>>         .password("admin")
>>         .serverUrl("${baseURI}/auth")
>>         .clientId(Constants.ADMIN_CLI_CLIENT_ID)
>>         .build();
>>
>> I then create a UserRepresentation (without credentials), and call:
>>
>>     adminClient.realm("hawkular").users().create(userRepresentation)
>>
>> I then try to reset the password (or set it in a List of
>> CredentialRepresentation on the UserRepresentation above):
>>
>>     CredentialRepresentation pass = new CredentialRepresentation()
>>     pass.type = "password"
>>     pass.value = password
>>     pass.temporary = false
>>
>>     // users().get(id) returns the UserResource for that user
>>     adminClient.realm("hawkular").users().get(userId).resetPassword(pass)
>>
>> But this password is not set.
>> At this stage, I'm facing two problems:
>>
>> 1) The first admin request fails, as the admin has a pending action
>> (reset the password).
>>
>> 2) The user's password is never correctly set. By that I mean that I try
>> to use the password via the UI, and it reports that the password is
>> invalid. I then log in to the admin console, reset the password (setting
>> the same as I used in the tests). After this, I can correctly log in.
>>
>> So, my questions:
>>
>> - What is the recommended approach for adding users in the context of
>> integration tests?
>>
>> - If Admin Client is the way to go, what's the correct way to add a
>> user with a password?
>
> If you want to add users while the server is running then the admin client
> is the way to go. Looks like there may be an issue with password reset
> though, so you can create an issue for it.
>
> In 1.7 the admin password can be set for a server with the add-user script,
> so we will no longer have the issue of having to reset the admin password first.
>
>> - Juca.

From sthorger at redhat.com Fri Jan 8 10:39:42 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 8 Jan 2016 16:39:42 +0100
Subject: [keycloak-user] User Created Through API Not Logging In

You need a separate request to set the user's password:
https://github.com/stianst/keycloak/blob/cf0eb1184a86c1d5b0851384e01fbae191eb2b99/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/UserTest.java#L596

On 7 January 2016 at 11:32, LEONARDO NUNES wrote:
> Hi,
>
> I'm using Keycloak admin client version 1.7.0.Final to create users from
> an external application.
> The user is being created without any errors. However, when I try to log in
> the message "Invalid username or password." is shown.
> If I go to the console and change the password for the created user and
> try to log in again, then it works.
> As you can see below, I'm setting the password when creating the user.
>
> Why do I need to change the password for it to work?
> I'm also setting the realmRoles, but when I open the user in the console,
> the realmRoles are not defined for the user.
>
>     Keycloak keycloak = Keycloak.getInstance("http://localhost:8080/auth",
>             "demo", "admin", "my-password", "admin-cli");
>
>     UserRepresentation user = new UserRepresentation();
>     user.setUsername("usertest");
>     user.setFirstName("firsttest");
>     user.setLastName("lasttest");
>     user.setEnabled(true);
>
>     CredentialRepresentation credential = new CredentialRepresentation();
>     credential.setType(CredentialRepresentation.PASSWORD);
>     credential.setValue("123456");
>     credential.setTemporary(false);
>     user.setCredentials(Arrays.asList(credential));
>
>     // generic type parameters restored; they were lost in the HTML-to-text conversion
>     List<String> realmRoles = new ArrayList<String>();
>     realmRoles.add("user");
>     user.setRealmRoles(realmRoles);
>
>     UsersResource userResources = keycloak.realm("demo").users();
>     userResources.create(user);
>
> --
> Leonardo Nunes
> ------------------------------
>
> *This message may contain confidential and/or privileged information.
> If you are not the addressee or
> authorized to receive this for the addressee, you must not use, copy,
> disclose or take any action based on this message or any information
> herein. If you have received this message in error, please advise the
> sender immediately by reply e-mail and delete this message. Thank you for
> your cooperation*

From sthorger at redhat.com Fri Jan 8 10:44:29 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 8 Jan 2016 16:44:29 +0100
Subject: [keycloak-user] [reset-pasword] email with username
In-Reply-To: <5E0EBD68B410924EADA89C5CBD233CD062FA0351@XMB-DCFR-35.europe.corp.altran.com>

Yes, by changing the email theme. You can either just change [html|text]/password-reset.ftl directly and change the message there. Or you change the template to pass an additional attribute to msg and update the messages to add user to the passwordResetBody value.

On 7 January 2016 at 09:47, LIEVRE Olivier wrote:
> Hello,
>
> Is there a way to customize the Keycloak reset-password e-mail to add the
> username in the body?
>
> KR,
> Olivier
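The two-step sequence Stian describes in the two user-creation threads above (create the user, then send a separate password-reset request for the id returned in the Location header), as an added Java example; it is not code from the threads or from the Keycloak project. It assumes the keycloak-admin-client API of the 1.7 line; the server URL, realm, admin credentials and the sample user are constructed placeholders.

```java
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class CreateUserWithPassword {

    // Creates the user and then sets its password in a second request.
    // Returns the id Keycloak assigned to the new user.
    public static String createUser(UsersResource users, String username, String password) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true); // a disabled user also fails login with "Invalid username or password"

        // Step 1: create. The new user's id only comes back in the Location header.
        Response response = users.create(user);
        try {
            if (response.getStatus() != 201) {
                throw new IllegalStateException("user creation failed, HTTP " + response.getStatus());
            }
            String location = response.getLocation().getPath();
            String userId = location.substring(location.lastIndexOf('/') + 1);

            // Step 2: set the password with a separate request against the created user.
            CredentialRepresentation cred = new CredentialRepresentation();
            cred.setType(CredentialRepresentation.PASSWORD);
            cred.setValue(password);
            cred.setTemporary(false); // true would force a password change at first login
            users.get(userId).resetPassword(cred);
            return userId;
        } finally {
            response.close();
        }
    }

    public static void main(String[] args) {
        // Placeholder server, realm and admin credentials (constructed for this example).
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth", "master", "admin", "admin", "admin-cli");
        String id = createUser(keycloak.realm("demo").users(), "usertest", "123456");
        System.out.println("created user " + id);
    }
}
```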
From sthorger at redhat.com Fri Jan 8 10:45:44 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 8 Jan 2016 16:45:44 +0100
Subject: [keycloak-user] Logout multiple webapps of the same realm

For single sign-out to work you need to configure the admin URL for your clients. Did you do that?

On 8 January 2016 at 13:47, Helder dos S. Alves wrote:
> Hi.
>
> I have my Keycloak 1.7.0.Final running on port 8080.
> I also have an instance of Wildfly 9 running on 8180.
>
> On Wildfly (8180) I have 2 webapps which are clients of the same realm on
> Keycloak.
> When I log out from one webapp, the other webapp still acts like I'm logged
> in; the user data is still in the 2nd app's session.
> The same happens on Tomcat 7 and 8.
>
> How can I get it to log out (and renew the session) every application of the
> same realm?
>
> I tried deploying the same webapps on the Keycloak Wildfly instance (8080)
> and it works: when I log out from one app, the other gets its session
> renewed.
>
> Thanks in advance.
>
> Helder S. Alves
From sthorger at redhat.com Fri Jan 8 10:47:55 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 8 Jan 2016 16:47:55 +0100
Subject: [keycloak-user] propagating authentication to REST layer
In-Reply-To: <568F6399.6080602@gmail.com>
References: <56865A85.7030808@gmail.com> <568B8AA5.3070001@gmail.com> <568F6399.6080602@gmail.com>

On 8 January 2016 at 08:22, Tim Dudgeon wrote:
> So if I understand correctly, if the REST service is running in (for
> instance) Tomcat, then I can use the standard Tomcat adapter to protect it,
> but use:
>     "bearer-only" : true
> as part of the configuration, as described here:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config

Yes

> Also, regarding those options, it's not clear to me what public-client
> means. Does that mean that there is no authentication at all? E.g. bypass
> Keycloak completely?

Public is for "public" clients, for example HTML5 applications. They can't use a secret to authenticate the client (as the secret would be publicly available in either case) so they rely on the redirect-uri instead.

> Tim
>
> On 06/01/2016 08:23, Stian Thorgersen wrote:
>
> The REST service doesn't check what client obtained the token, only the
> realm/signature and that it contains the required roles.
>
> On 5 Jan 2016 10:20, "Tim Dudgeon" <tdudgeon.ml at gmail.com> wrote:
>
>> On 05/01/2016 07:36, Stian Thorgersen wrote:
>>
>> On 1 January 2016 at 11:52, Tim Dudgeon <tdudgeon.ml at gmail.com> wrote:
>>
>>> The user docs (
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/Overview.html#d4e54)
>>> describe exactly what I'm looking for:
>>>
>>> Signed access tokens can also be propagated by REST client requests
>>> within an Authorization header.
>>> This is great for distributed
>>> integration as applications can request a login from a client to obtain an
>>> access token, then invoke any aggregated REST invocations to other services
>>> using that access token.
>>>
>>> I have a web app (in Tomcat) that uses the Keycloak adapter for user
>>> authentication.
>>> This web app needs to access a REST service, running in a different
>>> Tomcat container, and I want the REST service to use the same user
>>> authentication, but I'm not totally sure about how to go about this.
>>> Do I just grab the Keycloak token in the header in the web app and add
>>> that as a header when calling the REST service, and set the REST service up
>>> to use the same Keycloak adapter configuration as the web app?
>>
>> You could, or you can get the token from the adapter. Take a look at:
>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L48
>>
>> Thanks. That's useful.
>>
>>> What if I want to have other ways to authenticate the REST service (e.g.
>>> access from multiple clients)?
>>
>> Not sure what you mean about this
>>
>> For example, let's assume we have 2 apps, authenticating against the same
>> Keycloak realm, but as separate clients.
>> Both hit the same REST service and pass through their token to that
>> service.
>> How is the REST service to authenticate the requests?
>> All it really needs to do is check that the tokens are valid and come
>> from the expected (Keycloak) source, even though the tokens were generated
>> for different clients.
>> Is there an adapter that handles this?
>>
>> Tim
>>
>>> Tim

From juraci at kroehling.de Fri Jan 8 11:33:15 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Fri, 8 Jan 2016 17:33:15 +0100
Subject: [keycloak-user] Add users in integration tests
References: <568E91EB.7020305@kroehling.de>
Message-ID: <568FE4CB.8020004@kroehling.de>

On 08.01.2016 16:28, Stian Thorgersen wrote:
> Just added a testcase for this and it works fine. Did you set enabled to
> true in UserRepresentation?

Yes, I'm setting it. Strange... Anyway, I'll take a look at your test and see if I can fix my side.

The code I'm currently using is this:
https://git.io/vuy6Z

- Juca.

From olivier.lievre at altran.com Fri Jan 8 11:40:23 2016
From: olivier.lievre at altran.com (LIEVRE Olivier)
Date: Fri, 8 Jan 2016 16:40:23 +0000
Subject: [keycloak-user] [reset-pasword] email with username
References: <5E0EBD68B410924EADA89C5CBD233CD062FA0351@XMB-DCFR-35.europe.corp.altran.com>
Message-ID: <5E0EBD68B410924EADA89C5CBD233CD062FA0881@XMB-DCFR-35.europe.corp.altran.com>

Thanks a lot, I succeeded in doing it by updating the ftl file, adding user.username as a parameter, and updating the corresponding message by adding the new parameter.

Thanks again,
Olivier

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, 8 January 2016 16:44
To: LIEVRE Olivier
Cc: keycloak-user
Subject: Re: [keycloak-user] [reset-pasword] email with username

Yes, by changing the email theme. You can either just change [html|text]/password-reset.ftl directly and change the message there. Or you change the template to pass an additional attribute to msg and update the messages to add user to the passwordResetBody value.

On 7 January 2016 at 09:47, LIEVRE Olivier wrote:

Hello,

Is there a way to customize the Keycloak reset-password e-mail to add the username in the body?

KR,
Olivier

From leo.nunes at gjccorp.com.br Fri Jan 8 14:08:34 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Fri, 8 Jan 2016 19:08:34 +0000
Subject: [keycloak-user] Generate Social Login Button Link

Hi,

I need to create a button for social login that behaves exactly like the one inside of the Keycloak login page.
Below is the link that was generated for the Facebook button:
http://localhost:8080/auth/realms/facebook-identity-provider-realm/broker/facebook/login?code=yK04T2nBA534MQZBJuUyrxLylZLLVva272s06gRjqAk.73604a88-2b05-46f4-a570-019445581d6b

How can I generate this link?
Is there an API I can call to generate the code parameter?
Is there any other way to add the social login buttons outside of the Keycloak login page?

--
Leonardo Nunes

From bburke at redhat.com Fri Jan 8 17:11:02 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 8 Jan 2016 17:11:02 -0500
Subject: [keycloak-user] Generate Social Login Button Link
Message-ID: <569033F6.6000700@redhat.com>

You can't generate it now. I guess it might be interesting to do this though. Log a jira please.

On 1/8/2016 2:08 PM, LEONARDO NUNES wrote:
> Hi,
>
> I need to create a button for social login that behaves exactly like
> the one inside of the Keycloak login page.
> Below is the link that was generated for the Facebook button:
> http://localhost:8080/auth/realms/facebook-identity-provider-realm/broker/facebook/login?code=yK04T2nBA534MQZBJuUyrxLylZLLVva272s06gRjqAk.73604a88-2b05-46f4-a570-019445581d6b
>
> How can I generate this link?
> Is there an API I can call to generate the code parameter?
> Is there any other way to add the social login buttons outside of the
> Keycloak login page?
>
> --
> Leonardo Nunes

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From juraj.janosik77 at gmail.com Mon Jan 11 02:40:03 2016
From: juraj.janosik77 at gmail.com (Juraj Janosik)
Date: Mon, 11 Jan 2016 08:40:03 +0100
Subject: [keycloak-user] Create A New Group (name is not unique)

Hi,

is it correct and expected behaviour in the group concept that the name of the group is not unique, that is, that it is possible to create a new group with the same name? The same behaviour occurs in the Admin console and via the REST API too.

    [
      {
        "id": "150a8547-fd3f-4245-ab91-328d8afb83c2",
        "name": "group_tests",
        "path": "/group_tests",
        "subGroups": [ ]
      },
      {
        "id": "bc7969e6-e7c9-4617-b03e-18665293636a",
        "name": "group_tests",
        "path": "/group_tests",
        "subGroups": [ ]
      },
      {
        "id": "5447d305-a47e-4ad9-a29b-f478396accf6",
        "name": "group_tests",
        "path": "/group_tests",
        "subGroups": [ ]
      }
    ]

Thanks.
Best Regards,
Juraj

From sthorger at redhat.com Mon Jan 11 03:06:29 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 11 Jan 2016 09:06:29 +0100
Subject: [keycloak-user] Add users in integration tests
In-Reply-To: <568FE4CB.8020004@kroehling.de>
References: <568E91EB.7020305@kroehling.de> <568FE4CB.8020004@kroehling.de>

I can't spot any difference. Mine works :/

My test is:
https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/UserTest.java#L596

On 8 January 2016 at 17:33, Juraci Paixão Kröhling wrote:
> On 08.01.2016 16:28, Stian Thorgersen wrote:
>
>> Just added a testcase for this and it works fine. Did you set enabled to
>> true in UserRepresentation?
>
> Yes, I'm setting it. Strange... Anyway, I'll take a look at your test and
> see if I can fix my side.
>
> The code I'm currently using is this:
> https://git.io/vuy6Z
>
> - Juca.

From sthorger at redhat.com Mon Jan 11 03:08:45 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 11 Jan 2016 09:08:45 +0100
Subject: [keycloak-user] Generate Social Login Button Link
In-Reply-To: <569033F6.6000700@redhat.com>

You can. Just add &kc_idp_hint=facebook to the login URL and the login will redirect directly to Facebook.

On 8 January 2016 at 23:11, Bill Burke wrote:
> You can't generate it now. I guess it might be interesting to do this
> though. Log a jira please.
>
> On 1/8/2016 2:08 PM, LEONARDO NUNES wrote:
>
> Hi,
>
> I need to create a button for social login that behaves exactly like the
> one inside of the Keycloak login page.
> Below is the link that was generated for the Facebook button:
>
> http://localhost:8080/auth/realms/facebook-identity-provider-realm/broker/facebook/login?code=yK04T2nBA534MQZBJuUyrxLylZLLVva272s06gRjqAk.73604a88-2b05-46f4-a570-019445581d6b
>
> How can I generate this link?
> Is there an API I can call to generate the code parameter?
> Is there any other way to add the social login buttons outside of the
> Keycloak login page?
>
> --
> Leonardo Nunes
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From kga.official at gmail.com Mon Jan 11 03:34:21 2016
From: kga.official at gmail.com (Akshay Kini)
Date: Mon, 11 Jan 2016 14:04:21 +0530
Subject: [keycloak-user] When using Keycloak as SP in SAML via filter i.e. SamlFilter, we get exception (details inside)

Hi,

I did a bit more investigation and I believe the following code change should be made to Keycloak to handle this scenario:

In FilterSessionStore.java we need to change the getDateHeader() method to (after cleanup of comments of course):

    @Override
    public long getDateHeader(String name) {
        if (!needRequestRestore) return super.getDateHeader(name);
        /* throw new RuntimeException("This method is not supported in a restored authenticated request"); */
        // http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html
        // specifies that if the header isn't present, return -1.
        return -1;
    }

This is because of the JEE spec that says that if an implementation cannot get the Date header, it should return -1:
http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#getDateHeader-java.lang.String-

Could someone look into this please?

Thanks,
Regards,
Akshay

On Thu, Jan 7, 2016 at 9:08 AM, Akshay Kini wrote:
> Hi Folks,
>
> We have configured Keycloak as an SP via filter.
> Keycloak Version 1.7.0
>
> We get this exception:
>
>     ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/].[AppName]] Servlet.service() for servlet NasDefault threw exception:
>     java.lang.RuntimeException: This method is not supported in a restored authenticated request
>         at org.keycloak.adapters.servlet.FilterSessionStore$1.getDateHeader(FilterSessionStore.java:178) [:1.7.0.CR1]
>         at org.apache.catalina.servlets.DefaultServlet.checkIfModifiedSince(DefaultServlet.java:1731) [:]
>         at org.apache.catalina.servlets.DefaultServlet.checkIfHeaders(DefaultServlet.java:608) [:]
>         at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:714) [:]
>         at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:368) [:]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) [:1.0.0.Final]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:]
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:]
>         ... (trimmed)
>         at org.keycloak.adapters.saml.servlet.SamlFilter.doFilter(SamlFilter.java:125) [:1.7.0.CR1]
>         ... (trimmed)
>
> Any ideas on what this error means?
>
> Thanks,
> Regards,
> Akshay

From amaeztu at tesicnor.com Mon Jan 11 03:51:47 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Mon, 11 Jan 2016 09:51:47 +0100
Subject: [keycloak-user] RestTemplate support for service account access
References: <56823DC3.6040200@tesicnor.com>
Message-ID: <56936D23.2070807@tesicnor.com>

OK, many thanks Scott!
On 05/01/2016 19:14, Scott Rossillo wrote:
> If you want the database service to redirect users to the login page,
> it must be changed to confidential. If the front end itself is a
> client of Keycloak, then leaving the service as bearer only is fine.
>
> The example is obviously a bit contrived but the idea was that no
> user, even an admin, would authenticate directly to the database
> service. If there were to be an admin interface for the database, it
> would be another client in the same realm. Ultimately it's a design
> decision you have to make when you consider what works well for your
> organization.
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>> On Jan 5, 2016, at 10:30 AM, Amaeztu wrote:
>>
>> Well, this example answers the asked question, so many thanks Scott.
>> However, I still have some doubts.
>>
>> In the given code, the database service can only be accessed from
>> another client (bearer only). However, let's suppose I also want to
>> have access to its endpoints from a web browser, for purely
>> administrative purposes and only with the ADMIN role. I should change
>> the access to confidential. Then I want to access the service from
>> the customer app, but, since the current user role might not be
>> ADMIN, I wouldn't be authorized for the remote access.
>>
>> The only solution I can think of for this is to keep the database
>> service access bearer only and implement a specific database-ui
>> service, which should replicate all the original endpoints (this
>> involves adding a new endpoint to the ui service every time I do it in
>> the db service).
>>
>> Is there a way of solving this which avoids having a specific ui
>> service implemented? Sorry about all the questions, I'm still a starter!
>>
>> Sent from my Sony Xperia™ phone
>>
>> ---- Scott Rossillo wrote ----
>>
>> Take a look at these Spring samples.
>> It's set up automatically:
>>
>> https://github.com/foo4u/keycloak-spring-demo/blob/master/customer-app/src/main/java/org/keycloak/example/spring/customer/service/RemoteCustomerService.java
>>
>> On Tue, Dec 29, 2015 at 12:31 PM Aritz Maeztu wrote:
>>
>> At this moment there's a KeycloakRestTemplate to use in Spring
>> which allows an end user to retrieve data from other Keycloak
>> clients. However, a client might also be interested in accessing
>> data with its own permissions and with no user interaction. Is
>> there any implementation of a RestTemplate to utilize client
>> service accounts and, if not, are there any plans to write it?
>> This demo seems to do it manually.
>>
>> Regards
>> --
>> Aritz Maeztu Otaño
>> Software Development Department

--
Aritz Maeztu Otaño
Software Development Department
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel.: 948 21 40 40
Fax: 948 21 40 41

Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's business.
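The arrangement discussed in the "propagating authentication to REST layer" thread above (Tim Dudgeon and Stian Thorgersen) and in Scott Rossillo's bearer-only versus confidential point quoted in this message, as one added Java example; it is not code from either thread or from the Keycloak project. It assumes the Keycloak servlet adapter API of the 1.x line (KeycloakSecurityContext, AccessToken); the client names, realm, URLs and the "user" role are constructed placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/*
 * Two adapters, two keycloak.json files (constructed for this example):
 *
 * customer-portal, the web app users log in to (confidential client, does redirects):
 *   { "realm": "demo", "auth-server-url": "http://localhost:8080/auth",
 *     "resource": "customer-portal",
 *     "credentials": { "secret": "<client secret placeholder>" } }
 *
 * database-service, the REST layer (never redirects, only accepts bearer tokens):
 *   { "realm": "demo", "auth-server-url": "http://localhost:8080/auth",
 *     "resource": "database-service", "bearer-only": true }
 */
public class TokenPropagationDemo {

    /** Runs in customer-portal: forwards the logged-in user's access token to the REST layer. */
    public static class CustomerListServlet extends HttpServlet {
        private static final String DATABASE_URL = "http://localhost:8180/database/customers"; // placeholder

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // After login the adapter stores the verified token under this request attribute.
            KeycloakSecurityContext ctx =
                    (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
            if (ctx == null) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            HttpURLConnection conn = (HttpURLConnection) new URL(DATABASE_URL).openConnection();
            // Propagate the signed token as-is; no client secret travels with the request.
            conn.setRequestProperty("Authorization", "Bearer " + ctx.getTokenString());
            int status = conn.getResponseCode();
            if (status != HttpServletResponse.SC_OK) {
                // 401: token expired or not signed by this realm; 403: token lacks the required role
                resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "database-service answered " + status);
                return;
            }
            resp.setContentType(conn.getContentType());
            try (InputStream in = conn.getInputStream(); OutputStream out = resp.getOutputStream()) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) > 0) {
                    out.write(buf, 0, n);
                }
            }
        }
    }

    /**
     * Runs in database-service behind the bearer-only adapter, which has already verified the
     * realm signature and expiry. The adapter does not check which client obtained the token,
     * so tokens from customer-portal and from any other client of the realm both arrive here.
     */
    public static class CustomersServlet extends HttpServlet {

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            KeycloakSecurityContext ctx =
                    (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
            AccessToken token = ctx.getToken();
            if (!hasRealmRole(token, "user")) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // The "azp" claim names the client the token was issued for. The adapter ignores it;
            // a service that must serve one front end exclusively has to check it itself.
            if (!"customer-portal".equals(token.getIssuedFor())) {
                log("token issued for another client of the realm: " + token.getIssuedFor());
            }
            resp.setContentType("application/json");
            resp.getWriter().write("[{\"user\":\"" + token.getPreferredUsername() + "\"}]");
        }
    }

    /** Realm roles live in the token's realm_access claim, which may be absent. */
    static boolean hasRealmRole(AccessToken token, String role) {
        AccessToken.Access realm = token.getRealmAccess();
        return realm != null && realm.isUserInRole(role);
    }
}
```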
From juraj.janosik77 at gmail.com Mon Jan 11 04:05:04 2016
From: juraj.janosik77 at gmail.com (Juraj Janosik)
Date: Mon, 11 Jan 2016 10:05:04 +0100
Subject: [keycloak-user] Create Group Child (subgroup) under existing group via REST API

Hi,

how is it possible to set up the parent group id in Create Child (subgroup), if I want to create a child group under an existing group via the REST API? If I set the "id" to an existing group in the request body (mentioned as parent), nothing happens. Behaviour in the Admin console is OK.

Definition:
http://keycloak.github.io/docs/rest-api/index.html#_create_or_add_a_top_level_realm_groupset_or_create_child

Description: This will update the group and set the parent if it exists. Create it and set the parent if the group doesn't exist.

Body parameter: Group representation
http://keycloak.github.io/docs/rest-api/index.html#_grouprepresentation

Thanks.
Best Regards,
Juraj

From kalc04 at gmail.com Mon Jan 11 04:08:53 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 11 Jan 2016 14:38:53 +0530
Subject: [keycloak-user] Different theme for each client
References: <21D76280-2ACE-4405-BE8B-70722B3EB7FC@smartling.com>

Just jumping in here...

We managed to have different looks in our login / registration / password-reset / password-update screens based on the client by having a custom theme (no SPI) and injecting a different set of CSS and image collection. We took in the incoming Client ID and passed it on to the template.ftl file, from where CSS and image files were loaded from a different path based on the client.
So basically no changes to the FTLs; look and feel was changed only based on CSS and image changes. Although I agree with Stian's stance on having a uniform login screen across all clients, we have to come to a common ground with the product team, and make compensations accordingly. Basically in our case each product owner wanted differently looking login screens while maintaining SSO.

Regards,
Lohitha

On Thu, Jan 7, 2016 at 4:29 AM, Travis De Silva wrote:
> Yes I understand. Let me check out the Login SPI.
>
> Also thank you for not getting mad with this prolonged conversation :)
>
> As always you guys have been very responsive and willing to listen to the community and that is a great sign for the future of KeyCloak.
>
> On Thu, 7 Jan 2016 at 01:04 Stian Thorgersen wrote:
>
>> In theory you should be able to create your own screens using the Login SPI, but you will have to do a fair bit of development as you'll pretty much have to replace the whole login frontend. You can't host the login pages from your apps either as you'll then lose the ability to do SSO, so it will still have to be redirect based login as it is now.
>>
>> As you say your use-case is not quite the common-case so it's not something that I want to support directly in Keycloak. However, we do strive to make Keycloak customizable for corner-cases so if you can achieve what you want with our current SPIs that would be great. Otherwise we could discuss what's needed. At the moment we're pretty swamped though so changes to Keycloak would most likely have to be contributions from you.
>>
>> On 6 January 2016 at 03:25, Travis De Silva wrote:
>>
>>> On Wed, 6 Jan 2016 at 01:52 Scott Rossillo wrote:
>>>
>>>> Isn't this whole idea of client specific themes just going to confuse users? Think about logging into Google. Mail, calendar, drive, etc., all share the same login screen and are all SSO clients.
>>>> Wouldn't you be confused if it looked different for each app? Either way you're authenticating with Google. If you want to customize the consent screen for external clients, that makes a bit more sense but it should be done in a very standard way, like allowing a custom logo per external client you're authorizing. If you completely re-theme the consent screen even, you're going to confuse users IMO.
>>>>
>>> If the suite of applications/products as per your Google example is provided from one vendor/development group, then yes. In that case we can use what KeyCloak has at present.
>>>
>>> But in corporate environments, you have hundreds and sometimes thousands of applications built by different groups/teams/vendors and they all don't look the same. In these environments, users most of the time use one or two as their primary application and occasionally might want to access another one, in which case SSO will kick in and they don't need to log in again. So there is really no confusion as they will always log in to their primary application which is themed as per their application and when they go across to another application, it just automagically logs them in due to SSO.
>>>
>>> Another point is that when new application projects are kicked off in the corporate world, they will want to style/theme UIs as per the latest design standards or features. In such cases, if we go and theme it using the new standard, that will also change the existing applications that are running on KeyCloak and anyone who has worked in a corporate world knows how much of a pain point that is as you need to then engage various business owners of the existing applications, come up with end user communication plans and so on.
>>> If we have theming at a client level, then we can progressively, or to use the current buzz word "in an Agile" manner, ensure that new applications look new with new UI standards and not have to worry about existing applications at least until those applications are migrated.
>>>
>>> Apart from the above "corporate world" example, there are examples where this can be useful in consumer facing SaaS type of applications as well. It just gives more flexibility to end developers of applications that utilise KeyCloak.
>>>
>>>> Scott Rossillo
>>>> Smartling | Senior Software Engineer
>>>> srossillo at smartling.com
>>>>
>>>> On Jan 5, 2016, at 6:22 AM, Travis De Silva wrote:
>>>>
>>>> Hi Stian,
>>>>
>>>> SSO zones will not help in my use case because I actually want SSO between clients. For example let's say I have the following clients
>>>>
>>>> Client1
>>>> Client2
>>>>
>>>> and the following users
>>>>
>>>> User1
>>>> User2
>>>> User3
>>>>
>>>> and I want User1 to be able to log in to Client1 using its own application theme, User2 to log in to Client2 using its own application theme and User3 can log in to either Client1 or Client2 and they get SSO across the two clients.
>>>>
>>>> How can we do this with your proposed SSO zones?
>>>>
>>>> The more I think of this, it would be better to just give access to various end points in the login process (e.g. forgot password, social login, register user etc). This I believe will be more flexible as we can then use it for these edge cases. Any thoughts on this?
>>>>
>>>> Cheers
>>>> Travis
>>>>
>>>> On Tue, 5 Jan 2016 at 18:29 Stian Thorgersen wrote:
>>>>
>>>>> On 4 January 2016 at 14:25, Travis De Silva wrote:
>>>>>
>>>>>> Hi Stian,
>>>>>>
>>>>>> Adding SSO zones just to address the theming issue looks a bit overkill to me as it will eventually come down to doing some theming at a level below the realm. I was going on the basis that if theming is not set at a client level, then it will default to the realm level theming which is basically your SSO enabled zone.
>>>>>>
>>>>>> Also my other point was with regard to SaaS based applications where we have a backoffice system which is themed as per our SaaS product but the consumer facing front end needs to be themed to be aligned with the customer's web site. In this case, we cannot go with what KeyCloak has at present. What I am doing is as suggested by Bill sometime back, adding "if/else" statements into the freemarker templates and based on the client id loading different freemarker templates, which is not ideal but does the job.
>>>>>>
>>>>>> In any case, since what we are discussing are in general edge cases, instead of complicating the core KeyCloak platform, why don't you just expose the various links/flows that are currently available in the login process (forgot password/reset credentials, required actions (update password, verify email, configure OTP, etc.), user account mgmt, registration, social login etc.). Then we are still using the core of keycloak but for the frontend themes/UI, we use our own.
>>>>>>
>>>>>> I also haven't explored the Login SPI which as per the KeyCloak docs says "The Login SPI allows implementing the login forms using whatever web framework or templating engine you want". Wonder if this will give us what we are after.
>>>>>
>>>>> Sounds like an SSO zone is exactly what you'd want, so I'm not sure why you are so against that.
>>>>>
>>>>> I really don't want to have a theme option on a client, as I've said it just doesn't make any sense. I'd be happy with introducing an SPI or adding to the Theme SPI to let you choose yourself what theme is selected. The Login SPI is rather low-level so it would be better to do something else.
>>>>>
>>>>>> Cheers
>>>>>> Travis
>>>>>>
>>>>>> On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen wrote:
>>>>>>
>>>>>>> I strongly disagree. With Keycloak you are logging in to an SSO realm, not an individual application. With that in mind it's important that the login screen reflects that. Users need to know the difference as it's an important distinction. It just doesn't make any sense that I'm logged-in to the SSO with a login screen that is themed to look like the login screen for an individual application.
>>>>>>>
>>>>>>> Adding an option on clients to set the theme just doesn't make any sense. If we added the option to create SSO "zones" or disable SSO for individual applications then it would make sense to be able to set the theme on a per-zone basis or on apps that don't have SSO enabled.
>>>>>>>
>>>>>>> On 31 December 2015 at 09:46, Travis De Silva wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> My vote is to provide this feature at a client level as per the original request.
>>>>>>>>
>>>>>>>> I think realms should be used for completely different domains when we want to isolate users etc. We should not try and use it for something that it was not intended for in the design.
>>>>>>>>
>>>>>>>> The reason why you might need theming at client level is if you really think that clients are essentially different applications most of the time and each of these applications might have different look and feel themes (either due to different development teams or vendors building different applications).
>>>>>>>>
>>>>>>>> So when someone logs in via KeyCloak, it's true that we are logging into a realm but for an end user, it is really logging into an application and there is a need for the login page theme to look similar to the application look and feel.
>>>>>>>>
>>>>>>>> Also I have a use case where I have a back office application that requires login for admin users and then I have the front office of this application where in addition to the admin users, you also can have other users as well who can self register and log in to the front end which is a consumer facing site.
>>>>>>>>
>>>>>>>> How I handle this is by having two clients in the same realm. This works fine if you are happy with the same backend login theme to be there for the consumer facing frontend. But we cannot do that as the front end is a consumer facing SaaS site, so each front end needs to have the client's website theme. This becomes very hard to do if we don't have theming at a client level.
>>>>>>>>
>>>>>>>> I came across this post from Bill a few months ago
>>>>>>>> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
>>>>>>>>
>>>>>>>> I am thinking to make use of the client variable that is available in login.ftl and load different freemarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal but it might meet the requirement.
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>> Travis

From hamed at web-presence-in-china.com Mon Jan 11 04:23:12 2016
From: hamed at web-presence-in-china.com (ha.hamed@gmail.com)
Date: Mon, 11 Jan 2016 17:23:12 +0800
Subject: [keycloak-user] Manage Keycloak token inside of the client applications.
Message-ID:

Hi,

I made an app that uses bearer authentication with Keycloak. I have another app which wants to use this REST API. As I know until now, it needs to get a token from the Keycloak server (I use the POST method), then add this token to the request it needs to send.

But, there's one important issue. This client wants to have access hundreds of times each minute. Is there any tool for Keycloak to help me update the token when it's required? I mean keep the token for example for 15 minutes (validation time) then renew it when it's required. I made a stateful class which gets the configuration and has a getToken() method. Then when the other classes ask for a new token, if it has expired this method synchronously gets a new one and returns it (Direct grant). Is it right? Is there anything standard inside of the Keycloak lib already?
Best regards,
Hamed

From marcel.dullaart at gmail.com Mon Jan 11 06:26:42 2016
From: marcel.dullaart at gmail.com (Marcel Dullaart)
Date: Mon, 11 Jan 2016 12:26:42 +0100
Subject: [keycloak-user] Keycloak as SAML IDP and Identity Broker
Message-ID:

Hello,

For my current project I want to use Keycloak as identity broker to nicely decouple the applications from the authentication mechanism. In production the application will be secured with SAML 2.0; the IDP is based on E-Directory. In our development environment we use Keycloak in Docker. My question is: can I use Keycloak as IDP in our development environment as well as broker, by starting 2 separate containers, one named idp and the other named broker? If so, what are the steps I need to take?

Thanks in advance!

Kind regards,
Marcel Dullaart

From pavel.masloff at gmail.com Mon Jan 11 06:50:40 2016
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Mon, 11 Jan 2016 12:50:40 +0100
Subject: [keycloak-user] keycloak-jetty92-adapter & UriBuilder HTTP error 500
Message-ID:

Hi,

I am planning to migrate the Keycloak server from version 1.3.1 to 1.7.0. However, when trying to access a secured resource of our API I get the following error:

HTTP ERROR 500
Problem accessing /v1/producers.
Reason: Server Error

java.lang.AbstractMethodError: javax.ws.rs.core.UriBuilder.uri(Ljava/lang/String;)Ljavax/ws/rs/core/UriBuilder;
    at javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:119)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:292)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:222)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
    at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:165)
    at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:239)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:497)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)

It used to work with the previous version of Keycloak + adapter (1.3.1). The only thing I did is I just changed the dependency version from 1.3.1 to 1.7.0 in my pom.xml:

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-core</artifactId>
    <version>1.7.0.Final</version>
</dependency>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-services</artifactId>
    <version>1.7.0.Final</version>
</dependency>
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-jetty92-adapter-dist</artifactId>
    <version>1.7.0.Final</version>
    <type>pom</type>
</dependency>

Perhaps something else is missing. Can it be web.xml or jetty-web.xml that I have to update in some way? Any ideas?
Thanks.

Regards,
Pavel Maslov, MS

From stuart.jacobs at symbiotics.co.za Mon Jan 11 06:56:04 2016
From: stuart.jacobs at symbiotics.co.za (Stuart Jacobs)
Date: Mon, 11 Jan 2016 13:56:04 +0200
Subject: [keycloak-user] $urlRouterProvider
Message-ID:

Good Day,

I currently have an Angular application that uses $urlRouterProvider for its routing. I cannot stop the application from performing an infinite loop on the landing page.

Has anyone experienced this with $urlRouterProvider and is there a solution to the problem?

Regards,
Stuart Jacobs

--
www.symbiotics.co.za

********************************************************************************
This email and any accompanying attachments may contain confidential and proprietary information. This information is private and protected by law and, accordingly, if you are not the intended recipient, you are requested to delete this entire communication immediately and are notified that any disclosure, copying or distribution of or taking any action based on this information is prohibited.

Emails cannot be guaranteed to be secure or free of errors or viruses.
The sender does not accept any liability or responsibility for any interception, corruption, destruction, loss, late arrival or incompleteness of or tampering or interference with any of the information contained in this email or for its incorrect delivery or non-delivery for whatsoever reason or for its effect on any electronic device of the recipient.
********************************************************************************

From sthorger at redhat.com Mon Jan 11 07:01:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 11 Jan 2016 13:01:25 +0100
Subject: [keycloak-user] $urlRouterProvider
In-Reply-To:
References:
Message-ID:

The easy fix is to bootstrap Angular after Keycloak has been initialized. Take a look at:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular-product-app/src/main/webapp/js/app.js#L23

It's not ideal, but otherwise Angular replaces the url after Keycloak strips off the code query param.

On 11 January 2016 at 12:56, Stuart Jacobs wrote:
> Good Day,
>
> I currently have an Angular application that uses $urlRouterProvider for its routing. I cannot stop the application from performing an infinite loop on the landing page.
>
> Has anyone experienced this with $urlRouterProvider and is there a solution to the problem?
>
> Regards,
> Stuart Jacobs
>
> www.symbiotics.co.za
>
> ********************************************************************************
> This email and any accompanying attachments may contain confidential and proprietary information.
> ********************************************************************************

From bburke at redhat.com Mon Jan 11 12:33:33 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 11 Jan 2016 12:33:33 -0500
Subject: [keycloak-user] Create A New Group (name is not unique)
In-Reply-To:
References:
Message-ID: <5693E76D.60003@redhat.com>

Yeah, I was lazy about that and forgot to put a check in later on.

On 1/11/2016 2:40 AM, Juraj Janosik wrote:
> Hi,
>
> is it a correct and expected behaviour in the group concept that the name of the group is not unique, that means that it is possible to create a new group with the same name?
>
> The same behaviour occurs in the Admin console and via the REST API too.
>
> [
>   {
>     "id": "150a8547-fd3f-4245-ab91-328d8afb83c2",
>     "name": "group_tests",
>     "path": "/group_tests",
>     "subGroups": []
>   },
>   {
>     "id": "bc7969e6-e7c9-4617-b03e-18665293636a",
>     "name": "group_tests",
>     "path": "/group_tests",
>     "subGroups": []
>   },
>   {
>     "id": "5447d305-a47e-4ad9-a29b-f478396accf6",
>     "name": "group_tests",
>     "path": "/group_tests",
>     "subGroups": []
>   }
> ]
>
> Thanks.
>
> Best Regards,
> Juraj

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Jan 11 12:37:19 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 11 Jan 2016 12:37:19 -0500
Subject: [keycloak-user] keycloak-jetty92-adapter & UriBuilder HTTP error 500
In-Reply-To:
References:
Message-ID: <5693E84F.6060607@redhat.com>

Hmm, a resteasy dependency has snuck in maybe? Remove the jaxrs and resteasy jars that exist in the adapter distro for Jetty? Does that work?

On 1/11/2016 6:50 AM, Pavel Maslov wrote:
> Hi,
>
> I am planning to migrate the Keycloak server from version 1.3.1 to 1.7.0. However, when trying to access a secured resource of our API I get the following error:
>
> HTTP ERROR 500
> Problem accessing /v1/producers.
> Reason: Server Error
>
> java.lang.AbstractMethodError: javax.ws.rs.core.UriBuilder.uri(Ljava/lang/String;)Ljavax/ws/rs/core/UriBuilder;
>     at javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:119)
>     at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:292)
>     at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:222)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
>     at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:165)
>     at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:239)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>     at org.eclipse.jetty.server.Server.handle(Server.java:497)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>     at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>     at java.lang.Thread.run(Thread.java:745)
>
> It used to work with the previous version of Keycloak + adapter (1.3.1). The only thing I did is I just changed the dependency version from 1.3.1 to 1.7.0 in my pom.xml:
>
> <dependency>
>     <groupId>org.keycloak</groupId>
>     <artifactId>keycloak-core</artifactId>
>     <version>1.7.0.Final</version>
> </dependency>
> <dependency>
>     <groupId>org.keycloak</groupId>
>     <artifactId>keycloak-services</artifactId>
>     <version>1.7.0.Final</version>
> </dependency>
> <dependency>
>     <groupId>org.keycloak</groupId>
>     <artifactId>keycloak-jetty92-adapter-dist</artifactId>
>     <version>1.7.0.Final</version>
>     <type>pom</type>
> </dependency>
>
> Perhaps something else is missing. Can it be web.xml or jetty-web.xml that I have to update in some way? Any ideas?
> Thanks.
>
> Regards,
> Pavel Maslov, MS

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From juraj.janosik77 at gmail.com Mon Jan 11 12:48:15 2016
From: juraj.janosik77 at gmail.com (Juraj Janosik)
Date: Mon, 11 Jan 2016 18:48:15 +0100
Subject: [keycloak-user] Create A New Group (name is not unique)
In-Reply-To: <5693E76D.60003@redhat.com>
References: <5693E76D.60003@redhat.com>
Message-ID:

Ok :-) Should I write a JIRA issue?

Thanks,
Best regards,
Juraj

2016-01-11 18:33 GMT+01:00 Bill Burke :
> Yeah, I was lazy about that and forgot to put a check in later on.
>
> On 1/11/2016 2:40 AM, Juraj Janosik wrote:
> Hi,
>
> is it a correct and expected behaviour in the group concept that the name of the group is not unique, that means that it is possible to create a new group with the same name?
>
> The same behaviour occurs in the Admin console and via the REST API too.
>
> [
>   {
>     "id": "150a8547-fd3f-4245-ab91-328d8afb83c2",
>     "name": "group_tests",
>     "path": "/group_tests",
>     "subGroups": []
>   },
>   {
>     "id": "bc7969e6-e7c9-4617-b03e-18665293636a",
>     "name": "group_tests",
>     "path": "/group_tests",
>     "subGroups": []
>   },
>   {
>     "id": "5447d305-a47e-4ad9-a29b-f478396accf6",
>     "name": "group_tests",
>     "path": "/group_tests",
>     "subGroups": []
>   }
> ]
>
> Thanks.
>
> Best Regards,
> Juraj
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From robin1233 at gmail.com Mon Jan 11 13:15:59 2016
From: robin1233 at gmail.com (robinfernandes .)
Date: Mon, 11 Jan 2016 13:15:59 -0500
Subject: [keycloak-user] SAML response logs
Message-ID:

Hi All,

Is there a way that I can see the SAML response objects in the logs? I was checking the server logs and they are not showing up there for some reason.
Any help would be appreciated.

Thanks,
Robin

From srossillo at smartling.com Mon Jan 11 13:40:18 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 11 Jan 2016 13:40:18 -0500
Subject: [keycloak-user] Manage Keycloak token inside of the client applications.
In-Reply-To:
References:
Message-ID:

We have an open PR for early token refresh but it's missing integration tests, thus not yet merged.
https://github.com/keycloak/keycloak/pull/1796

> On Jan 11, 2016, at 4:23 AM, ha.hamed at gmail.com wrote:
>
> Hi,
> I made an app that uses bearer authentication with Keycloak. I have another app which wants to use this REST API.
> As I know until now, it needs to get a token from the Keycloak server (I use the POST method), then add this token to the request it needs to send.
>
> But, there's one important issue. This client wants to have access hundreds of times each minute. Is there any tool for Keycloak to help me update the token when it's required? I mean keep the token for example for 15 minutes (validation time) then renew it when it's required. I made a stateful class which gets the configuration and has a getToken() method. Then when the other classes ask for a new token, if it has expired this method synchronously gets a new one and returns it (Direct grant). Is it right? Is there anything standard inside of the Keycloak lib already?
>
> Best regards,
> Hamed

From bburke at redhat.com Mon Jan 11 13:48:34 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 11 Jan 2016 13:48:34 -0500
Subject: [keycloak-user] SAML response logs
In-Reply-To:
References:
Message-ID: <5693F902.5030209@redhat.com>

On server or adapter or both? We don't output SAML response objects right now.

On 1/11/2016 1:15 PM, robinfernandes . wrote:
> Hi All,
>
> Is there a way that I can see the SAML response objects in the logs? I was checking the server logs and they are not showing up there for some reason.
> Any help would be appreciated.
>
> Thanks,
> Robin

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From helder.jaspion at gmail.com Mon Jan 11 13:52:56 2016
From: helder.jaspion at gmail.com (Helder dos S. Alves)
Date: Mon, 11 Jan 2016 16:52:56 -0200
Subject: [keycloak-user] Error while linking 2 Identity Providers
Message-ID:

Hi.

I'm using Keycloak 1.7.0.Final and I'm having some troubles: I logged in using my Facebook account, but when I try to log in using my Google account (whose email is the same as Facebook's) I am getting the error:

16:36:58,870 ERROR [io.undertow.request] (default task-54) UT005023: Exception handling request to /auth/realms/GJC-Websites/login-actions/first-broker-login: java.lang.RuntimeException: request path: /auth/realms/GJC-Websites/login-actions/first-broker-login
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) at 
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) ... 
29 more Caused by: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext at org.keycloak.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:290) at org.keycloak.login.freemarker.FreeMarkerLoginFormsProvider.createIdpLinkConfirmLinkPage(FreeMarkerLoginFormsProvider.java:467) at org.keycloak.authentication.authenticators.broker.IdpConfirmLinkAuthenticator.authenticateImpl(IdpConfirmLinkAuthenticator.java:43) at org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:57) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:155) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97) at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:652) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:301) at org.keycloak.services.resources.LoginActionsService.firstBrokerLogin(LoginActionsService.java:528) at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:487) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) ... 37 more Thanks in advance. Helder S. Alves -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160111/73f6d994/attachment-0001.html From robin1233 at gmail.com Mon Jan 11 13:54:38 2016 From: robin1233 at gmail.com (robinfernandes .) Date: Mon, 11 Jan 2016 13:54:38 -0500 Subject: [keycloak-user] SAML response logs In-Reply-To: <5693F902.5030209@redhat.com> References: <5693F902.5030209@redhat.com> Message-ID: Actually I setup a connection with an external IDP and I when I try to login the authentication fails. However I want to know whether the SAML response from the external IDP is correct. Checking the logs just gives me the error response and does not show the SAML response objects. Thanks, Robin On Mon, Jan 11, 2016 at 1:48 PM, Bill Burke wrote: > ON server or adapter or both? We don't output saml response objects right > now > > > On 1/11/2016 1:15 PM, robinfernandes . wrote: > > Hi All, > > Is there a way that I can see the SAML response objects in the logs. I was > checking the server logs and they are not showing up there for some reason. > Any help would be appreciated. > > Thanks, > Robin > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160111/d5e2ecda/attachment.html

From sthorger at redhat.com Mon Jan 11 14:10:10 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 11 Jan 2016 20:10:10 +0100
Subject: [keycloak-user] Error while linking 2 Identity Providers
In-Reply-To: 
References: 
Message-ID: 

Works fine here. How did you install it (standalone, into existing WildFly/EAP, etc.)? Did you do an upgrade from a previous release?

On 11 January 2016 at 19:52, Helder dos S. Alves wrote:
> Hi.
>
> I'm using Keycloak 1.7.0.Final and I'm having some troubles:
> I logged in using my Facebook account, but when I try to log in using my
> Google account (whose email is the same as Facebook's) I am getting the
> error:
>
> 16:36:58,870 ERROR [io.undertow.request] (default task-54) UT005023:
> Exception handling request to
> /auth/realms/GJC-Websites/login-actions/first-broker-login:
> java.lang.RuntimeException: request path:
> /auth/realms/GJC-Websites/login-actions/first-broker-login
> ...
> Caused by: java.lang.NoClassDefFoundError:
> org/keycloak/broker/provider/BrokeredIdentityContext
> ...
> ... 37 more
>
> Thanks in advance.
>
> Helder S. Alves
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160111/408167ca/attachment.html

From sthorger at redhat.com Mon Jan 11 14:10:38 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 11 Jan 2016 20:10:38 +0100
Subject: [keycloak-user] Error while linking 2 Identity Providers
In-Reply-To: 
References: 
Message-ID: 

BTW, when an account with that email exists you should get an option to change the profile or to link with the existing account.

On 11 January 2016 at 20:10, Stian Thorgersen wrote:
> Works fine here. How did you install it (standalone, into existing
> WildFly/EAP, etc.)? Did you do an upgrade from previous release?
>
> On 11 January 2016 at 19:52, Helder dos S. Alves wrote:
>
>> Hi.
>>
>> I'm using Keycloak 1.7.0.Final and I'm having some troubles:
>> I logged in using my Facebook account, but when I try to log in using my
>> Google account (whose email is the same as Facebook's) I am getting the
>> error:
>>
>> 16:36:58,870 ERROR [io.undertow.request] (default task-54) UT005023:
>> Exception handling request to
>> /auth/realms/GJC-Websites/login-actions/first-broker-login:
>> java.lang.RuntimeException: request path:
>> /auth/realms/GJC-Websites/login-actions/first-broker-login
>> ...
>> Caused by: java.lang.NoClassDefFoundError:
>> org/keycloak/broker/provider/BrokeredIdentityContext
>> ...
>> ... 37 more
>>
>> Thanks in advance.
>>
>> Helder S. Alves
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160111/7f9ef073/attachment-0001.html

From mposolda at redhat.com Mon Jan 11 15:56:25 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 11 Jan 2016 21:56:25 +0100
Subject: [keycloak-user] Error while linking 2 Identity Providers
In-Reply-To: 
References: 
Message-ID: <569416F9.8030208@redhat.com>

This is a known issue in 1.7 and should already be fixed: https://issues.jboss.org/browse/KEYCLOAK-2229 . AFAIK it happens just in environments like Keycloak running on WildFly or EAP 6.4, not with KeycloakServer (which is what I tested and hence didn't find it before :( ). I will double-check it works in 1.8.

As a workaround for 1.7, you can get rid of this error by adding the line : into the "modules" section of the file $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml

Marek

On 11/01/16 20:10, Stian Thorgersen wrote:
> Works fine here. How did you install it (standalone, into existing
> WildFly/EAP, etc.)? Did you do an upgrade from previous release?
>
> On 11 January 2016 at 19:52, Helder dos S. Alves wrote:
>
>> Hi.
>>
>> I'm using Keycloak 1.7.0.Final and I'm having some troubles:
>> I logged in using my Facebook account, but when I try to log in
>> using my Google account (whose email is the same as Facebook's) I
>> am getting the error:
>>
>> 16:36:58,870 ERROR [io.undertow.request] (default task-54)
>> UT005023: Exception handling request to
>> /auth/realms/GJC-Websites/login-actions/first-broker-login:
>> java.lang.RuntimeException: request path:
>> /auth/realms/GJC-Websites/login-actions/first-broker-login
>> ...
>> Caused by: java.lang.NoClassDefFoundError:
>> org/keycloak/broker/provider/BrokeredIdentityContext
>> ...
>> ... 37 more
>>
>> Thanks in advance.
>>
>> Helder S. Alves
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160111/1c73e3ed/attachment.html

From psilva at redhat.com Mon Jan 11 18:24:13 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 11 Jan 2016 18:24:13 -0500 (EST)
Subject: [keycloak-user] SAML response logs
In-Reply-To: 
References: <5693F902.5030209@redhat.com>
Message-ID: <180538904.8010037.1452554653645.JavaMail.zimbra@redhat.com>

Maybe the SAML Tracer addon for Firefox can help you ...

----- Original Message -----
From: "robinfernandes ."
To: "Bill Burke"
Cc: keycloak-user at lists.jboss.org
Sent: Monday, January 11, 2016 4:54:38 PM
Subject: Re: [keycloak-user] SAML response logs

Actually I set up a connection with an external IDP and when I try to log in the authentication fails. However I want to know whether the SAML response from the external IDP is correct. Checking the logs just gives me the error response and does not show the SAML response objects.

Thanks,
Robin

On Mon, Jan 11, 2016 at 1:48 PM, Bill Burke < bburke at redhat.com > wrote:

On server or adapter or both? We don't output saml response objects right now

On 1/11/2016 1:15 PM, robinfernandes . wrote:

Hi All,

Is there a way that I can see the SAML response objects in the logs. I was checking the server logs and they are not showing up there for some reason.
Any help would be appreciated.

Thanks,
Robin

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From dirk.franssen at gmail.com Mon Jan 11 20:08:11 2016
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Tue, 12 Jan 2016 02:08:11 +0100
Subject: [keycloak-user] programatically create user gives 400 bad request
Message-ID:

Hi,

I have a standard keycloak 1.7.0-Final and a separate jax-rs service (both in docker) to create a simple test-user programmatically with hardcoded params:

    @Path("users")
    @Stateless
    public class UsersResource {

        @POST
        public Response createTestUser() {
            Keycloak kc = Keycloak.getInstance(
                    "http://192.168.99.100:8180/auth",
                    "master",
                    "admin", "password",
                    "security-admin-console");

            CredentialRepresentation credential = new CredentialRepresentation();
            credential.setType(CredentialRepresentation.PASSWORD);
            credential.setValue("test123");
            credential.setTemporary(false);

            UserRepresentation user = new UserRepresentation();
            user.setUsername("testuser");
            user.setFirstName("Test");
            user.setLastName("User");
            user.setCredentials(Arrays.asList(credential));
            user.setEnabled(true);
            user.setRealmRoles(Arrays.asList("admin"));
            Response result = kc.realm("master").users().create(user);
            return result;
        }
    }

But calling the JAX-RS endpoint returns in a delegated 400 Bad request. The KC log states only:

    00:40:23,436 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=172.17.0.1, error=not_allowed, grant_type=password, auth_method=oauth_credentials, client_auth_method=client-secret

Any ideas?

Kind regards,

Dirk

From Sonia.Marginean at bazaarvoice.com Mon Jan 11 23:49:26 2016
From: Sonia.Marginean at bazaarvoice.com (Sonia Marginean)
Date: Tue, 12 Jan 2016 04:49:26 +0000
Subject: [keycloak-user] KeyCloak Use Cases
Message-ID: <9D9D54E9-4250-43DF-BF40-19F3E243FD02@bazaarvoice.com>

Hello,

My org is researching different open source solutions for IDP, SSO and Inbound Federation.
We are looking into Okta and we'd like to ask a few questions:

* Is there any support/training we can get for KeyCloak?
* Are there any customer success stories anyone can share?
* Does Keycloak provide a UI for inbound federation setup or workflow?
* What are the limits of Keycloak with respect to scaling? What is the largest DB Keycloak can work with, that someone has tried? (In terms of number of users)
* Do you provide any mechanism for adaptive authentication? Like requiring additional authentication steps based on authentication patterns (e.g. if a user logs in from a different country than the one he has been logging in from usually, enforce a policy, like require MFA)

Thanks,
Sonia Marginean
@Bazaarvoice
From sthorger at redhat.com Tue Jan 12 03:04:54 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Jan 2016 09:04:54 +0100
Subject: [keycloak-user] programatically create user gives 400 bad request
In-Reply-To:
References:
Message-ID:

You need a separate request to set the user credentials, same goes with role mappings. Take a look at:

https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/UserTest.java#L595

On 12 January 2016 at 02:08, Dirk Franssen wrote:
> Hi,
>
> I have a standard keycloak 1.7.0-Final and a separate jax-rs service (both
> in docker) to create a simple test-user programmatically with hardcoded
> params:
>
>     @Path("users")
>     @Stateless
>     public class UsersResource {
>
>         @POST
>         public Response createTestUser() {
>             Keycloak kc = Keycloak.getInstance(
>                     "http://192.168.99.100:8180/auth",
>                     "master",
>                     "admin", "password",
>                     "security-admin-console");
>
>             CredentialRepresentation credential = new CredentialRepresentation();
>             credential.setType(CredentialRepresentation.PASSWORD);
>             credential.setValue("test123");
>             credential.setTemporary(false);
>
>             UserRepresentation user = new UserRepresentation();
>             user.setUsername("testuser");
>             user.setFirstName("Test");
>             user.setLastName("User");
>             user.setCredentials(Arrays.asList(credential));
>             user.setEnabled(true);
>             user.setRealmRoles(Arrays.asList("admin"));
>             Response result = kc.realm("master").users().create(user);
>             return result;
>         }
>     }
>
> But calling the JAX-RS endpoint returns in a delegated 400 Bad request.
> The KC log states only:
>
>     00:40:23,436 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=172.17.0.1, error=not_allowed, grant_type=password, auth_method=oauth_credentials, client_auth_method=client-secret
>
> Any ideas?
>
> Kind regards,
>
> Dirk

From ramon at iqnomy.com Tue Jan 12 03:45:56 2016
From: ramon at iqnomy.com (Ramon Rockx)
Date: Tue, 12 Jan 2016 09:45:56 +0100
Subject: [keycloak-user] keycloak-servlet-filter-adapter and bearer-only
Message-ID:

Hi all,

Maybe someone can help me out with the following;
I'm trying to secure my Jax-RS services with Keycloak 1.7.0.Final. I configured for this a client in Keycloak with access type 'bearer-only'.
Since I am using GlassFish 3.1 (no adapter available), I use the 'keycloak-servlet-filter-adapter'.
When accessing one of the Jax-RS services with a valid token, GlassFish will throw an exception (with no relevant info in it). I debugged it, and found out that the HttpServletRequestWrapper, which is returned by the servlet filter, has no account property in it (see also FilterSessionStore.buildWrapper(HttpSession, KeycloakAccount)). And when GlassFish will try to access, for example the wrapper's principal, this will cause a NPE.
It seems that FilterRequestAuthenticator.completeBearerAuthentication(KeycloakPrincipal, String) does not store the account in the tokenStore.
Should I use this feature differently? Or is access type 'bearer-only' simply not supported by the servlet filter?

Thanks!

Ramon Rockx
From juraci at kroehling.de Tue Jan 12 04:08:39 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Tue, 12 Jan 2016 10:08:39 +0100
Subject: [keycloak-user] programatically create user gives 400 bad request
In-Reply-To:
References:
Message-ID: <5694C297.9030705@kroehling.de>

Make sure to use the Constants.ADMIN_CLI_CLIENT_ID (admin-cli) as the client, instead of Constants.ADMIN_CONSOLE_CLIENT_ID (security-admin-console). The second has direct grant disabled by default.

Additionally, make sure that the admin account already had its password changed.

- Juca.

On 12.01.2016 09:04, Stian Thorgersen wrote:
> You need a separate request to set the user credentials, same goes with
> role mappings. Take a look at:
>
> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/UserTest.java#L595

From sthorger at redhat.com Tue Jan 12 04:11:55 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Jan 2016 10:11:55 +0100
Subject: [keycloak-user] programatically create user gives 400 bad request
In-Reply-To: <5694C297.9030705@kroehling.de>
References: <5694C297.9030705@kroehling.de>
Message-ID:

That's better advice ;) I misread the email and thought the problem was the user couldn't login afterwards

On 12 January 2016 at 10:08, Juraci Paixão Kröhling wrote:
> Make sure to use the Constants.ADMIN_CLI_CLIENT_ID (admin-cli) as the
> client, instead of Constants.ADMIN_CONSOLE_CLIENT_ID
> (security-admin-console). The second has direct grant disabled by default.
>
> Additionally, make sure that the admin account already had its password
> changed.
>
> - Juca.

From revanth at arvindinternet.com Tue Jan 12 06:37:19 2016
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 12 Jan 2016 17:07:19 +0530
Subject: [keycloak-user] Keycloak Clustering
Message-ID:

Hi,

I have a few applications that are using Keycloak 1.5 and I now want to cluster it. I had followed this link (https://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/clustering.html) but I am not able to access this server from the outside world and I also wanted to know how I can add nodes to my cluster. Could anyone please help me out in this respect.

Thanks.

From sthorger at redhat.com Tue Jan 12 09:48:30 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Jan 2016 15:48:30 +0100
Subject: [keycloak-user] Keycloak Clustering
In-Reply-To:
References:
Message-ID:

I don't know what you mean that you can't access from the outside world, but if you're running a cluster you'll need a load balancer in front. Apache, Nginx or even Undertow would do that for you.
You add nodes by just running more nodes on the same subnet and they'll discover themselves.

On 12 January 2016 at 12:37, Revanth Ayalasomayajula < revanth at arvindinternet.com> wrote:
> Hi,
>
> I have a few applications that are using Keycloak 1.5 and I now want to
> cluster it. I had followed this link (
> https://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/clustering.html)
> but I am not able to access this server from the outside world and I also
> wanted to know how I can add nodes to my cluster. Could anyone please help
> me out in this respect.
>
> Thanks.

From revanth at arvindinternet.com Tue Jan 12 10:26:47 2016
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 12 Jan 2016 20:56:47 +0530
Subject: [keycloak-user] Keycloak Clustering
In-Reply-To:
References:
Message-ID:

I mean, I am not able to access it using its public IP.

On Tue, Jan 12, 2016 at 8:18 PM, Stian Thorgersen wrote:
> I don't know what you mean that you can't access from the outside world, but
> if you're running a cluster you'll need a load balancer in front. Apache,
> Nginx or even Undertow would do that for you.
>
> You add nodes by just running more nodes on the same subnet and they'll
> discover themselves.

From bburke at redhat.com Tue Jan 12 10:37:44 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 12 Jan 2016 10:37:44 -0500
Subject: [keycloak-user] KeyCloak Use Cases
In-Reply-To: <9D9D54E9-4250-43DF-BF40-19F3E243FD02@bazaarvoice.com>
References: <9D9D54E9-4250-43DF-BF40-19F3E243FD02@bazaarvoice.com>
Message-ID: <56951DC8.2040905@redhat.com>

On 1/11/2016 11:49 PM, Sonia Marginean wrote:
> Hello,
>
> My org is researching different open source solutions for IDP, SSO and
> Inbound Federation.
> We are looking into Okta and we'd like to ask a few questions:
>
> * Is there any support/training we can get for KeyCloak?
>
2016: it will be supported by Red Hat in product.
>
> * Are there any customer success stories anyone can share?
>
Yes, but I haven't put them on the website. Lack of time
>
> * Does Keycloak provide a UI for inbound federation setup or workflow?
>
Yes
>
> * What are the limits of Keycloak with respect to scaling? What is
>   the largest DB Keycloak can work with, that someone has tried?
>   (In terms of number of users)
>
Community will have to answer this. Keycloak is clusterable and backed by a distributed cache (Infinispan). We are currently working with performance team to get some good stress tests and benchmarks in place as we have fallen behind in keeping up with performance testing.
>
> * Do you provide any mechanism for adaptive authentication? Like
>   requiring additional authentication steps based on authentication
>   patterns (e.g. if a user logs in from a different country than the
>   one he has been logging in from usually, enforce a policy, like
>   require MFA)
>
We have an Auth SPI where you can code whatever you want for login flow, registration flow, reset credentials flow, broker flow, etc..
>
> Thanks,
> Sonia Marginean
> @Bazaarvoice

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Tue Jan 12 10:41:53 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 12 Jan 2016 10:41:53 -0500
Subject: [keycloak-user] keycloak-servlet-filter-adapter and bearer-only
In-Reply-To:
References:
Message-ID: <56951EC1.4090405@redhat.com>

Probably a bug in our impl.

On 1/12/2016 3:45 AM, Ramon Rockx wrote:
> Hi all,
>
> Maybe someone can help me out with the following;
> I'm trying to secure my Jax-RS services with Keycloak 1.7.0.Final. I
> configured for this a client in Keycloak with access type 'bearer-only'.
> Since I am using GlassFish 3.1 (no adapter available), I use the
> 'keycloak-servlet-filter-adapter'.
> When accessing one of the Jax-RS services with a valid token,
> GlassFish will throw an exception (with no relevant info in it). I
> debugged it, and found out that the HttpServletRequestWrapper, which
> is returned by the servlet filter, has no account property in it (see
> also FilterSessionStore.buildWrapper(HttpSession, KeycloakAccount)).
> And when GlassFish will try to access, for example the wrapper's
> principal, this will cause a NPE.
> It seems that
> FilterRequestAuthenticator.completeBearerAuthentication(KeycloakPrincipal,
> String) does not store the account in the tokenStore.
> Should I use this feature differently? Or is access type 'bearer-only'
> simply not supported by the servlet filter?
>
> Thanks!
>
> Ramon Rockx

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From hpeng at redhat.com Tue Jan 12 13:05:45 2016
From: hpeng at redhat.com (JasonPeng)
Date: Wed, 13 Jan 2016 02:05:45 +0800
Subject: [keycloak-user] How to correctly use REST API? delete user through REST API for example
Message-ID:

Hi there,

Can someone give me some hint about how to correctly set up a client that can accept REST requests from an httpclient in keycloak?
For example, I use the admin-access example from keycloak source project and modify it to do a DELETE action through REST API, however I keep getting the request Forbidden 403 from keycloak server.
I don't change any setting of the admin-client imported from the json file and my code snippet of deleting user as below:

    public static void deleteUser(HttpServletRequest request, AccessTokenResponse res) throws Failure {
        HttpClient client = new DefaultHttpClient();
        String userId = "e20277f8-2ebe-4e5e-aa00-0cee9c578249";
        try {
            HttpDelete delete = new HttpDelete(getBaseUrl(request) + "/admin/realms/demo/users/" + userId);
            delete.addHeader("Authorization", "Bearer " + res.getToken());
            HttpResponse response = client.execute(delete);
            System.out.println(response.getStatusLine().getReasonPhrase());
            // a successful delete answers 204 No Content, so checking for 200 would reject it
            if (response.getStatusLine().getStatusCode() != 204) {
                throw new Failure(response.getStatusLine().getStatusCode());
            }
            HttpEntity entity = response.getEntity(); // null on a 204
            if (entity != null) {
                InputStream is = entity.getContent();
                if (is != null)
                    is.close();
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        } finally {
            client.getConnectionManager().shutdown();
        }
    }

From sthorger at redhat.com Tue Jan 12 13:38:41 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Jan 2016 19:38:41 +0100
Subject: [keycloak-user] Keycloak Clustering
In-Reply-To:
References:
Message-ID:

If you're saying you can only access it using localhost, then run it with "bin/standalone.sh -b 0.0.0.0" and it'll be bound to all interfaces.

On 12 January 2016 at 16:26, Revanth Ayalasomayajula < revanth at arvindinternet.com> wrote:
> I mean, I am not able to access it using its public IP.

From thomas.darimont at googlemail.com Tue Jan 12 14:26:08 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 12 Jan 2016 20:26:08 +0100
Subject: [keycloak-user] How to correctly use REST API? delete user through REST API for example
In-Reply-To:
References:
Message-ID:

Hi Jason,

do you really need to use the raw REST API or would it be an option to use the keycloak-admin-client API?
here is an example for creating and deleting a user via the admin-client API:

    package de.tdlabs.training.keycloak;

    import static java.util.Arrays.asList;

    import javax.ws.rs.core.Response;

    import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    public class KeycloakAdminClientExample {

        public static void main(String[] args) throws Exception {

            Keycloak kc = KeycloakBuilder.builder() //
                    .serverUrl("http://localhost:8081/auth") //
                    .realm("rest-example") //
                    .username("rest-user-admin") //
                    .password("password") //
                    .clientId("admin-cli") //
                    .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()) //
                    .build();

            CredentialRepresentation credential = new CredentialRepresentation();
            credential.setType(CredentialRepresentation.PASSWORD);
            credential.setValue("test123");
            credential.setTemporary(false);

            UserRepresentation user = new UserRepresentation();
            user.setUsername("testuser");
            user.setFirstName("Test");
            user.setLastName("User");
            user.setCredentials(asList(credential));
            user.setEnabled(true);
            user.setRealmRoles(asList("admin"));

            // Create testuser
            Response result = kc.realm("rest-example").users().create(user);

            if (result.getStatus() != 201) {
                System.err.println("Couldn't create user.");
                System.exit(0);
            }

            System.out.println("Testuser created.... verify in keycloak!");
            System.out.println("Press any key...");
            System.in.read();

            // Delete testuser
            String locationHeader = result.getHeaderString("Location");
            String userId = locationHeader.replaceAll(".*/(.*)$", "$1");
            kc.realm("rest-example").users().get(userId).remove();
        }
    }

https://gist.github.com/thomasdarimont/43689aefb37540624e35

Cheers,
Thomas

2016-01-12 19:05 GMT+01:00 JasonPeng :
> Hi there,
>
> Can someone give me some hint about how to correctly set up a client that
> can accept REST requests from an httpclient in keycloak?
> For example, I use the admin-access example from keycloak source project
> and modify it to do a DELETE action through REST API, however I keep
> getting the request Forbidden 403 from keycloak server. I don't change any
> setting of the admin-client imported from the json file and my code snippet
> of deleting user as below:
>
>     public static void deleteUser(HttpServletRequest request, AccessTokenResponse res) throws Failure {
>         HttpClient client = new DefaultHttpClient();
>         String userId = "e20277f8-2ebe-4e5e-aa00-0cee9c578249";
>         try {
>             HttpDelete delete = new HttpDelete(getBaseUrl(request) + "/admin/realms/demo/users/" + userId);
>             delete.addHeader("Authorization", "Bearer " + res.getToken());
>             HttpResponse response = client.execute(delete);
>             System.out.println(response.getStatusLine().getReasonPhrase());
>             if (response.getStatusLine().getStatusCode() != 204) {
>                 throw new Failure(response.getStatusLine().getStatusCode());
>             }
>             HttpEntity entity = response.getEntity();
>             if (entity != null) {
>                 InputStream is = entity.getContent();
>                 if (is != null)
>                     is.close();
>             }
>         } catch (IOException e) {
>             throw new RuntimeException(e);
>         } finally {
>             client.getConnectionManager().shutdown();
>         }
>     }
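The same admin REST calls driven without the admin-client library, covering both threads above: Dirk's (token from the admin-cli client rather than security-admin-console, then separate requests for the password and the role mapping, as Stian and Juraci explain) and Jason's (a successful DELETE answers 204, and a 403 typically means the token's user lacks the realm-management role for that call). This is an added example, not code from the thread or from Keycloak; the FakeKeycloak stand-in, its token and the host name are constructed so the sequence runs offline.

```python
"""Keycloak admin REST sequence behind the two threads above. Added example, not thread
or Keycloak code; FakeKeycloak, its token and the host name are constructed."""
import json
import re
import urllib.parse


class AdminError(RuntimeError):
    pass


class KeycloakAdmin:  # transport(method, url, headers, body_bytes) -> (status, headers, text)
    def __init__(self, base_url, transport):
        self.base, self.send, self.token = base_url.rstrip("/"), transport, None

    def login(self, realm, username,  password, client_id="admin-cli"):
        # admin-cli allows the direct grant; security-admin-console does not (the thread's
        # "LOGIN_ERROR ... error=not_allowed, grant_type=password" event)
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id, "username": username, "password": password})
        status, _, text = self.send(
            "POST", f"{self.base}/realms/{realm}/protocol/openid-connect/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, form.encode())
        if status != 200:
            raise AdminError(f"token request failed: {status} {text}")
        self.token = json.loads(text)["access_token"]

    def _call(self, method, path, payload=None, expect=(204,)):
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, hdrs, text = self.send(method, self.base + path, headers, body)
        if status not in expect:  # a 403 here means the token's user lacks the admin role needed
            raise AdminError(f"{method} {path} -> {status}: {text}")
        return hdrs, text

    def create_user(self, realm, rep):
        # credentials and roles need their own requests; the new id comes back only in Location
        hdrs, _ = self._call("POST", f"/admin/realms/{realm}/users", rep, expect=(201,))
        return hdrs["Location"].rstrip("/").rsplit("/", 1)[1]

    def reset_password(self, realm, user_id, password, temporary=False):
        self._call("PUT", f"/admin/realms/{realm}/users/{user_id}/reset-password",
                   {"type": "password", "value": password, "temporary": temporary})

    def add_realm_roles(self, realm, user_id, names):
        roles = []  # mappings are posted as role representations (id + name), not bare names
        for name in names:
            _, text = self._call("GET", f"/admin/realms/{realm}/roles/{name}", expect=(200,))
            roles.append({"id": json.loads(text)["id"], "name": name})
        self._call("POST", f"/admin/realms/{realm}/users/{user_id}/role-mappings/realm", roles)

    def delete_user(self, realm, user_id):
        self._call("DELETE", f"/admin/realms/{realm}/users/{user_id}")  # success is 204, not 200


class FakeKeycloak:  # constructed stand-in server: just enough routing to exercise the client
    def __init__(self):
        self.users, self.passwords, self.roles, self.created = {}, {}, {}, 0

    def __call__(self, method, url, headers, body):
        path = urllib.parse.urlsplit(url).path
        if method == "POST" and path.endswith("/protocol/openid-connect/token"):
            if urllib.parse.parse_qs(body.decode())["client_id"][0] != "admin-cli":
                return 400, {}, '{"error":"invalid_grant"}'  # direct grant disabled
            return 200, {}, '{"access_token":"constructed-token"}'
        if method == "POST" and re.search(r"/admin/realms/\w+/users$", path):
            self.created += 1
            uid = f"user-{self.created:04d}"
            self.users[uid] = json.loads(body.decode())
            return 201, {"Location": f"{url}/{uid}"}, ""
        m = re.search(r"/admin/realms/\w+/roles/(\w+)$", path)
        if method == "GET" and m:  # "admin" is the only realm role the stand-in knows
            return (200, {}, '{"id":"role-0001","name":"admin"}') if m[1] == "admin" else (404, {}, "")
        m = re.search(r"/admin/realms/\w+/users/([\w-]+)(/.*)?$", path)
        if not m or m[1] not in self.users:
            return 404, {}, ""
        uid, sub = m[1], m[2] or ""
        if method == "PUT" and sub == "/reset-password":
            self.passwords[uid] = json.loads(body.decode())["value"]
        elif method == "POST" and sub == "/role-mappings/realm":
            self.roles.setdefault(uid, []).extend(r["name"] for r in json.loads(body.decode()))
        elif method == "DELETE" and sub == "":
            del self.users[uid]
        else:
            return 405, {}, ""
        return 204, {}, ""


def run_sequence(client_id="admin-cli"):
    # create, provision and delete 'testuser'; returns what the stand-in recorded
    server = FakeKeycloak()
    kc = KeycloakAdmin("http://keycloak.example.test:8180/auth", transport=server)
    try:
        kc.login("master", "admin", "password", client_id=client_id)
    except AdminError as err:
        return {"error": str(err)}
    uid = kc.create_user("master", {"username": "testuser", "firstName": "Test", "lastName": "User", "enabled": True})
    kc.reset_password("master", uid, "test123")
    kc.add_realm_roles("master", uid, ["admin"])
    kc.delete_user("master", uid)
    return {"id": uid, "password": server.passwords[uid], "roles": server.roles[uid], "deleted": uid not in server.users}
```

Against a real server, pass a transport that performs the HTTP request and returns the same (status, headers, body) triple; the paths and status codes are the Keycloak admin API ones.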
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160112/d366d33f/attachment.html From aikeaguinea at xsmail.com Tue Jan 12 18:08:06 2016 From: aikeaguinea at xsmail.com (Aikeaguinea) Date: Tue, 12 Jan 2016 18:08:06 -0500 Subject: [keycloak-user] Any limit on number of clients? Message-ID: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> We have a number of devices that need to access APIs; for various reasons we need to use client certificates for this purpose. I have noticed that Keycloak will allow service accounts to authenticate using client certificates and that these certificates can be generated within Keycloak. This looks like it fits our needs well -- when we set up a new device we would need to set up a new client and service account for it in Keycloak. I've verified through testing that we can make this work. Ultimately we may have to manage a fairly large number of devices, say in the hundreds. Is there any reason that Keycloak would limit us in the number of clients we could create and manage in this way? -- http://www.fastmail.com - Same, same, but different... From bburke at redhat.com Tue Jan 12 18:57:06 2016 From: bburke at redhat.com (Bill Burke) Date: Tue, 12 Jan 2016 18:57:06 -0500 Subject: [keycloak-user] Any limit on number of clients? In-Reply-To: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> References: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> Message-ID: <569592D2.2070304@redhat.com> How many devices you talking about? I think it may become an issue as we haven't really stressed and benched with tons (hundreds/thousands) of clients. On 1/12/2016 6:08 PM, Aikeaguinea wrote: > We have a number of devices that need to access APIs; for various > reasons we need to use client certificates for this purpose. 
> > I have noticed that Keycloak will allow service accounts to authenticate > using client certificates and that these certificates can be generated > within Keycloak. This looks like it fits our needs well -- when we set > up a new device we would need to set up a new client and service account > for it in Keycloak. I've verified through testing that we can make this > work. > > Ultimately we may have to manage a fairly large number of devices, say > in the hundreds. Is there any reason that Keycloak would limit us in the > number of clients we could create and manage in this way? > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From aikeaguinea at xsmail.com Tue Jan 12 19:18:04 2016 From: aikeaguinea at xsmail.com (Aikeaguinea) Date: Tue, 12 Jan 2016 19:18:04 -0500 Subject: [keycloak-user] Any limit on number of clients? In-Reply-To: <569592D2.2070304@redhat.com> References: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> <569592D2.2070304@redhat.com> Message-ID: <1452644284.4110312.490429250.7C2DAB4A@webmail.messagingengine.com> I'd say we're talking on the order of a hundred to start with; this could ramp up to multiples of that within a year or two. I imagine the thing to do would be for us to do some stress testing of our own. On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote: > How many devices you talking about? I think it may become an issue as > we haven't really stressed and benched with tons (hundreds/thousands) of > clients. > > On 1/12/2016 6:08 PM, Aikeaguinea wrote: > > We have a number of devices that need to access APIs; for various > > reasons we need to use client certificates for this purpose. > > > > I have noticed that Keycloak will allow service accounts to authenticate > > using client certificates and that these certificates can be generated > > within Keycloak. 
This looks like it fits our needs well -- when we set > > up a new device we would need to set up a new client and service account > > for it in Keycloak. I've verified through testing that we can make this > > work. > > > > Ultimately we may have to manage a fairly large number of devices, say > > in the hundreds. Is there any reason that Keycloak would limit us in the > > number of clients we could create and manage in this way? > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Aikeaguinea aikeaguinea at xsmail.com -- http://www.fastmail.com - Or how I learned to stop worrying and love email again

From ornot2008 at yahoo.com Tue Jan 12 21:00:44 2016 From: ornot2008 at yahoo.com (Mai Zi) Date: Wed, 13 Jan 2016 02:00:44 +0000 (UTC) Subject: [keycloak-user] There is no assertion error References: <653980898.4483221.1452650444988.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <653980898.4483221.1452650444988.JavaMail.yahoo@mail.yahoo.com>

Hi there,

We take keycloak as a SP to talk to a SAML2.0 IDP. When we login into that idp, we get an internal server error. We check the log and find these lines:

Caused by: org.keycloak.saml.common.exceptions.ProcessingException: No assertion from response.
at org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil.getAssertion(AssertionUtil.java:529)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:268)

That is, No assertion from response. The idp is ADFS system. We are not sure where the root cause is from. If it is idp's problem, what evidence can we show to IDP team?

Thanks a lot,
Mai
-------------- next part -------------- An HTML attachment was scrubbed...
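The ProcessingException quoted above is raised when the samlp:Response that reached Keycloak contains no saml:Assertion it can use. The most useful evidence to hand to the IdP team is the decoded response itself, because it shows whether ADFS reported success and whether it sent any assertion at all. The Python below is an added example, not part of the thread and not Keycloak code: it decodes the base64 SAMLResponse form parameter and reports the status code (SAML 2.0 Core, section 3.2.2), the issuer, the InResponseTo value, and how many Assertion and EncryptedAssertion elements are present. The two responses it runs against are constructed samples, not ADFS captures. The standard-library parser is acceptable here because you are inspecting a response you captured yourself; for XML from parties you do not control, parse with defusedxml instead.

```python
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def inspect_saml_response(saml_response_b64: str) -> dict:
    """Decode the SAMLResponse POST parameter and summarise what it carries."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: " + root.tag)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    nested = top.find("samlp:StatusCode", NS) if top is not None else None
    message = root.find("samlp:Status/samlp:StatusMessage", NS)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "status": top.get("Value") if top is not None else None,
        "sub_status": nested.get("Value") if nested is not None else None,
        "status_message": message.text if message is not None else None,
        "assertions": len(root.findall("saml:Assertion", NS)),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def diagnose(report: dict) -> str:
    """Turn the summary into the sentence you would put in the ticket."""
    if report["status"] != SUCCESS:
        return ("IdP returned %s (%s): the IdP refused the request, so no "
                "assertion was ever issued; the SP cannot fix this alone."
                % (report["status"], report["sub_status"] or report["status_message"]))
    if report["assertions"] == 0 and report["encrypted_assertions"] == 0:
        return "Success status but no Assertion or EncryptedAssertion: IdP-side issue."
    if report["assertions"] == 0:
        return ("Assertion is present but encrypted: the SP needs the matching "
                "decryption key configured before it can read it.")
    return "A plain assertion is present; look at signature, audience and conditions next."


# Constructed sample responses (not real ADFS output).
FAILED = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2016-01-13T02:00:00Z" InResponseTo="_kc123"
  Destination="https://sp.example.com/auth/realms/demo/broker/adfs/endpoint">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>""").decode()

ENCRYPTED = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
  IssueInstant="2016-01-13T02:00:00Z" InResponseTo="_kc124">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>""").decode()

if __name__ == "__main__":
    for sample in (FAILED, ENCRYPTED):
        report = inspect_saml_response(sample)
        print(report["status"], report["assertions"], report["encrypted_assertions"])
        print(diagnose(report))
```

Capture the SAMLResponse parameter from the browser's POST to the Keycloak broker endpoint (developer tools, or a SAML tracer extension) and feed it to `inspect_saml_response`; a non-Success status or a zero assertion count is something the ADFS team can act on, whereas the stack trace alone is not.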
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/491a1f5e/attachment.html From bl at onion.io Tue Jan 12 21:41:48 2016 From: bl at onion.io (Boken Lin) Date: Tue, 12 Jan 2016 21:41:48 -0500 Subject: [keycloak-user] Database migration error Message-ID: <81B05B78-9544-45E0-940E-0C39DBBEBD32@onion.io> Hi everyone, I'm trying to upgrade Keycloak 1.2.0 Final to a newer version, encountered the following error while the system tries to update the database: 00:55:20,179 ERROR [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 60) Change Set META-INF/jpa-changelog-1.3.0.xml::1.3.0::bburke at redhat.com fail ed. Error: Can't DROP 'FK_PMConfig'; check that column/key exists [Failed SQL: ALTER TABLE auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY FK_PMConfig]: liquibase.exception.DatabaseException: Can't DR OP 'FK_PMConfig'; check that column/key exists [Failed SQL: ALTER TABLE auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY FK_PMConfig] I have tried upgrading to 1.3.1 as well as to 1.7.0 directly, but the same error message was shown. Can someone point me in the right direction? Thank very much! Boken. From adrianmatei at gmail.com Wed Jan 13 00:28:53 2016 From: adrianmatei at gmail.com (Adrian Matei) Date: Wed, 13 Jan 2016 06:28:53 +0100 Subject: [keycloak-user] keycloak & tomcat on same host/domain + nginx reverse proxy server Message-ID: Can anyone help me with a configuration of keycloak (port 8180) and tomcat (port 8080) running on the same host/domain having nginx as reverse proxy server in front of it (new to nginx). Accessed on individual ports they run perfectly but when going over nginx, tomcat address (localhost) works but keycloak (localhost/auth) won't. 
Here's my nginx configuration:

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {
    server_tokens off; #hides nginx version and OS running on
    include /etc/nginx/mime.types;

    upstream tomcat_server {
        server localhost:8080;
    }
    upstream keycloak_server {
        server localhost:8180;
    }

    server {
        listen 80;
        server_name localhost;

        location / {
            try_files $uri $uri/index.hml /maintenance.html @tomcat;
        }

        location @tomcat {
            proxy_pass http://tomcat_server;
            proxy_set_header Host $host;
        }

        location /auth/ {
            proxy_pass http://keycloak_server;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

Thanks,
Adrian
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/a6fba235/attachment-0001.html

From sthorger at redhat.com Wed Jan 13 02:43:41 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Jan 2016 08:43:41 +0100 Subject: [keycloak-user] Any limit on number of clients? In-Reply-To: <1452644284.4110312.490429250.7C2DAB4A@webmail.messagingengine.com> References: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> <569592D2.2070304@redhat.com> <1452644284.4110312.490429250.7C2DAB4A@webmail.messagingengine.com> Message-ID:

As Bill said we haven't tested with loads of clients, but we need to be able to scale to hundreds or probably thousand clients at least. So if you run into issues with it let us know and we'll look into it.

On 13 January 2016 at 01:18, Aikeaguinea wrote: > I'd say we're talking on the order of a hundred to start with; this > could ramp up to multiples of that within a year or two. I imagine the > thing to do would be for us to do some stress testing of our own. > > On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote: > > How many devices you talking about?
I think it may become an issue as > > we haven't really stressed and benched with tons (hundreds/thousands) of > > clients. > > > > On 1/12/2016 6:08 PM, Aikeaguinea wrote: > > > We have a number of devices that need to access APIs; for various > > > reasons we need to use client certificates for this purpose. > > > > > > I have noticed that Keycloak will allow service accounts to > authenticate > > > using client certificates and that these certificates can be generated > > > within Keycloak. This looks like it fits our needs well -- when we set > > > up a new device we would need to set up a new client and service > account > > > for it in Keycloak. I've verified through testing that we can make this > > > work. > > > > > > Ultimately we may have to manage a fairly large number of devices, say > > > in the hundreds. Is there any reason that Keycloak would limit us in > the > > > number of clients we could create and manage in this way? > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Aikeaguinea > aikeaguinea at xsmail.com > > -- > http://www.fastmail.com - Or how I learned to stop worrying and > love email again > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/a713d531/attachment.html From sthorger at redhat.com Wed Jan 13 02:48:53 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Jan 2016 08:48:53 +0100 Subject: [keycloak-user] Database migration error In-Reply-To: <81B05B78-9544-45E0-940E-0C39DBBEBD32@onion.io> References: <81B05B78-9544-45E0-940E-0C39DBBEBD32@onion.io> Message-ID: What database are you using? On 13 January 2016 at 03:41, Boken Lin wrote: > Hi everyone, > > I'm trying to upgrade Keycloak 1.2.0 Final to a newer version, encountered > the following error while the system tries to update the database: > > 00:55:20,179 ERROR > [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] > (ServerService Thread Pool -- 60) Change Set META-INF/ > jpa-changelog-1.3.0.xml::1.3.0::bburke at redhat.com fail > ed. Error: Can't DROP 'FK_PMConfig'; check that column/key exists [Failed > SQL: ALTER TABLE auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY > FK_PMConfig]: liquibase.exception.DatabaseException: Can't DR > OP 'FK_PMConfig'; check that column/key exists [Failed SQL: ALTER TABLE > auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY FK_PMConfig] > > I have tried upgrading to 1.3.1 as well as to 1.7.0 directly, but the same > error message was shown. > > Can someone point me in the right direction? > > Thank very much! > Boken. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/80f2ab8a/attachment.html

From sthorger at redhat.com Wed Jan 13 05:52:41 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Jan 2016 11:52:41 +0100 Subject: [keycloak-user] Keycloak 1.8.0.CR1 Released Message-ID:

Keycloak 1.8.0.CR1 has just been released. As usual we will follow with a final release next week as long as no major issues are reported.

- *Default Admin User Removed* - we no longer have a built in admin account, instead a new account has to be created initially from http://localhost:8080/auth or with the bin/add-user[sh|bat] script
- *Client Templates* - with the introduction of client templates it's now possible to share mappers and scope configuration between clients
- *Partial Import* - it's now possible to import users, clients, identity brokers and user federators from a json file into an existing realm
- *Truststore SPI* - we've introduced a Truststore SPI which provides a centralized place to manage the truststore for clients, email, user federation and identity brokering
- *Password Hashing SPI* - if you want to import existing users into Keycloak you can implement a password hashing provider so existing hashed passwords can be used (thanks to tsudo for the contribution)
- *Identity Brokering Login Flow* - this allows customizing the flow used when a user logs in through an identity broker
- *SAML v2 Enhanced Client or Proxy Profile (ECP)* - this SAML profile is useful for non-browser based clients (for example a desktop application)
- *OAuth2 Token Introspection* - the OAuth2 token introspection specification provides a standard way to obtain the active state of a token
- *Conditional OTP* - requiring OTP used to be either enabled or disabled for a realm, it's now possible to conditionally choose which users require OTP based on for example a role or a request header (thanks to thomasdarimont for the contribution)
- *Realm Display Name* - a display name has been added to realms, which makes it possible to set a human readable name to be shown on login screens, emails, etc.
- *WildFly 10.0.0.CR5* - Keycloak is now built on top of WildFly 10.0.0.CR5. Deploying the server overlay to WildFly 9 is no longer supported

For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/183f3341/attachment.html

From mitja.strojansek at efos.si Wed Jan 13 07:53:14 2016 From: mitja.strojansek at efos.si (Mitja Strojanšek) Date: Wed, 13 Jan 2016 13:53:14 +0100 Subject: [keycloak-user] Adapter 1.3.1 on EAP 6.3.2 In-Reply-To: References: <5682A833.3090202@efos.si> Message-ID: <569648BA.6010703@efos.si>

We have correct adapter. The solution is to add @SecurityDomain("keycloak") to the service and add with to the web.xml. Thx -- *Mitja*

On 4.1.2016 16:06, Stian Thorgersen wrote: > EAP 6.3.2 should work just fine, but there's a separate adapter for > EAP 6.3. > > On 29 December 2015 at 16:35, Mitja Strojanšek > > wrote: > > We have REST services on EAP 6.3.2 with adapter 1.3.1 and gateway > server WF 8.2 with 1.3.1 server. This configuration doesn't work. > Our test case works on WF 8.2 server with adapter 1.3.1. > Does anybody has idea, why it shouldn't work also with EAP 6.3.2? > Are there any incompatibilities? > -- > *Mitja* > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed...
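Of the 1.8.0.CR1 items in the release announcement above, OAuth2 token introspection is the one a resource server can put to use directly. The Python below is an added example of mine, not Keycloak code and not from the announcement: it shows both halves of RFC 7662, building the request a confidential client sends to Keycloak's introspection endpoint (/realms/{realm}/protocol/openid-connect/token/introspect, authenticated with HTTP Basic client credentials exactly as at the token endpoint) and deciding from the JSON answer whether to accept the presented token. The realm, client id, secret, issuer and the two introspection replies are constructed samples. Two caveats a practitioner should keep in mind: the reply is only worth trusting when it came over TLS from the issuer you configured, and `active: false` is the single signal you get for a revoked, expired or unknown token, so the exp, nbf, iss and aud checks after it are defence in depth rather than a substitute.

```python
import base64
import json
from urllib.parse import urlencode

INTROSPECT_PATH = "/realms/{realm}/protocol/openid-connect/token/introspect"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credentials for the resource server's own client."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return "Basic " + creds


def introspection_request(base_url, realm, client_id, client_secret, token,
                          token_type_hint="access_token"):
    """RFC 7662 section 2.1: POST, form-encoded body, authenticated client."""
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + INTROSPECT_PATH.format(realm=realm),
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urlencode({"token": token, "token_type_hint": token_type_hint}),
    }


def accept_token(introspection_json, now, expected_aud, expected_iss):
    """Decide from an RFC 7662 response (section 2.2). Returns (ok, reason).
    A missing aud is treated as 'not for us': this example is strict on purpose."""
    info = json.loads(introspection_json)
    if info.get("active") is not True:
        return False, "inactive"
    exp = info.get("exp")
    if exp is not None and now >= exp:
        return False, "expired"
    nbf = info.get("nbf")
    if nbf is not None and now < nbf:
        return False, "not yet valid"
    if "iss" in info and info["iss"] != expected_iss:
        return False, "wrong issuer"
    aud = info.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # string or array per RFC 7662
    if expected_aud not in aud:
        return False, "token not meant for this resource server"
    return True, info.get("sub", "")


# Constructed sample replies (not captured from a real server).
ISSUER = "https://sso.example.com/auth/realms/demo"
ACTIVE_REPLY = json.dumps({
    "active": True, "exp": 1452650700, "nbf": 1452650000, "iat": 1452650400,
    "iss": ISSUER, "aud": ["database-service", "account"], "sub": "user-1",
    "client_id": "customer-app", "token_type": "Bearer", "scope": "openid",
})
INACTIVE_REPLY = json.dumps({"active": False})

if __name__ == "__main__":
    req = introspection_request("https://sso.example.com/auth", "demo",
                                "database-service", "s3cret", "eyJhbGciOi...")
    print(req["method"], req["url"])
    print(accept_token(ACTIVE_REPLY, 1452650500, "database-service", ISSUER))
    print(accept_token(INACTIVE_REPLY, 1452650500, "database-service", ISSUER))
```

Introspection costs one round trip to Keycloak per check, so a resource server that receives signed JWTs usually verifies the signature locally and introspects only where revocation latency matters (logout, compromised client); for opaque tokens or a policy that must see revocation immediately, introspection is the standard mechanism.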
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/cfae692b/attachment.html From andyyar66 at gmail.com Wed Jan 13 08:27:21 2016 From: andyyar66 at gmail.com (Andy Yar) Date: Wed, 13 Jan 2016 14:27:21 +0100 Subject: [keycloak-user] Behind a reverse proxy using context path Message-ID: Hello, I'm stuck with Keycloak 1.7.0 Final on WildFly 9 behind a reverse proxy (nginx). The WildFly is configured for proxying according to the Keycloak guide and the proxy sends the needed custom HTTP headers. I have a public SSL secured domain and nginx proxying requests to internal WildFly server. I would like to use URL: https://domain.foo/sso/ to access the Keycloak (internal WildFly). I guess the context path (sso/) is important here. Accessing the address I can reach the Keycloak default welcome page. However, a GET https://domain.foo/sso/admin results in 302 to Location: https://domain.foo/admin/master/console/. Obviously this redirect fails because its Location misses the needed context path (sso/). Adding the context path to a request manually results in a 200 but following resources fail to download because of the missing context path part of URL. Is my configuration wrong? Is there a way how the original base URL can be set? Is it even possible to have it behind a reverse proxy not running at root context? Is the origin detection broken? Thanks in advance Andy -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/bc416e31/attachment-0001.html From sthorger at redhat.com Wed Jan 13 08:44:13 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Jan 2016 14:44:13 +0100 Subject: [keycloak-user] Behind a reverse proxy using context path In-Reply-To: References: Message-ID: Looks like it may be a bug caused by context-path on the server being different than context-path on the reverse proxy. 
Try setting web-context for urn:jboss:domain:keycloak-server:1.1 in standalone.xml to "sso". If that works please create a bug. On 13 January 2016 at 14:27, Andy Yar wrote: > Hello, > I'm stuck with Keycloak 1.7.0 Final on WildFly 9 behind a reverse proxy > (nginx). The WildFly is configured for proxying according to the Keycloak > guide and the proxy sends the needed custom HTTP headers. > > I have a public SSL secured domain and nginx proxying requests to internal > WildFly server. I would like to use URL: https://domain.foo/sso/ to > access the Keycloak (internal WildFly). I guess the context path (sso/) is > important here. > > Accessing the address I can reach the Keycloak default welcome page. > However, a GET https://domain.foo/sso/admin results in 302 to Location: > https://domain.foo/admin/master/console/. Obviously this redirect fails > because its Location misses the needed context path (sso/). Adding the > context path to a request manually results in a 200 but following resources > fail to download because of the missing context path part of URL. > > Is my configuration wrong? Is there a way how the original base URL can be > set? Is it even possible to have it behind a reverse proxy not running at > root context? Is the origin detection broken? > > Thanks in advance > Andy > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/21455df8/attachment.html From bl at onion.io Wed Jan 13 08:45:57 2016 From: bl at onion.io (Boken Lin) Date: Wed, 13 Jan 2016 08:45:57 -0500 Subject: [keycloak-user] Database migration error In-Reply-To: References: <81B05B78-9544-45E0-940E-0C39DBBEBD32@onion.io> Message-ID: Hi Stian, thanks for your reply. The database we are using is MySQL on AWS. Boken. 
On Jan 13, 2016 2:48 AM, "Stian Thorgersen" wrote: > What database are you using? > > On 13 January 2016 at 03:41, Boken Lin wrote: > >> Hi everyone, >> >> I'm trying to upgrade Keycloak 1.2.0 Final to a newer version, >> encountered the following error while the system tries to update the >> database: >> >> 00:55:20,179 ERROR >> [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] >> (ServerService Thread Pool -- 60) Change Set META-INF/ >> jpa-changelog-1.3.0.xml::1.3.0::bburke at redhat.com fail >> ed. Error: Can't DROP 'FK_PMConfig'; check that column/key exists >> [Failed SQL: ALTER TABLE auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY >> FK_PMConfig]: liquibase.exception.DatabaseException: Can't DR >> OP 'FK_PMConfig'; check that column/key exists [Failed SQL: ALTER TABLE >> auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY FK_PMConfig] >> >> I have tried upgrading to 1.3.1 as well as to 1.7.0 directly, but the >> same error message was shown. >> >> Can someone point me in the right direction? >> >> Thank very much! >> Boken. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/53f6a2c8/attachment.html From bburke at redhat.com Wed Jan 13 09:46:27 2016 From: bburke at redhat.com (Bill Burke) Date: Wed, 13 Jan 2016 09:46:27 -0500 Subject: [keycloak-user] Any limit on number of clients? In-Reply-To: References: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> <569592D2.2070304@redhat.com> <1452644284.4110312.490429250.7C2DAB4A@webmail.messagingengine.com> Message-ID: <56966343.4050703@redhat.com> I think you'd be better served having public clients and developing cert auth for users via our auth spi, as these are users aren't they? 
They aren't clients in the sense of what Keycloak thinks of as a client. A client in keycloak is really a service or web app. On 1/13/2016 2:43 AM, Stian Thorgersen wrote: > As Bill said we haven't tested with loads of clients, but we need to > be able to scale to hundreds or probably thousand clients at least. So > if you run into issues with it let us know and we'll look into it. > > On 13 January 2016 at 01:18, Aikeaguinea > wrote: > > I'd say we're talking on the order of a hundred to start with; this > could ramp up to multiples of that within a year or two. I imagine the > thing to do would be for us to do some stress testing of our own. > > On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote: > > How many devices you talking about? I think it may become an > issue as > > we haven't really stressed and benched with tons > (hundreds/thousands) of > > clients. > > > > On 1/12/2016 6:08 PM, Aikeaguinea wrote: > > > We have a number of devices that need to access APIs; for various > > > reasons we need to use client certificates for this purpose. > > > > > > I have noticed that Keycloak will allow service accounts to > authenticate > > > using client certificates and that these certificates can be > generated > > > within Keycloak. This looks like it fits our needs well -- > when we set > > > up a new device we would need to set up a new client and > service account > > > for it in Keycloak. I've verified through testing that we can > make this > > > work. > > > > > > Ultimately we may have to manage a fairly large number of > devices, say > > > in the hundreds. Is there any reason that Keycloak would limit > us in the > > > number of clients we could create and manage in this way? 
> > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Aikeaguinea > aikeaguinea at xsmail.com > > -- > http://www.fastmail.com - Or how I learned to stop worrying and > love email again > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/444bbf12/attachment.html From srossillo at smartling.com Wed Jan 13 10:41:09 2016 From: srossillo at smartling.com (Scott Rossillo) Date: Wed, 13 Jan 2016 10:41:09 -0500 Subject: [keycloak-user] keycloak & tomcat on same host/domain + nginx reverse proxy server In-Reply-To: References: Message-ID: <6745EED2-4A37-4693-B32E-1406719CECD3@smartling.com> I believe you have to tell Wildfly to listen for proxied connections. In standalone/configuration/standalone.xml change: Hope that helps. If not, check your nginx error log. Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com > On Jan 13, 2016, at 12:28 AM, Adrian Matei wrote: > > Can anyone help me with a configuration of keycloak (port 8180) and tomcat (port 8080) running on the same host/domain having nginx as reverse proxy server in front of it (new to nginx). > > Accessed on individual ports they run perfectly but when going over nginx, tomcat address (localhost) works but keycloak (localhost/auth) won't. 
> > Here's my nginx configuration: > > user www-data; > worker_processes 4; > pid /run/nginx.pid; > > events { > worker_connections 1024; > # multi_accept on; > } > > http { > server_tokens off; #hides nginx version and OS running on > include /etc/nginx/mime.types; > > upstream tomcat_server { > server localhost:8080; > } > upstream keycloak_server { > server localhost:8180; > } > > server { > listen 80; > server_name localhost; > > location / { > try_files $uri $uri/index.hml /maintenance.html @tomcat; > } > > location @tomcat { > proxy_pass http://tomcat_server ; > proxy_set_header Host $host; > } > > location /auth/ { > proxy_pass http://keycloak_server ; > > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > } > > } > } > > > Thanks, > Adrian > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/214ddf95/attachment-0001.html From amaeztu at tesicnor.com Wed Jan 13 12:20:59 2016 From: amaeztu at tesicnor.com (Aritz Maeztu) Date: Wed, 13 Jan 2016 18:20:59 +0100 Subject: [keycloak-user] Login to keycloak from Android app Message-ID: <5696877B.5070104@tesicnor.com> Hello everybody, I'm struggling to implement a keycloak login from my Android app. What I want to do is to simulate what a browser does (request a resource, be redirected to keycloak login page and get an access token later on). From what I've seen from the OAuth2 protocol, I need to firstly get the authorization code and later on request the access token with that code. I wouldn't like my Android app to be registered as a client itself, so I've registered my web service as public. 
Here I start the intent to launch the Android browser pointing to the keycloak authorization address (/openid-connect/auth):

Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse("http://192.168.0.230:8080/auth/realms/master/protocol/"
        + "openid-connect/auth?response_type=code&client_id=web_service&redirect_uri=android://app"));
startActivity(i);

When I enter the credentials successfully, I'm given a code in the redirection url, coming back to my app:

Uri data = getIntent().getData();
if (data != null) {
    String accessCode= data.getQueryParameter("code");
    System.out.println("Authorization code:" + accessCode);
}

The code looks like bC8OM0TwfbhYouM34M3RY2aZRYTywXZVAvKFABgvVRc.693363de-d6b5-4f88-b545-c6603023ee4c

Then I would like to get an access token with that code! I use a Rest Template for that, making a POST request to the /openid-connect/token endpoint:

ResponseEntity rssResponse = template.exchange(
        "http://192.168.0.230:8080/auth/realms/master/protocol/"
        + "openid-connect/token?grant_type=authoritation_code&client_id=web_service&code="+accessCode,
        HttpMethod.POST,
        null,
        Object.class);

However, I'm given a 401 unauthorized exception. What am I doing wrong?

Thanks in advance ;-)

-- Aritz Maeztu Otaño Departamento Desarrollo de Software Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf.: 948 21 40 40 Fax.: 948 21 40 41 Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern.
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/53e7abde/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: linkdin.gif Type: image/gif Size: 1295 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/53e7abde/attachment.gif -------------- next part -------------- A non-text attachment was scrubbed...
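The token request in the post above differs in three ways from what RFC 6749 section 4.1.3 requires of an authorization-code exchange: grant_type must be exactly `authorization_code`, the parameters belong in an application/x-www-form-urlencoded body rather than the URL's query string, and because redirect_uri was sent on the authorization request it has to be repeated, byte for byte, on the token request. The Python below is an added example, not the poster's code, not an AeroGear adapter and not Keycloak's implementation. It builds the correct exchange for a public client, adds the PKCE verifier/challenge pair (RFC 7636) that a public mobile client with a custom-scheme redirect should use wherever the server supports it, and runs the request through a small model of the token endpoint's checks so each failure mode is visible offline. The host, client id, redirect URI and the misspelled grant type are the ones from the post; the issued-code table and the endpoint model are constructed and stricter than any particular server need be.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs

BASE = "http://192.168.0.230:8080/auth/realms/master/protocol/openid-connect"


def s256(verifier: str) -> str:
    """RFC 7636 S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def pkce_pair():
    """Verifier stays on the device; the challenge goes with the auth request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256(verifier)


def authorization_url(client_id, redirect_uri, state, challenge):
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return BASE + "/auth?" + urlencode(params)


def token_request(client_id, redirect_uri, code, verifier):
    """Correct exchange: POST, form body, no query string, grant_type per RFC."""
    return {
        "method": "POST",
        "url": BASE + "/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code",
                           "client_id": client_id, "code": code,
                           "redirect_uri": redirect_uri,
                           "code_verifier": verifier}),
    }


def posted_request(code):
    """The shape from the post: query string, misspelled grant_type, no redirect_uri."""
    return {"method": "POST", "headers": {}, "body": "",
            "url": BASE + "/token?grant_type=authoritation_code&client_id=web_service&code=" + code}


# Constructed model of what an authorization server remembers when it issues a
# code and the checks it applies when the code comes back (RFC 6749 4.1.3,
# RFC 7636 4.6). Not Keycloak's implementation.
ISSUED_CODES = {}


def issue_code(client_id, redirect_uri, challenge=None):
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                          "challenge": challenge, "used": False}
    return code


def token_endpoint(request):
    """Return (status, body) the way a strict, compliant endpoint would answer."""
    if "?" in request["url"]:
        return 400, {"error": "invalid_request", "error_description": "parameters must be in the form body"}
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    entry = ISSUED_CODES.get(form.get("code"))
    if entry is None or entry["used"]:
        return 400, {"error": "invalid_grant", "error_description": "unknown or reused code"}
    if entry["client_id"] != form.get("client_id"):
        return 400, {"error": "invalid_grant", "error_description": "code issued to another client"}
    if entry["redirect_uri"] != form.get("redirect_uri"):
        return 400, {"error": "invalid_grant", "error_description": "redirect_uri mismatch"}
    if entry["challenge"] is not None and s256(form.get("code_verifier", "")) != entry["challenge"]:
        return 400, {"error": "invalid_grant", "error_description": "PKCE verification failed"}
    entry["used"] = True  # authorization codes are single use
    return 200, {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer", "expires_in": 300}


def run_flow(client_id="web_service", redirect_uri="android://app"):
    """Whole exchange as the app would drive it; returns (status, body, code)."""
    verifier, challenge = pkce_pair()
    code = issue_code(client_id, redirect_uri, challenge)  # as if the browser came back
    status, body = token_endpoint(token_request(client_id, redirect_uri, code, verifier))
    return status, body, code


if __name__ == "__main__":
    status, body, code = run_flow()
    print(status, body)
    print(token_endpoint(posted_request(issue_code("web_service", "android://app"))))
```

On Android the same request is the `MultiValueMap` body of a `RestTemplate.postForObject` call with `application/x-www-form-urlencoded` content type; the point of the model is that every one of the 400s above is reachable from the posted request before any credential is looked at, and that a code that has been exchanged once is dead.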
Name: logo.png Type: image/png Size: 2983 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/53e7abde/attachment.png

From andyyar66 at gmail.com Wed Jan 13 13:07:06 2016 From: andyyar66 at gmail.com (Andy Yar) Date: Wed, 13 Jan 2016 19:07:06 +0100 Subject: [keycloak-user] Behind a reverse proxy using context path In-Reply-To: References: Message-ID:

OK, I forgot to mention I used to have the Keycloak set to run on the root context. So I removed the root context mapping, set the "standalone.xml" to "sso" and customized the nginx settings accordingly. Now I am able to enter the admin/, although redirecting to the login form for the master realm ends with an error - "Invalid parameter: redirect_uri". Apparently the context path "sso/" is ignored by a security pattern.

Log dump:

2016-01-13 17:06:21,858 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (default task-15) replacing relative valid redirect with: https://domain.foo/auth/admin/master/console/*
2016-01-13 17:06:21,876 WARN [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=x.x.x.x, error=invalid_redirect_uri, response_type=code, redirect_uri=https://domain.foo/sso/admin/master/console/, response_mode=fragment

Thanks

This email was sent from a virus-free computer protected by Avast. www.avast.com

On Wed, Jan 13, 2016 at 2:44 PM, Stian Thorgersen wrote: > Looks like it may be a bug caused by context-path on the server being > different than context-path on the reverse proxy. > > Try setting web-context for urn:jboss:domain:keycloak-server:1.1 in > standalone.xml to "sso". If that works please create a bug. > > On 13 January 2016 at 14:27, Andy Yar wrote: > >> Hello, >> I'm stuck with Keycloak 1.7.0 Final on WildFly 9 behind a reverse proxy >> (nginx).
The WildFly is configured for proxying according to the Keycloak >> guide and the proxy sends the needed custom HTTP headers. >> >> I have a public SSL secured domain and nginx proxying requests to >> internal WildFly server. I would like to use URL: https://domain.foo/sso/ >> to access the Keycloak (internal WildFly). I guess the context path (sso/) >> is important here. >> >> Accessing the address I can reach the Keycloak default welcome page. >> However, a GET https://domain.foo/sso/admin results in 302 to Location: >> https://domain.foo/admin/master/console/. Obviously this redirect fails >> because its Location misses the needed context path (sso/). Adding the >> context path to a request manually results in a 200 but following resources >> fail to download because of the missing context path part of URL. >> >> Is my configuration wrong? Is there a way how the original base URL can >> be set? Is it even possible to have it behind a reverse proxy not running >> at root context? Is the origin detection broken? >> >> Thanks in advance >> Andy >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160113/03a72bb6/attachment.html From sthorger at redhat.com Wed Jan 13 13:22:31 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Jan 2016 19:22:31 +0100 Subject: [keycloak-user] Login to keycloak from Android app In-Reply-To: <5696877B.5070104@tesicnor.com> References: <5696877B.5070104@tesicnor.com> Message-ID: Sadly we've got no one on the team that are clued up on mobile development. However, the AeroGear guys they know all about it, so take a look at https://aerogear.org/docs/guides/security/oauth2-guide/ they have OAuth2 adapters that work with Keycloak. 
On 13 January 2016 at 18:20, Aritz Maeztu wrote:

> Hello everybody,
>
> I'm struggling to implement a keycloak login from my Android app. What I want to do is to simulate what a browser does (request a resource, be redirected to the keycloak login page and get an access token later on). From what I've seen of the OAuth2 protocol, I need to first get the authorization code and later on request the access token with that code. I wouldn't like my Android app to be registered as a client itself, so I've registered my web service as public.
>
> Here I start the intent to launch the Android browser pointing to the keycloak authorization address (/openid-connect/auth):
>
>     Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse(
>             "http://192.168.0.230:8080/auth/realms/master/protocol/"
>             + "openid-connect/auth?response_type=code&client_id=web_service&redirect_uri=android://app"));
>     startActivity(i);
>
> When I enter the credentials successfully, I'm given a code in the redirection url, coming back to my app:
>
>     Uri data = getIntent().getData();
>     if (data != null) {
>         String accessCode = data.getQueryParameter("code");
>         System.out.println("Authorization code:" + accessCode);
>     }
>
> The code looks like bC8OM0TwfbhYouM34M3RY2aZRYTywXZVAvKFABgvVRc.693363de-d6b5-4f88-b545-c6603023ee4c
>
> Then I would like to get an access token with that code! I use a RestTemplate for that, making a POST request to the /openid-connect/token endpoint:
>
>     ResponseEntity rssResponse = template.exchange(
>             "http://192.168.0.230:8080/auth/realms/master/protocol/"
>             + "openid-connect/token?grant_type=authoritation_code&client_id=web_service&code=" + accessCode,
>             HttpMethod.POST,
>             null,
>             Object.class);
>
> However, I'm given a 401 unauthorized exception. What am I doing wrong? Thanks in advance ;-)
>
> --
> Aritz Maeztu Otaño
> Software Development Department
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Telf.: 948 21 40 40
> Fax.: 948 21 40 41
> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern.

From adrianmatei at gmail.com Wed Jan 13 14:23:35 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Wed, 13 Jan 2016 20:23:35 +0100
Subject: [keycloak-user] keycloak & tomcat on same host/domain + nginx reverse proxy server
In-Reply-To: <6745EED2-4A37-4693-B32E-1406719CECD3@smartling.com>
References: <6745EED2-4A37-4693-B32E-1406719CECD3@smartling.com>

Thank you very much Scott, you've saved me - that was the solution.

Cheers,
Adrian

On Wed, Jan 13, 2016 at 4:41 PM, Scott Rossillo wrote:

> I believe you have to tell WildFly to listen for proxied connections. In standalone/configuration/standalone.xml change:
>
>     <http-listener name="default" socket-binding="http" redirect-socket="https"/>
>
> to
>
>     <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true"/>
>
> Hope that helps. If not, check your nginx error log.
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Jan 13, 2016, at 12:28 AM, Adrian Matei wrote:
>
> Can anyone help me with a configuration of keycloak (port 8180) and tomcat (port 8080) running on the same host/domain having nginx as reverse proxy server in front of it (new to nginx).
>
> Accessed on individual ports they run perfectly but when going over nginx, the tomcat address (localhost) works but keycloak (localhost/auth) won't.
> Here's my nginx configuration:
>
>     user www-data;
>     worker_processes 4;
>     pid /run/nginx.pid;
>
>     events {
>         worker_connections 1024;
>         # multi_accept on;
>     }
>
>     http {
>         server_tokens off; # hides nginx version and OS running on
>         include /etc/nginx/mime.types;
>
>         upstream tomcat_server {
>             server localhost:8080;
>         }
>         upstream keycloak_server {
>             server localhost:8180;
>         }
>
>         server {
>             listen 80;
>             server_name localhost;
>
>             location / {
>                 try_files $uri $uri/index.html /maintenance.html @tomcat;
>             }
>
>             location @tomcat {
>                 proxy_pass http://tomcat_server;
>                 proxy_set_header Host $host;
>             }
>
>             location /auth/ {
>                 proxy_pass http://keycloak_server;
>
>                 proxy_set_header Host $host;
>                 proxy_set_header X-Real-IP $remote_addr;
>                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>                 proxy_set_header X-Forwarded-Proto $scheme;
>             }
>         }
>     }
>
> Thanks,
> Adrian

From Rajees.Patel at invenco.com Wed Jan 13 15:13:05 2016
From: Rajees.Patel at invenco.com (Rajees Patel)
Date: Thu, 14 Jan 2016 09:13:05 +1300
Subject: [keycloak-user] Logging when in Impersonate mode

Hi,

For auditing reasons we have a requirement that all user actions are logged. If user X is impersonating user Y, is it possible that this be logged somewhere? i.e.

    13 Jan 2016 16:47:56 INFO User X is impersonating User Y

We are concerned that user X may impersonate user Y and perform some malicious actions, and we will have no idea that this happened.
Regards
Raj

Rajees Patel
Product Architect
Invenco Group Limited
O: +64 9 905 5673
Rajees.Patel at invenco.com
www.invenco.com

Disclaimer: This email is confidential and may be legally privileged. If you are not the intended recipient you must not use any of the information in it and must delete the email immediately.

From bburke at redhat.com Wed Jan 13 15:22:28 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 13 Jan 2016 15:22:28 -0500
Subject: [keycloak-user] Logging when in Impersonate mode
Message-ID: <5696B204.3080203@redhat.com>

It should be logged. Search for IMPERSONATE in your log file.

On 1/13/2016 3:13 PM, Rajees Patel wrote:

> For auditing reasons we have a requirement that all user actions are logged.
>
> If user X is impersonating user Y, is it possible that this be logged somewhere?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From traviskds at gmail.com Wed Jan 13 15:27:46 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Wed, 13 Jan 2016 20:27:46 +0000
Subject: [keycloak-user] Client Id and Timeout

Hi,

For theming the login for different clients within a realm, we are conditionally checking for the client ID in the freemarker templates and then accordingly including sub freemarker templates. This is working perfectly but the issue is that for certain errors, such as "You took too long to login. Login process starting from beginning.", the clientId becomes null (sometimes).

Is there anything I can do from the freemarker template to identify the client id so I can then accordingly handle these errors?

Cheers
Travis

    clientId=null

From bburke at redhat.com Wed Jan 13 15:50:24 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 13 Jan 2016 15:50:24 -0500
Subject: [keycloak-user] Logging when in Impersonate mode
In-Reply-To: <5696B204.3080203@redhat.com>
References: <5696B204.3080203@redhat.com>
Message-ID: <5696B890.4000102@redhat.com>

I'm sorry. It isn't logged to console, but IMPERSONATE is an event. You can filter and view it in the admin console, or even create a custom listener to listen for impersonate events. Currently, to have it logged in the log file, you'll have to turn on debug mode for events "org.keycloak.events". I think I may change this so it's logged. Currently only errors are logged to the log file.

On 1/13/2016 3:22 PM, Bill Burke wrote:

> It should be logged. Search for IMPERSONATE in your log file.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Wed Jan 13 17:07:07 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 13 Jan 2016 23:07:07 +0100
Subject: [keycloak-user] retrieving group membership info from LDAP/AD
In-Reply-To: <83FA22EE27AA7949A5F616D4DD6AF71E16413655@INBLRMBX002.INDECOMM.LOCAL>
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F1DC@INBLRMBX002.INDECOMM.LOCAL> <568A3F93.2050007@redhat.com> <83FA22EE27AA7949A5F616D4DD6AF71E16413655@INBLRMBX002.INDECOMM.LOCAL>
Message-ID: <5696CA8B.40101@redhat.com>

On 08/01/16 15:02, Mahantesh Prasad Katti wrote:

> Thanks Marek. I looked at the built in example.
> I am looking for a couple of details.
>
> 1. What is the bind password for the embedded apache ds?

secret. See the property bindCredential in the ldaprealm.json document.

> 2. I had a quick look at the ldaprealm.json document. It turned out that the group name and the realm role name are identical. Is that a requirement for role-group mapping to work in keycloak?

ATM yes. You may need to override RoleLDAPFederationMapper if you have more fancy requirements around this.

> 3. Also, is role to group mapping always one to one? In our application, one role is invariably mapped to multiple ldap groups.

I think you can create multiple Role LDAP federation mappers for your federation provider. For example you can create mappers for 2 group trees "ou=roles1,dc=example,dc=com" and "ou=roles2,dc=example,dc=com". In that case, if you create the keycloak realm role "foo", it will be saved into LDAP into both "cn=foo,ou=roles1,dc=example,dc=com" and "cn=foo,ou=roles2,dc=example,dc=com". If you assign some user to the "foo" role in Keycloak, he will always be added as a member of both LDAP groups. The role mappings in Keycloak should be the union of both LDAP groups. For example if user "john" is declared as a member in any of "cn=foo,ou=roles1,dc=example,dc=com" or "cn=foo,ou=roles2,dc=example,dc=com", he will be a member of this role in Keycloak.

Marek

> Regards,
> Prasad
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Monday, January 04, 2016 3:17 PM
> To: Mahantesh Prasad Katti; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] retrieving group membership info from LDAP/AD
>
> On 30/12/15 18:42, Mahantesh Prasad Katti wrote:
>
>> Hi All,
>>
>> In our application, we integrate with Microsoft AD for authenticating users. As part of the authentication result, we also fetch group information for the authenticated user. We also have a pre-defined group-role mapping defined in the application server [This is a JEE configuration file]. This helps decide whether a particular user, based on the role he belongs to, can access a resource or not. I read another thread "Apply group membership filter on ldap login" on similar lines. Couple of clarifications.
>>
>> 1. Based on what I read there is no feature to get roles and map them to specific roles in keycloak and it would be available in a future release. I just wanted to understand if my reading of this is on the right lines. Also, wanted to know if there's a workaround for this in the short term.
>
> The feature to get LDAP roles and map them to specific roles in Keycloak is available. We have LDAP Role Mapper (See documentation http://keycloak.github.io/docs/userguide/keycloak-server/html/user_federation.html#ldap_mappers and our ldap example for details).
>
> The thread "Apply group membership filter on ldap login" is more about restricting that some LDAP users are not able to login at all (For example, specify that just users which are members of LDAP group "cn=mygroup,o=myorg,dc=example,dc=com" are able to login and all the other users are filtered). This will be available from the 1.8 release (it's in master already).
>
>> 2. Also does keycloak provide fine grained access control on the lines of apache shiro?
>
> Keycloak provides SSO and authentication. Once you authenticate, your application will receive an access token with the roles of the user from Keycloak (We have stuff like scope, protocol mappers etc, which allows better control over what exactly will go into the access token. See docs and examples for details).
>
> Then it's up to the application how it interprets roles from the accessToken. The authorization needs to actually be done by the application itself (unless it's a JEE application where we have mapping of accessToken roles to JEE roles. Again see examples). We have a separate subproject under development (no official release yet available), which will allow more authorization possibilities.
>
> Marek
>
>> Thanks
>> Prasad

From srossillo at smartling.com Wed Jan 13 17:43:32 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 13 Jan 2016 17:43:32 -0500
Subject: [keycloak-user] Login to keycloak from Android app
In-Reply-To: <5696877B.5070104@tesicnor.com>
References: <5696877B.5070104@tesicnor.com>
Message-ID: <08DE4EA0-E95B-4F1D-8BF1-A07A79153C23@smartling.com>

Looks like you're close. Did you make your Android client (in Keycloak) public or private? There's a slight difference in how the code to token request is invoked depending on this. Private clients must authenticate to the token endpoint with HTTP basic authentication; public clients set the client ID as a form parameter.

See: https://github.com/keycloak/keycloak/blob/1.7.x/integration/adapter-core/src/main/java/org/keycloak/adapters/authentication/ClientIdAndSecretCredentialsProvider.java#L38
See: https://github.com/keycloak/keycloak/blob/1.7.x/integration/admin-client/src/main/java/org/keycloak/admin/client/token/TokenManager.java#L51

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Jan 13, 2016, at 12:20 PM, Aritz Maeztu wrote:
>
> Hello everybody,
>
> I'm struggling to implement a keycloak login from my Android app. What I want to do is to simulate what a browser does (request a resource, be redirected to the keycloak login page and get an access token later on). From what I've seen of the OAuth2 protocol, I need to first get the authorization code and later on request the access token with that code. I wouldn't like my Android app to be registered as a client itself, so I've registered my web service as public.
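The code-to-token request as Scott describes it, written out as an added example (Python, not code from this thread or from Keycloak): the grant type is spelled `authorization_code`, the parameters travel in a form-encoded POST body rather than the query string, and a public client sends `client_id` in that body while a confidential client authenticates with HTTP Basic. The realm URL, client id, redirect URI and sample code are the values from Aritz's message; `client_secret` and the helper names are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

# Values taken from Aritz's message; the code is the sample one he pasted.
TOKEN_URL = "http://192.168.0.230:8080/auth/realms/master/protocol/openid-connect/token"
CLIENT_ID = "web_service"
REDIRECT_URI = "android://app"
SAMPLE_CODE = "bC8OM0TwfbhYouM34M3RY2aZRYTywXZVAvKFABgvVRc.693363de-d6b5-4f88-b545-c6603023ee4c"


def build_token_request(code, client_id, redirect_uri, token_url=TOKEN_URL, client_secret=None):
    """Build the POST to /openid-connect/token for the authorization-code grant.

    Public client (no secret): client_id goes in the form body.
    Confidential client (secret given): client_id:secret go in an HTTP Basic
    Authorization header and are not repeated in the body.
    """
    form = {
        "grant_type": "authorization_code",  # the thread's request had a typo here
        "code": code,
        # Must match the redirect_uri that was sent to /openid-connect/auth.
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        form["client_id"] = client_id
    else:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def basic_auth_header(client_id, client_secret):
    """RFC 7617 credentials for a confidential client."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_basic_header(value):
    """Inverse of basic_auth_header: returns (client_id, client_secret)."""
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    client_id, _, secret = base64.b64decode(encoded).decode().partition(":")
    return client_id, secret


def decode_form(request):
    """Parse the form body of a built Request back into a dict."""
    return dict(urllib.parse.parse_qsl(request.data.decode()))


def exchange_code(code, client_id, redirect_uri, client_secret=None):
    """Send the request and return the token response as a dict (needs the server)."""
    req = build_token_request(code, client_id, redirect_uri, client_secret=client_secret)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```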
From Mahantesh.Katti at Indecomm.net Wed Jan 13 21:12:43 2016
From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti)
Date: Thu, 14 Jan 2016 02:12:43 +0000
Subject: [keycloak-user] retrieving group membership info from LDAP/AD
In-Reply-To: <5696CA8B.40101@redhat.com>
References: <83FA22EE27AA7949A5F616D4DD6AF71E1640F1DC@INBLRMBX002.INDECOMM.LOCAL> <568A3F93.2050007@redhat.com> <83FA22EE27AA7949A5F616D4DD6AF71E16413655@INBLRMBX002.INDECOMM.LOCAL> <5696CA8B.40101@redhat.com>
Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E1641433E@INBLRMBX002.INDECOMM.LOCAL>

Thanks. Appreciate it.

-Prasad

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Thursday, January 14, 2016 3:37 AM
To: Mahantesh Prasad Katti; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] retrieving group membership info from LDAP/AD

From sthorger at redhat.com Thu Jan 14 02:56:39 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 14 Jan 2016 08:56:39 +0100
Subject: [keycloak-user] Client Id and Timeout

Once the client session is removed (it's deleted at some point after the login has timed out) the client id is no longer available. We have to delete this session at some point as otherwise we'd be left with garbage from abandoned logins.

On 13 January 2016 at 21:27, Travis De Silva wrote:

> For theming the login for different clients within a realm, we are conditionally checking for the client ID in the freemarker templates and then accordingly including sub freemarker templates. This is working perfectly but the issue is that for certain errors, such as "You took too long to login. Login process starting from beginning.", the clientId becomes null (sometimes).
>
> Is there anything I can do from the freemarker template to identify the client id so I can then accordingly handle these errors?

From sthorger at redhat.com Thu Jan 14 02:57:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 14 Jan 2016 08:57:31 +0100
Subject: [keycloak-user] Logging when in Impersonate mode
In-Reply-To: <5696B890.4000102@redhat.com>
References: <5696B204.3080203@redhat.com> <5696B890.4000102@redhat.com>

You can also enable log output for events, and also configure what events are logged.

On 13 January 2016 at 21:50, Bill Burke wrote:

> I'm sorry. It isn't logged to console, but IMPERSONATE is an event. You can filter and view it in the admin console, or even create a custom listener to listen for impersonate events. Currently, to have it logged in the log file, you'll have to turn on debug mode for events "org.keycloak.events". I think I may change this so it's logged. Currently only errors are logged to the log file.
>
> On 1/13/2016 3:22 PM, Bill Burke wrote:
>
>> It should be logged. Search for IMPERSONATE in your log file.
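Once DEBUG logging for "org.keycloak.events" is on, as Bill and Stian describe, the IMPERSONATE events land in the server log in the same key=value form as the LOGIN_ERROR line Andy pasted earlier in this digest. The following is an added example (Python, not code from the thread or from Keycloak) that parses those lines and pulls out the "user X is impersonating user Y" audit records Raj asked for. The log sample is constructed, and the detail key `impersonator` is an assumption about the listener's output.

```python
import re
from typing import Dict, List, Optional

# Prefix of an org.keycloak.events log line (timestamp, level, logger, thread);
# everything after it is a comma-separated list of key=value pairs.
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) +\[org\.keycloak\.events\] \((?P<thread>[^)]*)\) "
    r"(?P<fields>type=.*)$"
)

# Constructed sample: two IMPERSONATE events (only visible with DEBUG enabled for
# org.keycloak.events), the LOGIN_ERROR line quoted in this digest, and one
# unrelated server line. The 'impersonator' detail key is an assumption.
SAMPLE_LOG = """\
2016-01-13 16:47:56,012 DEBUG [org.keycloak.events] (default task-7) type=IMPERSONATE, realmId=master, clientId=security-admin-console, userId=2a1d9b2e-0000-4000-8000-0000000000aa, ipAddress=10.0.0.5, impersonator=user-x
2016-01-13 17:06:21,876 WARN [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=x.x.x.x, error=invalid_redirect_uri, response_type=code, redirect_uri=https://domain.foo/sso/admin/master/console/, response_mode=fragment
2016-01-13 17:10:02,441 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 9.0.2.Final started
2016-01-13 18:02:13,700 DEBUG [org.keycloak.events] (default task-9) type=IMPERSONATE, realmId=demo, clientId=security-admin-console, userId=7c4f0e11-0000-4000-8000-0000000000bb, ipAddress=10.0.0.9, impersonator=user-x
"""


def parse_event_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one Keycloak event log line into a dict; None if it is not one."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    event = {"timestamp": m.group("ts"), "level": m.group("level")}
    for field in m.group("fields").split(", "):
        key, sep, value = field.partition("=")  # split on the first '=' only
        if sep:
            event[key.strip()] = value.strip()
    return event


def find_impersonations(log_text: str) -> List[Dict[str, str]]:
    """Return every IMPERSONATE event in the log, in file order."""
    events = (parse_event_line(line) for line in log_text.splitlines())
    return [e for e in events if e and e.get("type") == "IMPERSONATE"]


def audit_message(event: Dict[str, str]) -> str:
    """Render one IMPERSONATE event in the one-line form Raj asked for."""
    who = event.get("impersonator", "<unknown>")
    return (f"{event['timestamp']} AUDIT realm={event.get('realmId')} "
            f"user {who} is impersonating user {event.get('userId')} "
            f"from {event.get('ipAddress')}")


def impersonations_by_actor(log_text: str) -> Dict[str, int]:
    """Count IMPERSONATE events per impersonator; a simple thing to alert on."""
    counts: Dict[str, int] = {}
    for e in find_impersonations(log_text):
        who = e.get("impersonator", "<unknown>")
        counts[who] = counts.get(who, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in find_impersonations(SAMPLE_LOG):
        print(audit_message(ev))
```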
From andyyar66 at gmail.com Thu Jan 14 03:19:40 2016
From: andyyar66 at gmail.com (Andy Yar)
Date: Thu, 14 Jan 2016 09:19:40 +0100
Subject: [keycloak-user] Behind a reverse proxy using context path

Oh, I am sorry. I overlooked the notice in the docs about the need to change the root context manually. The deployed Keycloak seems to be working smoothly now. I shall create issues for both problems I encountered. Thanks a lot for your support.

On Wed, Jan 13, 2016 at 7:24 PM, Stian Thorgersen wrote:

> The clients are created with the initial context path. If you change the context path you currently have to manually go to the admin console and change it first. Both issues you've encountered are not ideal and you can create jira issues for those.
>
> On 13 January 2016 at 17:18, Andy Yar wrote:
>
>> OK, I forgot to mention I used to have Keycloak set to run on the root context. So I removed the root context mapping, set the "standalone.xml" to "sso" and customized the nginx settings accordingly.

From hpeng at redhat.com Thu Jan 14 03:55:05 2016
From: hpeng at redhat.com (JasonPeng)
Date: Thu, 14 Jan 2016 16:55:05 +0800
Subject: [keycloak-user] How to correctly use REST API? delete user through REST API for example

Hi Thomas,

Thanks for the recommendation. However, I bumped into some classloader issue when I tried it on my EAP 6.4 + Keycloak 1.1.7.Final environment. I keep getting the class not found error against the RESTEasy client, "java.lang.NoClassDefFoundError: org/jboss/resteasy/client/jaxrs/ResteasyClientBuilder", although I'd set up my jboss-deployment-structure.xml in my project under /WEB-INF/. The setting is like below:

Thank you and best regards,

Jason Peng
Solution Architect, Taiwan
Red Hat Limited
TEL: +886-2-7743-2972
FAX: +886-2-7743-2974
Mobile: +886-988-836-827
EMAIL: hpeng at redhat.com

From: Thomas Darimont
Date: Wednesday, January 13, 2016 at 3:26 AM
To: JasonMacAir
Cc: keycloak-user
Subject: Re: [keycloak-user] How to correctly use REST API? delete user through REST API for example

Hi Jason,

do you really need to use the raw REST API or would it be an option to use the keycloak-admin-client API?
here is an example for creating and deleting a user via the admin-client API: package de.tdlabs.training.keycloak; import static java.util.Arrays.asList; import javax.ws.rs.core.Response; import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder; import org.keycloak.admin.client.Keycloak; import org.keycloak.admin.client.KeycloakBuilder; import org.keycloak.representations.idm.CredentialRepresentation; import org.keycloak.representations.idm.UserRepresentation; public class KeycloakAdminClientExample { public static void main(String[] args) throws Exception { Keycloak kc = KeycloakBuilder.builder() // .serverUrl("http://localhost:8081/auth") // .realm("rest-example")// .username("rest-user-admin") // .password("password") // .clientId("admin-cli") // .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()) // .build(); CredentialRepresentation credential = new CredentialRepresentation(); credential.setType(CredentialRepresentation.PASSWORD); credential.setValue("test123"); credential.setTemporary(false); UserRepresentation user = new UserRepresentation(); user.setUsername("testuser"); user.setFirstName("Test"); user.setLastName("User"); user.setCredentials(asList(credential)); user.setEnabled(true); user.setRealmRoles(asList("admin")); // Create testuser Response result = kc.realm("rest-example").users().create(user); if (result.getStatus() != 201) { System.err.println("Couldn't create user."); System.exit(0); } System.out.println("Testuser created.... 
verify in keycloak!"); System.out.println("Press any key..."); System.in.read(); // Delete testuser String locationHeader = result.getHeaderString("Location"); String userId = locationHeader.replaceAll(".*/(.*)$", "$1"); kc.realm("rest-example").users().get(userId).remove(); } } https://gist.github.com/thomasdarimont/43689aefb37540624e35 Cheers, Thomas 2016-01-12 19:05 GMT+01:00 JasonPeng : > Hi there, > > Can someone give me some hint about how to correctly setup a client that can > accept REST request from a httpclient in keycloak? > For example, I use the admin-access example from keycloak source project and > modify it to do a DELETE action through REST API, however I keep getting the > request Forbidden 403 from keycloak server. I don?t change any setting of the > admin-client imported from the json file and my code snippet of deleting user > as below: > > public static void deleteUser(HttpServletRequest request, AccessTokenResponse > res) throws Failure { > HttpClient client = new DefaultHttpClient(); > String userId = "e20277f8-2ebe-4e5e-aa00-0cee9c578249"; > try { > HttpDelete delete = new HttpDelete(getBaseUrl(request) + > "/admin/realms/demo/users/" + userId); > delete.addHeader("Authorization", "Bearer " + res.getToken()); > HttpResponse response = client.execute(delete); > System.out.println(response.getStatusLine().getReasonPhrase()); > if (response.getStatusLine().getStatusCode() != 200) { > throw new Failure(response.getStatusLine().getStatusCode()); > } > HttpEntity entity = response.getEntity(); > InputStream is = entity.getContent(); > if (is != null) > is.close(); > } catch (IOException e) { > throw new RuntimeException(e); > } finally { > client.getConnectionManager().shutdown(); > } > } > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
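The two snippets in this message drive the same admin endpoints from opposite directions: Thomas's admin-client code reads the new user's id out of the Location header of the 201 response, and Jason's raw HTTP delete checks the status code by hand. The Python helpers below are an added example, not code from the thread or from Keycloak; they show the checks a caller of the raw admin REST API should make before and after such a call: validate the Location header's origin before trusting the id in it, expect 204 (not 200) from a user DELETE, and, when a 403 comes back, inspect the token's resource_access claim for the realm-management role the call needs (manage-users). The base URL, realm and user id are the ones quoted in the thread; the sample token is constructed and unsigned, and the hint texts are the example's own wording.

```python
"""Client-side checks around Keycloak admin REST calls (added example, not Keycloak code).

Assumptions not taken from the thread: user ids are UUIDs, and user create/delete
is gated by the "manage-users" role of the realm-management client.
"""
import base64
import json
import urllib.request
from urllib.parse import urlsplit
from uuid import UUID

# Status code a successful call returns, per admin operation.
EXPECTED_STATUS = {"create_user": 201, "delete_user": 204}


def user_id_from_location(location, admin_base_url):
    """Return the new user's id from the Location header of a 201 Created response.

    The header looks like <base>/admin/realms/<realm>/users/<uuid>. Its origin must
    match the admin base URL we talked to, and the last path segment must be a UUID;
    anything else raises ValueError instead of being used in a follow-up request.
    """
    loc, base = urlsplit(location), urlsplit(admin_base_url)
    if (loc.scheme, loc.netloc) != (base.scheme, base.netloc):
        raise ValueError("Location header points at a different origin: %s" % location)
    user_id = loc.path.rstrip("/").rsplit("/", 1)[-1]
    UUID(user_id)  # raises ValueError if the segment is not a UUID
    return user_id


def build_delete_user_request(admin_base_url, realm, user_id, access_token):
    """Build (without sending) the DELETE request for one user, bearer token attached."""
    url = "%s/admin/realms/%s/users/%s" % (admin_base_url.rstrip("/"), realm, user_id)
    req = urllib.request.Request(url, method="DELETE")
    req.add_header("Authorization", "Bearer " + access_token)
    return req


def explain_status(operation, status):
    """Map an HTTP status to (success, explanation) for one admin operation."""
    expected = EXPECTED_STATUS[operation]
    if status == expected:
        return True, "%s succeeded (%d)" % (operation, status)
    hints = {
        401: "no token, or the token was rejected (expired, wrong realm or bad signature)",
        403: "token accepted but it lacks the realm-management role this call requires",
        404: "realm or user does not exist",
        409: "conflict, e.g. the username or email already exists",
    }
    return False, "%s failed with %d: %s" % (operation, status, hints.get(status, "unexpected status"))


def token_claims(access_token):
    """Decode the JWT payload of an access token WITHOUT verifying its signature.

    Fine for inspecting your own token while debugging a 403; never use it to make
    an authorization decision, which belongs to the resource server after signature checks.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def has_client_role(claims, client_id, role):
    """True if the token carries <role> for <client_id> in its resource_access claim."""
    return role in claims.get("resource_access", {}).get(client_id, {}).get("roles", [])


def make_sample_token(claims):
    """Constructed sample input only: an unsigned token shape used to exercise token_claims."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return "%s.%s." % (b64({"alg": "none", "typ": "JWT"}), b64(claims))


if __name__ == "__main__":
    base = "http://localhost:8081/auth"
    location = base + "/admin/realms/rest-example/users/e20277f8-2ebe-4e5e-aa00-0cee9c578249"
    uid = user_id_from_location(location, base)
    # A token holding only view-users: the DELETE would come back 403.
    tok = make_sample_token({"resource_access": {"realm-management": {"roles": ["view-users"]}}})
    req = build_delete_user_request(base, "rest-example", uid, tok)
    print(req.get_method(), req.full_url)
    print(explain_status("delete_user", 403))
    print("manage-users present:", has_client_role(token_claims(tok), "realm-management", "manage-users"))
```

Run it as a script to see the request that would be sent and the diagnosis for a 403; in a real integration the token comes from the adapter's AccessTokenResponse (as in Jason's snippet), and the status check replaces his `!= 200` test.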
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/d62c8213/attachment.html From sthorger at redhat.com Thu Jan 14 04:00:46 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 14 Jan 2016 10:00:46 +0100 Subject: [keycloak-user] How to correctly use REST API? delete user through REST API for example In-Reply-To: References: Message-ID: EAP 6.4 has an old version of RestEasy without the RestEasy client. Easiest option is probably to just include newer RestEasy jars in your WAR. On 14 January 2016 at 09:55, JasonPeng wrote: > Hi Thomas, > > Thank?s for the recommendation. However, I bumped into some clossloader > issue when I tried it on my EAP 6.4+ Keycloak 1.1.7.Final environment. > > I keep get the class not found error against RestEasy Client, > "java.lang.NoClassDefFoundError: > org/jboss/resteasy/client/jaxrs/ResteasyClientBuilder?. Although I?d setup > my jboss-deployment-structure.xml in my project under /WEB-INF/. The > setting is like below: > > > > > services="import"/> > > > > > > Thank you and best regards, > ? > Jason Peng > Solution Architect, Taiwan > Ret Hat Limited > TEL: +886-2-7743-2972 > FAX: +886-2-7743-2974 > Mobile: +886-988-836-827 > EMAIL: hpeng at redhat.com > > > > > From: Thomas Darimont > Date: Wednesday, January 13, 2016 at 3:26 AM > To: JasonMacAir > Cc: keycloak-user > Subject: Re: [keycloak-user] How to correctly use REST API? delete user > through REST API for example > > Hi Jason, > > do you really need to use the raw REST API or would it be an option to use > the keycloak-admin-client API? 
> > here is an example for creating and deleting a user via the admin-client > API: > > package de.tdlabs.training.keycloak; > > import static java.util.Arrays.asList; > > import javax.ws.rs.core.Response; > > import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder; > import org.keycloak.admin.client.Keycloak; > import org.keycloak.admin.client.KeycloakBuilder; > import org.keycloak.representations.idm.CredentialRepresentation; > import org.keycloak.representations.idm.UserRepresentation; > > public class KeycloakAdminClientExample { > > public static void main(String[] args) throws Exception { > > Keycloak kc = KeycloakBuilder.builder() // > .serverUrl("http://localhost:8081/auth") // > .realm("rest-example")// > .username("rest-user-admin") // > .password("password") // > .clientId("admin-cli") // > .resteasyClient(new > ResteasyClientBuilder().connectionPoolSize(10).build()) // > .build(); > > CredentialRepresentation credential = new CredentialRepresentation(); > credential.setType(CredentialRepresentation.PASSWORD); > credential.setValue("test123"); > credential.setTemporary(false); > > UserRepresentation user = new UserRepresentation(); > user.setUsername("testuser"); > user.setFirstName("Test"); > user.setLastName("User"); > user.setCredentials(asList(credential)); > user.setEnabled(true); > user.setRealmRoles(asList("admin")); > > // Create testuser > Response result = kc.realm("rest-example").users().create(user); > if (result.getStatus() != 201) { > System.err.println("Couldn't create user."); > System.exit(0); > } > System.out.println("Testuser created.... 
verify in keycloak!"); > > System.out.println("Press any key..."); > System.in.read(); > > // Delete testuser > String locationHeader = result.getHeaderString("Location"); > String userId = locationHeader.replaceAll(".*/(.*)$", "$1"); > kc.realm("rest-example").users().get(userId).remove(); > } > } > > > https://gist.github.com/thomasdarimont/43689aefb37540624e35 > > Cheers, > Thomas > > 2016-01-12 19:05 GMT+01:00 JasonPeng : > >> Hi there, >> >> Can someone give me some hint about how to correctly setup a client that >> can accept REST request from a httpclient in keycloak? >> For example, I use the admin-access example from keycloak source project >> and modify it to do a DELETE action through REST API, however I keep >> getting the request Forbidden 403 from keycloak server. I don?t change any >> setting of the admin-client imported from the json file and my code snippet >> of deleting user as below: >> >> public static void deleteUser(HttpServletRequest request, >> AccessTokenResponse res) throws Failure { >> HttpClient client = new DefaultHttpClient(); >> String userId = "e20277f8-2ebe-4e5e-aa00-0cee9c578249"; >> try { >> HttpDelete delete = new HttpDelete(getBaseUrl(request) + >> "/admin/realms/demo/users/" + userId); >> delete.addHeader("Authorization", "Bearer " + res.getToken()); >> HttpResponse response = client.execute(delete); >> System.out.println(response.getStatusLine().getReasonPhrase()); >> if (response.getStatusLine().getStatusCode() != 200) { >> throw new Failure(response.getStatusLine().getStatusCode()); >> } >> HttpEntity entity = response.getEntity(); >> InputStream is = entity.getContent(); >> if (is != null) >> is.close(); >> } catch (IOException e) { >> throw new RuntimeException(e); >> } finally { >> client.getConnectionManager().shutdown(); >> } >> } >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > 
_______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/62e99081/attachment-0001.html From mstrukel at redhat.com Thu Jan 14 05:08:47 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Thu, 14 Jan 2016 11:08:47 +0100 Subject: [keycloak-user] Login to keycloak from Android app In-Reply-To: <5696877B.5070104@tesicnor.com> References: <5696877B.5070104@tesicnor.com> Message-ID: On Wed, Jan 13, 2016 at 6:20 PM, Aritz Maeztu wrote: > > ResponseEntity rssResponse = template.exchange( > "http://192.168.0.230:8080/auth/realms/master/protocol/" > + > > "openid-connect/token?grant_type=authoritation_code&client_id=web_service&code="+accessCode, > HttpMethod.POST, > null, > Object.class); > > It also looks like you have a typo in your URL. It should be: grant_type=authorization_code. And also I would suggest not to use master realm for your app, but create a new realm. Even for development. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/6717ad28/attachment.html From jayblanc at gmail.com Thu Jan 14 06:20:53 2016 From: jayblanc at gmail.com (=?UTF-8?B?SsOpcsO0bWUgQmxhbmNoYXJk?=) Date: Thu, 14 Jan 2016 11:20:53 +0000 Subject: [keycloak-user] Problem using SAML IdP In-Reply-To: References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> Message-ID: Hi all, According to shibboleth specification, IdP of a federation usually use transient NameID which makes Shibboleth impossible to interface with keycloak, even if we manage the Discovery Service externally in order to maintain IdP list mapping between federation and keycloak. 
It's really annoying for me and I'm trying to investigate a way to solve this problem.
In my federation, some docs say that if you need to manage personal user information in your application, you have to rely on a dedicated attribute in order to retrieve the real user id and not the transient opaque one. In this case, an attribute called eduPersonTargetedID exists and can be used by Shibboleth.
I am trying to patch the SAML broker in order to take this attribute into consideration in a kind of attributeToNameIdMapper, but I have to admit that I'm a bit lost in the code.
Do you think this approach is good?

Best regards, Jérôme.

On Wed. 6 Jan. 2016 at 09:31, Jérôme Blanchard wrote:
> Hi Bill, all,
>
> In the case of a transient-only nameid, would it be possible to create a
> dedicated attribute mapper in order to use for example the email attribute
> as name identifier?
>
> PS: the urn:mace:shibboleth:1.0:nameIdentifier is in fact used in SAML v1
> for requesting a nameid that is transient also... so there is no solution in
> this way.
>
> Best regards, Jérôme.
>
> On Tue. 5 Jan. 2016 at 16:13, Bill Burke wrote:
>
>> We won't be able to support temporary ids (transient) for a while as it
>> requires temporary user creation which requires some rearchitecting.
>>
>> As for "urn:mace:shibboleth:1.0:nameIdentifier", if you spec it out in a
>> JIRA and it is simple enough to implement support for, we may be able to
>> get it in.
>>
>> On 1/5/2016 8:18 AM, Jérôme Blanchard wrote:
>> > Hi Bill,
>> >
>> > Thanks for your answer regarding transient and temporary ids. I
>> > understand the problem due to keycloak account creation and binding to
>> > the IdP.
>> > Renater is using Shibboleth; is there any work on Shibboleth
>> > integration for keycloak?
>> > If I look into the idps entities descriptors of renater, I found that it >> > uses also another nameid format based on shibboleth namesapce : >> > >> urn:mace:shibboleth:1.0:nameIdentifier >> > >> urn:oasis:names:tc:SAML:2.0:nameid-format:transient >> > >> > Do you think it is possible to patch the saml idp provider (or to create >> > another one dedicated to shibboleth) in order to integrate keycloak to >> > our identity federation (renater) ? >> > >> > Best whiches for this upcoming year and thanks for your great work >> > around keycloak. >> > >> > J?r?me. >> > >> > >> > Le mar. 22 d?c. 2015 ? 21:10, Bill Burke > > > a ?crit : >> > >> > Our brokering doesn't support temporary user ids from the "parent" >> IDP. >> > Transient Ids in SAML or temporary ids. >> > >> > On 12/22/2015 11:46 AM, J?r?me Blanchard wrote: >> > > Hi, >> > > >> > > I'm trying to integrate keycloak into a the french research >> > federation >> > > of identity (renater) and I'm facing some problems. >> > > Actually, when IdP respond to keycloak i'm getting the following >> > error : >> > > PL00084: Writer: Unsupported Attribute >> > > Value:org.keycloak.dom.saml.v2.assertion.NameIDType >> > > >> > > It seems that this IdP is using transient NameID policy only and >> > using >> > > the unspecified field in the idp config in keycloak generate this >> > > exception as a return. >> > > >> > > Log of the keycloak server is joined. >> > > >> > > I have no idea of what happening because when I was using the >> test >> > > federation, everything was working but no I'm in the production >> > > federation, login fails. >> > > >> > > The renater federation is using Shibolleth and keycloak is not >> > supported >> > > by federation moderators so I'm alone in the dark now... >> > > >> > > Renater provides an IdP list that I have to parse and >> > synchronized with >> > > IdP in keycloak. 
As a return I provide a list of all endpoints >> > for each >> > > keycloak registered IdP to allow federation IdP to answear >> > correctly to >> > > the right endpoint. All of this is done by a small web app >> deployed >> > > aside keycloak and using REST API to synchronize all the IdP. >> > > >> > > One of the IdP entity descriptor is joined. As you can see, only >> > > transient nameid policy is supported and if I configure keycloak >> > to use >> > > email or persistent, I received a response saying that the nameid >> > is not >> > > supported : >> > > >> > > > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >> > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" >> > > >> > AssertionConsumerServiceURL=" >> https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint >> " >> > > Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" >> > > ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" >> > > IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z" >> > > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" >> > > Version="2.0">> > > >> > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> >> https://demo-auth.ortolang.fr/auth/realms/ortolang >> > > > AllowCreate="true" >> > > >> > >> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/> >> > > >> > > >> > > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" >> > > >> > Destination=" >> https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint >> " >> > > ID="_9d03761957aade819b6823c35bbab278" >> > > InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" >> > > IssueInstant="2015-12-22T16:13:16.420Z" >> Version="2.0">> > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >> > > >> > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> >> https://janus.cnrs.fr/idp> > > >> > >> Value="urn:oasis:names:tc:SAML:2.0:status:Responder">> > > >> > >> 
Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>Required >> > > NameID format not >> > > >> supported >> > > >> > > >> > > Any help would be gracefully appreciated. >> > > >> > > Thanks a lot, J?r?me. >> > > >> > > >> > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org > keycloak-user at lists.jboss.org> >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > >> > -- >> > Bill Burke >> > JBoss, a division of Red Hat >> > http://bill.burkecentral.com >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org > > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/e862cc57/attachment.html From lkrzyzan at redhat.com Thu Jan 14 07:37:54 2016 From: lkrzyzan at redhat.com (Libor Krzyzanek) Date: Thu, 14 Jan 2016 13:37:54 +0100 Subject: [keycloak-user] [keycloak-dev] Keycloak 1.8.0.CR1 Released In-Reply-To: References: Message-ID: <16B84D00-B232-4570-BC3A-6437673929F1@redhat.com> Appreciated the CR1 ! here is small improvement for Realm Display Name: https://issues.jboss.org/browse/KEYCLOAK-2313 Thanks, Libor Krzy?anek jboss.org Development Team > On Jan 13, 2016, at 11:52 AM, Stian Thorgersen wrote: > > Realm Display Name - a display name has been added to realms, which makes it possible to set a human readable name to be shown on login screens, emails, etc. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/83cae024/attachment-0001.html From sthorger at redhat.com Thu Jan 14 08:00:39 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 14 Jan 2016 14:00:39 +0100 Subject: [keycloak-user] [keycloak-dev] Keycloak 1.8.0.CR1 Released In-Reply-To: <16B84D00-B232-4570-BC3A-6437673929F1@redhat.com> References: <16B84D00-B232-4570-BC3A-6437673929F1@redhat.com> Message-ID: Do you need that for 1.8.Final or is it ok if we add it to 1.9? On 14 January 2016 at 13:37, Libor Krzyzanek wrote: > Appreciated the CR1 ! > > here is small improvement for Realm Display Name: > https://issues.jboss.org/browse/KEYCLOAK-2313 > > Thanks, > > Libor Krzy?anek > jboss.org Development Team > > On Jan 13, 2016, at 11:52 AM, Stian Thorgersen > wrote: > > > - *Realm Display Name* - a display name has been added to realms, > which makes it possible to set a human readable name to be shown on login > screens, emails, etc. > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/a16ad7d3/attachment.html From helder.jaspion at gmail.com Thu Jan 14 08:31:21 2016 From: helder.jaspion at gmail.com (Helder dos S. Alves) Date: Thu, 14 Jan 2016 11:31:21 -0200 Subject: [keycloak-user] Property name not translated Message-ID: Hi. The "Account Already Exists" page is not translated correctly. The message: federatedIdentityConfirmLinkMessage=User with {0} {1} already exists. How do you want to continue? The {0} comes with the property name (email). The property name should come translated. Example: "E-mail" in portuguese and german, "Courriel" in french. Regards. Helder S. Alves -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/366d29ac/attachment.html From sthorger at redhat.com Thu Jan 14 08:40:29 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 14 Jan 2016 14:40:29 +0100 Subject: [keycloak-user] Property name not translated In-Reply-To: References: Message-ID: Feel free to create a JIRA issue. The core Keycloak team only maintains the English translation. All other translations has to be maintained by community. On 14 January 2016 at 14:31, Helder dos S. Alves wrote: > Hi. > > The "Account Already Exists" page is not translated correctly. > The message: > federatedIdentityConfirmLinkMessage=User with {0} {1} already exists. How > do you want to continue? > > The {0} comes with the property name (email). > The property name should come translated. Example: "E-mail" in portuguese > and german, "Courriel" in french. > > > Regards. > > Helder S. Alves > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/f1a4d919/attachment.html From bburke at redhat.com Thu Jan 14 09:23:35 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 14 Jan 2016 09:23:35 -0500 Subject: [keycloak-user] Problem using SAML IdP In-Reply-To: References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> Message-ID: <5697AF67.50008@redhat.com> Shibboleth only supports transient name ids? I find that hard to believe. Remember Keycloak would just look like any other client. IMO you should go that route. Also though, I think you might be able to write a Broker Mapper, take a look at UsernameTemplateMapper. This SPI is undocumented and unsupported at the moment, but I hope to change that soon. 
On 1/14/2016 6:20 AM, J?r?me Blanchard wrote: > Hi all, > > According to shibboleth specification, IdP of a federation usually use > transient NameID which makes Shibboleth impossible to interface with > keycloak, even if we manage the Discovery Service externally in order > to maintain IdP list mapping between federation and keycloak. > It's really annoying for me and I'm trying to investigate a way to > solve this problem. > In my federation, some doc say that if you need to manage personnal > user information in your application, you have to rely on a dedicated > attribute in order to retreive real user id and not the transient > opaque one. In this case, an attribute called eduPersoneTargetedId > exists and can be use by shibboleth. > I am trying to patch the saml broker in order to take into > consideration this attribute in a kind of attributeToNameIdMapper but > I have to admit that I'm lost a bit in the code. > Do you think this approach is good ? > > Best regards, J?r?me. > > > Le mer. 6 janv. 2016 ? 09:31, J?r?me Blanchard > a ?crit : > > Hi Bill, all, > > In the case of a transient only nameid, would it be possible to > create a dedicated attribute mapper in order to use for exemple > the email attribute as name identifier ? > > PS : the urn:mace:shibboleth:1.0:nameIdentifier is in fact use in > SAML v1 for request a nameid that is transient also... so there is > no solution in this way. > > Best regards, J?r?me. > > Le mar. 5 janv. 2016 ? 16:13, Bill Burke > a ?crit : > > We won't be able to support temporary ids (transient) for > awhile as it > requires temporary user creation which requires some > rearchitecting. > > As for "urn:mace:shibboleth:1.0:nameIdentifier" if you spec it > out in a > JIRA and it is simple enough to implement support for, we may > be able to > get it in. > > On 1/5/2016 8:18 AM, J?r?me Blanchard wrote: > > Hi Bill, > > > > Thanks for your answer regarding transient and temporary ids. 
I > > understand the problem due to keycloak account creation and > binding to > > the IdP. > > Renarter is using Shibboleth ; Is there is any work on > shibboleth > > integration for keycloak ? > > If I look into the idps entities descriptors of renater, I > found that it > > uses also another nameid format based on shibboleth namesapce : > > > urn:mace:shibboleth:1.0:nameIdentifier > > > urn:oasis:names:tc:SAML:2.0:nameid-format:transient > > > > Do you think it is possible to patch the saml idp provider > (or to create > > another one dedicated to shibboleth) in order to integrate > keycloak to > > our identity federation (renater) ? > > > > Best whiches for this upcoming year and thanks for your > great work > > around keycloak. > > > > J?r?me. > > > > > > Le mar. 22 d?c. 2015 ? 21:10, Bill Burke > > >> a ?crit : > > > > Our brokering doesn't support temporary user ids from > the "parent" IDP. > > Transient Ids in SAML or temporary ids. > > > > On 12/22/2015 11:46 AM, J?r?me Blanchard wrote: > > > Hi, > > > > > > I'm trying to integrate keycloak into a the french > research > > federation > > > of identity (renater) and I'm facing some problems. > > > Actually, when IdP respond to keycloak i'm getting > the following > > error : > > > PL00084: Writer: Unsupported Attribute > > > Value:org.keycloak.dom.saml.v2.assertion.NameIDType > > > > > > It seems that this IdP is using transient NameID > policy only and > > using > > > the unspecified field in the idp config in keycloak > generate this > > > exception as a return. > > > > > > Log of the keycloak server is joined. > > > > > > I have no idea of what happening because when I was > using the test > > > federation, everything was working but no I'm in the > production > > > federation, login fails. > > > > > > The renater federation is using Shibolleth and > keycloak is not > > supported > > > by federation moderators so I'm alone in the dark now... 
> > > > > > Renater provides an IdP list that I have to parse and > > synchronized with > > > IdP in keycloak. As a return I provide a list of all > endpoints > > for each > > > keycloak registered IdP to allow federation IdP to > answear > > correctly to > > > the right endpoint. All of this is done by a small > web app deployed > > > aside keycloak and using REST API to synchronize all > the IdP. > > > > > > One of the IdP entity descriptor is joined. As you > can see, only > > > transient nameid policy is supported and if I > configure keycloak > > to use > > > email or persistent, I received a response saying > that the nameid > > is not > > > supported : > > > > > > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" > > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" > > > > > > AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" > > > > Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" > > > ForceAuthn="false" > ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" > > > IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z" > > > > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" > > > Version="2.0"> > > > > > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang > > AllowCreate="true" > > > > > > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/> > > > > > > > > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > > > > > > Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" > > > ID="_9d03761957aade819b6823c35bbab278" > > > InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" > > > IssueInstant="2015-12-22T16:13:16.420Z" > Version="2.0"> > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > > > > > > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp > > > > > 
> > > Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
> > > Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>Required
> > > NameID format not
> > > supported
> > >
> > > Any help would be gracefully appreciated.
> > >
> > > Thanks a lot, Jérôme.
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/63418529/attachment-0001.html

From jayblanc at gmail.com Thu Jan 14 09:37:27 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Thu, 14 Jan 2016 14:37:27 +0000
Subject: [keycloak-user] Problem using SAML IdP
In-Reply-To: <5697AF67.50008@redhat.com>
References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> <5697AF67.50008@redhat.com>
Message-ID:

Thanks for your answer.

In fact Shibboleth supports other SAML nameids, but in the renater federation it only contains transient nameid. Here is a part of their doc (sorry it's in French):

Using opaque user identifiers
See the description of eduPersonTargetedID
Your application may need to handle user identifiers whose value is stable from one session to the next, for example to manage user preferences. However, for personal data protection reasons, identity providers cannot pass the users' identifiers on to you. In that case, you can ask the identity providers to send you stable but opaque identifiers, called *eduPersonTargetedID*. You will have to configure the *AAP.xml* file of your Shibboleth service provider as shown below:

The attribute will be available to the application in the HTTP header *HTTP_SHIB_TARGETEDID* (with Shibboleth 1.3).
The format of the eduPersonTargetedID is the following:
IdP_identifier*!*SP_identifier*!*user_identifier

According to their doc, nameids are session based and not user based, so if you want a stable identifier, you have to ask for the eduPersonTargetedID attribute!!
I'm going to have a look at UsernameTemplateMapper.

Thanks again, Jérôme.

On Thu. 14 Jan. 2016 at 15:23, Bill Burke wrote:
> Shibboleth only supports transient name ids? I find that hard to
> believe. Remember Keycloak would just look like any other client. IMO you
> should go that route.
>
> Also though, I think you might be able to write a Broker Mapper, take a
> look at UsernameTemplateMapper. This SPI is undocumented and unsupported
> at the moment, but I hope to change that soon.
>
>
> On 1/14/2016 6:20 AM, Jérôme Blanchard wrote:
>
> Hi all,
>
> According to shibboleth specification, IdP of a federation usually use
> transient NameID which makes Shibboleth impossible to interface with
> keycloak, even if we manage the Discovery Service externally in order to
> maintain IdP list mapping between federation and keycloak.
> It's really annoying for me and I'm trying to investigate a way to solve
> this problem.
> In my federation, some docs say that if you need to manage personal user
> information in your application, you have to rely on a dedicated attribute
> in order to retrieve the real user id and not the transient opaque one.
In this > case, an attribute called eduPersoneTargetedId exists and can be use by > shibboleth. > I am trying to patch the saml broker in order to take into consideration > this attribute in a kind of attributeToNameIdMapper but I have to admit > that I'm lost a bit in the code. > Do you think this approach is good ? > > Best regards, J?r?me. > > > Le mer. 6 janv. 2016 ? 09:31, J?r?me Blanchard a > ?crit : > >> Hi Bill, all, >> >> In the case of a transient only nameid, would it be possible to create a >> dedicated attribute mapper in order to use for exemple the email attribute >> as name identifier ? >> >> PS : the urn:mace:shibboleth:1.0:nameIdentifier is in fact use in SAML v1 >> for request a nameid that is transient also... so there is no solution in >> this way. >> >> Best regards, J?r?me. >> >> Le mar. 5 janv. 2016 ? 16:13, Bill Burke a ?crit : >> >>> We won't be able to support temporary ids (transient) for awhile as it >>> requires temporary user creation which requires some rearchitecting. >>> >>> As for "urn:mace:shibboleth:1.0:nameIdentifier" if you spec it out in a >>> JIRA and it is simple enough to implement support for, we may be able to >>> get it in. >>> >>> On 1/5/2016 8:18 AM, J?r?me Blanchard wrote: >>> > Hi Bill, >>> > >>> > Thanks for your answer regarding transient and temporary ids. I >>> > understand the problem due to keycloak account creation and binding to >>> > the IdP. >>> > Renarter is using Shibboleth ; Is there is any work on shibboleth >>> > integration for keycloak ? 
>>> > If I look into the IdP entity descriptors of Renater, I found that it
>>> > also uses another NameID format based on the Shibboleth namespace:
>>> >
>>> > urn:mace:shibboleth:1.0:nameIdentifier
>>> >
>>> > urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>>> >
>>> > Do you think it is possible to patch the SAML IdP provider (or to create
>>> > another one dedicated to Shibboleth) in order to integrate Keycloak into
>>> > our identity federation (Renater)?
>>> >
>>> > Best wishes for this upcoming year and thanks for your great work
>>> > around Keycloak.
>>> >
>>> > Jérôme.
>>> >
>>> >
>>> > On Tue, 22 Dec 2015 at 21:10, Bill Burke wrote:
>>> >
>>> > Our brokering doesn't support temporary user ids from the "parent" IDP.
>>> > Transient Ids in SAML or temporary ids.
>>> >
>>> > On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:
>>> > > Hi,
>>> > >
>>> > > I'm trying to integrate Keycloak into the French research identity
>>> > > federation (Renater) and I'm facing some problems.
>>> > > Actually, when the IdP responds to Keycloak I'm getting the following
>>> > > error:
>>> > > PL00084: Writer: Unsupported Attribute
>>> > > Value:org.keycloak.dom.saml.v2.assertion.NameIDType
>>> > >
>>> > > It seems that this IdP is using the transient NameID policy only and
>>> > > using the unspecified field in the IdP config in Keycloak generates this
>>> > > exception as a return.
>>> > >
>>> > > The log of the Keycloak server is attached.
>>> > >
>>> > > I have no idea of what is happening because when I was using the test
>>> > > federation, everything was working, but now I'm in the production
>>> > > federation, login fails.
>>> > >
>>> > > The Renater federation is using Shibboleth and Keycloak is not
>>> > > supported by federation moderators so I'm alone in the dark now...
>>> > >
>>> > > Renater provides an IdP list that I have to parse and
>>> > > synchronize with IdPs in Keycloak.
>>> > > As a return I provide a list of all endpoints for each
>>> > > Keycloak-registered IdP to allow the federation IdPs to answer
>>> > > correctly to the right endpoint. All of this is done by a small web app
>>> > > deployed beside Keycloak and using the REST API to synchronize all the IdPs.
>>> > >
>>> > > One of the IdP entity descriptors is attached. As you can see, only
>>> > > the transient NameID policy is supported and if I configure Keycloak to use
>>> > > email or persistent, I received a response saying that the NameID is not
>>> > > supported:
>>> > >
>>> > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>> > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>>> > > AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>> > > Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
>>> > > ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>> > > IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
>>> > > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>> > > Version="2.0">
>>> > > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
>>> > > https://demo-auth.ortolang.fr/auth/realms/ortolang
>>> > > AllowCreate="true"
>>> > > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
>>> > >
>>> > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>> > > Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>> > > ID="_9d03761957aade819b6823c35bbab278"
>>> > > InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>> > > IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
>>> > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>> > > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
>>> > > https://janus.cnrs.fr/idp
>>> > > Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
>>> > > Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
>>> > > Required NameID format not supported
>>> > >
>>> > > Any help would be gratefully appreciated.
>>> > >
>>> > > Thanks a lot, Jérôme.
>>> > >
>>> > > _______________________________________________
>>> > > keycloak-user mailing list
>>> > > keycloak-user at lists.jboss.org
>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> > --
>>> > Bill Burke
>>> > JBoss, a division of Red Hat
>>> > http://bill.burkecentral.com
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/5f2b1a87/attachment-0001.html

From lkrzyzan at redhat.com Thu Jan 14 09:38:50 2016
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Thu, 14 Jan 2016 15:38:50 +0100
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.8.0.CR1 Released
In-Reply-To:
References: <16B84D00-B232-4570-BC3A-6437673929F1@redhat.com>
Message-ID: <5C18173E-96F8-4AC2-8C2A-ED78FA8B8079@redhat.com>

It's a small feature so I can live without it; however 1.9 would not be easy to do because of the upgrade to EAP 7 (it's complicated for us because we depend on other backend Java libraries which exist only for EAP 6 right now).

In other words it's not a blocker for the 1.8.Final release for sure but nice to have.
Thanks,

Libor Krzyžanek
jboss.org Development Team

> On Jan 14, 2016, at 2:00 PM, Stian Thorgersen wrote:
>
> Do you need that for 1.8.Final or is it ok if we add it to 1.9?
>
> On 14 January 2016 at 13:37, Libor Krzyzanek wrote:
> Appreciated the CR1 !
>
> here is small improvement for Realm Display Name: https://issues.jboss.org/browse/KEYCLOAK-2313
>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team
>
>> On Jan 13, 2016, at 11:52 AM, Stian Thorgersen wrote:
>>
>> Realm Display Name - a display name has been added to realms, which makes it possible to set a human readable name to be shown on login screens, emails, etc.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/b76666d0/attachment.html

From cjwallac at gmail.com Thu Jan 14 09:44:46 2016
From: cjwallac at gmail.com (Christopher Wallace)
Date: Thu, 14 Jan 2016 14:44:46 +0000
Subject: [keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy
In-Reply-To:
References:
Message-ID:

Marko, Thanks for your feedback!

We have successfully passed that problem and are able to log in to KEYCLOAK behind NGINX using the HTTPS proxy. Our challenge now is that when our applications attempt to access it we get the following error:

Request URL: https://sso2.company.com/auth/realms/master/tokens/access/codes
Request Method: POST
*Status Code: 400 Bad Request*
Remote Address: 99.99.99.99:443

Response Headers
Connection: keep-alive
Content-Type: application/json
Date: Thu, 14 Jan 2016 14:35:52 GMT
Server: nginx/1.4.6 (Ubuntu)
Transfer-Encoding: chunked
X-Powered-By: Undertow/1

Request Headers
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Authorization: Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ
Connection: keep-alive
Content-Length: 172
Content-type: application/x-www-form-urlencoded
Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzNGY0ZDI1OS02NzJjLTQzYjUtOGFmOC1hNzkwMWRiMDUxMmYiLCJleHAiOjE0NTI4MTgxNTMsIm5iZiI6MCwiaWF0IjoxNDUyNzgyMTUzLCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiOWRiNjdhNGQtOWIwMS00NjgxLTlmYmMtZDQ3N2Y1NTgyMGYyIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.JyQIOJk5214-n4y0RkpEuLJWY4u6Z4Fu_086Z9nwM9BU8TarV-oH6cxZEBYakyL8pvmwf0CWHMmN3XNF-Zv4b1UPutcLP7IChM1EEr4F1tPxwmddYS1M90NdY7Bzn2R36mnASZqczMMAisd-OE2TU8oDgMyg0Rb0iZNIi_jJU_Rd-na4qhfuBojF_u8BSFjSJsd3agjF5ZZ9ok9mo2McCMDaV21vozVryIkR1vfAKPWf6WI8fEQBpDAFsh37M_k
DNT: 1
Host: sso2.company.com
Origin: http://app.local.company.com
Referer: http://app.local.company.com/App/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Form Data (URL encoded)
code: Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2
redirect_uri: http://app.local.company.com/App/

Please do note that this same application is able to access KEYCLOAK using basically the same configuration without NGINX in the mix. Have any thoughts as to what we should look to configure differently with NGINX in the mix?

On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj wrote:

> The error 'org.apache.http.conn.HttpHostConnectException: Connection to
> https://sso2.domain.com refused' means that either there is a server side
> problem - your Nginx isn't started and listening on port 443, a firewall
> preventing incoming connections - or there is a client side problem - a DNS
> issue improperly resolving sso2.domain.com into IP on the host where
> Tomcat is running.
>
> At this point no SSL handshaking was attempted yet.
>
> If you try 'curl https://sso2.domain.com' or 'telnet sso2.domain.com 443'
> from the server running your Tomcat you'll see the same issue.
> Once that
> starts to work, only then will any SSL / proxying related configuration
> issues start to manifest themselves.
>
> On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace wrote:
>
>> Community, I have spent a decent amount of time attempting to get
>> KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It
>> does work without the proxy, but I need the proxy to handle certificates. I
>> think I am pretty close to having it working, but something seems to be
>> missing... I have done the following. I appreciate any insight you may have
>> as I think I have exhausted other resources.
>>
>> *1. Configure a server in NGINX*
>>
>> server {
>>     listen 443;
>>
>>     ssl on;
>>     ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt;
>>     ssl_certificate_key /etc/ssl/certs/*.domain.key;
>>
>>     server_name sso2.domain.com;
>>     access_log /var/log/nginx/nginx.sso.access.log;
>>     error_log /var/log/nginx/nginx.sso.error.log;
>>
>>     location / {
>>         proxy_set_header Host $host;
>>         proxy_set_header X-Real-IP $remote_addr;
>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>         proxy_set_header X-Forwarded-Proto $scheme;
>>         proxy_set_header X-Forwarded-Port 443;
>>         proxy_pass http://internalip:8080;
>>     }
>> }
>>
>> *2. Enable SSL on a Reverse Proxy*
>>
>> First add proxy-address-forwarding and redirect-socket to the
>> http-listener element:
>>
>> ...
>> ...
>>
>> Then add a new socket-binding element to the socket-binding-group
>> element:
>>
>> ...
>> ...
>>
>>
>> *RECEIVE THE FOLLOWING ERROR in TOMCAT:*
>>
>> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - failed to turn code into token
>> org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused
>>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) ~[httpclient-4.2.1.jar:4.2.1]
>>     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) ~[httpclient-4.2.1.jar:4.2.1]
>>     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) ~[httpclient-4.2.1.jar:4.2.1]
>>     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) ~[httpclient-4.2.1.jar:4.2.1]
>>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.1.jar:4.2.1]
>>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.1.jar:4.2.1]
>>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.1.jar:4.2.1]
>>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) ~[httpclient-4.2.1.jar:4.2.1]
>>     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>>     at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>>     at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>>     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>>     at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
>>     at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [lib/:na]
>>     at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [lib/:na]
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [lib/:na]
>>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [lib/:na]
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [lib/:na]
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) [lib/:na]
>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) [tomcat-coyote.jar:8.0.18]
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) [tomcat-coyote.jar:8.0.18]
>>     at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) [tomcat-coyote.jar:8.0.18]
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) [tomcat-coyote.jar:8.0.18]
>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) [tomcat-coyote.jar:8.0.18]
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_25]
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_25]
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.18]
>>     at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
>> Caused by: java.net.ConnectException: Connection timed out
>>     at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]
>>     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) ~[na:1.8.0_25]
>>     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_25]
>>     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_25]
>>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
>>     at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
>>     at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
>>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) ~[httpclient-4.2.1.jar:4.2.1]
>>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.1.jar:4.2.1]
>>     ... 29 common frames omitted
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/53a46b22/attachment-0001.html

From mstrukel at redhat.com Thu Jan 14 09:47:44 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 14 Jan 2016 15:47:44 +0100
Subject: [keycloak-user] Property name not translated
In-Reply-To:
References:
Message-ID:

To support this we would have to introduce additional syntax ...
For example rather than calling:

    context.form()
        .setError(Messages.FEDERATED_IDENTITY_CONFIRM_LINK_MESSAGE,
                  duplicationInfo.getDuplicateAttributeName(),
                  duplicationInfo.getDuplicateAttributeValue())

we would have to do something like:

    context.form()
        .setError(Messages.FEDERATED_IDENTITY_CONFIRM_LINK_MESSAGE,
                  "${" + duplicationInfo.getDuplicateAttributeName() + "}",
                  duplicationInfo.getDuplicateAttributeValue())

And adjust the localization part to check if the value starts with ${ and first localize the value before passing it as a parameter to localize the message.

On Thu, Jan 14, 2016 at 2:40 PM, Stian Thorgersen wrote:
> Feel free to create a JIRA issue. The core Keycloak team only maintains the
> English translation. All other translations have to be maintained by the
> community.
>
> On 14 January 2016 at 14:31, Helder dos S. Alves wrote:
>>
>> Hi.
>>
>> The "Account Already Exists" page is not translated correctly.
>> The message:
>> federatedIdentityConfirmLinkMessage=User with {0} {1} already exists. How
>> do you want to continue?
>>
>> The {0} comes with the property name (email).
>> The property name should come translated. Example: "E-mail" in Portuguese
>> and German, "Courriel" in French.
>>
>>
>> Regards.
>>
>> Helder S.
>> Alves
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Jan 14 09:54:27 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 14 Jan 2016 15:54:27 +0100
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.8.0.CR1 Released
In-Reply-To: <5C18173E-96F8-4AC2-8C2A-ED78FA8B8079@redhat.com>
References: <16B84D00-B232-4570-BC3A-6437673929F1@redhat.com> <5C18173E-96F8-4AC2-8C2A-ED78FA8B8079@redhat.com>
Message-ID:

As it has a small impact we'll add it to 1.8.0.Final then

On 14 January 2016 at 15:38, Libor Krzyzanek wrote:

> It's a small feature so I can live without it; however 1.9 would not be easy
> to do because of the upgrade to EAP 7 (it's complicated for us because we
> depend on other backend Java libraries which exist only for EAP 6 right
> now).
>
> In other words it's not a blocker for the 1.8.Final release for sure but nice to
> have.
>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team
>
> On Jan 14, 2016, at 2:00 PM, Stian Thorgersen wrote:
>
> Do you need that for 1.8.Final or is it ok if we add it to 1.9?
>
> On 14 January 2016 at 13:37, Libor Krzyzanek wrote:
>
>> Appreciated the CR1 !
>>
>> here is small improvement for Realm Display Name:
>> https://issues.jboss.org/browse/KEYCLOAK-2313
>>
>> Thanks,
>>
>> Libor Krzyžanek
>> jboss.org Development Team
>>
>> On Jan 13, 2016, at 11:52 AM, Stian Thorgersen wrote:
>>
>>
>> - *Realm Display Name* - a display name has been added to realms,
>> which makes it possible to set a human readable name to be shown on login
>> screens, emails, etc.
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/d9a0e1e7/attachment.html

From lkrzyzan at redhat.com Thu Jan 14 09:55:11 2016
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Thu, 14 Jan 2016 15:55:11 +0100
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.8.0.CR1 Released
In-Reply-To:
References: <16B84D00-B232-4570-BC3A-6437673929F1@redhat.com> <5C18173E-96F8-4AC2-8C2A-ED78FA8B8079@redhat.com>
Message-ID: <2BF3B6EC-CFE4-4C2B-A1B4-7E7541394839@redhat.com>

Yeah, it should be a copy&paste thing :-) Thank you! Appreciated.

L.

Libor Krzyžanek
jboss.org Development Team

> On Jan 14, 2016, at 3:54 PM, Stian Thorgersen wrote:
>
> As it has a small impact we'll add it to 1.8.0.Final then
>
> On 14 January 2016 at 15:38, Libor Krzyzanek wrote:
> It's a small feature so I can live without it; however 1.9 would not be easy to do because of the upgrade to EAP 7 (it's complicated for us because we depend on other backend Java libraries which exist only for EAP 6 right now).
>
> In other words it's not a blocker for the 1.8.Final release for sure but nice to have.
>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team
>
>> On Jan 14, 2016, at 2:00 PM, Stian Thorgersen wrote:
>>
>> Do you need that for 1.8.Final or is it ok if we add it to 1.9?
>>
>> On 14 January 2016 at 13:37, Libor Krzyzanek wrote:
>> Appreciated the CR1 !
>>
>> here is small improvement for Realm Display Name: https://issues.jboss.org/browse/KEYCLOAK-2313
>>
>> Thanks,
>>
>> Libor Krzyžanek
>> jboss.org Development Team
>>
>>> On Jan 13, 2016, at 11:52 AM, Stian Thorgersen wrote:
>>>
>>> Realm Display Name - a display name has been added to realms, which makes it possible to set a human readable name to be shown on login screens, emails, etc.
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/2a9f8cdd/attachment.html

From mstrukel at redhat.com Thu Jan 14 10:06:07 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 14 Jan 2016 16:06:07 +0100
Subject: [keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy
In-Reply-To:
References:
Message-ID:

Maybe take a look at advice in this thread:

http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html

On Thu, Jan 14, 2016 at 3:44 PM, Christopher Wallace wrote:

> Marko, Thanks for your feedback!
>
> We have successfully passed that problem and are able to log in to KEYCLOAK
> behind NGINX using the HTTPS proxy. Our challenge now is that when our applications
> attempt to access it we get the following error:
>
> Request URL: https://sso2.company.com/auth/realms/master/tokens/access/codes
> Request Method: POST
> Status Code: 400 Bad Request
> Remote Address: 99.99.99.99:443
>
> Response Headers
> Connection: keep-alive
> Content-Type: application/json
> Date: Thu, 14 Jan 2016 14:35:52 GMT
> Server: nginx/1.4.6 (Ubuntu)
> Transfer-Encoding: chunked
> X-Powered-By: Undertow/1
>
> Request Headers
> Accept: */*
> Accept-Encoding: gzip, deflate
> Accept-Language: en-US,en;q=0.8
> Authorization: Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ
> Connection: keep-alive
> Content-Length: 172
> Content-type: application/x-www-form-urlencoded
> Cookie:
>>> 29 common frames omitted
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>

From amaeztu at tesicnor.com Thu Jan 14 10:29:12 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Thu, 14 Jan 2016 16:29:12 +0100
Subject: [keycloak-user] Login to keycloak from Android app
In-Reply-To:
References: <5696877B.5070104@tesicnor.com>
Message-ID: <5697BEC8.5060409@tesicnor.com>

Many thanks to all of you for the help. I'm so close to achieving it, so I need one last tip (and I think you can help even without mobile knowledge). These are the steps I've followed to authenticate a user in a public client in the Android app:

1- Launch a browser app pointing to keycloak's authorization site for the client:

    import android.content.Intent;
    import android.net.Uri;

    // Hand the authorization request to the system browser; the code comes
    // back to the app through the redirect_uri scheme.
    Intent i = new Intent(Intent.ACTION_VIEW,
            Uri.parse("http://192.168.0.230:8080/auth/realms/master/protocol/"
                    + "openid-connect/auth?response_type=code&client_id=web_service&redirect_uri=android://app"));
    startActivity(i);

2- Retrieve the authorization code when coming back to my app and ask for an access token:

    import org.springframework.http.ResponseEntity;
    import org.springframework.http.converter.FormHttpMessageConverter;
    import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
    import org.springframework.util.LinkedMultiValueMap;
    import org.springframework.util.MultiValueMap;
    import org.springframework.web.client.RestTemplate;

    RestTemplate template = new RestTemplate();
    // Form converter encodes the request body, Jackson decodes the JSON token response.
    template.getMessageConverters().add(new FormHttpMessageConverter());
    template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());
    MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
    form.add("grant_type", "authorization_code");
    form.add("client_id", "edge");
    form.add("code", accessCode);
    form.add("redirect_uri", "tcheck://app");
    ResponseEntity<AccessToken> rssResponse = template.postForEntity(
            "http://192.168.0.230:8080/auth/realms/master/protocol/openid-connect/token",
            form,
            AccessToken.class);

I'm passing the parameters in the request body as x-www-form-urlencoded and it works. I do get an access token, with this format:

{
  "access_token" : "eyJhbGciOiJSUzI1NiJ9.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.GMoAPe9aUQBRign5J0TvOt4tg1SWwyfJkvJjuWDZ_Ayj3GBnFjhgbjb5qLreKsm87NHymPcpvCv7uHkKJRsx44TjC0514O0oBSiVIiKfcJdbE-y7nPplzYAJF6I2JlsQkw9Na67vNSvhsBNg6AfBop4xpAF9HtTU7Ca7gFwOS01bgDRO09WlJYivzOd5t-vQGNwRVlTqaCstIMiBLaUfdkc82DNQwnoP5VO9R7xZn-7O5BE288_CX0C2V96_vooIoTbB3Qoa-gV6f3s6ZSyJnRGBgoe_2QY3mjCBarFQ_mKH_sbF2qMpm-a5igoNoD_3Xlc7iluP206ZJdQn4NZdQg",
  "expires_in" : 60,
  "refresh_expires_in" : 1800,
  "refresh_token" : "eyJhbGciOiJSUzI1NiJ9.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.OZkivKxU1HJecrqKb1KDSabakruHJLUaUpNOy_DY7UW1R-4Qv6kLnPy_3soeRPP0FwYNrjzNMw94S-naE8JNCD91LqTTEyJ6o6q_1LDiDbVbfsKeyRkJDZDAbHUYtY-r35z_21SqdHxzzMcero6DoCpFaGOZZFQ86FZD7NiRE3oVzCIz1VJAFBIsSjH0W5_UQa2CEEIOxDanPnhbtdB8XZ6oQeKPB15AvobCgukvWcDufmCeJpUMcIjaTcnBdXRz6MIOp6VjQ5SyqJzn7jja8ILs3zEd8eeocAIix8Gv1CRs6PWBtWZJDss_fh4A8R2guKRBcFwQIeoncFgQeFeaoA",
  "token_type" : "bearer",
  "id_token" : "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI0OTUyOGQxNS1kZmEyLTQ1YTUtYjJiYy1hNzZhY2E2M2IwYjEiLCJleHAiOjE0NTI3NzUwNDQsIm5iZiI6MCwiaWF0IjoxNDUyNzc0OTg0LCJpc3MiOiJodHRwOi8vMTkyLjE2OC4wLjIzMDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6ImVkZ2UiLCJzdWIiOiJhNzE0NzAxNS0zNWM2LTRhZWEtYjNjOC1hNTY1ZTQ5YjcyZDkiLCJ0eXAiOiJJRCIsImF6cCI6ImVkZ2UiLCJzZXNzaW9uX3N0YXRlIjoiN2RkNWFkN2ItZDBhYi00ZmJhLWI5Y2ItZjM2NjFhOTk0ZTc5IiwibmFtZSI6IiIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0.yOs1HGLQyV33ihDIzL4CiKlKj58zlZzNpJizOlWXg59DkdnL1W5RIT4-Jw5VToy267gWv1o0XIwI2oCVHjbaXKgWZzt7NlVdGnNyGL19VQUPlISlMyyoOhaBGufC4JycQ6BrQh0fnMYUVQOvGE6HGnVwUbrLHiVL579AVhUSmVZ052fzN4VySpm03L7eQBt6BTKMo_7fmL39WvdwY2gEhoi6rz2P8cXp8vbidwqb4nNF7C1wfM7GYgbO-1yaMq_c4JiOoga9YswD68XvKpjjwVZs2WvHpvwZrQjfiqa6EtxkTeRYncMW-RutB8P09wJ3WRaBooDreVBMFB2Tw6nWnQ",
  "not-before-policy" : 1452694301,
  "session-state" : "7dd5ad7b-d0ab-4fba-b9cb-f3661a994e79"
}

I now finally want to access some resource. As the docs state, the only thing I have to do is pass that access token in the Authorization header, starting with the Bearer keyword:

    import org.springframework.http.HttpEntity;
    import org.springframework.http.HttpHeaders;
    import org.springframework.http.HttpMethod;

    // token is the AccessToken deserialised from the token response above.
    HttpHeaders headers = new HttpHeaders();
    headers.set("Authorization", "Bearer " + token.getToken());
    HttpEntity<String> entity = new HttpEntity<>("parameters", headers);
    ResponseEntity<OrganizationExchangeSet> rssResponse = template.exchange(
            "http://192.168.0.230:8765/organization/organizations",
            HttpMethod.GET,
            entity,
            OrganizationExchangeSet.class);

But I get 401 Unauthorized from keycloak. If I do the GET request using Postman, I get the Unauthorized code too:

Request:

Url:
http://192.168.0.230:8765/organization/organizations

Headers:
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.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.GMoAPe9aUQBRign5J0TvOt4tg1SWwyfJkvJjuWDZ_Ayj3GBnFjhgbjb5qLreKsm87NHymPcpvCv7uHkKJRsx44TjC0514O0oBSiVIiKfcJdbE-y7nPplzYAJF6I2JlsQkw9Na67vNSvhsBNg6AfBop4xpAF9HtTU7Ca7gFwOS01bgDRO09WlJYivzOd5t-vQGNwRVlTqaCstIMiBLaUfdkc82DNQwnoP5VO9R7xZn-7O5BE288_CX0C2V96_vooIoTbB3Qoa-gV6f3s6ZSyJnRGBgoe_2QY3mjCBarFQ_mKH_sbF2qMpm-a5igoNoD_3Xlc7iluP206ZJdQn4NZdQg

Response:
{
  "timestamp": 1452784544622,
  "status": 401,
  "error": "Unauthorized",
  "message": "Unable to authenticate bearer token",
  "path": "/organization/organizations"
}

How to solve this?

-- 
Aritz Maeztu Otaño
Software Development Department

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf.: 948 21 40 40
Fax.: 948 21 40 41

Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern.
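A claims check for the token above, added here as an example; it is not code from Aritz's post and not Keycloak's adapter. It base64url-decodes a JWT payload without verifying the signature (the adapter does verify it, with the realm's public key) and compares the claims with a bearer-only adapter configuration constructed to mirror the values named in the thread: realm master, auth-server-url http://192.168.0.230:8080/auth, resource edge (ORG_ADAPTER_CONFIG, an assumption). The payload decoded is the id_token from the response above, because the access_token's payload is elided on this page; both came from the same response with expires_in 60, so they share the same 60-second window. Decoding gives exp 1452775044, while the Postman response carries timestamp 1452784544622, so by the time of that request the token had been expired for 9500 seconds and a 401 "Unable to authenticate bearer token" is the expected result whatever the adapter configuration. The typ and audience checks are the checks a resource server should make; they are not a description of what the 1.7 adapter enforces.

```python
"""Inspect Keycloak token claims before they reach a bearer-only adapter.
Added example for this thread, not code from the post or from Keycloak.
Decoding only: the JWS signature is NOT verified here; the adapter does that
with the realm public key. The point is to see *why* a 401 happens."""
import base64
import json

# Constructed keycloak.json values for the 'organization' resource server,
# mirroring the realm/client/URL named in the thread (an assumption).
ORG_ADAPTER_CONFIG = {
    "realm": "master",
    "auth-server-url": "http://192.168.0.230:8080/auth",
    "resource": "edge",
    "bearer-only": True,
}

# Payload segment of the id_token from the token response in the thread
# (the access_token payload is elided on the page). Header and signature dropped.
ID_TOKEN_PAYLOAD = "eyJqdGkiOiI0OTUyOGQxNS1kZmEyLTQ1YTUtYjJiYy1hNzZhY2E2M2IwYjEiLCJleHAiOjE0NTI3NzUwNDQsIm5iZiI6MCwiaWF0IjoxNDUyNzc0OTg0LCJpc3MiOiJodHRwOi8vMTkyLjE2OC4wLjIzMDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6ImVkZ2UiLCJzdWIiOiJhNzE0NzAxNS0zNWM2LTRhZWEtYjNjOC1hNTY1ZTQ5YjcyZDkiLCJ0eXAiOiJJRCIsImF6cCI6ImVkZ2UiLCJzZXNzaW9uX3N0YXRlIjoiN2RkNWFkN2ItZDBhYi00ZmJhLWI5Y2ItZjM2NjFhOTk0ZTc5IiwibmFtZSI6IiIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the claims of a compact JWT ('header.payload.signature') or of a
    bare payload segment. No signature verification is performed."""
    parts = token.split(".")
    payload = parts[1] if len(parts) == 3 else parts[0]
    return json.loads(b64url_decode(payload))


def response_time_seconds(timestamp_ms: int) -> int:
    """Spring's error body reports 'timestamp' in milliseconds; exp/iat are seconds."""
    return timestamp_ms // 1000


def check_token_against_adapter(claims: dict, cfg: dict, now: int) -> list:
    """List the reasons a resource server configured with cfg should reject a
    bearer token carrying these claims at time 'now'. Empty list = acceptable."""
    problems = []
    # 1. Issuer must be exactly the realm URL the adapter is configured with.
    expected_iss = cfg["auth-server-url"].rstrip("/") + "/realms/" + cfg["realm"]
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer {claims.get('iss')!r} does not match adapter realm {expected_iss!r}")
    # 2. Only an access token belongs in the Authorization header; an ID token
    #    is for the client that requested it, not for downstream services.
    if claims.get("typ") != "Bearer":
        problems.append(f"token type {claims.get('typ')!r} is not 'Bearer'")
    # 3. The token should be meant for this resource (aud, or azp as fallback).
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if cfg["resource"] not in audiences and claims.get("azp") != cfg["resource"]:
        problems.append(f"neither aud {audiences!r} nor azp {claims.get('azp')!r} names {cfg['resource']!r}")
    # 4. Lifetime: the response above says expires_in 60, so a token replayed
    #    minutes later is dead no matter how the adapter is configured.
    exp = claims.get("exp", 0)
    if now >= exp:
        problems.append(f"expired {now - exp} s ago (exp={exp}, now={now})")
    if now < claims.get("nbf", 0):
        problems.append("not yet valid (nbf is in the future)")
    return problems


if __name__ == "__main__":
    claims = decode_claims(ID_TOKEN_PAYLOAD)
    postman_time = response_time_seconds(1452784544622)
    for reason in check_token_against_adapter(claims, ORG_ADAPTER_CONFIG, postman_time):
        print("reject:", reason)
```

Run against the thread's own numbers the script reports the issuer and audience as matching and the token as expired 9500 s before the Postman request (and flags that an ID token was decoded). The same function with a mismatched realm name reproduces the failure Marko asks about in his reply: the adapter's realm and auth-server-url must produce exactly the token's iss.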
From ivan at akvo.org Thu Jan 14 10:38:21 2016
From: ivan at akvo.org (Iván Perdomo)
Date: Thu, 14 Jan 2016 16:38:21 +0100
Subject: [keycloak-user] Login to keycloak from Android app
In-Reply-To: <5697BEC8.5060409@tesicnor.com>
References: <5696877B.5070104@tesicnor.com> <5697BEC8.5060409@tesicnor.com>
Message-ID: <5697C0ED.8060001@akvo.org>

Hi,

I tried this code some months ago and managed to login from Android.

https://github.com/learning-layers/android-openid-connect

Cheers,

On 01/14/2016 04:29 PM, Aritz Maeztu wrote:
> Many thanks to all of you for the help. I'm so close to achieve it, so I
> need some last tip (and think you can do even about not to have mobile
> knowledge).
> [remainder of the quoted message omitted; it repeats Aritz Maeztu's post above in full]
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Iván
From mstrukel at redhat.com Thu Jan 14 11:27:51 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 14 Jan 2016 17:27:51 +0100
Subject: [keycloak-user] Login to keycloak from Android app
In-Reply-To: <5697C0ED.8060001@akvo.org>
References: <5696877B.5070104@tesicnor.com> <5697BEC8.5060409@tesicnor.com> <5697C0ED.8060001@akvo.org>
Message-ID:

Is the adapter for your 'organization' REST endpoint properly configured to use 'master' realm and 'edge' client?

The keycloak.json config file in your organisation.war (or keycloak subsystem configuration) has to match that of 'edge' client configuration in your 'master' realm on Keycloak server.

On Thu, Jan 14, 2016 at 4:38 PM, Iván Perdomo wrote:
> Hi,
>
> I tried this code some months ago and managed to login from Android.
>
> https://github.com/learning-layers/android-openid-connect
>
> Cheers,
>
> On 01/14/2016 04:29 PM, Aritz Maeztu wrote:
>> Many thanks to all of you for the help. I'm so close to achieve it, so I
>> need some last tip (and think you can do even about not to have mobile
>> knowledge).
>> [remainder of the quoted message omitted; it repeats Aritz Maeztu's post above in full]
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Iván
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From cjwallac at gmail.com Thu Jan 14 12:28:10 2016
From: cjwallac at gmail.com (Christopher Wallace)
Date: Thu, 14 Jan 2016 17:28:10 +0000
Subject: [keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy
In-Reply-To:
References:
Message-ID:

Again Marko, thanks for the information! We did already configure our standalone server like this. What I did find is that we updated the .JS adapter script and enabled CORS:
http://serverfault.com/questions/162429/how-do-i-add-access-control-allow-origin-in-nginx

Now we are getting to the TOKEN step in the life cycle:

Request URL: https://sso2.company.com/auth/realms/master/protocol/openid-connect/token
Request Method: POST
Status Code: 400 Bad Request
Remote Address: 99.99.99.99:443

Response Headers:
Connection: keep-alive
Content-Type: application/json
Date: Thu, 14 Jan 2016 17:10:45 GMT
Server: nginx/1.4.6 (Ubuntu)
Transfer-Encoding: chunked
X-Powered-By: Undertow/1

Request Headers:
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Authorization: Basic bXByLXBsYXRmb3JtOmU1MGYxO
Connection: keep-alive
Content-Length: 202
Content-type: application/x-www-form-urlencoded
Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzOWIxMzg3OS1mYjY5LTQ2MTAtYTdlZS1mZjA2ZjgyOTI4MzUiLCJleHAiOjE0NTI4Mjc0NDcsIm5iZiI6MCwiaWF0IjoxNDUyNzkxNDQ3LCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiYjkwMTViMGItYTUyNC00ZDVkLWJiYjMtMDI2OTk3NjY0NjM1IiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.nCUDrU2Q9DQM5c2xcxLoW1pqVJNYcc-ZCUWe6HTlBVh1rwwk0V1q15Mbq0HzWcEkDWqatUTTQ0PEysH18hsOzuJdqRaaplBURwzW4S
DNT: 1
Host: sso2.company.com
Origin: http://portal.app.company.local.medicalpayreview.com
Referer: http://portal.app.company.local.medicalpayreview.com/App/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Form Data:
code: Mk9BGw2vGHNBtO-caT1Z1MEpwixV4Ke5yi5YFEubDes.d82b1938-d6a6-4c3c-99eb-0a0d1c2636be
grant_type: authorization_code
redirect_uri: http://portal.app.local.medicalpayreview.com/App/

We find the following WARNING in the KEYCLOAK logs:

17:10:48,891 WARN [org.keycloak.events] (default task-13) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=platform, userId=null, ipAddress=72.77.99.99, error=invalid_client_credentials, grant_type=authorization_code

And an error in the browser console:

XMLHttpRequest cannot load https://sso2.medicalpayreview.com/auth/realms/master/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://portal.app.company.local.medicalpayreview.com' is therefore not allowed access. The response had HTTP status code 400.

We appreciate everyone's input on getting over this challenge.
On Thu, Jan 14, 2016 at 10:06 AM Marko Strukelj wrote:
> Maybe take a look at advice in this thread:
> http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html
>
> On Thu, Jan 14, 2016 at 3:44 PM, Christopher Wallace wrote:
> > Marko, Thanks for your feedback!
> >
> > We have successfully passed that problem and are able to login to KEYCLOAK
> > behind NGINX using HTTPS Proxy. Our challenge now is when our applications
> > attempt to access, we get the following error:
> >
> > Request URL: https://sso2.company.com/auth/realms/master/tokens/access/codes
> > Request Method: POST
> > Status Code: 400 Bad Request
> > Remote Address: 99.99.99.99:443
> >
> > Response Headers:
> > Connection: keep-alive
> > Content-Type: application/json
> > Date: Thu, 14 Jan 2016 14:35:52 GMT
> > Server: nginx/1.4.6 (Ubuntu)
> > Transfer-Encoding: chunked
> > X-Powered-By: Undertow/1
> >
> > Request Headers:
> > Accept: */*
> > Accept-Encoding: gzip, deflate
> > Accept-Language: en-US,en;q=0.8
> > Authorization: Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ
> > Connection: keep-alive
> > Content-Length: 172
> > Content-type: application/x-www-form-urlencoded
> > Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzNGY0ZDI1OS02NzJjLTQzYjUtOGFmOC1hNzkwMWRiMDUxMmYiLCJleHAiOjE0NTI4MTgxNTMsIm5iZiI6MCwiaWF0IjoxNDUyNzgyMTUzLCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiOWRiNjdhNGQtOWIwMS00NjgxLTlmYmMtZDQ3N2Y1NTgyMGYyIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.JyQIOJk5214-n4y0RkpEuLJWY4u6Z4Fu_086Z9nwM9BU8TarV-oH6cxZEBYakyL8pvmwf0CWHMmN3XNF-Zv4b1UPutcLP7IChM1EEr4F1tPxwmddYS1M90NdY7Bzn2R36mnASZqczMMAisd-OE2TU8oDgMyg0Rb0iZNIi_jJU_Rd-na4qhfuBojF_u8BSFjSJsd3agjF5ZZ9ok9mo2McCMDaV21vozVryIkR1vfAKPWf6WI8fEQBpDAFsh37M_k
> > DNT: 1
> > Host: sso2.company.com
> > Origin: http://app.local.company.com
> > Referer: http://app.local.company.com/App/
> > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
> >
> > Form Data:
> > code: Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2
> > redirect_uri: http://app.local.company.com/App/
> >
> > Please do note that this same application is able to use KEYCLOAK using basically
> > the same configuration without NGINX in the MIX. Have any thoughts as to
> > what we should look to configure differently with NGINX in the mix?
> >
> > On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj wrote:
> >>
> >> The error 'org.apache.http.conn.HttpHostConnectException: Connection to
> >> https://sso2.domain.com refused' means that either there is a server side
> >> problem - your Nginx isn't started and listening on port 443, a firewall
> >> preventing incoming connections - or there is a client side problem - a DNS
> >> issue improperly resolving sso2.domain.com into IP on the host where Tomcat
> >> is running.
> >>
> >> At this point no SSL handshaking was attempted yet.
> >>
> >> If you try 'curl https://sso2.domain.com' or 'telnet sso2.domain.com 443'
> >> from the server running your Tomcat you'll see the same issue. Once that
> >> starts to work, only then will any SSL / proxying related configuration
> >> issues start to manifest themselves.
> >>
> >> On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace <cjwallac at gmail.com> wrote:
> >>>
> >>> Community, I have spent a decent amount of time attempting to get
> >>> KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It
> >>> does work without the proxy, but I need the proxy to handle certificates. I
> >>> think I am pretty close to having it working, but something seems to be
> >>> missing... I have done the following. I appreciate any insight you may have
> >>> as I think I have exhausted other resources.
> >>>
> >>> 1. Configure a server in NGINX
> >>>
> >>> server {
> >>>     listen 443;
> >>>
> >>>     ssl on;
> >>>     ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt;
> >>>     ssl_certificate_key /etc/ssl/certs/*.domain.key;
> >>>
> >>>     server_name sso2.domain.com;
> >>>     access_log /var/log/nginx/nginx.sso.access.log;
> >>>     error_log /var/log/nginx/nginx.sso.error.log;
> >>>
> >>>     location / {
> >>>         proxy_set_header Host $host;
> >>>         proxy_set_header X-Real-IP $remote_addr;
> >>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >>>         proxy_set_header X-Forwarded-Proto $scheme;
> >>>         proxy_set_header X-Forwarded-Port 443;
> >>>         proxy_pass http://internalip:8080;
> >>>     }
> >>> }
> >>>
> >>> 2. Enable SSL on a Reverse Proxy
> >>>
> >>> First add proxy-address-forwarding and redirect-socket to the
> >>> http-listener element:
> >>>
> >>> ...
> >>> <http-listener ... proxy-address-forwarding="true" redirect-socket="proxy-https"/>
> >>> ...
> >>>
> >>> Then add a new socket-binding element to the socket-binding-group
> >>> element:
> >>>
> >>> <socket-binding-group ... default-interface="public"
> >>>     port-offset="${jboss.socket.binding.port-offset:0}">
> >>>     ...
> >>>     <socket-binding name="proxy-https" port="443"/>
> >>>     ...
> >>> </socket-binding-group>
> >>>
> >>> RECEIVE THE FOLLOWING ERROR in TOMCAT:
> >>>
> >>> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - failed to turn code into token
> >>> org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused
> >>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [lib/:na]
> >>> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
> >>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [lib/:na]
> >>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [lib/:na]
> >>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [lib/:na]
> >>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [lib/:na]
> >>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) [lib/:na]
> >>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) [tomcat-coyote.jar:8.0.18]
> >>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) [tomcat-coyote.jar:8.0.18]
> >>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) [tomcat-coyote.jar:8.0.18]
> >>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) [tomcat-coyote.jar:8.0.18]
> >>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) [tomcat-coyote.jar:8.0.18]
> >>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_25]
> >>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_25]
> >>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.18]
> >>> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
> >>> Caused by: java.net.ConnectException: Connection timed out
> >>> at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]
> >>> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) ~[na:1.8.0_25]
> >>> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_25]
> >>> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_25]
> >>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
> >>> at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
> >>> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
> >>> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) ~[httpclient-4.2.1.jar:4.2.1]
> >>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.1.jar:4.2.1]
> >>> ...
> >>> 29 common frames omitted
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >

From amaeztu at tesicnor.com Thu Jan 14 12:39:58 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Thu, 14 Jan 2016 18:39:58 +0100
Subject: [keycloak-user] keycloak-user Digest, Vol 25, Issue 61
In-Reply-To:
References:
Message-ID: <5697DD6E.9010504@tesicnor.com>

Marko, I think it is properly configured. Both the edge and the organization service are part of the master realm. The only difference is that access to edge is public and access to organization is confidential. From the web browser, I have no problem logging in to the edge service and then going to the //organization/organizations/ path. Access to that path is not restricted in any other way.

On 14/01/2016 18:28, keycloak-user-request at lists.jboss.org wrote:
> Send keycloak-user mailing list submissions to
>     keycloak-user at lists.jboss.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
> or, via email, send a message with subject or body 'help' to
>     keycloak-user-request at lists.jboss.org
>
> You can reach the person managing the list at
>     keycloak-user-owner at lists.jboss.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of keycloak-user digest..."
>
>
> Today's Topics:
>
>    1. Re: Login to keycloak from Android app (Marko Strukelj)
>    2.
> Re: KEYCLOAK w/ NGINX Reverse Proxy (Christopher Wallace)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 14 Jan 2016 17:27:51 +0100
> From: Marko Strukelj
> Subject: Re: [keycloak-user] Login to keycloak from Android app
> To: Iván Perdomo
> Cc: keycloak-user
> Message-ID:
> Content-Type: text/plain; charset=UTF-8
>
> Is the adapter for your 'organization' REST endpoint properly
> configured to use the 'master' realm and 'edge' client?
>
> The keycloak.json config file in your organisation.war (or keycloak
> subsystem configuration) has to match that of the 'edge' client
> configuration in your 'master' realm on the Keycloak server.
>
> On Thu, Jan 14, 2016 at 4:38 PM, Iván Perdomo wrote:
>> Hi,
>>
>> I tried this code some months ago and managed to login from Android.
>>
>> https://github.com/learning-layers/android-openid-connect
>>
>> Cheers,
>>
>> On 01/14/2016 04:29 PM, Aritz Maeztu wrote:
>>> Many thanks to all of you for the help. I'm so close to achieving it, so I
>>> need some last tip (and I think you can help even without having mobile
>>> knowledge).
>>> These are the steps I've followed to authenticate a user in a
>>> public client in the Android app:
>>>
>>> 1- Launch a browser app pointing to keycloak's authorization site for
>>> the client:
>>>
>>>     Intent i = new Intent(Intent.ACTION_VIEW,
>>>             Uri.parse("http://192.168.0.230:8080/auth/realms/master/protocol/" +
>>>                     "openid-connect/auth?response_type=code&client_id=web_service&redirect_uri=android://app"));
>>>     startActivity(i);
>>>
>>> 2- Retrieve the authorization code when coming back to my app and ask
>>> for an access token:
>>>
>>>     RestTemplate template = new RestTemplate();
>>>     template.getMessageConverters().add(new FormHttpMessageConverter());
>>>     template.getMessageConverters().add(new MappingJackson2HttpMessageConverter());
>>>     MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
>>>     form.add("grant_type", "authorization_code");
>>>     form.add("client_id", "edge");
>>>     form.add("code", accessCode);
>>>     form.add("redirect_uri", "tcheck://app");
>>>     ResponseEntity<AccessToken> rssResponse = template.postForEntity(
>>>             "http://192.168.0.230:8080/auth/realms/master/protocol/openid-connect/token",
>>>             form,
>>>             AccessToken.class);
>>>
>>> I'm passing the parameters in the request body as x-www-form-urlencoded
>>> and it works. I do get an access token, with this format:
>>>
>>> {
>>>   "access_token" :
>>> "eyJhbGciOiJSUzI1NiJ9.[...]bmF
>>> nZS1jbGl >>> lbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50Iiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6IiIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0.GMoAPe9aUQBRign5J0TvOt4tg1SWwyfJkvJjuWDZ_Ayj3GBnFjhgbjb5qLreKsm87NHymPcpvCv7uHkKJRsx44TjC0514O0oBSiVIiKfcJdbE-y7nPplzYAJF6I2JlsQkw9Na67vNSvhsBNg6AfBop4xpAF9HtTU7Ca7gFwOS01bgDRO09WlJYivzOd5t-vQGNwRVlTqaCstIMiBLaUfdkc82DNQwnoP5VO9R7xZn-7O5BE288_CX0C2V96_vooIoTbB3Qoa-gV6f3s6ZSyJnRGBgoe_2QY3mjCBarFQ_mKH_sbF2qMpm-a5igoNoD_3Xlc7iluP206ZJdQn4NZdQg", >>> "expires_in" : 60, >>> "refresh_expires_in" : 1800, >>> "refresh_token" : >>> "eyJhbGciOiJSUzI1NiJ9.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! > bnQ! >>> iOnsicm9 >>> sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19fQ.OZkivKxU1HJecrqKb1KDSabakruHJLUaUpNOy_DY7UW1R-4Qv6kLnPy_3soeRPP0FwYNrjzNMw94S-naE8JNCD91LqTTEyJ6o6q_1LDiDbVbfsKeyRkJDZDAbHUYtY-r35z_21SqdHxzzMcero6DoCpFaGOZZFQ86FZD7NiRE3oVzCIz1VJAFBIsSjH0W5_UQa2CEEIOxDanPnhbtdB8XZ6oQeKPB15AvobCgukvWcDufmCeJpUMcIjaTcnBdXRz6MIOp6VjQ5SyqJzn7jja8ILs3zEd8eeocAIix8Gv1CRs6PWBtWZJDss_fh4A8R2guKRBcFwQIeoncFgQeFeaoA", >>> "token_type" : "bearer", >>> "id_token" : >>> "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI0OTUyOGQxNS1kZmEyLTQ1YTUtYjJiYy1hNzZhY2E2M2IwYjEiLCJleHAiOjE0NTI3NzUwNDQsIm5iZiI6MCwiaWF0IjoxNDUyNzc0OTg0LCJpc3MiOiJodHRwOi8vMTkyLjE2OC4wLjIzMDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6ImVkZ2UiLCJzdWIiOiJhNzE0NzAxNS0zNWM2LTRhZWEtYjNjOC1hNTY1ZTQ5YjcyZDkiLCJ0eXAiOiJJRCIsImF6cCI6ImVkZ2UiLCJzZXNzaW9uX3N0YXRlIjoiN2RkNWFkN2ItZDBhYi00ZmJhLWI5Y2ItZjM2NjFhOTk0ZTc5IiwibmFtZSI6IiIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0.yOs1HGLQyV33ihDIzL4CiKlKj58zlZzNpJizOlWXg59DkdnL1W5RIT4-Jw5VToy267gWv1o0XIwI2oCVHjbaXKgWZzt7NlVdGnNyGL19VQUPlISlMyyoOhaBGufC4JycQ6BrQh0fnMYUVQOvGE6HGnVwUbrLHiVL579AVhUSmVZ052fzN4VySpm03L7eQBt6BTKMo_7fmL39WvdwY2gEhoi6rz2P8cXp8vbidwqb4nNF7C1wfM7GYgbO-1yaMq_c4JiOoga9YswD68XvKpjjwVZs2WvHpvwZrQjfiqa6EtxkTeRYncMW-RutB8P09wJ3WRaBooDreVBMFB2Tw6nWnQ", >>> "not-before-policy" : 1452694301, >>> "session-state" : 
"7dd5ad7b-d0ab-4fba-b9cb-f3661a994e79" >>> } >>> >>> I now finally want to access some resource. As docs state, the only >>> thing I want to do is to pass that access token in the Authorization >>> header, starting with the Bearer keyword: >>> >>> HttpHeaders headers = new HttpHeaders(); >>> headers.set("Authorization", "Bearer " + token.getToken()); >>> HttpEntity entity = new HttpEntity<>("parameters", >>> headers); >>> ResponseEntity rssResponse = template.exchange( >>> "http://192.168.0.230:8765/organization/organizations", >>> HttpMethod.GET, >>> entity, >>> OrganizationExchangeSet.class); >>> >>> But I get 401 Unauthorized from keycloak. If I do the GET request using >>> Postman, I get the Unauthorized code too: >>> >>> Request: >>> >>> /Url:/ >>> >>> http://192.168.0.230:8765/organization/organizations >>> >>> /Headers:/ >>> >>> Authorization: Bearer >>> eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI5OTEzYmRjOS1jZmI0LTRlZjAtYTcxYy0yYWUwYmQ3MTkwZDkiLCJleHAiOjE0NTI3NzUwNDQsIm5iZiI6MCwiaWF0IjoxNDUyNzc0OTg0LCJpc3MiOiJodHRwOi8vMTkyLjE2OC4wLjIzMDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6ImVkZ2UiLCJzdWIiOiJhNzE0NzAxNS0zNWM2LTRhZWEtYjNjOC1hNTY1ZTQ5YjcyZDkiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJlZGdlIiwic2Vzc2lvbl9zdGF0ZSI6IjdkZDVhZDdiLWQwYWItNGZiYS1iOWNiLWYzNjYxYTk5NGU3OSIsImNsaWVudF9zZXNzaW9uIjoiZDg2MzY1NjctMzg2MS00NjU5LTg0ZjItMDZjYmM5YTI3YTU1IiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIlNVUEVSX0FETUlOIiwiY3JlYXRlLXJlYWxtIiwiVklFV19PUkdBTklaQVRJT04iLCJST0xFX1RDSEVDS19TVVBFUl9BRE1JTiIsIlJPTEVfVENIRUNLX0FETUlOIiwiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJtYXN0ZXItcmVhbG0iOnsicm9sZXMiOlsibWFuYWdlLWV2ZW50cyIsInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1yZWFsbSIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwidmlldy1ldmVudHMiLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hb! > mFn! 
>>> ZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50Iiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6IiIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0.GMoAPe9aUQBRign5J0TvOt4tg1SWwyfJkvJjuWDZ_Ayj3GBnFjhgbjb5qLreKsm87NHymPcpvCv7uHkKJRsx44TjC0514O0oBSiVIiKfcJdbE-y7nPplzYAJF6I2JlsQkw9Na67vNSvhsBNg6AfBop4xpAF9HtTU7Ca7gFwOS01bgDRO09WlJYivzOd5t-vQGNwRVlTqaCstIMiBLaUfdkc82DNQwnoP5VO9R7xZn-7O5BE288_CX0C2V96_vooIoTbB3Qoa-gV6f3s6ZSyJnRGBgoe_2QY3mjCBarFQ_mKH_sbF2qMpm-a5igoNoD_3Xlc7iluP206ZJdQn4NZdQg
>>>
>>> Response:
>>>
>>> {
>>>   "timestamp": 1452784544622,
>>>   "status": 401,
>>>   "error": "Unauthorized",
>>>   "message": "Unable to authenticate bearer token",
>>>   "path": "/organization/organizations"
>>> }
>>>
>>> How do I solve this?
>>>
>>>
>>> --
>>> Aritz Maeztu Otaño
>>> Software Development Department
>>>
>>> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
>>> Telf.: 948 21 40 40
>>> Fax.: 948 21 40 41
>>>
>>> Before printing this e-mail, think carefully about whether it is necessary:
>>> the environment is everyone's responsibility.
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>> --
>> Iván
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 14 Jan 2016 17:28:10 +0000
> From: Christopher Wallace
> Subject: Re: [keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy
> To: Marko Strukelj
> Cc: "keycloak-user at lists.jboss.org"
> Message-ID:
> Content-Type: text/plain; charset="utf-8"
>
> Again Marko, thanks for the information!
>
> We did already configure our standalone server like this.
What I did find > is that we updated the .JS adapter script and enable CORS > http://serverfault.com/questions/162429/how-do-i-add-access-control-allow-origin-in-nginx > Now > we are getting to the TOKEN step in the life cycle > > > 1. Request URL: > > https://sso2.company.com/auth/realms/master/protocol/openid-connect/token > 2. Request Method: > POST > 3. Status Code: > 400 Bad Request > 4. Remote Address: > 99.99.99.99:443 > 1. Response Headersview source > 1. Connection: > keep-alive > 2. Content-Type: > application/json > 3. Date: > Thu, 14 Jan 2016 17:10:45 GMT > 4. Server: > nginx/1.4.6 (Ubuntu) > 5. Transfer-Encoding: > chunked > 6. X-Powered-By: > Undertow/1 > 2. Request Headersview source > 1. Accept: > */* > 2. Accept-Encoding: > gzip, deflate > 3. Accept-Language: > en-US,en;q=0.8 > 4. Authorization: > Basic bXByLXBsYXRmb3JtOmU1MGYxO > 5. Connection: > keep-alive > 6. Content-Length: > 202 > 7. Content-type: > application/x-www-form-urlencoded > 8. Cookie: > > KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzOWIxMzg3OS1mYjY5LTQ2MTAtYTdlZS1mZjA2ZjgyOTI4MzUiLCJleHAiOjE0NTI4Mjc0NDcsIm5iZiI6MCwiaWF0IjoxNDUyNzkxNDQ3LCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiYjkwMTViMGItYTUyNC00ZDVkLWJiYjMtMDI2OTk3NjY0NjM1IiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.nCUDrU2Q9DQM5c2xcxLoW1pqVJNYcc-ZCUWe6HTlBVh1rwwk0V1q15Mbq0HzWcEkDWqatUTTQ0PEysH18hsOzuJdqRaaplBURwzW4S > 9. DNT: > 1 > 10. Host: > sso2.company.com > 11. Origin: > http://portal.app.company.local.medicalpayreview.com > 12. Referer: > http://portal.app.company.local.medicalpayreview.com/App/ > 13. User-Agent: > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 > 3. Form Dataview sourceview URL encoded > 1. code: > > Mk9BGw2vGHNBtO-caT1Z1MEpwixV4Ke5yi5YFEubDes.d82b1938-d6a6-4c3c-99eb-0a0d1c2636be > 2. 
> grant_type:
> authorization_code
> 3. redirect_uri:
> http://portal.app.local.medicalpayreview.com/App/
>
> We find the following WARNING in the KEYCLOAK logs
>
> 17:10:48,891 WARN [org.keycloak.events] (default task-13)
> type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=platform, userId=null,
> ipAddress=72.77.99.99, error=invalid_client_credentials,
> grant_type=authorization_code
>
> And an error in the browser console:
>
> XMLHttpRequest cannot load
> https://sso2.medicalpayreview.com/auth/realms/master/protocol/openid-connect/token.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://portal.app.company.local.medicalpayreview.com' is
> therefore not allowed access. The response had HTTP status code 400.
>
> We appreciate everyone's input on getting over this challenge.
>
>
> On Thu, Jan 14, 2016 at 10:06 AM Marko Strukelj wrote:
>
>> Maybe take a look at advice in this thread:
>> http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html
>>
>> On Thu, Jan 14, 2016 at 3:44 PM, Christopher Wallace wrote:
>>> Marko, Thanks for your feedback!
>>>
>>> We have successfully passed that problem and are able to login to KEYCLOAK
>>> behind NGINX using HTTPS Proxy.
Our challenge now is when our >> applications >>> attempt to access we get the following error: >>> >>> Request URL: >>> https://sso2.company.com/auth/realms/master/tokens/access/codes >>> Request Method: >>> POST >>> Status Code: >>> 400 Bad Request >>> Remote Address: >>> 99.99.99.99:443 >>> >>> Response Headersview source >>> >>> Connection: >>> keep-alive >>> Content-Type: >>> application/json >>> Date: >>> Thu, 14 Jan 2016 14:35:52 GMT >>> Server: >>> nginx/1.4.6 (Ubuntu) >>> Transfer-Encoding: >>> chunked >>> X-Powered-By: >>> Undertow/1 >>> >>> Request Headersview source >>> >>> Accept: >>> */* >>> Accept-Encoding: >>> gzip, deflate >>> Accept-Language: >>> en-US,en;q=0.8 >>> Authorization: >>> Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ >>> Connection: >>> keep-alive >>> Content-Length: >>> 172 >>> Content-type: >>> application/x-www-form-urlencoded >>> Cookie: >>> >> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzNGY0ZDI1OS02NzJjLTQzYjUtOGFmOC1hNzkwMWRiMDUxMmYiLCJleHAiOjE0NTI4MTgxNTMsIm5iZiI6MCwiaWF0IjoxNDUyNzgyMTUzLCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiOWRiNjdhNGQtOWIwMS00NjgxLTlmYmMtZDQ3N2Y1NTgyMGYyIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.JyQIOJk5214-n4y0RkpEuLJWY4u6Z4Fu_086Z9nwM9BU8TarV-oH6cxZEBYakyL8pvmwf0CWHMmN3XNF-Zv4b1UPutcLP7IChM1EEr4F1tPxwmddYS1M90NdY7Bzn2R36mnASZqczMMAisd-OE2TU8oDgMyg0Rb0iZNIi_jJU_Rd-na4qhfuBojF_u8BSFjSJsd3agjF5ZZ9ok9mo2McCMDaV21vozVryIkR1vfAKPWf6WI8fEQBpDAFsh37M_k >>> DNT: >>> 1 >>> Host: >>> sso2.company.com >>> Origin: >>> http://app.local.company.com >>> Referer: >>> http://app.local.company.com/App/ >>> User-Agent: >>> Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 >> (KHTML, >>> like Gecko) Chrome/47.0.2526.106 Safari/537.36 >>> >>> Form Dataview sourceview URL encoded >>> >>> code: >>> >> 
>>> Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2
>>> redirect_uri:
>>> http://app.local.company.com/App/
>>>
>>> Please do note that this same application is able to use KEYCLOAK with basically
>>> the same configuration without NGINX in the mix. Have you any thoughts as to
>>> what we should look to configure differently with NGINX in the mix?
>>>
>>> On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj wrote:
>>>> The error 'org.apache.http.conn.HttpHostConnectException: Connection to
>>>> https://sso2.domain.com refused' means that either there is a server side
>>>> problem - your Nginx isn't started and listening on port 443, a firewall
>>>> preventing incoming connections - or there is a client side problem - a DNS
>>>> issue improperly resolving sso2.domain.com into an IP on the host where Tomcat
>>>> is running.
>>>>
>>>> At this point no SSL handshaking was attempted yet.
>>>>
>>>> If you try 'curl https://sso2.domain.com' or 'telnet sso2.domain.com 443'
>>>> from the server running your Tomcat you'll see the same issue. Once that
>>>> starts to work, only then will any SSL / proxying related configuration
>>>> issues start to manifest themselves.
>>>>
>>>> On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace <cjwallac at gmail.com>
>>>> wrote:
>>>>> Community, I have spent a decent amount of time attempting to get
>>>>> KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It
>>>>> does work without the proxy, but I need the proxy to handle certificates. I
>>>>> think I am pretty close to having it working, but something seems to be
>>>>> missing... I have done the following. I appreciate any insight you may have
>>>>> as I think I have exhausted other resources.
>>>>>
>>>>> 1.
Configure a server in NGINX >>>>> >>>>> server { >>>>> >>>>> listen 443; >>>>> >>>>> >>>>> ssl on; >>>>> >>>>> ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt; >>>>> >>>>> ssl_certificate_key /etc/ssl/certs/*.domain.key; >>>>> >>>>> >>>>> server_name sso2. domain.com; >>>>> >>>>> access_log /var/log/nginx/nginx.sso.access.log; >>>>> >>>>> error_log /var/log/nginx/nginx.sso.error.log; >>>>> >>>>> location / { >>>>> >>>>> proxy_set_header Host $host; >>>>> >>>>> proxy_set_header X-Real-IP $remote_addr; >>>>> >>>>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; >>>>> >>>>> proxy_set_header X-Forwarded-Proto $scheme; >>>>> >>>>> proxy_set_header X-Forwarded-Port 443; >>>>> >>>>> proxy_pass http://internalip:8080; >>>>> >>>>> } >>>>> >>>>> } >>>>> >>>>> 2. Enable SSL on a Reverse Proxy >>>>> >>>>> First add proxy-address-forwarding and redirect-socket to the >>>>> http-listener element: >>>>> >>>>> >>>>> ... >>>>> >>>> proxy-address-forwarding="true" redirect-socket="proxy-https"/> >>>>> ... >>>>> >>>>> >>>>> Then add a new socket-binding element to the socket-binding-group >>>>> element: >>>>> >>>>> > default-interface="public" >>>>> port-offset="${jboss.socket.binding.port-offset:0}"> >>>>> ... >>>>> >>>>> ... 
>>>>> >>>>> >>>>> >>>>> RECIVE THE FOLLOWING ERROR in TOMCAT: >>>>> >>>>> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - >>>>> failed to turn code into token >>>>> >>>>> org.apache.http.conn.HttpHostConnectException: Connection to >>>>> https://sso2.domain.com refused >>>>> >>>>> at >>>>> >> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) >>>>> ~[httpclient-4.2.1.jar:4.2.1] >>>>> >>>>> at >>>>> >> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) >>>>> ~[httpclient-4.2.1.jar:4.2.1] >>>>> >>>>> at >>>>> >> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) >>>>> ~[httpclient-4.2.1.jar:4.2.1] >>>>> >>>>> at >>>>> >> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) >>>>> ~[httpclient-4.2.1.jar:4.2.1] >>>>> >>>>> at >>>>> >> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) >>>>> ~[httpclient-4.2.1.jar:4.2.1] >>>>> >>>>> at >>>>> >> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) >>>>> ~[httpclient-4.2.1.jar:4.2.1] >>>>> >>>>> at >>>>> >> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) >>>>> ~[httpclient-4.2.1.jar:4.2.1] >>>>> >>>>> at >>>>> >> org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) >>>>> ~[httpclient-4.2.1.jar:4.2.1] >>>>> >>>>> at >>>>> >> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) >>>>> ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >>>>> >>>>> at >>>>> >> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) >>>>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >>>>> >>>>> at >>>>> >> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) >>>>> 
[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >>>>> >>>>> at >>>>> >> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) >>>>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >>>>> >>>>> at >>>>> >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) >>>>> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final] >>>>> >>>>> at >>>>> >> org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) >>>>> [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final] >>>>> >>>>> at >>>>> >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) >>>>> [lib/:na] >>>>> >>>>> at >>>>> >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) >>>>> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final] >>>>> >>>>> at >>>>> >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) >>>>> [lib/:na] >>>>> >>>>> at >>>>> >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) >>>>> [lib/:na] >>>>> >>>>> at >>>>> >> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) >>>>> [lib/:na] >>>>> >>>>> at >>>>> >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) >>>>> [lib/:na] >>>>> >>>>> at >>>>> >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) >>>>> [lib/:na] >>>>> >>>>> at >>>>> >> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) >>>>> [tomcat-coyote.jar:8.0.18] >>>>> >>>>> at >>>>> >> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) >>>>> [tomcat-coyote.jar:8.0.18] >>>>> >>>>> at >>>>> >> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) >>>>> 
[tomcat-coyote.jar:8.0.18] >>>>> >>>>> at >>>>> org.apache.tomcat.util.net >> .NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) >>>>> [tomcat-coyote.jar:8.0.18] >>>>> >>>>> at >>>>> org.apache.tomcat.util.net >> .NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) >>>>> [tomcat-coyote.jar:8.0.18] >>>>> >>>>> at >>>>> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>>>> [na:1.8.0_25] >>>>> >>>>> at >>>>> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>>>> [na:1.8.0_25] >>>>> >>>>> at >>>>> >> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >>>>> [tomcat-util.jar:8.0.18] >>>>> >>>>> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25] >>>>> >>>>> Caused by: java.net.ConnectException: Connection timed out >>>>> >>>>> at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25] >>>>> >>>>> at >>>>> java.net >> .AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) >>>>> ~[na:1.8.0_25] >>>>> >>>>> at >>>>> java.net >> .AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) >>>>> ~[na:1.8.0_25] >>>>> >>>>> at >>>>> java.net >> .AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) >>>>> ~[na:1.8.0_25] >>>>> >>>>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) >>>>> ~[na:1.8.0_25] >>>>> >>>>> at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25] >>>>> >>>>> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) >>>>> ~[na:1.8.0_25] >>>>> >>>>> at >>>>> >> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) >>>>> ~[httpclient-4.2.1.jar:4.2.1] >>>>> >>>>> at >>>>> >> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) >>>>> ~[httpclient-4.2.1.jar:4.2.1] >>>>> >>>>> ... 
>>>>> 29 common frames omitted
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 25, Issue 61
> *********************************************

--
Aritz Maeztu Otaño
Software Development Department

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf.: 948 21 40 40
Fax.: 948 21 40 41

Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.
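Added example for the 401 discussed in the digest above: a small Python triage script, not code from the thread, from Keycloak or from the Spring adapter. It decodes a bearer token's claims without verifying the signature (that stays the adapter's job, against the realm public key) and checks them against the settings a REST service's adapter holds (the keycloak.json keys auth-server-url, realm and resource). Marko's question, whether the 'organization' adapter points at realm 'master' and client 'edge', maps to the issuer comparison and the audience note. Two numbers on the page feed the expiry check: the pasted access token's exp claim decodes to 1452775044 (the token response shows expires_in 60), while the 401 response carries timestamp 1452784544622, so that Postman request was made 9500 s after the token expired and the expiry check alone reports it. The adapter dict, the sample claims and the placeholder signature are constructed for the example.

```python
"""Offline triage of a Keycloak bearer token that a REST service answers with 401.

Added example for this thread; not code from the thread, from Keycloak or from
the Spring adapter. It decodes the JWT claims WITHOUT checking the signature (the
adapter does that against the realm's public key) and compares them with the
adapter settings a keycloak.json carries: auth-server-url, realm, resource.
The adapter dict and the sample claims below are constructed to mirror the
thread's setup (realm 'master', client 'edge', Keycloak at 192.168.0.230:8080).
"""
import base64
import json
import time
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload of a compact JWS (header.payload.signature) as a dict.
    No verification is done here; this is for reading claims only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: Dict) -> str:
    """Build a constructed token for the example. Real Keycloak tokens are
    RS256-signed by the realm; the signature segment here is a placeholder."""
    header = _b64url_encode(b'{"alg":"RS256"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header + "." + payload + ".placeholder-signature"


def triage_bearer_token(token: str, adapter: Dict, now: Optional[float] = None) -> List[str]:
    """Return the reasons an adapter configured as `adapter` would refuse `token`.

    An empty list means these offline checks pass; the signature still has to be
    verified by the adapter with the realm key before the token is trusted.
    """
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems: List[str] = []

    # The adapter expects iss == <auth-server-url>/realms/<realm>. A token from
    # another realm, or one minted through a different scheme/host/port of the
    # same server, fails this comparison.
    expected_iss = adapter["auth-server-url"].rstrip("/") + "/realms/" + adapter["realm"]
    if claims.get("iss") != expected_iss:
        problems.append("issuer %r != expected %r" % (claims.get("iss"), expected_iss))

    # exp/nbf are Unix seconds. The thread's token was issued with expires_in 60.
    exp = claims.get("exp")
    if exp is not None and now >= exp:
        problems.append("expired %d s ago (exp=%d)" % (now - exp, exp))
    nbf = claims.get("nbf")
    if nbf and now < nbf:
        problems.append("not yet valid (nbf=%d)" % nbf)

    # The token response also contains an id_token (typ=ID); only the
    # access_token (typ=Bearer) belongs in the Authorization header.
    if claims.get("typ") != "Bearer":
        problems.append("typ is %r, not 'Bearer'" % claims.get("typ"))

    # Whether aud is enforced depends on the adapter version, so report a
    # mismatch as a note rather than a hard failure.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if adapter["resource"] not in aud_list and claims.get("azp") != adapter["resource"]:
        problems.append("note: neither aud nor azp names client %r" % adapter["resource"])
    return problems


# Constructed adapter settings for the 'organization' REST service.
ADAPTER = {
    "auth-server-url": "http://192.168.0.230:8080/auth",
    "realm": "master",
    "resource": "edge",
}

# Constructed claims shaped like the thread's access token (60 s lifetime).
SAMPLE_CLAIMS = {
    "iss": "http://192.168.0.230:8080/auth/realms/master",
    "aud": "edge",
    "azp": "edge",
    "typ": "Bearer",
    "iat": 1452774984,
    "exp": 1452775044,
    "nbf": 0,
    "preferred_username": "admin",
}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    print("checked right after issue:", triage_bearer_token(token, ADAPTER, now=1452775000))
    print("checked at the 401's timestamp:", triage_bearer_token(token, ADAPTER, now=1452784544))
```

Run as a script it prints an empty list for the fresh check and the expiry reason for the second; `decode_jwt_claims` also works on a real token pasted from a token response, since the payload segment is plain base64url JSON, which is the quickest way to read exp and iss before touching adapter configuration.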
From cjwallac at gmail.com Thu Jan 14 14:36:14 2016
From: cjwallac at gmail.com (Christopher Wallace)
Date: Thu, 14 Jan 2016 19:36:14 +0000
Subject: [keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy
In-Reply-To:
References:
Message-ID:

Well, in lieu of all the fancy NGINX configuration, I found it was simply a matter of setting KEYCLOAK to accept NON-SSL connections internally, because the connection from NGINX to KEYCLOAK itself is over HTTP. We were able to remove all the special header instructions in NGINX. Thanks for your help through it; sometimes walking away for lunch is the best idea ;-)

On Thu, Jan 14, 2016 at 12:28 PM Christopher Wallace wrote:
> Again Marko, thanks for the information!
>
> We did already configure our standalone server like this. What I did find
> is that we updated the .JS adapter script and enabled CORS
> http://serverfault.com/questions/162429/how-do-i-add-access-control-allow-origin-in-nginx
> Now we are getting to the TOKEN step in the life cycle
>
> 1. Request URL:
>    https://sso2.company.com/auth/realms/master/protocol/openid-connect/token
> 2. Request Method:
>    POST
> 3. Status Code:
>    400 Bad Request
> 4. Remote Address:
>    99.99.99.99:443
>
> 1. Response Headers
>    1. Connection: keep-alive
>    2. Content-Type: application/json
>    3. Date: Thu, 14 Jan 2016 17:10:45 GMT
>    4. Server: nginx/1.4.6 (Ubuntu)
>    5. Transfer-Encoding: chunked
>    6. X-Powered-By: Undertow/1
>
> 2. Request Headers
>    1. Accept: */*
>    2. Accept-Encoding: gzip, deflate
>    3. Accept-Language: en-US,en;q=0.8
>    4. Authorization: Basic bXByLXBsYXRmb3JtOmU1MGYxO
>    5. Connection: keep-alive
>    6. Content-Length: 202
>    7. Content-type: application/x-www-form-urlencoded
>    8.
Cookie: > > KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzOWIxMzg3OS1mYjY5LTQ2MTAtYTdlZS1mZjA2ZjgyOTI4MzUiLCJleHAiOjE0NTI4Mjc0NDcsIm5iZiI6MCwiaWF0IjoxNDUyNzkxNDQ3LCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiYjkwMTViMGItYTUyNC00ZDVkLWJiYjMtMDI2OTk3NjY0NjM1IiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.nCUDrU2Q9DQM5c2xcxLoW1pqVJNYcc-ZCUWe6HTlBVh1rwwk0V1q15Mbq0HzWcEkDWqatUTTQ0PEysH18hsOzuJdqRaaplBURwzW4S > 5. DNT: > 1 > 6. Host: > sso2.company.com > 7. Origin: > http://portal.app.company.local.medicalpayreview.com > 8. Referer: > http://portal.app.company.local.medicalpayreview.com/App/ > > > 1. User-Agent: > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 > (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 > > > 1. Form Dataview sourceview URL encoded > > > 1. code: > > Mk9BGw2vGHNBtO-caT1Z1MEpwixV4Ke5yi5YFEubDes.d82b1938-d6a6-4c3c-99eb-0a0d1c2636be > 2. grant_type: > authorization_code > 3. redirect_uri: > http://portal.app.local.medicalpayreview.com/App/ > > > We find the following WARNING in the KEYCLOAK logs > > 17:10:48,891 WARN [org.keycloak.events] (default task-13) > type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=platform, userId=null, > ipAddress=72.77.99.99, error=invalid_client_credentials, > grant_type=authorization_code > > And and error the browser console: > > XMLHttpRequest cannot load > https://sso2.medicalpayreview.com/auth/realms/master/protocol/openid-connect/token. > No 'Access-Control-Allow-Origin' header is present on the requested > resource. Origin 'http://portal.app.company.local.medicalpayreview.com' > is therefore not allowed access. The response had HTTP status code 400. > > We appreciate everyones input on getting over this challenge. 
> > > > On Thu, Jan 14, 2016 at 10:06 AM Marko Strukelj > wrote: > >> Maybe take a look at advice in this thread: >> http://lists.jboss.org/pipermail/keycloak-user/2016-January/004413.html >> >> On Thu, Jan 14, 2016 at 3:44 PM, Christopher Wallace >> wrote: >> > Marko, Thanks for your feedback! >> > >> > We have successfully pass that problem and are able to login to KEYCLOAK >> > behind NGINX using HTTPS Proxy. Our challenge now is when our >> applications >> > attempt to access we get the following error: >> > >> > Request URL: >> > https://sso2.company.com/auth/realms/master/tokens/access/codes >> > Request Method: >> > POST >> > Status Code: >> > 400 Bad Request >> > Remote Address: >> > 99.99.99.99:443 >> > >> > Response Headersview source >> > >> > Connection: >> > keep-alive >> > Content-Type: >> > application/json >> > Date: >> > Thu, 14 Jan 2016 14:35:52 GMT >> > Server: >> > nginx/1.4.6 (Ubuntu) >> > Transfer-Encoding: >> > chunked >> > X-Powered-By: >> > Undertow/1 >> > >> > Request Headersview source >> > >> > Accept: >> > */* >> > Accept-Encoding: >> > gzip, deflate >> > Accept-Language: >> > en-US,en;q=0.8 >> > Authorization: >> > Basic bXByLXBsYXRmb3JtOmU1MGYxODEyLTYzYTQtNGM0YS05NWQ >> > Connection: >> > keep-alive >> > Content-Length: >> > 172 >> > Content-type: >> > application/x-www-form-urlencoded >> > Cookie: >> > >> 
KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIzNGY0ZDI1OS02NzJjLTQzYjUtOGFmOC1hNzkwMWRiMDUxMmYiLCJleHAiOjE0NTI4MTgxNTMsIm5iZiI6MCwiaWF0IjoxNDUyNzgyMTUzLCJpc3MiOiJodHRwczovL3NzbzIubWVkaWNhbHBheXJldmlldy5jb20vYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpudWxsLCJzdWIiOiJhNWM2MzJiYy0xNmNlLTQ3NzgtOGNmMy05MWQ4MmMzNTE3NmYiLCJzZXNzaW9uX3N0YXRlIjoiOWRiNjdhNGQtOWIwMS00NjgxLTlmYmMtZDQ3N2Y1NTgyMGYyIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.JyQIOJk5214-n4y0RkpEuLJWY4u6Z4Fu_086Z9nwM9BU8TarV-oH6cxZEBYakyL8pvmwf0CWHMmN3XNF-Zv4b1UPutcLP7IChM1EEr4F1tPxwmddYS1M90NdY7Bzn2R36mnASZqczMMAisd-OE2TU8oDgMyg0Rb0iZNIi_jJU_Rd-na4qhfuBojF_u8BSFjSJsd3agjF5ZZ9ok9mo2McCMDaV21vozVryIkR1vfAKPWf6WI8fEQBpDAFsh37M_k >> > DNT: >> > 1 >> > Host: >> > sso2.company.com >> > Origin: >> > http://app.local.company.com >> > Referer: >> > http://app.local.company.com/App/ >> > User-Agent: >> > Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 >> (KHTML, >> > like Gecko) Chrome/47.0.2526.106 Safari/537.36 >> > >> > Form Dataview sourceview URL encoded >> > >> > code: >> > >> Vyzj7f-Aq2anYTJy7AoK4e6h0s2Ypp0vQ6okx7lWlRo.d2acab15-f708-4838-bd4b-2562fd46f8e2 >> > redirect_uri: >> > http://app.local.company.com/App/ >> > >> > Please do note that this same application is able KEYCLOAK using >> basically >> > the same configuration without NGINX in the MIX. Have any thoughts was >> to >> > what we should look to configure differently with NGIX in the mix? >> > >> > On Mon, Jan 4, 2016 at 7:16 AM Marko Strukelj >> wrote: >> >> >> >> The error 'org.apache.http.conn.HttpHostConnectException: Connection to >> >> https://sso2.domain.com refused' means that either there is a server >> side >> >> problem - your Nginx isn't started and listening on port 443, a >> firewall >> >> preventing incoming connections - or there is a client side problem - >> a DNS >> >> issue improperly resolving sso2.domain.com into IP on the host where >> Tomcat >> >> is running. >> >> >> >> At this point no SSL handshaking was attempted yet. 
>> >>
>> >> If you try 'curl https://sso2.domain.com' or 'telnet sso2.domain.com 443' from the server running your Tomcat you'll see the same issue. Once that starts to work, only then will any SSL / proxying related configuration issues start to manifest themselves.
>> >>
>> >> On Wed, Dec 30, 2015 at 11:34 PM, Christopher Wallace <cjwallac at gmail.com> wrote:
>> >>>
>> >>> Community, I have spent a decent amount of time attempting to get KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It does work without the proxy, but I need the proxy to handle certificates. I think I am pretty close to having it working, but something seems to be missing... I have done the following. I appreciate any insight you may have as I think I have exhausted other resources.
>> >>>
>> >>> 1. Configure a server in NGINX
>> >>>
>> >>> server {
>> >>>     listen 443;
>> >>>     ssl on;
>> >>>     ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt;
>> >>>     ssl_certificate_key /etc/ssl/certs/*.domain.key;
>> >>>     server_name sso2. domain.com;
>> >>>     access_log /var/log/nginx/nginx.sso.access.log;
>> >>>     error_log /var/log/nginx/nginx.sso.error.log;
>> >>>     location / {
>> >>>         proxy_set_header Host $host;
>> >>>         proxy_set_header X-Real-IP $remote_addr;
>> >>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> >>>         proxy_set_header X-Forwarded-Proto $scheme;
>> >>>         proxy_set_header X-Forwarded-Port 443;
>> >>>         proxy_pass http://internalip:8080;
>> >>>     }
>> >>> }
>> >>>
>> >>> 2. Enable SSL on a Reverse Proxy
>> >>>
>> >>> First add proxy-address-forwarding and redirect-socket to the http-listener element:
>> >>>
>> >>> ...
>> >>> proxy-address-forwarding="true" redirect-socket="proxy-https"/>
>> >>> ...
>> >>>
>> >>> Then add a new socket-binding element to the socket-binding-group element:
>> >>>
>> >>> default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
>> >>> ...
>> >>> ...
>> >>>
>> >>> RECEIVE THE FOLLOWING ERROR in TOMCAT:
>> >>>
>> >>> 1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - failed to turn code into token
>> >>> org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused
>> >>>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) ~[httpclient-4.2.1.jar:4.2.1]
>> >>>     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) ~[httpclient-4.2.1.jar:4.2.1]
>> >>>     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) ~[httpclient-4.2.1.jar:4.2.1]
>> >>>     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) ~[httpclient-4.2.1.jar:4.2.1]
>> >>>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.1.jar:4.2.1]
>> >>>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.1.jar:4.2.1]
>> >>>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.1.jar:4.2.1]
>> >>>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) ~[httpclient-4.2.1.jar:4.2.1]
>> >>>     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
>> >>>     at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) >> >>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >> >>> >> >>> at >> >>> >> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) >> >>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >> >>> >> >>> at >> >>> >> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) >> >>> [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final] >> >>> >> >>> at >> >>> >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) >> >>> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final] >> >>> >> >>> at >> >>> >> org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) >> >>> [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final] >> >>> >> >>> at >> >>> >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) >> >>> [lib/:na] >> >>> >> >>> at >> >>> >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) >> >>> [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final] >> >>> >> >>> at >> >>> >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) >> >>> [lib/:na] >> >>> >> >>> at >> >>> >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) >> >>> [lib/:na] >> >>> >> >>> at >> >>> >> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) >> >>> [lib/:na] >> >>> >> >>> at >> >>> >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) >> >>> [lib/:na] >> >>> >> >>> at >> >>> >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) >> >>> [lib/:na] >> >>> >> >>> at >> >>> >> 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) >> >>> [tomcat-coyote.jar:8.0.18] >> >>> >> >>> at >> >>> >> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) >> >>> [tomcat-coyote.jar:8.0.18] >> >>> >> >>> at >> >>> >> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) >> >>> [tomcat-coyote.jar:8.0.18] >> >>> >> >>> at >> >>> org.apache.tomcat.util.net >> .NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) >> >>> [tomcat-coyote.jar:8.0.18] >> >>> >> >>> at >> >>> org.apache.tomcat.util.net >> .NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) >> >>> [tomcat-coyote.jar:8.0.18] >> >>> >> >>> at >> >>> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> >>> [na:1.8.0_25] >> >>> >> >>> at >> >>> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> >>> [na:1.8.0_25] >> >>> >> >>> at >> >>> >> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >> >>> [tomcat-util.jar:8.0.18] >> >>> >> >>> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25] >> >>> >> >>> Caused by: java.net.ConnectException: Connection timed out >> >>> >> >>> at java.net.PlainSocketImpl.socketConnect(Native Method) >> ~[na:1.8.0_25] >> >>> >> >>> at >> >>> java.net >> .AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) >> >>> ~[na:1.8.0_25] >> >>> >> >>> at >> >>> java.net >> .AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) >> >>> ~[na:1.8.0_25] >> >>> >> >>> at >> >>> java.net >> .AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) >> >>> ~[na:1.8.0_25] >> >>> >> >>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) >> >>> ~[na:1.8.0_25] >> >>> >> >>> at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25] >> >>> >> >>> at 
sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
>> >>>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) ~[httpclient-4.2.1.jar:4.2.1]
>> >>>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.1.jar:4.2.1]
>> >>>     ... 29 common frames omitted
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> keycloak-user mailing list
>> >>> keycloak-user at lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>
>> >>
>> >
>> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160114/26dbc417/attachment-0001.html

From jeremy at jeremysimon.com Thu Jan 14 18:44:53 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Thu, 14 Jan 2016 18:44:53 -0500
Subject: [keycloak-user] Spring Boot REST Service Example(s)
Message-ID:

Hi,

Would anyone be willing to point me to some good working examples that are REST services built with Spring Boot but can leverage Keycloak for authentication? I had no trouble integrating a webapp with the SAML protocol, but this OpenID Connect (/OAuth2?) area of things is really confusing.

All I'm trying to do is secure the REST endpoints I made and then when I actually hit a controller, also be able to pull some role or attribute information off the Authentication token.

I tried to cobble together something using the reference guide and the adaptors sections, but to no avail. In particular I followed the 8.9 Spring Boot Adaptor but I get 302s and this in the response if I try a REST client...
----
302 Found

form

HEADERS
Content-Length:0 Bytes
Date:
2016 Jan 14 18:41:13
Location:http://localhost:11080/auth/realms/jeremy/protocol/openid-connect/auth?response_type=code&client_id=try&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fadmin&state=1%2F82011a10-3b29-44eb-9801-e723c03c94bf&login=true
S

----

At any rate, I tried some extra spring security and other mentions down further in the guide, but I'm definitely digging myself into a little hole! Any help would be greatly appreciated!

Possibly uneducated guess with this subject, can Spring Security OAuth be used with this? Probably can't with the OpenID JWT responses?

jeremy
jeremy at jeremysimon.com
www.JeremySimon.com

From bburke at redhat.com Thu Jan 14 18:56:46 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 14 Jan 2016 18:56:46 -0500
Subject: [keycloak-user] Spring Boot REST Service Example(s)
In-Reply-To:
References:
Message-ID: <569835BE.3070409@redhat.com>

Andrzej already replied to this earlier: take a look at these examples: https://github.com/agolPL/keycloak-spring-demo

On 1/14/2016 6:44 PM, Jeremy Simon wrote:
> Hi,
>
> Would anyone be willing to point me to some good working examples that are REST services built with Spring Boot but can leverage Keycloak for authentication? I had no trouble integrating a webapp with the SAML protocol, but this OpenID Connect (/OAuth2?) area of things is really confusing.
>
> All I'm trying to do is secure the REST endpoints I made and then when I actually hit a controller, also be able to pull some role or attribute information off the Authentication token.
>
> I tried to cobble together something using the reference guide and the adaptors sections, but to no avail. In particular I followed the 8.9 Spring Boot Adaptor but I get 302s and this in the response if I try a REST client...
>
> ----
> 302 Found
>
> form
>
> HEADERS
> Content-Length:0 Bytes
> Date:
> 2016 Jan 14 18:41:13
> Location:http://localhost:11080/auth/realms/jeremy/protocol/openid-connect/auth?response_type=code&client_id=try&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fadmin&state=1%2F82011a10-3b29-44eb-9801-e723c03c94bf&login=true
> S
>
> ----
>
> At any rate, I tried some extra spring security and other mentions down further in the guide, but I'm definitely digging myself into a little hole! Any help would be greatly appreciated!
>
> Possibly uneducated guess with this subject, can Spring Security OAuth be used with this? Probably can't with the OpenID JWT responses?
>
> jeremy
> jeremy at jeremysimon.com
> www.JeremySimon.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From kalc04 at gmail.com Thu Jan 14 22:42:18 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 15 Jan 2016 09:12:18 +0530
Subject: [keycloak-user] '500 Internal Server Error' thrown when 'Update User' API is invoked w/o 'username' in the payload
Message-ID:

Hi,

Refer title for the bug. This seems to have been introduced after 1.2.0.Final because in that version we didn't have this problem. Failure happens in 1.7.0.Final. Checked the logs and there's a NullPointerException thrown.

Shall I create a JIRA?

Regards,
Lohitha.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160115/15f1200a/attachment.html

From hpeng at redhat.com Thu Jan 14 23:44:36 2016
From: hpeng at redhat.com (JasonPeng)
Date: Fri, 15 Jan 2016 12:44:36 +0800
Subject: [keycloak-user] How to correctly use REST API?
delete user through REST API for example
In-Reply-To:
References:
Message-ID:

Hi Stian,

Do you have an example of pom.xml if I want to fully control the Keycloak user management (ex: create user, change roles)? I've tried the approach you suggest, however it comes out with a problem that I don't know if it's missing some dependency in my client project or I fail on configuring the jboss-deployment-structure.xml

Thanks,
Jason

From: Stian Thorgersen
Reply-To:
Date: Thursday, January 14, 2016 at 5:00 PM
To: JasonMacAir
Cc: Thomas Darimont , keycloak-user
Subject: Re: [keycloak-user] How to correctly use REST API? delete user through REST API for example

EAP 6.4 has an old version of RestEasy without the RestEasy client. Easiest option is probably to just include newer RestEasy jars in your WAR.

On 14 January 2016 at 09:55, JasonPeng wrote:
> Hi Thomas,
>
> Thanks for the recommendation. However, I bumped into some classloader issue when I tried it on my EAP 6.4 + Keycloak 1.1.7.Final environment.
>
> I keep getting the class not found error against RestEasy Client, "java.lang.NoClassDefFoundError: org/jboss/resteasy/client/jaxrs/ResteasyClientBuilder". Although I'd setup my jboss-deployment-structure.xml in my project under /WEB-INF/. The setting is like below:
>
>
>
> services="import"/>
>
>
>
> Thank you and best regards,
>
> Jason Peng
> Solution Architect, Taiwan
> Red Hat Limited
> TEL: +886-2-7743-2972
> FAX: +886-2-7743-2974
> Mobile: +886-988-836-827
> EMAIL: hpeng at redhat.com
>
>
>
> From: Thomas Darimont
> Date: Wednesday, January 13, 2016 at 3:26 AM
> To: JasonMacAir
> Cc: keycloak-user
> Subject: Re: [keycloak-user] How to correctly use REST API? delete user through REST API for example
>
> Hi Jason,
>
> do you really need to use the raw REST API or would it be an option to use the keycloak-admin-client API?
>
> here is an example for creating and deleting a user via the admin-client API:
>
> package de.tdlabs.training.keycloak;
>
> import static java.util.Arrays.asList;
>
> import javax.ws.rs.core.Response;
>
> import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
> import org.keycloak.admin.client.Keycloak;
> import org.keycloak.admin.client.KeycloakBuilder;
> import org.keycloak.representations.idm.CredentialRepresentation;
> import org.keycloak.representations.idm.UserRepresentation;
>
> public class KeycloakAdminClientExample {
>
>     public static void main(String[] args) throws Exception {
>
>         // Obtain an admin token from realm "rest-example" as rest-user-admin via the admin-cli client
>         Keycloak kc = KeycloakBuilder.builder() //
>                 .serverUrl("http://localhost:8081/auth") //
>                 .realm("rest-example") //
>                 .username("rest-user-admin") //
>                 .password("password") //
>                 .clientId("admin-cli") //
>                 .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()) //
>                 .build();
>
>         CredentialRepresentation credential = new CredentialRepresentation();
>         credential.setType(CredentialRepresentation.PASSWORD);
>         credential.setValue("test123");
>         credential.setTemporary(false);
>
>         UserRepresentation user = new UserRepresentation();
>         user.setUsername("testuser");
>         user.setFirstName("Test");
>         user.setLastName("User");
>         user.setCredentials(asList(credential));
>         user.setEnabled(true);
>         user.setRealmRoles(asList("admin"));
>
>         // Create testuser
>         Response result = kc.realm("rest-example").users().create(user);
>         if (result.getStatus() != 201) {
>             System.err.println("Couldn't create user.");
>             System.exit(0);
>         }
>         System.out.println("Testuser created.... verify in keycloak!");
>
>         System.out.println("Press any key...");
>         System.in.read();
>
>         // Delete testuser: the Location header of the 201 response points at the new user,
>         // and its last path segment is the user id
>         String locationHeader = result.getHeaderString("Location");
>         String userId = locationHeader.replaceAll(".*/(.*)$", "$1");
>         kc.realm("rest-example").users().get(userId).remove();
>     }
> }
>
>
> https://gist.github.com/thomasdarimont/43689aefb37540624e35
>
> Cheers,
> Thomas
>
> 2016-01-12 19:05 GMT+01:00 JasonPeng :
>> Hi there,
>>
>> Can someone give me some hint about how to correctly setup a client that can accept REST request from a httpclient in keycloak?
>> For example, I use the admin-access example from keycloak source project and modify it to do a DELETE action through REST API, however I keep getting the request Forbidden 403 from keycloak server. I don't change any setting of the admin-client imported from the json file and my code snippet of deleting user as below:
>>
>> public static void deleteUser(HttpServletRequest request, AccessTokenResponse res) throws Failure {
>>     HttpClient client = new DefaultHttpClient();
>>     String userId = "e20277f8-2ebe-4e5e-aa00-0cee9c578249";
>>     try {
>>         HttpDelete delete = new HttpDelete(getBaseUrl(request) + "/admin/realms/demo/users/" + userId);
>>         delete.addHeader("Authorization", "Bearer " + res.getToken());
>>         HttpResponse response = client.execute(delete);
>>         System.out.println(response.getStatusLine().getReasonPhrase());
>>         // A successful user DELETE in Keycloak answers 204 No Content, not 200
>>         if (response.getStatusLine().getStatusCode() != 204) {
>>             throw new Failure(response.getStatusLine().getStatusCode());
>>         }
>>         // A 204 carries no entity, so guard before reading the body
>>         HttpEntity entity = response.getEntity();
>>         if (entity != null) {
>>             InputStream is = entity.getContent();
>>             if (is != null)
>>                 is.close();
>>         }
>>     } catch (IOException e) {
>>         throw new RuntimeException(e);
>>     } finally {
>>         client.getConnectionManager().shutdown();
>>     }
>> }
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160115/6cfea2b1/attachment-0001.html

From aikeaguinea at xsmail.com Fri Jan 15 10:05:48 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Fri, 15 Jan 2016 10:05:48 -0500
Subject: [keycloak-user] Any limit on number of clients?
In-Reply-To: <56966343.4050703@redhat.com>
References: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> <569592D2.2070304@redhat.com> <1452644284.4110312.490429250.7C2DAB4A@webmail.messagingengine.com> <56966343.4050703@redhat.com>
Message-ID: <1452870348.285393.493120858.5459A189@webmail.messagingengine.com>

I realize these aren't clients in the sense Keycloak intends, but in this case Keycloak provides all the functionality I need without me having to rebuild it myself -- particularly with respect to generating and managing certificates. Since the devices are all under our control, the concept of a service account seems to fit even if the Keycloak concept of "client" really is intended for something else.

Will using Keycloak clients for this purpose get us in trouble somehow?

On Wed, Jan 13, 2016, at 09:46 AM, Bill Burke wrote:
> I think you'd be better served having public clients and developing cert auth for users via our auth spi, as these are users aren't they? They aren't clients in the sense of what Keycloak thinks of as a client. A client in keycloak is really a service or web app.
>
> On 1/13/2016 2:43 AM, Stian Thorgersen wrote:
>> As Bill said we haven't tested with loads of clients, but we need to be able to scale to hundreds or probably thousand clients at least. So if you run into issues with it let us know and we'll look into it.
>>
>> On 13 January 2016 at 01:18, Aikeaguinea wrote:
>>> I'd say we're talking on the order of a hundred to start with; this could ramp up to multiples of that within a year or two. I imagine the thing to do would be for us to do some stress testing of our own.
>>>
>>> On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote:
>>> > How many devices you talking about? I think it may become an issue as we haven't really stressed and benched with tons (hundreds/thousands) of clients.
>>> >
>>> > On 1/12/2016 6:08 PM, Aikeaguinea wrote:
>>> > > We have a number of devices that need to access APIs; for various reasons we need to use client certificates for this purpose.
>>> > >
>>> > > I have noticed that Keycloak will allow service accounts to authenticate using client certificates and that these certificates can be generated within Keycloak. This looks like it fits our needs well -- when we set up a new device we would need to set up a new client and service account for it in Keycloak. I've verified through testing that we can make this work.
>>> > >
>>> > > Ultimately we may have to manage a fairly large number of devices, say in the hundreds. Is there any reason that Keycloak would limit us in the number of clients we could create and manage in this way?
>>> > >
>>> >
>>> > --
>>> > Bill Burke
>>> > JBoss, a division of Red Hat
>>> > http://bill.burkecentral.com
>>> >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> --
>>> Aikeaguinea
>>> aikeaguinea at xsmail.com
>>>
>>> --
>>> http://www.fastmail.com - Or how I learned to stop worrying and love email again
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _________________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Aikeaguinea
aikeaguinea at xsmail.com

--
http://www.fastmail.com - The way an email service should be
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160115/70762572/attachment.html

From RLewis at carbonite.com Fri Jan 15 10:16:07 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Fri, 15 Jan 2016 15:16:07 +0000
Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak
Message-ID:

Hi,

We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data "live" in KeyCloak and never refer to the external datasource again once the account is "migrated" into KeyCloak. Can this be done with some modification of federation? We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.

Thank you,
Reed Lewis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160115/52033342/attachment.html

From sthorger at redhat.com Fri Jan 15 10:37:10 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 15 Jan 2016 16:37:10 +0100
Subject: [keycloak-user] Any limit on number of clients?
In-Reply-To: <1452870348.285393.493120858.5459A189@webmail.messagingengine.com>
References: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> <569592D2.2070304@redhat.com> <1452644284.4110312.490429250.7C2DAB4A@webmail.messagingengine.com> <56966343.4050703@redhat.com> <1452870348.285393.493120858.5459A189@webmail.messagingengine.com>
Message-ID:

Depends on what a device is. If it's a device that is controlled by a human that could authenticate as themselves then use a user account. If it's a device that is purely non-human then use a service account.

On 15 January 2016 at 16:05, Aikeaguinea wrote:
> I realize these aren't clients in the sense Keycloak intends, but in this case Keycloak provides all the functionality I need without me having to rebuild it myself -- particularly with respect to generating and managing certificates. Since the devices are all under our control, the concept of a service account seems to fit even if the Keycloak concept of "client" really is intended for something else.
>
> Will using Keycloak clients for this purpose get us in trouble somehow?
>
>
> On Wed, Jan 13, 2016, at 09:46 AM, Bill Burke wrote:
>
> I think you'd be better served having public clients and developing cert auth for users via our auth spi, as these are users aren't they?
They > aren't clients in the sense of what Keycloak thinks of as a client. A > client in keycloak is really a service or web app. > > On 1/13/2016 2:43 AM, Stian Thorgersen wrote: > > As Bill said we haven't tested with loads of clients, but we need to be > able to scale to hundreds or probably thousand clients at least. So if you > run into issues with it let us know and we'll look into it. > > On 13 January 2016 at 01:18, Aikeaguinea wrote: > > I'd say we're talking on the order of a hundred to start with; this > could ramp up to multiples of that within a year or two. I imagine the > thing to do would be for us to do some stress testing of our own. > > On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote: > > How many devices you talking about? I think it may become an issue as > > we haven't really stressed and benched with tons (hundreds/thousands) of > > clients. > > > > On 1/12/2016 6:08 PM, Aikeaguinea wrote: > > > We have a number of devices that need to access APIs; for various > > > reasons we need to use client certificates for this purpose. > > > > > > I have noticed that Keycloak will allow service accounts to > authenticate > > > using client certificates and that these certificates can be generated > > > within Keycloak. This looks like it fits our needs well -- when we set > > > up a new device we would need to set up a new client and service > account > > > for it in Keycloak. I've verified through testing that we can make this > > > work. > > > > > > Ultimately we may have to manage a fairly large number of devices, say > > > in the hundreds. Is there any reason that Keycloak would limit us in > the > > > number of clients we could create and manage in this way? 
> > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Aikeaguinea > aikeaguinea at xsmail.com > > -- > http://www.fastmail.com - Or how I learned to stop worrying and > love email again > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > *_______________________________________________* > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Aikeaguinea > aikeaguinea at xsmail.com > > > > -- http://www.fastmail.com - The way an email service should be > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160115/c07c528f/attachment-0001.html From sthorger at redhat.com Fri Jan 15 10:42:56 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 15 Jan 2016 16:42:56 +0100 Subject: [keycloak-user] '500 Internal Server Error' thrown when 'Update User' API is invoked w/o 'username' in the payload In-Reply-To: References: Message-ID: Yes please On 15 January 2016 at 04:42, Lohitha Chiranjeewa wrote: > Hi, > > Refer title for the bug. 
This seems to have been introduced after 1.2.0.Final because in that version we didn't have this problem. Failure happens in 1.7.0.Final. Checked the logs and there's a NullPointerException thrown.
>
> Shall I create a JIRA?
>
>
> Regards,
> Lohitha.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160115/77e503ef/attachment.html

From sthorger at redhat.com Fri Jan 15 10:50:35 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 15 Jan 2016 16:50:35 +0100
Subject: [keycloak-user] How to correctly use REST API? delete user through REST API for example
In-Reply-To:
References:
Message-ID:

We have an issue outstanding to get the admin-client example working on EAP 6.4. https://issues.jboss.org/browse/KEYCLOAK-1921 Not sure when we'll get to it though.

I suspect the only way to get it to work on EAP 6.4 would be to prevent the old RestEasy from being added (should be possible to do in jboss-secure-deployment with exclude subsystem), then add the new RestEasy dependencies directly to the WAR.

You could also look at https://docs.jboss.org/resteasy/docs/3.0.1.Final/userguide/html/Installation_Configuration.html#upgrading-eap61

On 15 January 2016 at 05:44, JasonPeng wrote:
> Hi Stian,
>
> Do you have an example of pom.xml if I want to fully control the Keycloak user management (ex: create user, change roles)?
I've tried the approach you suggest, however it comes out with a problem that I don't know if it's missing some dependency in my client project or I fail on configuring the jboss-deployment-structure.xml
>
> Thanks,
> Jason
>
>
>
> From: Stian Thorgersen
> Reply-To:
> Date: Thursday, January 14, 2016 at 5:00 PM
> To: JasonMacAir
> Cc: Thomas Darimont , keycloak-user <keycloak-user at lists.jboss.org>
>
> Subject: Re: [keycloak-user] How to correctly use REST API? delete user through REST API for example
>
> EAP 6.4 has an old version of RestEasy without the RestEasy client. Easiest option is probably to just include newer RestEasy jars in your WAR.
>
> On 14 January 2016 at 09:55, JasonPeng wrote:
>
>> Hi Thomas,
>>
>> Thanks for the recommendation. However, I bumped into some classloader issue when I tried it on my EAP 6.4 + Keycloak 1.1.7.Final environment.
>>
>> I keep getting the class not found error against RestEasy Client, "java.lang.NoClassDefFoundError: org/jboss/resteasy/client/jaxrs/ResteasyClientBuilder". Although I'd setup my jboss-deployment-structure.xml in my project under /WEB-INF/. The setting is like below:
>>
>>
>>
>> services="import"/>
>>
>>
>>
>> Thank you and best regards,
>>
>> Jason Peng
>> Solution Architect, Taiwan
>> Red Hat Limited
>> TEL: +886-2-7743-2972
>> FAX: +886-2-7743-2974
>> Mobile: +886-988-836-827
>> EMAIL: hpeng at redhat.com
>>
>>
>>
>> From: Thomas Darimont
>> Date: Wednesday, January 13, 2016 at 3:26 AM
>> To: JasonMacAir
>> Cc: keycloak-user
>> Subject: Re: [keycloak-user] How to correctly use REST API? delete user through REST API for example
>>
>> Hi Jason,
>>
>> do you really need to use the raw REST API or would it be an option to use the keycloak-admin-client API?
>>
>> here is an example for creating and deleting a user via the admin-client API:
>>
>> package de.tdlabs.training.keycloak;
>>
>> import static java.util.Arrays.asList;
>>
>> import javax.ws.rs.core.Response;
>>
>> import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
>> import org.keycloak.admin.client.Keycloak;
>> import org.keycloak.admin.client.KeycloakBuilder;
>> import org.keycloak.representations.idm.CredentialRepresentation;
>> import org.keycloak.representations.idm.UserRepresentation;
>>
>> public class KeycloakAdminClientExample {
>>
>>   public static void main(String[] args) throws Exception {
>>
>>     // Admin client authenticates with a direct grant against the admin-cli client
>>     Keycloak kc = KeycloakBuilder.builder() //
>>         .serverUrl("http://localhost:8081/auth") //
>>         .realm("rest-example") //
>>         .username("rest-user-admin") //
>>         .password("password") //
>>         .clientId("admin-cli") //
>>         .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()) //
>>         .build();
>>
>>     CredentialRepresentation credential = new CredentialRepresentation();
>>     credential.setType(CredentialRepresentation.PASSWORD);
>>     credential.setValue("test123");
>>     credential.setTemporary(false);
>>
>>     UserRepresentation user = new UserRepresentation();
>>     user.setUsername("testuser");
>>     user.setFirstName("Test");
>>     user.setLastName("User");
>>     user.setCredentials(asList(credential));
>>     user.setEnabled(true);
>>     user.setRealmRoles(asList("admin"));
>>
>>     // Create testuser; the admin API answers 201 Created with a Location header
>>     Response result = kc.realm("rest-example").users().create(user);
>>     if (result.getStatus() != 201) {
>>       System.err.println("Couldn't create user.");
>>       System.exit(1); // non-zero exit code so callers can see the failure
>>     }
>>     System.out.println("Testuser created.... verify in keycloak!");
>>
>>     System.out.println("Press any key...");
>>     System.in.read();
>>
>>     // Delete testuser: the new user's id is the last path segment of the Location header
>>     String locationHeader = result.getHeaderString("Location");
>>     String userId = locationHeader.replaceAll(".*/(.*)$", "$1");
>>     kc.realm("rest-example").users().get(userId).remove();
>>   }
>> }
>>
>> https://gist.github.com/thomasdarimont/43689aefb37540624e35
>>
>> Cheers,
>> Thomas
>>
>> 2016-01-12 19:05 GMT+01:00 JasonPeng :
>>> Hi there,
>>>
>>> Can someone give me some hint about how to correctly set up a client that
>>> can accept REST requests from an httpclient in keycloak?
>>> For example, I use the admin-access example from the keycloak source project
>>> and modify it to do a DELETE action through the REST API, however I keep
>>> getting the request Forbidden 403 from the keycloak server. I don't change any
>>> setting of the admin-client imported from the json file and my code snippet
>>> for deleting a user is below:
>>>
>>> public static void deleteUser(HttpServletRequest request, AccessTokenResponse res) throws Failure {
>>>   HttpClient client = new DefaultHttpClient();
>>>   String userId = "e20277f8-2ebe-4e5e-aa00-0cee9c578249";
>>>   try {
>>>     HttpDelete delete = new HttpDelete(getBaseUrl(request) + "/admin/realms/demo/users/" + userId);
>>>     // Bearer token obtained from the Keycloak login; the 403 means this token is not allowed to manage users
>>>     delete.addHeader("Authorization", "Bearer " + res.getToken());
>>>     HttpResponse response = client.execute(delete);
>>>     System.out.println(response.getStatusLine().getReasonPhrase());
>>>     // A successful DELETE on the admin API returns 204 No Content, not 200
>>>     if (response.getStatusLine().getStatusCode() != 204) {
>>>       throw new Failure(response.getStatusLine().getStatusCode());
>>>     }
>>>     HttpEntity entity = response.getEntity();
>>>     if (entity != null) { // 204 carries no body
>>>       InputStream is = entity.getContent();
>>>       if (is != null)
>>>         is.close();
>>>     }
>>>   } catch (IOException e) {
>>>     throw new RuntimeException(e);
>>>   } finally {
>>>     client.getConnectionManager().shutdown();
>>>   }
>>> }
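The admin REST exchange discussed above (obtain a token with a direct grant, create a user, read its id back from the Location header, delete it, and tell a 403 apart from success), as an added example that is not from this thread and not Keycloak's admin-client. The endpoint paths are Keycloak's admin REST API; the realm, user and client names are the thread's sample values; the transport callable, KeycloakAdmin and AdminApiError are this example's own so it can be driven offline by a fake.

```python
"""Small Keycloak admin REST client (constructed example, not Keycloak's admin-client).

Endpoint layout follows Keycloak's admin REST API:
  POST   {base}/realms/{realm}/protocol/openid-connect/token   direct grant -> access_token
  POST   {base}/admin/realms/{realm}/users                     201 Created + Location: .../users/{id}
  DELETE {base}/admin/realms/{realm}/users/{id}                204 No Content
The HTTP transport is a plain callable so the client can be exercised with a fake.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Same idea as the thread's Location-header regex: the user id is the last path segment.
_LAST_SEGMENT = re.compile(r".*/([^/]+)$")


class AdminApiError(Exception):
    """Raised for any admin API status the caller did not expect (401, 403, 409, ...)."""

    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status


def user_id_from_location(location):
    """Extract the new user's id from the Location header of a 201 Created response."""
    if not location:
        raise ValueError("201 Created without a Location header")
    match = _LAST_SEGMENT.match(location.rstrip("/"))
    if match is None:
        raise ValueError(f"unparseable Location header: {location}")
    return match.group(1)


def _header(headers, name):
    """Case-insensitive header lookup (a server may send 'location' or 'Location')."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def urllib_transport(method, url, headers, body):
    """Default transport: (method, url, headers, body) -> (status, headers, body_bytes)."""
    request = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(request) as response:
            return response.status, dict(response.headers), response.read()
    except urllib.error.HTTPError as err:  # a non-2xx status is data here, not an exception
        return err.code, dict(err.headers), err.read()


class KeycloakAdmin:
    def __init__(self, base_url, realm, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.realm = realm
        self.transport = transport
        self.token = None

    def login(self, username, password, client_id="admin-cli"):
        """Resource-owner-password (direct) grant, the same flow the admin-client uses."""
        url = f"{self.base_url}/realms/{self.realm}/protocol/openid-connect/token"
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                       "username": username, "password": password}).encode()
        status, _, body = self.transport(
            "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise AdminApiError(status, "token request rejected")
        self.token = json.loads(body)["access_token"]
        return self.token

    def _headers(self, extra=None):
        if self.token is None:
            raise AdminApiError(401, "no access token: call login() first")
        return {"Authorization": f"Bearer {self.token}", **(extra or {})}

    def create_user(self, representation):
        """POST a UserRepresentation dict; return the id Keycloak assigned to it."""
        url = f"{self.base_url}/admin/realms/{self.realm}/users"
        status, headers, _ = self.transport(
            "POST", url, self._headers({"Content-Type": "application/json"}),
            json.dumps(representation).encode())
        if status == 403:  # token accepted, but its user may not manage users in this realm
            raise AdminApiError(403, "token lacks the realm-management manage-users role")
        if status == 409:
            raise AdminApiError(409, "username or email already exists")
        if status != 201:
            raise AdminApiError(status, "unexpected status on user creation")
        return user_id_from_location(_header(headers, "Location"))

    def delete_user(self, user_id):
        """DELETE the user: True on 204, False if it was already gone, error otherwise."""
        url = f"{self.base_url}/admin/realms/{self.realm}/users/{user_id}"
        status, _, _ = self.transport("DELETE", url, self._headers(), None)
        if status == 204:
            return True
        if status == 404:
            return False
        if status == 403:
            raise AdminApiError(403, "token lacks the realm-management manage-users role")
        raise AdminApiError(status, "unexpected status on user deletion")
```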
From thomas.darimont at googlemail.com Fri Jan 15 11:06:50 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 15 Jan 2016 17:06:50 +0100
Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak

Hello Reed,

as you already wrote, you can write a federation provider that queries your backend service via REST for user data. Within the federation provider you can then import the user data returned from the REST call.

This would work as follows - within the method

    org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String)

you call your backend REST service. As a next step you create a new user with the given username:

    UserModel keycloakUser = session.userStorage().addUser(realm, username);

Then you copy all the user data from your backend into Keycloak's UserModel.

After that your backend user has a corresponding representation in Keycloak with a reference to this federation provider (id) via the "userModel.federationLink" property. The federation link will also be shown in the user page in the keycloak admin console. As long as the federation link is in place keycloak will ask the federation provider for the latest user data. Once you decide to cut the link to the federation provider you can simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation link right after you added the user to Keycloak.
Keycloak has no link information after that anymore and it will only use the user data stored in the Keycloak database for that particular user.

You also have the option to do that for all your users via

    org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)

or just use it on demand per user when he / she wants to log in for the first time.

Cheers,
Thomas

2016-01-15 16:16 GMT+01:00 Reed Lewis :
> Hi,
> We are examining KeyCloak (It looks like it can do what we want), but
> we have the need to have an external lookup of accounts who are not in
> KeyCloak in an external database which is accessible via a REST call. I
> know about federation, but would prefer to only check the external
> datasource if the user is not in KeyCloak, but from then on have all the
> data "live" in KeyCloak and never refer to the external datasource again
> once the account is "migrated" into KeyCloak.
>
> Can this be done with some modification of federation?
>
> We do not want to add the user accounts directly into KeyCloak as there
> are many more there than will ever be in KeyCloak.
>
> Thank you,
>
> Reed Lewis

From thomas.darimont at googlemail.com Fri Jan 15 11:08:49 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 15 Jan 2016 17:08:49 +0100
Subject: [keycloak-user] Any limit on number of clients?
References: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> <569592D2.2070304@redhat.com> <1452644284.4110312.490429250.7C2DAB4A@webmail.messagingengine.com> <56966343.4050703@redhat.com> <1452870348.285393.493120858.5459A189@webmail.messagingengine.com>

Quick question, do you only want to use clients because they support authentication via certificates?

Isn't it possible to have certificate based authentication for users as well?

Cheers,
Thomas

2016-01-15 16:37 GMT+01:00 Stian Thorgersen :
> Depends on what a device is. If it's a device that is controlled by a
> human that could authenticate as themselves then use a user account. If
> it's a device that is purely non-human then use a service account.
>
> On 15 January 2016 at 16:05, Aikeaguinea wrote:
>> I realize these aren't clients in the sense Keycloak intends, but in this
>> case Keycloak provides all the functionality I need without me having to
>> rebuild it myself -- particularly with respect to generating and managing
>> certificates. Since the devices are all under our control, the concept of a
>> service account seems to fit even if the Keycloak concept of "client"
>> really is intended for something else.
>>
>> Will using Keycloak clients for this purpose get us in trouble somehow?
>>
>> On Wed, Jan 13, 2016, at 09:46 AM, Bill Burke wrote:
>>
>> I think you'd be better served having public clients and developing cert
>> auth for users via our auth spi, as these are users aren't they? They
>> aren't clients in the sense of what Keycloak thinks of as a client. A
>> client in keycloak is really a service or web app.
>>
>> On 1/13/2016 2:43 AM, Stian Thorgersen wrote:
>>
>> As Bill said we haven't tested with loads of clients, but we need to be
>> able to scale to hundreds or probably thousand clients at least. So if you
>> run into issues with it let us know and we'll look into it.
>>
>> On 13 January 2016 at 01:18, Aikeaguinea wrote:
>>
>> I'd say we're talking on the order of a hundred to start with; this
>> could ramp up to multiples of that within a year or two. I imagine the
>> thing to do would be for us to do some stress testing of our own.
>>
>> On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote:
>> > How many devices you talking about? I think it may become an issue as
>> > we haven't really stressed and benched with tons (hundreds/thousands) of
>> > clients.
>> >
>> > On 1/12/2016 6:08 PM, Aikeaguinea wrote:
>> > > We have a number of devices that need to access APIs; for various
>> > > reasons we need to use client certificates for this purpose.
>> > >
>> > > I have noticed that Keycloak will allow service accounts to authenticate
>> > > using client certificates and that these certificates can be generated
>> > > within Keycloak. This looks like it fits our needs well -- when we set
>> > > up a new device we would need to set up a new client and service account
>> > > for it in Keycloak. I've verified through testing that we can make this
>> > > work.
>> > >
>> > > Ultimately we may have to manage a fairly large number of devices, say
>> > > in the hundreds. Is there any reason that Keycloak would limit us in the
>> > > number of clients we could create and manage in this way?
>> > --
>> > Bill Burke
>> > JBoss, a division of Red Hat
>> > http://bill.burkecentral.com
>>
>> --
>> Aikeaguinea
>> aikeaguinea at xsmail.com

From RLewis at carbonite.com Fri Jan 15 13:44:11 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Fri, 15 Jan 2016 18:44:11 +0000
Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak

Thank you. This is exactly what I was looking for.

Reed

From: Thomas Darimont
Date: Friday, January 15, 2016 at 11:06 AM
To: Reed Lewis
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak

From traviskds at gmail.com Fri Jan 15 15:06:44 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Fri, 15 Jan 2016 20:06:44 +0000
Subject: [keycloak-user] Client Id and Timeout

I can understand that. But without the client ID, we cannot redirect them back to the login screen.

Is there any way where the redirect url can be sent as a query string together with the code? That way, we can then pick the redirect url from the query string and redirect the user back to the appropriate login screen.

On Thu, 14 Jan 2016 at 18:56 Stian Thorgersen wrote:
> Once the client session is removed (it's deleted at some point after the
> login has timed out) the client id is no longer available.
> We have to delete this session at some point as otherwise we'd be left
> with garbage from abandoned logins
>
> On 13 January 2016 at 21:27, Travis De Silva wrote:
>> Hi,
>>
>> For theming the login for different clients within a realm, we are
>> conditionally checking for the client ID in the freemarker templates and
>> then accordingly including sub freemarker templates. This is working
>> perfectly but the issue is for certain errors, such as "You took too long
>> to login. Login process starting from beginning.", the clientid becomes
>> null (sometimes).
>>
>> Is there anything I can do from the freemarker template to identify the
>> client id so I can then accordingly handle these errors?
>>
>> Cheers
>> Travis
>>
>> clientId=null

From bburke at redhat.com Fri Jan 15 15:23:07 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 15 Jan 2016 15:23:07 -0500
Subject: [keycloak-user] Client Id and Timeout
Message-ID: <5699552B.4060507@redhat.com>

NO, you can't. This would create an open redirect probably and the themes are supposed to be completely independent of the protocol.

On 1/15/2016 3:06 PM, Travis De Silva wrote:
> I can understand that. But without the client ID, we cannot redirect
> them back to the login screen.
>
> Is there any way where the redirect url can be sent as a query string
> together with the code? That way, we can then pick the redirect url
> from the query string and redirect the user back to the appropriate
> login screen.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From traviskds at gmail.com Fri Jan 15 15:28:18 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Fri, 15 Jan 2016 20:28:18 +0000
Subject: [keycloak-user] Client Id and Timeout
In-Reply-To: <5699552B.4060507@redhat.com>
References: <5699552B.4060507@redhat.com>

Irrespective of the theme, how would you provide a link to the user to redirect back to the application in which they initiated the request in the first place?
For example, they click on the forgot password link or the register new user link. KeyCloak sends them an email with a link. But they don't click it for a while and then when they click it, it has expired. So we should be able to display an expired message and redirect them back to the login page. How can we handle this?

On Sat, 16 Jan 2016 at 07:23 Bill Burke wrote:
> NO, you can't. This would create an open redirect probably and the themes
> are supposed to be completely independent of the protocol.
From srossillo at smartling.com Fri Jan 15 16:42:36 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Fri, 15 Jan 2016 16:42:36 -0500
Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak
Message-ID: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com>

We just put up a blog post[0] and some sample code[1] on how to do this type of migration.

[0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
[1]: https://github.com/Smartling/keycloak-user-migration-provider

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Jan 15, 2016, at 11:06 AM, Thomas Darimont wrote:
>
> Hello Reed,
>
> as you already wrote, you can write a federation provider that queries your
> backend service via REST for user data.
From lingvisa at gmail.com Fri Jan 15 17:04:57 2016
From: lingvisa at gmail.com (Martin Min)
Date: Fri, 15 Jan 2016 14:04:57 -0800
Subject: [keycloak-user] A simple user login/registration in Keycloak

Hello,

I have followed the keycloak "customer-portal" demo to learn KeyCloak, and want to use it in an application, but have no idea of how to start with KeyCloak. This is what I need:

On my home page, there is a typical user name login and registration box, as you can see on many sites. How do I configure KeyCloak and register it in my application so that after the user types username and password, Keycloak will do the job for me?

In the customer-demo, the user first clicks a link "customer-linking", which redirects to the KeyCloak server for authentication, and this is configured in web.xml, in particular this section:

    Customers
    /customers/*
    user

In my case, users don't have to click a link to redirect to the Keycloak server to accept user input. My home page directly provides users with the user and password fields in the html form. How can I extend or modify the customer-portal demo to set up a very basic user login functionality in Keycloak for my application?

I understand this is probably something very basic, but I appreciate any feedback and information to achieve this.

Thank you.
From bburke at redhat.com Fri Jan 15 17:10:18 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 15 Jan 2016 17:10:18 -0500
Subject: [keycloak-user] A simple user login/registration in Keycloak
Message-ID: <56996E4A.1050600@redhat.com>

The idea with IDPs and SSO is that the Authentication server collects username and credentials. The app NEVER sees them. We do have a REST api that you can invoke to validate a user and obtain a token. If you use this though, and you don't let keycloak gather username/credentials itself through the browser, then SSO just won't work. The auth server needs to set up an SSO cookie with your browser for SSO to work.

On 1/15/2016 5:04 PM, Martin Min wrote:
> Hello,
>
> I have followed the keycloak "customer-portal" demo to learn KeyCloak,
> and want to use it in an application, but have no idea of how to start
> with KeyCloak. [...]
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From pnreddy.svu at gmail.com Fri Jan 15 20:53:23 2016
From: pnreddy.svu at gmail.com (Naresh Kumar Reddy)
Date: Sat, 16 Jan 2016 07:23:23 +0530
Subject: [keycloak-user] Securing Application which is exposed to Guest Users

Hi,

We have two applications which provide webinar functionality.

1) Provisioning app -- Organizers provision webinars and manage their account. Since organizers are Keycloak users, I can secure the provisioning app out of the box.

2) Webinar app -- The users of this app are organizers and participants. Participants are not provisioned as Keycloak users. Those are guest users.

My question is how do we secure the second app with Keycloak?

*Note*: Both apps will be under the same realm.

Is there any way to secure it with a custom field like webinarId which is passed as a parameter? Or is there a better solution? Under the same realm, securing one app with Keycloak users and the other app with custom authentication?

Thanks for the great work.

Thanks & Regards
Naresh

From aikeaguinea at xsmail.com Fri Jan 15 22:05:29 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Fri, 15 Jan 2016 22:05:29 -0500
Subject: [keycloak-user] Any limit on number of clients?
References: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> <569592D2.2070304@redhat.com> <1452644284.4110312.490429250.7C2DAB4A@webmail.messagingengine.com> <56966343.4050703@redhat.com> <1452870348.285393.493120858.5459A189@webmail.messagingengine.com>
Message-ID: <1452913529.3711136.493625842.7D35C650@webmail.messagingengine.com>

To my knowledge, if you want certificate-based authentication for users you'd have to write it yourself.

On Fri, Jan 15, 2016, at 11:08 AM, Thomas Darimont wrote:
> Quick question, do you only want to use clients because they support
> authentication via certificates?
>
> Isn't it possible to have certificate based authentication for users
> as well?
>
> Cheers, Thomas
>>>> >>>> On 1/13/2016 2:43 AM, Stian Thorgersen wrote: >>>>> As Bill said we haven't tested with loads of clients, but we need to be able to scale to hundreds or probably thousand clients at least. So if you run into issues with it let us know and we'll look into it. >>>>> >>>>> On 13 January 2016 at 01:18, Aikeaguinea wrote: >>>>>> I'd say we're talking on the order of a hundred to start with; this >>>>>> could ramp up to multiples of that within a year or two. I imagine the >>>>>> thing to do would be for us to do some stress testing of our own. >>>>>> >>>>>> On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote: >>>>>> > How many devices you talking about?? I think it may become an issue as >>>>>> > we haven't really stressed and benched with tons (hundreds/thousands) of >>>>>> > clients. >>>>>> > >>>>>> > On 1/12/2016 6:08 PM, Aikeaguinea wrote: >>>>>> > > We have a number of devices that need to access APIs; for various >>>>>> > > reasons we need to use client certificates for this purpose. >>>>>> > > >>>>>> > > I have noticed that Keycloak will allow service accounts to authenticate >>>>>> > > using client certificates and that these certificates can be generated >>>>>> > > within Keycloak. This looks like it fits our needs well -- when we set >>>>>> > > up a new device we would need to set up a new client and service account >>>>>> > > for it in Keycloak. I've verified through testing that we can make this >>>>>> > > work. >>>>>> > > >>>>>> > > Ultimately we may have to manage a fairly large number of devices, say >>>>>> > > in the hundreds. Is there any reason that Keycloak would limit us in the >>>>>> > > number of clients we could create and manage in this way? 
>>>>>> > > >>>>>> > >>>>>> > -- >>>>>> > Bill Burke JBoss, a division of Red Hat >>>>>> > http://bill.burkecentral.com >>>>>> > >>>>>> > _______________________________________________ >>>>>> > keycloak-user mailing list keycloak-user at lists.jboss.org >>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>>> >>>>>> -- >>>>>> Aikeaguinea >>>>>> aikeaguinea at xsmail.com >>>>>> >>>>>> -- >>>>>> http://www.fastmail.com - Or how I learned to stop worrying and >>>>>> love email again >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>>> _______________________________________________ keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> -- Bill Burke JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _________________________________________________ >>>> keycloak-user mailing list keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> -- >>> Aikeaguinea aikeaguinea at xsmail.com >>> >>> >>> >>> -- >>> http://www.fastmail.com - The way an email service should be >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user -- ? Aikeaguinea ? aikeaguinea at xsmail.com -- http://www.fastmail.com - The professional email service -------------- next part -------------- An HTML attachment was scrubbed... 
From aikeaguinea at xsmail.com Fri Jan 15 22:06:47 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Fri, 15 Jan 2016 22:06:47 -0500
Subject: [keycloak-user] Any limit on number of clients?
In-Reply-To: 
References: <1452640086.4095967.490381210.130D77EC@webmail.messagingengine.com> <569592D2.2070304@redhat.com> <1452644284.4110312.490429250.7C2DAB4A@webmail.messagingengine.com> <56966343.4050703@redhat.com> <1452870348.285393.493120858.5459A189@webmail.messagingengine.com>
Message-ID: <1452913607.3711568.493626474.0F82D884@webmail.messagingengine.com>

Yes, that's exactly what it is -- the device has to authenticate as itself.

On Fri, Jan 15, 2016, at 10:37 AM, Stian Thorgersen wrote:
> Depends on what a device is. If it's a device that is controlled by a
> human that could authenticate as themselves then use a user account.
> If it's a device that is purely non-human then use a service account.
>
> On 15 January 2016 at 16:05, Aikeaguinea wrote:
>> I realize these aren't clients in the sense Keycloak intends, but in
>> this case Keycloak provides all the functionality I need without me
>> having to rebuild it myself -- particularly with respect to
>> generating and managing certificates. Since the devices are all
>> under our control, the concept of a service account seems to fit
>> even if the Keycloak concept of "client" really is intended for
>> something else.
>>
>> Will using Keycloak clients for this purpose get us in trouble
>> somehow?
>>
>> On Wed, Jan 13, 2016, at 09:46 AM, Bill Burke wrote:
>>> I think you'd be better served having public clients and developing
>>> cert auth for users via our auth spi, as these are users aren't they?
>>> They aren't clients in the sense of what Keycloak thinks of as a
>>> client. A client in Keycloak is really a service or web app.
>>> >>> On 1/13/2016 2:43 AM, Stian Thorgersen wrote: >>>> As Bill said we haven't tested with loads of clients, but we need to be able to scale to hundreds or probably thousand clients at least. So if you run into issues with it let us know and we'll look into it. >>>> >>>> On 13 January 2016 at 01:18, Aikeaguinea wrote: >>>>> I'd say we're talking on the order of a hundred to start with; this >>>>> could ramp up to multiples of that within a year or two. I imagine the >>>>> thing to do would be for us to do some stress testing of our own. >>>>> >>>>> On Tue, Jan 12, 2016, at 06:57 PM, Bill Burke wrote: >>>>> > How many devices you talking about?? I think it may become an issue as >>>>> > we haven't really stressed and benched with tons (hundreds/thousands) of >>>>> > clients. >>>>> > >>>>> > On 1/12/2016 6:08 PM, Aikeaguinea wrote: >>>>> > > We have a number of devices that need to access APIs; for various >>>>> > > reasons we need to use client certificates for this purpose. >>>>> > > >>>>> > > I have noticed that Keycloak will allow service accounts to authenticate >>>>> > > using client certificates and that these certificates can be generated >>>>> > > within Keycloak. This looks like it fits our needs well -- when we set >>>>> > > up a new device we would need to set up a new client and service account >>>>> > > for it in Keycloak. I've verified through testing that we can make this >>>>> > > work. >>>>> > > >>>>> > > Ultimately we may have to manage a fairly large number of devices, say >>>>> > > in the hundreds. Is there any reason that Keycloak would limit us in the >>>>> > > number of clients we could create and manage in this way? 
>>>>> > > >>>>> > >>>>> > -- >>>>> > Bill Burke JBoss, a division of Red Hat >>>>> > http://bill.burkecentral.com >>>>> > >>>>> > _______________________________________________ >>>>> > keycloak-user mailing list keycloak-user at lists.jboss.org >>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> -- >>>>> Aikeaguinea >>>>> aikeaguinea at xsmail.com >>>>> >>>>> -- >>>>> http://www.fastmail.com - Or how I learned to stop worrying and >>>>> love email again >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> >>>> _______________________________________________ keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> -- Bill Burke JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _________________________________________________ >>> keycloak-user mailing list keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -- >> Aikeaguinea aikeaguinea at xsmail.com >> >> >> >> -- >> http://www.fastmail.com - The way an email service should be >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user -- ? Aikeaguinea ? aikeaguinea at xsmail.com -- http://www.fastmail.com - Faster than the air-speed velocity of an unladen european swallow -------------- next part -------------- An HTML attachment was scrubbed... 
From ornot2008 at yahoo.com Sat Jan 16 00:26:22 2016
From: ornot2008 at yahoo.com (Mai Zi)
Date: Sat, 16 Jan 2016 05:26:22 +0000 (UTC)
Subject: [keycloak-user] Can not work from time to time for broke SAML 2.0 Identity provider
References: <1414402271.5999490.1452921982367.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1414402271.5999490.1452921982367.JavaMail.yahoo@mail.yahoo.com>

We use 1.7.0 Final as SP to broker a SAML 2.0 IDP. We secure the realm for several clients. Here is the demo link: http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en

The test account is
ID: S2\Testnew2
Password: Daksh at 123

We found Keycloak does not work stably. The response will be dead from time to time.

Please take a try and help us. Let me know what info you need.

Mai

From traviskds at gmail.com Sat Jan 16 08:11:46 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Sat, 16 Jan 2016 13:11:46 +0000
Subject: [keycloak-user] Hotdeploy theme module
Message-ID: 

Hi,

As per the Keycloak docs (http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2380), you can bundle a theme into a jar and deploy it as a WildFly module.

This all works fine but the module is not hot-deployable. Whenever you make changes, you need to remove the module, then add it again and restart Keycloak.

As you can imagine this is not ideal.

I am trying to deploy the jar as a normal deployment, as in WildFly you can deploy jar files like you do war files.

When you deploy like this, the module name is deployment.javafilename.jar

Then I added this name to the keycloak-server.json file but when I restart Keycloak, it is not identifying the module.
Is there any other way where I can get my themes to reload once I redeploy the jar?

Note that as per the Keycloak docs, I disabled the theme cache as well.

Cheers
Travis

From ornot2008 at yahoo.com Sat Jan 16 08:34:22 2016
From: ornot2008 at yahoo.com (Mai Zi)
Date: Sat, 16 Jan 2016 13:34:22 +0000 (UTC)
Subject: [keycloak-user] Can not work from time to time for broke SAML 2.0 Identity provider
In-Reply-To: <1035654839.6553649.1452950737762.JavaMail.yahoo@mail.yahoo.com>
References: <1414402271.5999490.1452921982367.JavaMail.yahoo.ref@mail.yahoo.com> <1414402271.5999490.1452921982367.JavaMail.yahoo@mail.yahoo.com> <1035654839.6553649.1452950737762.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <731258399.5469994.1452951262540.JavaMail.yahoo@mail.yahoo.com>

One observation from the Keycloak log is as below:

2016-01-16 18:12:33,067 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=UnileverHR, clientId=null, userId=null, ipAddress=180.107.103.49, error=identityProviderAuthenticationFailedMessage
2016-01-16 18:12:33,071 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-30) identityProviderAuthenticationFailedMessage: org.keycloak.broker.provider.IdentityBrokerException: Invalid code, please login again through your client.
    at org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551)
    at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:251)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:319)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:350)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:165)
    at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:113)
    at sun.reflect.GeneratedMethodAccessor73.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)

In this case, we use the same account to log in from different clients at the same time. That is, we may use two machines' browsers to try to log in to the same IDP account.

I am not sure whether this is a legal case or not.

Thanks a lot

On Saturday, January 16, 2016 1:26 PM, Mai Zi wrote:

We use 1.7.0 Final as SP to broker a SAML 2.0 IDP. We secure the realm for several clients. Here is the demo link: http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en

The test account is
ID: S2\Testnew2
Password: Daksh at 123

We found Keycloak does not work stably. The response will be dead from time to time.

Please take a try and help us. Let me know what info you need.

Mai
From bburke at redhat.com Sat Jan 16 09:42:39 2016
From: bburke at redhat.com (Bill Burke)
Date: Sat, 16 Jan 2016 09:42:39 -0500
Subject: [keycloak-user] Hotdeploy theme module
In-Reply-To: 
References: 
Message-ID: <569A56DF.3000504@redhat.com>

Isn't there a theme directory in standalone/configuration? I don't know if it is rechecked or not.

On 1/16/2016 8:11 AM, Travis De Silva wrote:
> Hi,
>
> As per the Keycloak docs
> (http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2380)
>
> You can bundle a theme into a jar and deploy it as a WildFly module.
>
> This all works fine but the module is not hot-deployable. Whenever you
> make changes, you need to remove the module, then add it again and
> restart Keycloak.
>
> As you can imagine this is not ideal.
>
> I am trying to deploy the jar as a normal deployment, as in WildFly you
> can deploy jar files like you do war files.
>
> When you deploy like this, the module name is deployment.javafilename.jar
>
> Then I added this name to the keycloak-server.json file but when I
> restart Keycloak, it is not identifying the module.
>
> Is there any other way where I can get my themes to reload once I
> redeploy the jar?
>
> Note that as per the Keycloak docs, I disabled the theme cache as well.
>
> Cheers
> Travis

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From bburke at redhat.com Sat Jan 16 09:43:53 2016
From: bburke at redhat.com (Bill Burke)
Date: Sat, 16 Jan 2016 09:43:53 -0500
Subject: [keycloak-user] Can not work from time to time for broke SAML 2.0 Identity provider
In-Reply-To: <731258399.5469994.1452951262540.JavaMail.yahoo@mail.yahoo.com>
References: <1414402271.5999490.1452921982367.JavaMail.yahoo.ref@mail.yahoo.com> <1414402271.5999490.1452921982367.JavaMail.yahoo@mail.yahoo.com> <1035654839.6553649.1452950737762.JavaMail.yahoo@mail.yahoo.com> <731258399.5469994.1452951262540.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <569A5729.3040802@redhat.com>

The external SAML IDP is not setting RelayState correctly. It is supposed to pass it as is.

On 1/16/2016 8:34 AM, Mai Zi wrote:
>
> One observation from the Keycloak log is as below:
>
> 2016-01-16 18:12:33,067 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=UnileverHR, clientId=null, userId=null, ipAddress=180.107.103.49, error=identityProviderAuthenticationFailedMessage
> 2016-01-16 18:12:33,071 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-30) identityProviderAuthenticationFailedMessage: org.keycloak.broker.provider.IdentityBrokerException:
> Invalid code, please login again through your client.
>     at org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551)
>     at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:251)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:319)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:350)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:165)
>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:113)
>     at sun.reflect.GeneratedMethodAccessor73.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>
> In this case, we use the same account to log in from different clients at the same time. That is, we may use two machines' browsers to try to log in to the same IDP account.
> I am not sure whether this is a legal case or not.
> Thanks a lot
>
> On Saturday, January 16, 2016 1:26 PM, Mai Zi wrote:
>
> We use 1.7.0 Final as SP to broker a SAML 2.0 IDP. We secure the
> realm for several clients.
> Here is the demo link:
> http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en
>
> The test account is
>
> ID : S2\Testnew2
> Password : Daksh at 123
>
> We found Keycloak does not work stably. The response will be dead from
> time to time.
>
> Please take a try and help us. Let me know what info you need.
>
> Mai

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From traviskds at gmail.com Sat Jan 16 17:29:58 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Sat, 16 Jan 2016 22:29:58 +0000
Subject: [keycloak-user] Hotdeploy theme module
In-Reply-To: <569A56DF.3000504@redhat.com>
References: <569A56DF.3000504@redhat.com>
Message-ID: 

Yes, but the Keycloak docs indicate that for production instances you should bundle the custom theme into a jar and then deploy it as a module. Hot deployment does not work when you deploy it as a module as indicated in the Keycloak docs.

I don't think WildFly does hot deployment for modules. But WildFly also mentions that everything that is deployed, such as war files and jar files, are modules. Therefore instead of creating the standard WildFly module, I tried to deploy it as a standard jar deployment and then referred to that deployment name in keycloak-server.json, but Keycloak did not pick it up.

On Sun, 17 Jan 2016 at 01:43 Bill Burke wrote:
> Isn't there a theme directory in standalone/configuration? I don't know
> if it is rechecked or not.
>
> On 1/16/2016 8:11 AM, Travis De Silva wrote:
>
> Hi,
>
> As per the Keycloak docs (
> http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2380
> )
>
> You can bundle a theme into a jar and deploy it as a WildFly module.
>
> This all works fine but the module is not hot-deployable. Whenever you make
> changes, you need to remove the module, then add it again and restart
> Keycloak.
>
> As you can imagine this is not ideal.
>
> I am trying to deploy the jar as a normal deployment, as in WildFly you can
> deploy jar files like you do war files.
>
> When you deploy like this, the module name is deployment.javafilename.jar
>
> Then I added this name to the keycloak-server.json file but when I restart
> Keycloak, it is not identifying the module.
>
> Is there any other way where I can get my themes to reload once I redeploy
> the jar?
>
> Note that as per the Keycloak docs, I disabled the theme cache as well.
>
> Cheers
> Travis
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From ornot2008 at yahoo.com Sat Jan 16 21:41:10 2016
From: ornot2008 at yahoo.com (Mai Zi)
Date: Sun, 17 Jan 2016 02:41:10 +0000 (UTC)
Subject: [keycloak-user] Can not work from time to time for broke SAML 2.0 Identity provider
In-Reply-To: <731258399.5469994.1452951262540.JavaMail.yahoo@mail.yahoo.com>
References: <1414402271.5999490.1452921982367.JavaMail.yahoo.ref@mail.yahoo.com> <1414402271.5999490.1452921982367.JavaMail.yahoo@mail.yahoo.com> <1035654839.6553649.1452950737762.JavaMail.yahoo@mail.yahoo.com> <731258399.5469994.1452951262540.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <111216355.6648929.1452998470279.JavaMail.yahoo@mail.yahoo.com>

Hi, B.B.

1) You mention "The external SAML IDP is not setting RelayState correctly. It is supposed to pass it as is."
From our observation, most of the time the brokering Keycloak works well, but at some point, once an error occurs, the state goes into a mess unless you restart Keycloak. Supposing this is caused by an incorrect RelayState from the IDP, and given that the external IDP is ADFS, what can we tell the ADFS admin to fix this? Sorry, we are not very familiar with this field and need your help.

2) We also observe there is a WARN in the log as below:

23:13:29,867 WARN [org.keycloak.events] (default task-1) type=CODE_TO_TOKEN_ERROR, realmId=UnileverHR, clientId=hrhelperNav, userId=00412ef1-69d8-4d21-84a4-e027dd161d38, ipAddress=42.159.242.241, error=invalid_code, grant_type=authorization_code, code_id=a1679537-3577-4aa6-8dcd-13bc3804f99c, client_auth_method=client-secret

Does this warning mean something?

3) In our current IDP brokering case, in the admin console under Realm Settings -> Tokens tab, there are several configurations. What is their relationship with the IDP's? Or, in broker mode, is it not necessary to set them?

On Saturday, January 16, 2016 9:34 PM, Mai Zi wrote:

One observation from the Keycloak log is as below:

2016-01-16 18:12:33,067 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=UnileverHR, clientId=null, userId=null, ipAddress=180.107.103.49, error=identityProviderAuthenticationFailedMessage
2016-01-16 18:12:33,071 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-30) identityProviderAuthenticationFailedMessage: org.keycloak.broker.provider.IdentityBrokerException: Invalid code, please login again through your client.
    at org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551)
    at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:251)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:319)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:350)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:165)
    at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:113)
    at sun.reflect.GeneratedMethodAccessor73.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)

In this case, we use the same account to log in from different clients at the same time. That is, we may use two machines' browsers to try to log in to the same IDP account.

I am not sure whether this is a legal case or not.

Thanks a lot

On Saturday, January 16, 2016 1:26 PM, Mai Zi wrote:

We use 1.7.0 Final as SP to broker a SAML 2.0 IDP. We secure the realm for several clients. Here is the demo link: http://unihr.chinacloudapp.cn/campusNav/index.html?locale=en

The test account is
ID: S2\Testnew2
Password: Daksh at 123

We found Keycloak does not work stably. The response will be dead from time to time.

Please take a try and help us. Let me know what info you need.

Mai
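An added triage helper for the questions in this thread (not code from the thread or from Keycloak): it parses the `[org.keycloak.events]` lines quoted above into their key=value fields and counts repeated broker and code-exchange failures per realm, client, error and source address, which is the first thing to check before chasing a RelayState or token-setting problem. The first two sample lines are the ones quoted in the thread; the remaining ones are constructed.

```python
import re
from collections import Counter

# Shape of a Keycloak event log line as quoted in this thread:
#   [date ]time LEVEL [org.keycloak.events] (thread) key=value, key=value, ...
# The date part is optional because the second quoted line carries only a time.
EVENT_LINE = re.compile(
    r"^(?P<ts>(?:\d{4}-\d{2}-\d{2} )?\d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[org\.keycloak\.events\]\s+\((?P<thread>[^)]*)\)\s+"
    r"(?P<fields>.*)$"
)

# The two event types seen in this thread: a failed brokered login at the SAML IdP
# and a failed authorization-code exchange at the token endpoint.
BROKER_ERRORS = {"IDENTITY_PROVIDER_LOGIN_ERROR", "CODE_TO_TOKEN_ERROR"}

SAMPLE_LINES = [
    # Quoted in the thread:
    "2016-01-16 18:12:33,067 WARN [org.keycloak.events] (default task-30) "
    "type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=UnileverHR, clientId=null, userId=null, "
    "ipAddress=180.107.103.49, error=identityProviderAuthenticationFailedMessage",
    "23:13:29,867 WARN [org.keycloak.events] (default task-1) type=CODE_TO_TOKEN_ERROR, "
    "realmId=UnileverHR, clientId=hrhelperNav, userId=00412ef1-69d8-4d21-84a4-e027dd161d38, "
    "ipAddress=42.159.242.241, error=invalid_code, grant_type=authorization_code, "
    "code_id=a1679537-3577-4aa6-8dcd-13bc3804f99c, client_auth_method=client-secret",
    # Constructed: a second broker failure from the same address, a successful login
    # (ignored by the failure counter) and a non-event line (not parsed at all).
    "2016-01-16 18:12:41,002 WARN [org.keycloak.events] (default task-31) "
    "type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=UnileverHR, clientId=null, userId=null, "
    "ipAddress=180.107.103.49, error=identityProviderAuthenticationFailedMessage",
    "2016-01-16 18:13:05,120 INFO [org.keycloak.events] (default task-32) type=LOGIN, "
    "realmId=UnileverHR, clientId=hrhelperNav, userId=00412ef1-69d8-4d21-84a4-e027dd161d38, "
    "ipAddress=180.107.103.49",
    "2016-01-16 18:12:33,071 ERROR [org.keycloak.services.resources.IdentityBrokerService] "
    "(default task-30) identityProviderAuthenticationFailedMessage: ...",
]


def parse_event_line(line):
    """Return the fields of one Keycloak event log line as a dict, or None if it is not one."""
    m = EVENT_LINE.match(line.strip())
    if not m:
        return None
    fields = {"timestamp": m.group("ts"), "level": m.group("level"), "thread": m.group("thread")}
    for part in m.group("fields").split(", "):
        key, sep, value = part.partition("=")
        if sep:
            # Keycloak prints absent values as the literal "null" (see clientId=null above).
            fields[key.strip()] = None if value.strip() == "null" else value.strip()
    return fields


def summarize_failures(lines):
    """Count broker/code-exchange failures keyed by (type, realm, client, error, source IP)."""
    counts = Counter()
    for line in lines:
        ev = parse_event_line(line)
        if ev and ev.get("type") in BROKER_ERRORS:
            counts[(ev["type"], ev.get("realmId"), ev.get("clientId"),
                    ev.get("error"), ev.get("ipAddress"))] += 1
    return counts


def repeated_failures(lines, threshold=2):
    """Keys that failed at least `threshold` times, most frequent first.

    A single IDENTITY_PROVIDER_LOGIN_ERROR can be a user retry; the same error
    repeating from one address is the pattern worth correlating with the IdP's logs.
    """
    counts = summarize_failures(lines)
    return [key for key, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for key, n in summarize_failures(SAMPLE_LINES).most_common():
        print(n, key)
    print("repeated:", repeated_failures(SAMPLE_LINES))
```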
From Rajees.Patel at invenco.com Sun Jan 17 23:36:26 2016
From: Rajees.Patel at invenco.com (Rajees Patel)
Date: Mon, 18 Jan 2016 17:36:26 +1300
Subject: [keycloak-user] Direct Access Grants for user set up for totp
Message-ID: 

Hi,

How can I get direct access grants for a user set up with TOTP?

I tried posting the TOTP code, but received this error.

{
  "error_description": "Account is not fully set up"
  "error": "invalid_grant"
}

Thanks

Rajees Patel
Product Architect
Invenco Group Limited
O: +64 9 905 5673
Rajees.Patel at invenco.com
www.invenco.com

Disclaimer: This email is confidential and may be legally privileged. If you are not the intended recipient you must not use any of the information in it and must delete the email immediately.

From kalc04 at gmail.com Mon Jan 18 01:21:35 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 18 Jan 2016 11:51:35 +0530
Subject: [keycloak-user] '500 Internal Server Error' thrown when 'Update User' API is invoked w/o 'username' in the payload
In-Reply-To: 
References: 
Message-ID: 

JIRA logged here: https://issues.jboss.org/browse/KEYCLOAK-2334

Regards,
Lohitha

On Fri, Jan 15, 2016 at 9:12 PM, Stian Thorgersen wrote:
> Yes please
>
> On 15 January 2016 at 04:42, Lohitha Chiranjeewa wrote:
>
>> Hi,
>>
>> Refer to the title for the bug. This seems to have been introduced after
>> 1.2.0.Final because in that version we didn't have this problem. Failure
>> happens in 1.7.0.Final. Checked the logs and there's a NullPointerException
>> thrown.
>>
>> Shall I create a JIRA?
>>
>> Regards,
>> Lohitha.

From stuart.jacobs at symbiotics.co.za Mon Jan 18 02:35:29 2016
From: stuart.jacobs at symbiotics.co.za (Stuart Jacobs)
Date: Mon, 18 Jan 2016 09:35:29 +0200
Subject: [keycloak-user] Custom Encryption module
Message-ID: 

Good Day,

The project I am currently working on has its own unique encryption module/methods.

I would like to know if it is possible to replace the default Keycloak encryption with my own module?

Regards,
Stuart Jacobs

-- 
www.symbiotics.co.za

********************************************************************************
This email and any accompanying attachments may contain confidential and proprietary information. This information is private and protected by law and, accordingly, if you are not the intended recipient, you are requested to delete this entire communication immediately and are notified that any disclosure, copying or distribution of or taking any action based on this information is prohibited.

Emails cannot be guaranteed to be secure or free of errors or viruses. The sender does not accept any liability or responsibility for any interception, corruption, destruction, loss, late arrival or incompleteness of or tampering or interference with any of the information contained in this email or for its incorrect delivery or non-delivery for whatsoever reason or for its effect on any electronic device of the recipient.
********************************************************************************
From juraci at kroehling.de Mon Jan 18 02:59:08 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Mon, 18 Jan 2016 08:59:08 +0100
Subject: [keycloak-user] Hotdeploy theme module
In-Reply-To: 
References: <569A56DF.3000504@redhat.com>
Message-ID: <569C9B4C.40705@kroehling.de>

On 16.01.2016 23:29, Travis De Silva wrote:
> I don't think wildfly does hot deployment for modules.

How about adding/removing the module via the WildFly CLI?

module add --name=the.theme... --resources=...jar

- Juca.

From thomas.darimont at googlemail.com Mon Jan 18 03:15:08 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 18 Jan 2016 09:15:08 +0100
Subject: [keycloak-user] Custom Encryption module
In-Reply-To: 
References: 
Message-ID: 

Hello,

there is the PasswordHashingSpi which you could use to add your own password hashing strategy:
https://github.com/keycloak/keycloak/tree/master/server-spi/src/main/java/org/keycloak/hash

Cheers,
Thomas

2016-01-18 8:35 GMT+01:00 Stuart Jacobs :
> Good Day,
>
> The project I am currently working on has its own unique encryption
> module/methods.
>
> I would like to know if it is possible to replace the default Keycloak
> encryption with my own module?
>
> Regards,
> Stuart Jacobs
>
> www.symbiotics.co.za

From sthorger at redhat.com Mon Jan 18 03:15:44 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 18 Jan 2016 09:15:44 +0100
Subject: [keycloak-user] Securing Application which is exposed to Guest Users
In-Reply-To: 
References: 
Message-ID: 

Assuming by guest users you mean that no login is required, then why does it need securing at all?

On 16 January 2016 at 02:53, Naresh Kumar Reddy wrote:
> Hi,
>
> We have two applications which provide webinar functionality.
>
> 1) Provisioning app -- Organizers provision webinars and manage their
> account. Since organizers are Keycloak users, I can secure the provisioning app
> out of the box.
>
> 2) Webinar app -- The users of this app are organizers and participants.
> Participants are not provisioned as Keycloak users. Those are guest
> users.
>
> My question is how do we secure the second app with Keycloak?
>
> *Note*: Both apps will be under the same realm.
>
> Is there any way to secure it with a custom field like webinarId which is passed
> as a parameter?
>
> Or some better solution?
>
> Under the same realm, securing one app with Keycloak users and the other app with
> custom authentication?
>
> Thanks for the great work.
> > Thanks & Regards > Naresh From sthorger at redhat.com Mon Jan 18 03:19:50 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jan 2016 09:19:50 +0100 Subject: [keycloak-user] Direct Access Grants for user set up for totp In-Reply-To: References: Message-ID: That error message doesn't come from needing an OTP; it comes from there being outstanding required actions. However, I'm pretty sure we don't support direct grant with users that have OTP enabled. We should though, so you can create a feature request. On 18 January 2016 at 05:36, Rajees Patel wrote: > Hi, > > How can I get direct access grants for a user set up with TOTP? > > I tried posting the TOTP code, but received this error. > > { "error_description": "Account is not fully set up", "error": "invalid_grant" } > > Thanks > > Rajees Patel > Product Architect > Invenco Group Limited > O: +64 9 905 5673 > Rajees.Patel at invenco.com > www.invenco.com
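On the Custom Encryption module question above: the following is an added example, not code from Keycloak or from anyone in the thread. It shows the logic a custom password hashing strategy plugged in through the PasswordHashingSpi has to supply: an encode step that stores an algorithm id, a fresh per-user salt and the iteration count next to the digest; a verify step that compares in constant time; and a verify-and-upgrade path for the case Stuart describes, where passwords already exist in a project's own legacy scheme and must keep working while being re-hashed on login. The StoredCredential record, the "legacy-sha1" format standing in for the project's scheme, and all function names are this example's own assumptions (the real SPI is Java and lives at the path Thomas links); the passwords in the checks are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

# Constructed example: the record a hashing provider would persist per user.
# Field names are this example's own, not Keycloak's credential model.
@dataclass(frozen=True)
class StoredCredential:
    algorithm: str      # identifier of the hashing strategy that produced the digest
    salt: bytes
    iterations: int
    digest: bytes

ALGORITHM_ID = "pbkdf2-sha256"
LEGACY_ALGORITHM_ID = "legacy-sha1"   # assumed stand-in for the project's own scheme
DEFAULT_ITERATIONS = 100_000


def encode(raw_password: str, iterations: int = DEFAULT_ITERATIONS) -> StoredCredential:
    """What a provider's encode step must do: fresh random salt per password,
    work factor recorded alongside the digest so it can be raised later."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", raw_password.encode("utf-8"), salt, iterations)
    return StoredCredential(ALGORITHM_ID, salt, iterations, digest)


def verify(raw_password: str, cred: StoredCredential) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time.
    Unknown algorithm ids are rejected rather than guessed at."""
    if cred.algorithm == ALGORITHM_ID:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", raw_password.encode("utf-8"), cred.salt, cred.iterations)
    elif cred.algorithm == LEGACY_ALGORITHM_ID:
        # Assumed legacy format: unsalted SHA-1 of the password. Only accepted so that
        # existing users can log in once and be migrated; never used for new hashes.
        candidate = hashlib.sha1(raw_password.encode("utf-8")).digest()
    else:
        return False
    return hmac.compare_digest(candidate, cred.digest)


def verify_and_upgrade(raw_password: str, cred: StoredCredential) -> Tuple[bool, StoredCredential]:
    """Login path: returns (ok, credential_to_store). On success, a legacy hash or one
    with too few iterations is replaced by a fresh current-scheme hash of the same
    password (the only moment the plaintext is available); otherwise the stored
    record is returned unchanged."""
    if not verify(raw_password, cred):
        return False, cred
    needs_upgrade = cred.algorithm != ALGORITHM_ID or cred.iterations < DEFAULT_ITERATIONS
    return True, (encode(raw_password) if needs_upgrade else cred)


def legacy_credential(raw_password: str) -> StoredCredential:
    """Build a record in the assumed legacy format, to seed a migration check."""
    return StoredCredential(LEGACY_ALGORITHM_ID, b"", 1,
                            hashlib.sha1(raw_password.encode("utf-8")).digest())
```

The upgrade-on-login pattern is what lets a deployment switch hashing strategy without forcing a password reset: each stored record carries its own algorithm id, so both schemes coexist until every user has logged in once, after which the legacy branch can be deleted.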
From sthorger at redhat.com Mon Jan 18 03:24:41 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jan 2016 09:24:41 +0100 Subject: [keycloak-user] Hotdeploy theme module In-Reply-To: <569C9B4C.40705@kroehling.de> References: <569A56DF.3000504@redhat.com> <569C9B4C.40705@kroehling.de> Message-ID: You can chuck it into standalone/configuration/themes for production as well. The docs suggest not to do that, as in production you want a stable set of files and to make sure all nodes in a cluster have the same versions. Themes are also cached by default, both on the server side and in the browser. On 18 January 2016 at 08:59, Juraci Paixão Kröhling wrote: > On 16.01.2016 23:29, Travis De Silva wrote: > > I don't think wildfly does hot deployment for modules. > > How about adding/removing the module via the Wildfly CLI? > > module add --name=the.theme... --resources=...jar > > - Juca. From pnreddy.svu at gmail.com Mon Jan 18 03:28:51 2016 From: pnreddy.svu at gmail.com (Naresh Kumar Reddy) Date: Mon, 18 Jan 2016 13:58:51 +0530 Subject: [keycloak-user] Securing Application which is exposed to Guest Users In-Reply-To: References: Message-ID: Login is required, but with custom fields like webinarId/webinar secret which are common for all guest users. On Mon, Jan 18, 2016 at 1:45 PM, Stian Thorgersen wrote: > Assuming by guest users you mean that no login is required then why does > it need securing at all?
From pnreddy.svu at gmail.com Mon Jan 18 03:34:42 2016 From: pnreddy.svu at gmail.com (Naresh Kumar Reddy) Date: Mon, 18 Jan 2016 14:04:42 +0530 Subject: [keycloak-user] Securing Application which is exposed to Guest Users In-Reply-To: References: Message-ID: Let me clarify the workflow. The organizer is a Keycloak user. He schedules a webinar and an invitation mail will be sent to all participants (guest users). The mail will have the webinar id/webinar secret. When participants (guest users) visit the webinar portal it should ask for the webinar id/secret to authenticate. How to achieve this with Keycloak, assuming two kinds of applications under the same realm?
Thanks On Mon, Jan 18, 2016 at 1:58 PM, Naresh Kumar Reddy wrote: > Login is required, but with custom fields like webinarId/webinar secret > which are common for all guest users. From traviskds at gmail.com Mon Jan 18 03:46:45 2016 From: traviskds at gmail.com (Travis De Silva) Date: Mon, 18 Jan 2016 08:46:45 +0000 Subject: [keycloak-user] Hotdeploy theme module In-Reply-To: References: <569A56DF.3000504@redhat.com> <569C9B4C.40705@kroehling.de> Message-ID: I think the jar is a good idea.
I have hooked it up with our Jenkins CI process. As you mentioned, since the themes are cached, we have no option but to restart Keycloak. This might go well in a non-clustered production environment. I don't think wildfly modules are reloadable. But wildfly allows you to deploy a jar just like a war. Wondering why you guys didn't take that route and went with the module route. Also, if there is any way to clear the theme cache when we deploy a new change without having to restart Keycloak, that would be great. I don't want to disable the cache settings in keycloak-server.json as cache is important for performance, but I just want a way to reload it when we deploy new changes/new themes via the jar file. On Mon, 18 Jan 2016 at 19:25 Stian Thorgersen wrote: > You can chuck it into standalone/configuration/themes for production as > well. The docs suggest not to do that, as in production you want a stable > set of files and to make sure all nodes in a cluster have the same versions. > Themes are also cached by default, both on the server side and in the > browser.
From thomas.darimont at googlemail.com Mon Jan 18 04:02:19 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 18 Jan 2016 10:02:19 +0100 Subject: [keycloak-user] Securing Application which is exposed to Guest Users In-Reply-To: References: Message-ID: Hello, you could just create a new Keycloak user per webinar with: webinar id = username, webinar secret = password? Your real users would then just authenticate with those credentials - though you'd probably need to disable account management for them (and some other self-service operations). If you add a user-individual code to the login URL that you send to your users, then you can associate the login with the actual user (e.g. the email address this link was generated for etc.). Another option would be to generate a bunch of Keycloak users with a limited lifetime, e.g. for the duration of the webinar + x. When the time is up you could deactivate the users. In that model you would simply store the email address for each user with the actual Keycloak user. This would enable you to send a concluding "thank you" email and perform some analytics on which individual user did what during the webinar. Once you're done with your analysis you could delete the users. Cheers, Thomas 2016-01-18 9:34 GMT+01:00 Naresh Kumar Reddy : > Let me clarify the workflow. > > The organizer is a Keycloak user. He schedules a webinar and an invitation > mail will be sent to all participants (guest users). The mail will have the > webinar id/webinar secret. When participants (guest users) visit the webinar > portal it should ask for the webinar id/secret to authenticate. > > How to achieve this with Keycloak, assuming two kinds of applications under > the same realm?
> > Thanks
From sthorger at redhat.com Mon Jan 18 04:40:25 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jan 2016 10:40:25 +0100 Subject: [keycloak-user] Hotdeploy theme module In-Reply-To: References: <569A56DF.3000504@redhat.com> <569C9B4C.40705@kroehling.de> Message-ID: On 18 January 2016 at 09:46, Travis De Silva wrote: > I think the jar is a good idea. I have hooked it up with our Jenkins CI > process. > > As you mentioned, since the themes are cached, we have no option but to > restart Keycloak. This might go well in a non-clustered production > environment. > > I don't think wildfly modules are reloadable. But wildfly allows you to > deploy a jar just like a war. Wondering why you guys didn't take that route > and went with the module route. > > Also, if there is any way to clear the theme cache when we deploy a new > change without having to restart Keycloak, that would be great. I don't want to > disable the cache settings in keycloak-server.json as cache is important > for performance, but I just want a way to reload it when we deploy new > changes/new themes via the jar file. > The ideal would be to be able to hot-deploy both themes and providers, but using modules is much easier. We could probably extend the Keycloak subsystem to detect deployment of theme jars, as they contain a keycloak-themes.json. Provider jars would be slightly harder unless we add some marker file. For themes you would have to clear the theme cache. Again, this is something the subsystem could probably do, and it could automatically clear the cache for the themes found in the deployed theme jar. To prevent browser caches we'd also need some mechanism to do that. Currently resources are versioned by the version of the server and that's it. So if you change a resource it wouldn't be updated in the user's browser. All nice to haves, but we don't have the resources ATM to implement it.
From sthorger at redhat.com Mon Jan 18 04:43:24 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jan 2016 10:43:24 +0100 Subject: [keycloak-user] Securing Application which is exposed to Guest Users In-Reply-To: References: Message-ID: What Thomas said. Just remove the account role from the webinar user and they can't use account management. You can use authentication flows to customize the authentication flow. As a first execution in the flow you check if the app is the webinar app; if it is, then don't include the cookie authenticator but add a custom one that asks for webinar id + secret. If it's not the webinar app then just continue the default flow.
On 18 January 2016 at 10:02, Thomas Darimont wrote: > Hello, > > you could just create a new Keycloak user per webinar with: > webinar id = username > webinar secret = password > ? > > Your real users would then just authenticate with those credentials - > though you'd probably need to disable account management for them (and some > other self-service operations). > If you add a user-individual code to the login URL that you send to your > users, then you can associate the login with the actual user (e.g. the email > address this link was generated for etc.). > > Another option would be to generate a bunch of Keycloak users with a > limited lifetime, e.g. for the duration of the webinar + x. > When the time is up you could deactivate the users. > In that model you would simply store the email address for each user with > the actual Keycloak user. > This would enable you to send a concluding "thank you" email and perform > some analytics on which individual user did what during the webinar. > Once you're done with your analysis you could delete the users. > > Cheers, > Thomas
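For the webinar thread above (Thomas's per-webinar and per-participant user options with an individual code in the invitation link, and Stian's note on stripping account management), here is an added example of the provisioning-side logic. It is written in Python rather than as a Keycloak extension, and it is not code from the thread or from Keycloak: a signed, expiring per-participant invite code and its verification; the Admin REST API UserRepresentation for a throwaway participant user; and the selection of users to disable once the webinar has ended. The signing key, the attribute names, the username scheme and every input are constructed assumptions. Removing the account role, as Stian suggests, is a separate admin call not shown here.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed key for this example only; a real provisioning app reads it from its secret store.
INVITE_KEY = b"example-only-invite-signing-key-change-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_invite(webinar_id: str, email: str, expires_at: int, key: bytes = INVITE_KEY) -> str:
    """Per-participant code for the invitation link, as payload.signature.
    The HMAC covers webinar id, email and expiry, so a code for one person or one
    webinar cannot be replayed for another, and it stops working after the event."""
    payload = json.dumps({"w": webinar_id, "e": email, "exp": expires_at},
                         separators=(",", ":")).encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_invite(code: str, now: int, key: bytes = INVITE_KEY) -> Optional[Dict[str, object]]:
    """Return the payload for a valid, unexpired code, else None. The signature is
    checked in constant time before the payload is trusted enough to be parsed."""
    try:
        payload_b64, sig_b64 = code.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    if data.get("exp", 0) <= now:
        return None
    return data


def participant_user(webinar_id: str, email: str, ends_at: int) -> Tuple[dict, str]:
    """Admin REST API UserRepresentation for a throwaway per-participant user
    (Thomas's second option). Returns (representation, generated password).
    The username is derived from webinar + email so one person can join several
    webinars; the assumed 'ends_at' attribute lets a cleanup job find users to
    disable after the event."""
    password = secrets.token_urlsafe(24)
    email_tag = hashlib.sha256(email.lower().encode("utf-8")).hexdigest()[:16]
    rep = {
        "username": f"webinar-{webinar_id}-{email_tag}",
        "email": email,
        "enabled": True,
        "attributes": {"webinar_id": [webinar_id], "ends_at": [str(ends_at)]},
        "credentials": [{"type": "password", "value": password, "temporary": False}],
    }
    return rep, password


def expired_participants(users: List[dict], now: int) -> List[str]:
    """Usernames whose webinar has ended; the caller disables or deletes them."""
    out = []
    for u in users:
        ends = u.get("attributes", {}).get("ends_at", ["0"])[0]
        if int(ends) <= now:
            out.append(u["username"])
    return out
```

The reason to prefer this over one shared webinar id/secret is that a shared secret is a single credential for everyone: a forwarded invitation admits anyone, and nothing in the session identifies which participant it is. Binding the code to the email and expiry, and giving each participant their own short-lived Keycloak user, keeps the audit trail that Thomas's analytics use case needs.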
From mstrukel at redhat.com Mon Jan 18 04:46:12 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 18 Jan 2016 10:46:12 +0100 Subject: [keycloak-user] Hotdeploy theme module In-Reply-To: References: <569A56DF.3000504@redhat.com> <569C9B4C.40705@kroehling.de> Message-ID: Hot deployment is a tricky business, always fraught with the danger of leaving garbage behind, leading to difficult-to-explain slowdowns and eventually to out of memory, or to buggy behavior by not properly refreshing resources in all the places. By not using it we can save ourselves one possible cause for any such symptoms. For production the proper way is to put it in a clustered setup of at least two instances. You can then restart one at a time. At least that's the idea. For development there is a way to configure Keycloak to load themes from your source directory; you can then just refresh your browser to see changes. You can set that up like this:

Build the project:
mvn clean install -DskipTests

Open and edit distribution/server-dist/server-provisioning.xml. Find copy-module-artifacts="true" and change it to copy-module-artifacts="false". I use:
sed -i '' 's/copy-module-artifacts="true"/copy-module-artifacts="false"/' distribution/server-dist/server-provisioning.xml

Then only build the server distribution module:
mvn clean install -Pdistribution -pl distribution/server-dist

Finally, instruct Keycloak to load themes from the source directory.
Open and edit distribution/server-dist/target/keycloak*/standalone/configuration/keycloak-server.json. Find "dir": "${jboss.server.config.dir}/themes" and change it to "dir": "PATH_TO_YOUR_KEYCLOAK_GIT_HOME/forms/common-themes/src/main/resources/theme". I use:
sed -i '' 's,"dir": "${jboss.server.config.dir}/themes","dir": "/Users/marko/devel/keycloak/keycloak/forms/common-themes/src/main/resources/theme",' distribution/server-dist/target/keycloak*/standalone/configuration/keycloak-server.json

On Mon, Jan 18, 2016 at 9:46 AM, Travis De Silva wrote: > I think the jar is a good idea. I have hooked it up with our Jenkins CI > process. > > As you mentioned, since the themes are cached, we have no option but to > restart Keycloak. This might go well in a non-clustered production > environment. > > I don't think wildfly modules are reloadable. But wildfly allows you to > deploy a jar just like a war. Wondering why you guys didn't take that route > and went with the module route. > > Also, if there is any way to clear the theme cache when we deploy a new change > without having to restart Keycloak, that would be great. I don't want to disable > the cache settings in keycloak-server.json as cache is important for > performance, but I just want a way to reload it when we deploy new changes/new > themes via the jar file. From sthorger at redhat.com Mon Jan 18 05:01:45 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jan 2016 11:01:45 +0100 Subject: [keycloak-user] Hotdeploy theme module In-Reply-To: References: <569A56DF.3000504@redhat.com> <569C9B4C.40705@kroehling.de> Message-ID: On 18 January 2016 at 10:46, Marko Strukelj wrote: > Hot deployment is a tricky business, always fraught with the danger of > leaving garbage behind, leading to difficult-to-explain slowdowns and > eventually to out of memory, or to buggy behavior by not properly > refreshing resources in all the places. By not using it we can save > ourselves one possible cause for any such symptoms. > Sure, but it's still nice to have if we could support it. > > For production the proper way is to put it in a clustered setup of at > least two instances. You can then restart one at a time. At least > that's the idea. > Actually that won't work, because the two nodes would have different themes for a period. Domain mode in WildFly supports deployments to a cluster, which would be much nicer if we supported that. > > For development there is a way to configure Keycloak to load themes > from your source directory; you can then just refresh your browser to > see changes.
> > You can set that up like this: > > Build the project > mvn clean install -DskipTests > > Open and edit distribution/server-dist/server-provisioning.xml > Find copy-module-artifacts="true" and change it to > copy-module-artifacts="false" > > I use: > sed -i '' 's/copy-module-artifacts="true"/copy-module-artifacts="false"/' > distribution/server-dist/server-provisioning.xml > > Then only build the server distribution module > mvn clean install -Pdistribution -pl distribution/server-dist > > Finally instruct Keycloak to load themes from source directory. Open > and edit > distribution/server-dist/target/keycloak*/standalone/configuration/keycloak-server.json > > Find "dir": "${jboss.server.config.dir}/themes" and change it to > "dir": > "PATH_TO_YOUR_KEYCLOAK_GIT_HOME/forms/common-themes/src/main/resources/theme" > > I use: > sed -i '' 's,"dir": "${jboss.server.config.dir}/themes","dir": > "/Users/marko/devel/keycloak/keycloak/forms/common-themes/src/main/resources/theme",' > distribution/server-dist/target/keycloak*/standalone/configuration/keycloak-server.json > > I don't see the need for all those steps. All you need to do is change the dir property for the themes. Default built-in themes would then be loaded from the jars and your custom themes directly from the source.
From mstrukel at redhat.com Mon Jan 18 05:48:31 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 18 Jan 2016 11:48:31 +0100 Subject: [keycloak-user] Hotdeploy theme module In-Reply-To: References: <569A56DF.3000504@redhat.com> <569C9B4C.40705@kroehling.de> Message-ID: On Mon, Jan 18, 2016 at 11:01 AM, Stian Thorgersen wrote: > > > On 18 January 2016 at 10:46, Marko Strukelj wrote: >> >> Hot deployment is a tricky business always fraught with danger of >> leaving garbage behind, leading to difficult-to-explain slowdowns and >> eventually to out of memory, or to buggy behavior by not properly >> refreshing resources in all the places. By not using it we can save >> ourselves one possible cause for any such symptoms. > > > Sure, but it's still nice to have if we could support it > >> >> >> For production the proper way is to put it in a clustered setup of at >> least two instances. You can then restart one at a time. At least >> that's the idea. > > > Actually that won't work, because the two nodes would have different themes > for a period. Domain mode in WildFly supports deployments to a cluster, > which would be much nicer if we supported that. Wildfly cluster deployment would indeed be nice. But would it really update all instances at the same time rather than do a rolling deployment? Updating all at once would be a stop-the-world situation putting everyone on hold while it's going on. As long as you have a front-end proxy that you can control in some way to redirect traffic away from one node, then upgrade and restart the node, and repeat for the other node, you can manually achieve the same - but possibly with more work, and more error prone, if you don't use good tools to do it with.
> >> >> >> For development there is a way to configure Keycloak to load themes >> from your source directory, you can then just refresh your browser to >> see changes. >> >> >> You can set that up like this: >> >> Build the project >> mvn clean install -DskipTests >> >> Open and edit distribution/server-dist/server-provisioning.xml >> Find copy-module-artifacts="true" and change it to >> copy-module-artifacts="false" >> >> I use: >> sed -i '' >> 's/copy-module-artifacts="true"/copy-module-artifacts="false"/' >> distribution/server-dist/server-provisioning.xml >> >> Then only build the server distribution module >> mvn clean install -Pdistribution -pl distribution/server-dist >> >> Finally instruct Keycloak to load themes from source directory. Open >> and edit >> distribution/server-dist/target/keycloak*/standalone/configuration/keycloak-server.json >> >> Find "dir": "${jboss.server.config.dir}/themes" and change it to >> "dir": >> "PATH_TO_YOUR_KEYCLOAK_GIT_HOME/forms/common-themes/src/main/resources/theme" >> >> I use: >> sed -i '' 's,"dir": "${jboss.server.config.dir}/themes","dir": >> >> "/Users/marko/devel/keycloak/keycloak/forms/common-themes/src/main/resources/theme",' >> >> distribution/server-dist/target/keycloak*/standalone/configuration/keycloak-server.json >> > > I don't see the need for all those steps. All you need to do is change the > dir property for the themes. Default built-in themes would then be loaded > from the jars and your custom themes directly from the source. > >> >> On Mon, Jan 18, 2016 at 9:46 AM, Travis De Silva >> wrote: >> > I think the jar is a good idea. I have hocked it up with our Jenkins CI >> > process. >> > >> > As you mentioned, since the themes are cached, we have no option but to >> > restart KeyCloak. This might go well in a non-clustered production >> > environment. >> > >> > I don't think wildfly modules are reloadable. But wildfly allows you to >> > deploy a jar just like a war. 
>> > Wondering why you guys didn't take that route
>> > and went with the module route.
>> >
>> > Also if there is any way to clear the theme cache when we deploy a new
>> > change without having to restart KeyCloak would be great. I don't want to
>> > disable the cache settings in keycloak-server.json as cache is important for
>> > performance but just want a way to reload it when we deploy new
>> > changes/new themes via the jar file.
>> >
>> > On Mon, 18 Jan 2016 at 19:25 Stian Thorgersen wrote:
>> >>
>> >> You can chuck it into standalone/configuration/themes for production as
>> >> well. The docs suggest to not do that as in production you want a
>> >> stable set of files and make sure all nodes in a cluster have the same versions.
>> >> Themes are also by default cached, both on the server side and in the browser.
>> >>
>> >> On 18 January 2016 at 08:59, Juraci Paixão Kröhling wrote:
>> >>>
>> >>> On 16.01.2016 23:29, Travis De Silva wrote:
>> >>> > I don't think wildfly does hot deployment for modules.
>> >>>
>> >>> How about adding/removing the module via the Wildfly CLI?
>> >>>
>> >>>     module add --name=the.theme... --resources=...jar
>> >>>
>> >>> - Juca.
>> >>> _______________________________________________ >> >>> keycloak-user mailing list >> >>> keycloak-user at lists.jboss.org >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From pavel.masloff at gmail.com Mon Jan 18 07:09:27 2016 From: pavel.masloff at gmail.com (Pavel Maslov) Date: Mon, 18 Jan 2016 13:09:27 +0100 Subject: [keycloak-user] keycloak-jetty92-adapter & UriBuilder HTTP error 500 In-Reply-To: <5693E84F.6060607@redhat.com> References: <5693E84F.6060607@redhat.com> Message-ID: Not sure how to do this. Can you elaborate, please? Regards, Pavel Maslov, MS On Mon, Jan 11, 2016 at 6:37 PM, Bill Burke wrote: > Hmm, a resteasy dependency has stuck in maybe? Remove the jaxrs and > resteasy jars that exist in the adapter distro for Jetty? Does that work? > > > On 1/11/2016 6:50 AM, Pavel Maslov wrote: > > Hi, > > > I am planning to migrate the Keycloak server from version 1.3.1 to 1.7.0. > However, when trying to access a secured resource of our API I get the > following error: > > HTTP ERROR 500 > > Problem accessing /v1/producers. 
Reason: > > Server Error > java.lang.AbstractMethodError: javax.ws.rs.core.UriBuilder.uri(Ljava/lang/String;)Ljavax/ws/rs/core/UriBuilder; > at javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:119) > at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:292) > at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:222) > at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808) > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669) > at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:165) > at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:239) > at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) > at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) > at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) > at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553) > at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) > at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) > at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) > at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) > at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) > at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) > at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) > at org.eclipse.jetty.server.Server.handle(Server.java:497) > at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310) > at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) > at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) > at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) > at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) > at java.lang.Thread.run(Thread.java:745) > > > It used to work with the previous version of Keycloak + adapter (1.3.1). > The only thing I did is I just changed dependency version 1.3.1 to 1.7.0 in > my pom.xml: > > > org.keycloak > keycloak-core > 1.7.0.Final > org.keycloak > keycloak-services > 1.7.0.Final > > > org.keycloak > keycloak-jetty92-adapter-dist > 1.7.0.Final > pom > > > Perhaps, something else is missing. Can it be web.xml or jetty-web.xml > that I have to update in some way? Any ideas? > Thanks. > > > > > Regards, > Pavel Maslov, MS > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160118/28291f81/attachment.html From ramon at iqnomy.com Mon Jan 18 07:29:54 2016 From: ramon at iqnomy.com (Ramon Rockx) Date: Mon, 18 Jan 2016 13:29:54 +0100 Subject: [keycloak-user] implicit flow response_type url parameter Message-ID: Hi all, I was trying to configure Swagger UI (http://swagger.io/swagger-ui/) so it will use Keycloak for OAuth2 authorization. Swagger UI supports the 'Authorization Code Grant' flow and the 'Implicit Grant' flow. I managed to configure Swagger UI to use the 'Authorization Code Grant' flow, but I did not succeed with the implicit flow. 
I think this is because Keycloak expects the response_type url parameter to be 'id_token token', while Swagger UI uses the url parameter response_type=token. rfc6749 also states (https://tools.ietf.org/html/rfc6749#section-4.2.1) that the response_type parameter should be 'token'. So why is it that Keycloak requires the value 'id_token token'? Is it possible to configure Keycloak, so it will accept 'token' as response_type? Thank you! Ramon Rockx -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160118/2e02e7a2/attachment-0001.html From bburke at redhat.com Mon Jan 18 07:49:52 2016 From: bburke at redhat.com (Bill Burke) Date: Mon, 18 Jan 2016 07:49:52 -0500 Subject: [keycloak-user] Direct Access Grants for user set up for totp In-Reply-To: References: Message-ID: <569CDF70.3020506@redhat.com> We don't, but you could write an authenticator to do it via the auth SPI. On 1/18/2016 3:19 AM, Stian Thorgersen wrote: > That error message doesn't come from needing a otp it comes from there > being outstanding required actions. > > However, I'm pretty sure we don't support direct grant with users that > have otp enabled. We should though so you can create a feature request > > On 18 January 2016 at 05:36, Rajees Patel > wrote: > > Hi, > > How can I get direct access grants for a user set up with totp? > > I tried posting the totp code, but received this error. > > { > > "error_description": "Account is not fully set up" > > "error": "invalid_grant" > > } > > Thanks > > Rajees Patel > > Product Architect > > Invenco Group Limited > > O: +64 9 905 5673 > > Rajees.Patel at invenco.com > > *www.invenco.com * > > > > *Disclaimer: This email is confidential and may be legally > privileged. 
If you are not the intended recipient you must not > use any of the information in it and must delete the email > immediately.* > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160118/da1833f0/attachment.html From bburke at redhat.com Mon Jan 18 07:52:47 2016 From: bburke at redhat.com (Bill Burke) Date: Mon, 18 Jan 2016 07:52:47 -0500 Subject: [keycloak-user] Hotdeploy theme module In-Reply-To: References: <569A56DF.3000504@redhat.com> <569C9B4C.40705@kroehling.de> Message-ID: <569CE01F.7010507@redhat.com> I think we should support this. We also need to make sure deploying these components also picks up things like EJBs, JPA, etc. For 2.0 we should probably consider using JTA too. On 1/18/2016 4:40 AM, Stian Thorgersen wrote: > > > On 18 January 2016 at 09:46, Travis De Silva > wrote: > > I think the jar is a good idea. I have hocked it up with our > Jenkins CI process. > > As you mentioned, since the themes are cached, we have no option > but to restart KeyCloak. This might go well in a non-clustered > production environment. > > I don't think wildfly modules are reloadable. But wildfly allows > you to deploy a jar just like a war. Wondering why you guys didn't > take that route and went with the module route. > > Also if there is anyway to clear the theme cache when we deploy a > new change without having to restart KeyCloak would be great. 
> I don't want to disable the cache settings in keycloak-server.json
> as cache is important for performance but just want a way to
> reload it when we deploy new changes/new themes via the jar file.
>
> The ideal would be to be able to hot-deploy both themes and providers,
> but using modules is much easier. We could probably extend the
> Keycloak subsystem to detect deployment of theme jars as they contain
> a keycloak-themes.json. Provider jars would be slightly harder unless
> we add some marker file.
>
> For themes you would have to clear the theme cache. Again, this is
> something the subsystem could probably do and it could automatically
> clear the cache for the themes found in the deployed theme jar. To
> prevent browser caches we'd also need some mechanism to do that.
> Currently resources are versioned by the version of the server and
> that's it. So if you change a resource it wouldn't be updated in the
> users browser.
>
> All nice to haves, but we don't have the resources ATM to implement it.
>
> On Mon, 18 Jan 2016 at 19:25 Stian Thorgersen wrote:
>
> You can chuck it into standalone/configuration/themes for
> production as well. The docs suggest to not do that as in
> production you want a stable set of files and make sure all
> nodes in a cluster have the same versions. Themes are also by
> default cached, both on the server side and in the browser.
>
> On 18 January 2016 at 08:59, Juraci Paixão Kröhling wrote:
>
> On 16.01.2016 23:29, Travis De Silva wrote:
> > I don't think wildfly does hot deployment for modules.
>
> How about adding/removing the module via the Wildfly CLI?
>
>     module add --name=the.theme... --resources=...jar
>
> - Juca.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160118/52c55d48/attachment.html

From Hermann.Kroener at barco.com Mon Jan 18 07:59:12 2016
From: Hermann.Kroener at barco.com (Kroener, Hermann)
Date: Mon, 18 Jan 2016 12:59:12 +0000
Subject: [keycloak-user] Issue with special character in CommonName / DistinguishedName from Active Directory
Message-ID: <26B058AEFA67354D8BA2D37514C3CB32A4E453EC@KUUMEX11.barco.com>

Dear all,

I'm facing some issues with the Role Mapping of user accounts in Keycloak Server (v1.7.0) which are imported from our Active Directory. I configured the User Federation and added some Role Mappers to map AD groups to Realm Roles. The user accounts are imported from AD and the Groups are added as Realm Roles. But the Roles are not assigned to the User Accounts inside Keycloak after the Import.

Finally I could break the issue down to the naming scheme in our Active Directory: Our IT adds users as "CN=, " and "DN=\, ,OU=...,DC=...,DC=..." The DN (with escaped comma) is also used as Group member attribute. It seems that Keycloak has an issue with special characters in CN / DN.

Is there anything I can do in my current Keycloak instance or does this need to be fixed in an upcoming version of Keycloak?
BR,
Hermann

____________________________
Hermann Kröner
Testing Engineer Security
Barco Control Rooms GmbH
Greschbachstrasse 5a
D - 76229 Karlsruhe
Telefon +49 721 6201 461
http://www.barco.com
mailto:hermann.kroener at barco.com
____________________________
Registered at 76229 Karlsruhe, Amtsgericht Mannheim, HRB 102241, Management: Lutz Nehrhoff von Holderberg
This message is subject to the following terms and conditions: MAIL DISCLAIMER
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160118/c51b9f9a/attachment-0001.html

From pnreddy.svu at gmail.com Mon Jan 18 08:03:20 2016
From: pnreddy.svu at gmail.com (Naresh Kumar Reddy)
Date: Mon, 18 Jan 2016 18:33:20 +0530
Subject: [keycloak-user] Securing Application which is exposed to Guest Users
In-Reply-To: References: Message-ID:

Thank you. I will have a look.

On Mon, Jan 18, 2016 at 3:13 PM, Stian Thorgersen wrote:
> What Thomas said. Just remove the account role from the webinar user and
> they can't use account management.
>
> You can use authentication flows to customize the authentication flow. As
> a first execution in the flow you check if the app is the webinar app, if
> it is then don't include the cookie authenticator, but add a custom one
> that asks for webinar id + secret. If it's not the webinar app then just
> continue the default flow.
>
> On 18 January 2016 at 10:02, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>
>> Hello,
>>
>> you could just create a new keycloak user per webinar with:
>> webinar id = username
>> webinar secret = password
>>
>> Your real users would then just authenticate with those credentials -
>> though you'd probably need to disable account management for them (and some
>> other self-service operations).
>> If you add a user individual code to the login url that you send to your
>> users then you can associate the login with the actual user (e.g.
the email >> address this link was generated for etc.). >> >> Another option would be to generate a bunch of keycloak users with a >> limited lifetime, e.g. for the duration of the webinar + x. >> When the time is up you could deactivate the users. >> In that model you would simply store the email address for each user with >> the actual keycloak user. >> This would enable you to send a concluding "thank you email" and perform >> some analytics on which individual user did what during the webinar. >> Once you're done with you analysis you could delete the users. >> >> Cheers, >> Thomas >> >> 2016-01-18 9:34 GMT+01:00 Naresh Kumar Reddy : >> >>> Let me clarify the work flow. >>> >>> organizer is a keyclock user. he schedules a webinar and an invitation >>> mail will be sent to all participants(guest users). the mail will have >>> webinarid/webinar secret. When participants(guest users) visits webinar >>> portal it should ask for webinar Id/secret to authenticate. >>> >>> How to achieve this with keycloak assuming two kinds of applications >>> under same realm? >>> >>> Thanks >>> >>> On Mon, Jan 18, 2016 at 1:58 PM, Naresh Kumar Reddy < >>> pnreddy.svu at gmail.com> wrote: >>> >>>> login is required but with custom fields like webinarId/webinar secret >>>> which are common for all guest users. >>>> >>>> On Mon, Jan 18, 2016 at 1:45 PM, Stian Thorgersen >>>> wrote: >>>> >>>>> Assuming by guest users you mean that no login is required then why >>>>> does it need securing at all? >>>>> >>>>> On 16 January 2016 at 02:53, Naresh Kumar Reddy >>>> > wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> We have two applications which provides webinar functionality. >>>>>> >>>>>> 1) Provisioning app-- Organizers provision webinar and manage their >>>>>> account. Since organizers are Keycloak users, I can secure provisioning app >>>>>> out of the box. >>>>>> >>>>>> 2) Webinar app-- The users of this app are organizers and >>>>>> participants. 
Participants are no more provisioned as Keycloack users. >>>>>> Those are guest users. >>>>>> >>>>>> My question is how do we secure second app with keyclock? >>>>>> >>>>>> * Note*: Both apps will be under same realm. >>>>>> >>>>>> Is there anyway to secure with custom field like webinarId which is >>>>>> passed as a parameter? >>>>>> >>>>>> Or something better solution? >>>>>> >>>>>> Under same realm securing one app with keycloak users and other app >>>>>> with custom authentication? >>>>>> >>>>>> Thanks for the great work. >>>>>> >>>>>> >>>>>> Thanks & Regards >>>>>> Naresh >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160118/b46038f2/attachment.html From sthorger at redhat.com Mon Jan 18 08:35:41 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jan 2016 14:35:41 +0100 Subject: [keycloak-user] Hotdeploy theme module In-Reply-To: <569CE01F.7010507@redhat.com> References: <569A56DF.3000504@redhat.com> <569C9B4C.40705@kroehling.de> <569CE01F.7010507@redhat.com> Message-ID: On 18 January 2016 at 13:52, Bill Burke wrote: > I think we should support this. We also need to make sure deploying these > components also picks up things like EJBs, JPA, etc. For 2.0 we should > probably consider using JTA too. > +1 To everything, but for 2.x > > > On 1/18/2016 4:40 AM, Stian Thorgersen wrote: > > > > On 18 January 2016 at 09:46, Travis De Silva wrote: > >> I think the jar is a good idea. I have hocked it up with our Jenkins CI >> process. 
>> >> As you mentioned, since the themes are cached, we have no option but to >> restart KeyCloak. This might go well in a non-clustered production >> environment. >> >> I don't think wildfly modules are reloadable. But wildfly allows you to >> deploy a jar just like a war. Wondering why you guys didn't take that route >> and went with the module route. >> >> Also if there is anyway to clear the theme cache when we deploy a new >> change without having to restart KeyCloak would be great. I don't want to >> disable the cache settings in keycloak-server.json as cache is important >> for performance but just want a way to reload it when we deploy new >> changes/new themes via the jar file. >> > > The ideal would be to be able to hot-deploy both themes and providers, but > using modules is much easier. We could probably extend the Keycloak > subsystem to detect deployment of theme jars as they contain a > keycloak-themes.json. Provider jars would be slightly harder unless we add > some marker file. > > For themes you would have to clear the theme cache. Again, this is > something the subsystem could probably do and it could automatically clear > the cache for the themes found in the deployed theme jar. To prevent > browser caches we'd also need some mechanism to do that. Currently > resources are versioned by the version of the server and that's it. So if > you change a resource it wouldn't be updated in the users browser. > > All nice to haves, but we don't have the resources ATM to implement it. > > >> >> >> On Mon, 18 Jan 2016 at 19:25 Stian Thorgersen >> wrote: >> >>> You can chuck it into standalone/configuration/themes for production as >>> well. The docs suggest to not do that as in production you want a stable >>> set of files and make sure all nodes in a cluster has the same versions. >>> Themes are also by default cached, both on the server side and in the >>> browser. 
>>>
>>> On 18 January 2016 at 08:59, Juraci Paixão Kröhling <juraci at kroehling.de> wrote:
>>>
>>>> On 16.01.2016 23:29, Travis De Silva wrote:
>>>> > I don't think wildfly does hot deployment for modules.
>>>>
>>>> How about adding/removing the module via the Wildfly CLI?
>>>>
>>>>     module add --name=the.theme... --resources=...jar
>>>>
>>>> - Juca.
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160118/f46ec4c9/attachment.html

From sthorger at redhat.com Mon Jan 18 08:36:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 18 Jan 2016 14:36:46 +0100
Subject: [keycloak-user] implicit flow response_type url parameter
In-Reply-To: References: Message-ID:

Both should work, so if Keycloak is complaining with just "token" create a jira

On 18 January 2016 at 13:29, Ramon Rockx wrote:
> Hi all,
>
> I was trying to configure Swagger UI (http://swagger.io/swagger-ui/) so
> it will use Keycloak for OAuth2 authorization.
> Swagger UI supports the 'Authorization Code Grant' flow and the 'Implicit
> Grant' flow.
I managed to configure Swagger UI to use the 'Authorization > Code Grant' flow, but I did not succeed with the implicit flow. > I think this is because Keycloak expects the response_type url parameter > to be 'id_token token', while Swagger UI uses the url parameter > response_type=token. > rfc6749 also states (https://tools.ietf.org/html/rfc6749#section-4.2.1) > that the response_type parameter should be 'token'. So why is it that > Keycloak requires the value 'id_token token'? > Is it possible to configure Keycloak, so it will accept 'token' as > response_type? > > Thank you! > > Ramon Rockx > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160118/ad3dda6f/attachment-0001.html From jeremy at jeremysimon.com Mon Jan 18 09:17:18 2016 From: jeremy at jeremysimon.com (Jeremy Simon) Date: Mon, 18 Jan 2016 09:17:18 -0500 Subject: [keycloak-user] Spring Boot REST Service Example(s) In-Reply-To: <569835BE.3070409@redhat.com> References: <569835BE.3070409@redhat.com> Message-ID: Thanks! These make a lot more sense. Looks Springy. ;) Based on how these examples are configured, why would the Keycloak documentation even mention in section 8.9.2 "You also need to specify the J2EE security config that would normally go in the web.xml"? Just trying to get an understanding. 
jeremy jeremy at jeremysimon.com www.JeremySimon.com On Thu, Jan 14, 2016 at 6:56 PM, Bill Burke wrote: > Andrzej already replied to this earlier: > > take a look at these examples: > https://github.com/agolPL/keycloak-spring-demo > > > > On 1/14/2016 6:44 PM, Jeremy Simon wrote: >> Hi, >> >> Would anyone be willing to point me to some good working examples that >> are REST services built with Spring Boot but can leverage Keycloak for >> authentication? I had no trouble integrating a webapp with the SAML >> protocol, but this OpenID Connect (/Oauth2?) area of things is really >> confusing. >> >> All I'm trying to do is security the REST endpoints I made and then >> when I actually hit a controller, also be able to pull some role or >> attribute information off the Authentication token. >> >> I tried to cobble together something using the reference guide and the >> adaptors sections, but to no avail. In particular I followed the 8.9 >> Spring Boot Adaptor but I get 302s and a this in the response if i try >> a rest client... >> >> ---- >> 302 Found >> >> form >> >> HEADERS >> Content-Length:0 Bytes >> Date: >> 2016 Jan 14 18:41:13 >> Location:http://localhost:11080/auth/realms/jeremy/protocol/openid-connect/auth?response_type=code&client_id=try&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fadmin&state=1%2F82011a10-3b29-44eb-9801-e723c03c94bf&login=true >> S >> >> ---- >> >> At any rate, I tried some extra spring security and other mentions >> down further in the guide, but I'm definitely digging myself into a >> little hole! Any help would be greatly appreciated! >> >> Possibly uneducated guess with this subject, can Spring Security OAuth >> be used with this? Probably can't with the OpenID JWT responses? 
>>
>> jeremy
>> jeremy at jeremysimon.com
>> www.JeremySimon.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From alex_orl1079 at yahoo.it Mon Jan 18 13:12:36 2016
From: alex_orl1079 at yahoo.it (alex orl)
Date: Mon, 18 Jan 2016 18:12:36 +0000 (UTC)
Subject: [keycloak-user] Pentaho SSO integration
References: <433908426.11199786.1453140756923.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <433908426.11199786.1453140756923.JavaMail.yahoo@mail.yahoo.com>

hi to all,

I'm facing up to the integration with Pentaho authentication mechanism. Pentaho authentication is based on Spring Security and I know Keycloak offers a Spring Security Adapter by which I can secure a spring-secured-application with keycloak authentication. In particular I'd like to know if org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider is fully compliant with Pentaho login authentication in term of userDetails too. At a first glance the answer seems to be YES. But before I undertake a deeper integration process (which will take me time and maybe a big activity effort), it could be useful to know if I'm missing something important I have to fight with.

Thanks a lot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160118/7f6dc8f1/attachment.html From sthorger at redhat.com Tue Jan 19 08:01:37 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 19 Jan 2016 14:01:37 +0100 Subject: [keycloak-user] Client Id and Timeout In-Reply-To: References: <5699552B.4060507@redhat.com> Message-ID: We could add a client_id param to the emails. Then if it all fails we can use the clients base url. On 15 January 2016 at 21:28, Travis De Silva wrote: > irrespective of the theme, how would you provide a link to the user to > redirect back to the application that they initiated the request in the > first place. > > For example, they click on the forgot password link or the register new > user link. > > KeyCloak sends them an email with a link. But they don't click it for > awhile and then when they click it, it has expired. So we should be able to > display an expired message and redirect them back to the login page. How > can we handle this? > > > > On Sat, 16 Jan 2016 at 07:23 Bill Burke wrote: > >> NO, you can't. This would create an open redirect probably and the >> themes are supposed to be completely independent of the protocol. >> >> >> On 1/15/2016 3:06 PM, Travis De Silva wrote: >> >> I can understand that. But without the client ID, we cannot redirect them >> back to the login screen. >> >> Is there anyway where the redirect url can be sent as a query string >> together with the code. That way, we can then pick the redirect url from >> the query string and redirect the user back to the appropriate login screen. >> >> >> On Thu, 14 Jan 2016 at 18:56 Stian Thorgersen >> wrote: >> >>> Once the client session is removed (it's deleted at some point after the >>> login has timed out) the client id is no longer available. 
We have to >>> delete this session at some point as otherwise we'd be left with garbage >>> from abandoned logins >>> >>> On 13 January 2016 at 21:27, Travis De Silva >>> wrote: >>> >>>> Hi, >>>> >>>> For theming the login for different clients within a realm, we are >>>> conditionally checking for the client ID in the freemarker templates and >>>> then accordingly including sub freemarker templates. This is working >>>> perfectly but the issue is for certain errors, such as "You took too long >>>> to login. Login process starting from beginning.", the clientid becomes >>>> null ( (sometimes). >>>> >>>> Is there anything I can do from the freemarker template to identify the >>>> client id so I can then accordingly handle these errors? >>>> >>>> Cheers >>>> Travis >>>> >>>> >>>> >>>> clientId=null >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hathttp://bill.burkecentral.com >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
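Stian's client_id proposal and Bill's open-redirect objection above, worked through as an added example (this is not Keycloak's code): the email link carries only an opaque client_id, and when the link has expired the redirect target is resolved from the realm's registered clients instead of being read from the link itself. The client registry, URLs and function names below are constructed assumptions.

```python
"""Added example, not Keycloak code: resolve the post-expiry redirect
from an opaque client_id rather than from a URL carried in the link.

REALM_CLIENTS is a constructed stand-in for a realm's registered
clients; the function names are hypothetical.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed realm data: client_id -> registered base URL and redirect URIs.
REALM_CLIENTS = {
    "travel-portal": {
        "base_url": "https://travel.example.com/",
        "redirect_uris": ["https://travel.example.com/*"],
    },
    "hr-app": {
        "base_url": "https://hr.example.com/home",
        "redirect_uris": ["https://hr.example.com/callback"],
    },
}

# Where to send the user when nothing about the originating client is known.
DEFAULT_LANDING = "https://sso.example.com/auth/realms/demo/account"


def build_reset_link(auth_base, code, client_id):
    """Email link for a reset/verify action: the only client-specific
    value it carries is the client_id, never a redirect URL."""
    query = urlencode({"code": code, "client_id": client_id})
    return f"{auth_base}/login-actions/reset-credentials?{query}"


def _query(link):
    """Single-valued query parameters of a link."""
    return {k: v[0] for k, v in parse_qs(urlsplit(link).query).items()}


def unsafe_expired_redirect(link):
    """The pattern Bill rejects: trusting a redirect_url query parameter.
    Whoever controls the link controls where the user ends up."""
    return _query(link).get("redirect_url", DEFAULT_LANDING)


def _matches(uri, pattern):
    """Keycloak-style redirect URI matching: exact, or prefix match when
    the registered pattern ends with '*'."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def safe_expired_redirect(link, clients=REALM_CLIENTS):
    """Resolve the target from the registered client.

    Precedence: a redirect_uri that matches one of the client's
    registered patterns, then the client's base URL, then the realm
    default. An unknown client_id yields the realm default, so a
    forged parameter cannot steer the user off registered hosts."""
    params = _query(link)
    client = clients.get(params.get("client_id"))
    if client is None:
        return DEFAULT_LANDING
    wanted = params.get("redirect_uri")
    if wanted and any(_matches(wanted, p) for p in client["redirect_uris"]):
        return wanted
    return client["base_url"]


if __name__ == "__main__":
    link = build_reset_link("https://sso.example.com/auth/realms/demo",
                            "c0de", "travel-portal")
    print(link)
    print("expired ->", safe_expired_redirect(link))
```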
From thomas.raehalme at aitiofinland.com Tue Jan 19 08:04:31 2016
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Tue, 19 Jan 2016 15:04:31 +0200
Subject: [keycloak-user] Client Id and Timeout
In-Reply-To:
References: <5699552B.4060507@redhat.com>
Message-ID:

+1 Sounds like a very good idea!

On Tue, Jan 19, 2016 at 3:01 PM, Stian Thorgersen wrote:
> We could add a client_id param to the emails. Then if it all fails we can
> use the clients base url.
>
> On 15 January 2016 at 21:28, Travis De Silva wrote:
>> Irrespective of the theme, how would you provide a link to the user to
>> redirect back to the application that they initiated the request in the
>> first place?
>>
>> For example, they click on the forgot password link or the register new
>> user link.
>>
>> Keycloak sends them an email with a link. But they don't click it for
>> a while and then when they click it, it has expired. So we should be able
>> to display an expired message and redirect them back to the login page.
>> How can we handle this?
>>
>> On Sat, 16 Jan 2016 at 07:23 Bill Burke wrote:
>>> NO, you can't. This would create an open redirect probably and the
>>> themes are supposed to be completely independent of the protocol.
>>>
>>> On 1/15/2016 3:06 PM, Travis De Silva wrote:
>>>> I can understand that. But without the client ID, we cannot redirect
>>>> them back to the login screen.
>>>>
>>>> Is there any way the redirect URL can be sent as a query string
>>>> together with the code? That way, we can then pick the redirect URL
>>>> from the query string and redirect the user back to the appropriate
>>>> login screen.
>>>>
>>>> On Thu, 14 Jan 2016 at 18:56 Stian Thorgersen wrote:
>>>>> Once the client session is removed (it's deleted at some point after
>>>>> the login has timed out) the client id is no longer available. We
>>>>> have to delete this session at some point as otherwise we'd be left
>>>>> with garbage from abandoned logins.
>>>>>
>>>>> On 13 January 2016 at 21:27, Travis De Silva wrote:
>>>>>> Hi,
>>>>>>
>>>>>> For theming the login for different clients within a realm, we are
>>>>>> conditionally checking for the client ID in the FreeMarker templates
>>>>>> and then accordingly including sub FreeMarker templates. This is
>>>>>> working perfectly but the issue is for certain errors, such as "You
>>>>>> took too long to login. Login process starting from beginning.", the
>>>>>> clientId becomes null (sometimes).
>>>>>>
>>>>>> Is there anything I can do from the FreeMarker template to identify
>>>>>> the client id so I can then accordingly handle these errors?
>>>>>>
>>>>>> Cheers
>>>>>> Travis
>>>>>>
>>>>>> clientId=null
From kunal at plivo.com Tue Jan 19 09:02:08 2016
From: kunal at plivo.com (Kunal K)
Date: Tue, 19 Jan 2016 19:32:08 +0530
Subject: [keycloak-user] Invoking admin REST API.
Message-ID:

Hi all,

I referred to the doc[0] regarding Initial Access Token and generated a new
token for my realm.

I'm using the python requests library to invoke the GET realms API[1] but I
get a 401 Unauthorized status code. Am I doing it wrong? Below is my code.

    import requests

    authorization = {'Authorization': 'Bearer eyJhbGciOiJS.'}
    response = requests.get('http://keycloak-server.com/auth/admin/realms',
                            headers=authorization)
    response.status_code  # 401

[0] https://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html#d4e1450
[1] http://keycloak.github.io/docs/rest-api/index.html#_get_accessible_realms

--
KUNAL KERKAR | PRODUCT ENGINEER
Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
Web: www.plivo.com | Twitter: @plivo, @tsudot

From bburke at redhat.com Tue Jan 19 09:40:52 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 19 Jan 2016 09:40:52 -0500
Subject: [keycloak-user] Client Id and Timeout
In-Reply-To:
References: <5699552B.4060507@redhat.com>
Message-ID: <569E4AF4.5060000@redhat.com>

We already set up a cookie for client session timeouts to hold information
that can reconstruct the session. Not sure if we do it for reset credentials
though.

On 1/19/2016 8:04 AM, Thomas Raehalme wrote:
> +1 Sounds like a very good idea!
>
> On Tue, Jan 19, 2016 at 3:01 PM, Stian Thorgersen wrote:
>> We could add a client_id param to the emails. Then if it all fails we can
>> use the clients base url.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From sthorger at redhat.com Tue Jan 19 09:54:18 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 19 Jan 2016 15:54:18 +0100
Subject: [keycloak-user] Client Id and Timeout
In-Reply-To: <569E4AF4.5060000@redhat.com>
References: <5699552B.4060507@redhat.com> <569E4AF4.5060000@redhat.com>
Message-ID:

Cookie is not always going to work for emails though, as the link may be
opened in a new browser session (or a different browser).

On 19 January 2016 at 15:40, Bill Burke wrote:
> We already set up a cookie for client session timeouts to hold information
> that can reconstruct the session. Not sure if we do it for reset
> credentials though.
>
> On 1/19/2016 8:04 AM, Thomas Raehalme wrote:
>> +1 Sounds like a very good idea!
>>
>> On Tue, Jan 19, 2016 at 3:01 PM, Stian Thorgersen wrote:
>>> We could add a client_id param to the emails. Then if it all fails we
>>> can use the clients base url.

From thomas.darimont at googlemail.com Tue Jan 19 10:53:35 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 19 Jan 2016 16:53:35 +0100
Subject: [keycloak-user] Invoking admin REST API.
In-Reply-To:
References:
Message-ID:

Hello,

I could successfully retrieve a list of users with this:

    import requests

    # avoid proxies for localhost....
    import os
    os.environ['no_proxy'] = '127.0.0.1,localhost'

    serverUrl = 'http://localhost:8080/auth'
    realm = 'test-realm'
    username = 'realm-admin'
    password = 'xxxxxx'
    clientId = 'realm-management'
    clientSecret = 'yyyyyyyyyy'

    # Fetch access token: resource owner password grant, with the
    # confidential client authenticating via HTTP Basic auth
    payload = {'grant_type': ['password'], 'username': [username], 'password': [password]}
    response = requests.post('%s/realms/%s/protocol/openid-connect/token' % (serverUrl, realm),
                             auth=(clientId, clientSecret),
                             data=payload)
    print(response)
    access_token = response.json()['access_token']

    # Lookup users by username pattern, sending the access token as Bearer
    headers = {'Authorization': 'Bearer %s' % (access_token),
               'Content-Type': 'application/json'}
    usernamePattern = 'test'
    userSearchResponse = requests.get('%s/admin/realms/%s/users?username=%s&first=0&max=10'
                                      % (serverUrl, realm, usernamePattern),
                                      headers=headers)
    print(userSearchResponse)
    print(userSearchResponse.text)

Cheers,
Thomas

2016-01-19 15:02 GMT+01:00 Kunal K:
> Hi all,
>
> I referred to the doc[0] regarding Initial Access Token and generated a
> new token for my realm.
>
> I'm using the python requests library to invoke the GET realms API[1] but
> I get a 401 Unauthorized status code. Am I doing it wrong? Below is my code.
>
>     import requests
>     authorization = {'Authorization': 'Bearer eyJhbGciOiJS.'}
>     response = requests.get('http://keycloak-server.com/auth/admin/realms', headers=authorization)
>     response.status_code  # 401
>
> [0] https://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html#d4e1450
> [1] http://keycloak.github.io/docs/rest-api/index.html#_get_accessible_realms
>
> --
> KUNAL KERKAR | PRODUCT ENGINEER
> Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
> Web: www.plivo.com | Twitter: @plivo, @tsudot

From traviskds at gmail.com Tue Jan 19 14:15:27 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Tue, 19 Jan 2016 19:15:27 +0000
Subject: [keycloak-user] Client Id and Timeout
In-Reply-To:
References: <5699552B.4060507@redhat.com> <569E4AF4.5060000@redhat.com>
Message-ID:

+1 for adding client_id param to the emails. This is an important
requirement especially for consumer web applications, as once we get a user
we don't want to lose that user from getting back to the site.

Shall I create a Jira request for this?

On Wed, 20 Jan 2016 at 01:56 Stian Thorgersen wrote:
> Cookie is not always going to work for emails though, as the link may be
> opened in a new browser session (or a different browser).
>
> On 19 January 2016 at 15:40, Bill Burke wrote:
>> We already set up a cookie for client session timeouts to hold
>> information that can reconstruct the session. Not sure if we do it for
>> reset credentials though.
From sthorger at redhat.com Tue Jan 19 14:39:18 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 19 Jan 2016 20:39:18 +0100
Subject: [keycloak-user] Database migration error
In-Reply-To:
References: <81B05B78-9544-45E0-940E-0C39DBBEBD32@onion.io>
Message-ID:

What MySQL version? It would also be helpful if you can confirm whether this
is an issue with MySQL outside of AWS. Can you also create a JIRA issue please?

On 13 January 2016 at 14:45, Boken Lin wrote:
> Hi Stian, thanks for your reply. The database we are using is MySQL on AWS.
>
> Boken.
>
> On Jan 13, 2016 2:48 AM, "Stian Thorgersen" wrote:
>> What database are you using?
>>
>> On 13 January 2016 at 03:41, Boken Lin wrote:
>>> Hi everyone,
>>>
>>> I'm trying to upgrade Keycloak 1.2.0 Final to a newer version, and
>>> encountered the following error while the system tries to update the
>>> database:
>>>
>>> 00:55:20,179 ERROR [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 60) Change Set META-INF/jpa-changelog-1.3.0.xml::1.3.0::bburke at redhat.com failed. Error: Can't DROP 'FK_PMConfig'; check that column/key exists [Failed SQL: ALTER TABLE auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY FK_PMConfig]: liquibase.exception.DatabaseException: Can't DROP 'FK_PMConfig'; check that column/key exists [Failed SQL: ALTER TABLE auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY FK_PMConfig]
>>>
>>> I have tried upgrading to 1.3.1 as well as to 1.7.0 directly, but the
>>> same error message was shown.
>>>
>>> Can someone point me in the right direction?
>>>
>>> Thanks very much!
>>> Boken.

From sthorger at redhat.com Tue Jan 19 14:46:54 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 19 Jan 2016 20:46:54 +0100
Subject: [keycloak-user] Client Id and Timeout
In-Reply-To:
References: <5699552B.4060507@redhat.com> <569E4AF4.5060000@redhat.com>
Message-ID:

IMO this is a usability issue that we should fix for 1.9, so you can create
a JIRA. I can't guarantee that it'll be done for 1.9 though; it may be
pushed.

On 19 January 2016 at 20:15, Travis De Silva wrote:
> +1 for adding client_id param to the emails. This is an important
> requirement especially for consumer web applications, as once we get a
> user we don't want to lose that user from getting back to the site.
>
> Shall I create a Jira request for this?
>
> On Wed, 20 Jan 2016 at 01:56 Stian Thorgersen wrote:
>> Cookie is not always going to work for emails though, as the link may be
>> opened in a new browser session (or a different browser).
From traviskds at gmail.com Tue Jan 19 15:05:54 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Tue, 19 Jan 2016 20:05:54 +0000
Subject: [keycloak-user] Client Id and Timeout
In-Reply-To:
References: <5699552B.4060507@redhat.com> <569E4AF4.5060000@redhat.com>
Message-ID:

Created Jira https://issues.jboss.org/browse/KEYCLOAK-2359

1.9 would be fantastic :) Thanks a lot. Will resolve a big usability issue
for us.

On Wed, 20 Jan 2016 at 06:46 Stian Thorgersen wrote:
> IMO this is a usability issue that we should fix for 1.9, so you can
> create a JIRA. I can't guarantee that it'll be done for 1.9 though; it
> may be pushed.
>
> On 19 January 2016 at 20:15, Travis De Silva wrote:
>> +1 for adding client_id param to the emails. This is an important
>> requirement especially for consumer web applications, as once we get a
>> user we don't want to lose that user from getting back to the site.
>>
>> Shall I create a Jira request for this?
From jstrathern at gmail.com Tue Jan 19 16:20:35 2016
From: jstrathern at gmail.com (Joe Strathern)
Date: Tue, 19 Jan 2016 14:20:35 -0700
Subject: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario

Hello Keycloak Community

I am looking for some assistance on how to pass a Keycloak bearer token in the multi-hop scenario, where the keycloak instance is inside a proxy environment, the next hop is within the proxy, and the original request came from outside of that environment.

For instance, the original request goes to http://external-hostname/auth, where external-hostname is a proxy system. Login is successful, and I receive a Bearer Token with Token issuer - http://external-hostname/auth/realms/My_Realm.

Now I need to take that token from the HTTP request, and attach it to a new request from inside the proxy. I do so, redirecting to http://interior-hostname/API, secured by the same Keycloak. Using "external-hostname" as host once more is not an option, as we are within the proxied environment. However, submitting the hop HTTP request, I am met with the error:

*Failed to verify token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://external-hostname/auth/realms/My_Realm, but URL from configuration is http://internal-hostname/auth/realms/My_Realm*

The token is rejected (since the hostnames are not the exact same), however external-hostname and internal-hostname are the same machine.

Is there a way that Keycloak can identify these hostnames as equivalent to accept the token, or another policy that should be followed in this situation?

Thanks,
Joe
From ornot2008 at yahoo.com Tue Jan 19 23:23:27 2016
From: ornot2008 at yahoo.com (Mai Zi)
Date: Wed, 20 Jan 2016 04:23:27 +0000 (UTC)
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
References: <1460727805.8497044.1453263807685.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1460727805.8497044.1453263807685.JavaMail.yahoo@mail.yahoo.com>

We get lots of errors like this:

2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out

which makes the login slow or fail. We are using keycloak 1.7.0 final and broke a SAML 2.0 IDP (ADFS). The wildfly app server and keycloak both are standalone.

From alexander.schwartz at gmx.net Wed Jan 20 02:57:54 2016
From: alexander.schwartz at gmx.net (Alexander Schwartz)
Date: Wed, 20 Jan 2016 08:57:54 +0100
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
In-Reply-To: <1460727805.8497044.1453263807685.JavaMail.yahoo@mail.yahoo.com>
References: <1460727805.8497044.1453263807685.JavaMail.yahoo.ref@mail.yahoo.com>, <1460727805.8497044.1453263807685.JavaMail.yahoo@mail.yahoo.com>

An HTML attachment was scrubbed...
From sthorger at redhat.com Wed Jan 20 03:18:52 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 20 Jan 2016 09:18:52 +0100
Subject: [keycloak-user] Client Id and Timeout
References: <5699552B.4060507@redhat.com> <569E4AF4.5060000@redhat.com>

I was thinking about this some more last night and maybe we should add the client uuid to the ClientSessionCode; that way it'll always be available even if the client session is invalidated. It would make the links long though, which I don't like.

On 19 January 2016 at 21:05, Travis De Silva wrote:

> Created Jira https://issues.jboss.org/browse/KEYCLOAK-2359
>
> 1.9 would be fantastic :) Thanks a lot. Will resolve a big usability issue for us.
>
> On Wed, 20 Jan 2016 at 06:46 Stian Thorgersen wrote:
>
>> IMO this is a usability issue that we should fix for 1.9, so you can create a JIRA. I can't guarantee that it'll be done for 1.9 though and it may be pushed.
>>
>> On 19 January 2016 at 20:15, Travis De Silva wrote:
>>
>>> +1 for adding client_id param to the emails. This is an important requirement especially for consumer web applications as once we get a user, we don't want to lose that user from getting back to the site.
>>>
>>> Shall I create a Jira request for this?

From sthorger at redhat.com Wed Jan 20 03:22:14 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 20 Jan 2016 09:22:14 +0100
Subject: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario

Assuming you are using our adapters there are two separate urls to configure: "auth-server-url" is the external one, "auth-server-url-for-backend-requests" is the internal one. See http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config for more details.

On 19 January 2016 at 22:20, Joe Strathern wrote:

> Hello Keycloak Community
>
> I am looking for some assistance on how to pass a Keycloak bearer token in the multi-hop scenario, where the keycloak instance is inside a proxy environment, the next hop is within the proxy, and the original request came from outside of that environment.
>
> For instance, the original request goes to http://external-hostname/auth, where external-hostname is a proxy system. Login is successful, and I receive a Bearer Token with Token issuer - http://external-hostname/auth/realms/My_Realm.
>
> Now I need to take that token from the HTTP request, and attach it to a new request from inside the proxy. I do so, redirecting to http://interior-hostname/API, secured by the same Keycloak. Using "external-hostname" as host once more is not an option, as we are within the proxied environment. However, submitting the hop HTTP request, I am met with the error:
>
> *Failed to verify token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://external-hostname/auth/realms/My_Realm, but URL from configuration is http://internal-hostname/auth/realms/My_Realm*
>
> The token is rejected (since the hostnames are not the exact same), however external-hostname and internal-hostname are the same machine.
>
> Is there a way that Keycloak can identify these hostnames as equivalent to accept the token, or another policy that should be followed in this situation?
>
> Thanks,
> Joe

From ornot2008 at yahoo.com Wed Jan 20 03:57:39 2016
From: ornot2008 at yahoo.com (Mai Zi)
Date: Wed, 20 Jan 2016 08:57:39 +0000 (UTC)
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
Message-ID: <612075583.7544425.1453280259511.JavaMail.yahoo@mail.yahoo.com>

Hi, Alexander,

We deploy the client application server (wildfly) and auth server (keycloak) in the same machine.

The web app url is: http://ourhost.com/hello/index.html
The auth server is: https://ourhost.com/auth

Then the setup in keycloak.json should be:

"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "https://ourhost/auth"

This can reduce the round trip?

Thanks a lot

On Wednesday, January 20, 2016 3:56 PM, Alexander Schwartz wrote:

> During the last phase of OAuth negotiation the client application (here: wildfly) will contact the oauth server (here: keycloak) to change the code into a token. In order to work, the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json. If this URL is only accessible to browsers from external / via a load balancer, and the client application should use a different (direct) URL to reach the keycloak server, you can specify auth-server-url-for-backend-requests in your keycloak.json
>
> Best regards,
> Alexander
>
> --
> Alexander Schwartz (alexander.schwartz at gmx.net)
> http://www.ahus1.de
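Stian's reply (two URLs to configure) and Alexander's explanation (the code-to-token step must reach Keycloak from the application server) both turn on which URL the adapter uses for what, and Joe's "Token audience doesn't match domain" error is the issuer side of the same split. As an added example, not code from the thread or from Keycloak, here is a small Python model of that split and of the issuer check; the function names, the sample configs and the unsigned token are constructed, and resolving a relative "/auth" against the request host is this model's assumption.

```python
"""Model of a Keycloak adapter's front-end / back-end URL split and of the
issuer check behind Joe's error. Added example, not Keycloak code.

"auth-server-url" is the browser-facing base URL and the realm URL derived
from it is what a token's "iss" is compared against; the optional
"auth-server-url-for-backend-requests" is used only for calls the adapter
makes itself (code-to-token exchange, fetching realm keys). Resolving a
relative "/auth" against the request host is an assumption of this model.
"""
import base64
import json
from urllib.parse import urlparse


class VerificationException(Exception):
    """Stands in for org.keycloak.common.VerificationException."""


def resolve_urls(config, request_base=None):
    """Derive adapter endpoints from a keycloak.json-style dict (constructed)."""
    auth = config["auth-server-url"].rstrip("/")
    if not urlparse(auth).scheme:  # relative form, e.g. "/auth"
        if request_base is None:
            raise ValueError("relative auth-server-url needs the request base URL")
        auth = request_base.rstrip("/") + auth
    backend = config.get("auth-server-url-for-backend-requests", auth).rstrip("/")
    if not urlparse(backend).scheme:
        raise ValueError("auth-server-url-for-backend-requests must be fully qualified")
    realm = f"/realms/{config['realm']}"
    return {
        # Browser-facing: where the user is sent to log in, and the issuer
        # the adapter expects to find in tokens it receives.
        "auth_url": f"{auth}{realm}/protocol/openid-connect/auth",
        "realm_info_url": f"{auth}{realm}",
        # Back-channel: the adapter calls these itself, so they must be
        # reachable from the application server, not from the user's browser.
        "token_url": f"{backend}{realm}/protocol/openid-connect/token",
        "certs_url": f"{backend}{realm}/protocol/openid-connect/certs",
    }


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(issuer, subject="alice"):
    """Constructed compact JWT with a dummy signature, for this demo only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    return f"{header}.{payload}.signature-not-checked-here"


def decode_claims(jwt):
    """Decode the payload of a compact JWT; signature checking is separate."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuer(jwt, urls):
    """Exact-match issuer check, with the adapter's error text."""
    iss = decode_claims(jwt).get("iss")
    if iss != urls["realm_info_url"]:
        raise VerificationException(
            "Token audience doesn't match domain. Token issuer is "
            f"{iss}, but URL from configuration is {urls['realm_info_url']}"
        )
    return iss


def demo():
    """Joe's multi-hop case: one token checked against two interior configs."""
    token = make_unsigned_token("http://external-hostname/auth/realms/My_Realm")
    # Interior service knows only the internal hostname: the token is rejected.
    internal_only = {"realm": "My_Realm",
                     "auth-server-url": "http://internal-hostname/auth"}
    try:
        check_issuer(token, resolve_urls(internal_only))
        rejected = None
    except VerificationException as exc:
        rejected = str(exc)
    # Split config: external URL for login and issuer, internal for back-channel.
    split = {
        "realm": "My_Realm",
        "auth-server-url": "http://external-hostname/auth",
        "auth-server-url-for-backend-requests": "http://internal-hostname/auth",
    }
    urls = resolve_urls(split)
    return {
        "rejected": rejected,
        "accepted": check_issuer(token, urls),
        "token_url": urls["token_url"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```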
From traviskds at gmail.com Wed Jan 20 04:26:16 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Wed, 20 Jan 2016 09:26:16 +0000
Subject: [keycloak-user] Client Id and Timeout
References: <5699552B.4060507@redhat.com> <569E4AF4.5060000@redhat.com>

I am wondering if we should send the client base url as that is what would be required to redirect the user back to the application when the client session is invalidated. Have a look at my comments to Thomas in this Jira https://issues.jboss.org/browse/KEYCLOAK-2359

On Wed, 20 Jan 2016 at 19:18 Stian Thorgersen wrote:

> I was thinking about this some more last night and maybe we should add the client uuid to the ClientSessionCode; that way it'll always be available even if the client session is invalidated. It would make the links long though, which I don't like.

From sthorger at redhat.com Wed Jan 20 04:29:04 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 20 Jan 2016 10:29:04 +0100
Subject: [keycloak-user] Client Id and Timeout
References: <5699552B.4060507@redhat.com> <569E4AF4.5060000@redhat.com>

-1 There's no need to send the base-url; that can be retrieved from the client as long as the client uuid is available.

On 20 January 2016 at 10:26, Travis De Silva wrote:

> I am wondering if we should send the client base url as that is what would be required to redirect the user back to the application when the client session is invalidated. Have a look at my comments to Thomas in this Jira https://issues.jboss.org/browse/KEYCLOAK-2359

From ornot2008 at yahoo.com Wed Jan 20 04:33:06 2016
From: ornot2008 at yahoo.com (Mai Zi)
Date: Wed, 20 Jan 2016 09:33:06 +0000 (UTC)
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
Message-ID: <796617414.7907183.1453282386538.JavaMail.yahoo@mail.yahoo.com>

Hi,

In the user guide I can find these:

For cluster setup, it may be even better to use option auth-server-url-for-backend-request. This allows to configure that backend requests between Keycloak and your application will be sent directly to same cluster host without additional round-trip through loadbalancer. So for this, it's good to configure values in WEB-INF/keycloak.json like this:

"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "http://${jboss.host.name}:8080/auth"

but I can not understand it yet. Suppose my case, is there any recommendation?

(BTW: I found the reply will be listed in a separate thread when I reply from email. I am very sorry.)

On Wednesday, January 20, 2016 5:16 PM, Alexander Schwartz wrote:

> Hi,
>
> I am not sure what you mean with "the round trip" here.
>
> My recommendation is that auth-server-url should always contain a fully qualified URL.
I have actually never tried to use it without a fully qualified URL.

If you choose not to use a fully qualified URL in auth-server-url, you *must* set auth-server-url-for-backend-requests to a fully qualified URL (including protocol, host, etc.)

I believe you are operating keycloak and wildfly behind a reverse proxy (maybe nginx?)

Best regards,
Alexander

--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de

Sent: Wednesday, 20 January 2016 at 09:57
From: "Mai Zi"
To: "Alexander Schwartz", Keycloak-user
Subject: Re: Aw: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?

Hi, Alexander,

We deploy the client application server (wildfly) and auth server (keycloak) on the same machine.

The web app url is: http://ourhost.com/hello/index.html
The auth server is: https://ourhost.com/auth

Then the setup in keycloak.json should be:

  "auth-server-url": "/auth",
  "auth-server-url-for-backend-requests": "https://ourhost/auth"

This can reduce the round trip?

Thanks a lot

On Wednesday, January 20, 2016 3:56 PM, Alexander Schwartz wrote:

During the last phase of OAuth negotiation the client application (here: wildfly) will contact the oauth server (here: keycloak) to change the code into a token.

In order to work the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json.

If this URL is only accessible to browsers from external / via a load balancer, and the client application should use a different (direct) URL to reach the keycloak server, you can specify auth-server-url-for-backend-requests in your keycloak.json

Best regards,
Alexander

--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de

Sent: Wednesday, 20 January 2016 at 05:23
From: "Mai Zi"
To: Keycloak-user
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?

We get lots of errors like this:

2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out

and which makes the login slow or failed.

We are using keycloak 1.7.0 final and broker a SAML 2.0 IDP (ADFS). The wildfly app server and keycloak both are standalone.

From Maurice.Quaedackers at planonsoftware.com Wed Jan 20 04:45:38 2016
From: Maurice.Quaedackers at planonsoftware.com (Maurice Quaedackers)
Date: Wed, 20 Jan 2016 10:45:38 +0100
Subject: [keycloak-user] Upgrade Keycloak 1.2.0Final to 1.7.0Final
Message-ID:

Hello all,

I want to upgrade several keycloak 1.2.0Final environments (running on MS SQL database) to keycloak 1.7.0Final

The keycloak-server.json is configured with:

  "connectionsJpa": {
    "default": {
      "dataSource": "java:jboss/datasources/KeycloakDS",
      "databaseSchema": "update",
      "driverDialect": "org.hibernate.dialect.SQLServer2008Dialect"
    }
  },

When trying to upgrade the upgrade fails, see the stacktrace below. When installing a 1.7.0Final with an empty db all works fine.

Is an upgrade direct from 1.2.0Final to 1.7.0Final supported or how can I upgrade the existing environments to 1.7.0Final?

Best Regards,

Maurice Quaedackers.

9:26:50,130 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 75) Updating database
09:26:50,693 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 75) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...]
09:26:50,753 INFO [org.hibernate.Version] (ServerService Thread Pool -- 75) HHH000412: Hibernate Core {4.3.10.Final} 09:26:50,756 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 75) HHH000206: hibernate.properties not found 09:26:50,758 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 75) HHH000021: Bytecode provider name : javassist 09:26:50,926 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 75) HCANN000001: Hibernate Commons Annotations {4.0.5.Final} 09:26:50,999 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 75) HHH000400: Using dialect: org.hibernate.dialect.SQLServer2008Dialect 09:26:51,283 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 75) HHH000397: Using ASTQueryTranslatorFactory 09:26:51,321 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 75) HV000001: Hibernate Validator 5.1.3.Final 09:26:52,490 INFO [org.hibernate.event.internal.DefaultLoadEventListener] (ServerService Thread Pool -- 75) HHH000327: Error performing load command : org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow 09:26:52,493 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 75) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at 
java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) ... 
6 more Caused by: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:44) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34) at com.sun.proxy.$Proxy82.find(Unknown Source) at org.keycloak.models.jpa.JpaRealmProvider.getRealm(JpaRealmProvider.java:65) at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getRealm(DefaultCacheRealmProvider.java:161) at org.keycloak.services.managers.ApplianceBootstrap.setupDefaultRealm(ApplianceBootstrap.java:32) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:81) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:422) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148) ... 
19 more Caused by: javax.persistence.PersistenceException: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1694) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1141) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1068) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32) ... 
29 more Caused by: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow at org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:126) at org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713) at org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:362) at org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4718) at org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:188) at org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:144) at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.performTwoPhaseLoad(AbstractRowReader.java:244) at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.finishUp(AbstractRowReader.java:215) at org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:140) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:138) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:102) at org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader.load(AbstractLoadPlanBasedEntityLoader.java:186) at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:4126) at org.hibernate.event.internal.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:503) at org.hibernate.event.internal.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:468) at org.hibernate.event.internal.DefaultLoadEventListener.load(DefaultLoadEventListener.java:213) at 
org.hibernate.event.internal.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:275) at org.hibernate.event.internal.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:151) at org.hibernate.internal.SessionImpl.fireLoad(SessionImpl.java:1106) at org.hibernate.internal.SessionImpl.access$2000(SessionImpl.java:176) at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2587) at org.hibernate.internal.SessionImpl.get(SessionImpl.java:991) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1110) ... 35 more Caused by: java.lang.IllegalArgumentException: Can not set int field org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow to null value at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at sun.reflect.UnsafeIntegerFieldAccessorImpl.set(UnsafeIntegerFieldAccessorImpl.java:80) at java.lang.reflect.Field.set(Field.java:764) at org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:122) ... 
57 more 09:26:52,500 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow Caused by: javax.persistence.PersistenceException: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow Caused by: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow Caused by: java.lang.IllegalArgumentException: Can not set int field org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow to null value"}} 09:26:52,534 INFO [org.jboss.as.server] (ServerService Thread Pool -- 67) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") 09:26:52,535 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report WFLYCTL0186: Services which failed to start: service 
jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
09:26:52,674 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.12.33.1:9990/management
09:26:52,675 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.12.33.1:9990
09:26:52,675 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: WildFly Full 9.0.1.Final (WildFly Core 1.0.1.Final) started (with errors) in 40832ms - Started 379 of 613 services (2 services failed or missing dependencies, 329 services are lazy, passive or on-demand)

From kunal at plivo.com Wed Jan 20 05:53:10 2016
From: kunal at plivo.com (Kunal K)
Date: Wed, 20 Jan 2016 16:23:10 +0530
Subject: [keycloak-user] Invoking admin REST API.
In-Reply-To: References: Message-ID:

Thanks for that snippet. It worked.

You are querying for the access_token and then using that to make API calls; what's the difference between this access_token and the one I generate from Realm settings under the 'Initial Access Token' tab? When I use that access token, it gives me a 401 error.

On Tue, Jan 19, 2016 at 9:23 PM, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
> Hello,
>
> I could successfully retrieve a list of users with this:
>
> import requests
> import os
>
> # avoid proxies for localhost....
> os.environ['no_proxy'] = '127.0.0.1,localhost'
>
> serverUrl = 'http://localhost:8080/auth'
> realm = 'test-realm'
> username = 'realm-admin'
> password = 'xxxxxx'
> clientId = 'realm-management'
> clientSecret = 'yyyyyyyyyy'
>
> # Fetch access token (password grant; the client authenticates with its secret via HTTP basic auth)
> payload = {'grant_type': ['password'], 'username': [username], 'password': [password]}
> response = requests.post('%s/realms/%s/protocol/openid-connect/token' % (serverUrl, realm),
>                          auth=(clientId, clientSecret),
>                          data=payload)
> print(response)  # expect <Response [200]>
> access_token = response.json()['access_token']
>
> # Lookup users by username pattern, sending the access token as a bearer token
> headers = {'Authorization': 'Bearer %s' % (access_token), 'Content-Type': 'application/json'}
> usernamePattern = 'test'
> userSearchResponse = requests.get('%s/admin/realms/%s/users?username=%s&first=0&max=10' % (serverUrl, realm, usernamePattern),
>                                   headers=headers)
> print(userSearchResponse)
> print(userSearchResponse.text)
>
> Cheers,
> Thomas
>
> 2016-01-19 15:02 GMT+01:00 Kunal K :
>
>> Hi all,
>>
>> I referred to the doc[0] regarding Initial Access Token and generated a
>> new token for my realm.
>>
>> I'm using the python requests library to invoke the GET realms API[1] but
>> I get a 401 Unauthorized status code. Am I doing it wrong? Below is my code.
>>
>> import requests
>> authorization = {'Authorization': 'Bearer eyJhbGciOiJS.'}
>>
>> response = requests.get('http://keycloak-server.com/auth/admin/realms', headers=authorization)
>> response.status_code  # 401
>>
>> [0] https://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html#d4e1450
>> [1] http://keycloak.github.io/docs/rest-api/index.html#_get_accessible_realms
>>
>> --
>> *KUNAL KERKAR *| PRODUCT ENGINEER
>> Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
>> Web: www.plivo.com | Twitter: @plivo , @tsudot
>>
>> Free Incoming SMS for All US Short Codes - Get One Today!
--
*KUNAL KERKAR *| PRODUCT ENGINEER
Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
Web: www.plivo.com | Twitter: @plivo , @tsudot

Free Incoming SMS for All US Short Codes - Get One Today!

From olivier.lievre at altran.com Wed Jan 20 05:58:05 2016
From: olivier.lievre at altran.com (LIEVRE Olivier)
Date: Wed, 20 Jan 2016 10:58:05 +0000
Subject: [keycloak-user] save first login date in user attribute
Message-ID: <5E0EBD68B410924EADA89C5CBD233CD062FA300B@XMB-DCFR-35.europe.corp.altran.com>

Hello,

Is there a possibility to store in user attributes the timestamp of the first user login to keycloak?

KR,
Olivier

From sthorger at redhat.com Wed Jan 20 06:33:49 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 20 Jan 2016 12:33:49 +0100
Subject: [keycloak-user] Upgrade Keycloak 1.2.0Final to 1.7.0Final
In-Reply-To: References: Message-ID:

Please create a JIRA

On 20 January 2016 at 10:45, Maurice Quaedackers <Maurice.Quaedackers at planonsoftware.com> wrote:
> Hello all,
>
> I want to upgrade several keycloak 1.2.0Final environments (running on MS
> SQL database) to keycloak 1.7.0Final
>
> The keycloak-server.json is configured with:
>
> "connectionsJpa": {
>   "default": {
>     "dataSource": "java:jboss/datasources/KeycloakDS",
>     "databaseSchema": "update",
>     "driverDialect": "org.hibernate.dialect.SQLServer2008Dialect"
>   }
> },
>
> When trying to upgrade the upgrade fails, see the stacktrace below.
When > installing a 1.7.0Final with an empty db all works fine. > > Is an upgrade direct from 1.2.0Final to 1.7.0Final supported or how can I > upgrade the existing environments to 1.7.0Final? > > Best Regards, > > Maurice Quaedackers. > > > 9:26:50,130 INFO > [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] > (ServerService Thread Pool -- 75) Updating database > 09:26:50,693 INFO [org.hibernate.jpa.internal.util.LogHelper] > (ServerService Thread Pool -- 75) HHH000204: Processing PersistenceUnitInfo > [ > name: keycloak-default > ...] > 09:26:50,753 INFO [org.hibernate.Version] (ServerService Thread Pool -- > 75) HHH000412: Hibernate Core {4.3.10.Final} > 09:26:50,756 INFO [org.hibernate.cfg.Environment] (ServerService Thread > Pool -- 75) HHH000206: hibernate.properties not found > 09:26:50,758 INFO [org.hibernate.cfg.Environment] (ServerService Thread > Pool -- 75) HHH000021: Bytecode provider name : javassist > 09:26:50,926 INFO [org.hibernate.annotations.common.Version] > (ServerService Thread Pool -- 75) HCANN000001: Hibernate Commons > Annotations {4.0.5.Final} > 09:26:50,999 INFO [org.hibernate.dialect.Dialect] (ServerService Thread > Pool -- 75) HHH000400: Using dialect: > org.hibernate.dialect.SQLServer2008Dialect > 09:26:51,283 INFO > [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService > Thread Pool -- 75) HHH000397: Using ASTQueryTranslatorFactory > 09:26:51,321 INFO [org.hibernate.validator.internal.util.Version] > (ServerService Thread Pool -- 75) HV000001: Hibernate Validator 5.1.3.Final > 09:26:52,490 INFO [org.hibernate.event.internal.DefaultLoadEventListener] > (ServerService Thread Pool -- 75) HHH000327: Error performing load command > : org.hibernate.PropertyAccessException: Null value was assigned to a > property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > 09:26:52,493 ERROR [org.jboss.msc.service.fail] (ServerService Thread 
Pool > -- 75) MSC000001: Failed to start service > jboss.undertow.deployment.default-server.default-host./auth: > org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > Caused by: java.lang.RuntimeException: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160) > at > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211) > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295) > at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > at > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > at > 
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > at > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230) > at > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131) > at > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > ... 6 more > Caused by: org.keycloak.models.ModelException: > javax.persistence.PersistenceException: > org.hibernate.PropertyAccessException: Null value was assigned to a > property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > at > org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:44) > at > org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34) > at com.sun.proxy.$Proxy82.find(Unknown Source) > at > org.keycloak.models.jpa.JpaRealmProvider.getRealm(JpaRealmProvider.java:65) > at > org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getRealm(DefaultCacheRealmProvider.java:161) > at > org.keycloak.services.managers.ApplianceBootstrap.setupDefaultRealm(ApplianceBootstrap.java:32) > at > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:81) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:422) > at > 
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148) > ... 19 more > Caused by: javax.persistence.PersistenceException: > org.hibernate.PropertyAccessException: Null value was assigned to a > property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763) > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1694) > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1141) > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1068) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at > org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32) > ... 
29 more > Caused by: org.hibernate.PropertyAccessException: Null value was assigned > to a property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > at > org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:126) > at > org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713) > at > org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:362) > at > org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4718) > at > org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:188) > at > org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:144) > at > org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.performTwoPhaseLoad(AbstractRowReader.java:244) > at > org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.finishUp(AbstractRowReader.java:215) > at > org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:140) > at > org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:138) > at > org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:102) > at > org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader.load(AbstractLoadPlanBasedEntityLoader.java:186) > at > org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:4126) > at > org.hibernate.event.internal.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:503) > at > org.hibernate.event.internal.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:468) > at > org.hibernate.event.internal.DefaultLoadEventListener.load(DefaultLoadEventListener.java:213) > at > 
org.hibernate.event.internal.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:275) > at > org.hibernate.event.internal.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:151) > at org.hibernate.internal.SessionImpl.fireLoad(SessionImpl.java:1106) > at org.hibernate.internal.SessionImpl.access$2000(SessionImpl.java:176) > at > org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2587) > at org.hibernate.internal.SessionImpl.get(SessionImpl.java:991) > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1110) > ... 35 more > Caused by: java.lang.IllegalArgumentException: Can not set int field > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > to null value > at > sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) > at > sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) > at > sun.reflect.UnsafeIntegerFieldAccessorImpl.set(UnsafeIntegerFieldAccessorImpl.java:80) > at java.lang.reflect.Field.set(Field.java:764) > at > org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:122) > ... 
57 more > > 09:26:52,500 ERROR [org.jboss.as.controller.management-operation] > (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: > ([("deployment" => "keycloak-server.war")]) - failure description: > {"WFLYCTL0080: Failed services" => > {"jboss.undertow.deployment.default-server.default-host./auth" => > "org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > Caused by: java.lang.RuntimeException: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > Caused by: org.keycloak.models.ModelException: > javax.persistence.PersistenceException: > org.hibernate.PropertyAccessException: Null value was assigned to a > property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > Caused by: javax.persistence.PersistenceException: > org.hibernate.PropertyAccessException: Null value was assigned to a > property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > Caused by: org.hibernate.PropertyAccessException: Null value was > assigned to a property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > Caused by: java.lang.IllegalArgumentException: Can not set int field > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > to null value"}} > 09:26:52,534 INFO [org.jboss.as.server] (ServerService Thread Pool -- 67) > WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : > "keycloak-server.war") > 09:26:52,535 INFO [org.jboss.as.controller] (Controller Boot Thread) > WFLYCTL0183: Service status report > WFLYCTL0186: Services 
which failed to start: service > jboss.undertow.deployment.default-server.default-host./auth: > org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > > 09:26:52,674 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: > Http management interface listening on http://127.12.33.1:9990/management > 09:26:52,675 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: > Admin console listening on http://127.12.33.1:9990 > 09:26:52,675 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: > WildFly Full 9.0.1.Final (WildFly Core 1.0.1.Final) started (with errors) > in 40832ms - Started 379 of 613 services (2 services failed or missing > dependencies, 329 services are lazy, passive or on-demand) > ed to a property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763) > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1694) > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1141) > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1068) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at > org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32) > ... 
29 more > Caused by: org.hibernate.PropertyAccessException: Null value was assigned > to a property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > at > org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:126) > at > org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713) > at > org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:362) > at > org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4718) > at > org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:188) > at > org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:144) > at > org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.performTwoPhaseLoad(AbstractRowReader.java:244) > at > org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.finishUp(AbstractRowReader.java:215) > at > org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:140) > at > org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:138) > at > org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:102) > at > org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader.load(AbstractLoadPlanBasedEntityLoader.java:186) > at > org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:4126) > at > org.hibernate.event.internal.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:503) > at > org.hibernate.event.internal.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:468) > at > org.hibernate.event.internal.DefaultLoadEventListener.load(DefaultLoadEventListener.java:213) > at > 
org.hibernate.event.internal.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:275) > at > org.hibernate.event.internal.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:151) > at org.hibernate.internal.SessionImpl.fireLoad(SessionImpl.java:1106) > at org.hibernate.internal.SessionImpl.access$2000(SessionImpl.java:176) > at > org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2587) > at org.hibernate.internal.SessionImpl.get(SessionImpl.java:991) > at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1110) > ... 35 more > Caused by: java.lang.IllegalArgumentException: Can not set int field > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > to null value > at > sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) > at > sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) > at > sun.reflect.UnsafeIntegerFieldAccessorImpl.set(UnsafeIntegerFieldAccessorImpl.java:80) > at java.lang.reflect.Field.set(Field.java:764) > at > org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:122) > ... 
57 more > > 2016-01-20 09:26:52,500 ERROR > [org.jboss.as.controller.management-operation] (Controller Boot Thread) > WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => > "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed > services" => {"jboss.undertow.deployment.default-server.default-host./auth" > => "org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > Caused by: java.lang.RuntimeException: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > Caused by: org.keycloak.models.ModelException: > javax.persistence.PersistenceException: > org.hibernate.PropertyAccessException: Null value was assigned to a > property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > Caused by: javax.persistence.PersistenceException: > org.hibernate.PropertyAccessException: Null value was assigned to a > property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > Caused by: org.hibernate.PropertyAccessException: Null value was > assigned to a property of primitive type setter of > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > Caused by: java.lang.IllegalArgumentException: Can not set int field > org.keycloak.models.jpa.entities.RealmEntity.accessTokenLifespanForImplicitFlow > to null value"}} > 2016-01-20 09:26:52,534 INFO [org.jboss.as.server] (ServerService Thread > Pool -- 67) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : > "keycloak-server.war") > 2016-01-20 09:26:52,535 INFO [org.jboss.as.controller] (Controller Boot > Thread) WFLYCTL0183: Service 
status report > WFLYCTL0186: Services which failed to start: service > jboss.undertow.deployment.default-server.default-host./auth: > org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./auth: > java.lang.RuntimeException: Failed to construct public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > > 2016-01-20 09:26:52,674 INFO [org.jboss.as] (Controller Boot Thread) > WFLYSRV0060: Http management interface listening on > http://127.12.33.1:9990/management > 2016-01-20 09:26:52,675 INFO [org.jboss.as] (Controller Boot Thread) > WFLYSRV0051: Admin console listening on http://127.12.33.1:9990 > 2016-01-20 09:26:52,675 ERROR [org.jboss.as] (Controller Boot Thread) > WFLYSRV0026: WildFly Full 9.0.1.Final (WildFly Core 1.0.1.Final) started > (with errors) in 40832ms - Started 379 of 613 services (2 services failed > or missing dependencies, 329 services are lazy, passive or on-demand) > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160120/99489529/attachment-0001.html From sthorger at redhat.com Wed Jan 20 06:35:07 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 20 Jan 2016 12:35:07 +0100 Subject: [keycloak-user] save first login date in user attribute In-Reply-To: <5E0EBD68B410924EADA89C5CBD233CD062FA300B@XMB-DCFR-35.europe.corp.altran.com> References: <5E0EBD68B410924EADA89C5CBD233CD062FA300B@XMB-DCFR-35.europe.corp.altran.com> Message-ID: Not built-in, but you can create a required action that does that and enable it as a default action. 
Take a look at http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html

On 20 January 2016 at 11:58, LIEVRE Olivier wrote:
> Hello,
>
> Is there a possibility to store in user attributes the timestamp of first
> user login to keycloak ?
>
> KR,
>
> Olivier
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ornot2008 at yahoo.com Wed Jan 20 07:10:03 2016
From: ornot2008 at yahoo.com (Mai Zi)
Date: Wed, 20 Jan 2016 12:10:03 +0000 (UTC)
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
In-Reply-To: <796617414.7907183.1453282386538.JavaMail.yahoo@mail.yahoo.com>
References: <796617414.7907183.1453282386538.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <2042674961.8566539.1453291803280.JavaMail.yahoo@mail.yahoo.com>

I finally figured it out for my case as below:

My case: the web app url is http://ourhost.com/hello/index.html, the auth server is https://ourhost.com/auth

My configuration:
"auth-server-url": "https://ourhost.com/auth",
"auth-server-url-for-backend-requests": "http://localhost/auth"

On Wednesday, January 20, 2016 5:33 PM, Mai Zi wrote:

Hi,
In the user guide I can find this:

For cluster setup, it may be even better to use option auth-server-url-for-backend-request. This allows to configure that backend requests between Keycloak and your application will be sent directly to same cluster host without additional round-trip through loadbalancer. So for this, it's good to configure values in WEB-INF/keycloak.json like this:
"auth-server-url": "/auth", "auth-server-url-for-backend-requests": "http://${jboss.host.name}:8080/auth"

but I can not understand it yet.
Suppose my case, is there any recommendation?
(BTW: I found the reply will be listed in a separate thread when replying from email. I am very sorry.)

On Wednesday, January 20, 2016 5:16 PM, Alexander Schwartz wrote:

Hi,
I am not sure what you mean with "the round trip" here.
My recommendation is that auth-server-url should always contain a fully qualified URL. I have actually never tried to use it without a fully qualified URL.
If you choose not to use a fully qualified URL in auth-server-url, you *must* set auth-server-url-for-backend-requests to a fully qualified URL (including protocol, host, etc.)
I believe you are operating keycloak and wildfly behind a reverse proxy (maybe nginx?)
Best regards,
Alexander
--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de

Sent: Wednesday, 20 January 2016 at 09:57
From: "Mai Zi"
To: "Alexander Schwartz", Keycloak-user
Subject: Re: Aw: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?

Hi, Alexander,
We deploy the client application server (wildfly) and auth server (keycloak) on the same machine.
The web app url is http://ourhost.com/hello/index.html, the auth server is https://ourhost.com/auth
then the setup in keycloak.json should be:
"auth-server-url": "/auth", "auth-server-url-for-backend-requests": "https://ourhost/auth"
This can reduce the round trip?
Thanks a lot
On Wednesday, January 20, 2016 3:56 PM, Alexander Schwartz wrote:

During the last phase of OAuth negotiation the client application (here: wildfly) will contact the oauth server (here: keycloak) to change the code into a token.
In order to work, the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json.
If this URL is only accessible to browsers from external / via a load balancer, and the client application should use a different (direct) URL to reach the keycloak server, you can specify auth-server-url-for-backend-requests in your keycloak.json
Best regards,
Alexander
--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de

Sent: Wednesday, 20 January 2016 at 05:23
From: "Mai Zi"
To: Keycloak-user
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?

We get lots of errors like this:
2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out

and which makes the login slow or failed.

We are using keycloak 1.7.0 final and broker a SAML 2.0 IDP (ADFS). The wildfly app server and keycloak both are standalone.

From ornot2008 at yahoo.com Wed Jan 20 07:19:20 2016
From: ornot2008 at yahoo.com (Mai Zi)
Date: Wed, 20 Jan 2016 12:19:20 +0000 (UTC)
Subject: [keycloak-user] Is there an option to set the connection timeout for adapter to communicate to auth server?
References: <123644323.8470412.1453292360798.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <123644323.8470412.1453292360798.JavaMail.yahoo@mail.yahoo.com>

Hi,
It is not always possible to use the "auth-server-url-for-backend-requests" to reduce the round trip for the adapter to communicate to the Auth server. If the time it takes is a little bit long, is there a way to set up a configurable timeout to prevent it from failing anyway?
Thanks a lot.
Mai

From johan.heylen.public at gmail.com Wed Jan 20 08:12:44 2016
From: johan.heylen.public at gmail.com (Johan Heylen)
Date: Wed, 20 Jan 2016 14:12:44 +0100
Subject: [keycloak-user] import only users into a realm
Message-ID:

Hello,

I wanted to know if it is possible to only import users into a realm without overwriting the realm settings (clients, smtp, etc).

I've looked at http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html and already successfully exported the realm and users in different files, and I want to load the users into another keycloak instance.

Of course I could just do trial/error experiments, but maybe someone already has some experience on migrating only users?

Best regards,

Johan

From sthorger at redhat.com Wed Jan 20 08:18:04 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 20 Jan 2016 14:18:04 +0100
Subject: [keycloak-user] import only users into a realm
In-Reply-To:
References:
Message-ID:

In 1.8.0.CR1 we introduced a new feature called partial import which allows you to do exactly that.
On 20 January 2016 at 14:12, Johan Heylen wrote:
> Hello,
>
> I wanted to know if it is possible to only import users into a realm without
> overwriting the realm settings (clients, smtp, etc).
>
> I've looked at
> http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html
> and already successfully exported the realm and users in different files,
> and I want to load the users into another keycloak instance.
>
> Of course I could just do trial/error experiments, but maybe someone
> already has some experience on migrating only users?
>
> Best regards,
>
> Johan

From thomas.darimont at googlemail.com Wed Jan 20 08:39:01 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 20 Jan 2016 14:39:01 +0100
Subject: [keycloak-user] save first login date in user attribute
In-Reply-To:
References: <5E0EBD68B410924EADA89C5CBD233CD062FA300B@XMB-DCFR-35.europe.corp.altran.com>
Message-ID:

As Stian said - it is really easy to do as a custom required action:

0) Define a custom RequiredActionFactory that returns your custom RequiredActionProvider

// RecordFirstLoginRequiredActionFactory.java
package de.tdlabs.keycloak.authentication;

import org.keycloak.Config.Scope;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;

public class RecordFirstLoginRequiredActionFactory implements RequiredActionFactory {

    @Override
    public RequiredActionProvider create(KeycloakSession session) {
        return new RecordFirstLoginRequiredActionProvider();
    }

    @Override
    public void init(Scope config) {
        // NOOP
    }

    @Override
    public void postInit(KeycloakSessionFactory factory) {
        // NOOP
    }

    @Override
    public void close() {
        // NOOP
    }

    @Override
    public String getId() {
        // Provider id under which the action shows up in the admin console
        return "record-first-login-action";
    }

    @Override
    public String getDisplayText() {
        return "Record First Login Action";
    }
}

// RecordFirstLoginRequiredActionProvider.java
package de.tdlabs.keycloak.authentication;

import static java.time.LocalDateTime.now;
import static java.util.Arrays.asList;

import java.util.List;

import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.UserModel;

public class RecordFirstLoginRequiredActionProvider implements RequiredActionProvider {

    @Override
    public void close() {
        // NOOP
    }

    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        UserModel user = context.getUser();
        // Only write the attribute when it is absent, i.e. on the very first login;
        // later logins leave the original timestamp untouched.
        List<String> list = user.getAttribute("login.first-login-date");
        if (list == null || list.isEmpty()) {
            user.setAttribute("login.first-login-date", asList(now().toString()));
        }
    }

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        // NOOP - nothing to show the user
    }

    @Override
    public void processAction(RequiredActionContext context) {
        context.success();
    }
}

Create a service loader file under:
META-INF/services/org.keycloak.authentication.RequiredActionFactory
with:
de.tdlabs.keycloak.authentication.RecordFirstLoginRequiredActionFactory

1) Build the jar or add the project classpath to the keycloak-server.json via providers, e.g.:

{
  "providers": [
    "classpath:${jboss.server.config.dir}/providers/*",
    "classpath:${de.tdlabs.keycloak-rest-federation-provider.home}/target/classes/",
    "classpath:${de.tdlabs.keycloak-event-listener.home}/target/classes/",
    "classpath:${de.tdlabs.keycloak-required-actions.home}/target/classes/"
  ],
  ...
}

2) Register the required action in keycloak
2.1) Configure Custom Required Action: Realm -> Authentication -> Required Actions -> Register -> "Record First Login Action" -> mark as "Default Action"

3) Test the required action
3.1) Login once
3.2) Users -> your user -> Attributes -> the 'login.first-login-date' attribute should be there

Cheers,
Thomas

2016-01-20 12:35 GMT+01:00 Stian Thorgersen :
> Not built-in, but you can create a required action that does that and
> enable it as a default action. Take a look at
> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>
> On 20 January 2016 at 11:58, LIEVRE Olivier
> wrote:
>
>> Hello,
>>
>> Is there a possibility to store in user attributes the timestamp of first
>> user login to keycloak ?
>>
>> KR,
>>
>> Olivier

From thomas.darimont at googlemail.com Wed Jan 20 08:46:36 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 20 Jan 2016 14:46:36 +0100
Subject: [keycloak-user] import only users into a realm
In-Reply-To:
References:
Message-ID:

Hello Johan,

as Stian said - there is the new "import" menu in Keycloak 1.8 - after you select a previously exported "keycloak-realms-config.json" you see the attached screen.

Cheers,
Thomas

2016-01-20 14:18 GMT+01:00 Stian Thorgersen :
> In 1.8.0.CR1 we introduced a new feature called partial import which
> allows you to do exactly that.
>
> On 20 January 2016 at 14:12, Johan Heylen
> wrote:
>
>> Hello,
>>
>> I wanted to know if it is possible to only import users into a realm without
>> overwriting the realm settings (clients, smtp, etc).
>>
>> I've looked at
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html
>> and already successfully exported the realm and users in different files,
>> and I want to load the users into another keycloak instance.
>>
>> Of course I could just do trial/error experiments, but maybe someone
>> already has some experience on migrating only users?
>>
>> Best regards,
>>
>> Johan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak-partial-import.PNG
Type: image/png
Size: 37607 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160120/7c7d4ee4/attachment-0001.png

From pavel.masloff at gmail.com Wed Jan 20 08:48:46 2016
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Wed, 20 Jan 2016 14:48:46 +0100
Subject: [keycloak-user] keycloak-jetty92-adapter & UriBuilder HTTP error 500
In-Reply-To:
References: <5693E84F.6060607@redhat.com>
Message-ID:

This did the trick:

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-services</artifactId>
    <version>${keycloak.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-multipart-provider</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>jaxrs-api</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.jboss.resteasy</groupId>
    <artifactId>resteasy-multipart-provider</artifactId>
    <version>2.3.7.Final</version>
    <exclusions>
        <exclusion>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Thanks.
Regards,
Pavel Maslov, MS

On Mon, Jan 18, 2016 at 1:09 PM, Pavel Maslov wrote:
> Not sure how to do this. Can you elaborate, please?
>
> Regards,
> Pavel Maslov, MS
>
> On Mon, Jan 11, 2016 at 6:37 PM, Bill Burke wrote:
>
>> Hmm, a resteasy dependency has stuck in maybe? Remove the jaxrs and
>> resteasy jars that exist in the adapter distro for Jetty? Does that work?
>>
>> On 1/11/2016 6:50 AM, Pavel Maslov wrote:
>>
>> Hi,
>>
>> I am planning to migrate the Keycloak server from version 1.3.1 to 1.7.0.
>> However, when trying to access a secured resource of our API I get the
>> following error:
>>
>> HTTP ERROR 500
>>
>> Problem accessing /v1/producers. Reason:
>>
>> Server Error
>> java.lang.AbstractMethodError: javax.ws.rs.core.UriBuilder.uri(Ljava/lang/String;)Ljavax/ws/rs/core/UriBuilder;
>> at javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:119)
>> at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:292)
>> at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:222)
>> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)
>> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
>> at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:165)
>> at com.thetransactioncompany.cors.CORSFilter.doFilter(CORSFilter.java:239)
>> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
>> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>> at org.eclipse.jetty.server.Server.handle(Server.java:497)
>> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
>> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
>> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> It used to work with the previous version of Keycloak + adapter (1.3.1).
>> The only thing I did is I just changed dependency version 1.3.1 to 1.7.0 in
>> my pom.xml:
>>
>> <dependency>
>>     <groupId>org.keycloak</groupId>
>>     <artifactId>keycloak-core</artifactId>
>>     <version>1.7.0.Final</version>
>> </dependency>
>> <dependency>
>>     <groupId>org.keycloak</groupId>
>>     <artifactId>keycloak-services</artifactId>
>>     <version>1.7.0.Final</version>
>> </dependency>
>>
>> <dependency>
>>     <groupId>org.keycloak</groupId>
>>     <artifactId>keycloak-jetty92-adapter-dist</artifactId>
>>     <version>1.7.0.Final</version>
>>     <type>pom</type>
>> </dependency>
>>
>> Perhaps, something else is missing. Can it be web.xml or jetty-web.xml
>> that I have to update in some way? Any ideas?
>> Thanks.
>>
>> Regards,
>> Pavel Maslov, MS
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
From juraci at kroehling.de Wed Jan 20 09:15:44 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Wed, 20 Jan 2016 15:15:44 +0100
Subject: [keycloak-user] Announce - Secret Store
Message-ID: <569F9690.5080805@kroehling.de>

For Hawkular, we were in need of a simplified way for a REST client to communicate with our backend. After discussing this with Stian, we started the "secret-store" module, which was just spun off of Hawkular into a "standalone" project.

Secret Store is a module for scenarios where the whole OAuth procedure might be undesirable or not feasible on the client side.

The Secret Store has two sides:

1) a REST endpoint to create opaque tokens backed by OAuth Offline Tokens, composed of a key and secret;

2) an Undertow filter/proxy server that translates the opaque tokens into OAuth bearer tokens, rewriting the incoming request. To your backend, it's transparent whether an opaque token or a proper OAuth token was used.

More info here: https://github.com/jpkrohling/secret-store

- Juca.

From bburke at redhat.com Wed Jan 20 10:32:04 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 20 Jan 2016 10:32:04 -0500
Subject: [keycloak-user] Announce - Secret Store
In-Reply-To: <569F9690.5080805@kroehling.de>
References: <569F9690.5080805@kroehling.de>
Message-ID: <569FA874.1050606@redhat.com>

I honestly don't get why you are doing this. I assume you are familiar with direct grants. Why aren't these enough? It's just a REST call to keycloak to obtain a token. Honestly, this seems ridiculous.

On 1/20/2016 9:15 AM, Juraci Paixão Kröhling wrote:
> For Hawkular, we were in need of a simplified way for a REST client to communicate with our backend. After discussing this with Stian, we started the "secret-store" module, which was just spun off of Hawkular into a "standalone" project.
>
> Secret Store is a module for scenarios where the whole OAuth procedure might be undesirable or not feasible on the client side.
>
> The Secret Store has two sides:
>
> 1) a REST endpoint to create opaque tokens backed by OAuth Offline Tokens, composed of a key and secret;
>
> 2) an Undertow filter/proxy server that translates the opaque tokens into OAuth bearer tokens, rewriting the incoming request. To your backend, it's transparent whether an opaque token or a proper OAuth token was used.
>
> More info here: https://github.com/jpkrohling/secret-store
>
> - Juca.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From juraci at kroehling.de Wed Jan 20 10:57:01 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Wed, 20 Jan 2016 16:57:01 +0100
Subject: [keycloak-user] Announce - Secret Store
In-Reply-To: <569FA874.1050606@redhat.com>
References: <569F9690.5080805@kroehling.de> <569FA874.1050606@redhat.com>
Message-ID: <569FAE4D.6030401@kroehling.de>

Direct grants require the client to have access to a user's credentials. In our specific case, having plain-text access to the account credentials is not viewed as very secure by sysadmins. So, issuing those tokens and making them individually revokable makes sense.

On 20.01.2016 16:32, Bill Burke wrote:
> I honestly don't get why you are doing this. I assume you are familiar with direct grants. Why aren't these enough? It's just a REST call to keycloak to obtain a token. Honestly, this seems ridiculous.
>
> On 1/20/2016 9:15 AM, Juraci Paixão Kröhling wrote:
>> For Hawkular, we were in need of a simplified way for a REST client to communicate with our backend.
>> After discussing this with Stian, we started the "secret-store" module, which was just spun off of Hawkular into a "standalone" project.
>>
>> Secret Store is a module for scenarios where the whole OAuth procedure might be undesirable or not feasible on the client side.
>>
>> The Secret Store has two sides:
>>
>> 1) a REST endpoint to create opaque tokens backed by OAuth Offline Tokens, composed of a key and secret;
>>
>> 2) an Undertow filter/proxy server that translates the opaque tokens into OAuth bearer tokens, rewriting the incoming request. To your backend, it's transparent whether an opaque token or a proper OAuth token was used.
>>
>> More info here: https://github.com/jpkrohling/secret-store
>>
>> - Juca.

From bburke at redhat.com Wed Jan 20 11:12:56 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 20 Jan 2016 11:12:56 -0500
Subject: [keycloak-user] Announce - Secret Store
In-Reply-To: <569FAE4D.6030401@kroehling.de>
References: <569F9690.5080805@kroehling.de> <569FA874.1050606@redhat.com> <569FAE4D.6030401@kroehling.de>
Message-ID: <569FB208.4060707@redhat.com>

What you are describing MAKES ZERO SENSE. From your document:

"A token is created when an user reaches the path /secret-store/v1/tokens/create via GET (or passing the username and password as Basic authentication via POST) and stored into a Cassandra data store:"

You are doing EXACTLY what the direct grant REST API does except you are using basic auth. I still don't see the purpose of this service.

On 1/20/2016 10:57 AM, Juraci Paixão Kröhling wrote:
> Direct grants require the client to have access to a user's credentials. In our specific case, having plain-text access to the account credentials is not viewed as very secure by sysadmins. So, issuing those tokens and making them individually revokable makes sense.
>
> On 20.01.2016 16:32, Bill Burke wrote:
>> I honestly don't get why you are doing this. I assume you are familiar with direct grants. Why aren't these enough? It's just a REST call to keycloak to obtain a token. Honestly, this seems ridiculous.
>>
>> On 1/20/2016 9:15 AM, Juraci Paixão Kröhling wrote:
>>> For Hawkular, we were in need of a simplified way for a REST client to communicate with our backend. After discussing this with Stian, we started the "secret-store" module, which was just spun off of Hawkular into a "standalone" project.
>>>
>>> Secret Store is a module for scenarios where the whole OAuth procedure might be undesirable or not feasible on the client side.
>>>
>>> The Secret Store has two sides:
>>>
>>> 1) a REST endpoint to create opaque tokens backed by OAuth Offline Tokens, composed of a key and secret;
>>>
>>> 2) an Undertow filter/proxy server that translates the opaque tokens into OAuth bearer tokens, rewriting the incoming request. To your backend, it's transparent whether an opaque token or a proper OAuth token was used.
>>>
>>> More info here: https://github.com/jpkrohling/secret-store
>>>
>>> - Juca.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From juraci at kroehling.de Wed Jan 20 11:44:27 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Wed, 20 Jan 2016 17:44:27 +0100
Subject: [keycloak-user] Announce - Secret Store
In-Reply-To: <569FB208.4060707@redhat.com>
References: <569F9690.5080805@kroehling.de> <569FA874.1050606@redhat.com> <569FAE4D.6030401@kroehling.de> <569FB208.4060707@redhat.com>
Message-ID: <569FB96B.9070303@kroehling.de>

On 20.01.2016 17:12, Bill Burke wrote:
> What you are describing MAKES ZERO SENSE. From your document:
>
> "A token is created when an user reaches the path /secret-store/v1/tokens/create via GET (or passing the username and password as Basic authentication via POST) and stored into a Cassandra data store:"
>
> You are doing EXACTLY what the direct grant REST API does except you are using basic auth. I still don't see the purpose of this service.

Those are performed in different steps. The user creates this token via a UI (or CLI, if needed), then uses this key/secret as the credentials on the client.

The client has no knowledge about Keycloak, OAuth, or about any metadata that was embedded into this opaque token. All it cares about is that it's going to call the end service using basic auth.

The secret store is *not* for every application: it's targeted to clients where OAuth handling is costly, undesirable or even impossible (like legacy applications). So, instead of entering the user's own credentials there, the key/secret are used instead.

Our "metrics collector agent" is the main target for this: the knowledge about auth doesn't belong there. All it needs to know is a "user" and "password", which are the "key" and "secret" for the token. Where Keycloak is, how to create an access token from an offline token, how long to keep an access token, and so on is done at the secret store, as we need to save every processing cycle possible, to not badly influence a server that is being monitored (and possibly already in a bad shape).

Of course, if you can live with your password being stored in plaintext on the clients, you don't need the secret store. But honestly, that seems ridiculous.

- Juca.

From bmcwhirt at redhat.com Wed Jan 20 11:48:17 2016
From: bmcwhirt at redhat.com (Bob McWhirter)
Date: Wed, 20 Jan 2016 11:48:17 -0500
Subject: [keycloak-user] Announce - Secret Store
In-Reply-To: <569FB96B.9070303@kroehling.de>
References: <569F9690.5080805@kroehling.de> <569FA874.1050606@redhat.com> <569FAE4D.6030401@kroehling.de> <569FB208.4060707@redhat.com> <569FB96B.9070303@kroehling.de>

Is that not the use-case for the "offline tokens" that Keycloak added support for recently?

(/me isn't certain)

-Bob

On Wed, Jan 20, 2016 at 11:44 AM, Juraci Paixão Kröhling <juraci at kroehling.de> wrote:

> On 20.01.2016 17:12, Bill Burke wrote:
> > What you are describing MAKES ZERO SENSE. From your document:
> >
> > "A token is created when an user reaches the path /secret-store/v1/tokens/create via GET (or passing the username and password as Basic authentication via POST) and stored into a Cassandra data store:"
> >
> > You are doing EXACTLY what the direct grant REST API does except you are using basic auth. I still don't see the purpose of this service.
>
> Those are performed in different steps. The user creates this token via a UI (or CLI, if needed), then uses this key/secret as the credentials on the client.
>
> The client has no knowledge about Keycloak, OAuth, or about any metadata that was embedded into this opaque token. All it cares about is that it's going to call the end service using basic auth.
>
> The secret store is *not* for every application: it's targeted to clients where OAuth handling is costly, undesirable or even impossible (like legacy applications). So, instead of entering the user's own credentials there, the key/secret are used instead.
>
> Our "metrics collector agent" is the main target for this: the knowledge about auth doesn't belong there. All it needs to know is a "user" and "password", which are the "key" and "secret" for the token. Where Keycloak is, how to create an access token from an offline token, how long to keep an access token, and so on is done at the secret store, as we need to save every processing cycle possible, to not badly influence a server that is being monitored (and possibly already in a bad shape).
>
> Of course, if you can live with your password being stored in plaintext on the clients, you don't need the secret store. But honestly, that seems ridiculous.
>
> - Juca.

From juraci at kroehling.de Wed Jan 20 11:50:53 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Wed, 20 Jan 2016 17:50:53 +0100
Subject: [keycloak-user] Announce - Secret Store
References: <569F9690.5080805@kroehling.de> <569FA874.1050606@redhat.com> <569FAE4D.6030401@kroehling.de> <569FB208.4060707@redhat.com> <569FB96B.9070303@kroehling.de>
Message-ID: <569FBAED.4060603@kroehling.de>

On 20.01.2016 17:48, Bob McWhirter wrote:
> Is that not the use-case for the "offline tokens" that Keycloak added support for recently?
>
> (/me isn't certain)

Sort of: the offline token is like a refresh token, as in it can only be used to create access tokens. So, the client needs to know how to get an access token from an offline token.

- Juca.

From bburke at redhat.com Wed Jan 20 12:50:51 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 20 Jan 2016 12:50:51 -0500
Subject: [keycloak-user] Announce - Secret Store
In-Reply-To: <569FB96B.9070303@kroehling.de>
References: <569F9690.5080805@kroehling.de> <569FA874.1050606@redhat.com> <569FAE4D.6030401@kroehling.de> <569FB208.4060707@redhat.com> <569FB96B.9070303@kroehling.de>
Message-ID: <569FC8FB.6010907@redhat.com>

On 1/20/2016 11:44 AM, Juraci Paixão Kröhling wrote:
> On 20.01.2016 17:12, Bill Burke wrote:
>> What you are describing MAKES ZERO SENSE. From your document:
>>
>> "A token is created when an user reaches the path /secret-store/v1/tokens/create via GET (or passing the username and password as Basic authentication via POST) and stored into a Cassandra data store:"
>>
>> You are doing EXACTLY what the direct grant REST API does except you are using basic auth. I still don't see the purpose of this service.
> Those are performed in different steps. The user creates this token via a UI (or CLI, if needed), then uses this key/secret as the credentials on the client.
>
> The client has no knowledge about Keycloak, OAuth, or about any metadata that was embedded into this opaque token. All it cares about is that it's going to call the end service using basic auth.
>
> The secret store is *not* for every application: it's targeted to clients where OAuth handling is costly, undesirable or even impossible (like legacy applications). So, instead of entering the user's own credentials there, the key/secret are used instead.
>
> Our "metrics collector agent" is the main target for this: the knowledge about auth doesn't belong there.
> All it needs to know is a "user" and "password", which are the "key" and "secret" for the token. Where Keycloak is, how to create an access token from an offline token, how long to keep an access token, and so on is done at the secret store, as we need to save every processing cycle possible, to not badly influence a server that is being monitored (and possibly already in a bad shape).
>
> Of course, if you can live with your password being stored in plaintext on the clients, you don't need the secret store. But honestly, that seems ridiculous.

Thanks for the explanation and sorry if I sounded rude. We have people suggesting crazy redundant shit all the time and I thought this just might have been yet another case of this. Makes sense now. Something interesting that we should add to Keycloak as an optional service sometime in the future.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sthorger at redhat.com Wed Jan 20 14:15:26 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 20 Jan 2016 20:15:26 +0100
Subject: [keycloak-user] Announce - Secret Store
In-Reply-To: <569FC8FB.6010907@redhat.com>
References: <569F9690.5080805@kroehling.de> <569FA874.1050606@redhat.com> <569FAE4D.6030401@kroehling.de> <569FB208.4060707@redhat.com> <569FB96B.9070303@kroehling.de> <569FC8FB.6010907@redhat.com>

Another interesting aspect of this is that it can be useful in IoT.

In IoT the devices themselves are often pretty dumb, they have a small amount of storage and don't even talk http. The hub they connect to is generally more beefy and talks both zigbee (or whatever) and http. With IoT devices it would work something like:

1. User registers a new IoT device through some sort of flow (click a button on the hub, through an app on the smartphone, through the web browser on the hub portal, or whatever)
2. The hub creates a new "device" account for it in Keycloak, and also gets tokens from KC (refresh or offline, whatever). It stores the refresh/offline token permanently, but the access token only in memory
3. The hub also creates a short token (token UUID, or key/secret pair, whatever)
4. The hub sends the small short token to the device
5. The device now only needs to store this short token and also only send this short token
6. The hub looks up the real token based on the uuid or key/secret pair, and swaps it in any outgoing request

The benefit here is that a small IoT device can communicate to a REST service secured with bearer tokens without having to deal with large bearer tokens, refreshing the token, etc.

On 20 January 2016 at 18:50, Bill Burke wrote:

> On 1/20/2016 11:44 AM, Juraci Paixão Kröhling wrote:
> > On 20.01.2016 17:12, Bill Burke wrote:
> >> What you are describing MAKES ZERO SENSE. From your document:
> >>
> >> "A token is created when an user reaches the path /secret-store/v1/tokens/create via GET (or passing the username and password as Basic authentication via POST) and stored into a Cassandra data store:"
> >>
> >> You are doing EXACTLY what the direct grant REST API does except you are using basic auth. I still don't see the purpose of this service.
> > Those are performed in different steps. The user creates this token via a UI (or CLI, if needed), then uses this key/secret as the credentials on the client.
> >
> > The client has no knowledge about Keycloak, OAuth, or about any metadata that was embedded into this opaque token. All it cares about is that it's going to call the end service using basic auth.
> >
> > The secret store is *not* for every application: it's targeted to clients where OAuth handling is costly, undesirable or even impossible (like legacy applications). So, instead of entering the user's own credentials there, the key/secret are used instead.
> >
> > Our "metrics collector agent" is the main target for this: the knowledge about auth doesn't belong there. All it needs to know is a "user" and "password", which are the "key" and "secret" for the token. Where Keycloak is, how to create an access token from an offline token, how long to keep an access token, and so on is done at the secret store, as we need to save every processing cycle possible, to not badly influence a server that is being monitored (and possibly already in a bad shape).
> >
> > Of course, if you can live with your password being stored in plaintext on the clients, you don't need the secret store. But honestly, that seems ridiculous.
> Thanks for the explanation and sorry if I sounded rude. We have people suggesting crazy redundant shit all the time and I thought this just might have been yet another case of this. Makes sense now. Something interesting that we should add to Keycloak as an optional service sometime in the future.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From psilva at redhat.com Wed Jan 20 15:18:42 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 20 Jan 2016 15:18:42 -0500 (EST)
Subject: [keycloak-user] Announce - Secret Store
References: <569F9690.5080805@kroehling.de> <569FA874.1050606@redhat.com> <569FAE4D.6030401@kroehling.de> <569FB208.4060707@redhat.com> <569FB96B.9070303@kroehling.de> <569FC8FB.6010907@redhat.com>
Message-ID: <693291424.12776703.1453321122188.JavaMail.zimbra@redhat.com>

IETF already has some work around OAuth2 and IoT.
It is interesting: https://tools.ietf.org/html/draft-tschofenig-ace-oauth-iot-00.

Also, I think IoT is usually based on, and prefers, UDP instead of TCP.

Regards.
Pedro Igor

----- Original Message -----
From: "Stian Thorgersen"
To: "Bill Burke"
Cc: "keycloak-user"
Sent: Wednesday, January 20, 2016 5:15:26 PM
Subject: Re: [keycloak-user] Announce - Secret Store

Another interesting aspect of this is that it can be useful in IoT.

In IoT the devices themselves are often pretty dumb, they have a small amount of storage and don't even talk http. The hub they connect to is generally more beefy and talks both zigbee (or whatever) and http. With IoT devices it would work something like:

1. User registers a new IoT device through some sort of flow (click a button on the hub, through an app on the smartphone, through the web browser on the hub portal, or whatever)
2. The hub creates a new "device" account for it in Keycloak, and also gets tokens from KC (refresh or offline, whatever). It stores the refresh/offline token permanently, but the access token only in memory
3. The hub also creates a short token (token UUID, or key/secret pair, whatever)
4. The hub sends the small short token to the device
5. The device now only needs to store this short token and also only send this short token
6. The hub looks up the real token based on the uuid or key/secret pair, and swaps it in any outgoing request

The benefit here is that a small IoT device can communicate to a REST service secured with bearer tokens without having to deal with large bearer tokens, refreshing the token, etc.

On 20 January 2016 at 18:50, Bill Burke <bburke at redhat.com> wrote:

On 1/20/2016 11:44 AM, Juraci Paixão Kröhling wrote:
> On 20.01.2016 17:12, Bill Burke wrote:
>> What you are describing MAKES ZERO SENSE. From your document:
>>
>> "A token is created when an user reaches the path /secret-store/v1/tokens/create via GET (or passing the username and password as Basic authentication via POST) and stored into a Cassandra data store:"
>>
>> You are doing EXACTLY what the direct grant REST API does except you are using basic auth. I still don't see the purpose of this service.
> Those are performed in different steps. The user creates this token via a UI (or CLI, if needed), then uses this key/secret as the credentials on the client.
>
> The client has no knowledge about Keycloak, OAuth, or about any metadata that was embedded into this opaque token. All it cares about is that it's going to call the end service using basic auth.
>
> The secret store is *not* for every application: it's targeted to clients where OAuth handling is costly, undesirable or even impossible (like legacy applications). So, instead of entering the user's own credentials there, the key/secret are used instead.
>
> Our "metrics collector agent" is the main target for this: the knowledge about auth doesn't belong there. All it needs to know is a "user" and "password", which are the "key" and "secret" for the token. Where Keycloak is, how to create an access token from an offline token, how long to keep an access token, and so on is done at the secret store, as we need to save every processing cycle possible, to not badly influence a server that is being monitored (and possibly already in a bad shape).
>
> Of course, if you can live with your password being stored in plaintext on the clients, you don't need the secret store. But honestly, that seems ridiculous.
Thanks for the explanation and sorry if I sounded rude. We have people suggesting crazy redundant shit all the time and I thought this just might have been yet another case of this. Makes sense now. Something interesting that we should add to Keycloak as an optional service sometime in the future.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From battery4cid at gmail.com Wed Jan 20 15:31:56 2016
From: battery4cid at gmail.com (Bruce Shaw)
Date: Wed, 20 Jan 2016 15:31:56 -0500
Subject: [keycloak-user] Change JWT algorithm type for access token signature

Hello,

Is there any way to quickly change the algorithm type used for the JWT signatures in the Keycloak instance? For my OpenId Connect clients the access tokens are sent using RSA256 but I'd like to use one of the HMAC ones like HS256.

thanks.

From ah at tradeworks.io Thu Jan 21 02:48:47 2016
From: ah at tradeworks.io (Anton Hughes)
Date: Thu, 21 Jan 2016 08:48:47 +0100
Subject: [keycloak-user] Advice on securing user device

Hello

My use-case is as follows:

Users are typically developers, who add a library to their project. This library can send and receive information. The use of this library is based on, say, a subscription.

As a user-manager, I would like users of my library to have to be authorized. And I would also like to know how many devices/software products the user has connected.

Is this something that Keycloak can help with? If yes, can someone recommend specifically what I should look at?

Thanks

--
Anton Hughes
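Returning to the Secret Store thread: the translation step that Juraci describes (opaque key/secret in, OAuth bearer token out) and that Stian's hub flow performs in steps 2 to 6 is easy to misread as "just basic auth", which is what the exchange with Bill turned on. The Python below is an added example written for this page; it is not code from the secret-store project, Hawkular or Keycloak. It shows the filter side of that design: the client sends its key/secret as HTTP Basic credentials, the filter checks the secret against a salted hash (so a database dump does not yield usable credentials), looks up the offline token bound to that key, exchanges it for a short-lived access token that is cached until shortly before expiry, and rewrites the Authorization header to Bearer before forwarding. Requests that already carry a bearer token pass through untouched, which is the "transparent to the backend" property from the announcement, and revoking one key/secret pair cuts off exactly that client. The `SecretStore` class, its `rewrite` method, the `Refresher` callback and all sample data are assumptions for illustration; `keycloak_refresh` performs the standard OAuth2 refresh_token grant against Keycloak's token endpoint (the 1.x path layout `/auth/realms/{realm}/protocol/openid-connect/token` is assumed), but the test injects a fake refresher so nothing here goes on the network.

```python
"""Added example (not code from secret-store, Hawkular or Keycloak): the filter side
of an opaque key/secret -> OAuth bearer token design, as discussed in the thread."""
import base64, hashlib, hmac, json, secrets, time, urllib.parse, urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Refresher = Callable[[str], Tuple[str, int]]   # offline token -> (access token, lifetime seconds)


def keycloak_refresh(server_url: str, realm: str, client_id: str,
                     client_secret: Optional[str] = None) -> Refresher:
    """OAuth2 refresh_token grant against a Keycloak token endpoint (1.x URL layout assumed,
    e.g. server_url='https://sso.example/auth'). Only the store ever sees the offline token."""
    endpoint = f"{server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"

    def refresh(offline_token: str) -> Tuple[str, int]:
        form = {"grant_type": "refresh_token", "refresh_token": offline_token, "client_id": client_id}
        if client_secret:
            form["client_secret"] = client_secret
        req = urllib.request.Request(endpoint, data=urllib.parse.urlencode(form).encode(),
                                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=10) as resp:   # real network call; tests inject a fake
            body = json.load(resp)
        return body["access_token"], int(body["expires_in"])
    return refresh


@dataclass
class _Entry:
    secret_hash: bytes                 # salted PBKDF2 of the secret; the plaintext is never stored
    salt: bytes
    offline_token: str                 # what the client would otherwise have to hold
    revoked: bool = False
    access_token: Optional[str] = None
    expires_at: float = 0.0


class SecretStore:
    PBKDF2_ROUNDS = 50_000
    EARLY_REFRESH = 5.0                # refresh this many seconds before the access token expires

    def __init__(self, refresher: Refresher, clock: Callable[[], float] = time.time):
        self._entries: Dict[str, _Entry] = {}
        self._refresh, self._clock = refresher, clock

    @classmethod
    def _hash(cls, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, cls.PBKDF2_ROUNDS)

    def create(self, offline_token: str) -> Tuple[str, str]:
        """Bind a fresh key/secret to an offline token; the secret is returned exactly once."""
        key, secret, salt = secrets.token_hex(8), secrets.token_urlsafe(32), secrets.token_bytes(16)
        self._entries[key] = _Entry(self._hash(secret, salt), salt, offline_token)
        return key, secret

    def revoke(self, key: str) -> bool:
        entry = self._entries.get(key)
        if entry is None:
            return False
        entry.revoked, entry.access_token = True, None   # also drop the cached bearer token
        return True

    def _authenticate(self, key: str, secret: str) -> Optional[_Entry]:
        entry = self._entries.get(key)
        if entry is None or entry.revoked:
            return None
        # constant-time comparison of the hashes: a wrong secret leaks no timing signal
        if not hmac.compare_digest(self._hash(secret, entry.salt), entry.secret_hash):
            return None
        return entry

    def _access_token(self, entry: _Entry) -> str:
        now = self._clock()
        if entry.access_token is None or now >= entry.expires_at - self.EARLY_REFRESH:
            entry.access_token, lifetime = self._refresh(entry.offline_token)
            entry.expires_at = now + lifetime
        return entry.access_token

    def rewrite(self, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        """Filter step: (200, headers) means forward the request with these headers;
        any other status is the response to send straight back to the client."""
        scheme, _, param = headers.get("Authorization", "").partition(" ")
        if scheme.lower() == "bearer":
            return 200, dict(headers)      # a real OAuth token: pass through, the backend validates it
        if scheme.lower() != "basic":
            return 401, {"WWW-Authenticate": 'Basic realm="secret-store"'}
        try:
            key, _, secret = base64.b64decode(param.strip(), validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return 400, {}
        entry = self._authenticate(key, secret)
        if entry is None:
            return 401, {"WWW-Authenticate": 'Basic realm="secret-store"'}
        out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        out["Authorization"] = "Bearer " + self._access_token(entry)
        return 200, out


def basic_header(key: str, secret: str) -> str:
    """What the agent sends: plain HTTP Basic, key as the user and secret as the password."""
    return "Basic " + base64.b64encode(f"{key}:{secret}".encode()).decode()
```

The agent side never learns where Keycloak is or what an offline token looks like, which is the point Juraci makes about the metrics collector; the store is the only component that needs the realm, client id and token endpoint, and an operator revokes a compromised agent with `store.revoke(key)` without touching the user's password. The header lookup is case-sensitive for brevity; a real filter normalises header names.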
From sthorger at redhat.com Thu Jan 21 02:50:19 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 21 Jan 2016 08:50:19 +0100
Subject: [keycloak-user] Announce - Secret Store
In-Reply-To: <693291424.12776703.1453321122188.JavaMail.zimbra@redhat.com>
References: <569F9690.5080805@kroehling.de> <569FA874.1050606@redhat.com> <569FAE4D.6030401@kroehling.de> <569FB208.4060707@redhat.com> <569FB96B.9070303@kroehling.de> <569FC8FB.6010907@redhat.com> <693291424.12776703.1453321122188.JavaMail.zimbra@redhat.com>

IoT devices are usually ZigBee or some other type of mesh protocol. It's clever stuff, my light bulbs can relay signals from each other, my laptops can't.

On 20 January 2016 at 21:18, Pedro Igor Silva wrote:

> IETF already has some work around OAuth2 and IoT. It is interesting: https://tools.ietf.org/html/draft-tschofenig-ace-oauth-iot-00.
>
> Also, I think IoT is usually based on, and prefers, UDP instead of TCP.
>
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Stian Thorgersen"
> To: "Bill Burke"
> Cc: "keycloak-user"
> Sent: Wednesday, January 20, 2016 5:15:26 PM
> Subject: Re: [keycloak-user] Announce - Secret Store
>
> Another interesting aspect of this is that it can be useful in IoT.
>
> In IoT the devices themselves are often pretty dumb, they have a small amount of storage and don't even talk http. The hub they connect to is generally more beefy and talks both zigbee (or whatever) and http. With IoT devices it would work something like:
>
> 1. User registers a new IoT device through some sort of flow (click a button on the hub, through an app on the smartphone, through the web browser on the hub portal, or whatever)
> 2. The hub creates a new "device" account for it in Keycloak, and also gets tokens from KC (refresh or offline, whatever). It stores the refresh/offline token permanently, but the access token only in memory
> 3. The hub also creates a short token (token UUID, or key/secret pair, whatever)
> 4. The hub sends the small short token to the device
> 5. The device now only needs to store this short token and also only send this short token
> 6. The hub looks up the real token based on the uuid or key/secret pair, and swaps it in any outgoing request
>
> The benefit here is that a small IoT device can communicate to a REST service secured with bearer tokens without having to deal with large bearer tokens, refreshing the token, etc.
>
> On 20 January 2016 at 18:50, Bill Burke <bburke at redhat.com> wrote:
>
> On 1/20/2016 11:44 AM, Juraci Paixão Kröhling wrote:
> > On 20.01.2016 17:12, Bill Burke wrote:
> >> What you are describing MAKES ZERO SENSE. From your document:
> >>
> >> "A token is created when an user reaches the path /secret-store/v1/tokens/create via GET (or passing the username and password as Basic authentication via POST) and stored into a Cassandra data store:"
> >>
> >> You are doing EXACTLY what the direct grant REST API does except you are using basic auth. I still don't see the purpose of this service.
> > Those are performed in different steps. The user creates this token via a UI (or CLI, if needed), then uses this key/secret as the credentials on the client.
> >
> > The client has no knowledge about Keycloak, OAuth, or about any metadata that was embedded into this opaque token. All it cares about is that it's going to call the end service using basic auth.
> >
> > The secret store is *not* for every application: it's targeted to clients where OAuth handling is costly, undesirable or even impossible (like legacy applications). So, instead of entering the user's own credentials there, the key/secret are used instead.
> > > > Our "metrics collector agent" is the main target for this: the knowledge > > about auth doesn't belong there. All it needs to know is a "user" and > > "password", which are the "key" and "secret" for the token. Where > > Keycloak is, how to create an access token from an offline token, how > > long to keep an access token, and so on is handled at the secret store, as > > we need to save every processing cycle possible, to not badly influence > > a server that is being monitored (and possibly already in bad shape). > > > > Of course, if you can live with your password being stored in plaintext > > on the clients, you don't need the secret store. But honestly, that > > seems ridiculous. > Thanks for the explanation and sorry if I sounded rude. We have people > suggesting crazy redundant shit all the time and I thought this just > might have been yet another case of this. Makes sense now. Something > interesting that we should add to Keycloak as an optional service > sometime in the future. > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/8987a021/attachment-0001.html From sthorger at redhat.com Thu Jan 21 02:51:06 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 21 Jan 2016 08:51:06 +0100 Subject: [keycloak-user] Change JWT algorithm type for access token signature In-Reply-To: References: Message-ID: We don't currently support changing this.
You can create a JIRA to request this, but it'll be a while until we get time to do it. On 20 January 2016 at 21:31, Bruce Shaw wrote: > Hello, > > Is there any way to quickly change the algorithm type used for the JWT > signatures in the Keycloak instance? For my OpenId Connect clients the > access tokens are sent using RSA256 but I'd like to use one of the HMAC > ones like HS256. > > thanks. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/f82d191e/attachment.html From thomas.darimont at googlemail.com Thu Jan 21 03:23:03 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 21 Jan 2016 09:23:03 +0100 Subject: [keycloak-user] Change JWT algorithm type for access token signature In-Reply-To: References: Message-ID: Hello, do you see that as a client-only option or also as a realm option? Cheers, Thomas 2016-01-21 8:51 GMT+01:00 Stian Thorgersen : > We don't currently support changing this. You can create a JIRA to request > this, but it'll be a while until we get time to do it. > > On 20 January 2016 at 21:31, Bruce Shaw wrote: > >> Hello, >> >> Is there any way to quickly change the algorithm type used for the JWT >> signatures in the Keycloak instance? For my OpenId Connect clients the >> access tokens are sent using RSA256 but I'd like to use one of the HMAC >> ones like HS256. >> >> thanks.
>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/510f196a/attachment.html From sthorger at redhat.com Thu Jan 21 03:43:16 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 21 Jan 2016 09:43:16 +0100 Subject: [keycloak-user] Change JWT algorithm type for access token signature In-Reply-To: References: Message-ID: I'd say there should be an option to configure the default for a realm, then override for a client template or individual client. It'll be needed once we start certifying with OpenID Connect and adding more optional parts of the specs. On 21 January 2016 at 09:23, Thomas Darimont wrote: > Hello, > > do you see that as a client-only option or also as a realm option? > > Cheers, > Thomas > > 2016-01-21 8:51 GMT+01:00 Stian Thorgersen : > >> We don't currently support changing this. You can create a JIRA to >> request this, but it'll be a while until we get time to do it. >> >> On 20 January 2016 at 21:31, Bruce Shaw wrote: >> >>> Hello, >>> >>> Is there any way to quickly change the algorithm type used for the JWT >>> signatures in the Keycloak instance? For my OpenId Connect clients the >>> access tokens are sent using RSA256 but I'd like to use one of the HMAC >>> ones like HS256. >>> >>> thanks.
>>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/0a8d0b8c/attachment.html From revanth at arvindinternet.com Thu Jan 21 05:38:33 2016 From: revanth at arvindinternet.com (Revanth Ayalasomayajula) Date: Thu, 21 Jan 2016 16:08:33 +0530 Subject: [keycloak-user] Error while building Keycloak Message-ID: Hi All, I have made a few changes to the keycloak code for a little customization of my own and I am getting the following error while running the command (mvn install -Pdistribution). [ERROR] Failed to execute goal on project keycloak-spring-boot-adapter: Could not resolve dependencies for project org.keycloak:keycloak-spring-boot-adapter:jar:1.6.0.Final-SNAPSHOT: The following artifacts could not be resolved: org.keycloak:keycloak-tomcat8-adapter:jar:1.6.0.Final-SNAPSHOT, org.keycloak:keycloak-jetty92-adapter:jar:1.6.0.Final-SNAPSHOT: Could not find artifact org.keycloak:keycloak-tomcat8-adapter:jar:1.6.0.Final-SNAPSHOT in jboss ( http://repository.jboss.org/nexus/content/groups/public/) -> [Help 1] Does anyone have an idea as to why this is happening? Thanks in advance. -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/b4ff3adf/attachment.html From sthorger at redhat.com Thu Jan 21 06:00:11 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 21 Jan 2016 12:00:11 +0100 Subject: [keycloak-user] Keycloak 1.8.0.CR2 Released Message-ID: We had a few issues reported against 1.8.0.CR1, so we're doing another CR release with the fixes. If everything is OK, 1.8.0.Final will be released next week. There was also a feature that sneaked in. We now support sign-on with Microsoft Live. For the full list of issues resolved check out JIRA, and to download the release go to the Keycloak homepage. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/f1cc261e/attachment.html From revanth at arvindinternet.com Thu Jan 21 08:00:53 2016 From: revanth at arvindinternet.com (Revanth Ayalasomayajula) Date: Thu, 21 Jan 2016 18:30:53 +0530 Subject: [keycloak-user] Database changes on every build. Message-ID: Hi, I am customizing keycloak 1.5.0 according to my preferences and every time I build, the database gets changed. Is there any way to protect the already existing data? And also could you give me some pointers on how to change the default database to mysql on every build? We want to use a MySql database and not an h2 db. Thanks in advance. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/b806be0c/attachment-0001.html From sthorger at redhat.com Thu Jan 21 08:05:19 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 21 Jan 2016 14:05:19 +0100 Subject: [keycloak-user] Database changes on every build.
In-Reply-To: References: Message-ID: Take a look at the hacking on Keycloak documentation that explains about databases and the testsuite. On 21 January 2016 at 14:00, Revanth Ayalasomayajula < revanth at arvindinternet.com> wrote: > Hi, > > I am customizing keycloak 1.5.0 according to my preferences and every time I > build, the database gets changed. Is there any way to protect the already > existing data? And also could you give me some pointers on how to change > the default database to mysql on every build? We want to use a MySql > database and not an h2 db. > > Thanks in advance. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/afad0069/attachment.html From revanth at arvindinternet.com Thu Jan 21 08:54:18 2016 From: revanth at arvindinternet.com (Revanth Ayalasomayajula) Date: Thu, 21 Jan 2016 19:24:18 +0530 Subject: [keycloak-user] Database changes on every build. In-Reply-To: References: Message-ID: Hi, Thanks for the quick reply. I took a look at hacking on keycloak and in that, there is testing with mysql but no information on how to change my default database from h2 to mysql, like what additional things I have to do when I build so that my default database is mysql. Thanks in advance. On Thu, Jan 21, 2016 at 6:35 PM, Stian Thorgersen wrote: > Take a look at the hacking on Keycloak documentation that explains about > databases and the testsuite. > > On 21 January 2016 at 14:00, Revanth Ayalasomayajula < > revanth at arvindinternet.com> wrote: > >> Hi, >> >> I am customizing keycloak 1.5.0 according to my preferences and every time >> I build, the database gets changed. Is there any way to protect the already >> existing data?
And also could you give me some pointers on how to change >> the default database to mysql on every build? We want to use a MySql >> database and not an h2 db. >> >> Thanks in advance. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/06eaa1b4/attachment.html From sthorger at redhat.com Thu Jan 21 10:08:49 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 21 Jan 2016 16:08:49 +0100 Subject: [keycloak-user] Database changes on every build. In-Reply-To: References: Message-ID: Hacking on KC docs links to https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md, which links to https://github.com/keycloak/keycloak/blob/master/misc/DatabaseTesting.md On 21 January 2016 at 14:54, Revanth Ayalasomayajula < revanth at arvindinternet.com> wrote: > Hi, > > Thanks for the quick reply. I took a look at hacking on keycloak and in > that, there is testing with mysql but no information on how to change my > default database from h2 to mysql, like what additional things I have to do > when I build so that my default database is mysql. > > Thanks in advance. > > On Thu, Jan 21, 2016 at 6:35 PM, Stian Thorgersen > wrote: > >> Take a look at the hacking on Keycloak documentation that explains about >> databases and the testsuite. >> >> On 21 January 2016 at 14:00, Revanth Ayalasomayajula < >> revanth at arvindinternet.com> wrote: >> >>> Hi, >>> >>> I am customizing keycloak 1.5.0 according to my preferences and every time >>> I build, the database gets changed. Is there any way to protect the already >>> existing data? And also could you give me some pointers on how to change >>> the default database to mysql on every build? We want to use a MySql >>> database and not an h2 db.
>>> >>> Thanks in advance. >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/902108ce/attachment.html From prabhalar at yahoo.com Thu Jan 21 14:23:18 2016 From: prabhalar at yahoo.com (Raghuram Prabhala) Date: Thu, 21 Jan 2016 19:23:18 +0000 (UTC) Subject: [keycloak-user] Realm Certificate from commercial Vendors References: <646083569.7053352.1453404198204.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <646083569.7053352.1453404198204.JavaMail.yahoo@mail.yahoo.com> I have a question about the Certificate/private key which is generated today by Keycloak. But rather than use that certificate, is there any way we can use a commercial Certificate from Vendors like Verisign? When that certificate expires, how do we generate/upload a new certificate (lifecycle) and handle the switch over to a new certificate with minimal impact to any of the clients who will have to download the new certificate and use it when KC starts using the new one? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/11e6a57b/attachment.html From jstrathern at gmail.com Thu Jan 21 17:00:20 2016 From: jstrathern at gmail.com (Joe Strathern) Date: Thu, 21 Jan 2016 15:00:20 -0700 Subject: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario In-Reply-To: References: Message-ID: Stian, thank you for your response. I am using your Wildfly adapter to secure my WAR.
As it is contained in a cluster environment with a load-balancing proxy, I updated my adapter to have the following settings, much like the example provided at http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization : { ... /auth http:/internal-hostname/auth ... } The auth-server-url is still working as expected for the external request, however I am still getting the same 401 error, caused by the mismatching Token audience and Domain when I try to make the hop with my new HTTP request. As I'm using Keycloak 1.7.0.Final currently, I downloaded the source and debugged, looking for a bit more insight as to what may be occurring. I noticed that the URL Keycloak is retrieving to compare against the token is retrieved from the realmInfoUrl variable of the KeyCloakDeployment object. This variable is unaffected by the auth-server-url-for-backend-requests option. (Instead it affects numerous other URL variables stored). Therefore, the realmInfoURL remains http://external-hostname/auth. Then the error occurs as (in this case) the RSATokenVerifier directly compares this Realm URL against the Token Issuer, which differ due to the hostname (external vs internal, as before). Is there an additional configuration, or concept I am missing to correct this workflow? Thanks, Joe On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen wrote: > Assuming you are using our adapters there are two separate urls to > configure: "auth-server-url" is the external > one, auth-server-url-for-backend-requests is the internal one. See > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config > for more details.
> > On 19 January 2016 at 22:20, Joe Strathern wrote: > >> Hello Keycloak Community, >> >> I am looking for some assistance on how to pass a Keycloak bearer token >> in the multi-hop scenario, where the keycloak instance is inside a proxy >> environment, the next hop is within the proxy, and the original request >> came from outside of that environment. >> >> For instance, the original request goes to http://external-hostname/auth, >> where external-hostname is a proxy system. Login is successful, and I >> receive a Bearer Token with Token issuer - >> http://external-hostname/auth/realms/My_Realm. >> >> Now I need to take that token from the HTTP request, and attach it to a >> new request from inside the proxy. I do so, redirecting to >> http://interior-hostname/API, secured by the same Keycloak. Using >> "external-hostname" as host once more is not an option, as we are within >> the proxied environment. However, submitting the hop HTTP request, I am >> met with the error: >> >> *Failed to verify token: org.keycloak.common.VerificationException: Token >> audience doesn't match domain. Token issuer >> is http://external-hostname/auth/realms/My_Realm >> , but URL from configuration >> is http://internal-hostname/auth/realms/My_Realm >> * >> >> The token is rejected (since the hostnames are not the exact same), >> however external-hostname and internal-hostname are the same machine. >> >> Is there a way that Keycloak can identify these hostnames as equivalent >> to accept the token, or another policy that should be followed in this >> situation? >> >> Thanks, >> Joe >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed...
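The issuer check behind the 401 in Joe's report, as an added example in Python rather than the adapter's Java (my code, not Keycloak's): it models realmInfoUrl being built from auth-server-url only, so the token issued at external-hostname is rejected when auth-server-url names internal-hostname, and accepted when auth-server-url stays external while auth-server-url-for-backend-requests carries the internal name. The function names and the unsigned sample token are my constructions; the hostnames, realm name and config keys are the ones from the thread.

```python
"""Added example (not Keycloak's own code): models the realm-URL vs. token-issuer
comparison the thread describes. Tokens are constructed and unsigned so the
example runs offline; a real adapter verifies the RSA signature before
trusting any claim, so nothing here replaces that check."""
import base64
import json
import time


def b64url_decode(segment):
    """Decode a JWT base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims):
    """Build a constructed JWT (alg 'none', empty signature) carrying the claims."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def realm_info_url(adapter_config):
    """Realm URL the adapter compares with the token's 'iss' claim.

    As observed in the thread it is derived from auth-server-url alone;
    auth-server-url-for-backend-requests only affects the adapter's own
    calls to the server and plays no part in this comparison.
    """
    base = adapter_config["auth-server-url"].rstrip("/")
    return f"{base}/realms/{adapter_config['realm']}"


def verify_issuer(token, adapter_config, now=None):
    """Return (ok, reason) after an exact comparison of issuer vs realm URL."""
    try:
        _header, payload_b64, _sig = token.split(".")
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    now = time.time() if now is None else now
    if claims.get("exp", now + 1) <= now:
        return False, "token expired"
    expected = realm_info_url(adapter_config)
    issuer = claims.get("iss")
    if issuer != expected:
        # Exact match on purpose: treating hostnames as "equivalent" would let
        # a token minted under any similar-looking issuer pass the check.
        return False, f"issuer {issuer!r} does not match configured realm URL {expected!r}"
    return True, "issuer matches"


# Constructed sample: the login at the external hostname yields this token.
EXTERNAL_TOKEN = make_unsigned_token({
    "iss": "http://external-hostname/auth/realms/My_Realm",
    "sub": "user-1",
    "exp": 4102444800,  # year 2100, so the sample never expires
})

# Interior service configured with the internal name as auth-server-url:
# this reproduces the mismatch from Joe's first message.
INTERNAL_ONLY = {
    "realm": "My_Realm",
    "auth-server-url": "http://internal-hostname/auth",
}

# Split configuration Stian points to: external name for the issuer check,
# internal name for the adapter's own backend calls.
SPLIT = {
    "realm": "My_Realm",
    "auth-server-url": "http://external-hostname/auth",
    "auth-server-url-for-backend-requests": "http://internal-hostname/auth",
}

if __name__ == "__main__":
    print(verify_issuer(EXTERNAL_TOKEN, INTERNAL_ONLY))  # (False, 'issuer ... does not match ...')
    print(verify_issuer(EXTERNAL_TOKEN, SPLIT))          # (True, 'issuer matches')
```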
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160121/9541a5c4/attachment-0001.html From kalc04 at gmail.com Fri Jan 22 00:45:47 2016 From: kalc04 at gmail.com (Lohitha Chiranjeewa) Date: Fri, 22 Jan 2016 11:15:47 +0530 Subject: [keycloak-user] Is there a REST Admin API to initiate the Reset Password flow? Message-ID: Hi, There are a few clients of ours who use the Direct Grants API to authenticate their users. A requirement has come up to provide the Reset Password flow to those clients. From what I've checked and gathered, there's no REST API to initiate this flow (sending the Keycloak password reset email + resetting the password through the UI); the only way to do it is through the browser. If it's actually there somewhere, can someone point me to it? Regards, Lohitha. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160122/995661fa/attachment.html From jayblanc at gmail.com Fri Jan 22 04:27:17 2016 From: jayblanc at gmail.com (Jérôme Blanchard) Date: Fri, 22 Jan 2016 09:27:17 +0000 Subject: [keycloak-user] Problem using SAML IdP In-Reply-To: References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> <5697AF67.50008@redhat.com> Message-ID: Hi Bill, all, I succeeded in authenticating via the shibboleth federation using the SAML IdP, but I encountered a problem. One SAML attribute of our authentication response is not of type String but a full NameID type (eduPersonTargetedID) and makes the authentication crash because of class BaseWriter, which is not able to serialize an attribute which is not a String (line 176). If I avoid this test, authentication works well using the UsernameTemplateMapper. By the way, it does not solve the whole problem.
The provider user id and the provider user name store the saml auth response nameid (and not an attribute), which makes it impossible for the next IdP SAML session to use the same keycloak account because of a change of this transient nameid... Actually, I don't see another solution than rewriting another Identity Provider based on Shibboleth attributes as a fork of the SAML provider but including. It will also allow me to include the Shibboleth Discovery Service directly in keycloak instead of providing another webapp to ensure the federation idps synchronization by periodically parsing the WAYF file. I will also provide a small patch for the BaseWriter in order to allow serialization of complex-type attributes, except if you have in mind to do so... Best regards, Jérôme. On Thu. 14 Jan. 2016 at 15:37, Jérôme Blanchard wrote: > Thanks for your answer. > In fact Shibboleth supports other saml nameids but in the renater > federation, it only contains transient nameids. Here is a part of their doc > (sorry it's in French): > Using opaque user identifiers > > See the description of eduPersonTargetedID > > > Your application may need to handle user identifiers whose value is stable > from one session to the next; for example to manage user preferences. > However, for personal data protection reasons, identity providers cannot > send you the users' identifiers. In that case, you can ask the identity > providers to give you stable but opaque identifiers, called > *eduPersonTargetedID*. > > You will need to configure the *AAP.xml* file of your Shibboleth service > provider as shown below: > > > > > > > > The attribute will be available to the application in the HTTP header > *HTTP_SHIB_TARGETEDID* (with Shibboleth 1.3). The format of the > eduPersonTargetedID is as follows: IdP_identifier*!*SP_identifier*!*user_identifier > > > > According to their doc, nameids are session-based and not user-based, so if > you want a stable identifier, you have to ask for the eduPersonTargetedID > attribute !! > I'm going to have a look at UsernameTemplateMapper. > Thanks again, Jérôme. > > On Thu. 14 Jan. 2016 at 15:23, Bill Burke wrote: > >> Shibboleth only supports transient name ids? I find that hard to >> believe. Remember Keycloak would just look like any other client. IMO you >> should go that route. >> >> Also though, I think you might be able to write a Broker Mapper, take a >> look at UsernameTemplateMapper. This SPI is undocumented and unsupported >> at the moment, but I hope to change that soon. >> >> >> On 1/14/2016 6:20 AM, Jérôme Blanchard wrote: >> >> Hi all, >> >> According to the shibboleth specification, IdPs of a federation usually use >> transient NameIDs, which makes Shibboleth impossible to interface with >> keycloak, even if we manage the Discovery Service externally in order to >> maintain the IdP list mapping between the federation and keycloak. >> It's really annoying for me and I'm trying to investigate a way to solve >> this problem. >> In my federation, some docs say that if you need to manage personal user >> information in your application, you have to rely on a dedicated attribute >> in order to retrieve the real user id and not the transient opaque one. In this >> case, an attribute called eduPersonTargetedID exists and can be used by >> shibboleth. >> I am trying to patch the saml broker in order to take into consideration >> this attribute in a kind of attributeToNameIdMapper but I have to admit >> that I'm a bit lost in the code. >> Do you think this approach is good? >> >> Best regards, Jérôme. >> >> >> On Wed. 6 Jan. 2016 at 09:31, Jérôme Blanchard >> wrote: >> >>> Hi Bill, all, >>> >>> In the case of a transient-only nameid, would it be possible to create a >>> dedicated attribute mapper in order to use, for example, the email attribute >>> as name identifier? >>> >>> PS: the urn:mace:shibboleth:1.0:nameIdentifier is in fact used in SAML >>> v1 to request a nameid that is transient also... so there is no solution >>> in this way. >>> >>> Best regards, Jérôme. >>> >>> On Tue. 5 Jan. 2016 at 16:13, Bill Burke wrote: >>> >>>> We won't be able to support temporary ids (transient) for a while as it >>>> requires temporary user creation which requires some rearchitecting. >>>> >>>> As for "urn:mace:shibboleth:1.0:nameIdentifier" if you spec it out in a >>>> JIRA and it is simple enough to implement support for, we may be able to >>>> get it in. >>>> >>>> On 1/5/2016 8:18 AM, Jérôme Blanchard wrote: >>>> > Hi Bill, >>>> > >>>> > Thanks for your answer regarding transient and temporary ids. I >>>> > understand the problem due to keycloak account creation and binding to >>>> > the IdP. >>>> > Renater is using Shibboleth; is there any work on shibboleth >>>> > integration for keycloak? >>>> > If I look into the idps entities descriptors of renater, I found that >>>> it >>>> > also uses another nameid format based on the shibboleth namespace: >>>> > >>>> urn:mace:shibboleth:1.0:nameIdentifier >>>> > >>>> urn:oasis:names:tc:SAML:2.0:nameid-format:transient >>>> > >>>> > Do you think it is possible to patch the saml idp provider (or to >>>> create >>>> > another one dedicated to shibboleth) in order to integrate keycloak to >>>> > our identity federation (renater)? >>>> > >>>> > Best wishes for this upcoming year and thanks for your great work >>>> > around keycloak. >>>> > >>>> > Jérôme. >>>> > >>>> > >>>> > On Tue. 22 Dec. 2015 at 21:10, Bill Burke wrote: >>>> > >>>> > Our brokering doesn't support temporary user ids from the >>>> "parent" IDP.
>>>> > Transient Ids in SAML or temporary ids. >>>> > >>>> > On 12/22/2015 11:46 AM, Jérôme Blanchard wrote: >>>> > > Hi, >>>> > > >>>> > > I'm trying to integrate keycloak into the French research >>>> > federation >>>> > > of identity (renater) and I'm facing some problems. >>>> > > Actually, when the IdP responds to keycloak I'm getting the >>>> following >>>> > error: >>>> > > PL00084: Writer: Unsupported Attribute >>>> > > Value:org.keycloak.dom.saml.v2.assertion.NameIDType >>>> > > >>>> > > It seems that this IdP is using the transient NameID policy only >>>> and >>>> > using >>>> > > the unspecified field in the idp config in keycloak generates >>>> this >>>> > > exception as a return. >>>> > > >>>> > > Log of the keycloak server is joined. >>>> > > >>>> > > I have no idea of what is happening because when I was using the >>>> test >>>> > > federation, everything was working but now I'm in the production >>>> > > federation, login fails. >>>> > > >>>> > > The renater federation is using Shibboleth and keycloak is not >>>> > supported >>>> > > by federation moderators so I'm alone in the dark now... >>>> > > >>>> > > Renater provides an IdP list that I have to parse and >>>> > synchronize with >>>> > > IdP in keycloak. As a return I provide a list of all endpoints >>>> > for each >>>> > > keycloak registered IdP to allow federation IdP to answer >>>> > correctly to >>>> > > the right endpoint. All of this is done by a small web app >>>> deployed >>>> > > aside keycloak and using REST API to synchronize all the IdP. >>>> > > >>>> > > One of the IdP entity descriptors is joined.
As you can see, >>>> only >>>> > > transient nameid policy is supported and if I configure >>>> keycloak >>>> > to use >>>> > > email or persistent, I received a response saying that the >>>> nameid >>>> > is not >>>> > > supported: >>>> > > >>>> > > >>> > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >>>> > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" >>>> > > >>>> > AssertionConsumerServiceURL=" >>>> https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint >>>> " >>>> > > Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" >>>> > > ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" >>>> > > IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z" >>>> > > >>>> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" >>>> > > Version="2.0">>>> > > >>>> > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> >>>> https://demo-auth.ortolang.fr/auth/realms/ortolang >>>> >>> > > AllowCreate="true" >>>> > > >>>> > >>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/> >>>> > > >>>> > > >>>> > > >>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" >>>> > > >>>> > Destination=" >>>> https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint >>>> " >>>> > > ID="_9d03761957aade819b6823c35bbab278" >>>> > > InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" >>>> > > IssueInstant="2015-12-22T16:13:16.420Z" >>>> Version="2.0">>>> > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >>>> > > >>>> > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> >>>> https://janus.cnrs.fr/idp >>>> >>> > > >>>> > >>>> Value="urn:oasis:names:tc:SAML:2.0:status:Responder">>>> > > >>>> > >>>> Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>Required >>>> > > NameID format not >>>> > > >>>> supported >>>> > > >>>> > > Any help would be gracefully appreciated. >>>> > > >>>> > > Thanks a lot, Jérôme.
>>>> > > >>>> > > >>>> > > >>>> > > _______________________________________________ >>>> > > keycloak-user mailing list >>>> > > keycloak-user at lists.jboss.org >>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > > >>>> > >>>> > -- >>>> > Bill Burke >>>> > JBoss, a division of Red Hat >>>> > http://bill.burkecentral.com >>>> > _______________________________________________ >>>> > keycloak-user mailing list >>>> > keycloak-user at lists.jboss.org >>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > >>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> >>> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160122/1afa7848/attachment-0001.html From thorsten315 at gmx.de Fri Jan 22 06:53:32 2016 From: thorsten315 at gmx.de (Thorsten) Date: Fri, 22 Jan 2016 12:53:32 +0100 Subject: [keycloak-user] Keycloak 1.8.0.CR2 Released In-Reply-To: References: Message-ID: Just ran into an issue starting up a fresh install of 1.8.0.CR2 on a new mysql db.
Got this exception at first startup:

11:45:47,034 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 49) Load config from /opt/keycloak-1.8.0.CR2/standalone/configuration/keycloak-server.json
11:45:50,881 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 49) Initializing database schema
11:45:55,265 WARN [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 49) Database does not support drop with cascade
11:45:55,285 WARN [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 49) Database does not support drop with cascade
11:46:00,630 ERROR [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 49) Change Set META-INF/jpa-changelog-1.8.0.xml::1.8.0-2::keycloak failed. Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''HmacSHA1'' at line 1 [Failed SQL: UPDATE keycloak.CREDENTIAL SET ALGORITHM = 'pbkdf2' WHERE TYPE in ('password-history', 'password') AND ALGORITHM is 'HmacSHA1']: liquibase.exception.DatabaseException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''HmacSHA1'' at line 1 [Failed SQL: UPDATE keycloak.CREDENTIAL SET ALGORITHM = 'pbkdf2' WHERE TYPE in ('password-history', 'password') AND ALGORITHM is 'HmacSHA1']
        ... (stack frames omitted)
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''HmacSHA1'' at line 1
        ... (stack frames omitted)

11:46:00,652 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 49) Failed to migrate datamodel: java.lang.RuntimeException: Failed to update database
        ... (stack frames omitted)
Caused by: liquibase.exception.MigrationFailedException: Migration failed for change set META-INF/jpa-changelog-1.8.0.xml::1.8.0-2::keycloak: Reason: liquibase.exception.DatabaseException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''HmacSHA1'' at line 1 [Failed SQL: UPDATE keycloak.CREDENTIAL SET ALGORITHM = 'pbkdf2' WHERE TYPE in ('password-history', 'password') AND ALGORITHM is 'HmacSHA1']
Caused by: liquibase.exception.DatabaseException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''HmacSHA1'' at line 1 [Failed SQL: UPDATE keycloak.CREDENTIAL SET ALGORITHM = 'pbkdf2' WHERE TYPE in ('password-history', 'password') AND ALGORITHM is 'HmacSHA1']
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''HmacSHA1'' at line 1
        ... (stack frames omitted)
11:46:00,774 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 49) HHH000204: Processing PersistenceUnitInfo [
        name: keycloak-default
        ...]

Seems that other tables are being created just fine.

Thanks, Thorsten

2016-01-21 12:00 GMT+01:00 Stian Thorgersen :
> We had a few issues reported against 1.8.0.CR1, so we're doing another CR
> release with the fixes. If everything is OK, 1.8.0.Final will be released
> next week.
>
> There was also a feature that sneaked in. We now support sign-on with
> Microsoft Live.
>
> For the full list of issues resolved check out JIRA and to download the
> release go to the Keycloak homepage .

From sthorger at redhat.com Fri Jan 22 07:02:11 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 22 Jan 2016 13:02:11 +0100
Subject: [keycloak-user] Keycloak 1.8.0.CR2 Released
In-Reply-To: References: Message-ID:

Should be fixed in master now. Apparently I'd temporarily forgotten how to write SQL statements

On 22 January 2016 at 12:53, Thorsten wrote:
> Just ran into an issue starting up a fresh install 1.8.0.CR2 on a new
> mysql db. Got this exception at first startup:
>
> [...]
>
> Seems that other tables are being created just fine.
>
> Thanks, Thorsten

From sthorger at redhat.com Fri Jan 22 08:19:24 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 22 Jan 2016 14:19:24 +0100
Subject: [keycloak-user] Keycloak 1.8.0.CR3 Released
Message-ID:

A few more fixes, hopefully this will be the last CR and we can release Final next week.

For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage .
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160122/37a5784e/attachment.html

From bburke at redhat.com Fri Jan 22 08:56:41 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 22 Jan 2016 08:56:41 -0500
Subject: [keycloak-user] Problem using SAML IdP
In-Reply-To:
References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> <5697AF67.50008@redhat.com>
Message-ID: <56A23519.5010100@redhat.com>

Can you spell out exactly what you need here as I'm not understanding.

You need to support a complex attribute type? Is that it?

On 1/22/2016 4:27 AM, Jérôme Blanchard wrote:
> Hi Bill, all,
>
> I succeeded in authenticating via the Shibboleth federation using the SAML IdP, but I encounter a problem.
> One SAML attribute of our authentication response is not of type String but a full NameID type (eduPersonTargetId), and it makes the authentication crash because of class BaseWriter, which is not able to serialize an attribute that is not a String (line 176).
> If I avoid this test, authentication works well using the UsernameTemplateMapper.
> By the way, it does not solve the whole problem. The provider user id and the provider user name store the SAML auth response NameID (and not an attribute), which makes it impossible for the next IdP SAML session to use the same Keycloak account because of a change of this transient NameID...
> Actually, I don't see another solution than rewriting another Identity Provider based on Shibboleth attributes as a fork of the SAML provider but including.
> It will also allow me to include the Shibboleth Discovery Service directly in Keycloak instead of providing another webapp to ensure the federation IdPs synchronization by periodically parsing the WAYF file.
> I will also provide a small patch for the BaseWriter in order to allow serialization of complex-type attributes, unless you have in mind to do so...
>
> Best regards, Jérôme.
>
> On Thu, 14 Jan 2016 at 15:37, Jérôme Blanchard wrote:
>
> Thanks for your answer.
> In fact Shibboleth supports other SAML NameIDs, but in the Renater federation it only contains transient NameIDs. Here is a part of their doc (sorry it's in French):
>
> Using opaque user identifiers
>
> See the description of eduPersonTargetedID
>
> Your application may need to handle user identifiers whose value is stable from one session to the next, for example to manage user preferences. However, for personal data protection reasons, identity providers cannot pass you the users' identifiers. In that case, you can ask the identity providers to send you stable but opaque identifiers, called *eduPersonTargetedID*.
>
> You will need to configure the /AAP.xml/ file of your Shibboleth service provider as shown below:
>
>
> The attribute will be available to the application in the HTTP header *HTTP_SHIB_TARGETEDID* (with Shibboleth 1.3). The format of the eduPersonTargetedID is:
> IdP_identifier*!*SP_identifier*!*user_identifier
>
> According to their doc, NameIDs are session-based and not user-based, so if you want a stable identifier you have to ask for the eduPersonTargetedID attribute!!
>
> I'm going to have a look at UsernameTemplateMapper.
> Thanks again, Jérôme.
>
> On Thu, 14 Jan 2016 at 15:23, Bill Burke wrote:
>
> Shibboleth only supports transient name ids? I find that hard to believe. Remember Keycloak would just look like any other client. IMO you should go that route.
>
> Also though, I think you might be able to write a Broker Mapper, take a look at UsernameTemplateMapper. This SPI is undocumented and unsupported at the moment, but I hope to change that soon.
> > > On 1/14/2016 6:20 AM, J?r?me Blanchard wrote: >> Hi all, >> >> According to shibboleth specification, IdP of a federation >> usually use transient NameID which makes Shibboleth >> impossible to interface with keycloak, even if we manage the >> Discovery Service externally in order to maintain IdP list >> mapping between federation and keycloak. >> It's really annoying for me and I'm trying to investigate a >> way to solve this problem. >> In my federation, some doc say that if you need to manage >> personnal user information in your application, you have to >> rely on a dedicated attribute in order to retreive real user >> id and not the transient opaque one. In this case, an >> attribute called eduPersoneTargetedId exists and can be use >> by shibboleth. >> I am trying to patch the saml broker in order to take into >> consideration this attribute in a kind of >> attributeToNameIdMapper but I have to admit that I'm lost a >> bit in the code. >> Do you think this approach is good ? >> >> Best regards, J?r?me. >> >> >> Le mer. 6 janv. 2016 ? 09:31, J?r?me Blanchard >> > a ?crit : >> >> Hi Bill, all, >> >> In the case of a transient only nameid, would it be >> possible to create a dedicated attribute mapper in order >> to use for exemple the email attribute as name identifier ? >> >> PS : the urn:mace:shibboleth:1.0:nameIdentifier is in >> fact use in SAML v1 for request a nameid that is >> transient also... so there is no solution in this way. >> >> Best regards, J?r?me. >> >> Le mar. 5 janv. 2016 ? 16:13, Bill Burke >> > a ?crit : >> >> We won't be able to support temporary ids (transient) >> for awhile as it >> requires temporary user creation which requires some >> rearchitecting. >> >> As for "urn:mace:shibboleth:1.0:nameIdentifier" if >> you spec it out in a >> JIRA and it is simple enough to implement support >> for, we may be able to >> get it in. 
>> >> On 1/5/2016 8:18 AM, J?r?me Blanchard wrote: >> > Hi Bill, >> > >> > Thanks for your answer regarding transient and >> temporary ids. I >> > understand the problem due to keycloak account >> creation and binding to >> > the IdP. >> > Renarter is using Shibboleth ; Is there is any work >> on shibboleth >> > integration for keycloak ? >> > If I look into the idps entities descriptors of >> renater, I found that it >> > uses also another nameid format based on shibboleth >> namesapce : >> > >> urn:mace:shibboleth:1.0:nameIdentifier >> > >> urn:oasis:names:tc:SAML:2.0:nameid-format:transient >> > >> > Do you think it is possible to patch the saml idp >> provider (or to create >> > another one dedicated to shibboleth) in order to >> integrate keycloak to >> > our identity federation (renater) ? >> > >> > Best whiches for this upcoming year and thanks for >> your great work >> > around keycloak. >> > >> > J?r?me. >> > >> > >> > Le mar. 22 d?c. 2015 ? 21:10, Bill Burke >> >> > > >> a ?crit : >> > >> > Our brokering doesn't support temporary user >> ids from the "parent" IDP. >> > Transient Ids in SAML or temporary ids. >> > >> > On 12/22/2015 11:46 AM, J?r?me Blanchard wrote: >> > > Hi, >> > > >> > > I'm trying to integrate keycloak into a the >> french research >> > federation >> > > of identity (renater) and I'm facing some >> problems. >> > > Actually, when IdP respond to keycloak i'm >> getting the following >> > error : >> > > PL00084: Writer: Unsupported Attribute >> > > >> Value:org.keycloak.dom.saml.v2.assertion.NameIDType >> > > >> > > It seems that this IdP is using transient >> NameID policy only and >> > using >> > > the unspecified field in the idp config in >> keycloak generate this >> > > exception as a return. >> > > >> > > Log of the keycloak server is joined. >> > > >> > > I have no idea of what happening because >> when I was using the test >> > > federation, everything was working but no >> I'm in the production >> > > federation, login fails. 
>> > > >> > > The renater federation is using Shibolleth >> and keycloak is not >> > supported >> > > by federation moderators so I'm alone in the >> dark now... >> > > >> > > Renater provides an IdP list that I have to >> parse and >> > synchronized with >> > > IdP in keycloak. As a return I provide a >> list of all endpoints >> > for each >> > > keycloak registered IdP to allow federation >> IdP to answear >> > correctly to >> > > the right endpoint. All of this is done by a >> small web app deployed >> > > aside keycloak and using REST API to >> synchronize all the IdP. >> > > >> > > One of the IdP entity descriptor is joined. >> As you can see, only >> > > transient nameid policy is supported and if >> I configure keycloak >> > to use >> > > email or persistent, I received a response >> saying that the nameid >> > is not >> > > supported : >> > > >> > > > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >> > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" >> > > >> > >> AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" >> > > >> Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" >> > > ForceAuthn="false" >> ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" >> > > IsPassive="false" >> IssueInstant="2015-12-22T16:13:15.987Z" >> > > >> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" >> > > Version="2.0">> > > >> > >> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang> > > AllowCreate="true" >> > > >> > >> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/> >> > > >> > > >> > > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" >> > > >> > >> Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint" >> > > ID="_9d03761957aade819b6823c35bbab278" >> > > >> InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" >> > > 
IssueInstant="2015-12-22T16:13:16.420Z" >> Version="2.0">> > > >> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >> > > >> > >> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp> > > >> > >> Value="urn:oasis:names:tc:SAML:2.0:status:Responder">> > > >> > >> Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>Required >> > > NameID format not >> > > >> supported >> > > >> > > >> > > Any help would be gracefully appreciated. >> > > >> > > Thanks a lot, J?r?me. >> > > >> > > >> > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> >> > > >> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > >> > -- >> > Bill Burke >> > JBoss, a division of Red Hat >> > http://bill.burkecentral.com >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> >> > > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160122/60fa519b/attachment-0001.html From glaissard at axway.com Fri Jan 22 10:06:13 2016 From: glaissard at axway.com (Gerard Laissard) Date: Fri, 22 Jan 2016 15:06:13 +0000 Subject: [keycloak-user] User attributes Message-ID: <4AC8C602867B3A4CB6F9F6BA4528DEE477B3D047@WPHXMAIL1.phx.axway.int> With keycloak 1.8.0 RC1, I'm using user federation (Active directory) for users: the active directory is in Read Only mode. I can assign roles to user. I can retrieve user federation attributes I need. I can assign roles and attributes at group level. 
To some users, I would like to add attributes not in the Active Directory. But it fails: 'Error! User is Read Only!'.

Is there a way to specify user attributes in such a case: 'user federation is read only'?

Thanks
Gerard

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160122/901bbf32/attachment.html

From jayblanc at gmail.com Fri Jan 22 11:00:28 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Fri, 22 Jan 2016 16:00:28 +0000
Subject: [keycloak-user] Problem using SAML IdP
In-Reply-To: <56A23519.5010100@redhat.com>
References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> <5697AF67.50008@redhat.com> <56A23519.5010100@redhat.com>
Message-ID:

Yes exactly.
But I also need to use this complex type attribute in the Endpoint.handleLoginResponse as the subjectNameID in order to avoid using the provided transient NameID; something like:

    protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder holder, ResponseType responseType, String relayState) {
        try {
            AssertionType assertion = AssertionUtil.getAssertion(responseType, realm.getPrivateKey());
            SubjectType subject = assertion.getSubject();
            SubjectType.STSubType subType = subject.getSubType();
            NameIDType subjectNameID = (NameIDType) subType.getBaseID();
            //Map notes = new HashMap<>();
            // Only look for a stable attribute when the IdP handed us a transient NameID
            if (subjectNameID.getFormat() != null
                    && subjectNameID.getFormat().toString().equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
                if (assertion.getAttributeStatements() != null) {
                    for (AttributeStatementType attrStatement : assertion.getAttributeStatements()) {
                        for (AttributeStatementType.ASTChoiceType choice : attrStatement.getAttributes()) {
                            AttributeType attribute = choice.getAttribute();
                            // FriendlyName is optional in SAML, so compare with the literal on the left
                            // to avoid a NullPointerException when it is absent;
                            // urn:oid:1.3.6.1.4.1.5923.1.1.1.10 is the registered OID of eduPersonTargetedID
                            if ("eduPersonTargetID".equals(attribute.getFriendlyName())
                                    || "urn:oid:1.3.6.1.4.1.5923.1.1.1.10".equals(attribute.getName())) {
                                if (!attribute.getAttributeValue().isEmpty()) {
                                    //TODO Use NameId of this attribute to replace subjectNameID
                                }
                            }
                        }
                    }
                    (...)
                }
            }

Do you think I need to patch this class to allow this, or do you think there is a way of integrating this into Keycloak, considering the Shibboleth federation use case?

Best regards, Jérôme.

On Fri, 22 Jan 2016 at 14:56, Bill Burke wrote:
> Can you spell out exactly what you need here as I'm not understanding.
>
> You need to support a complex attribute type? Is that it?
>
>
> On 1/22/2016 4:27 AM, Jérôme Blanchard wrote:
>
> Hi Bill, all,
>
> I succeeded in authenticating via the Shibboleth federation using the SAML IdP, but I encounter a problem.
> One SAML attribute of our authentication response is not of type String but a full NameID type (eduPersonTargetId), and it makes the authentication crash because of class BaseWriter, which is not able to serialize an attribute that is not a String (line 176).
> If I avoid this test, authentication works well using the UsernameTemplateMapper.
> By the way, it does not solve the whole problem. The provider user id and the provider user name store the SAML auth response NameID (and not an attribute), which makes it impossible for the next IdP SAML session to use the same Keycloak account because of a change of this transient NameID...
> Actually, I don't see another solution than rewriting another Identity Provider based on Shibboleth attributes as a fork of the SAML provider but including.
> It will also allow me to include the Shibboleth Discovery Service directly in Keycloak instead of providing another webapp to ensure the federation IdPs synchronization by periodically parsing the WAYF file.
> I will also provide a small patch for the BaseWriter in order to allow serialization of complex-type attributes, unless you have in mind to do so...
>
> Best regards, Jérôme.
>
> On Thu, 14 Jan 2016 at 15:37, Jérôme Blanchard wrote:
>
>> Thanks for your answer.
>> In fact Shibboleth supports others saml nameid but in the renater >> federation, it only contains transient nameid. Here is a part of their doc >> (sorry it's in french) : >> Utilisation des identifiants utilisateur opaques >> >> Voir la description du eduPersonTargetedID >> >> >> Votre application a peut-?tre besoin de manipuler de identifiants >> utilisateur, dont la valeur est stable d'une session ? l'autre ; par >> exemple pour g?rer les pr?f?rences utilisateur. Or, pour des raisons de >> protection des donn?es personnelles, les fournisseurs d'identit?s ne >> peuvent vous transmettre les identifiants des utilisateurs. Dans ce cas, >> vous pouvez demander aux fournisseurs d'identit?s de vous communiquer des >> identifiants stables mais opaques, appel?s *eduPersonTargetedID*. >> >> Vous devrez configurer le fichier *AAP.xml* de votre fournisseur de >> services Shibboleth comme indiqu? ci-dessous : >> >> >> >> >> >> >> >> L'attribut sera accessible pour l'application dans l'en-t?te HTTP >> *HTTP_SHIB_TARGETEDID* (avec Shibboleth 1.3). Le format du >> eduPersonTargetedID est le suivant : identifiant_IdP*!*identifiant_SP*!*identifiant_utilisateur >> >> >> >> According to their doc, nameid are session based and not user based so if >> you want stable identifier, you have to ask for eduPersonTargetedID >> attribute !! >> I'm going to have a look at UsernameTemplateMapper. >> Thanks again, J?r?me. >> >> Le jeu. 14 janv. 2016 ? 15:23, Bill Burke a ?crit : >> >>> Shibboleth only supports transient name ids? I find that hard to >>> believe. Remember Keycloak would just look like any other client. IMO you >>> should go that route. >>> >>> Also though, I think you might be able to write a Broker Mapper, take a >>> look at UsernameTemplateMapper. This SPI is undocumented and unsupported >>> at the moment, but I hope to change that soon. 
>>> >>> >>> On 1/14/2016 6:20 AM, J?r?me Blanchard wrote: >>> >>> Hi all, >>> >>> According to shibboleth specification, IdP of a federation usually use >>> transient NameID which makes Shibboleth impossible to interface with >>> keycloak, even if we manage the Discovery Service externally in order to >>> maintain IdP list mapping between federation and keycloak. >>> It's really annoying for me and I'm trying to investigate a way to solve >>> this problem. >>> In my federation, some doc say that if you need to manage personnal user >>> information in your application, you have to rely on a dedicated attribute >>> in order to retreive real user id and not the transient opaque one. In this >>> case, an attribute called eduPersoneTargetedId exists and can be use by >>> shibboleth. >>> I am trying to patch the saml broker in order to take into consideration >>> this attribute in a kind of attributeToNameIdMapper but I have to admit >>> that I'm lost a bit in the code. >>> Do you think this approach is good ? >>> >>> Best regards, J?r?me. >>> >>> >>> Le mer. 6 janv. 2016 ? 09:31, J?r?me Blanchard a >>> ?crit : >>> >>>> Hi Bill, all, >>>> >>>> In the case of a transient only nameid, would it be possible to create >>>> a dedicated attribute mapper in order to use for exemple the email >>>> attribute as name identifier ? >>>> >>>> PS : the urn:mace:shibboleth:1.0:nameIdentifier is in fact use in SAML >>>> v1 for request a nameid that is transient also... so there is no solution >>>> in this way. >>>> >>>> Best regards, J?r?me. >>>> >>>> Le mar. 5 janv. 2016 ? 16:13, Bill Burke a ?crit : >>>> >>>>> We won't be able to support temporary ids (transient) for awhile as it >>>>> requires temporary user creation which requires some rearchitecting. >>>>> >>>>> As for "urn:mace:shibboleth:1.0:nameIdentifier" if you spec it out in a >>>>> JIRA and it is simple enough to implement support for, we may be able >>>>> to >>>>> get it in. 
>>>>> >>>>> On 1/5/2016 8:18 AM, J?r?me Blanchard wrote: >>>>> > Hi Bill, >>>>> > >>>>> > Thanks for your answer regarding transient and temporary ids. I >>>>> > understand the problem due to keycloak account creation and binding >>>>> to >>>>> > the IdP. >>>>> > Renarter is using Shibboleth ; Is there is any work on shibboleth >>>>> > integration for keycloak ? >>>>> > If I look into the idps entities descriptors of renater, I found >>>>> that it >>>>> > uses also another nameid format based on shibboleth namesapce : >>>>> > >>>>> urn:mace:shibboleth:1.0:nameIdentifier >>>>> > >>>>> urn:oasis:names:tc:SAML:2.0:nameid-format:transient >>>>> > >>>>> > Do you think it is possible to patch the saml idp provider (or to >>>>> create >>>>> > another one dedicated to shibboleth) in order to integrate keycloak >>>>> to >>>>> > our identity federation (renater) ? >>>>> > >>>>> > Best whiches for this upcoming year and thanks for your great work >>>>> > around keycloak. >>>>> > >>>>> > J?r?me. >>>>> > >>>>> > >>>>> > Le mar. 22 d?c. 2015 ? 21:10, Bill Burke >>>> > > a ?crit : >>>>> > >>>>> > Our brokering doesn't support temporary user ids from the >>>>> "parent" IDP. >>>>> > Transient Ids in SAML or temporary ids. >>>>> > >>>>> > On 12/22/2015 11:46 AM, J?r?me Blanchard wrote: >>>>> > > Hi, >>>>> > > >>>>> > > I'm trying to integrate keycloak into a the french research >>>>> > federation >>>>> > > of identity (renater) and I'm facing some problems. >>>>> > > Actually, when IdP respond to keycloak i'm getting the >>>>> following >>>>> > error : >>>>> > > PL00084: Writer: Unsupported Attribute >>>>> > > Value:org.keycloak.dom.saml.v2.assertion.NameIDType >>>>> > > >>>>> > > It seems that this IdP is using transient NameID policy only >>>>> and >>>>> > using >>>>> > > the unspecified field in the idp config in keycloak generate >>>>> this >>>>> > > exception as a return. >>>>> > > >>>>> > > Log of the keycloak server is joined. 
>>>>> > > >>>>> > > I have no idea of what happening because when I was using the >>>>> test >>>>> > > federation, everything was working but no I'm in the >>>>> production >>>>> > > federation, login fails. >>>>> > > >>>>> > > The renater federation is using Shibolleth and keycloak is not >>>>> > supported >>>>> > > by federation moderators so I'm alone in the dark now... >>>>> > > >>>>> > > Renater provides an IdP list that I have to parse and >>>>> > synchronized with >>>>> > > IdP in keycloak. As a return I provide a list of all endpoints >>>>> > for each >>>>> > > keycloak registered IdP to allow federation IdP to answear >>>>> > correctly to >>>>> > > the right endpoint. All of this is done by a small web app >>>>> deployed >>>>> > > aside keycloak and using REST API to synchronize all the IdP. >>>>> > > >>>>> > > One of the IdP entity descriptor is joined. As you can see, >>>>> only >>>>> > > transient nameid policy is supported and if I configure >>>>> keycloak >>>>> > to use >>>>> > > email or persistent, I received a response saying that the >>>>> nameid >>>>> > is not >>>>> > > supported : >>>>> > > >>>>> > > >>>> > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >>>>> > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion" >>>>> > > >>>>> > AssertionConsumerServiceURL=" >>>>> >>>>> https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint >>>>> " >>>>> > > Destination=" >>>>> >>>>> https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO" >>>>> > > ForceAuthn="false" >>>>> ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" >>>>> > > IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z" >>>>> > > >>>>> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" >>>>> > > Version="2.0">>>>> > > >>>>> > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> >>>>> >>>>> https://demo-auth.ortolang.fr/auth/realms/ortolang >>>>> >>>> > > AllowCreate="true" >>>>> > > >>>>> > >>>>> 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/> >>>>> > > >>>>> > > >>>>> > > >>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" >>>>> > > >>>>> > Destination=" >>>>> >>>>> https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint >>>>> " >>>>> > > ID="_9d03761957aade819b6823c35bbab278" >>>>> > > InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d" >>>>> > > IssueInstant="2015-12-22T16:13:16.420Z" >>>>> Version="2.0">>>>> > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" >>>>> > > >>>>> > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> >>>>> https://janus.cnrs.fr/idp >>>>> >>>> > > >>>>> > >>>>> Value="urn:oasis:names:tc:SAML:2.0:status:Responder">>>>> > > >>>>> > >>>>> Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>Required >>>>> > > NameID format not >>>>> > > >>>>> supported >>>>> > > >>>>> > > >>>>> > > Any help would be gracefully appreciated. >>>>> > > >>>>> > > Thanks a lot, J?r?me. 
>>>>> > >
>>>>> > > _______________________________________________
>>>>> > > keycloak-user mailing list
>>>>> > > keycloak-user at lists.jboss.org
>>>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> > >
>>>>> >
>>>>> > --
>>>>> > Bill Burke
>>>>> > JBoss, a division of Red Hat
>>>>> > http://bill.burkecentral.com
>>>>> > _______________________________________________
>>>>> > keycloak-user mailing list
>>>>> > keycloak-user at lists.jboss.org
>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> >
>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>>
>>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160122/d4104df6/attachment-0001.html

From bburke at redhat.com Fri Jan 22 11:06:29 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 22 Jan 2016 11:06:29 -0500
Subject: [keycloak-user] Problem using SAML IdP
In-Reply-To:
References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> <5697AF67.50008@redhat.com> <56A23519.5010100@redhat.com>
Message-ID: <56A25385.30502@redhat.com>

Can you show me the actual crash? Stack trace?

If the attribute is parsed correctly, you should be able to write a UsernameMapper to handle everything no?

On 1/22/2016 11:00 AM, Jérôme Blanchard wrote:
> Yes exactly.
> But I also need to use this complex type attribute in the Endpoint.handleLoginResponse as the subjectNameID in order to avoid using the provided transient NameID; something like:
>
>     protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder holder, ResponseType responseType, String relayState) {
>         try {
>             AssertionType assertion = AssertionUtil.getAssertion(responseType, realm.getPrivateKey());
>             SubjectType subject = assertion.getSubject();
>             SubjectType.STSubType subType = subject.getSubType();
>             NameIDType subjectNameID = (NameIDType) subType.getBaseID();
>             //Map notes = new HashMap<>();
>             if (subjectNameID.getFormat() != null
>                     && subjectNameID.getFormat().toString().equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
>                 if (assertion.getAttributeStatements() != null) {
>                     for (AttributeStatementType attrStatement : assertion.getAttributeStatements()) {
>                         for (AttributeStatementType.ASTChoiceType choice : attrStatement.getAttributes()) {
>                             AttributeType attribute = choice.getAttribute();
>                             if (attribute.getFriendlyName().equals("eduPersonTargetID")
>                                     || attribute.getName().equals("urn:oid:1.3.6.1.4.1.5923.1.1.1.10")) {
>                                 if (!attribute.getAttributeValue().isEmpty()) {
>                                     //TODO Use NameId of this attribute to replace subjectNameID
>                                 }
>                             }
>                         }
>                     }
>                     (...)
>                 }
>             }
>
> Do you think I need to patch this class to allow this, or do you think there is a way of integrating this into Keycloak, considering the Shibboleth federation use case?
>
> Best regards, Jérôme.
>
>
>
> On Fri, 22 Jan 2016 at 14:56, Bill Burke wrote:
>
> Can you spell out exactly what you need here as I'm not understanding.
>
> You need to support a complex attribute type? Is that it?
>
>
> On 1/22/2016 4:27 AM, Jérôme Blanchard wrote:
>> Hi Bill, all,
>>
>> I succeeded in authenticating via the Shibboleth federation using the SAML IdP, but I encounter a problem.
>> One SAML attribute of our authentication response is not of type >> String but a fulle NameID type (eduPersonTargetId) and makes the >> authentication crash because of class BaseWriter which is not >> able to serialize an attribute which is not a String (line 176). >> If I avoid this test, authentication works well using the >> UsernameTemplateMapper. >> By the way, it does not solve the whole problem. The provider >> user id and the provider user name store the saml auth response >> nameid (and not an attribute) which makes the next IdP SAML >> session impossible to use the same keycloak account because of a >> change of this transient nameid... >> Actually, I don't see another solution than rewriting another >> Identity Provider based on Shibboleth attribute as a fork of the >> SAML provider but including. >> It will also allows me to include the Shibboleth DIscovery >> Service directly in keycloak instead of providing another webapp >> to ensure the federation idps synchronization by parsing >> periodiccaly the WAYF file. >> I will also provide a small patch for the BaseWriter in order to >> allow serialization of complex types attribute, except if you >> have in mind to do so... >> >> Best regards, J?r?me. >> >> Le jeu. 14 janv. 2016 ? 15:37, J?r?me Blanchard >> > a ?crit : >> >> Thanks for your answer. >> In fact Shibboleth supports others saml nameid but in the >> renater federation, it only contains transient nameid. Here >> is a part of their doc (sorry it's in french) : >> >> >> Utilisation des identifiants utilisateur opaques >> >> Voir la description du eduPersonTargetedID >> >> >> >> Votre application a peut-?tre besoin de manipuler de >> identifiants utilisateur, dont la valeur est stable d'une >> session ? l'autre ; par exemple pour g?rer les pr?f?rences >> utilisateur. Or, pour des raisons de protection des donn?es >> personnelles, les fournisseurs d'identit?s ne peuvent vous >> transmettre les identifiants des utilisateurs. 
Dans ce cas, >> vous pouvez demander aux fournisseurs d'identit?s de vous >> communiquer des identifiants stables mais opaques, appel?s >> *eduPersonTargetedID*. >> >> Vous devrez configurer le fichier /AAP.xml/ de votre >> fournisseur de services Shibboleth comme indiqu? ci-dessous : >> >> >> >> >> >> >> >> L'attribut sera accessible pour l'application dans l'en-t?te >> HTTP *HTTP_SHIB_TARGETEDID* (avec Shibboleth 1.3). Le format >> du eduPersonTargetedID est le suivant : >> identifiant_IdP*!*identifiant_SP*!*identifiant_utilisateur >> >> >> According to their doc, nameid are session based and not user >> based so if you want stable identifier, you have to ask for >> eduPersonTargetedID attribute !! >> >> I'm going to have a look at UsernameTemplateMapper. >> Thanks again, J?r?me. >> >> >> >> Le jeu. 14 janv. 2016 ? 15:23, Bill Burke > > a ?crit : >> >> Shibboleth only supports transient name ids? I find that >> hard to believe. Remember Keycloak would just look like >> any other client. IMO you should go that route. >> >> Also though, I think you might be able to write a Broker >> Mapper, take a look at UsernameTemplateMapper. This SPI >> is undocumented and unsupported at the moment, but I hope >> to change that soon. >> >> >> On 1/14/2016 6:20 AM, J?r?me Blanchard wrote: >>> Hi all, >>> >>> According to shibboleth specification, IdP of a >>> federation usually use transient NameID which makes >>> Shibboleth impossible to interface with keycloak, even >>> if we manage the Discovery Service externally in order >>> to maintain IdP list mapping between federation and >>> keycloak. >>> It's really annoying for me and I'm trying to >>> investigate a way to solve this problem. >>> In my federation, some doc say that if you need to >>> manage personnal user information in your application, >>> you have to rely on a dedicated attribute in order to >>> retreive real user id and not the transient opaque one. 
>>> In this case, an attribute called eduPersoneTargetedId >>> exists and can be use by shibboleth. >>> I am trying to patch the saml broker in order to take >>> into consideration this attribute in a kind of >>> attributeToNameIdMapper but I have to admit that I'm >>> lost a bit in the code. >>> Do you think this approach is good ? >>> >>> Best regards, J?r?me. >>> >>> >>> Le mer. 6 janv. 2016 ? 09:31, J?r?me Blanchard >>> > a ?crit : >>> >>> Hi Bill, all, >>> >>> In the case of a transient only nameid, would it be >>> possible to create a dedicated attribute mapper in >>> order to use for exemple the email attribute as name >>> identifier ? >>> >>> PS : the urn:mace:shibboleth:1.0:nameIdentifier is >>> in fact use in SAML v1 for request a nameid that is >>> transient also... so there is no solution in this way. >>> >>> Best regards, J?r?me. >>> >>> Le mar. 5 janv. 2016 ? 16:13, Bill Burke >>> > a ?crit : >>> >>> We won't be able to support temporary ids >>> (transient) for awhile as it >>> requires temporary user creation which requires >>> some rearchitecting. >>> >>> As for "urn:mace:shibboleth:1.0:nameIdentifier" >>> if you spec it out in a >>> JIRA and it is simple enough to implement >>> support for, we may be able to >>> get it in. >>> >>> On 1/5/2016 8:18 AM, J?r?me Blanchard wrote: >>> > Hi Bill, >>> > >>> > Thanks for your answer regarding transient and >>> temporary ids. I >>> > understand the problem due to keycloak account >>> creation and binding to >>> > the IdP. >>> > Renarter is using Shibboleth ; Is there is any >>> work on shibboleth >>> > integration for keycloak ? 
>>> > If I look into the idps entities descriptors >>> of renater, I found that it >>> > uses also another nameid format based on >>> shibboleth namesapce : >>> > >>> urn:mace:shibboleth:1.0:nameIdentifier >>> > >>> urn:oasis:names:tc:SAML:2.0:nameid-format:transient >>> > >>> > Do you think it is possible to patch the saml >>> idp provider (or to create >>> > another one dedicated to shibboleth) in order >>> to integrate keycloak to >>> > our identity federation (renater) ? >>> > >>> > Best whiches for this upcoming year and thanks >>> for your great work >>> > around keycloak. >>> > >>> > J?r?me. >>> > >>> > >>> > Le mar. 22 d?c. 2015 ? 21:10, Bill Burke >>> >>> > >> >> a ?crit : >>> > >>> > Our brokering doesn't support temporary >>> user ids from the "parent" IDP. >>> > Transient Ids in SAML or temporary ids. >>> > >>> > On 12/22/2015 11:46 AM, J?r?me Blanchard >>> wrote: >>> > > Hi, >>> > > >>> > > I'm trying to integrate keycloak into a >>> the french research >>> > federation >>> > > of identity (renater) and I'm facing >>> some problems. >>> > > Actually, when IdP respond to keycloak >>> i'm getting the following >>> > error : >>> > > PL00084: Writer: Unsupported Attribute >>> > > >>> Value:org.keycloak.dom.saml.v2.assertion.NameIDType >>> > > >>> > > It seems that this IdP is using >>> transient NameID policy only and >>> > using >>> > > the unspecified field in the idp config >>> in keycloak generate this >>> > > exception as a return. >>> > > >>> > > Log of the keycloak server is joined. >>> > > >>> > > I have no idea of what happening >>> because when I was using the test >>> > > federation, everything was working but >>> no I'm in the production >>> > > federation, login fails. >>> > > >>> > > The renater federation is using >>> Shibolleth and keycloak is not >>> > supported >>> > > by federation moderators so I'm alone >>> in the dark now... 
>>> > >
>>> > > Renater provides an IdP list that I have to parse and synchronize with the IdPs in keycloak. In return I provide a list of all endpoints for each keycloak-registered IdP to allow federation IdPs to answer correctly to the right endpoint. All of this is done by a small web app deployed beside keycloak and using the REST API to synchronize all the IdPs.
>>> > >
>>> > > One of the IdP entity descriptors is joined. As you can see, only the transient nameid policy is supported and if I configure keycloak to use email or persistent, I receive a response saying that the nameid is not supported:
>>> > >
>>> > > <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>> > >     xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>>> > >     AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>> > >     Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
>>> > >     ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>> > >     IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
>>> > >     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>> > >     Version="2.0">
>>> > >   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer>
>>> > >   <samlp:NameIDPolicy AllowCreate="true"
>>> > >     Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
>>> > > </samlp:AuthnRequest>
>>> > >
>>> > > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>> > >     Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>> > >     ID="_9d03761957aade819b6823c35bbab278"
>>> > >     InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>> > >     IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
>>> > >   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>> > >     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer>
>>> > >   <saml2p:Status>
>>> > >     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
>>> > >       <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
>>> > >     </saml2p:StatusCode>
>>> > >     <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
>>> > >   </saml2p:Status>
>>> > > </saml2p:Response>
>>> > >
>>> > > Any help would be gratefully appreciated.
>>> > >
>>> > > Thanks a lot, Jérôme.
>>> > >
>>> > > _______________________________________________
>>> > > keycloak-user mailing list
>>> > > keycloak-user at lists.jboss.org
>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> > --
>>> > Bill Burke
>>> > JBoss, a division of Red Hat
>>> > http://bill.burkecentral.com
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160122/e7ca0cf4/attachment-0001.html

From emorny at gmail.com Fri Jan 22 11:25:16 2016
From: emorny at gmail.com (Edem Morny)
Date: Fri, 22 Jan 2016 16:25:16 +0000
Subject: [keycloak-user] Password Hints
Message-ID: <1453479916.17896.2.camel@localhost.localdomain>

Hi,

I'm using keycloak 1.5.1.Final.

Is it possible to display a hint on the login page to point out to the user the password requirements that have been configured via the authentication UI, i.e.
length of password, numeric etc.?

Our users are having a hard time knowing what the password requirements are and are only shown an error message AFTER they enter the wrong details.

Cheers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160122/e04eb2ff/attachment.html

From jayblanc at gmail.com Fri Jan 22 12:19:55 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Fri, 22 Jan 2016 17:19:55 +0000
Subject: [keycloak-user] Problem using SAML IdP
In-Reply-To: <56A25385.30502@redhat.com>
References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> <5697AF67.50008@redhat.com> <56A23519.5010100@redhat.com> <56A25385.30502@redhat.com>
Message-ID:

Hi,
The stack trace is joined.
Using a UsernameTemplateMapper is not enough because the brokerId keeps the transient nameid that is used to link the IdP to the keycloak Account.
As soon as the IdP session expires, if I use the IdP again, a new transient nameId is generated and keycloak is not able to map the incoming SAML response to the right keycloak Account. It then opens the first login form and asks for a user name (prepopulated with the ${ALIAS}.${NAMEID} syntax or the mapper value (I am unable to use the complex type in this UsernameTemplateMapper (like ${ATTRIBUTE.eduPersonTargetID.value[0]})).
By the way, this attribute mapper does not override the brokerUserId:

    String brokerUserId = config.getAlias() + "." + subjectNameID.getValue();
    identity.setBrokerUserId(brokerUserId);

so a transient subjectNameID is a problem even with the UsernameTemplateMapper... It always creates a new link between account and IdP and this link does not work if the keycloak account already exists.
Do you see my understanding more clearly? (I'm sorry for my poor english)

On Fri 22 Jan 2016 at 17:06, Bill Burke wrote:
> Can you show me the actual crash? Stack trace?
> If the attribute is parsed correctly, you should be able to write a UsernameMapper to handle everything, no?
>
> On 1/22/2016 11:00 AM, Jérôme Blanchard wrote:
>
> Yes exactly.
> But I also need to use this complex type attribute in the Endpoint.handleLoginResponse as the subjectNameID in order to avoid using the provided transient nameID; something like:
>
>     protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder holder, ResponseType responseType, String relayState) {
>         try {
>             AssertionType assertion = AssertionUtil.getAssertion(responseType, realm.getPrivateKey());
>             SubjectType subject = assertion.getSubject();
>             SubjectType.STSubType subType = subject.getSubType();
>             NameIDType subjectNameID = (NameIDType) subType.getBaseID();
>             //Map notes = new HashMap<>();
>             // only fall back to an attribute when the IdP gave us a transient NameID
>             if (subjectNameID.getFormat() != null && subjectNameID.getFormat().toString().equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
>                 if (assertion.getAttributeStatements() != null) {
>                     for (AttributeStatementType attrStatement : assertion.getAttributeStatements()) {
>                         for (AttributeStatementType.ASTChoiceType choice : attrStatement.getAttributes()) {
>                             AttributeType attribute = choice.getAttribute();
>                             // null-safe comparison: FriendlyName is optional in SAML
>                             if ("eduPersonTargetID".equals(attribute.getFriendlyName()) || "urn:oid:1.3.6.1.4.1.5923.1.1.1.10".equals(attribute.getName())) {
>                                 if (!attribute.getAttributeValue().isEmpty()) {
>                                     //TODO Use NameId of this attribute to replace subjectNameID
>                                 }
>                             }
>                         }
>                     }
>                     (...)
>                 }
>             }
>
> Do you think I need to patch this class in order to allow this, or do you think there is a way of integration in keycloak considering the shibboleth federation use case?
>
> Best regards, Jérôme.
>
> On Fri 22 Jan 2016 at 14:56, Bill Burke <bburke at redhat.com> wrote:
>
>> Can you spell out exactly what you need here as I'm not understanding.
>>
>> You need to support a complex attribute type? Is that it?
>>
>> On 1/22/2016 4:27 AM, Jérôme Blanchard wrote:
>>
>> Hi Bill, all,
>>
>> I succeeded in authenticating via the shibboleth federation using the SAML IdP but I encounter a problem.
>> One SAML attribute of our authentication response is not of type String but a full NameID type (eduPersonTargetId) and makes the authentication crash because of class BaseWriter, which is not able to serialize an attribute which is not a String (line 176).
>> If I avoid this test, authentication works well using the UsernameTemplateMapper.
>> By the way, it does not solve the whole problem. The provider user id and the provider user name store the saml auth response nameid (and not an attribute), which makes it impossible for the next IdP SAML session to use the same keycloak account because of a change of this transient nameid...
>> Actually, I don't see another solution than rewriting another Identity Provider based on Shibboleth attributes as a fork of the SAML provider but including.
>> It will also allow me to include the Shibboleth Discovery Service directly in keycloak instead of providing another webapp to ensure the federation idps synchronization by periodically parsing the WAYF file.
>> I will also provide a small patch for the BaseWriter in order to allow serialization of complex type attributes, except if you have in mind to do so...
>>
>> Best regards, Jérôme.
>>
>> On Thu 14 Jan 2016 at 15:37, Jérôme Blanchard <jayblanc at gmail.com> wrote:
>>
>>> Thanks for your answer.
>>> In fact Shibboleth supports other saml nameids but in the renater federation, it only contains transient nameids. Here is a part of their doc (sorry, it's in french):
>>>
>>> Using opaque user identifiers
>>>
>>> See the description of eduPersonTargetedID
>>>
>>> Your application may need to handle user identifiers whose value is stable from one session to the next; for example to manage user preferences. However, for personal data protection reasons, identity providers cannot pass the users' identifiers on to you. In this case, you can ask the identity providers to give you stable but opaque identifiers, called *eduPersonTargetedID*.
>>>
>>> You will need to configure the *AAP.xml* file of your Shibboleth service provider as shown below:
>>>
>>> The attribute will be available to the application in the HTTP header *HTTP_SHIB_TARGETEDID* (with Shibboleth 1.3). The format of the eduPersonTargetedID is as follows: IdP_identifier*!*SP_identifier*!*user_identifier
>>>
>>> According to their doc, nameids are session based and not user based, so if you want a stable identifier, you have to ask for the eduPersonTargetedID attribute!!
>>> I'm going to have a look at UsernameTemplateMapper.
>>> Thanks again, Jérôme.
>>>
>>> On Thu 14 Jan 2016 at 15:23, Bill Burke <bburke at redhat.com> wrote:
>>>
>>>> Shibboleth only supports transient name ids? I find that hard to believe. Remember Keycloak would just look like any other client. IMO you should go that route.
>>>>
>>>> Also though, I think you might be able to write a Broker Mapper, take a look at UsernameTemplateMapper. This SPI is undocumented and unsupported at the moment, but I hope to change that soon.
>>>>
>>>> On 1/14/2016 6:20 AM, Jérôme Blanchard wrote:
>>>>
>>>> Hi all,
>>>>
>>>> According to the shibboleth specification, IdPs of a federation usually use transient NameIDs, which makes Shibboleth impossible to interface with keycloak, even if we manage the Discovery Service externally in order to maintain the IdP list mapping between federation and keycloak.
>>>> It's really annoying for me and I'm trying to investigate a way to solve this problem.
>>>> In my federation, some docs say that if you need to manage personal user information in your application, you have to rely on a dedicated attribute in order to retrieve the real user id and not the transient opaque one. In this case, an attribute called eduPersoneTargetedId exists and can be used by shibboleth.
>>>> I am trying to patch the saml broker in order to take into consideration this attribute in a kind of attributeToNameIdMapper but I have to admit that I'm a bit lost in the code.
>>>> Do you think this approach is good?
>>>>
>>>> Best regards, Jérôme.
>>>>
>>>> On Wed 6 Jan 2016 at 09:31, Jérôme Blanchard wrote:
>>>>
>>>>> Hi Bill, all,
>>>>>
>>>>> In the case of a transient-only nameid, would it be possible to create a dedicated attribute mapper in order to use for example the email attribute as name identifier?
>>>>>
>>>>> PS: the urn:mace:shibboleth:1.0:nameIdentifier is in fact used in SAML v1 to request a nameid that is transient also... so there is no solution in this way.
>>>>>
>>>>> Best regards, Jérôme.
>>>>>
>>>>> On Tue 5 Jan 2016 at 16:13, Bill Burke <bburke at redhat.com> wrote:
>>>>>
>>>>>> We won't be able to support temporary ids (transient) for a while as it requires temporary user creation which requires some rearchitecting.
>>>>>>
>>>>>> As for "urn:mace:shibboleth:1.0:nameIdentifier", if you spec it out in a JIRA and it is simple enough to implement support for, we may be able to get it in.
>>>>>>
>>>>>> On 1/5/2016 8:18 AM, Jérôme Blanchard wrote:
>>>>>> > Hi Bill,
>>>>>> >
>>>>>> > Thanks for your answer regarding transient and temporary ids. I understand the problem due to keycloak account creation and binding to the IdP.
>>>>>> > Renater is using Shibboleth; is there any work on shibboleth integration for keycloak?
>>>>>> > If I look into the IdPs' entity descriptors of renater, I found that it also uses another nameid format based on the shibboleth namespace:
>>>>>> >
>>>>>> > urn:mace:shibboleth:1.0:nameIdentifier
>>>>>> > urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>>>>>> >
>>>>>> > Do you think it is possible to patch the saml idp provider (or to create another one dedicated to shibboleth) in order to integrate keycloak into our identity federation (renater)?
>>>>>> >
>>>>>> > Best wishes for this upcoming year and thanks for your great work around keycloak.
>>>>>> >
>>>>>> > Jérôme.
>>>>>> >
>>>>>> > On Tue 22 Dec 2015 at 21:10, Bill Burke <bburke at redhat.com> wrote:
>>>>>> >
>>>>>> > Our brokering doesn't support temporary user ids from the "parent" IDP. Transient Ids in SAML or temporary ids.
>>>>>> >
>>>>>> > On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:
>>>>>> > > Hi,
>>>>>> > >
>>>>>> > > I'm trying to integrate keycloak into the french research federation of identity (renater) and I'm facing some problems.
>>>>>> > > Actually, when the IdP responds to keycloak I'm getting the following error:
>>>>>> > > PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType
>>>>>> > >
>>>>>> > > It seems that this IdP is using the transient NameID policy only, and using the unspecified field in the idp config in keycloak generates this exception as a return.
>>>>>> > >
>>>>>> > > The log of the keycloak server is joined.
>>>>>> > >
>>>>>> > > I have no idea what is happening because when I was using the test federation, everything was working, but now I'm in the production federation, login fails.
>>>>>> > >
>>>>>> > > The renater federation is using Shibboleth and keycloak is not supported by federation moderators so I'm alone in the dark now...
>>>>>> > >
>>>>>> > > Renater provides an IdP list that I have to parse and synchronize with the IdPs in keycloak. In return I provide a list of all endpoints for each keycloak-registered IdP to allow federation IdPs to answer correctly to the right endpoint. All of this is done by a small web app deployed beside keycloak and using the REST API to synchronize all the IdPs.
>>>>>> > >
>>>>>> > > One of the IdP entity descriptors is joined. As you can see, only the transient nameid policy is supported and if I configure keycloak to use email or persistent, I receive a response saying that the nameid is not supported:
>>>>>> > >
>>>>>> > > <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>>>>> > >     xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>>> > >     AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>>>>> > >     Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
>>>>>> > >     ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>>>>> > >     IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
>>>>>> > >     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>>>> > >     Version="2.0">
>>>>>> > >   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer>
>>>>>> > >   <samlp:NameIDPolicy AllowCreate="true"
>>>>>> > >     Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
>>>>>> > > </samlp:AuthnRequest>
>>>>>> > >
>>>>>> > > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>>>> > >     Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>>>>> > >     ID="_9d03761957aade819b6823c35bbab278"
>>>>>> > >     InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>>>>> > >     IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
>>>>>> > >   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>>> > >     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer>
>>>>>> > >   <saml2p:Status>
>>>>>> > >     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
>>>>>> > >       <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
>>>>>> > >     </saml2p:StatusCode>
>>>>>> > >     <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
>>>>>> > >   </saml2p:Status>
>>>>>> > > </saml2p:Response>
>>>>>> > >
>>>>>> > > Any help would be gratefully appreciated.
>>>>>> > >
>>>>>> > > Thanks a lot, Jérôme.
>>>>>> > >
>>>>>> > > _______________________________________________
>>>>>> > > keycloak-user mailing list
>>>>>> > > keycloak-user at lists.jboss.org
>>>>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>> >
>>>>>> > --
>>>>>> > Bill Burke
>>>>>> > JBoss, a division of Red Hat
>>>>>> > http://bill.burkecentral.com
>>>>>> > _______________________________________________
>>>>>> > keycloak-user mailing list
>>>>>> > keycloak-user at lists.jboss.org
>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
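The link-breaking behaviour described in the message above (Keycloak building brokerUserId from a transient subject NameID while the stable value travels in the eduPersonTargetedID attribute as a NameID-typed value), worked through as an added Python example that is not Keycloak code; it assumes a constructed response, example.org entity IDs, and that signature and Conditions validation already passed before this step:

```python
"""Stable broker user id for a SAML IdP that only issues transient NameIDs.

Keycloak links the brokered identity with alias + "." + subject NameID.
A transient NameID changes every session, so that link breaks; the stable
identifier is carried in the eduPersonTargetedID attribute, whose value is
a NameID element rather than a string. This picks the stable value when it
is present and scoped to the expected IdP/SP pair.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
EPTID_FRIENDLY = "eduPersonTargetedID"

# Constructed sample (not a real federation response): transient subject
# NameID plus an eduPersonTargetedID attribute carrying a persistent NameID.
IDP_ENTITY_ID = "https://idp.example.org/idp"
SP_ENTITY_ID = "https://sp.example.org/auth/realms/demo"
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}"
    xmlns:saml2="{NS['saml2']}" ID="_r1" Version="2.0">
  <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{STATUS_SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="{NAMEID_TRANSIENT}">_7f3c0a9e1b2d</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="{EPTID_OID}" FriendlyName="{EPTID_FRIENDLY}">
        <saml2:AttributeValue>
          <saml2:NameID Format="{NAMEID_PERSISTENT}"
              NameQualifier="{IDP_ENTITY_ID}"
              SPNameQualifier="{SP_ENTITY_ID}">b3e1d5c9f0a2</saml2:NameID>
        </saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def find_targeted_id(assertion):
    """Return the NameID element inside eduPersonTargetedID, or None."""
    for attr in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == EPTID_OID or attr.get("FriendlyName") == EPTID_FRIENDLY:
            nameid = attr.find("saml2:AttributeValue/saml2:NameID", NS)
            if nameid is not None and (nameid.text or "").strip():
                return nameid
    return None


def targeted_id_string(nameid):
    """Flatten a NameID-typed value the way a Shibboleth SP exposes it:
    IdP_identifier!SP_identifier!user_identifier (the format quoted in the thread)."""
    return "!".join([nameid.get("NameQualifier", ""),
                     nameid.get("SPNameQualifier", ""),
                     nameid.text.strip()])


def stable_broker_user_id(response_xml, alias, idp_entity_id, sp_entity_id):
    """Return (broker_user_id, stable) in Keycloak's alias.value shape.

    Signature and Conditions checks are assumed to have happened already
    (Keycloak does them before reaching this point)."""
    root = ET.fromstring(response_xml)
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("SAML status is not Success")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        raise ValueError("assertion issuer %r is not the configured IdP" % issuer)
    subject = assertion.find("saml2:Subject/saml2:NameID", NS)
    if subject is None or not (subject.text or "").strip():
        raise ValueError("assertion has no subject NameID")
    subject_id = alias + "." + subject.text.strip()
    if subject.get("Format") != NAMEID_TRANSIENT:
        return subject_id, True          # persistent/email/etc.: already stable
    eptid = find_targeted_id(assertion)
    if eptid is None:
        return subject_id, False         # transient only: link will not survive
    # An ePTID is scoped to one IdP/SP pair; when the qualifiers are omitted
    # SAML defines them as the assertion issuer and the relying party.
    if (eptid.get("NameQualifier", issuer) != idp_entity_id
            or eptid.get("SPNameQualifier", sp_entity_id) != sp_entity_id):
        raise ValueError("eduPersonTargetedID is scoped to another IdP/SP pair")
    return alias + "." + targeted_id_string(eptid), True


if __name__ == "__main__":
    print(stable_broker_user_id(SAMPLE_RESPONSE, "renater", IDP_ENTITY_ID, SP_ENTITY_ID))
```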
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160122/16676d14/attachment-0001.html
-------------- next part --------------
2016-01-21 19:30:12,634 ERROR [io.undertow.request] (default task-56) UT005023: Exception handling request to /auth/realms/ortolang/broker/f35faa434a4029e720f25e948bca80b3/endpoint: java.lang.RuntimeException: request path: /auth/realms/ortolang/broker/f35faa434a4029e720f25e948bca80b3/endpoint
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
    ... 29 more
Caused by: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:322)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:350)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:165)
    at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    ... 37 more
Caused by: java.lang.RuntimeException: PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType
    at org.keycloak.saml.common.DefaultPicketLinkLogger.writerUnsupportedAttributeValueError(DefaultPicketLinkLogger.java:620)
    at org.keycloak.saml.processing.core.saml.v2.writers.BaseWriter.writeAttributeTypeWithoutRootTag(BaseWriter.java:177)
    at org.keycloak.saml.processing.core.saml.v2.writers.BaseWriter.write(BaseWriter.java:130)
    at org.keycloak.saml.processing.core.saml.v2.writers.SAMLAssertionWriter.write(SAMLAssertionWriter.java:172)
    at org.keycloak.saml.processing.core.saml.v2.writers.SAMLAssertionWriter.write(SAMLAssertionWriter.java:141)
    at org.keycloak.broker.saml.SAMLDataMarshaller.serialize(SAMLDataMarshaller.java:41)
    at org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext.serialize(SerializedBrokeredIdentityContext.java:295)
    at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:312)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:319)
    ... 52 more

From bburke at redhat.com Fri Jan 22 12:51:58 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 22 Jan 2016 12:51:58 -0500
Subject: [keycloak-user] Password Hints
In-Reply-To: <1453479916.17896.2.camel@localhost.localdomain>
References: <1453479916.17896.2.camel@localhost.localdomain>
Message-ID: <56A26C3E.60403@redhat.com>

Extend the Change Password required action page, add the information yourself. Same with the account page.

On 1/22/2016 11:25 AM, Edem Morny wrote:
> Hi,
>
> I'm using keycloak 1.5.1.Final.
>
> Is it possible to display a hint on the login page to point out to the user the password requirements that have been configured via the authentication UI i.e. length of password, numeric etc?
>
> Our users are having a hard time knowing what the password requirements are and are only shown an error message AFTER they enter the wrong details.
>
> Cheers.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160122/6ff21bba/attachment.html

From bburke at redhat.com Fri Jan 22 12:53:16 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 22 Jan 2016 12:53:16 -0500
Subject: [keycloak-user] Problem using SAML IdP
In-Reply-To:
References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> <5697AF67.50008@redhat.com> <56A23519.5010100@redhat.com> <56A25385.30502@redhat.com>
Message-ID: <56A26C8C.7030108@redhat.com>

So, if you have a mapper for the brokerUserId, that would solve the problem?

On 1/22/2016 12:19 PM, Jérôme Blanchard wrote:
> Hi,
> The stack trace is joined.
> Using a UsernameTemplateMapper is not enough because the brokerId keeps the transient nameid that is used to link the IdP to the keycloak Account.
> As soon as the IdP session expires, if I use the IdP again, a new transient nameId is generated and keycloak is not able to map the incoming SAML response to the right keycloak Account. It then opens the first login form and asks for a user name (prepopulated with the ${ALIAS}.${NAMEID} syntax or the mapper value (I am unable to use the complex type in this UsernameTemplateMapper (like ${ATTRIBUTE.eduPersonTargetID.value[0]})).
> By the way, this attribute mapper does not override the brokerUserId:
>
>     String brokerUserId = config.getAlias() + "." + subjectNameID.getValue();
>     identity.setBrokerUserId(brokerUserId);
>
> so a transient subjectNameID is a problem even with the UsernameTemplateMapper...
> It always creates a new link between account and IdP and this link does not work if the keycloak account already exists.
>
> Do you see my understanding more clearly? (I'm sorry for my poor english)
>
> On Fri 22 Jan 2016 at 17:06, Bill Burke wrote:
>
> Can you show me the actual crash? Stack trace? If the attribute is parsed correctly, you should be able to write a UsernameMapper to handle everything, no?
>
> On 1/22/2016 11:00 AM, Jérôme Blanchard wrote:
>> Yes exactly.
>> But I also need to use this complex type attribute in the Endpoint.handleLoginResponse as the subjectNameID in order to avoid using the provided transient nameID; something like:
>>
>>     protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder holder, ResponseType responseType, String relayState) {
>>         try {
>>             AssertionType assertion = AssertionUtil.getAssertion(responseType, realm.getPrivateKey());
>>             SubjectType subject = assertion.getSubject();
>>             SubjectType.STSubType subType = subject.getSubType();
>>             NameIDType subjectNameID = (NameIDType) subType.getBaseID();
>>             //Map notes = new HashMap<>();
>>             // only fall back to an attribute when the IdP gave us a transient NameID
>>             if (subjectNameID.getFormat() != null && subjectNameID.getFormat().toString().equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
>>                 if (assertion.getAttributeStatements() != null) {
>>                     for (AttributeStatementType attrStatement : assertion.getAttributeStatements()) {
>>                         for (AttributeStatementType.ASTChoiceType choice : attrStatement.getAttributes()) {
>>                             AttributeType attribute = choice.getAttribute();
>>                             // null-safe comparison: FriendlyName is optional in SAML
>>                             if ("eduPersonTargetID".equals(attribute.getFriendlyName()) || "urn:oid:1.3.6.1.4.1.5923.1.1.1.10".equals(attribute.getName())) {
>>                                 if (!attribute.getAttributeValue().isEmpty()) {
>>                                     //TODO Use NameId of this attribute to replace subjectNameID
>>                                 }
>>                             }
>>                         }
>>                     }
>>                     (...)
>>                 }
>>             }
>>
>> Do you think I need to patch this class in order to allow this, or do you think there is a way of integration in keycloak considering the shibboleth federation use case?
>>
>> Best regards, Jérôme.
>>
>> On Fri 22 Jan 2016 at 14:56, Bill Burke wrote:
>>
>> Can you spell out exactly what you need here as I'm not understanding.
>>
>> You need to support a complex attribute type? Is that it?
>>
>>
>> On 1/22/2016 4:27 AM, Jérôme Blanchard wrote:
>>> Hi Bill, all,
>>>
>>> I succeeded in authenticating via the shibboleth federation using the SAML IdP but I encounter a problem.
>>> One SAML attribute of our authentication response is not of type String but a full NameID type (eduPersonTargetId) and makes the authentication crash because of class BaseWriter, which is not able to serialize an attribute which is not a String (line 176).
>>> If I avoid this test, authentication works well using the UsernameTemplateMapper.
>>> By the way, it does not solve the whole problem. The provider user id and the provider user name store the saml auth response nameid (and not an attribute), which makes it impossible for the next IdP SAML session to use the same keycloak account because of a change of this transient nameid...
>>> Actually, I don't see another solution than rewriting another Identity Provider based on Shibboleth attributes as a fork of the SAML provider but including.
>>> It will also allow me to include the Shibboleth Discovery Service directly in keycloak instead of providing another webapp to ensure the federation idps synchronization by periodically parsing the WAYF file.
>>> I will also provide a small patch for the BaseWriter in order to allow serialization of complex type attributes, except if you have in mind to do so...
>>>
>>> Best regards, Jérôme.
>>>
>>> On Thu 14 Jan 2016 at 15:37, Jérôme Blanchard wrote:
>>>
>>> Thanks for your answer.
>>> In fact Shibboleth supports other saml nameids, but in the renater federation it only contains transient nameid. Here is a part of their doc (sorry it's in French; translated here):
>>>
>>> Using opaque user identifiers
>>>
>>> See the description of eduPersonTargetedID
>>>
>>> Your application may need to handle user identifiers whose value is stable from one session to the next, for example to manage user preferences. However, for personal data protection reasons, identity providers cannot send you the users' identifiers. In that case, you can ask the identity providers to send you stable but opaque identifiers, called *eduPersonTargetedID*.
>>>
>>> You will need to configure the /AAP.xml/ file of your Shibboleth service provider as shown below:
>>>
>>> The attribute will be accessible to the application in the HTTP header *HTTP_SHIB_TARGETEDID* (with Shibboleth 1.3). The format of the eduPersonTargetedID is the following: IdP_identifier*!*SP_identifier*!*user_identifier
>>>
>>> According to their doc, nameids are session based and not user based, so if you want a stable identifier, you have to ask for the eduPersonTargetedID attribute!!
>>>
>>> I'm going to have a look at UsernameTemplateMapper.
>>> Thanks again, Jérôme.
>>>
>>> On Thu, 14 Jan 2016 at 15:23, Bill Burke wrote:
>>>
>>> Shibboleth only supports transient name ids? I find that hard to believe. Remember Keycloak would just look like any other client. IMO you should go that route.
>>>
>>> Also though, I think you might be able to write a Broker Mapper, take a look at UsernameTemplateMapper. This SPI is undocumented and unsupported at the moment, but I hope to change that soon.
>>>
>>> On 1/14/2016 6:20 AM, Jérôme Blanchard wrote:
>>>> Hi all,
>>>>
>>>> According to the shibboleth specification, IdPs of a federation usually use transient NameID, which makes Shibboleth impossible to interface with keycloak, even if we manage the Discovery Service externally in order to maintain the IdP list mapping between federation and keycloak.
>>>> It's really annoying for me and I'm trying to investigate a way to solve this problem.
>>>> In my federation, some doc says that if you need to manage personal user information in your application, you have to rely on a dedicated attribute in order to retrieve the real user id and not the transient opaque one. In this case, an attribute called eduPersonTargetedId exists and can be used by shibboleth.
>>>> I am trying to patch the saml broker in order to take this attribute into consideration in a kind of attributeToNameIdMapper, but I have to admit that I'm a bit lost in the code.
>>>> Do you think this approach is good?
>>>>
>>>> Best regards, Jérôme.
>>>>
>>>> On Wed, 6 Jan 2016 at 09:31, Jérôme Blanchard wrote:
>>>>
>>>> Hi Bill, all,
>>>>
>>>> In the case of a transient only nameid, would it be possible to create a dedicated attribute mapper in order to use for example the email attribute as name identifier?
>>>>
>>>> PS: the urn:mace:shibboleth:1.0:nameIdentifier is in fact used in SAML v1 to request a nameid that is transient also... so there is no solution in this way.
>>>>
>>>> Best regards, Jérôme.
>>>>
>>>> On Tue, 5 Jan 2016 at 16:13, Bill Burke wrote:
>>>>
>>>> We won't be able to support temporary ids (transient) for awhile as it requires temporary user creation which requires some rearchitecting.
>>>>
>>>> As for "urn:mace:shibboleth:1.0:nameIdentifier", if you spec it out in a JIRA and it is simple enough to implement support for, we may be able to get it in.
>>>>
>>>> On 1/5/2016 8:18 AM, Jérôme Blanchard wrote:
>>>> > Hi Bill,
>>>> >
>>>> > Thanks for your answer regarding transient and temporary ids. I understand the problem due to keycloak account creation and binding to the IdP.
>>>> > Renater is using Shibboleth; is there any work on shibboleth integration for keycloak?
>>>> > If I look into the idps entity descriptors of renater, I found that it also uses another nameid format based on the shibboleth namespace:
>>>> >
>>>> > urn:mace:shibboleth:1.0:nameIdentifier
>>>> > urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>>>> >
>>>> > Do you think it is possible to patch the saml idp provider (or to create another one dedicated to shibboleth) in order to integrate keycloak into our identity federation (renater)?
>>>> >
>>>> > Best wishes for this upcoming year and thanks for your great work around keycloak.
>>>> >
>>>> > Jérôme.
>>>> >
>>>> > On Tue, 22 Dec 2015 at 21:10, Bill Burke wrote:
>>>> >
>>>> > Our brokering doesn't support temporary user ids from the "parent" IDP. Transient Ids in SAML or temporary ids.
>>>> >
>>>> > On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:
>>>> > > Hi,
>>>> > >
>>>> > > I'm trying to integrate keycloak into the French research federation of identity (renater) and I'm facing some problems.
>>>> > > Actually, when the IdP responds to keycloak I'm getting the following error:
>>>> > > PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType
>>>> > >
>>>> > > It seems that this IdP is using transient NameID policy only, and using the unspecified field in the idp config in keycloak generates this exception as a return.
>>>> > >
>>>> > > Log of the keycloak server is joined.
>>>> > >
>>>> > > I have no idea of what is happening because when I was using the test federation everything was working, but now I'm in the production federation, login fails.
>>>> > >
>>>> > > The renater federation is using Shibboleth and keycloak is not supported by federation moderators so I'm alone in the dark now...
>>>> > >
>>>> > > Renater provides an IdP list that I have to parse and synchronize with IdPs in keycloak. As a return I provide a list of all endpoints for each keycloak registered IdP to allow federation IdPs to answer correctly to the right endpoint. All of this is done by a small web app deployed aside keycloak and using the REST API to synchronize all the IdPs.
>>>> > >
>>>> > > One of the IdP entity descriptors is joined.
>>>> > > As you can see, only transient nameid policy is supported, and if I configure keycloak to use email or persistent, I received a response saying that the nameid is not supported:
>>>> > >
>>>> > > <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>>> > >     xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>>>> > >     AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>>> > >     Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
>>>> > >     ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>>> > >     IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
>>>> > >     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>> > >     Version="2.0">
>>>> > >   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer>
>>>> > >   <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
>>>> > > </samlp:AuthnRequest>
>>>> > >
>>>> > > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>> > >     Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>>> > >     ID="_9d03761957aade819b6823c35bbab278"
>>>> > >     InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>>> > >     IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
>>>> > >   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer>
>>>> > >   <saml2p:Status>
>>>> > >     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
>>>> > >       <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
>>>> > >     </saml2p:StatusCode>
>>>> > >     <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
>>>> > >   </saml2p:Status>
>>>> > > </saml2p:Response>
>>>> > >
>>>> > > Any help would be gracefully appreciated.
>>>> > >
>>>> > > Thanks a lot, Jérôme.
>>>> > >
>>>> > > _______________________________________________
>>>> > > keycloak-user mailing list
>>>> > > keycloak-user at lists.jboss.org
>>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >
>>>> > --
>>>> > Bill Burke
>>>> > JBoss, a division of Red Hat
>>>> > http://bill.burkecentral.com
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From traviskds at gmail.com Fri Jan 22 15:21:12 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Fri, 22 Jan 2016 20:21:12 +0000
Subject: [keycloak-user] User Attribute Value Field Size
Message-ID:

Hi,

We are thinking of storing application specific user attributes in Keycloak so that everything related to the user is in one place.

For example users can create favourite lists (i.e. bookmarks), recent actions etc.

We thought we could just push a json structure to the user attributes but realise that the value attribute can store only up to 255 characters.

Can't we make this an unlimited field type like a text field so we can then do things like the above?

Or is there a better way to store these types of values in KeyCloak.
Cheers
Travis

From bburke at redhat.com Fri Jan 22 15:28:38 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 22 Jan 2016 15:28:38 -0500
Subject: [keycloak-user] User Attribute Value Field Size
In-Reply-To:
References:
Message-ID: <56A290F6.1060308@redhat.com>

I've just scheduled a jira for this for 1.9. Hopefully it doesn't get deferred. A few people have asked for this. Not sure how portable a size increase we can support that works cross-db.

On 1/22/2016 3:21 PM, Travis De Silva wrote:
> Hi,
>
> We are thinking of storing application specific user attributes in Keycloak so that everything related to the user is in one place.
>
> For example users can create favourite lists (i.e. bookmarks), recent actions etc.
>
> We thought we could just push a json structure to the user attributes but realise that the value attribute can store only up to 255 characters.
>
> Can't we make this an unlimited field type like a text field so we can then do things like the above?
>
> Or is there a better way to store these types of values in KeyCloak.
>
> Cheers
> Travis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From traviskds at gmail.com Fri Jan 22 15:54:22 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Fri, 22 Jan 2016 20:54:22 +0000
Subject: [keycloak-user] User Attribute Value Field Size
In-Reply-To: <56A290F6.1060308@redhat.com>
References: <56A290F6.1060308@redhat.com>
Message-ID:

That's great. Thanks a lot Bill.
On Sat, 23 Jan 2016 at 07:29 Bill Burke wrote:
> I've just scheduled a jira for this for 1.9. Hopefully it doesn't get deferred. A few people have asked for this. Not sure how portable a size increase we can support that works cross-db.
>
> On 1/22/2016 3:21 PM, Travis De Silva wrote:
>
> Hi,
>
> We are thinking of storing application specific user attributes in Keycloak so that everything related to the user is in one place.
>
> For example users can create favourite lists (i.e. bookmarks), recent actions etc.
>
> We thought we could just push a json structure to the user attributes but realise that the value attribute can store only up to 255 characters.
>
> Can't we make this an unlimited field type like a text field so we can then do things like the above?
>
> Or is there a better way to store these types of values in KeyCloak.
>
> Cheers
> Travis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From jayblanc at gmail.com Fri Jan 22 15:55:48 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Fri, 22 Jan 2016 21:55:48 +0100
Subject: [keycloak-user] Problem using SAML IdP
In-Reply-To: <56A26C8C.7030108@redhat.com>
References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> <5697AF67.50008@redhat.com> <56A23519.5010100@redhat.com> <56A25385.30502@redhat.com> <56A26C8C.7030108@redhat.com>
Message-ID:

I think so.
If the call to this mapper is done in the handleLoginResponse it should do the trick, but it should also be able to parse a complex type to extract the value of a NameIdType.

On Fri, 22 Jan 2016 18:53, Bill Burke wrote:
> So, if you have a mapper for the brokerUserId, that would solve the problem?
>
> On 1/22/2016 12:19 PM, Jérôme Blanchard wrote:
>
> Hi,
> Stack trace is joined.
> Using a UsernameTemplateMapper is not enough because the brokerUserId keeps the transient nameid that is used to link the IdP to the keycloak Account.
> As soon as the IdP session expires, if I use the IdP again, a new transient nameId is generated and keycloak is not able to map the incoming SAML response to the right keycloak Account. It then opens the first login form and asks for a user name (prepopulated with the ${ALIAS}.${NAMEID} syntax or the mapper value (I am unable to use the complex type in this UsernameTemplateMapper (like ${ATTRIBUTE.eduPersonTargetID.value[0]}))).
> By the way, this attribute mapper does not override the brokerUserId:
>
>     String brokerUserId = config.getAlias() + "." + subjectNameID.getValue();
>     identity.setBrokerUserId(brokerUserId);
>
> so a transient subjectNameID is a problem even with the UsernameTemplateMapper...
> It always creates a new link between account and IdP, and this link does not work if the keycloak account already exists.
>
> Do you see more clearly my understanding? (I'm sorry for my poor English)
>
> On Fri, 22 Jan 2016 at 17:06, Bill Burke wrote:
>
>> Can you show me the actual crash? Stack trace? If the attribute is parsed correctly, you should be able to write a UsernameMapper to handle everything, no?
>>
>> On 1/22/2016 11:00 AM, Jérôme Blanchard wrote:
>>
>> Yes exactly.
>> But I also need to use this complex type attribute in the Endpoint.handleLoginResponse as the subjectNameID in order to avoid using the provided transient nameID; something like:
>>
>>     protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder holder, ResponseType responseType, String relayState) {
>>         try {
>>             AssertionType assertion = AssertionUtil.getAssertion(responseType, realm.getPrivateKey());
>>             SubjectType subject = assertion.getSubject();
>>             SubjectType.STSubType subType = subject.getSubType();
>>             NameIDType subjectNameID = (NameIDType) subType.getBaseID();
>>             //Map notes = new HashMap<>();
>>             if (subjectNameID.getFormat() != null && subjectNameID.getFormat().toString().equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
>>                 if (assertion.getAttributeStatements() != null) {
>>                     for (AttributeStatementType attrStatement : assertion.getAttributeStatements()) {
>>                         for (AttributeStatementType.ASTChoiceType choice : attrStatement.getAttributes()) {
>>                             AttributeType attribute = choice.getAttribute();
>>                             if (attribute.getFriendlyName().equals("eduPersonTargetID") || attribute.getName().equals("urn:oid:1.3.6.1.4.1.5923.1.1.1.10")) {
>>                                 if (!attribute.getAttributeValue().isEmpty()) {
>>                                     //TODO Use NameId of this attribute to replace subjectNameID
>>                                 }
>>                             }
>>                         }
>>                     }
>>                     (...)
>>                 }
>>             }
>>
>> Do you think I need to patch this class in order to allow this, or do you think there is a way of integration in keycloak considering the shibboleth federation use case?
>>
>> Best regards, Jérôme.
>>
>> On Fri, 22 Jan 2016 14:56, Bill Burke <bburke at redhat.com> wrote:
>>
>>> Can you spell out exactly what you need here as I'm not understanding.
>>>
>>> You need to support a complex attribute type? Is that it?
>>>
>>> On 1/22/2016 4:27 AM, Jérôme Blanchard wrote:
>>>
>>> Hi Bill, all,
>>>
>>> I succeeded in authenticating via shibboleth federation using SAML IdP but I encounter a problem.
>>> One SAML attribute of our authentication response is not of type String but a full NameID type (eduPersonTargetId) and makes the authentication crash because of class BaseWriter, which is not able to serialize an attribute which is not a String (line 176).
>>> If I avoid this test, authentication works well using the UsernameTemplateMapper.
>>> By the way, it does not solve the whole problem. The provider user id and the provider user name store the saml auth response nameid (and not an attribute), which makes it impossible for the next IdP SAML session to use the same keycloak account because of a change of this transient nameid...
>>> Actually, I don't see another solution than rewriting another Identity Provider based on Shibboleth attributes as a fork of the SAML provider but including.
>>> It will also allow me to include the Shibboleth Discovery Service directly in keycloak instead of providing another webapp to ensure the federation idps synchronization by periodically parsing the WAYF file.
>>> I will also provide a small patch for the BaseWriter in order to allow serialization of complex type attributes, except if you have in mind to do so...
>>>
>>> Best regards, Jérôme.
>>>
>>> On Thu, 14 Jan 2016 at 15:37, Jérôme Blanchard <jayblanc at gmail.com> wrote:
>>>
>>>> Thanks for your answer.
>>>> In fact Shibboleth supports other saml nameids, but in the renater federation it only contains transient nameid. Here is a part of their doc (sorry it's in French; translated here):
>>>>
>>>> Using opaque user identifiers
>>>>
>>>> See the description of eduPersonTargetedID
>>>>
>>>> Your application may need to handle user identifiers whose value is stable from one session to the next, for example to manage user preferences. However, for personal data protection reasons, identity providers cannot send you the users' identifiers. In that case, you can ask the identity providers to send you stable but opaque identifiers, called *eduPersonTargetedID*.
>>>>
>>>> You will need to configure the *AAP.xml* file of your Shibboleth service provider as shown below:
>>>>
>>>> The attribute will be accessible to the application in the HTTP header *HTTP_SHIB_TARGETEDID* (with Shibboleth 1.3). The format of the eduPersonTargetedID is the following: IdP_identifier*!*SP_identifier*!*user_identifier
>>>>
>>>> According to their doc, nameids are session based and not user based, so if you want a stable identifier, you have to ask for the eduPersonTargetedID attribute!!
>>>> I'm going to have a look at UsernameTemplateMapper.
>>>> Thanks again, Jérôme.
>>>>
>>>> On Thu, 14 Jan 2016 at 15:23, Bill Burke <bburke at redhat.com> wrote:
>>>>
>>>>> Shibboleth only supports transient name ids? I find that hard to believe. Remember Keycloak would just look like any other client. IMO you should go that route.
>>>>>
>>>>> Also though, I think you might be able to write a Broker Mapper, take a look at UsernameTemplateMapper. This SPI is undocumented and unsupported at the moment, but I hope to change that soon.
>>>>>
>>>>> On 1/14/2016 6:20 AM, Jérôme Blanchard wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> According to the shibboleth specification, IdPs of a federation usually use transient NameID, which makes Shibboleth impossible to interface with keycloak, even if we manage the Discovery Service externally in order to maintain the IdP list mapping between federation and keycloak.
>>>>> It's really annoying for me and I'm trying to investigate a way to solve this problem.
>>>>> In my federation, some doc says that if you need to manage personal user information in your application, you have to rely on a dedicated attribute in order to retrieve the real user id and not the transient opaque one. In this case, an attribute called eduPersonTargetedId exists and can be used by shibboleth.
>>>>> I am trying to patch the saml broker in order to take this attribute into consideration in a kind of attributeToNameIdMapper, but I have to admit that I'm a bit lost in the code.
>>>>> Do you think this approach is good?
>>>>>
>>>>> Best regards, Jérôme.
>>>>>
>>>>> On Wed, 6 Jan 2016 at 09:31, Jérôme Blanchard <jayblanc at gmail.com> wrote:
>>>>>
>>>>>> Hi Bill, all,
>>>>>>
>>>>>> In the case of a transient only nameid, would it be possible to create a dedicated attribute mapper in order to use for example the email attribute as name identifier?
>>>>>>
>>>>>> PS: the urn:mace:shibboleth:1.0:nameIdentifier is in fact used in SAML v1 to request a nameid that is transient also... so there is no solution in this way.
>>>>>>
>>>>>> Best regards, Jérôme.
>>>>>>
>>>>>> On Tue, 5 Jan 2016 at 16:13, Bill Burke <bburke at redhat.com> wrote:
>>>>>>
>>>>>>> We won't be able to support temporary ids (transient) for awhile as it requires temporary user creation which requires some rearchitecting.
>>>>>>>
>>>>>>> As for "urn:mace:shibboleth:1.0:nameIdentifier", if you spec it out in a JIRA and it is simple enough to implement support for, we may be able to get it in.
>>>>>>>
>>>>>>> On 1/5/2016 8:18 AM, Jérôme Blanchard wrote:
>>>>>>> > Hi Bill,
>>>>>>> >
>>>>>>> > Thanks for your answer regarding transient and temporary ids. I understand the problem due to keycloak account creation and binding to the IdP.
>>>>>>> > Renater is using Shibboleth; is there any work on shibboleth integration for keycloak?
>>>>>>> > If I look into the idps entity descriptors of renater, I found that it also uses another nameid format based on the shibboleth namespace:
>>>>>>> >
>>>>>>> > urn:mace:shibboleth:1.0:nameIdentifier
>>>>>>> > urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>>>>>>> >
>>>>>>> > Do you think it is possible to patch the saml idp provider (or to create another one dedicated to shibboleth) in order to integrate keycloak into our identity federation (renater)?
>>>>>>> >
>>>>>>> > Best wishes for this upcoming year and thanks for your great work around keycloak.
>>>>>>> >
>>>>>>> > Jérôme.
>>>>>>> >
>>>>>>> > On Tue, 22 Dec 2015 at 21:10, Bill Burke <bburke at redhat.com> wrote:
>>>>>>> >
>>>>>>> > Our brokering doesn't support temporary user ids from the "parent" IDP. Transient Ids in SAML or temporary ids.
>>>>>>> >
>>>>>>> > On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:
>>>>>>> > > Hi,
>>>>>>> > >
>>>>>>> > > I'm trying to integrate keycloak into the French research federation of identity (renater) and I'm facing some problems.
>>>>>>> > > Actually, when the IdP responds to keycloak I'm getting the following error:
>>>>>>> > > PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType
>>>>>>> > >
>>>>>>> > > It seems that this IdP is using transient NameID policy only, and using the unspecified field in the idp config in keycloak generates this exception as a return.
>>>>>>> > >
>>>>>>> > > Log of the keycloak server is joined.
>>>>>>> > >
>>>>>>> > > I have no idea of what is happening because when I was using the test federation everything was working, but now I'm in the production federation, login fails.
>>>>>>> > >
>>>>>>> > > The renater federation is using Shibboleth and keycloak is not supported by federation moderators so I'm alone in the dark now...
>>>>>>> > >
>>>>>>> > > Renater provides an IdP list that I have to parse and synchronize with IdPs in keycloak. As a return I provide a list of all endpoints for each keycloak registered IdP to allow federation IdPs to answer correctly to the right endpoint. All of this is done by a small web app deployed aside keycloak and using the REST API to synchronize all the IdPs.
>>>>>>> > >
>>>>>>> > > One of the IdP entity descriptors is joined. As you can see, only transient nameid policy is supported, and if I configure keycloak to use email or persistent, I received a response saying that the nameid is not supported:
>>>>>>> > >
>>>>>>> > > <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>>>>>> > >     xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>>>> > >     AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>>>>>> > >     Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
>>>>>>> > >     ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>>>>>> > >     IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
>>>>>>> > >     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>>>>> > >     Version="2.0">
>>>>>>> > >   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer>
>>>>>>> > >   <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
>>>>>>> > > </samlp:AuthnRequest>
>>>>>>> > >
>>>>>>> > > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>>>>> > >     Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>>>>>> > >     ID="_9d03761957aade819b6823c35bbab278"
>>>>>>> > >     InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>>>>>> > >     IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
>>>>>>> > >   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer>
>>>>>>> > >   <saml2p:Status>
>>>>>>> > >     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
>>>>>>> > >       <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
>>>>>>> > >     </saml2p:StatusCode>
>>>>>>> > >     <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
>>>>>>> > >   </saml2p:Status>
>>>>>>> > > </saml2p:Response>
>>>>>>> > >
>>>>>>> > > Any help would be gracefully appreciated.
>>>>>>> > >
>>>>>>> > > Thanks a lot, Jérôme.
>>>>>>> > >
>>>>>>> > > _______________________________________________
>>>>>>> > > keycloak-user mailing list
>>>>>>> > > keycloak-user at lists.jboss.org
>>>>>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>> >
>>>>>>> > --
>>>>>>> > Bill Burke
>>>>>>> > JBoss, a division of Red Hat
>>>>>>> > http://bill.burkecentral.com
>>>>>>>

From jeremy at jeremysimon.com Fri Jan 22 17:17:15 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Fri, 22 Jan 2016 17:17:15 -0500
Subject: [keycloak-user] Realms using certificate files, not autogenerated keys
Message-ID:

Hi,

I'd like my realm(s) to pull from a keystore file instead of the autogenerated keys in the UI, but I'm not quite sure how to pull it off.
In 8.1 (General Adaptor Config), you can set a client-keystore but it doesn't seem like what I'm looking for...nor is it clear if you just name it whatever you please or if this goes in keycloak-server.json ("Each adapter supported by Keycloak can be configured by a simple JSON text file"... not descriptive enough). But like I said, this doesn't seem like the right place / scenario. Any direction would be greatly appreciated! jeremy jeremy at jeremysimon.com www.JeremySimon.com From bburke at redhat.com Fri Jan 22 17:26:33 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 22 Jan 2016 17:26:33 -0500 Subject: [keycloak-user] Realms using certificate files, not autogenerated keys In-Reply-To: References: Message-ID: <56A2AC99.8050204@redhat.com> adapter is for the client/application side. For openid connect clients, there is no keys generated for the client. The client-keystore is to set up SSL trust. On 1/22/2016 5:17 PM, Jeremy Simon wrote: > Hi, > > I'd like my realm(s) to pull from a keystore file instead of the > autogenerated keys in the UI, but I'm not quite sure how to pull it > off. > > In 8.1 (General Adaptor Config), you can set a client-keystore but it > doesn't seem like what I'm looking for...nor is it clear if you just > name it whatever you please or if this goes in keycloak-server.json > ("Each adapter supported by Keycloak can be configured by a simple > JSON text file"... not descriptive enough). But like I said, this > doesn't seem like the right place / scenario. > > Any direction would be greatly appreciated! 
>
> jeremy
> jeremy at jeremysimon.com
> www.JeremySimon.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jeremy at jeremysimon.com Fri Jan 22 17:30:58 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Fri, 22 Jan 2016 17:30:58 -0500
Subject: [keycloak-user] Realms using certificate files, not autogenerated keys
In-Reply-To: <56A2AC99.8050204@redhat.com>
References: <56A2AC99.8050204@redhat.com>

ok. You are saying that is limited to HTTPS connection only? If so, how do I effectively configure "This realm uses this cert or keystore"?

jeremy
jeremy at jeremysimon.com
www.JeremySimon.com

On Fri, Jan 22, 2016 at 5:26 PM, Bill Burke wrote:
> adapter is for the client/application side. For openid connect clients,
> there is no keys generated for the client. The client-keystore is to
> set up SSL trust.
>
> On 1/22/2016 5:17 PM, Jeremy Simon wrote:
>> Hi,
>>
>> I'd like my realm(s) to pull from a keystore file instead of the
>> autogenerated keys in the UI, but I'm not quite sure how to pull it
>> off.
>>
>> In 8.1 (General Adaptor Config), you can set a client-keystore but it
>> doesn't seem like what I'm looking for... nor is it clear if you just
>> name it whatever you please or if this goes in keycloak-server.json
>> ("Each adapter supported by Keycloak can be configured by a simple
>> JSON text file"... not descriptive enough). But like I said, this
>> doesn't seem like the right place / scenario.
>>
>> Any direction would be greatly appreciated!
>>
>> jeremy
>> jeremy at jeremysimon.com
>> www.JeremySimon.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From bburke at redhat.com Fri Jan 22 17:42:44 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 22 Jan 2016 17:42:44 -0500
Subject: [keycloak-user] Realms using certificate files, not autogenerated keys
References: <56A2AC99.8050204@redhat.com>
Message-ID: <56A2B064.10805@redhat.com>

Each realm uses a keypair to sign tokens or SAML documents that it sends to the client/app. This is stored and generated by Keycloak. We don't have an option to change that.

For HTTPS, you can configure a truststore on the IDP/server side when the REALM is making background HTTPS requests. This truststore is used to verify the cert used by the remote connection to encrypt (one-way SSL). Is this what you mean?

On 1/22/2016 5:30 PM, Jeremy Simon wrote:
> ok. You are saying that is limited to HTTPS connection only? If so,
> how do I effectively configure "This realm uses this cert or
> keystore"?
> jeremy
> jeremy at jeremysimon.com
> www.JeremySimon.com
>
> On Fri, Jan 22, 2016 at 5:26 PM, Bill Burke wrote:
>> adapter is for the client/application side. For openid connect clients,
>> there is no keys generated for the client. The client-keystore is to
>> set up SSL trust.
>>
>> On 1/22/2016 5:17 PM, Jeremy Simon wrote:
>>> Hi,
>>>
>>> I'd like my realm(s) to pull from a keystore file instead of the
>>> autogenerated keys in the UI, but I'm not quite sure how to pull it
>>> off.
>>>
>>> In 8.1 (General Adaptor Config), you can set a client-keystore but it
>>> doesn't seem like what I'm looking for... nor is it clear if you just
>>> name it whatever you please or if this goes in keycloak-server.json
>>> ("Each adapter supported by Keycloak can be configured by a simple
>>> JSON text file"... not descriptive enough). But like I said, this
>>> doesn't seem like the right place / scenario.
>>>
>>> Any direction would be greatly appreciated!
>>>
>>> jeremy
>>> jeremy at jeremysimon.com
>>> www.JeremySimon.com
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ornot2008 at yahoo.com Sat Jan 23 01:19:49 2016
From: ornot2008 at yahoo.com (Mai Zi)
Date: Sat, 23 Jan 2016 06:19:49 +0000 (UTC)
Subject: [keycloak-user] Adapter workflow
References: <1709194052.101262.1453529989711.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1709194052.101262.1453529989711.JavaMail.yahoo@mail.yahoo.com>

Hi,

When a secured RESTful URL is hit in the browser, this request will reach the web server, say WildFly, first and then touch Keycloak for authentication. I am debugging a WildFly 8 adapter to try to understand this workflow. I want to intercept at the moment before the adapter sends the request to Keycloak. I don't know where to set a breakpoint. I have tried several places in the keycloak.adapter.core package but failed.

Thanks.
Mai
From hr.stoyanov at peruncs.com Sun Jan 24 15:29:34 2016
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Sun, 24 Jan 2016 12:29:34 -0800
Subject: [keycloak-user] Wait for WF10 Final?

For KC 1.8, does it make sense to wait for WF10 Final, which is really close now, rather than releasing on WF10RC5?

http://lists.jboss.org/pipermail/wildfly-dev/2016-January/004690.html

/Hristo Stoyanov

From sthorger at redhat.com Mon Jan 25 03:08:13 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 25 Jan 2016 09:08:13 +0100
Subject: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario

You'd need to make sure all adapters are configured with the same. http://external-hostname/auth needs to be the auth-server-url on all adapters.

On 21 January 2016 at 23:00, Joe Strathern wrote:
> Stian
> Thank you for your response.
> I am using your Wildfly adapter to secure my WAR. As it is contained in a
> cluster environment with a load balancing proxy, I updated my adapter to
> have the following settings, much like the example provided at
> http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization
> :
> {
> ...
> /auth
>
> http:/internal-hostname/auth
> ...
> }
>
> The auth-server-url is still working as expected for the external request,
> however I am still getting the same 401 error, caused by the mismatching
> Token audience and Domain when I try to make the hop with my new HTTP
> request.
> As I'm using Keycloak 1.7.0.Final currently, I downloaded the source and
> debugged, looking for a bit more insight as to what may be occurring.
>
> I noticed that the URL Keycloak is retrieving to compare against the
> token is retrieved from the realmInfoUrl variable of the
> KeyCloakDeployment object. This variable is unaffected by the
> auth-server-url-for-backend-requests option. (Instead it affects numerous
> other URL variables stored.) Therefore, the realmInfoUrl remains
> http://external-hostname/auth.
>
> Then the error occurs as (in this case) the RSATokenVerifier directly
> compares this Realm URL against the Token Issuer, which differ due to hostname
> (external vs internal, as before).
>
> Is there an additional configuration, or concept I am missing to correct
> this workflow?
>
> Thanks,
> Joe
>
> On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen wrote:
>
>> Assuming you are using our adapters there are two separate urls to
>> configure: "auth-server-url" is the external one,
>> auth-server-url-for-backend-requests is the internal one. See
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>> for more details.
>>
>> On 19 January 2016 at 22:20, Joe Strathern wrote:
>>
>>> Hello Keycloak Community
>>>
>>> I am looking for some assistance on how to pass a Keycloak bearer token
>>> in the multi-hop scenario, where the keycloak instance is inside a proxy
>>> environment, the next hop is within the proxy, and the original request
>>> came from outside of that environment.
>>>
>>> For instance, the original request goes to http://external-hostname/auth,
>>> where external-hostname is a proxy system. Login is successful, and I
>>> receive a Bearer Token with Token issuer
>>> http://external-hostname/auth/realms/My_Realm.
>>>
>>> Now I need to take that token from the HTTP request, and attach it to a
>>> new request from inside the proxy. I do so, redirecting to
>>> http://interior-hostname/API, secured by the same Keycloak. Using
>>> "external-hostname" as host once more is not an option, as we are within
>>> the proxied environment.
>>> However, submitting the hop HTTP request, I am
>>> met with the error:
>>>
>>> Failed to verify token: org.keycloak.common.VerificationException:
>>> Token audience doesn't match domain. Token issuer
>>> is http://external-hostname/auth/realms/My_Realm,
>>> but URL from configuration
>>> is http://internal-hostname/auth/realms/My_Realm
>>>
>>> The token is rejected (since the hostnames are not the exact same),
>>> however external-hostname and internal-hostname are the same machine.
>>>
>>> Is there a way that Keycloak can identify these hostnames as equivalent
>>> to accept the token, or another policy that should be followed in this
>>> situation?
>>>
>>> Thanks,
>>> Joe

From sthorger at redhat.com Mon Jan 25 04:48:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 25 Jan 2016 10:48:06 +0100
Subject: [keycloak-user] Wait for WF10 Final?

Hopefully yes, but we can't wait much longer.

On 24 January 2016 at 21:29, Hristo Stoyanov wrote:
> For KC 1.8, does it make sense to wait for WF10 Final, which is really
> close now, rather than releasing on WF10RC5?
>
> http://lists.jboss.org/pipermail/wildfly-dev/2016-January/004690.html
>
> /Hristo Stoyanov
From prabhalar at yahoo.com Mon Jan 25 05:50:20 2016
From: prabhalar at yahoo.com (Raghuram Prabhala)
Date: Mon, 25 Jan 2016 10:50:20 +0000 (UTC)
Subject: [keycloak-user] Realm Certificate from commercial Vendors
In-Reply-To: <646083569.7053352.1453404198204.JavaMail.yahoo@mail.yahoo.com>
References: <646083569.7053352.1453404198204.JavaMail.yahoo.ref@mail.yahoo.com> <646083569.7053352.1453404198204.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1319101580.639569.1453719020394.JavaMail.yahoo@mail.yahoo.com>

Dev team - any comments on the commercial certificates instead of the ones created by Keycloak?

Raghu

From: Raghuram Prabhala
To: Keycloak-user
Sent: Thursday, January 21, 2016 2:23 PM
Subject: Realm Certificate from commercial Vendors

I have a question about the Certificate/private key which is generated today by Keycloak. Rather than use that certificate, is there any way we can use a commercial Certificate from Vendors like Verisign? When that certificate expires, how do we generate/upload a new certificate (lifecycle) and handle the switch over to a new certificate with minimal impact to any of the clients who will have to download the new certificate and use it when KC starts using the new one?

From jeremy at jeremysimon.com Mon Jan 25 09:03:31 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Mon, 25 Jan 2016 09:03:31 -0500
Subject: [keycloak-user] Realms using certificate files, not autogenerated keys
In-Reply-To: <56A2B064.10805@redhat.com>
References: <56A2AC99.8050204@redhat.com> <56A2B064.10805@redhat.com>

Alright, I get it. Thinking about it, I guess that isn't so bad. I see there's an endpoint I can grab cert info from, so it should be ok. Thanks!
jeremy
jeremy at jeremysimon.com
www.JeremySimon.com

On Fri, Jan 22, 2016 at 5:42 PM, Bill Burke wrote:
> Each realm uses a keypair to sign tokens or SAML documents that it sends to
> the client/app. This is stored and generated by keycloak. We don't have an
> option to change that.
>
> For HTTPS, you can configure a truststore on the IDP/server side when the
> REALM is making background HTTPS requests. This truststore is used to
> verify the cert used by the remote connection to encrypt (one-way SSL). Is
> this what you mean?
>
> On 1/22/2016 5:30 PM, Jeremy Simon wrote:
>>
>> ok. You are saying that is limited to HTTPS connection only? If so,
>> how do I effectively configure "This realm uses this cert or
>> keystore"?
>> jeremy
>> jeremy at jeremysimon.com
>> www.JeremySimon.com
>>
>> On Fri, Jan 22, 2016 at 5:26 PM, Bill Burke wrote:
>>>
>>> adapter is for the client/application side. For openid connect clients,
>>> there is no keys generated for the client. The client-keystore is to
>>> set up SSL trust.
>>>
>>> On 1/22/2016 5:17 PM, Jeremy Simon wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'd like my realm(s) to pull from a keystore file instead of the
>>>> autogenerated keys in the UI, but I'm not quite sure how to pull it
>>>> off.
>>>>
>>>> In 8.1 (General Adaptor Config), you can set a client-keystore but it
>>>> doesn't seem like what I'm looking for... nor is it clear if you just
>>>> name it whatever you please or if this goes in keycloak-server.json
>>>> ("Each adapter supported by Keycloak can be configured by a simple
>>>> JSON text file"... not descriptive enough). But like I said, this
>>>> doesn't seem like the right place / scenario.
>>>>
>>>> Any direction would be greatly appreciated!
>>>>
>>>> jeremy
>>>> jeremy at jeremysimon.com
>>>> www.JeremySimon.com
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From jeremy at jeremysimon.com Mon Jan 25 12:58:06 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Mon, 25 Jan 2016 12:58:06 -0500
Subject: [keycloak-user] 'attr' attribute in rest api

I'm trying to figure out what I should even think of putting for {attr}... the api docs don't describe it.

Get a keystore file for the client, containing private key and public certificate
POST /admin/realms/{realm}/clients/{id}/certificates/{attr}/download

From bburke at redhat.com Mon Jan 25 13:08:43 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 25 Jan 2016 13:08:43 -0500
Subject: [keycloak-user] 'attr' attribute in rest api
Message-ID: <56A664AB.7000003@redhat.com>

For SAML? It's not really documented, sorry:

saml.signing
saml.encryption

A lot of this REST API was really only designed for the admin UI.

On 1/25/2016 12:58 PM, Jeremy Simon wrote:
> I'm trying to figure out what I should even think of putting for
> {attr}... the api docs don't describe it.
>
> Get a keystore file for the client, containing private key and public
> certificate
>
> POST /admin/realms/{realm}/clients/{id}/certificates/{attr}/download

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jeremy at jeremysimon.com Mon Jan 25 14:04:16 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Mon, 25 Jan 2016 14:04:16 -0500
Subject: [keycloak-user] 'attr' attribute in rest api
In-Reply-To: <56A664AB.7000003@redhat.com>
References: <56A664AB.7000003@redhat.com>

Maybe that'll get the same result, but I'm not looking for SAML. I basically wanted a programmatic way to grab the public key for decoding JWTs in Spring OAuth... the JwtAccessTokenConverter class.

jeremy
jeremy at jeremysimon.com
www.JeremySimon.com

On Mon, Jan 25, 2016 at 1:08 PM, Bill Burke wrote:
> For saml? Its not really documented sorry:
>
> saml.signing
> saml.encryption
>
> A lot of this REST API was really only designed for the admin UI.
>
> On 1/25/2016 12:58 PM, Jeremy Simon wrote:
>> I'm trying to figure out what I should even think of putting for
>> {attr}... the api docs don't describe it.
>>
>> Get a keystore file for the client, containing private key and public
>> certificate
>>
>> POST /admin/realms/{realm}/clients/{id}/certificates/{attr}/download
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From RLewis at carbonite.com Mon Jan 25 14:40:25 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Mon, 25 Jan 2016 19:40:25 +0000
Subject: [keycloak-user] Accessing Google OAuth tokens when using Keycloak
Message-ID: <74FA1AA4-E928-4DF8-864B-4CEA0E081252@carbonite.com>

First: Thanks for a great, well designed solution. Keycloak looks like it is going to do exactly what we need.

I do have a question though. If we use Google as an identity provider, is there a way to "piggyback" on that authentication to be able to retrieve a token for accessing Google Drive contents, for example, without having the user log in again?

Here is my workflow:

1. User goes to our webserver.
2. User is presented a login page from Keycloak.
3. User clicks Google.
4. User logs into Google.
5. User is redirected back to Keycloak's webpage.
6. User is redirected back to our webserver.

Now what we also want to do is use the workflow documented here: https://developers.google.com/identity/protocols/OAuth2WebServer?hl=en to get a token for Google Drive access.

Is this possible? Or am I doing something wrong? Or am I going about this the wrong way? We need to authenticate the user in our Keycloak, but we also want to let the user's application directly access the user's Google Drive data.

Thank you.

Reed Lewis
From jstrathern at gmail.com Mon Jan 25 17:27:19 2016
From: jstrathern at gmail.com (Joe Strathern)
Date: Mon, 25 Jan 2016 15:27:19 -0700
Subject: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario

Stian,

Thank you for the reply. While changing the auth-server-url to an absolute URL (http://external-hostname/auth) for all adapters allowed the token to be passed successfully, the relative URI optimization (http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization) for the auth-server-url is very important functionality I need access to. By leaving /auth as the auth-server-url, I can access the secured resources by case-insensitive host name, host IP address, http vs https and more, all of which are lost by having to switch to an absolute URL.

How can I retain the relative URL for auth-server-url, allowing my required external requests to pass through Keycloak, while allowing the internal requests and hops to use the auth-server-url-for-backend-requests absolute URL to authenticate?

Thanks,
Joe

On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen wrote:
> You'd need to make sure all adapters are configured with the same.
> http://external-hostname/auth needs to be the auth-server-url on all
> adapters.
>
> On 21 January 2016 at 23:00, Joe Strathern wrote:
>
>> Stian
>> Thank you for your response.
>> I am using your Wildfly adapter to secure my WAR. As it is contained in a
>> cluster environment with a load balancing proxy, I updated my adapter to
>> have the following settings, much like the example provided at
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization
>> :
>> {
>> ...
>> /auth
>>
>> http:/internal-hostname/auth
>> ...
>> }
>>
>> The auth-server-url is still working as expected for the external
>> request, however I am still getting the same 401 error, caused by the
>> mismatching Token audience and Domain when I try to make the hop with my
>> new HTTP request.
>> As I'm using Keycloak 1.7.0.Final currently, I downloaded the source and
>> debugged, looking for a bit more insight as to what may be occurring.
>>
>> I noticed that the URL Keycloak is retrieving to compare against the
>> token is retrieved from the realmInfoUrl variable of the
>> KeyCloakDeployment object. This variable is unaffected by the
>> auth-server-url-for-backend-requests option. (Instead it affects numerous
>> other URL variables stored.) Therefore, the realmInfoUrl remains
>> http://external-hostname/auth.
>>
>> Then the error occurs as (in this case) the RSATokenVerifier directly
>> compares this Realm URL against the Token Issuer, which differ due to hostname
>> (external vs internal, as before).
>>
>> Is there an additional configuration, or concept I am missing to correct
>> this workflow?
>>
>> Thanks,
>> Joe
>>
>> On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen wrote:
>>
>>> Assuming you are using our adapters there are two separate urls to
>>> configure: "auth-server-url" is the external one,
>>> auth-server-url-for-backend-requests is the internal one. See
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>>> for more details.
>>>
>>> On 19 January 2016 at 22:20, Joe Strathern wrote:
>>>
>>>> Hello Keycloak Community
>>>>
>>>> I am looking for some assistance on how to pass a Keycloak bearer token
>>>> in the multi-hop scenario, where the keycloak instance is inside a proxy
>>>> environment, the next hop is within the proxy, and the original request
>>>> came from outside of that environment.
>>>>
>>>> For instance, the original request goes to
>>>> http://external-hostname/auth, where external-hostname is a proxy
>>>> system.
>>>> Login is successful, and I receive a Bearer Token with Token issuer
>>>> http://external-hostname/auth/realms/My_Realm.
>>>>
>>>> Now I need to take that token from the HTTP request, and attach it to a
>>>> new request from inside the proxy. I do so, redirecting to
>>>> http://interior-hostname/API, secured by the same Keycloak. Using
>>>> "external-hostname" as host once more is not an option, as we are within
>>>> the proxied environment. However, submitting the hop HTTP request, I am
>>>> met with the error:
>>>>
>>>> Failed to verify token: org.keycloak.common.VerificationException:
>>>> Token audience doesn't match domain. Token issuer
>>>> is http://external-hostname/auth/realms/My_Realm,
>>>> but URL from configuration
>>>> is http://internal-hostname/auth/realms/My_Realm
>>>>
>>>> The token is rejected (since the hostnames are not the exact same),
>>>> however external-hostname and internal-hostname are the same machine.
>>>>
>>>> Is there a way that Keycloak can identify these hostnames as equivalent
>>>> to accept the token, or another policy that should be followed in this
>>>> situation?
>>>>
>>>> Thanks,
>>>> Joe
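The issuer check behind the 401 in this thread, as an added example that is not part of the thread and not Keycloak's code: a minimal stdlib-only JWT verifier whose last step mirrors the RSATokenVerifier behaviour Joe describes (an exact string comparison of the token's `iss` against the realm URL the adapter derives from its `auth-server-url`). It signs with HS256 and a constructed secret only to stay runnable offline, where Keycloak uses RS256 with the realm keypair; the `check_adapters` helper, which turns Stian's "same auth-server-url on all adapters" advice into a config lint, and all hostnames are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. Keycloak signs realm tokens with RS256 and the
# realm keypair; HS256 is used here only so the example runs with the stdlib.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-realm-key"


class VerificationException(Exception):
    """Stands in for org.keycloak.common.VerificationException from the thread."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def realm_info_url(auth_server_url: str, realm: str) -> str:
    """What an adapter derives from auth-server-url plus the realm name
    (the realmInfoUrl Joe found on KeycloakDeployment)."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def mint_token(issuer: str, subject: str, lifetime: int = 300,
               secret: bytes = DEMO_SECRET) -> str:
    """Issue a compact JWS the way a realm would: iss is the realm URL as the
    logging-in client saw it (the external hostname in the thread)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, auth_server_url: str, realm: str,
                 secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Signature, expiry, then the issuer comparison that produced Joe's 401."""
    parts = token.split(".")
    if len(parts) != 3:
        raise VerificationException("Token is not a compact JWS")
    encoded_header, encoded_claims, encoded_sig = parts
    # Signature first: claims of an unverified token are attacker-controlled.
    expected = hmac.new(secret, f"{encoded_header}.{encoded_claims}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(encoded_sig)):
        raise VerificationException("Invalid token signature")
    claims = json.loads(_b64url_decode(encoded_claims))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise VerificationException("Token is expired")
    # Exact string comparison, as in the thread: scheme, host spelling and
    # port all have to match, so external vs internal hostnames are rejected.
    configured = realm_info_url(auth_server_url, realm)
    if claims.get("iss") != configured:
        raise VerificationException(
            "Token audience doesn't match domain. Token issuer is "
            f"{claims.get('iss')}, but URL from configuration is {configured}")
    return claims


def check_adapters(adapter_urls: dict, realm: str, issuer: str) -> list:
    """Hypothetical config lint for Stian's advice: list the adapters whose
    auth-server-url would make them reject tokens carrying this issuer."""
    return sorted(name for name, url in adapter_urls.items()
                  if realm_info_url(url, realm) != issuer)


if __name__ == "__main__":
    tok = mint_token("http://external-hostname/auth/realms/My_Realm", "joe")
    print(verify_token(tok, "http://external-hostname/auth", "My_Realm")["sub"])
    try:
        verify_token(tok, "http://internal-hostname/auth", "My_Realm")
    except VerificationException as exc:
        print(exc)
```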
From jayblanc at gmail.com Mon Jan 25 17:34:14 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Mon, 25 Jan 2016 22:34:14 +0000
Subject: [keycloak-user] Problem using SAML IdP
References: <5679AE36.8060701@redhat.com> <568BDDB4.90903@redhat.com> <5697AF67.50008@redhat.com> <56A23519.5010100@redhat.com> <56A25385.30502@redhat.com> <56A26C8C.7030108@redhat.com>

Hi Bill, all,

I confirm that patching the two classes SAMLEndpoint and BaseWriter is working and uses my federation attribute dedicated to persistent NameID.

I also encounter a new error which seems to be simple but I don't find the solution. Scenario is:

1. I use an IdP from the federation to connect.
2. No account exists so I'm redirected to the first broker login page and fill in my name, email, first name and last name.
3. Confirmation mail is sent to finish account validation.
4. Login is OK.
5. Logout from my application.
6. Use another IdP from the federation to connect (I have an account in a research institute and a university and it's the case for most users).
7. Redirected to the first broker login page.
8. I fill in the SAME EMAIL as in 2 and I get an INTERNAL SERVER ERROR.

Stack trace is clear; it's a class not found exception... (see attached file)

I tried to add the dependency to module org.keycloak.keycloak-broker-core to module org.keycloak.keycloak-forms-common-freemarker but without success... Did I miss something?

I'm using keycloak 1.7.0.Final. I saw that in the master branch the organisation of the SAML broker has changed, so maybe the dependency problem is already solved, but my question is about fixing this in 1.7.0.Final because I use this in production and I need a working solution even if I have to patch this version for instance.

Thanks again for your great support, best regards, Jérôme.

On Fri 22 Jan 2016 at 21:55, Jérôme Blanchard wrote:
> I think so. If the call to this mapper is done during the
> handleLoginResponse it should do the trick but it should also be able to
> parse a complex type to extract the value of a NameIdType.
>
> On Fri 22 Jan 2016 18:53, Bill Burke wrote:
>
>> So, if you have a mapper for the brokerUserId, that would solve the
>> problem?
>>
>> On 1/22/2016 12:19 PM, Jérôme Blanchard wrote:
>>
>> Hi,
>> Stack trace is attached.
>> Using a UsernameTemplateMapper is not enough because the brokerUserId keeps the
>> transient nameid that is used to link the IdP to the keycloak Account.
>> As soon as the IdP session expires, if I use the IdP again, a new
>> transient nameId is generated and keycloak is not able to map the incoming
>> SAML response to the right keycloak Account. It so opens the first login
>> form and asks for a user name (prepopulated with the ${ALIAS}.${NAMEID}
>> syntax or the mapper value (I am unable to use the complex type in this
>> UsernameTemplateMapper (like ${ATTRIBUTE.eduPersonTargetID.value[0]})).
>> By the way, this attribute mapper does not override the brokerUserId:
>>     String brokerUserId = config.getAlias() + "." + subjectNameID.getValue();
>>     identity.setBrokerUserId(brokerUserId);
>> so a transient subjectNameID is a problem even with the
>> UsernameTemplateMapper...
>> It always creates a new link between account and IdP and this link does
>> not work if the keycloak account already exists.
>>
>> Do you see my understanding more clearly? (I'm sorry for my poor english)
>>
>> On Fri 22 Jan 2016 at 17:06, Bill Burke wrote:
>>
>>> Can you show me the actual crash? Stack trace? If the attribute is
>>> parsed correctly, you should be able to write a UsernameMapper to handle
>>> everything no?
>>>
>>> On 1/22/2016 11:00 AM, Jérôme Blanchard wrote:
>>>
>>> Yes exactly.
>>> But I also need to use this complex type attribute in the
>>> Endpoint.handleLoginResponse as the subjectNameID in order to avoid using
>>> the provided transient nameID; something like:
>>>
>>>     protected Response handleLoginResponse(String samlResponse,
>>>             SAMLDocumentHolder holder, ResponseType responseType, String relayState) {
>>>         try {
>>>             AssertionType assertion = AssertionUtil.getAssertion(responseType,
>>>                     realm.getPrivateKey());
>>>             SubjectType subject = assertion.getSubject();
>>>             SubjectType.STSubType subType = subject.getSubType();
>>>             NameIDType subjectNameID = (NameIDType) subType.getBaseID();
>>>             //Map notes = new HashMap<>();
>>>             // Only look for the persistent attribute when the IdP sent a transient NameID
>>>             if (subjectNameID.getFormat() != null &&
>>>                 subjectNameID.getFormat().toString().equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
>>>                 if (assertion.getAttributeStatements() != null) {
>>>                     for (AttributeStatementType attrStatement : assertion.getAttributeStatements()) {
>>>                         for (AttributeStatementType.ASTChoiceType choice : attrStatement.getAttributes()) {
>>>                             AttributeType attribute = choice.getAttribute();
>>>                             // Match by friendly name or by OID; literal-first equals() is null-safe
>>>                             // because FriendlyName is optional in SAML attributes
>>>                             if ("eduPersonTargetID".equals(attribute.getFriendlyName())
>>>                                     || "urn:oid:1.3.6.1.4.1.5923.1.1.1.10".equals(attribute.getName())) {
>>>                                 if (!attribute.getAttributeValue().isEmpty()) {
>>>                                     //TODO Use NameId of this attribute to replace subjectNameID
>>>                                 }
>>>                             }
>>>                         }
>>>                     }
>>>                 }
>>>             }
>>>             (...)
>>>         }
>>>     }
>>>
>>> Do you think I need to patch this class in order to allow this or do you
>>> think there is a way of integration in keycloak considering the shibboleth
>>> federation use case?
>>>
>>> Best regards, Jérôme.
>>>
>>> On Fri 22 Jan 2016 14:56, Bill Burke <bburke at redhat.com> wrote:
>>>
>>>> Can you spell out exactly what you need here as I'm not understanding.
>>>>
>>>> You need to support a complex attribute type? Is that it?
>>>>
>>>> On 1/22/2016 4:27 AM, Jérôme Blanchard wrote:
>>>>
>>>> Hi Bill, all,
>>>>
>>>> I succeeded in authenticating via the Shibboleth federation using the SAML IdP
>>>> but I encounter a problem.
>>>> One SAML attribute of our authentication response is not of type String
>>>> but a full NameID type (eduPersonTargetId) and makes the authentication
>>>> crash because of class BaseWriter which is not able to serialize an
>>>> attribute which is not a String (line 176).
>>>> If I avoid this test, authentication works well using the
>>>> UsernameTemplateMapper.
>>>> By the way, it does not solve the whole problem. The provider user id
>>>> and the provider user name store the SAML auth response nameid (and not an
>>>> attribute) which makes it impossible for the next IdP SAML session to use the same
>>>> keycloak account because of a change of this transient nameid...
>>>> Actually, I don't see another solution than rewriting another Identity
>>>> Provider based on Shibboleth attributes as a fork of the SAML provider but
>>>> including.
>>>> It will also allow me to include the Shibboleth Discovery Service
>>>> directly in keycloak instead of providing another webapp to ensure the
>>>> federation IdPs synchronization by periodically parsing the WAYF file.
>>>> I will also provide a small patch for the BaseWriter in order to allow
>>>> serialization of complex type attributes, except if you have in mind to do
>>>> so...
>>>>
>>>> Best regards, Jérôme.
>>>>
>>>> On Thu 14 Jan 2016 at 15:37, Jérôme Blanchard <jayblanc at gmail.com> wrote:
>>>>
>>>>> Thanks for your answer.
>>>>> In fact Shibboleth supports other SAML nameids but in the renater
>>>>> federation, it only contains transient nameids.
>>>>> Here is a part of their doc (sorry, it's in French):
>>>>>
>>>>> Using opaque user identifiers
>>>>>
>>>>> See the description of eduPersonTargetedID
>>>>>
>>>>> Your application may need to handle user identifiers whose value is stable from one session to the next, for example to manage user preferences. However, for personal data protection reasons, identity providers cannot pass you the users' identifiers. In that case, you can ask the identity providers to send you stable but opaque identifiers, called *eduPersonTargetedID*.
>>>>>
>>>>> You will need to configure the *AAP.xml* file of your Shibboleth service provider as shown below:
>>>>>
>>>>> The attribute will be available to the application in the HTTP header *HTTP_SHIB_TARGETEDID* (with Shibboleth 1.3). The format of the eduPersonTargetedID is: IdP_identifier*!*SP_identifier*!*user_identifier
>>>>>
>>>>> According to their doc, nameids are session based and not user based, so if you want a stable identifier, you have to ask for the eduPersonTargetedID attribute!!
>>>>> I'm going to have a look at UsernameTemplateMapper.
>>>>> Thanks again, Jérôme.
>>>>>
>>>>> On Thu, 14 Jan 2016 at 15:23, Bill Burke <bburke at redhat.com> wrote:
>>>>>
>>>>>> Shibboleth only supports transient name ids? I find that hard to believe. Remember Keycloak would just look like any other client. IMO you should go that route.
>>>>>>
>>>>>> Also though, I think you might be able to write a Broker Mapper, take a look at UsernameTemplateMapper. This SPI is undocumented and unsupported at the moment, but I hope to change that soon.
>>>>>>
>>>>>> On 1/14/2016 6:20 AM, Jérôme Blanchard wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> According to the shibboleth specification, IdPs of a federation usually use transient NameIDs, which makes Shibboleth impossible to interface with keycloak, even if we manage the Discovery Service externally in order to maintain the IdP list mapping between federation and keycloak.
>>>>>> It's really annoying for me and I'm trying to investigate a way to solve this problem.
>>>>>> In my federation, some docs say that if you need to manage personal user information in your application, you have to rely on a dedicated attribute in order to retrieve the real user id and not the transient opaque one. In this case, an attribute called eduPersonTargetedId exists and can be used by shibboleth.
>>>>>> I am trying to patch the saml broker in order to take this attribute into consideration in a kind of attributeToNameIdMapper, but I have to admit that I'm a bit lost in the code.
>>>>>> Do you think this approach is good?
>>>>>>
>>>>>> Best regards, Jérôme.
>>>>>>
>>>>>> On Wed, 6 Jan 2016 at 09:31, Jérôme Blanchard <jayblanc at gmail.com> wrote:
>>>>>>
>>>>>>> Hi Bill, all,
>>>>>>>
>>>>>>> In the case of a transient-only nameid, would it be possible to create a dedicated attribute mapper in order to use for example the email attribute as name identifier?
>>>>>>>
>>>>>>> PS: the urn:mace:shibboleth:1.0:nameIdentifier is in fact used in SAML v1 to request a nameid that is transient also... so there is no solution in this way.
>>>>>>>
>>>>>>> Best regards, Jérôme.
>>>>>>>
>>>>>>> On Tue, 5 Jan 2016 at 16:13, Bill Burke <bburke at redhat.com> wrote:
>>>>>>>
>>>>>>>> We won't be able to support temporary ids (transient) for awhile as it requires temporary user creation which requires some rearchitecting.
>>>>>>>>
>>>>>>>> As for "urn:mace:shibboleth:1.0:nameIdentifier", if you spec it out in a JIRA and it is simple enough to implement support for, we may be able to get it in.
>>>>>>>>
>>>>>>>> On 1/5/2016 8:18 AM, Jérôme Blanchard wrote:
>>>>>>>> > Hi Bill,
>>>>>>>> >
>>>>>>>> > Thanks for your answer regarding transient and temporary ids. I understand the problem due to keycloak account creation and binding to the IdP.
>>>>>>>> > Renater is using Shibboleth; is there any work on shibboleth integration for keycloak?
>>>>>>>> > If I look into the idp entity descriptors of renater, I found that it also uses another nameid format based on the shibboleth namespace:
>>>>>>>> >
>>>>>>>> > urn:mace:shibboleth:1.0:nameIdentifier
>>>>>>>> > urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>>>>>>>> >
>>>>>>>> > Do you think it is possible to patch the saml idp provider (or to create another one dedicated to shibboleth) in order to integrate keycloak into our identity federation (renater)?
>>>>>>>> >
>>>>>>>> > Best wishes for this upcoming year and thanks for your great work around keycloak.
>>>>>>>> >
>>>>>>>> > Jérôme.
>>>>>>>> >
>>>>>>>> > On Tue, 22 Dec 2015 at 21:10, Bill Burke <bburke at redhat.com> wrote:
>>>>>>>> >
>>>>>>>> > Our brokering doesn't support temporary user ids from the "parent" IDP. Transient Ids in SAML or temporary ids.
>>>>>>>> >
>>>>>>>> > On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:
>>>>>>>> > > Hi,
>>>>>>>> > >
>>>>>>>> > > I'm trying to integrate keycloak into the french research federation of identity (renater) and I'm facing some problems.
>>>>>>>> > > Actually, when the IdP responds to keycloak I'm getting the following error:
>>>>>>>> > > PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType
>>>>>>>> > >
>>>>>>>> > > It seems that this IdP is using the transient NameID policy only, and using the unspecified field in the idp config in keycloak generates this exception as a return.
>>>>>>>> > >
>>>>>>>> > > Log of the keycloak server is attached.
>>>>>>>> > >
>>>>>>>> > > I have no idea what is happening, because when I was using the test federation everything was working, but now I'm in the production federation, login fails.
>>>>>>>> > >
>>>>>>>> > > The renater federation is using Shibboleth and keycloak is not supported by the federation moderators, so I'm alone in the dark now...
>>>>>>>> > >
>>>>>>>> > > Renater provides an IdP list that I have to parse and synchronize with the IdPs in keycloak. In return I provide a list of all endpoints for each keycloak registered IdP to allow federation IdPs to answer correctly to the right endpoint. All of this is done by a small web app deployed beside keycloak and using the REST API to synchronize all the IdPs.
>>>>>>>> > >
>>>>>>>> > > One of the IdP entity descriptors is attached.
>>>>>>>> > > As you can see, only the transient nameid policy is supported, and if I configure keycloak to use email or persistent, I receive a response saying that the nameid is not supported:
>>>>>>>> > >
>>>>>>>> > > <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>>>>>>> > >     xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>>>>> > >     AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>>>>>>> > >     Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
>>>>>>>> > >     ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>>>>>>> > >     IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
>>>>>>>> > >     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>>>>>>> > >     Version="2.0">
>>>>>>>> > >   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang</saml:Issuer>
>>>>>>>> > >   <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
>>>>>>>> > > </samlp:AuthnRequest>
>>>>>>>> > >
>>>>>>>> > > <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>>>>>> > >     Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
>>>>>>>> > >     ID="_9d03761957aade819b6823c35bbab278"
>>>>>>>> > >     InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
>>>>>>>> > >     IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
>>>>>>>> > >   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp</saml2:Issuer>
>>>>>>>> > >   <saml2p:Status>
>>>>>>>> > >     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
>>>>>>>> > >       <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
>>>>>>>> > >     </saml2p:StatusCode>
>>>>>>>> > >     <saml2p:StatusMessage>Required NameID format not supported</saml2p:StatusMessage>
>>>>>>>> > >   </saml2p:Status>
>>>>>>>> > > </saml2p:Response>
>>>>>>>> > >
>>>>>>>> > > Any help would be gratefully appreciated.
>>>>>>>> > >
>>>>>>>> > > Thanks a lot, Jérôme.
>>>>>>>> > >
>>>>>>>> > > _______________________________________________
>>>>>>>> > > keycloak-user mailing list
>>>>>>>> > > keycloak-user at lists.jboss.org
>>>>>>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > Bill Burke
>>>>>>>> > JBoss, a division of Red Hat
>>>>>>>> > http://bill.burkecentral.com
>>>>>>>> > _______________________________________________
>>>>>>>> > keycloak-user mailing list
>>>>>>>> > keycloak-user at lists.jboss.org
>>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Burke
>>>>>>>> JBoss, a division of Red Hat
>>>>>>>> http://bill.burkecentral.com
>>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
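The branch Jérôme's snippet leaves as a TODO (when the subject NameID is transient, take the NameID carried inside the eduPersonTargetedID attribute instead) can be written stand-alone against the assertion XML. The following is an added example, not code from this thread or from Keycloak's SAML broker (which works on its own AssertionType objects rather than on a DOM). It assumes the assertion has already been signature-checked by the broker; the sample assertion, the hostnames in it and the names `StableSubjectId`, `resolve` and `SubjectId` are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Chooses an identifier that is stable across sessions from a (already verified) SAML 2.0 assertion. */
public class StableSubjectId {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    static final String FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    static final String EPTID_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"; // eduPersonTargetedID, as in the thread
    static final String EPTID_FRIENDLY = "eduPersonTargetedID";

    /** Identifier plus the qualifiers that scope it; all three together are the account link key. */
    public static final class SubjectId {
        public final String value, nameQualifier, spNameQualifier, source;
        SubjectId(Element nameId, String source) {
            this.value = nameId.getTextContent().trim();
            this.nameQualifier = nameId.getAttribute("NameQualifier");
            this.spNameQualifier = nameId.getAttribute("SPNameQualifier");
            this.source = source;
        }
        @Override public String toString() {
            return source + ": " + value + " (IdP=" + nameQualifier + ", SP=" + spNameQualifier + ")";
        }
    }

    /** Returns null when the assertion carries nothing that is safe to key an account on. */
    public static SubjectId resolve(String assertionXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);            // no entity expansion tricks
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD at all
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(assertionXml.getBytes(StandardCharsets.UTF_8)));
        Element assertion = doc.getDocumentElement();

        // 1. A non-transient subject NameID is usable as-is (same test as the broker snippet above).
        Element subject = child(assertion, "Subject");
        Element nameId = subject == null ? null : child(subject, "NameID");
        if (nameId != null && !FORMAT_TRANSIENT.equals(nameId.getAttribute("Format"))) {
            return new SubjectId(nameId, "subject NameID");
        }

        // 2. Transient (or missing) subject: fall back to eduPersonTargetedID, whose value is itself a NameID.
        NodeList attrs = assertion.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element attr = (Element) attrs.item(i);
            if (!EPTID_NAME.equals(attr.getAttribute("Name"))
                    && !EPTID_FRIENDLY.equals(attr.getAttribute("FriendlyName"))) {
                continue;
            }
            Element value = child(attr, "AttributeValue");
            Element eptid = value == null ? null : child(value, "NameID");
            // eduPersonTargetedID is defined as a persistent NameID; any other format is not a stable key.
            if (eptid != null && FORMAT_PERSISTENT.equals(eptid.getAttribute("Format"))
                    && !eptid.getTextContent().trim().isEmpty()) {
                return new SubjectId(eptid, "eduPersonTargetedID");
            }
        }
        return null; // caller should refuse to auto-link rather than bind the account to a transient id
    }

    /** First direct child element in the SAML assertion namespace with the given local name, or null. */
    private static Element child(Element parent, String localName) {
        NodeList kids = parent.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            if (kids.item(i) instanceof Element) {
                Element e = (Element) kids.item(i);
                if (SAML_NS.equals(e.getNamespaceURI()) && localName.equals(e.getLocalName())) return e;
            }
        }
        return null;
    }

    /** Constructed sample: transient subject plus a persistent eduPersonTargetedID, the renater situation. */
    static final String SAMPLE = ""
            + "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_a1\" Version=\"2.0\" IssueInstant=\"2016-01-25T10:00:00Z\">"
            + "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
            + "<saml:Subject><saml:NameID Format=\"" + FORMAT_TRANSIENT + "\">_7c0e9d2b</saml:NameID></saml:Subject>"
            + "<saml:AttributeStatement><saml:Attribute Name=\"" + EPTID_NAME + "\" FriendlyName=\"eduPersonTargetedID\">"
            + "<saml:AttributeValue><saml:NameID Format=\"" + FORMAT_PERSISTENT + "\""
            + " NameQualifier=\"https://idp.example.org/idp\" SPNameQualifier=\"https://sp.example.org/sp\">"
            + "3f1a9c2e5b7d</saml:NameID></saml:AttributeValue>"
            + "</saml:Attribute></saml:AttributeStatement></saml:Assertion>";

    public static void main(String[] args) throws Exception {
        System.out.println(resolve(SAMPLE));
    }
}
```

Two points the code makes that the thread's snippet does not: the identifier must be looked up together with NameQualifier and SPNameQualifier, because eduPersonTargetedID is scoped to one IdP/SP pair (the French doc above shows the same IdP!SP!user structure), and when neither a non-transient subject nor a persistent eduPersonTargetedID is present the result is null, so the broker can refuse to create or link an account instead of silently keying it on a value that changes at the next login.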
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160125/0042a467/attachment-0001.html
-------------- next part --------------
2016-01-25 22:50:46,152 ERROR [io.undertow.request] (default task-30) UT005023: Exception handling request to /auth/realms/ortolang/login-actions/first-broker-login: java.lang.RuntimeException: request path: /auth/realms/ortolang/login-actions/first-broker-login
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
        ... 29 more
Caused by: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext
        at org.keycloak.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:290)
        at org.keycloak.login.freemarker.FreeMarkerLoginFormsProvider.createIdpLinkConfirmLinkPage(FreeMarkerLoginFormsProvider.java:467)
        at org.keycloak.authentication.authenticators.broker.IdpConfirmLinkAuthenticator.authenticateImpl(IdpConfirmLinkAuthenticator.java:43)
        at org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:57)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:155)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97)
        at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:652)
        at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:301)
        at org.keycloak.services.resources.LoginActionsService.firstBrokerLogin(LoginActionsService.java:528)
        at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:487)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
        ... 37 more
Caused by: java.lang.ClassNotFoundException: org.keycloak.broker.provider.BrokeredIdentityContext from [Module "org.keycloak.keycloak-login-freemarker:main" from local module loader @1060b431 (finder: local module finder @612679d6 (roots: /applis/olauth/home/wildfly-9.0.1.Final/modules,/applis/olauth/home/wildfly-9.0.1.Final/modules/system/layers/base))]
        at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:205)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:455)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:404)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:385)
        at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:130)
        ... 57 more

From sthorger at redhat.com Tue Jan 26 05:43:27 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 26 Jan 2016 11:43:27 +0100
Subject: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario
In-Reply-To:
References:
Message-ID:

You can't.
Relative url uses the request url, and when it's using an internal IP address/domain that'll end up being the request url, which will be wrong in your case.

On 25 January 2016 at 23:27, Joe Strathern wrote:

> Stian,
>
> Thank you for the reply.
> While changing the auth-server-url to an absolute URL (http://external-hostname/auth) for all adapters allowed the token to be passed successfully, the relative URI optimization (http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization) for the auth-server-url is very important functionality I need access to.
> By leaving */auth* as the auth-server-url, I can access the secured resources by case-insensitive host name, host ip address, http vs https and more, all of which are lost by having to switch to an absolute URL.
>
> How can I retain the relative URL for auth-server-url, allowing my required external requests to pass through keycloak, while allowing the internal requests and hops to use the auth-server-url-for-backend-requests absolute URL to authenticate?
>
> Thanks,
> Joe
>
> On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen wrote:
>
>> You'd need to make sure all adapters are configured with the same.
>> http://external-hostname/auth needs to be the auth-server-url on all adapters.
>>
>> On 21 January 2016 at 23:00, Joe Strathern wrote:
>>
>>> Stian
>>> Thank you for your response.
>>> I am using your Wildfly adapter to secure my WAR. As it is contained in a cluster environment with a load balancing proxy, I updated my adapter to have the following settings, much like the example provided at http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization :
>>>
>>> {
>>>     ...
>>>     "auth-server-url": "/auth",
>>>     "auth-server-url-for-backend-requests": "http://internal-hostname/auth"
>>>     ...
>>> }
>>>
>>> The auth-server-url is still working as expected for the external request, however I am still getting the same 401 error, caused by the mismatching Token audience and Domain when I try to make the hop with my new HTTP request.
>>> As I'm using Keycloak 1.7.0.Final currently, I downloaded the source and debugged, looking for a bit more insight as to what may be occurring.
>>>
>>> I noticed that the URL Keycloak is retrieving to compare against the token is taken from the realmInfoUrl variable of the KeyCloakDeployment object. This variable is unaffected by the auth-server-url-for-backend-requests option. (Instead it affects numerous other URL variables stored). Therefore, the realmInfoURL remains http://external-hostname/auth.
>>>
>>> Then the error occurs as (in this case) the RSATokenVerifier directly compares this Realm URL against the Token Issuer, which differ due to hostname (external vs internal, as before).
>>>
>>> Is there an additional configuration, or concept I am missing to correct this workflow?
>>>
>>> Thanks,
>>> Joe
>>>
>>> On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen wrote:
>>>
>>>> Assuming you are using our adapters there are two separate urls to configure: "auth-server-url" is the external one, auth-server-url-for-backend-requests is the internal one. See http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config for more details.
>>>>
>>>> On 19 January 2016 at 22:20, Joe Strathern wrote:
>>>>
>>>>> Hello Keycloak Community
>>>>>
>>>>> I am looking for some assistance on how to pass a Keycloak bearer token in the multi-hop scenario, where the keycloak instance is inside a proxy environment, the next hop is within the proxy, and the original request came from outside of that environment.
>>>>>
>>>>> For instance, the original request goes to http://external-hostname/auth, where external-hostname is a proxy system. Login is successful, and I receive a Bearer Token with Token issuer - http://external-hostname/auth/realms/My_Realm.
>>>>>
>>>>> Now I need to take that token from the HTTP request, and attach it to a new request from inside the proxy. I do so, redirecting to http://interior-hostname/API, secured by the same Keycloak. Using "external-hostname" as host once more is not an option, as we are within the proxied environment. However, submitting the hop HTTP request, I am met with the error:
>>>>>
>>>>> *Failed to verify token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://external-hostname/auth/realms/My_Realm, but URL from configuration is http://internal-hostname/auth/realms/My_Realm*
>>>>>
>>>>> The token is rejected (since the hostnames are not exactly the same), however external-hostname and internal-hostname are the same machine.
>>>>>
>>>>> Is there a way that Keycloak can identify these hostnames as equivalent to accept the token, or another policy that should be followed in this situation?
>>>>>
>>>>> Thanks,
>>>>> Joe
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
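Stian's point about relative URLs can be seen in a few lines. The following is an added example, not Keycloak adapter code: it models the behaviour the thread describes (a relative auth-server-url is resolved against the URL of the request being handled, the realm path is appended, and the result is compared as a string with the token's issuer) using java.net.URI. The class and method names, the request URLs and the realm name are constructed for the illustration; the hostnames and the issuer string are the ones from Joe's error message.

```java
import java.net.URI;

/** Why a relative auth-server-url gives a different expected issuer on each hop of a multi-hop request. */
public class IssuerCheckDemo {

    /**
     * Expected issuer for one request: auth-server-url resolved against the request URL (a relative
     * value takes scheme and host from the request, an absolute value is used unchanged), plus the realm path.
     */
    static String expectedIssuer(String requestUrl, String authServerUrl, String realm) {
        URI base = URI.create(requestUrl).resolve(authServerUrl);
        String s = base.toString();
        if (s.endsWith("/")) s = s.substring(0, s.length() - 1);
        return s + "/realms/" + realm;
    }

    /**
     * Exact string comparison, as the error message in the thread shows; no host aliasing.
     * The check binds the token to the one issuer this adapter trusts, so loosening it to treat
     * "equivalent" hostnames alike would also admit tokens from any realm reachable under another name.
     */
    static boolean issuerAccepted(String tokenIssuer, String requestUrl, String authServerUrl, String realm) {
        return tokenIssuer.equals(expectedIssuer(requestUrl, authServerUrl, realm));
    }

    public static void main(String[] args) {
        // Issuer stamped into the token at login, which went through the external proxy name.
        String iss = "http://external-hostname/auth/realms/My_Realm";

        // Hop 1: the request arrives on the external name, so "/auth" resolves to the same host: accepted.
        System.out.println(issuerAccepted(iss, "http://external-hostname/app/", "/auth", "My_Realm"));

        // Hop 2: the app calls the interior API by its internal name; "/auth" now resolves to
        // http://internal-hostname/auth, so the expected issuer differs and the token is rejected (the 401).
        System.out.println(expectedIssuer("http://internal-hostname/API", "/auth", "My_Realm"));
        System.out.println(issuerAccepted(iss, "http://internal-hostname/API", "/auth", "My_Realm"));

        // Stian's fix: an absolute auth-server-url resolves the same way on every hop.
        System.out.println(issuerAccepted(iss, "http://internal-hostname/API", "http://external-hostname/auth", "My_Realm"));
    }
}
```

The third call prints true because `URI.resolve` leaves an absolute URL untouched, which is exactly why configuring the same absolute auth-server-url on every adapter makes the issuer check pass on the interior hop; the model is deliberately simpler than the adapter's real URL handling and only reproduces the mechanism Stian names.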
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160126/98829a41/attachment.html

From ornot2008 at yahoo.com Tue Jan 26 05:54:53 2016
From: ornot2008 at yahoo.com (Mai Zi)
Date: Tue, 26 Jan 2016 10:54:53 +0000 (UTC)
Subject: [keycloak-user] About "HTTP-POST Binding for AuthnReques" option
References: <1276462731.286181.1453805693336.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1276462731.286181.1453805693336.JavaMail.yahoo@mail.yahoo.com>

In the Identity Provider Settings page, there is the option "HTTP-POST Binding for AuthnRequest". When I switch this option, in the exported xml the value of Binding for SingleLogoutService and AssertionConsumerService is changed between HTTP-Redirect and HTTP-POST like this:

I don't understand this because I think this binding method should be controlled by the "HTTP-POST Binding Response" option. What do I misunderstand?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160126/77b58a67/attachment.html

From juraci at kroehling.de Tue Jan 26 11:09:30 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Tue, 26 Jan 2016 17:09:30 +0100
Subject: [keycloak-user] ZipException: Unsupported compression method
Message-ID: <56A79A3A.5080705@kroehling.de>

We are seeing this exception "from time to time" in the logs. Unfortunately, I don't have much information about it, as I couldn't reproduce it consistently (yet), but perhaps someone has also seen this before? We are using KC 1.8.0.CR1.
http://fpaste.org/314926/45382345/

ERROR [stderr] (default task-62) java.util.zip.ZipException: Unsupported compression method
ERROR [stderr] (default task-62)        at java.util.zip.GZIPInputStream.readHeader(GZIPInputStream.java:169)
ERROR [stderr] (default task-62)        at java.util.zip.GZIPInputStream.<init>(GZIPInputStream.java:79)
ERROR [stderr] (default task-62)        at java.util.zip.GZIPInputStream.<init>(GZIPInputStream.java:91)
ERROR [stderr] (default task-62)        at org.keycloak.common.util.Base64.decode(Base64.java:1274)
ERROR [stderr] (default task-62)        at org.keycloak.common.util.Base64.decode(Base64.java:1224)
ERROR [stderr] (default task-62)        at org.keycloak.common.util.Base64Url.decode(Base64Url.java:35)
ERROR [stderr] (default task-62)        at org.keycloak.jose.jws.JWSInput.<init>(JWSInput.java:35)
ERROR [stderr] (default task-62)        at org.keycloak.RSATokenVerifier.toAccessToken(RSATokenVerifier.java:52)
ERROR [stderr] (default task-62)        at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:22)
ERROR [stderr] (default task-62)        at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:18)

- Juca.

From peterson.dean at gmail.com Tue Jan 26 12:40:10 2016
From: peterson.dean at gmail.com (Dean Peterson)
Date: Tue, 26 Jan 2016 11:40:10 -0600
Subject: [keycloak-user] mongodb 3.0 scram-sha security
Message-ID:

Does keycloak v1.3.1 support mongodb 3.0 and its new default scram-sha security? If not, do later versions support it?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160126/c930b21f/attachment-0001.html

From peterson.dean at gmail.com Tue Jan 26 12:53:20 2016
From: peterson.dean at gmail.com (Dean Peterson)
Date: Tue, 26 Jan 2016 11:53:20 -0600
Subject: [keycloak-user] mongodb 3.0 scram-sha security
In-Reply-To:
References:
Message-ID:

I can see the DefaultMongoConnectionFactoryProvider hard codes the old mongocr security:

    MongoCredential credential = MongoCredential.createMongoCRCredential(user, dbName, password.toCharArray());
    client = new MongoClient(new ServerAddress(host, port), Collections.singletonList(credential), clientOptions);
} else {
    client = new MongoClient(new ServerAddress(host, port), clientOptions);
}

It should be using:

MongoCredential credential = MongoCredential.createScramSha1Credential(
        System.getProperty("mongouser"),
        System.getProperty("mongodatabase"),
        System.getProperty("mongopassword").toCharArray());

On Tue, Jan 26, 2016 at 11:40 AM, Dean Peterson wrote:

> Does keycloak v1.3.1 support mongodb 3.0 and its new default scram-sha security? If not, do later versions support it?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160126/ffba1914/attachment.html

From charles at dazen.com.br Tue Jan 26 13:16:21 2016
From: charles at dazen.com.br (Charles Que iroz)
Date: Tue, 26 Jan 2016 15:16:21 -0300
Subject: [keycloak-user] Logout problems
Message-ID: <2A757039-5463-43D0-9416-9D36DA2C8C91@dazen.com.br>

Hi Folks!

I have a little problem with logout on keycloak (version: 1.8.0.RC3). I have a Java EE 7 application + AngularJS, and a REST API. When I put the logout URL like:

<a href="https://ssoserver.dazen.com.br:8443/auth/realms/dazen/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fapp-service" translate>ADMIN.TOOLBAR.LOGOUT</a>

in an html tag, the session is logged out on Keycloak, but the JSESSIONID in cookie storage is not cleared. See:

In the keycloak server the session is destroyed, but in the browser it is not.

How can I make this logout work correctly?

Kind regards,

Charles Queiroz
Dazen
IT Services
Technology - Software Development
charles at dazen.com.br
Fortaleza - CE
Phone: +55 85 9933 1585
Twitter: @CharlesQueiiroz

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160126/2c5daf69/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RSHolmes.png
Type: image/png
Size: 60565 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160126/2c5daf69/attachment-0001.png

From mposolda at redhat.com Tue Jan 26 15:30:11 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 26 Jan 2016 21:30:11 +0100
Subject: [keycloak-user] mongodb 3.0 scram-sha security
In-Reply-To:
References:
Message-ID: <56A7D753.4010500@redhat.com>

Hi,

could you please create JIRA for this?

Thanks,
Marek

On 26/01/16 18:53, Dean Peterson wrote:
> I can see the DefaultMongoConnectionFactoryProvider hard codes the old mongocr security:
>
>     MongoCredential credential = MongoCredential.createMongoCRCredential(user, dbName, password.toCharArray());
>     client = new MongoClient(new ServerAddress(host, port), Collections.singletonList(credential), clientOptions);
> } else {
>     client = new MongoClient(new ServerAddress(host, port), clientOptions);
> }
>
> It should be using:
> MongoCredential credential = MongoCredential.createScramSha1Credential(
>         System.getProperty("mongouser"),
>         System.getProperty("mongodatabase"),
>         System.getProperty("mongopassword").toCharArray());
>
> On Tue, Jan 26, 2016 at 11:40 AM, Dean Peterson wrote:
>
>     Does keycloak v1.3.1 support mongodb 3.0 and its new default scram-sha security? If not, do later versions support it?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160126/ad28b27f/attachment.html

From mposolda at redhat.com Tue Jan 26 15:32:53 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 26 Jan 2016 21:32:53 +0100
Subject: [keycloak-user] Logout problems
In-Reply-To: <2A757039-5463-43D0-9416-9D36DA2C8C91@dazen.com.br>
References: <2A757039-5463-43D0-9416-9D36DA2C8C91@dazen.com.br>
Message-ID: <56A7D7F5.6030406@redhat.com>

Hi,

I think you need to configure the "admin URL" in the admin console for the client corresponding to your Java EE 7 frontend application. See our example demo applications for how it's configured (customer-portal, product-portal, ...)

Marek

On 26/01/16 19:16, Charles Queiroz wrote:
> Hi Folks!
>
> I have a little problem with logout on keycloak (version: 1.8.0.RC3). I have a Java EE 7 application + AngularJS, and a REST API. When I put the logout URL like:
>
> <a href="https://ssoserver.dazen.com.br:8443/auth/realms/dazen/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fapp-service" translate>ADMIN.TOOLBAR.LOGOUT</a>
>
> in an html tag, the session is logged out on Keycloak, but the *JSESSIONID* in cookie storage is not cleared.
>
> See:
>
> In the keycloak server the session is destroyed, but in the browser it is not.
>
> How can I make this logout work correctly?
>
> Regards,
>
> *Charles Queiroz*
>
> ------------------------------------------------------------------------
>
> *Dazen IT Services*
> *Technology - Software Development*
> charles at dazen.com.br
> Fortaleza - CE
> Phone: +55 85 9933 1585
>
> Twitter: @CharlesQueiiroz

From mposolda at redhat.com Tue Jan 26 15:39:59 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 26 Jan 2016 21:39:59 +0100
Subject: [keycloak-user] Accessing Google OAuth tokens when using Keycloak
In-Reply-To: <74FA1AA4-E928-4DF8-864B-4CEA0E081252@carbonite.com>
References: <74FA1AA4-E928-4DF8-864B-4CEA0E081252@carbonite.com>
Message-ID: <56A7D99F.5070308@redhat.com>

This is possible. If you select the "Store tokens" flag for the Google identity provider in the keycloak admin console, the Google access token will be stored in the Keycloak database (in your step 5). Then you can send a request from your application to a special Keycloak REST endpoint, which will return you the Google access token, and you can use it in your application. You need to secure this REST request with the Keycloak access token returned to your app. We even have an example for that, but it's not part of the example distribution.
See: https://github.com/keycloak/keycloak/tree/master/examples/broker/google-authentication

There are also some docs for that: http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#d4e2177

Marek

On 25/01/16 20:40, Reed Lewis wrote:
> First: Thanks for a great, well designed solution. Keycloak looks like it is going to do exactly what we need.
>
> I do have a question though. If we use Google as an identity provider, is there a way to "piggyback" on that authentication to be able to retrieve a token for accessing Google Drive contents, for example, without the user having to log in again?
>
> Here is my workflow:
>
> 1. User goes to our webserver.
> 2. User is presented a login page from Keycloak
> 3. User clicks Google
> 4. User logs into Google
> 5. User is redirected back to Keycloak's webpage
> 6. User is redirected back to our webserver.
>
> Now what we also want to do is use the workflow documented here: https://developers.google.com/identity/protocols/OAuth2WebServer?hl=en to get a token for Google Drive access.
>
> Is this possible? Or am I doing something wrong? Or am I going about this the wrong way? We need to authenticate the user in our Keycloak, but we also want to let the user's application directly access the user's Google Drive data.
>
> Thank you.
>
> Reed Lewis

From DSzeto at investlab.com Tue Jan 26 20:51:10 2016
From: DSzeto at investlab.com (Doug Szeto)
Date: Wed, 27 Jan 2016 01:51:10 +0000
Subject: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario
In-Reply-To:
References:
Message-ID:

+1 Joe's request.
In larger deployments with reverse proxies, we control the request url and hostname and ip visible to the keycloak server, so internal IP address concerns are less of an issue.

From: on behalf of Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Tuesday, January 26, 2016 at 6:43 PM
To: Joe Strathern
Cc: keycloak-user
Subject: Re: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario

You can't. Relative url uses the request url, and when it's using an internal IP address/domain that'll end up being the request url, which will be wrong in your case.

On 25 January 2016 at 23:27, Joe Strathern wrote:

Stian,

Thank you for the reply.
While changing the auth-server-url to an absolute URL (http://external-hostname/auth) for all adapters allowed the token to be passed successfully, the relative URI optimization (http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization) for the auth-server-url is very important functionality I need access to. By leaving /auth as the auth-server-url, I can access the secured resources by case-insensitive host name, host ip address, http vs https and more, all of which are lost by having to switch to an absolute URL.

How can I retain the relative URL for auth-server-url, allowing my required external requests to pass through keycloak, while allowing the internal requests and hops to use the auth-server-url-for-backend-requests absolute URL to authenticate?

Thanks,
Joe

On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen wrote:

You'd need to make sure all adapters are configured with the same. http://external-hostname/auth needs to be the auth-server-url on all adapters.

On 21 January 2016 at 23:00, Joe Strathern wrote:

Stian
Thank you for your response.
I am using your Wildfly adapter to secure my WAR.
As it is contained in a cluster environment with a load balancing proxy, I updated my adapter to have the following settings, much like the example provided at http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization :

    {
        ...
        "auth-server-url": "/auth",
        "auth-server-url-for-backend-requests": "http:/internal-hostname/auth",
        ...
    }

The auth-server-url is still working as expected for the external request, however I am still getting the same 401 error, caused by the mismatching Token audience and Domain when I try to make the hop with my new HTTP request.
As I'm using Keycloak 1.7.0.Final currently, I downloaded the source and debugged, looking for a bit more insight as to what may be occurring.

I noticed that the URL Keycloak is retrieving to compare against the token is retrieved from the realmInfoUrl variable of the KeyCloakDeployment object. This variable is unaffected by the auth-server-url-for-backend-requests option. (Instead it affects numerous other URL variables stored). Therefore, the realmInfoURL remains http://external-hostname/auth.

Then the error occurs as (in this case), the RSATokenVerifier directly compares this Realm URL against the Token Issuer, which differ due to hostname (external vs internal, as before).

Is there an additional configuration, or concept I am missing to correct this workflow?

Thanks,
Joe

On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen wrote:

Assuming you are using our adapters there are two separate urls to configure: "auth-server-url" is the external one, auth-server-url-for-backend-requests is the internal one. See http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config for more details.
On 19 January 2016 at 22:20, Joe Strathern wrote:

Hello Keycloak Community

I am looking for some assistance on how to pass a Keycloak bearer token in the multi-hop scenario, where the keycloak instance is inside a proxy environment, the next hop is within the proxy, and the original request came from outside of that environment.

For instance, the original request goes to http://external-hostname/auth, where external-hostname is a proxy system. Login is successful, and I receive a Bearer Token with Token issuer - http://external-hostname/auth/realms/My_Realm.

Now I need to take that token from the HTTP request, and attach it to a new request from inside the proxy. I do so, redirecting to http://interior-hostname/API, secured by the same Keycloak. Using "external-hostname" as host once more is not an option, as we are within the proxied environment. However, submitting the hop HTTP request, I am met with the error:

    Failed to verify token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://external-hostname/auth/realms/My_Realm, but URL from configuration is http://internal-hostname/auth/realms/My_Realm

The token is rejected (since the hostnames are not the exact same), however external-hostname and internal-hostname are the same machine.

Is there a way that Keycloak can identify these hostnames as equivalent to accept the token, or another policy that should be followed in this situation?

Thanks,
Joe
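The rejection quoted in this thread comes from an exact comparison of the token's issuer with the realm URL the adapter builds from its configured auth-server-url. As an added example that is not Keycloak's code, the following constructed verifier models that check: a relative auth-server-url is completed from the incoming request URL (so the second, internal hop resolves to the internal host), while an absolute URL is used as configured. It signs the demo token with HS256 so it runs offline (Keycloak realm tokens are RS256); the function names, the key and the hostnames are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit


class VerificationException(Exception):
    """Stand-in (hypothetical) for org.keycloak.common.VerificationException."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint a compact JWS for the demo. HS256 is used so the example runs offline;
    Keycloak realm tokens are RS256, but the issuer check below is the same."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def resolve_auth_server_url(auth_server_url: str, request_url: str) -> str:
    """Model the relative URI optimization: a relative auth-server-url ("/auth") is
    completed from the scheme and host of the incoming request, so one adapter
    config resolves to the external host on the first hop and to the internal
    host on the second. An absolute URL is used exactly as configured."""
    if auth_server_url.startswith("/"):
        req = urlsplit(request_url)
        return f"{req.scheme}://{req.netloc}{auth_server_url}"
    return auth_server_url


def realm_info_url(auth_server_url: str, request_url: str, realm: str) -> str:
    """The value the verifier expects in the token's iss claim."""
    base = resolve_auth_server_url(auth_server_url, request_url).rstrip("/")
    return f"{base}/realms/{realm}"


def verify_token(token: str, key: bytes, auth_server_url: str,
                 request_url: str, realm: str, now=None) -> dict:
    """Check signature, expiry and issuer; return the claims on success. The
    issuer test is an exact string comparison, which is why an external and an
    internal hostname for the same machine are not interchangeable."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise VerificationException("Malformed token") from None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Signature first: nothing in the payload is trusted before this passes.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise VerificationException("Invalid token signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise VerificationException("Token is expired")
    expected_iss = realm_info_url(auth_server_url, request_url, realm)
    if claims.get("iss") != expected_iss:
        raise VerificationException(
            f"Token audience doesn't match domain. Token issuer is "
            f"{claims.get('iss')}, but URL from configuration is {expected_iss}"
        )
    return claims


def check(token, key, auth_server_url, request_url, realm, now=None) -> str:
    """Return 'accepted' or 'rejected: <reason>' so outcomes can be compared."""
    try:
        verify_token(token, key, auth_server_url, request_url, realm, now)
        return "accepted"
    except VerificationException as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed; stands in for the realm key
    token = make_token({"iss": "http://external-hostname/auth/realms/My_Realm",
                        "sub": "joe", "exp": int(time.time()) + 300}, KEY)
    for cfg, hop in [("/auth", "http://external-hostname/app"),          # first hop
                     ("/auth", "http://internal-hostname/API"),          # second hop
                     ("http://external-hostname/auth", "http://internal-hostname/API")]:
        print(f"auth-server-url={cfg!r} request={hop} -> "
              f"{check(token, KEY, cfg, hop, 'My_Realm')}")
```

The third scenario is the configuration Stian describes: with the same absolute auth-server-url on every adapter, the expected issuer no longer depends on which hostname the request arrived on.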
From sthorger at redhat.com Wed Jan 27 03:59:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 27 Jan 2016 09:59:56 +0100
Subject: [keycloak-user] mongodb 3.0 scram-sha security
In-Reply-To: <56A7D753.4010500@redhat.com>
References: <56A7D753.4010500@redhat.com>
Message-ID:

Even better a PR as well ;)

On 26 January 2016 at 21:30, Marek Posolda wrote:
> Hi,
>
> could you please create JIRA for this?
>
> Thanks,
> Marek
>
> On 26/01/16 18:53, Dean Peterson wrote:
>
> I can see the DefaultMongoConnectionFactoryProvider hard codes the old mongocr security:
>
>     MongoCredential credential = MongoCredential.createMongoCRCredential(user, dbName, password.toCharArray());
>     client = new MongoClient(new ServerAddress(host, port), Collections.singletonList(credential), clientOptions);
>     } else {
>     client = new MongoClient(new ServerAddress(host, port), clientOptions);
>     }
>
> It should be using:
>
>     MongoCredential credential = MongoCredential.createScramSha1Credential(
>             System.getProperty("mongouser"),
>             System.getProperty("mongodatabase"),
>             System.getProperty("mongopassword").toCharArray());
>
> On Tue, Jan 26, 2016 at 11:40 AM, Dean Peterson wrote:
>
>> Does keycloak v1.3.1 support mongodb 3.0 and its new default scram-sha security? If not, do later versions support it?
From sthorger at redhat.com Wed Jan 27 05:08:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 27 Jan 2016 11:08:31 +0100
Subject: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario
In-Reply-To:
References:
Message-ID:

It can't be done. What you are asking for is that the adapter, when receiving the request on the internal IP, is somehow going to be able to resolve the relative auth-server-url which is using the external domain. Unless you tell it what the external domain is it won't know.

On 27 January 2016 at 02:51, Doug Szeto wrote:
> +1 Joe's request.
> In larger deployments with reverse proxies, we control the request url and hostname and ip visible to the keycloak server, so internal IP address concerns are less of an issue.
>
> From: on behalf of Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Tuesday, January 26, 2016 at 6:43 PM
> To: Joe Strathern
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario
>
> You can't. Relative url uses the request url, and when it's using an internal IP address/domain that'll end up being the request url, which will be wrong in your case.
>
> On 25 January 2016 at 23:27, Joe Strathern wrote:
>
>> Stian,
>>
>> Thank you for the reply.
>> While changing the auth-server-url to an absolute URL (http://external-hostname/auth) for all adapters allowed the token to be passed successfully, the relative URI optimization (http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization) for the auth-server-url is very important functionality I need access to.
>> By leaving */auth* as the auth-server-url, I can access the secured resources by case-insensitive host name, host ip address, http vs https and more, all of which are lost by having to switch to an absolute URL.
>>
>> How can I retain the relative URL for auth-server-url, allowing my required external requests to pass through keycloak, while allowing the internal requests and hops to use the auth-server-url-for-backend-requests absolute URL to authenticate?
>>
>> Thanks,
>> Joe
>>
>> On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen wrote:
>>
>>> You'd need to make sure all adapters are configured with the same. http://external-hostname/auth needs to be the auth-server-url on all adapters.
>>>
>>> On 21 January 2016 at 23:00, Joe Strathern wrote:
>>>
>>>> Stian
>>>> Thank you for your response.
>>>> I am using your Wildfly adapter to secure my WAR. As it is contained in a cluster environment with a load balancing proxy, I updated my adapter to have the following settings, much like the example provided at http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization :
>>>>
>>>>     {
>>>>         ...
>>>>         "auth-server-url": "/auth",
>>>>         "auth-server-url-for-backend-requests": "http:/internal-hostname/auth",
>>>>         ...
>>>>     }
>>>>
>>>> The auth-server-url is still working as expected for the external request, however I am still getting the same 401 error, caused by the mismatching Token audience and Domain when I try to make the hop with my new HTTP request.
>>>> As I'm using Keycloak 1.7.0.Final currently, I downloaded the source and debugged, looking for a bit more insight as to what may be occurring.
>>>>
>>>> I noticed that the URL Keycloak is retrieving to compare against the token is retrieved from the realmInfoUrl variable of the KeyCloakDeployment object. This variable is unaffected by the auth-server-url-for-backend-requests option. (Instead it affects numerous other URL variables stored).
>>>> Therefore, the realmInfoURL remains http://external-hostname/auth.
>>>>
>>>> Then the error occurs as (in this case), the RSATokenVerifier directly compares this Realm URL against the Token Issuer, which differ due to hostname (external vs internal, as before).
>>>>
>>>> Is there an additional configuration, or concept I am missing to correct this workflow?
>>>>
>>>> Thanks,
>>>> Joe
>>>>
>>>> On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen wrote:
>>>>
>>>>> Assuming you are using our adapters there are two separate urls to configure: "auth-server-url" is the external one, auth-server-url-for-backend-requests is the internal one. See http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config for more details.
>>>>>
>>>>> On 19 January 2016 at 22:20, Joe Strathern wrote:
>>>>>
>>>>>> Hello Keycloak Community
>>>>>>
>>>>>> I am looking for some assistance on how to pass a Keycloak bearer token in the multi-hop scenario, where the keycloak instance is inside a proxy environment, the next hop is within the proxy, and the original request came from outside of that environment.
>>>>>>
>>>>>> For instance, the original request goes to http://external-hostname/auth, where external-hostname is a proxy system. Login is successful, and I receive a Bearer Token with Token issuer - http://external-hostname/auth/realms/My_Realm.
>>>>>>
>>>>>> Now I need to take that token from the HTTP request, and attach it to a new request from inside the proxy. I do so, redirecting to http://interior-hostname/API, secured by the same Keycloak. Using "external-hostname" as host once more is not an option, as we are within the proxied environment. However, submitting the hop HTTP request, I am met with the error:
>>>>>>
>>>>>> *Failed to verify token: org.keycloak.common.VerificationException: Token audience doesn't match domain.
>>>>>> Token issuer is http://external-hostname/auth/realms/My_Realm, but URL from configuration is http://internal-hostname/auth/realms/My_Realm*
>>>>>>
>>>>>> The token is rejected (since the hostnames are not the exact same), however external-hostname and internal-hostname are the same machine.
>>>>>>
>>>>>> Is there a way that Keycloak can identify these hostnames as equivalent to accept the token, or another policy that should be followed in this situation?
>>>>>>
>>>>>> Thanks,
>>>>>> Joe

From sthorger at redhat.com Wed Jan 27 05:17:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 27 Jan 2016 11:17:25 +0100
Subject: [keycloak-user] Realm Certificate from commercial Vendors
In-Reply-To: <1319101580.639569.1453719020394.JavaMail.yahoo@mail.yahoo.com>
References: <646083569.7053352.1453404198204.JavaMail.yahoo.ref@mail.yahoo.com> <646083569.7053352.1453404198204.JavaMail.yahoo@mail.yahoo.com> <1319101580.639569.1453719020394.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

We don't support uploading the realm keys through the admin console at the moment. However, you should be able to use the admin endpoints to manually set it. Should be relatively easy to add though, so you can create a JIRA to request it, but you're actually the first to request it.

With regards to clients we don't have an elegant way to deal with this.
What we have is: if the public key is not specified in the client config it will download it from Keycloak at startup, so if you restart your clients after creating new keys it should work. Ideally Keycloak should send a message to the clients to notify them that the keys have changed so they can re-fetch from Keycloak, but that hasn't been implemented yet. Again, feel free to request that.

On 25 January 2016 at 11:50, Raghuram Prabhala wrote:
> Dev team - any comments on the commercial certificates instead of the ones created by Keycloak?
>
> Raghu
>
> ------------------------------
> *From:* Raghuram Prabhala
> *To:* Keycloak-user
> *Sent:* Thursday, January 21, 2016 2:23 PM
> *Subject:* Realm Certificate from commercial Vendors
>
> I have a question about the Certificate/private key which is generated today by Keycloak. But rather than use that certificate, is there any way we can use a commercial Certificate from Vendors like Verisign? When that certificate expires, how do we generate/upload a new certificate (lifecycle) and handle the switch over to a new certificate with minimal impact to any of the clients who will have to download the new certificate and use it when KC starts using the new one?

From sthorger at redhat.com Wed Jan 27 05:19:07 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 27 Jan 2016 11:19:07 +0100
Subject: [keycloak-user] Is there a REST Admin API to initiate the Reset Password flow?
In-Reply-To:
References:
Message-ID:

There is in the admin endpoints, but nothing that's available to end-users.
On 22 January 2016 at 06:45, Lohitha Chiranjeewa wrote:
> Hi,
>
> There are a few clients of ours who use the Direct Grants API to authenticate their users. A requirement has come up to provide the Reset Password flow to those clients. From what I've checked and gathered, there's no REST API to initiate this flow (sending the Keycloak password reset email + resetting the password through the UI); the only way to do it is through the browser.
>
> If it's actually there somewhere, can someone point me to it?
>
> Regards,
> Lohitha.

From Edgar at info.nl Wed Jan 27 07:25:29 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 27 Jan 2016 12:25:29 +0000
Subject: [keycloak-user] Cannot create user in LDAP/AD from Keycloak using Full Name User Federation Mapper - CN is empty
Message-ID: <4CD4C082-4A49-4458-AF90-2DC0BA9CE833@info.nl>

Hi,

I would like to use the Full Name User Federation Mapper to set the CN attribute in Active Directory from Keycloak. If I am not mistaken this is currently not possible in Keycloak because on creation of the user the only thing that is available is the username and no other user attributes (see UserFederationManager#addUser(RealmModel realm, String username)).

Since the CN is mandatory it needs to be set during creation of the user object in AD (and in any LDAP server).
With our current configuration with the Full Name mapper enabled and configured to map to the CN attribute we cannot create users from Keycloak since the full name (as well as the first and last name) and hence the CN are still empty on user creation:

    10:03:56,246 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-5) Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]: org.keycloak.models.ModelException: Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]
        at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:425)
        at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:75)
        at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:50)
        at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:154)
        at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:56)
        at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:48)
        at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:190)

If I am not mistaken the way Keycloak creates users is by first creating an "empty" user with only the username set and after that the user is updated with all user attributes like firstname, last name, email etc.

The only workaround we can find is to add an attribute mapper that maps the Keycloak username field to the CN LDAP/AD attribute. This works ok but it is different from how AD treats the CN, which is as the full name and not the user name.

Shall I create a JIRA issue for this?

cheers
From mposolda at redhat.com Wed Jan 27 07:38:18 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 27 Jan 2016 13:38:18 +0100
Subject: [keycloak-user] Cannot create user in LDAP/AD from Keycloak using Full Name User Federation Mapper - CN is empty
In-Reply-To: <4CD4C082-4A49-4458-AF90-2DC0BA9CE833@info.nl>
References: <4CD4C082-4A49-4458-AF90-2DC0BA9CE833@info.nl>
Message-ID: <56A8BA3A.6010100@redhat.com>

Yes, feel free to create JIRA for that.

You're right. There is a limitation that at registration time, just the username is available to the LDAP federation provider. However it should be possible to handle this in the mapper. Either we can create a new mapper or add an option to the current FullNameMapper so that it will use the username as a fallback if the full name is not yet available. LDAP doesn't have an issue with renaming the CN in a later phase. This mapper shouldn't be hard to do, hopefully I can do it even in the 1.9 or 1.10 release (not like your previous request for password history, which is a bit more tricky :) )

For Keycloak 2.X we plan some refactoring of the federation SPI and user management. So hopefully we can handle it more properly and have all attributes available even during federation registration.

Marek

On 27/01/16 13:25, Edgar Vonk - Info.nl wrote:
> Hi,
>
> I would like to use the Full Name User Federation Mapper to set the CN attribute in Active Directory from Keycloak. If I am not mistaken this is currently not possible in Keycloak because on creation of the user the only thing that is available is the username and no other user attributes (see UserFederationManager#addUser(RealmModel realm, String username)).
>
> Since the CN is mandatory it needs to be set during creation of the user object in AD (and in any LDAP server).
> With our current configuration with the Full Name mapper enabled and configured to map to the CN attribute we cannot create users from Keycloak since the full name (as well as the first and last name) and hence the CN are still empty on user creation:
>
>     10:03:56,246 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-5) Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]: org.keycloak.models.ModelException: Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]
>         at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:425)
>         at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:75)
>         at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:50)
>         at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:154)
>         at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:56)
>         at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:48)
>         at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:190)
>
> If I am not mistaken the way Keycloak creates users is by first creating an "empty" user with only the username set and after that the user is updated with all user attributes like firstname, last name, email etc.
>
> The only workaround we can find is to add an attribute mapper that maps the Keycloak username field to the CN LDAP/AD attribute. This works ok but it is different from how AD treats the CN, which is as the full name and not the user name.
>
> Shall I create a JIRA issue for this?
>
> cheers
From Edgar at info.nl Wed Jan 27 07:45:45 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 27 Jan 2016 12:45:45 +0000
Subject: [keycloak-user] Cannot create user in LDAP/AD from Keycloak using Full Name User Federation Mapper - CN is empty
In-Reply-To: <56A8BA3A.6010100@redhat.com>
References: <4CD4C082-4A49-4458-AF90-2DC0BA9CE833@info.nl> <56A8BA3A.6010100@redhat.com>
Message-ID: <15CC2C40-2975-4834-8D4D-0C57CA1532AB@info.nl>

Ok will do. Thanks Marek!

Regarding my password policies/history issue: I was trying to make it into a pull request for you but I have not finished quite yet. Considering the upcoming refactoring I now wonder if that would be worth the trouble at this stage? We are not in a big hurry with this feature in any case.

cheers

On 27 Jan 2016, at 13:38, Marek Posolda wrote:

Yes, feel free to create JIRA for that.

You're right. There is a limitation that at registration time, just the username is available to the LDAP federation provider. However it should be possible to handle this in the mapper. Either we can create a new mapper or add an option to the current FullNameMapper so that it will use the username as a fallback if the full name is not yet available. LDAP doesn't have an issue with renaming the CN in a later phase. This mapper shouldn't be hard to do, hopefully I can do it even in the 1.9 or 1.10 release (not like your previous request for password history, which is a bit more tricky :) )

For Keycloak 2.X we plan some refactoring of the federation SPI and user management. So hopefully we can handle it more properly and have all attributes available even during federation registration.

Marek

On 27/01/16 13:25, Edgar Vonk - Info.nl wrote:

Hi,

I would like to use the Full Name User Federation Mapper to set the CN attribute in Active Directory from Keycloak.
If I am not mistaken this is currently not possible in Keycloak because on creation of the user the only thing that is available is the username and no other user attributes (see UserFederationManager#addUser(RealmModel realm, String username)).

Since the CN is mandatory it needs to be set during creation of the user object in AD (and in any LDAP server). With our current configuration with the Full Name mapper enabled and configured to map to the CN attribute we cannot create users from Keycloak since the full name (as well as the first and last name) and hence the CN are still empty on user creation:

    10:03:56,246 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-5) Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]: org.keycloak.models.ModelException: Error creating subcontext [cn= ,ou=Customers,dc=hf,dc=info,dc=nl]
        at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:425)
        at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:75)
        at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:50)
        at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:154)
        at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:56)
        at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:48)
        at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:190)

If I am not mistaken the way Keycloak creates users is by first creating an "empty" user with only the username set and after that the user is updated with all user attributes like firstname, last name, email etc.

The only workaround we can find is to add an attribute mapper that maps the Keycloak username field to the CN LDAP/AD attribute. This works ok but it is different from how AD treats the CN, which is as the full name and not the user name.
Shall I create a JIRA issue for this?

cheers

From bburke at redhat.com Wed Jan 27 09:17:47 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 27 Jan 2016 09:17:47 -0500
Subject: [keycloak-user] Realm Certificate from commercial Vendors
In-Reply-To:
References: <646083569.7053352.1453404198204.JavaMail.yahoo.ref@mail.yahoo.com> <646083569.7053352.1453404198204.JavaMail.yahoo@mail.yahoo.com> <1319101580.639569.1453719020394.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <56A8D18B.7040306@redhat.com>

You can upload client certs for saml clients, but I think we have an attribute size problem for large cert chains.

On 1/27/2016 5:17 AM, Stian Thorgersen wrote:
> We don't support uploading the realm keys through the admin console at the moment. However, you should be able to use the admin endpoints to manually set it. Should be relatively easy to add though, so you can create a JIRA to request it, but you're actually the first to request it.
>
> With regards to clients we don't have an elegant way to deal with this. What we have is: if the public key is not specified in the client config it will download it from Keycloak at startup, so if you restart your clients after creating new keys it should work. Ideally Keycloak should send a message to the clients to notify them that the keys have changed so they can re-fetch from Keycloak, but that hasn't been implemented yet. Again, feel free to request that.
>
> On 25 January 2016 at 11:50, Raghuram Prabhala wrote:
>
> Dev team - any comments on the commercial certificates instead of the ones created by Keycloak?
> > Raghu > > ------------------------------------------------------------------------ > *From:* Raghuram Prabhala > > *To:* Keycloak-user > > *Sent:* Thursday, January 21, 2016 2:23 PM > *Subject:* Realm Certificate from commercial Vendors > > > I have a question about the Certificate/private key which is > generated today by Keycloak. But rather than use that certificate > ,is there any way we can use a commercial Certificate from Vendors > like Verisign? When that certificate expires, how do we > generate/upload a new certificate (lifecycle) and handle the > switch over to a new certificate with minimal impact to any of the > client who will have to download the new certificate and use it > when KC starts using the new one? > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160127/72e80df3/attachment.html From mposolda at redhat.com Wed Jan 27 09:50:32 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 27 Jan 2016 15:50:32 +0100 Subject: [keycloak-user] Cannot create user in LDAP/AD from Keycloak using Full Name User Federation Mapper - CN is empty In-Reply-To: <15CC2C40-2975-4834-8D4D-0C57CA1532AB@info.nl> References: <4CD4C082-4A49-4458-AF90-2DC0BA9CE833@info.nl> <56A8BA3A.6010100@redhat.com> <15CC2C40-2975-4834-8D4D-0C57CA1532AB@info.nl> Message-ID: <56A8D938.1010700@redhat.com> If you're not in a hurry, it will be better to wait and put it into Keycloak 2.X. 
Right now, we are around feature freeze for 1.X and the MSAD password history support might mean a bit more refactoring and change in more places. And right now, we don't have much time to properly implement and test it due to other priority tasks TBH ;) Marek On 27/01/16 13:45, Edgar Vonk - Info.nl wrote: > Ok will do. Thanks Marek! > > Regarding my password policies/history issue: I was trying to make my > it into a pull request for you but I have not finished quite yet. > Considering the upcoming refactoring I now wonder if that would be > worth the trouble at this stage? We are not in a big hurry with this > feature in any case. > > cheers > >> On 27 Jan 2016, at 13:38, Marek Posolda > > wrote: >> >> Yes, feel free to create JIRA for that. >> >> You're right. There is limitation, that at registration time, just >> username is available to LDAP federation provider. However it should >> be possible to handle this in mapper. Either we can create new mapper >> or add the option to current FullNameMapper, that it will use >> username as fallback if fullname is not yet available. LDAP doesn't >> have issue with renaming CN in later phase. This mapper shouldn't be >> hard to do, hopefully I can do it even in 1.9 or 1.10 release (not >> like your previous request for password history, which is a bit more >> tricky :) ) >> >> For Keycloak 2.X we plan some refactoring of federation SPI and >> user's management. So hopefully we can handle it more properly and >> have all attributes available even during federation registration. >> >> Marek >> >> >> On 27/01/16 13:25, Edgar Vonk - Info.nl wrote: >>> Hi, >>> >>> I would like to use the Full Name User Federation Mapper to set the >>> CN attribute in Active Directory from Keycloak. 
If I am not mistaken >>> this is currently not possible in Keycloak because on creation of >>> the user the only thing that is available is the username and no >>> other user attributes (see UserFederationManager#addUser(RealmModel >>> realm, String username). >>> >>> Since the CN is mandatory it needs to be set during creation of the >>> user object in AD (and in any LDAP server). With our current >>> configuration with the Full Name mapper enabled and configured to >>> map to the CN attribute we cannot create users from Keycloak since >>> the full name (as well as the first and last name) and hence the CN >>> are still empty on user creation: >>> >>> 10:03:56,246 ERROR >>> [org.keycloak.services.resources.ModelExceptionMapper] (default >>> task-5) Error creating subcontext [cn= >>> ,ou=Customers,dc=hf,dc=info,dc=nl]: >>> org.keycloak.models.ModelException: Error creating subcontext [cn= >>> ,ou=Customers,dc=hf,dc=info,dc=nl] >>> at >>> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:425) >>> at >>> org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:75) >>> at >>> org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:50) >>> at >>> org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:154) >>> at >>> org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:56) >>> at >>> org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:48) >>> at >>> org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:190) >>> >>> >>> >>> If I am not mistaken the way Keycloak creates users is by first >>> creating an ?empty? user with only the username set and after that >>> the user is updated with all user attributes like firstname, last >>> name, email etc. 
>>> >>> The only workaround we can find is to add an attribute mapper that >>> maps the Keycloak username field to the CN LDAP/AD attribute. This >>> works ok but it different from how AD treats the CN which is as the >>> full name and not the user name. >>> >>> Shall I create a JIRA issue for this? >>> >>> cheers >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160127/13f7280f/attachment-0001.html From RLewis at carbonite.com Wed Jan 27 12:34:01 2016 From: RLewis at carbonite.com (Reed Lewis) Date: Wed, 27 Jan 2016 17:34:01 +0000 Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak In-Reply-To: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> Message-ID: This is working for me now. I created a service that listens on a port and implements the GET, HEAD and POST requests that are being made. The one issue now is that integration with other Identity providers does not work now since it still calls my server with the username from the external provider. How can I tell Keycloak that when a user comes from an external Identity provider not to check the user Federation provider? Thank you, Reed Lewis From: Scott Rossillo > Date: Friday, January 15, 2016 at 4:42 PM To: Thomas Darimont >, Reed Lewis > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak We just put up and blog post[0] and some sample code[1] on how to do this type of migration. 
[0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/ [1]: https://github.com/Smartling/keycloak-user-migration-provider Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com [Latest News + Events] [Powered by Sigstr] On Jan 15, 2016, at 11:06 AM, Thomas Darimont > wrote: Hello Reed, as you already wrote, you can write a federation provider that queries your backend service via REST for user data. Within the federation provider you can then import the user data returned from the REST call. This would work as follows - within the method: org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String) you call your backend REST service. As a next step you create a new user with the given username UserModel keycloakUser = session.userStorage().addUser(realm, username); Then you copy all the user data from your backend into Keycloak's UserModel. After that your backend user has a corresponding representation in Keycloak with a reference to this federation provider (id) via the "userModel.federationLink" property. The federation link will also be shown in the user page in the keycloak admin console. As long as the federation link is in place keycloak will ask the federation provider for the latest user data. Once you decide to cut the link to the federation provider you can simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation link right after you added the user to Keycloak. Keycloak has no link information after that anymore and it will only use the user data stored in the Keycloak database for that particular user. You also have the option to do that for all your users via: org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel) or just use on demand per User when he / she want's to login for the first time. 
Cheers, Thomas 2016-01-15 16:16 GMT+01:00 Reed Lewis >: Hi, We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data ?live? in KeyCloak and never refer to the external datasource again once the account is ?migrated? into KeyCloak. Can this be done with some modification of federation? We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak. Thank you, Reed Lewis _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160127/d8e780f6/attachment.html From srossillo at smartling.com Wed Jan 27 13:02:14 2016 From: srossillo at smartling.com (Scott Rossillo) Date: Wed, 27 Jan 2016 13:02:14 -0500 Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak In-Reply-To: References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> Message-ID: <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> I think that?s a more general question about user account merging so maybe one of the core devs can chime in. However, I just want to clarify, you don?t want to query the federation provider at all when a user signs in with external IDP, right? In that case, you could modify the findByUsername() method to not create a user if the login is with a IDP. 
I?m not sure if it still exists in 1.7+ but the username used to be created as idp.email at provider.com where the IDP is the username prefix. Does that make sense / sufficiently address the use case? ~ Scott > On Jan 27, 2016, at 12:34 PM, Reed Lewis wrote: > > This is working for me now. I created a service that listens on a port and implements the GET, HEAD and POST requests that are being made. > > The one issue now is that integration with other Identity providers does not work now since it still calls my server with the username from the external provider. How can I tell Keycloak that when a user comes from an external Identity provider not to check the user Federation provider? > > Thank you, > > Reed Lewis > > From: Scott Rossillo > > Date: Friday, January 15, 2016 at 4:42 PM > To: Thomas Darimont >, Reed Lewis > > Cc: "keycloak-user at lists.jboss.org " > > Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak > > We just put up and blog post[0] and some sample code[1] on how to do this type of migration. > > [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/ > [1]: https://github.com/Smartling/keycloak-user-migration-provider > > > Scott Rossillo > Smartling | Senior Software Engineer > srossillo at smartling.com > > > >> On Jan 15, 2016, at 11:06 AM, Thomas Darimont > wrote: >> >> Hello Reed, >> >> as you already wrote, you can write a federation provider that queries your >> backend service via REST for user data. >> Within the federation provider you can then import the user data >> returned from the REST call. >> >> This would work as follows - within the method: >> org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String) >> you call your backend REST service. 
>> >> As a next step you create a new user with the given username >> UserModel keycloakUser = session.userStorage().addUser(realm, username); >> >> Then you copy all the user data from your backend into Keycloak's UserModel. >> >> After that your backend user has a corresponding representation in Keycloak >> with a reference to this federation provider (id) via the "userModel.federationLink" property. >> >> The federation link will also be shown in the user page in the keycloak admin console. >> As long as the federation link is in place keycloak will ask the federation provider >> for the latest user data. Once you decide to cut the link to the federation provider you can >> simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation >> link right after you added the user to Keycloak. >> >> Keycloak has no link information after that anymore and it will only use the user data stored >> in the Keycloak database for that particular user. >> >> You also have the option to do that for all your users via: >> org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel) >> or just use on demand per User when he / she want's to login for the first time. >> >> Cheers, >> Thomas >> >> 2016-01-15 16:16 GMT+01:00 Reed Lewis >: >> Hi, >> We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data ?live? in KeyCloak and never refer to the external datasource again once the account is ?migrated? into KeyCloak. >> >> >> Can this be done with some modification of federation? 
>> >> We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak. >> >> Thank you, >> >> Reed Lewis >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160127/50138da6/attachment-0001.html From RLewis at carbonite.com Wed Jan 27 13:48:52 2016 From: RLewis at carbonite.com (Reed Lewis) Date: Wed, 27 Jan 2016 18:48:52 +0000 Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak In-Reply-To: <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> Message-ID: <628629D6-5CEF-4B91-B66C-72A0C1A7ABBE@carbonite.com> Scott, Yes that is exactly what I wish to have happen. If a user is from an external IDP do not check the federation provider at all. The reason for this is I might have users in my federation provider who are going to log in using external IDP going forward. I wish to have them always use the IDP to login now. I checked your suggestion, and my federation provider gets the account name as just the email address, not (idp).email. For example when It is called it comes in as foo at google.com not google.foo at google.com so that will not work. 
So I think that there must be changes needed to Keycloak to not check the Federation provider if it comes from an external IDP Thanks, Reed From: Scott Rossillo > Date: Wednesday, January 27, 2016 at 1:02 PM To: Reed Lewis > Cc: Thomas Darimont >, "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak I think that?s a more general question about user account merging so maybe one of the core devs can chime in. However, I just want to clarify, you don?t want to query the federation provider at all when a user signs in with external IDP, right? In that case, you could modify the findByUsername() method to not create a user if the login is with a IDP. I?m not sure if it still exists in 1.7+ but the username used to be created as idp.email at provider.com where the IDP is the username prefix. Does that make sense / sufficiently address the use case? ~ Scott On Jan 27, 2016, at 12:34 PM, Reed Lewis > wrote: This is working for me now. I created a service that listens on a port and implements the GET, HEAD and POST requests that are being made. The one issue now is that integration with other Identity providers does not work now since it still calls my server with the username from the external provider. How can I tell Keycloak that when a user comes from an external Identity provider not to check the user Federation provider? Thank you, Reed Lewis From: Scott Rossillo > Date: Friday, January 15, 2016 at 4:42 PM To: Thomas Darimont >, Reed Lewis > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak We just put up and blog post[0] and some sample code[1] on how to do this type of migration. 
[0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/ [1]: https://github.com/Smartling/keycloak-user-migration-provider Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com [Latest News + Events] [Powered by Sigstr] On Jan 15, 2016, at 11:06 AM, Thomas Darimont > wrote: Hello Reed, as you already wrote, you can write a federation provider that queries your backend service via REST for user data. Within the federation provider you can then import the user data returned from the REST call. This would work as follows - within the method: org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String) you call your backend REST service. As a next step you create a new user with the given username UserModel keycloakUser = session.userStorage().addUser(realm, username); Then you copy all the user data from your backend into Keycloak's UserModel. After that your backend user has a corresponding representation in Keycloak with a reference to this federation provider (id) via the "userModel.federationLink" property. The federation link will also be shown in the user page in the keycloak admin console. As long as the federation link is in place keycloak will ask the federation provider for the latest user data. Once you decide to cut the link to the federation provider you can simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation link right after you added the user to Keycloak. Keycloak has no link information after that anymore and it will only use the user data stored in the Keycloak database for that particular user. You also have the option to do that for all your users via: org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel) or just use on demand per User when he / she want's to login for the first time. 
Cheers, Thomas 2016-01-15 16:16 GMT+01:00 Reed Lewis >: Hi, We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data ?live? in KeyCloak and never refer to the external datasource again once the account is ?migrated? into KeyCloak. Can this be done with some modification of federation? We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak. Thank you, Reed Lewis _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160127/ff6c4990/attachment-0001.html From thomas.darimont at googlemail.com Wed Jan 27 14:06:46 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Wed, 27 Jan 2016 20:06:46 +0100 Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak In-Reply-To: <628629D6-5CEF-4B91-B66C-72A0C1A7ABBE@carbonite.com> References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> <628629D6-5CEF-4B91-B66C-72A0C1A7ABBE@carbonite.com> Message-ID: Hello, I think it would be helpful if keycloak would store a "note" about where a use came from in the user model. Cloud Foundry's UAA stores the "origin system name" (origin) as well as the "origin user id" (externalId) in the user model. 
See: https://github.com/cloudfoundry/uaa/blob/master/model/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimUser.java#L323 In the UAA case users created by the UAA have the origin set to "uaa" and externalId to null. Other users have a different origin. In my federation provider I set custom user attributes origin.name and origin.id in order to store a reference to the original user account. I found this very helpful especially during migration / transition phases as well as for debugging. Cheers, Thomas 2016-01-27 19:48 GMT+01:00 Reed Lewis : > Scott, > Yes that is exactly what I wish to have happen. If a user is from an > external IDP do not check the federation provider at all. The reason for > this is I might have users in my federation provider who are going to log > in using external IDP going forward. I wish to have them always use the IDP > to login now. > > I checked your suggestion, and my federation provider gets the account > name as just the email address, not (idp).email. For example when It is > called it comes in as foo at google.com not google.foo at google.com so that > will not work. > > So I think that there must be changes needed to Keycloak to not check the > Federation provider if it comes from an external IDP > > Thanks, > > Reed > > > From: Scott Rossillo > Date: Wednesday, January 27, 2016 at 1:02 PM > To: Reed Lewis > Cc: Thomas Darimont , " > keycloak-user at lists.jboss.org" > > Subject: Re: [keycloak-user] External Username, Password, Email... > dataset with Keycloak > > I think that?s a more general question about user account merging so maybe > one of the core devs can chime in. However, I just want to clarify, you > don?t want to query the federation provider at all when a user signs in > with external IDP, right? In that case, you could modify the > findByUsername() method to not create a user if the login is with a IDP. 
> I?m not sure if it still exists in 1.7+ but the username used to be created > as idp.email at provider.com where the IDP is the username prefix. > > Does that make sense / sufficiently address the use case? > > ~ Scott > > On Jan 27, 2016, at 12:34 PM, Reed Lewis wrote: > > This is working for me now. I created a service that listens on a port > and implements the GET, HEAD and POST requests that are being made. > > The one issue now is that integration with other Identity providers does > not work now since it still calls my server with the username from the > external provider. How can I tell Keycloak that when a user comes from > an external Identity provider not to check the user Federation provider? > > Thank you, > > Reed Lewis > > From: Scott Rossillo > Date: Friday, January 15, 2016 at 4:42 PM > To: Thomas Darimont , Reed Lewis < > RLewis at carbonite.com> > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] External Username, Password, Email... > dataset with Keycloak > > We just put up and blog post[0] and some sample code[1] on how to do this > type of migration. > > [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/ > [1]: https://github.com/Smartling/keycloak-user-migration-provider > > > Scott Rossillo > Smartling | Senior Software Engineer > srossillo at smartling.com > > [image: Latest News + Events] > > [image: Powered by Sigstr] > > On Jan 15, 2016, at 11:06 AM, Thomas Darimont < > thomas.darimont at googlemail.com> wrote: > > Hello Reed, > > as you already wrote, you can write a federation provider that queries your > backend service via REST for user data. > Within the federation provider you can then import the user data > returned from the REST call. > > This would work as follows - within the method: > org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, > String) > you call your backend REST service. 
> > As a next step you create a new user with the given username > UserModel keycloakUser = session.userStorage().addUser(realm, username); > > Then you copy all the user data from your backend into Keycloak's > UserModel. > > After that your backend user has a corresponding representation in Keycloak > with a reference to this federation provider (id) via the > "userModel.federationLink" property. > > The federation link will also be shown in the user page in the keycloak > admin console. > As long as the federation link is in place keycloak will ask the > federation provider > for the latest user data. Once you decide to cut the link to the > federation provider you can > simply do userModel.setFederationLink(null). You could basically cut (or > rather omit) the federation > link right after you added the user to Keycloak. > > Keycloak has no link information after that anymore and it will only use > the user data stored > in the Keycloak database for that particular user. > > You also have the option to do that for all your users via: > > org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, > String, UserFederationProviderModel) > or just use on demand per User when he / she want's to login for the first > time. > > Cheers, > Thomas > > 2016-01-15 16:16 GMT+01:00 Reed Lewis : > >> Hi, >> We are examining KeyCloak (It looks like it can do what we want), but >> we have the need to have an external lookup of accounts who are not in >> KeyCloak in an external database which is accessible via a REST call. I >> know about federation, but would prefer to only check the external >> datasource if the user is not in KeyCloak, but from then on have all the >> data ?live? in KeyCloak and never refer to the external datasource again >> once the account is ?migrated? into KeyCloak. >> >> >> Can this be done with some modification of federation? 
>> >> We do not want to add the user accounts directly into KeyCloak as there >> are many more there than will ever be in KeyCloak. >> >> Thank you, >> >> Reed Lewis >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160127/2bcf4d29/attachment.html From RLewis at carbonite.com Wed Jan 27 14:13:19 2016 From: RLewis at carbonite.com (Reed Lewis) Date: Wed, 27 Jan 2016 19:13:19 +0000 Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak In-Reply-To: References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> <628629D6-5CEF-4B91-B66C-72A0C1A7ABBE@carbonite.com> Message-ID: The interesting thing is that the user is not being added to Keycloak at all (or at least does not look like it gets in at all). When I use an external IDP, and it also calls my local federation provider I return an account representation, but it never seems to be added to Keycloak at all. I am getting an Error in Keycloak execution. I will attach that error to this email. Reed From: Thomas Darimont > Date: Wednesday, January 27, 2016 at 2:06 PM To: Reed Lewis > Cc: Scott Rossillo >, "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak Hello, I think it would be helpful if keycloak would store a "note" about where a use came from in the user model. Cloud Foundry's UAA stores the "origin system name" (origin) as well as the "origin user id" (externalId) in the user model. 
See: https://github.com/cloudfoundry/uaa/blob/master/model/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimUser.java#L323 In the UAA case users created by the UAA have the origin set to "uaa" and externalId to null. Other users have a different origin. In my federation provider I set custom user attributes origin.name and origin.id in order to store a reference to the original user account. I found this very helpful especially during migration / transition phases as well as for debugging. Cheers, Thomas 2016-01-27 19:48 GMT+01:00 Reed Lewis >: Scott, Yes that is exactly what I wish to have happen. If a user is from an external IDP do not check the federation provider at all. The reason for this is I might have users in my federation provider who are going to log in using external IDP going forward. I wish to have them always use the IDP to login now. I checked your suggestion, and my federation provider gets the account name as just the email address, not (idp).email. For example when It is called it comes in as foo at google.com not google.foo at google.com so that will not work. So I think that there must be changes needed to Keycloak to not check the Federation provider if it comes from an external IDP Thanks, Reed From: Scott Rossillo > Date: Wednesday, January 27, 2016 at 1:02 PM To: Reed Lewis > Cc: Thomas Darimont >, "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak I think that?s a more general question about user account merging so maybe one of the core devs can chime in. However, I just want to clarify, you don?t want to query the federation provider at all when a user signs in with external IDP, right? In that case, you could modify the findByUsername() method to not create a user if the login is with a IDP. I?m not sure if it still exists in 1.7+ but the username used to be created as idp.email at provider.com where the IDP is the username prefix. 
Does that make sense / sufficiently address the use case? ~ Scott On Jan 27, 2016, at 12:34 PM, Reed Lewis > wrote: This is working for me now. I created a service that listens on a port and implements the GET, HEAD and POST requests that are being made. The one issue now is that integration with other Identity providers does not work now since it still calls my server with the username from the external provider. How can I tell Keycloak that when a user comes from an external Identity provider not to check the user Federation provider? Thank you, Reed Lewis From: Scott Rossillo > Date: Friday, January 15, 2016 at 4:42 PM To: Thomas Darimont >, Reed Lewis > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak We just put up and blog post[0] and some sample code[1] on how to do this type of migration. [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/ [1]: https://github.com/Smartling/keycloak-user-migration-provider Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com [Latest News + Events] [Powered by Sigstr] On Jan 15, 2016, at 11:06 AM, Thomas Darimont > wrote: Hello Reed, as you already wrote, you can write a federation provider that queries your backend service via REST for user data. Within the federation provider you can then import the user data returned from the REST call. This would work as follows - within the method: org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String) you call your backend REST service. As a next step you create a new user with the given username UserModel keycloakUser = session.userStorage().addUser(realm, username); Then you copy all the user data from your backend into Keycloak's UserModel. After that your backend user has a corresponding representation in Keycloak with a reference to this federation provider (id) via the "userModel.federationLink" property. 
The federation link will also be shown in the user page in the keycloak admin console. As long as the federation link is in place keycloak will ask the federation provider for the latest user data. Once you decide to cut the link to the federation provider you can simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation link right after you added the user to Keycloak.

Keycloak has no link information after that anymore and it will only use the user data stored in the Keycloak database for that particular user.

You also have the option to do that for all your users via:
org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)
or just use on demand per User when he / she wants to login for the first time.

Cheers,
Thomas

2016-01-15 16:16 GMT+01:00 Reed Lewis:

Hi,

We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data "live" in KeyCloak and never refer to the external datasource again once the account is "migrated" into KeyCloak.

Can this be done with some modification of federation?

We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.

Thank you,
Reed Lewis

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
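The migrate-by-import approach Thomas describes in the quoted Jan 15 message (look the user up in the backend over REST, add it with session.userStorage().addUser(), copy its data, then keep or cut the federation link), together with the origin.name / origin.id attributes from his reply above, written out as an added Java example; this is not code from the thread, from Smartling's sample or from Keycloak. The BackendUser class, the RestBackendClient interface, the "legacy-rest" origin name and the keepFederationLink switch are assumptions made for the example, and UserModel.setSingleAttribute is assumed to be available in the Keycloak 1.x version in use.

```java
package example.migration;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

/**
 * One-time import of an account from an external store into Keycloak.
 * This is the logic a UserFederationProvider would run inside
 * getUserByUsername(RealmModel, String) when the user is not yet known
 * to Keycloak. Added example, not Keycloak code.
 */
public class MigratingUserImporter {

    /** Minimal view of an account as returned by the backend REST service (assumed shape). */
    public static final class BackendUser {
        public final String id;        // primary key in the legacy store
        public final String username;
        public final String email;
        public final String firstName;
        public final String lastName;
        public final boolean enabled;

        public BackendUser(String id, String username, String email,
                           String firstName, String lastName, boolean enabled) {
            this.id = id;
            this.username = username;
            this.email = email;
            this.firstName = firstName;
            this.lastName = lastName;
            this.enabled = enabled;
        }
    }

    /** Wraps the REST call so the import logic itself has no HTTP dependency (assumed interface). */
    public interface RestBackendClient {
        /** Returns null when the backend has no account with that username. */
        BackendUser findByUsername(String username);
    }

    private final RestBackendClient backend;
    private final UserFederationProviderModel providerModel;
    private final boolean keepFederationLink;

    public MigratingUserImporter(RestBackendClient backend,
                                 UserFederationProviderModel providerModel,
                                 boolean keepFederationLink) {
        this.backend = backend;
        this.providerModel = providerModel;
        this.keepFederationLink = keepFederationLink;
    }

    /**
     * Looks the user up in the backend and, if found, creates it in Keycloak's
     * own store. Returns null when the backend does not know the user, so the
     * calling getUserByUsername() can return null as well.
     */
    public UserModel importUser(KeycloakSession session, RealmModel realm, String username) {
        BackendUser src = backend.findByUsername(username);
        if (src == null) {
            return null;
        }

        // userStorage() is the local Keycloak DB; users() would route back through federation.
        UserModel user = session.userStorage().addUser(realm, src.username);
        user.setEnabled(src.enabled);
        user.setEmail(src.email);
        user.setFirstName(src.firstName);
        user.setLastName(src.lastName);

        // Keep a reference to the original account (Thomas's origin.name / origin.id idea):
        // handy while both systems coexist and when debugging a migrated user.
        user.setSingleAttribute("origin.name", "legacy-rest");
        user.setSingleAttribute("origin.id", src.id);

        if (keepFederationLink) {
            // While linked, Keycloak keeps asking this provider for fresh user data.
            user.setFederationLink(providerModel.getId());
        } else {
            // "Cut (or rather omit)" the link: from now on only the Keycloak DB is consulted.
            user.setFederationLink(null);
        }
        return user;
    }
}
```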
From RLewis at carbonite.com Wed Jan 27 15:28:14 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Wed, 27 Jan 2016 20:28:14 +0000
Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak
In-Reply-To: <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com>
References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com>
Message-ID: <1CAAD48A-2E51-4FE7-AA6A-7A3634B9E5E5@carbonite.com>

It looks like no matter which External IDP I use, it always checks the federation provider also which is not something that I think wants to be done. Is this a bug in the Keycloak software?

So it looks like one cannot do external IDP and federation at the same time. This should be fixed.

Reed

From: Scott Rossillo
Date: Wednesday, January 27, 2016 at 1:02 PM
To: Reed Lewis
Cc: Thomas Darimont, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak

I think that's a more general question about user account merging so maybe one of the core devs can chime in. However, I just want to clarify, you don't want to query the federation provider at all when a user signs in with external IDP, right? In that case, you could modify the findByUsername() method to not create a user if the login is with an IDP. I'm not sure if it still exists in 1.7+ but the username used to be created as idp.email at provider.com where the IDP is the username prefix.

Does that make sense / sufficiently address the use case?

~ Scott
From fabricio.milone at shinetech.com Wed Jan 27 16:01:32 2016
From: fabricio.milone at shinetech.com (Fabricio Milone)
Date: Thu, 28 Jan 2016 08:01:32 +1100
Subject: [keycloak-user] Is there a REST Admin API to initiate the Reset Password flow?

Hi Lohitha,

I had the same requirements (Direct grant + forgotten password) and ended up implementing a SPI using some piece of code made by Pedro Igor.

An extract of the DEV Mailing list called: "Add custom REST paths? New SPI?"

> It is part of a work in progress around fine-grained authorization [1].
> The new SPI changes [2] specific to Keycloak are located in a specific branch [3] in my Keycloak fork.
> I need to discuss these changes with Bill and see what he thinks about it. Depending on his feedback, I can prepare a PR and send these changes to upstream.
>
> [1] https://github.com/pedroigor/keycloak-authz
> [2] https://github.com/pedroigor/keycloak/commit/5e99614aacb70f7840a5ae25cfeaf3fc9d74ac54
> [3] https://github.com/pedroigor/keycloak/tree/keycloak-authz-modified

Not sure if Keycloak will ever adopt those changes as official or something similar though.

That's a good starting point.

Regards

On 27 January 2016 at 21:19, Stian Thorgersen wrote:

> There is in the admin endpoints, but nothing that's available to end-users.
>
> On 22 January 2016 at 06:45, Lohitha Chiranjeewa wrote:
>
>> Hi,
>>
>> There are a few clients of ours who use the Direct Grants API to authenticate their users. A requirement has come up to provide the Reset Password flow to those clients. From what I've checked and gathered, there's no REST API to initiate this flow (sending the Keycloak password reset email + resetting the password through the UI); the only way to do it is through the browser.
>>
>> If it's actually there somewhere, can someone point me to it?
>>
>> Regards,
>> Lohitha.

-- 
Fabricio Milone
Developer
Shine Consulting
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com
a passion for excellence

From lingvisa at gmail.com Wed Jan 27 16:58:26 2016
From: lingvisa at gmail.com (Martin Min)
Date: Wed, 27 Jan 2016 13:58:26 -0800
Subject: [keycloak-user] Realm persistence

Hello,

I set up a KeyCloak server and created a realm and an application on a computer, which I can access through localhost:8080/auth.

If I use this same KeyCloak server (copy the whole keycloak directory to another computer), can I get the same realm and application up without any additional configuration?

Thank you.

From fabricio.milone at shinetech.com Wed Jan 27 18:59:48 2016
From: fabricio.milone at shinetech.com (Fabricio Milone)
Date: Thu, 28 Jan 2016 10:59:48 +1100
Subject: [keycloak-user] Direct Grant and OAuth 2.0 error response

Hi,

I have a direct grant flow working correctly and returning all the information I need using Mappers when the response is OK. However, I would like to include more information in the error response when my Federator doesn't authenticate the username, specifically, my own federator's error codes/messages.
I've been reading the RFC and there is a parameter called error_description in the error response, but not sure how to add a json there (it is supported by the USASCII chars, afaik).

This is my architecture:

Mobile client ---direct access grant---> Keycloak -------validateUser----> Federator

If Error
Federator ----response---> MyFederatorProvider (on validate() method, parse the response and somehow include the error coming from the federator inside the error_description field of the standard OAuth 2.0 response).

Can someone please give me a hint on this? Is there any other (better/cleaner) way to do this?

Thanks in advance!

-- 
Fabricio Milone
Developer
Shine Consulting
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com
a passion for excellence

From adrianmatei at gmail.com Thu Jan 28 00:47:44 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Thu, 28 Jan 2016 06:47:44 +0100
Subject: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue

Hi everyone,

I am experiencing "too many redirects"/infinite loops issues in the browser when I try to connect with social providers. I am also getting internal server error on Chrome via google account (Caused by: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext).
It might be my configuration, but I did everything "by the book":

# realm Require SSL:none

#nginx
http {
    gzip on;
    gzip_proxied any;
    #gzip_proxied no-cache no-store private expired auth;
    gzip_types text/plain text/html text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
    #gzip_min_length 1000;

    server_tokens off; #hides nginx version and OS running on
    include /etc/nginx/mime.types;

    upstream tomcat_server {
        server localhost:8080;
    }
    upstream keycloak_server {
        server localhost:8180;
    }

    server {
        listen 80;
        server_name podcastmania.ro;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name podcastmania.ro www.podcastmania.ro;

        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
            root /opt/tomcat/webapps/ROOT;
            try_files $uri /maintenance.html @tomcat;
        }

        location @tomcat {
            proxy_pass http://tomcat_server;
            proxy_set_header Host $host; #to change the "Host" header set by default to $proxy_host to $host - the originating host request
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /auth/ {
            root /opt/keycloak/standalone/configuration/themes/keycloak/;
            try_files $uri @keycloak;
        }

        location @keycloak {
            proxy_pass http://keycloak_server;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port 443;
        }
    }
}

# standalone.xml

# app:spring security configuration

Has anyone faced similar issues?

Thanks,
Adrian
From kalc04 at gmail.com Thu Jan 28 02:41:38 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Thu, 28 Jan 2016 13:11:38 +0530
Subject: [keycloak-user] Is there a REST Admin API to initiate the Reset Password flow?

Thanks Fabricio, will check on how we can proceed with such an implementation.

Since there is an already existing registration-email API, I thought it's consistent from Keycloak's perspective to expose a reset-password API as well...

Regards,
Lohitha.

On Thu, Jan 28, 2016 at 2:31 AM, Fabricio Milone <fabricio.milone at shinetech.com> wrote:

> Hi Lohitha,
>
> I had the same requirements (Direct grant + forgotten password) and ended up implementing a SPI using some piece of code made by Pedro Igor.
>
> An extract of the DEV Mailing list called: "Add custom REST paths? New SPI?"
>
>> It is part of a work in progress around fine-grained authorization [1].
>> The new SPI changes [2] specific to Keycloak are located in a specific branch [3] in my Keycloak fork.
>> I need to discuss these changes with Bill and see what he thinks about it. Depending on his feedback, I can prepare a PR and send these changes to upstream.
>>
>> [1] https://github.com/pedroigor/keycloak-authz
>> [2] https://github.com/pedroigor/keycloak/commit/5e99614aacb70f7840a5ae25cfeaf3fc9d74ac54
>> [3] https://github.com/pedroigor/keycloak/tree/keycloak-authz-modified
>
> Not sure if Keycloak will ever adopt those changes as official or something similar though.
>
> That's a good starting point.
>
> Regards

From revanth at arvindinternet.com Thu Jan 28 05:25:35 2016
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Thu, 28 Jan 2016 15:55:35 +0530
Subject: [keycloak-user] Keycloak Clustering

Hi

I am using keycloak 1.5.0 and want to cluster it. I made the necessary changes to standalone-ha.xml.
I am running the following command:

./standalone.sh --server-config=standalone-ha.xml -b=0.0.0.0

I am getting the below error:

Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
    at org.jgroups.util.Util.checkIfValidAddress(Util.java:3484)
    at org.jgroups.stack.Configurator.ensureValidBindAddresses(Configurator.java:903)
    at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:118)
    at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:57)
    at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:477)
    at org.jgroups.JChannel.init(JChannel.java:854)
    at org.jgroups.JChannel.(JChannel.java:159)
    at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:96)
    at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:93)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:634)
    ... 7 more

I changed my keycloak.json as per the documentation for clustering.
Could you help me figure out what the issue is?

On Wed, Jan 13, 2016 at 12:08 AM, Stian Thorgersen wrote:

> If you're saying you can only access it using localhost, then run it with "bin/standalone.sh -b 0.0.0.0" and it'll be bound to all interfaces.
>
> On 12 January 2016 at 16:26, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
>
>> I mean, I am not able to access it using its public IP.
>>
>> On Tue, Jan 12, 2016 at 8:18 PM, Stian Thorgersen wrote:
>>
>>> I don't know what you mean that you can't access it from the outside world, but if you're running a cluster you'll need a load balancer in front. Apache, Nginx or even Undertow would do that for you.
>>>
>>> You add nodes by just running more nodes on the same subnet and they'll discover themselves.
>>>
>>> On 12 January 2016 at 12:37, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a few applications that are using Keycloak 1.5 and I now want to cluster it. I had followed this link (https://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/clustering.html) but I am not able to access this server from the outside world and I also wanted to know how I can add nodes to my cluster. Could anyone please help me out in this respect.
>>>>
>>>> Thanks.

From mposolda at redhat.com Thu Jan 28 06:12:51 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Jan 2016 12:12:51 +0100
Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak
In-Reply-To: <1CAAD48A-2E51-4FE7-AA6A-7A3634B9E5E5@carbonite.com>
References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> <1CAAD48A-2E51-4FE7-AA6A-7A3634B9E5E5@carbonite.com>
Message-ID: <56A9F7B3.60705@redhat.com>

Hi,

If you're using Keycloak version 1.7 or later, you can create a new "firstBrokerLogin" flow and replace the "Create User If Unique" authenticator with your own implementation. You can create a subclass of IdpCreateUserIfUniqueAuthenticator and override the method "checkExistingUser" to not look for the username at the federation provider. It can be done if you use:

context.getSession().userStorage().getUserByUsername(username, context.getRealm());

instead of:

context.getSession().users().getUserByUsername(username, context.getRealm());

Same for email checking.

In that case if you login with user "john" from an external identity provider, the authenticator won't try to find this "john" user in your external federation provider, but just in the Keycloak DB. Is this what you are trying to achieve?

Btw. As pointed out already, the keycloak username for a user registered from an external IDP looks like "google.john" by default. You can change this behaviour by using an identity provider mapper for the username, which allows you to change the username template and remove the broker prefix from it. So Keycloak will treat this username as "john".

In 1.9 we plan to remove the broker prefix by default and we will always just use the username from the broker, because the "first login flow" added in Keycloak 1.7 allows us to easily resolve username conflicts. Corresponding JIRA is: https://issues.jboss.org/browse/KEYCLOAK-2292

Marek

On 27/01/16 21:28, Reed Lewis wrote:
> It looks like no matter which External IDP I use, it always checks the federation provider also which is not something that I think wants to be done. Is this a bug in the Keycloak software?
>
> So it looks like one cannot do external IDP and federation at the same time. This should be fixed.
>
> Reed

From mposolda at redhat.com Thu Jan 28 06:19:00 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Jan 2016 12:19:00 +0100
Subject: [keycloak-user] Realm persistence
Message-ID: <56A9F924.1000102@redhat.com>

Yes, as by default Keycloak uses the H2 database, which is stored in the filesystem inside the keycloak (wildfly) directory. So if you copy the whole directory to another location, the data will still be there.

Marek

On 27/01/16 22:58, Martin Min wrote:
> Hello,
>
> I set up a KeyCloak server and created a realm and an application on a computer, which I can access through localhost:8080/auth.
>
> If I use this same KeyCloak server (copy the whole keycloak directory to another computer), can I get the same realm and application up without any additional configuration?
>
> Thank you.
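Marek's suggestion in the External Username thread above (subclass IdpCreateUserIfUniqueAuthenticator and make checkExistingUser consult session.userStorage() rather than session.users(), for the e-mail check as well as the username check), written out as an added Java example; it is not code from the thread or from Keycloak. The class name, the factory id and display name are hypothetical; the protected checkExistingUser signature, the ExistingUserInfo constructor and the UserModel.EMAIL / UserModel.USERNAME constants are assumed to be those of Keycloak 1.7.

```java
package example.broker;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator;
import org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticatorFactory;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;

/**
 * "Create User If Unique" variant for the first-broker-login flow that looks
 * for an existing account only in Keycloak's own store. With the stock
 * authenticator the lookup goes through session.users(), which consults the
 * user federation provider as well; this version never touches it.
 * Added example, not Keycloak code.
 */
public class LocalOnlyCreateUserIfUniqueAuthenticator extends IdpCreateUserIfUniqueAuthenticator {

    @Override
    protected ExistingUserInfo checkExistingUser(AuthenticationFlowContext context, String username,
                                                 SerializedBrokeredIdentityContext serializedCtx,
                                                 BrokeredIdentityContext brokerContext) {
        // userStorage() is the local Keycloak DB; users() would route through federation.
        UserProvider local = context.getSession().userStorage();

        // Same two duplicate checks as the stock authenticator: e-mail first, then username.
        if (brokerContext.getEmail() != null) {
            UserModel byEmail = local.getUserByEmail(brokerContext.getEmail(), context.getRealm());
            if (byEmail != null) {
                return new ExistingUserInfo(byEmail.getId(), UserModel.EMAIL, byEmail.getEmail());
            }
        }
        UserModel byName = local.getUserByUsername(username, context.getRealm());
        if (byName != null) {
            return new ExistingUserInfo(byName.getId(), UserModel.USERNAME, byName.getUsername());
        }
        // No local duplicate: the parent class proceeds to create the brokered user.
        return null;
    }

    /**
     * Factory under its own provider id, so the authenticator shows up as a
     * separate choice when editing a copy of the "first broker login" flow.
     * Register it in META-INF/services/org.keycloak.authentication.AuthenticatorFactory.
     */
    public static class Factory extends IdpCreateUserIfUniqueAuthenticatorFactory {
        // Hypothetical id chosen for this example.
        public static final String PROVIDER_ID = "idp-create-user-if-unique-local-only";

        @Override
        public Authenticator create(KeycloakSession session) {
            return new LocalOnlyCreateUserIfUniqueAuthenticator();
        }

        @Override
        public String getId() {
            return PROVIDER_ID;
        }

        @Override
        public String getDisplayType() {
            return "Create User If Unique (Keycloak DB only)";
        }
    }
}
```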
From mposolda at redhat.com Thu Jan 28 06:23:20 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Jan 2016 12:23:20 +0100
Subject: [keycloak-user] Direct Grant and OAuth 2.0 error response
Message-ID: <56A9FA28.3050402@redhat.com>

Maybe you can achieve this by overriding the authentication flow for "direct access grants" and plugging in your own authenticators. Your authenticator will catch the exception thrown by your UserFederationProvider and send some response corresponding to that. See the docs for the Authentication SPI for more details.

Marek

On 28/01/16 00:59, Fabricio Milone wrote:
> Hi,
>
> I have a direct grant flow working correctly and returning all the information I need using Mappers when the response is OK. However, I would like to include more information in the error response when my Federator doesn't authenticate the username, specifically, my own federator's error codes/messages.
>
> I've been reading the RFC and there is a parameter called error_description in the error response, but not sure how to add a json there (it is supported by the USASCII chars, afaik).
>
> This is my architecture:
>
> Mobile client ---direct access grant---> Keycloak -------validateUser----> Federator
>
> If Error
> Federator ----response---> MyFederatorProvider (on validate() method, parse the response and somehow include the error coming from the federator inside the error_description field of the standard OAuth 2.0 response).
>
> Can someone please give me a hint on this? Is there any other (better/cleaner) way to do this?
>
> Thanks in advance!

From mposolda at redhat.com Thu Jan 28 06:28:21 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Jan 2016 12:28:21 +0100
Subject: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
Message-ID: <56A9FB55.6050006@redhat.com>

I suppose you're using Keycloak 1.7? There is a known issue related to this NoClassDefFoundError. You can work around it by editing the file $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml and adding the line: into the dependencies section. Same for the module $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml

Marek

On 28/01/16 06:47, Adrian Matei wrote:
> Hi everyone,
>
> I am experiencing "too many redirects"/infinite loops issues in the browser when I try to connect with social providers. I am also getting internal server error on Chrome via google account (Caused by: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext).
It might be my > configuration, but I did everything "by the book": > > # realm Require SSL:none > > #nginx > http { > gzip on; > gzip_proxied any; > #gzip_proxied no-cache no-store private expired auth; > gzip_types text/plain text/html text/css application/json > application/x-javascript application/xml application/xml+rss > text/javascript application/javascript text/x-js; > #gzip_min_length 1000; > > > server_tokens off; #hides nginx version and OS running on > include /etc/nginx/mime.types; > > > upstream tomcat_server { > server localhost:8080; > } > upstream keycloak_server { > server localhost:8180; > } > > server { > listen 80; > server_name podcastmania.ro ; > return 301 https://$host$request_uri; > } > > server { > > listen 443 ssl; > > server_name podcastmania.ro > www.podcastmania.ro ; > > ssl_certificate /etc/nginx/ssl/nginx.crt; > ssl_certificate_key /etc/nginx/ssl/nginx.key; > location / { > root /opt/tomcat/webapps/ROOT; > try_files $uri /maintenance.html @tomcat; > } > > location @tomcat { > proxy_pass http://tomcat_server ; > > proxy_set_header Host $host; #to change the "Host" > header set by default to $proxy_host to $host - the originating host > request > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For > $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > } > > > location /auth/ { > root > /opt/keycloak/standalone/configuration/themes/keycloak/; > try_files $uri @keycloak; > } > > location @keycloak { > proxy_pass http://keycloak_server > ; > > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For > $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > proxy_set_header X-Forwarded-Port 443; > } > > > } > > > # standalone.xml > > > > *redirect-socket="proxy-https" proxy-address-forwarding="true"*/> > > > > > > > > default-interface="public" > port-offset="${jboss.socket.binding.port-offset:100}"> > 
port="${jboss.management.http.port:9990}"/> > port="${jboss.management.https.port:9993}"/> > > > > > > * * > > > > > > # app:spring security configuration > base-package="org.keycloak.adapters.springsecurity" /> > > > > > > class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean"> > > > class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" > /> > class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" > /> > class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" > /> > class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter"> > ref="authenticationManager" /> > > > class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler"> > > > > class="org.springframework.security.web.authentication.logout.LogoutFilter"> > > > > > class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" > /> > > > > class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"> > > > > > > > entry-point-ref="keycloakAuthenticationEntryPoint"> > before="LOGOUT_FILTER" /> > before="FORM_LOGIN_FILTER" /> > > access="permitAll"/> > access="permitAll"/> > access="permitAll"/> > pattern="/users/password-forgotten/confirm-email" access="permitAll"/> > access="permitAll"/> > access="hasRole('ROLE_USER')"/> > > > > > Has anyone faced similar issues? > > Thanks, > Adrian > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
From mposolda at redhat.com Thu Jan 28 06:29:06 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Jan 2016 12:29:06 +0100
Subject: [keycloak-user] Keycloak Clustering
In-Reply-To:
References:
Message-ID: <56A9FB82.7010009@redhat.com>

You can try to use "-b 0.0.0.0" instead of "-b=0.0.0.0"

Marek

On 28/01/16 11:25, Revanth Ayalasomayajula wrote:
> Hi I am using keycloak1.5.0 and want to cluster it, I made the necessary changes to standalone-ha.xml.
>
> I am running the following command: ./standalone.sh --server-config=standalone-ha.xml -b=0.0.0.0
>
> I am getting the below error:
>
> Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
> at org.jgroups.util.Util.checkIfValidAddress(Util.java:3484)
> at org.jgroups.stack.Configurator.ensureValidBindAddresses(Configurator.java:903)
> at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:118)
> at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:57)
> at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:477)
> at org.jgroups.JChannel.init(JChannel.java:854)
> at org.jgroups.JChannel.(JChannel.java:159)
> at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:96)
> at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:93)
> at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:634)
> ... 7 more
>
> I changed my keycloak.json as per the documentation for clustering.
>
> Could you help me figure out what is the issue??
>
> On Wed, Jan 13, 2016 at 12:08 AM, Stian Thorgersen wrote:
>
> If you're saying you can only access it using localhost, then run it with "bin/standalone.sh -b 0.0.0.0" and it'll be bound to all interfaces.
>
> On 12 January 2016 at 16:26, Revanth Ayalasomayajula wrote:
>
> I mean, i am not able to access it using its public ip.
>
> On Tue, Jan 12, 2016 at 8:18 PM, Stian Thorgersen wrote:
>
> I don't know what you mean that you can't access from outside world, but if you're running a cluster you'll need a load balancer in front. Apache, Nginx or even Undertow would do that for you.
>
> You add nodes by just running more nodes on the same subnet and they'll discover themselves.
>
> On 12 January 2016 at 12:37, Revanth Ayalasomayajula wrote:
>
> Hi,
>
> I have a few applications that are using Keycloak 1.5 and I now want to cluster it. I had followed this link (https://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/clustering.html) but i am not able to access this server from outside world and I also wanted to know how I can add nodes to my cluster. Could anyone please help me out in this respect.
>
> Thanks.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From tech at psynd.net Thu Jan 28 06:32:30 2016
From: tech at psynd.net (tech at psynd.net)
Date: Thu, 28 Jan 2016 12:32:30 +0100
Subject: [keycloak-user] Keycloak - 2FA with SMS
Message-ID:

Dear team,

did anybody try already to implement the 2FA with keycloak? Is there any documentation that could be followed? I need to implement passwd + SMS token.

Thanks!
From mposolda at redhat.com Thu Jan 28 06:36:05 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Jan 2016 12:36:05 +0100
Subject: [keycloak-user] Keycloak - 2FA with SMS
In-Reply-To:
References:
Message-ID: <56A9FD25.6060402@redhat.com>

We have support for TOTP and HOTP, but not for SMS. You may need to create a custom Authenticator to support this. See the documentation of our Authentication SPI for more details.

Marek

On 28/01/16 12:32, tech at psynd.net wrote:
> Dear team,
>
> did anybody try already to implement the 2FA with keycloak? Is there any documentation that could be followed? I need to implement passwd + SMS token.
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From adrianmatei at gmail.com Thu Jan 28 07:23:50 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Thu, 28 Jan 2016 13:23:50 +0100
Subject: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
In-Reply-To: <56A9FB55.6050006@redhat.com>
References: <56A9FB55.6050006@redhat.com>
Message-ID:

Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting the same "This webpage has a redirect loop" message when trying to sign in with Google also...

On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda wrote:
> I suppose you're using Keycloak 1.7? There is a known issue related to this NoClassDefFoundError. You can work around it by editing the file $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml and adding the line:
>
> into the dependencies section. Same for module $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
>
> Marek
>
> On 28/01/16 06:47, Adrian Matei wrote:
>
> Hi everyone,
>
> I am experiencing "too many redirects"/infinite loop issues in the browser when I try to connect with social providers.
I am also getting > internal server error on Chrome via google account (Caused by: > java.lang.NoClassDefFoundError: > org/keycloak/broker/provider/BrokeredIdentityContext). It might be my > configuration, but I did everything "by the book": > > # realm Require SSL:none > > #nginx > http { > gzip on; > gzip_proxied any; > #gzip_proxied no-cache no-store private expired auth; > gzip_types text/plain text/html text/css application/json > application/x-javascript application/xml application/xml+rss > text/javascript application/javascript text/x-js; > #gzip_min_length 1000; > > > server_tokens off; #hides nginx version and OS running on > include /etc/nginx/mime.types; > > > upstream tomcat_server { > server localhost:8080; > } > upstream keycloak_server { > server localhost:8180; > } > > server { > listen 80; > server_name podcastmania.ro; > return 301 https://$host$request_uri; > } > > server { > > listen 443 ssl; > > server_name podcastmania.ro > www.podcastmania.ro; > > ssl_certificate /etc/nginx/ssl/nginx.crt; > ssl_certificate_key /etc/nginx/ssl/nginx.key; > location / { > root /opt/tomcat/webapps/ROOT; > try_files $uri /maintenance.html @tomcat; > } > > location @tomcat { > proxy_pass http://tomcat_server; > > proxy_set_header Host $host; #to change the "Host" header > set by default to $proxy_host to $host - the originating host request > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For > $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > } > > > location /auth/ { > root > /opt/keycloak/standalone/configuration/themes/keycloak/; > try_files $uri @keycloak; > } > > location @keycloak { > proxy_pass http://keycloak_server; > > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For > $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > proxy_set_header X-Forwarded-Port 443; > } > > > } > > > # standalone.xml > > > > 
> proxy-address-forwarding="true"*/>
> default-interface="public"
> port-offset="${jboss.socket.binding.port-offset:100}">
> port="${jboss.management.http.port:9990}"/>
> port="${jboss.management.https.port:9993}"/>
> * *
>
> # app:spring security configuration
>
> Has anyone faced similar issues?
>
> Thanks,
> Adrian
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jorsol at gmail.com Thu Jan 28 08:42:33 2016
From: jorsol at gmail.com (Jorge Solórzano)
Date: Thu, 28 Jan 2016 07:42:33 -0600
Subject: [keycloak-user] Keycloak Clustering
In-Reply-To: <56A9FB82.7010009@redhat.com>
References: <56A9FB82.7010009@redhat.com>
Message-ID:

I believe JGroups has problems trying to bind to all interfaces (with 0.0.0.0); you need to set the IP address you want to bind to for it to work properly. Setting -Djgroups.bind_addr=127.0.0.1 should also work.

Jorge Solórzano
http://www.jorsol.com

On Thu, Jan 28, 2016 at 5:29 AM, Marek Posolda wrote:
> You can try to use "-b 0.0.0.0" instead of "-b=0.0.0.0"
>
> Marek
>
> On 28/01/16 11:25, Revanth Ayalasomayajula wrote:
>
> Hi I am using keycloak1.5.0 and want to cluster it, I made the necessary changes to standalone-ha.xml.
> > I am running the following command: ./standalone.sh > --server-config=standalone-ha.xml -b=0.0.0.0 > > I am getting the below error: > > Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address > on any local network interface > at org.jgroups.util.Util.checkIfValidAddress(Util.java:3484) > at > org.jgroups.stack.Configurator.ensureValidBindAddresses(Configurator.java:903) > at > org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:118) > at > org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:57) > at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:477) > at org.jgroups.JChannel.init(JChannel.java:854) > at org.jgroups.JChannel.(JChannel.java:159) > at > org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:96) > at > org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:93) > at > org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:634) > ... 7 more > > I changed my keycloak.json as per the documentation for clustering. > > Could you help me figure out what is the issue?? > > On Wed, Jan 13, 2016 at 12:08 AM, Stian Thorgersen > wrote: > >> If you're saying you can only access it using localhost, then run it with >> "bin/standalone.sh -b 0.0.0.0" and it'll be bound to all interfaces. >> >> On 12 January 2016 at 16:26, Revanth Ayalasomayajula < >> revanth at arvindinternet.com> wrote: >> >>> I mean, i am not able to access it using it public ip. >>> >>> >>> >>> On Tue, Jan 12, 2016 at 8:18 PM, Stian Thorgersen >>> wrote: >>> >>>> I don't know what you mean that you can't access from outside world, >>>> but if you're running a cluster you'll need a load balance in front. >>>> Apache, Nginx or even Undertow would do that for you. >>>> >>>> You add nodes by just running more nodes on the same subnet and they'll >>>> discover themselves. 
>>>>
>>>> On 12 January 2016 at 12:37, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a few applications that are using Keycloak 1.5 and I now want to cluster it. I had followed this link (https://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/clustering.html) but i am not able to access this server from outside world and I also wanted to know how I can add nodes to my cluster. Could anyone please help me out in this respect.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Thu Jan 28 09:35:02 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Jan 2016 15:35:02 +0100
Subject: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
In-Reply-To:
References: <56A9FB55.6050006@redhat.com>
Message-ID: <56AA2716.1080706@redhat.com>

Does login through Google work if you don't use the nginx proxy? Is there anything in the log?

Marek

On 28/01/16 13:23, Adrian Matei wrote:
> Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting the same "This webpage has a redirect loop" message when trying to sign in with Google also...
> > On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda > wrote: > > I suppose you're using Keycloak 1.7? There is known issue related > to this NoClassDefFoundError . You can workaround it by edit file > $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml > and add the line: > > > > into dependencies section. Same for module > $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml > > Marek > > > > On 28/01/16 06:47, Adrian Matei wrote: >> Hi everyone, >> >> I am experimenting "too many redirects"/infinite loops issues in >> the browser when I try to connect with social providers. I am >> also getting internal server error on Chrome via google account >> (Caused by: java.lang.NoClassDefFoundError: >> org/keycloak/broker/provider/BrokeredIdentityContext). It might >> be my configuration, but I did everything "by the book": >> >> # realm Require SSL:none >> >> #nginx >> http { >> gzip on; >> gzip_proxied any; >> #gzip_proxied no-cache no-store private expired auth; >> gzip_types text/plain text/html text/css application/json >> application/x-javascript application/xml application/xml+rss >> text/javascript application/javascript text/x-js; >> #gzip_min_length 1000; >> >> >> server_tokens off; #hides nginx version and OS running on >> include /etc/nginx/mime.types; >> >> >> upstream tomcat_server { >> server localhost:8080; >> } >> upstream keycloak_server { >> server localhost:8180; >> } >> >> server { >> listen 80; >> server_name podcastmania.ro >> ; >> return 301 https://$host$request_uri; >> } >> >> server { >> >> listen 443 ssl; >> >> server_name podcastmania.ro >> www.podcastmania.ro >> ; >> >> ssl_certificate /etc/nginx/ssl/nginx.crt; >> ssl_certificate_key /etc/nginx/ssl/nginx.key; >> location / { >> root /opt/tomcat/webapps/ROOT; >> try_files $uri /maintenance.html @tomcat; >> } >> >> location @tomcat { >> proxy_pass http://tomcat_server >> ; >> >> proxy_set_header Host $host; 
#to change the >> "Host" header set by default to $proxy_host to $host - the >> originating host request >> proxy_set_header X-Real-IP $remote_addr; >> proxy_set_header X-Forwarded-For >> $proxy_add_x_forwarded_for; >> proxy_set_header X-Forwarded-Proto $scheme; >> } >> >> >> location /auth/ { >> root >> /opt/keycloak/standalone/configuration/themes/keycloak/; >> try_files $uri @keycloak; >> } >> >> location @keycloak { >> proxy_pass http://keycloak_server >> ; >> >> proxy_set_header Host $host; >> proxy_set_header X-Real-IP $remote_addr; >> proxy_set_header X-Forwarded-For >> $proxy_add_x_forwarded_for; >> proxy_set_header X-Forwarded-Proto $scheme; >> proxy_set_header X-Forwarded-Port 443; >> } >> >> >> } >> >> >> # standalone.xml >> >> >> >> > socket-binding="http" *redirect-socket="proxy-https" >> proxy-address-forwarding="true"*/> >> >> >> >> >> >> >> >> > default-interface="public" >> port-offset="${jboss.socket.binding.port-offset:100}"> >> > interface="management" port="${jboss.management.http.port:9990}"/> >> > interface="management" port="${jboss.management.https.port:9993}"/> >> >> >> > port="${jboss.https.port:8443}"/> >> >> >> * * >> >> >> >> >> >> # app:spring security configuration >> > base-package="org.keycloak.adapters.springsecurity" /> >> >> >> > ref="keycloakAuthenticationProvider" /> >> >> >> > class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean"> >> >> >> > class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint" >> /> >> > class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider" >> /> >> > class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter" >> /> >> > class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter"> >> > ref="authenticationManager" /> >> >> >> > class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler"> >> >> >> >> > 
>> class="org.springframework.security.web.authentication.logout.LogoutFilter">
>> class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
>> class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
>> entry-point-ref="keycloakAuthenticationEntryPoint">
>> before="LOGOUT_FILTER" />
>> ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER" />
>> access="permitAll"/>
>> pattern="/users/registration/confirm-email" access="permitAll"/>
>> access="permitAll"/>
>> access="permitAll"/>
>> pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
>> pattern="/users/password-forgotten/confirmed" access="permitAll"/>
>> access="hasRole('ROLE_USER')"/>
>> position="LOGOUT_FILTER" />
>>
>> Has anyone faced similar issues?
>>
>> Thanks,
>> Adrian
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Edgar at info.nl Thu Jan 28 10:21:19 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Thu, 28 Jan 2016 15:21:19 +0000
Subject: [keycloak-user] Missing client roles to view and manage groups?
Message-ID:

Hi,

(oops, sent this to the keycloak-dev mailing list by mistake earlier..)

It seems there are no client roles to view and manage groups in Keycloak? I expected to see view-groups and manage-groups roles just like view-users and view-groups.

Our case is that we want to have "functional admin" users that are allowed to manage users and groups within their realm (and nothing else).
I have now created such a functional admin user with the following client roles in this particular realm:
- view-events
- manage-users
- view-users
- impersonation

When I log in as this functional admin user I can manage users fine, however I cannot manage groups. I do see the "Manage Groups" menu item in the admin console but when I click on it I get a "Forbidden. You don't have access to the requested resource." and in the logs we see:

4:59:19,950 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException
at org.keycloak.services.resources.admin.RealmAuth.requireView(RealmAuth.java:53)
at org.keycloak.services.resources.admin.GroupsResource.getGroups(GroupsResource.java:72)
at sun.reflect.GeneratedMethodAccessor664.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)

Is the absence of roles for viewing and managing groups a shortcoming in Keycloak? If so, shall I create a JIRA ticket for it?

cheers
Edgar

From bburke at redhat.com Thu Jan 28 10:39:56 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 28 Jan 2016 10:39:56 -0500
Subject: [keycloak-user] Missing client roles to view and manage groups?
In-Reply-To:
References:
Message-ID: <56AA364C.2060204@redhat.com>

I'll log a jira

On 1/28/2016 10:21 AM, Edgar Vonk - Info.nl wrote:
> Hi,
>
> (oops, sent this to the keycloak-dev mailing list by mistake earlier..)
>
> It seems there are no client roles to view and manage groups in Keycloak? I expected to see view-groups and manage-groups roles just like view-users and view-groups.
>
> Our case is that we want to have "functional admin" users that are allowed to manage users and groups within their realm (and nothing else).
>
> I have now created such a functional admin user with the following client roles in this particular realm:
> - view-events
> - manage-users
> - view-users
> - impersonation
>
> When I log in as this functional admin user I can manage users fine, however I cannot manage groups. I do see the "Manage Groups" menu item in the admin console but when I click on it I get a "Forbidden. You don't have access to the requested resource."
and in the logs we see: > > 4:59:19,950 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException > at org.keycloak.services.resources.admin.RealmAuth.requireView(RealmAuth.java:53) > at org.keycloak.services.resources.admin.GroupsResource.getGroups(GroupsResource.java:72) > at sun.reflect.GeneratedMethodAccessor664.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > > > Is the absence of roles for viewing and managing groups a shortcoming in Keycloak? If so, shall I create a JIRA ticket for it? 
>
> cheers
>
> Edgar
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Thu Jan 28 10:40:47 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 28 Jan 2016 10:40:47 -0500
Subject: [keycloak-user] Missing client roles to view and manage groups?
In-Reply-To:
References:
Message-ID: <56AA367F.4020305@redhat.com>

https://issues.jboss.org/browse/KEYCLOAK-2408

On 1/28/2016 10:21 AM, Edgar Vonk - Info.nl wrote:
> It seems there are no client roles to view and manage groups in Keycloak? I expected to see view-groups and manage-groups roles just like view-users and view-groups.
>
> Our case is that we want to have "functional admin" users that are allowed to manage users and groups within their realm (and nothing else).
>
> I have now created such a functional admin user with the following client roles in this particular realm:
> - view-events
> - manage-users
> - view-users
> - impersonation
>
> When I log in as this functional admin user I can manage users fine, however I cannot manage groups. I do see the "Manage Groups" menu item in the admin console but when I click on it I get a "Forbidden. You don't have access to the requested resource."
and in the logs we see: > > 4:59:19,950 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException > at org.keycloak.services.resources.admin.RealmAuth.requireView(RealmAuth.java:53) > at org.keycloak.services.resources.admin.GroupsResource.getGroups(GroupsResource.java:72) > at sun.reflect.GeneratedMethodAccessor664.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > > > Is the absence of roles for viewing and managing groups a shortcoming in Keycloak? If so, shall I create a JIRA ticket for it? 
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From glavoie at gmail.com Thu Jan 28 13:22:26 2016
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Thu, 28 Jan 2016 13:22:26 -0500
Subject: [keycloak-user] Very slow export/import of realms
Message-ID:

Hi,

I am currently having issues with very slow export/import of realms with a large number of users (10K). Both operations take ~10 minutes each. After digging in the KeyCloak code, I've found out that a lot of "flush" is done at the Hibernate/JPA level (at least 4-5 times per user).

*Export:*

For the export, there are 4 very slow queries in ExportUtils.exportUser() (https://github.com/keycloak/keycloak/blob/7895eb6a3dd7e4abc16dd401066bd08ed8075ffb/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java):
* Set socialLinks = session.users().getFederatedIdentities(user, realm);
* Set roles = user.getRoleMappings();
* List consents = user.getConsents();
* for (GroupModel group : user.getGroups()) {

They seem to be caused by Hibernate forcing a flush by default in "getResultList()". As a workaround I told Hibernate to flush only on commit of the transaction through "-Dorg.hibernate.flushMode=COMMIT" and the export time came down to *~20 seconds*. Could there be any issue with changing the flush mode only for the export? Data shouldn't change in the database at this moment and queries shouldn't return stale data.

*Import:*

For the import it seems that changing the flushMode isn't sufficient. It should likely not be done. However, I found a few places in the keycloak-model-jpa module where entities are created, persisted, then em.flush() and em.detach() are called right away without the entity being returned (ex: UserAdapter.grantRole() - https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/models/jpa/UserAdapter.java). If I remove all those flush/detach calls, the import process goes down to *~50 seconds*.
What is the reason for flushing every time an entity is created rather than letting JPA/Hibernate do it when necessary?

Thank you,

Gabriel
--
Gabriel Lavoie
glavoie at gmail.com

From adrianmatei at gmail.com Thu Jan 28 15:12:10 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Thu, 28 Jan 2016 21:12:10 +0100
Subject: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
In-Reply-To: <56AA2716.1080706@redhat.com>
References: <56A9FB55.6050006@redhat.com> <56AA2716.1080706@redhat.com>
Message-ID:

Hi Marek,

Everything works fine with both fb and google logins via nginx as reverse proxy, as long as I do everything over HTTP. Once I switch to HTTPS, I get either "Invalid parameter:redirect_uri" (the redirect_uri query parameter is generated with *http, not https* in the navigation bar) before reaching the login form dialog, or the redirect loops (fb login), or "Error: redirect_uri_mismatch" with google login if I manage to get past that...

In the realm client configuration I've added both https://podcastmania.ro/* and http://podcastmania.ro/* as valid redirect URIs.

Note: the builtin account application can be accessed correctly both with fb and google via https too...

I guess the next step would be to try to secure also the channel between nginx and keycloak, but that shouldn't be mandatory, right?...

Thanks,
Adrian

On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda wrote:
> Does login through Google work if you don't use nginx proxy? Is there
> anything in the log?
>
> Marek
>
>
> On 28/01/16 13:23, Adrian Matei wrote:
> > Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting
> > the same "This webpage has a redirect loop" message when trying to sign in
> > with Google also...
> >
> > On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda wrote:
> >> I suppose you're using Keycloak 1.7? There is a known issue related to this
> >> NoClassDefFoundError. You can work around it by editing the file
> >> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
> >> and add the line:
> >>
> >>
> >>
> >> into the dependencies section. Same for module
> >> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
> >>
> >> Marek
> >>
> >> On 28/01/16 06:47, Adrian Matei wrote:
> >>
> >> Hi everyone,
> >>
> >> I am experiencing "too many redirects"/infinite loop issues in the
> >> browser when I try to connect with social providers. I am also getting
> >> internal server error on Chrome via google account (Caused by:
> >> java.lang.NoClassDefFoundError:
> >> org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
> >> configuration, but I did everything "by the book":
> >>
> >> # realm Require SSL: none
> >>
> >> # nginx
> >> http {
> >>     gzip on;
> >>     gzip_proxied any;
> >>     #gzip_proxied no-cache no-store private expired auth;
> >>     gzip_types text/plain text/html text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
> >>     #gzip_min_length 1000;
> >>
> >>     server_tokens off; #hides nginx version and OS running on
> >>     include /etc/nginx/mime.types;
> >>
> >>     upstream tomcat_server {
> >>         server localhost:8080;
> >>     }
> >>     upstream keycloak_server {
> >>         server localhost:8180;
> >>     }
> >>
> >>     server {
> >>         listen 80;
> >>         server_name podcastmania.ro;
> >>         return 301 https://$host$request_uri;
> >>     }
> >>
> >>     server {
> >>         listen 443 ssl;
> >>         server_name podcastmania.ro www.podcastmania.ro;
> >>
> >>         ssl_certificate /etc/nginx/ssl/nginx.crt;
> >>         ssl_certificate_key /etc/nginx/ssl/nginx.key;
> >>
> >>         location / {
> >>             root /opt/tomcat/webapps/ROOT;
> >>             try_files $uri /maintenance.html @tomcat;
> >>         }
> >>
> >>         location @tomcat {
> >>             proxy_pass http://tomcat_server;
> >>             proxy_set_header Host $host; #to change the "Host" header set by default to $proxy_host to $host - the originating host request
> >>             proxy_set_header X-Real-IP $remote_addr;
> >>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >>             proxy_set_header X-Forwarded-Proto $scheme;
> >>         }
> >>
> >>         location /auth/ {
> >>             root /opt/keycloak/standalone/configuration/themes/keycloak/;
> >>             try_files $uri @keycloak;
> >>         }
> >>
> >>         location @keycloak {
> >>             proxy_pass http://keycloak_server;
> >>             proxy_set_header Host $host;
> >>             proxy_set_header X-Real-IP $remote_addr;
> >>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >>             proxy_set_header X-Forwarded-Proto $scheme;
> >>             proxy_set_header X-Forwarded-Port 443;
> >>         }
> >>     }
> >> }
> >>
> >> # standalone.xml
> >>
> >> proxy-address-forwarding="true"
> >>
> >> default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}"
> >> port="${jboss.management.http.port:9990}"
> >> port="${jboss.management.https.port:9993}"
> >>
> >> # app: spring security configuration
> >>
> >> Has anyone faced similar issues?
> >>
> >> Thanks,
> >> Adrian
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >

From lskierkowski at bluesoft.net.pl Thu Jan 28 15:20:02 2016
From: lskierkowski at bluesoft.net.pl (Łukasz Skierkowski)
Date: Thu, 28 Jan 2016 21:20:02 +0100
Subject: [keycloak-user] LDAP Federation - synchronization on cluster error
Message-ID:

Hello,

Has anyone had a problem with synchronization on JBoss cluster?
Recently I've noticed that some synchronizations end with an error:

*javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1*

If synchronization is started manually there is no problem with the feature.

I think that it can be a problem with scheduled job synchronization on a cluster. BasicTimerProvider uses simple, not synchronized java timers and it can cause a race condition on the database.

Lukasz Skierkowski

From mposolda at redhat.com Thu Jan 28 15:26:19 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Jan 2016 21:26:19 +0100
Subject: [keycloak-user] Very slow export/import of realms
In-Reply-To:
References:
Message-ID: <56AA796B.1010609@redhat.com>

Thanks for reporting this. Could you please create a JIRA and describe your findings? We didn't yet try to test export/import with a bigger number of users, so didn't spot this yet.

I think the only reason for the redundant flush/detach calls is that "something" didn't work as expected (maybe even just during the development phase) and flush helped to solve the issue. This doesn't mean that it's necessarily correct. Now we are close to the "feature freeze" and we will probably look at performance tuning. So we will likely look at this issue too.

Btv. are you using the default H2 database or something else? Could you please mention this in the JIRA too?

Thanks,
Marek

On 28/01/16 19:22, Gabriel Lavoie wrote:
> Hi,
> I am currently having issues with very slow export/import of
> realms with a large number of users (10K). Both operations take ~10
> minutes each.
>
> After digging in the KeyCloak code, I've found out that a lot of
> "flush" is done at the Hibernate/JPA level (at least 4-5 times per user).
>
> _Export:_
> For the export, there are 4 very slow queries in
> ExportUtils.exportUser()
> (https://github.com/keycloak/keycloak/blob/7895eb6a3dd7e4abc16dd401066bd08ed8075ffb/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java):
> * Set socialLinks = session.users().getFederatedIdentities(user, realm);
> * Set roles = user.getRoleMappings();
> * List consents = user.getConsents();
> * for(GroupModel group : user.getGroups()) {
>
> They seem to be caused by Hibernate that forces a flush by default in
> "getResultList()". As a workaround I told Hibernate to flush only on
> commit of the transaction through "-Dorg.hibernate.flushMode=COMMIT"
> and the export time came down to _~20 seconds_.
>
> Could there be any issue of changing the flush mode only for the
> export? Data shouldn't change in the database at this moment and
> queries shouldn't return stale data.
>
> _Import:_
> For the import it seems that changing the flushMode isn't sufficient.
> It should likely not be done. However, I found a few places in the
> keycloak-model-jpa module where entities are created, persisted, then
> em.flush() and em.detach() is called right away without the entity
> being returned (ex: UserAdapter.grantRole() -
> https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/models/jpa/UserAdapter.java).
>
> If I remove all those flush/detach calls, the import process goes down
> to _~50 seconds_. What is the reason for flushing every time an entity
> is created rather than letting JPA/Hibernate do it when necessary?
>
> Thank you,
>
> Gabriel
> --
> Gabriel Lavoie
> glavoie at gmail.com
From mposolda at redhat.com Thu Jan 28 15:29:04 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 Jan 2016 21:29:04 +0100
Subject: [keycloak-user] LDAP Federation - synchronization on cluster error
In-Reply-To:
References:
Message-ID: <56AA7A10.5000005@redhat.com>

Can you please create a JIRA for this? Also please attach the whole exception stacktrace if possible.

Maybe it will help if you use a smaller "Batch size", but not sure...

Marek

On 28/01/16 21:20, Łukasz Skierkowski wrote:
> Hello,
>
> Has anyone had a problem with synchronization on JBoss cluster?
>
> Recently I've noticed that some synchronizations end with an error:
>
> /javax.persistence.OptimisticLockException: Batch update returned
> unexpected row count from update [0]; actual row count: 0; expected: 1 /
>
> If synchronization is started manually there is no problem with the
> feature.
>
> I think that it can be a problem with scheduled job synchronization on
> a cluster. BasicTimerProvider uses simple, not synchronized java timers
> and it can cause a race condition on the database.
>
> Lukasz Skierkowski

From RLewis at carbonite.com Thu Jan 28 16:26:54 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Thu, 28 Jan 2016 21:26:54 +0000
Subject: [keycloak-user] External Username, Password, Email...
dataset with Keycloak
In-Reply-To: <56A9F7B3.60705@redhat.com>
References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> <1CAAD48A-2E51-4FE7-AA6A-7A3634B9E5E5@carbonite.com> <56A9F7B3.60705@redhat.com>
Message-ID: <6BEA3420-05E6-4474-8DCF-85A38F8755DE@carbonite.com>

I modified the Keycloak code directly in the method you mentioned, recompiled the whole package, and attempted to use it.

The issue now is that when I log in using an external Identity provider, and have a User Federation defined, I still get called in my user federation with the username that is from the IDP. Plus the login screen shows me a screen with "ACCOUNT ALREADY EXISTS" and an option to review the profile info or Link Google with existing account. The account does not exist before starting the login process.

Thank you for all your help in getting this working.

I am attempting to use 1.8RC3 BTW.

Reed

From: Marek Posolda
Date: Thursday, January 28, 2016 at 6:12 AM
To: Reed Lewis, Scott Rossillo
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak

Hi,

If you're using Keycloak version 1.7 or later, you can create a new "firstBrokerLogin" flow and replace the "Create User If Unique" authenticator with your own implementation. You can create a subclass of IdpCreateUserIfUniqueAuthenticator and override the method "checkExistingUser" to not look for the username at the federation provider. It can be done if you use:

context.getSession().userStorage().getUserByUsername(username, context.getRealm());

instead of:

context.getSession().users().getUserByUsername(username, context.getRealm());

Same for email checking. In that case if you login with user "john" from an external identity provider, the authenticator won't try to find this "john" user in your external federation provider, but just in the Keycloak DB. Is this what you are trying to achieve?

Btv. As pointed already, the keycloak username for a user registered from an external IDP looks like "google.john" by default. You can change this behaviour to use an identity provider mapper for the username, which allows you to change the username template and remove the broker prefix from that. So Keycloak will treat this username as "john". In 1.9 we plan to remove the broker prefix by default and we will always just use the username from the broker, because the "first login flow" added in Keycloak 1.7 allows us to easily resolve username conflicts. Corresponding JIRA is: https://issues.jboss.org/browse/KEYCLOAK-2292

Marek

On 27/01/16 21:28, Reed Lewis wrote:
It looks like no matter which External IDP I use, it always checks the federation provider also which is not something that I think wants to be done. Is this a bug in the Keycloak software? So it looks like one cannot do external IDP and federation at the same time. This should be fixed.

Reed

From: Scott Rossillo
Date: Wednesday, January 27, 2016 at 1:02 PM
To: Reed Lewis <RLewis at carbonite.com>
Cc: Thomas Darimont, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak

I think that's a more general question about user account merging so maybe one of the core devs can chime in. However, I just want to clarify, you don't want to query the federation provider at all when a user signs in with an external IDP, right? In that case, you could modify the findByUsername() method to not create a user if the login is with an IDP. I'm not sure if it still exists in 1.7+ but the username used to be created as idp.email at provider.com where the IDP is the username prefix.

Does that make sense / sufficiently address the use case?

~ Scott

On Jan 27, 2016, at 12:34 PM, Reed Lewis wrote:
This is working for me now. I created a service that listens on a port and implements the GET, HEAD and POST requests that are being made. The one issue now is that integration with other Identity providers does not work now since it still calls my server with the username from the external provider. How can I tell Keycloak that when a user comes from an external Identity provider not to check the user Federation provider?

Thank you,
Reed Lewis

From: Scott Rossillo <srossillo at smartling.com>
Date: Friday, January 15, 2016 at 4:42 PM
To: Thomas Darimont, Reed Lewis
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak

We just put up a blog post[0] and some sample code[1] on how to do this type of migration.

[0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
[1]: https://github.com/Smartling/keycloak-user-migration-provider

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

On Jan 15, 2016, at 11:06 AM, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
Hello Reed,

as you already wrote, you can write a federation provider that queries your backend service via REST for user data. Within the federation provider you can then import the user data returned from the REST call.

This would work as follows - within the method:
org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String)
you call your backend REST service. As a next step you create a new user with the given username:
UserModel keycloakUser = session.userStorage().addUser(realm, username);
Then you copy all the user data from your backend into Keycloak's UserModel. After that your backend user has a corresponding representation in Keycloak with a reference to this federation provider (id) via the "userModel.federationLink" property. The federation link will also be shown in the user page in the keycloak admin console. As long as the federation link is in place keycloak will ask the federation provider for the latest user data.

Once you decide to cut the link to the federation provider you can simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation link right after you added the user to Keycloak. Keycloak has no link information after that anymore and it will only use the user data stored in the Keycloak database for that particular user.

You also have the option to do that for all your users via:
org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)
or just use on demand per User when he / she wants to login for the first time.

Cheers,
Thomas

2016-01-15 16:16 GMT+01:00 Reed Lewis:
Hi,

We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data "live" in KeyCloak and never refer to the external datasource again once the account is "migrated" into KeyCloak.

Can this be done with some modification of federation? We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.

Thank you,
Reed Lewis
From RLewis at carbonite.com Thu Jan 28 16:38:00 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Thu, 28 Jan 2016 21:38:00 +0000
Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak
In-Reply-To: <6BEA3420-05E6-4474-8DCF-85A38F8755DE@carbonite.com>
References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> <1CAAD48A-2E51-4FE7-AA6A-7A3634B9E5E5@carbonite.com> <56A9F7B3.60705@redhat.com> <6BEA3420-05E6-4474-8DCF-85A38F8755DE@carbonite.com>
Message-ID: <64801E2E-4DE1-40E8-BA8F-AD5A06EC8E25@carbonite.com>

More information:

I tried all three options for Authentication -> First Broker Login -> Create User if Unique:

With "Alternative" I get the behavior below.

With "Required" I get "User with email xxx at gmail.com already exists. Please login to account management to link the account." and the account is created without a link to Google.

With "Disabled" I get "Invalid username or password" and the account is never created at all in Keycloak.

Thank you.

Reed

From: Reed Lewis
Date: Thursday, January 28, 2016 at 4:26 PM
To: Marek Posolda, Scott Rossillo
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak

I modified the Keycloak code directly in the method you mentioned, recompiled the whole package, and attempted to use it.

The issue now is that when I log in using an external Identity provider, and have a User Federation defined, I still get called in my user federation with the username that is from the IDP. Plus the login screen shows me a screen with "ACCOUNT ALREADY EXISTS" and an option to review the profile info or Link Google with existing account. The account does not exist before starting the login process.

Thank you for all your help in getting this working.
I am attempting to use 1.8RC3 BTW.

Reed

From RLewis at carbonite.com Thu Jan 28 17:36:45 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Thu, 28 Jan 2016 22:36:45 +0000
Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak
In-Reply-To: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com>
References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com>
Message-ID:

It looks like when the User Federation is enabled, Keycloak cannot add a user to the system at all. I always get an error. So the question is the following:

When a user is presented the login screen there are four flows:
1.
The user clicks Google/Facebook/etc. and is sent off to the appropriate site, and then returns back to Keycloak and an account is created correctly
2. The user creates an account directly on Keycloak and it is created correctly
3. The user has no account on Keycloak but does have an account on a system that we control and can directly verify username/password, and we wish to create an account in Keycloak that is wholly owned by Keycloak
4. The user has an account on Keycloak and logs in directly.

Is this possible?

Reed
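The migration pattern Thomas describes earlier in this thread (look the user up in the external store, import it, cut the federation link) and the four login paths Reed lists above, as one added example that is not part of this thread and not Keycloak's code. It is a language-agnostic model written in Python, not the Keycloak federation SPI: `LegacyBackend`, `UserStore`, `LoginService`, `AccountConflict` and the sample accounts are assumptions made up here. Two decisions in it are the ones a practitioner would want to check: a brokered login (path 1) never consults the legacy backend, and an IdP-asserted e-mail that matches an existing account raises a conflict for explicit linking instead of silently merging the two accounts.

```python
# Added example, not Keycloak code: a toy model of migrate-on-first-login next to
# brokered logins. LegacyBackend, UserStore, LoginService, AccountConflict and
# the sample accounts are assumptions made up for this example.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class User:
    username: str
    email: str
    salt: Optional[bytes] = None            # None for broker-only accounts
    pw_hash: Optional[bytes] = None         # PBKDF2-HMAC-SHA256 in the new store
    federation_link: Optional[str] = None   # None: wholly owned by the new store
    identity_links: Set[Tuple[str, str]] = field(default_factory=set)  # (provider, subject)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class LegacyBackend:
    """Stand-in for the external REST account service (constructed sample data).
    It holds unsalted SHA-1 hashes, the kind of scheme one migrates away from."""

    def __init__(self) -> None:
        self._rows = {
            "alice": ("alice@example.com", hashlib.sha1(b"correct horse").hexdigest()),
        }

    def verify(self, username: str, password: str) -> Optional[str]:
        """Return the account's e-mail when the password matches, else None."""
        row = self._rows.get(username)
        if row is None:
            return None
        email, legacy_hash = row
        candidate = hashlib.sha1(password.encode("utf-8")).hexdigest()
        return email if hmac.compare_digest(candidate, legacy_hash) else None


class UserStore:
    """The store the new IdP owns (an in-memory dict here)."""

    def __init__(self) -> None:
        self._by_name = {}

    def add(self, user: User) -> User:
        if user.username in self._by_name or self.by_email(user.email) is not None:
            raise ValueError("duplicate account")
        self._by_name[user.username] = user
        return user

    def by_username(self, username: str) -> Optional[User]:
        return self._by_name.get(username)

    def by_email(self, email: str) -> Optional[User]:
        return next((u for u in self._by_name.values() if u.email == email), None)

    def by_identity_link(self, provider: str, subject: str) -> Optional[User]:
        return next((u for u in self._by_name.values()
                     if (provider, subject) in u.identity_links), None)


class AccountConflict(Exception):
    """Raised instead of auto-merging: the user must link the accounts explicitly."""


class LoginService:
    def __init__(self, store: UserStore, legacy: LegacyBackend) -> None:
        self.store, self.legacy = store, legacy

    def register(self, username: str, email: str, password: str) -> User:
        # Path 2: direct registration, hashed with the new scheme from the start.
        salt = os.urandom(16)
        return self.store.add(User(username, email, salt, _pbkdf2(password, salt)))

    def password_login(self, username: str, password: str) -> Optional[User]:
        user = self.store.by_username(username)
        if user is not None:
            # Path 4: the account is already owned by the new store.
            if user.pw_hash is None:
                return None  # broker-only account, there is no password to check
            ok = hmac.compare_digest(_pbkdf2(password, user.salt), user.pw_hash)
            return user if ok else None
        # Path 3: unknown locally. Verify against the legacy service once, then
        # import with a fresh salt and hash and no federation link, so the
        # legacy store is never consulted again for this user.
        email = self.legacy.verify(username, password)
        if email is None:
            return None
        salt = os.urandom(16)
        return self.store.add(User(username, email, salt, _pbkdf2(password, salt),
                                   federation_link=None))

    def broker_login(self, provider: str, subject: str, username: str, email: str) -> User:
        # Path 1: identity asserted by an external IdP. The legacy backend is
        # deliberately not consulted; the IdP username is not a legacy credential.
        linked = self.store.by_identity_link(provider, subject)
        if linked is not None:
            return linked
        if self.store.by_username(username) or self.store.by_email(email):
            # A matching e-mail is not proof of ownership: require an explicit link step.
            raise AccountConflict(f"{username} / {email} already exists; link explicitly")
        return self.store.add(User(username, email, identity_links={(provider, subject)}))
```

Path 3 checks the password against the legacy hash exactly once and then stores a fresh PBKDF2 hash, so the legacy SHA-1 value never enters the new store and the external service is not called again for that user; the conflict raised in path 1 is the model's equivalent of the "account already exists" step Reed sees, which is the safe default when an e-mail address alone is the only link between two accounts.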
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160128/333f3a1b/attachment.html

From jstrathern at gmail.com Thu Jan 28 18:39:09 2016 From: jstrathern at gmail.com (Joe Strathern) Date: Thu, 28 Jan 2016 16:39:09 -0700 Subject: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario In-Reply-To: References: Message-ID: In light of this, I have found an acceptable solution on my end that will hopefully help other users who encounter this issue. When the request comes in from http://external-hostname, I grab the token from it as before; however, I also look at the HTTP session and take the external hostname, port, and scheme (http vs https). I then use those values instead of http://internal-hostname/... for my next hop. In this way, I essentially reach "outside" the proxy for the next jump, retrieve the external values from inside the proxy, and redirect the token with the same host to pass through keycloak. While it requires that external-hostname is able to be resolved from inside the proxy, it prevents the need to store the host name value(s) in order to make the next hop, and allows some flexibility in host name granted by a relative auth-server-url. Thanks, Joe On Wed, Jan 27, 2016 at 3:08 AM, Stian Thorgersen wrote: > It can't be done. What you are asking for is that the adapter when > receiving the request on the internal IP is somehow going to be able to > resolve the relative auth-server-url which is using the external domain. > Unless you tell it what the external domain is it won't know. > > On 27 January 2016 at 02:51, Doug Szeto wrote: > >> +1 Joe's request. >> In larger deployments with reverse proxies, we control the request url >> and hostname and ip visible to the keycloak server, so internal IP address >> concerns are less of an issue.
>> >> From: on behalf of Stian >> Thorgersen >> Reply-To: "stian at redhat.com" >> Date: Tuesday, January 26, 2016 at 6:43 PM >> To: Joe Strathern >> Cc: keycloak-user >> Subject: Re: [keycloak-user] Passing External URL Bearer Token to >> Interior Proxy URL in Multi-Hop scenario >> >> You can't. Relative url uses the request url, and when it's using an >> internal IP address/domain that'll end up being the request url, which will >> be wrong in your case. >> >> On 25 January 2016 at 23:27, Joe Strathern wrote: >> >>> Stian, >>> >>> Thank you for the reply. >>> While changing the auth-server-url to an absolute URL ( >>> http://external-hostname/auth) for all adapters allowed the token to be >>> passed successfully, the relative URI optimization ( >>> http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization) >>> for the auth-server-url is very important functionality I need access to. >>> By leaving */auth* as the auth-server-url, I can access the secured >>> resources by case-insensitive host name, host ip address, http vs https and >>> more, all of which are lost by having to switch to an absolute URL. >>> >>> How can I retain the relative URL for auth-server-url, allowing my >>> required external requests to pass through keycloak, while allowing the >>> internal requests and hops to use the auth-server-url-for-backend-requests >>> absolute URL to authenticate? >>> >>> Thanks, >>> Joe >>> >>> On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen >>> wrote: >>> >>>> You'd need to make sure all adapters are configured with the same. >>>> http://external-hostname/auth needs to be the auth-server-url on all >>>> adapters. >>>> >>>> On 21 January 2016 at 23:00, Joe Strathern >>>> wrote: >>>> >>>>> Stian >>>>> Thank you for your response. >>>>> I am using your Wildfly adapter to secure my WAR. 
As it is contained >>>>> in a cluster environment with a load balancing proxy, I updated my adapter >>>>> to have the following settings, much like the example provided at >>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization >>>>> : >>>>> { >>>>> ... >>>>> "auth-server-url": "/auth", >>>>> >>>>> "auth-server-url-for-backend-requests": "http:/internal-hostname/auth", >>>>> ... >>>>> } >>>>> >>>>> The auth-server-url is still working as expected for the external >>>>> request, however I am still getting the same 401 error, caused by the >>>>> mismatching Token audience and Domain when I try to make the hop with my >>>>> new HTTP request. >>>>> As I'm using Keycloak 1.7.0.Final currently, I downloaded the source >>>>> and debugged, looking for a bit more insight as to what may be occurring. >>>>> >>>>> I noticed that the URL Keycloak is retrieving to compare against the >>>>> token, is retrieving it from the realmInfoUrl variable of the >>>>> KeyCloakDeployment object. This variable is unaffected by the >>>>> auth-server-url-for-backend-requests option. (Instead it affects numerous >>>>> other URL variables stored). Therefore, the realmInfoURL remains >>>>> http://external-hostname/auth. >>>>> >>>>> Then the error occurs as (in this case), the RSATokenVerifier directly >>>>> compares this Realm URL against the Token Issuer, which differ due to hostname >>>>> (external vs internal, as before). >>>>> >>>>> Is there an additional configuration, or concept I am missing to >>>>> correct this workflow? >>>>> >>>>> Thanks, >>>>> Joe >>>>> >>>>> On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen >>>> > wrote: >>>>> >>>>>> Assuming you are using our adapters there are two separate urls to >>>>>> configure: "auth-server-url" is the external >>>>>> one, auth-server-url-for-backend-requests is the internal one. See >>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config >>>>>> for more details.
>>>>>> >>>>>> On 19 January 2016 at 22:20, Joe Strathern >>>>>> wrote: >>>>>> >>>>>>> Hello Keycloak Community >>>>>>> >>>>>>> I am looking for some assistance on how to pass a Keycloak bearer >>>>>>> token in the multi-hop scenario, where the keycloak instance is inside a >>>>>>> proxy environment, the next hop is within the proxy, and the original >>>>>>> request came from outside of that environment. >>>>>>> >>>>>>> For instance, the original request goes to >>>>>>> http://external-hostname/auth, where external-hostname is a proxy >>>>>>> system. Login is successful, and I receive a Bearer Token with Token issuer >>>>>>> - http://external-hostname/auth/realms/My_Realm. >>>>>>> >>>>>>> Now I need to take that token from the HTTP request, and attach it >>>>>>> to a new request from inside the proxy. I do so, redirecting to >>>>>>> http://interior-hostname/API, secured by the same Keycloak. Using >>>>>>> "external-hostname" as host once more is not an option, as we are within >>>>>>> the proxied environment. However, submitting the hop HTTP request, I am >>>>>>> met with the error: >>>>>>> >>>>>>> *Failed to verify token: org.keycloak.common.VerificationException: >>>>>>> Token audience doesn't match domain. Token issuer >>>>>>> is http://external-hostname/auth/realms/My_Realm >>>>>>> , but URL from configuration >>>>>>> is http://internal-hostname/auth/realms/My_Realm >>>>>>> * >>>>>>> >>>>>>> The token is rejected (Since the hostnames are not the exact same), >>>>>>> however external-hostname and internal-hostname are the same machine. >>>>>>> >>>>>>> Is there a way that Keycloak can identify these hostnames as >>>>>>> equivalent to accept the token, or another policy that should be followed >>>>>>> in this situation?
>>>>>>> >>>>>>> Thanks, >>>>>>> Joe >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160128/9dca9881/attachment-0001.html

From bburke at redhat.com Thu Jan 28 23:34:07 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 28 Jan 2016 23:34:07 -0500 Subject: [keycloak-user] saml client adapter changes incoming in 1.9 Message-ID: <56AAEBBF.6040903@redhat.com> FYI, heads up: A major change to our Keycloak saml client adapter is coming (PR building right now). Basically you'll need to register a specific endpoint with your IDPs. Before it was really any secure URL. You must now register /saml. i.e. https://example.com//saml The reason for this is that SAML POST binding would eat the HttpRequest input stream for any secured URL. This can be bad if you are uploading to a secure URL :) -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From malmi.suh at gmail.com Fri Jan 29 00:35:46 2016 From: malmi.suh at gmail.com (Malmi Samarasinghe) Date: Fri, 29 Jan 2016 11:05:46 +0530 Subject: [keycloak-user] Assign Role Fails Just After Creating the Role Message-ID: Hi Everyone, In my application we create, retrieve and assign a role subsequently, and it seems that even for a small load (2-3 threads) with the realm cache enabled option, the assign realm role call fails due to a "role not exist" error and 404 is returned from keycloak. With the realm cache disabled option the load works fine. Please get back to me if you have any information on any other option we can follow to get this issue sorted or on what action the realm cache will be persisted to DB.
Regards, Malmi -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160129/ffc8c842/attachment.html

From malmi.suh at gmail.com Fri Jan 29 00:58:50 2016 From: malmi.suh at gmail.com (Malmi Samarasinghe) Date: Fri, 29 Jan 2016 11:28:50 +0530 Subject: [keycloak-user] Assign Role Fails Just After Creating the Role Message-ID: Hi Everyone, In my application we create, retrieve and assign a role subsequently, and it seems that even for a small load (2-3 threads) with the realm cache enabled option, the assign realm role call fails due to a "role not exist" error and 404 is returned from keycloak. With the realm cache disabled option the load works fine. Please get back to me if you have any information on any other option we can follow to get this issue sorted or on what action the realm cache will be persisted to DB. Regards, Malmi -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160129/aa33abf6/attachment.html

From lingvisa at gmail.com Fri Jan 29 02:27:00 2016 From: lingvisa at gmail.com (Martin Min) Date: Thu, 28 Jan 2016 23:27:00 -0800 Subject: [keycloak-user] Google social login in Message-ID: Hi, I am configuring Keycloak google login. On Google Developer Console, there is a field: Authorized redirect URI with the format: http://{host}:{port}/auth/realms/{realm}/broker/{provider_alias}. I am testing my KeyCloak server on my local computer, with IP 127.0.0.1. So here this IP or "localhost" probably doesn't work in this field. I have to use a real public IP address. Right? How can I test social login in KeyCloak without using a real IP address? Thank you. Martin -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160128/18819804/attachment.html

From DSzeto at investlab.com Fri Jan 29 03:07:50 2016 From: DSzeto at investlab.com (Doug Szeto) Date: Fri, 29 Jan 2016 08:07:50 +0000 Subject: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue In-Reply-To: References: <56A9FB55.6050006@redhat.com> <56AA2716.1080706@redhat.com> Message-ID: Ran into your issue, found that securing the channel between nginx and keycloak did the trick. -- Doug

From: Adrian Matei Date: Friday, January 29, 2016 at 4:12 AM To: Marek Posolda Cc: keycloak-user Subject: Re: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue Hi Marek, everything works fine with both fb and google logins via nginx as reverse proxy, as long as I do everything over HTTP. Once I switch to HTTPS now I get either "Invalid parameter: redirect_uri" (the redirect_uri query parameter is generated with http, not https in the navigation bar) before reaching the login form dialog or the redirect loops (fb login) or Error: redirect_uri_mismatch with google login if I manage to get past that... In the realm client configuration I've added both https://podcastmania.ro/* and http://podcastmania.ro/* as valid redirect URIs. Note: the builtin account application can be accessed correctly both with fb and google via https too... I guess the next step would be to try to secure also the channel between nginx and keycloak, but that shouldn't be mandatory right?... Thanks, Adrian On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda wrote: Does login through Google work if you don't use nginx proxy? Is there anything in the log? Marek On 28/01/16 13:23, Adrian Matei wrote: Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting the same "This webpage has a redirect loop" message when trying to sign in with Google also...
On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda wrote: I suppose you're using Keycloak 1.7? There is a known issue related to this NoClassDefFoundError. You can work around it by editing the file $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml and adding the line: into the dependencies section. Same for module $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml Marek On 28/01/16 06:47, Adrian Matei wrote: Hi everyone, I am experiencing "too many redirects"/infinite loop issues in the browser when I try to connect with social providers. I am also getting an internal server error on Chrome via google account (Caused by: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext). It might be my configuration, but I did everything "by the book":

# realm
Require SSL: none

# nginx
http {
    gzip on;
    gzip_proxied any;
    #gzip_proxied no-cache no-store private expired auth;
    gzip_types text/plain text/html text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
    #gzip_min_length 1000;
    server_tokens off; #hides nginx version and OS running on
    include /etc/nginx/mime.types;

    upstream tomcat_server {
        server localhost:8080;
    }
    upstream keycloak_server {
        server localhost:8180;
    }

    server {
        listen 80;
        server_name podcastmania.ro;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name podcastmania.ro www.podcastmania.ro;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
            root /opt/tomcat/webapps/ROOT;
            try_files $uri /maintenance.html @tomcat;
        }
        location @tomcat {
            proxy_pass http://tomcat_server;
            proxy_set_header Host $host; #to change the "Host" header set by default to $proxy_host to $host - the originating host request
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        location /auth/ {
            root /opt/keycloak/standalone/configuration/themes/keycloak/;
            try_files $uri @keycloak;
        }
        location @keycloak {
            proxy_pass http://keycloak_server;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port 443;
        }
    }
}

# standalone.xml

# app: spring security configuration

Has anyone faced similar issues? Thanks, Adrian _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160129/375f160b/attachment-0001.html

From mstrukel at redhat.com Fri Jan 29 04:48:19 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 29 Jan 2016 10:48:19 +0100 Subject: [keycloak-user] Google social login in In-Reply-To: References: Message-ID: No, localhost should work fine. It's not Google's servers, but your browser that connects to this url after being redirected from Google. So as long as your browser can see it it should work.

From revanth at arvindinternet.com Fri Jan 29 05:15:31 2016 From: revanth at arvindinternet.com (Revanth Ayalasomayajula) Date: Fri, 29 Jan 2016 15:45:31 +0530 Subject: [keycloak-user] Clustering not working properly. Message-ID: Hi, I am using keycloak 1.5.0 and I am facing an issue with the clustering of it. I have two instances of keycloak behind a load balancer and I made the following changes to keycloak-server.json on both the instances. Added: "realmCache": { "provider": "infinispan" }, "userCache": { "provider": "infinispan" }, "userSessions": { "provider": "infinispan" } and ran the following command: ./standalone.sh --server-config=standalone-ha.xml -b=172.31.7.132.
The server is starting but when I try to access the admin console, it first gives me this error: type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=172.31.18.200, error=expired_code, restart_after_timeout=true and redirects me to the login page again and then if I try to log in again, it gives me another error: type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=172.31.25.198, error=invalid_code and exits saying 'try login using your application'. What am I doing that is causing this? Any config changes I need to do? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160129/c37d6260/attachment.html

From sthorger at redhat.com Fri Jan 29 07:25:45 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 29 Jan 2016 13:25:45 +0100 Subject: [keycloak-user] Keycloak 1.8.0.Final release Message-ID: For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160129/edf2981a/attachment.html

From bburke at redhat.com Fri Jan 29 09:06:20 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 29 Jan 2016 09:06:20 -0500 Subject: [keycloak-user] Clustering not working properly. In-Reply-To: References: Message-ID: <56AB71DC.7080005@redhat.com> Are your clustered machines' clocks in sync? On 1/29/2016 5:15 AM, Revanth Ayalasomayajula wrote: > Hi, > > I am using keycloak 1.5.0 and I am facing an issue with the clustering > of it. > > I have two instances of keycloak behind a load balancer and I made the > following changes to keycloak-server.json on both the instances.
> > Added: > "realmCache": { > "provider": "infinispan" > }, > > "userCache": { > "provider": "infinispan" > }, > "userSessions": { > "provider": "infinispan" > } > > and ran the following command: ./standalone.sh > --server-config=standalone-ha.xml -b=172.31.7.132. > > The server is starting but when I try to access the admin console, it > first gives me this error: > type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, > ipAddress=172.31.18.200, error=expired_code, restart_after_timeout=true > > and redirects me to the login page again and then if I try to log in > again, it gives me another error: > type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, > ipAddress=172.31.25.198, error=invalid_code > and exits > saying 'try login using your application'. > > What am I doing that is causing this? Any config changes I need to do? > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160129/d0e5fc80/attachment.html

From bburke at redhat.com Fri Jan 29 09:11:36 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 29 Jan 2016 09:11:36 -0500 Subject: [keycloak-user] Assign Role Fails Just After Creating the Role In-Reply-To: References: Message-ID: <56AB7318.6050009@redhat.com> Which version of keycloak? RDBMS or Mongo? On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote: > Hi Everyone, > > In my application we create, retrieve and assign a role subsequently, and > it seems that even for a small load (2-3 threads) with the realm cache > enabled option, the assign realm role call fails due to a "role not exist" > error and 404 is returned from keycloak. > > With the realm cache disabled option the load works fine.
> > Please get back to me if you have any information on any other option > we can follow to get this issue sorted or on what action the realm > cache will be persisted to DB. > > Regards, > Malmi > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160129/368e1e5a/attachment.html

From revanth at arvindinternet.com Fri Jan 29 09:13:38 2016 From: revanth at arvindinternet.com (Revanth Ayalasomayajula) Date: Fri, 29 Jan 2016 19:43:38 +0530 Subject: [keycloak-user] Clustering not working properly. In-Reply-To: <56AB71DC.7080005@redhat.com> References: <56AB71DC.7080005@redhat.com> Message-ID: Hi Bill, I seem to have identified the issue. Both the machines are on AWS and AWS doesn't support multicast. Is there any way around this which can help me out? Thanks On Fri, Jan 29, 2016 at 7:36 PM, Bill Burke wrote: > Are your clustered machines' clocks in sync? > > > On 1/29/2016 5:15 AM, Revanth Ayalasomayajula wrote: > > Hi, > > I am using keycloak 1.5.0 and I am facing an issue with the clustering of > it. > > I have two instances of keycloak behind a load balancer and I made the > following changes to keycloak-server.json on both the instances. > > Added: > > "realmCache": { > "provider": "infinispan" > }, > > "userCache": { > "provider": "infinispan" > > }, > > "userSessions": { > "provider": "infinispan" > } > > > and ran the following command: ./standalone.sh > --server-config=standalone-ha.xml -b=172.31.7.132.
> > The server is starting but when I try to access the admin console, it first > gives me this error: > type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, > ipAddress=172.31.18.200, error=expired_code, restart_after_timeout=true > > and redirects me to the login page again and then if I try to log in > again, it gives me another error: > type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, > ipAddress=172.31.25.198, error=invalid_code > and exits > saying 'try login using your application'. > > What am I doing that is causing this? Any config changes I need to do? > > > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hat http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160129/74de0da4/attachment-0001.html

From bburke at redhat.com Fri Jan 29 09:23:24 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 29 Jan 2016 09:23:24 -0500 Subject: [keycloak-user] Clustering not working properly. In-Reply-To: References: <56AB71DC.7080005@redhat.com> Message-ID: <56AB75DC.1000500@redhat.com> There was a long thread about this here. You'll have to google infinispan jgroups AWS. Or find the thread. On 1/29/2016 9:13 AM, Revanth Ayalasomayajula wrote: > Hi Bill, > > I seem to have identified the issue. Both the machines are on AWS > and AWS doesn't support multicast. Is there any way around this which > can help me out? > > Thanks > > On Fri, Jan 29, 2016 at 7:36 PM, Bill Burke > wrote: > > Are your clustered machines' clocks in sync?
> > > On 1/29/2016 5:15 AM, Revanth Ayalasomayajula wrote: >> Hi, >> >> I am using keycloak 1.5.0 and I am facing an issue with the >> clustering of it. >> >> I have two instances of keycloak behind a load balancer and I >> made the following changes to keycloak-server.json on both the >> instances. >> >> Added: >> "realmCache": { >> "provider": "infinispan" >> }, >> >> "userCache": { >> "provider": "infinispan" >> }, >> "userSessions": { >> "provider": "infinispan" >> } >> >> and ran the following command: ./standalone.sh >> --server-config=standalone-ha.xml -b=172.31.7.132. >> >> The server is starting but when I try to access the admin console, it >> first gives me this error: >> type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, >> ipAddress=172.31.18.200, error=expired_code, >> restart_after_timeout=true >> >> and redirects me to the login page again and then if I try to >> log in again, it gives me another error: >> type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, >> ipAddress=172.31.25.198, error=invalid_code >> and exits >> saying 'try login using your application'. >> >> What am I doing that is causing this? Any config changes I need >> to do? >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160129/c09339f7/attachment.html

From mposolda at redhat.com Fri Jan 29 11:01:49 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 29 Jan 2016 17:01:49 +0100 Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak In-Reply-To: <6BEA3420-05E6-4474-8DCF-85A38F8755DE@carbonite.com> References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> <1CAAD48A-2E51-4FE7-AA6A-7A3634B9E5E5@carbonite.com> <56A9F7B3.60705@redhat.com> <6BEA3420-05E6-4474-8DCF-85A38F8755DE@carbonite.com> Message-ID: <56AB8CED.4000904@redhat.com> Are you using "userStorage()" also for calling getUserByEmail? That should skip the federation call too. Otherwise you can add some additional logging and check why the method "checkExistingUser" returns something. Btw. you don't need to change Keycloak classes directly, but you can create your own subclass and register it as an SPI (similarly to your UserFederationSPI provider. See this chapter for details [1]) and then create a modification of the "first broker login" authentication flow, which will use your changed authenticator instead of the default IdpCreateUserIfUniqueAuthenticator. See [2] [1] http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html [2] http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#identity-broker-first-login Marek On 28/01/16 22:26, Reed Lewis wrote: > I modified the Keycloak code directly in the method you mentioned, > recompiled the whole package, and attempted to use it. The issue now > is that when I log in using an external Identity provider, and have a > User Federation defined, I still get called in my user federation with > the username that is from the IDP. Plus the login screen shows me a > screen with "ACCOUNT ALREADY EXISTS" and an option to review the > profile info or Link Google with existing account.
> > The account does not exist before starting the login process. > > Thank you for all your help in getting this working. I am attempting > to use 1.8RC3 BTW. > > Reed > > From: Marek Posolda > Date: Thursday, January 28, 2016 at 6:12 AM > To: Reed Lewis, > Scott Rossillo > Cc: "keycloak-user at lists.jboss.org" > > Subject: Re: [keycloak-user] External Username, Password, Email... > dataset with Keycloak > > Hi, > > If you're using Keycloak version 1.7 or later, you can create a new > "firstBrokerLogin" flow and replace the "Create User If Unique" > authenticator with your own implementation. You can create a subclass of > IdpCreateUserIfUniqueAuthenticator and override the method > "checkExistingUser" to not look for the username at the federation provider. > It can be done if you use: > > context.getSession().*userStorage()*.getUserByUsername(username, > context.getRealm()); > > instead of: > > context.getSession().*users()*.getUserByUsername(username, > context.getRealm()); > > Same for email checking. > > In that case if you login with user "john" from an external identity > provider, the authenticator won't try to find this "john" user in your > external federation provider, but just in the Keycloak DB. > > Is this what you are trying to achieve? > > Btw. As pointed out already, the keycloak username for a user registered > from an external IDP looks like "google.john" by default. You can change > this behaviour to use an identity provider mapper for the username, which > allows you to change the username template and remove the broker prefix > from that. So Keycloak will treat this username as "john". In 1.9 we > plan to remove the broker prefix by default and we will always use just the > username from the broker, because the "first login flow" added in Keycloak 1.7 > allows us to easily resolve username conflicts.
Corresponding JIRA is: > https://issues.jboss.org/browse/KEYCLOAK-2292 > > Marek > > > On 27/01/16 21:28, Reed Lewis wrote: >> It looks like no matter which External IDP I use, it always checks >> the federation provider also which is not something that I think >> wants to be done. Is this a bug in the Keycloak software? >> >> So it looks like one cannot do external IDP and federation at the >> same time. This should be fixed. >> >> Reed >> >> From: Scott Rossillo >> Date: Wednesday, January 27, 2016 at 1:02 PM >> To: Reed Lewis >> Cc: Thomas Darimont, >> "keycloak-user at lists.jboss.org" >> >> Subject: Re: [keycloak-user] External Username, Password, Email... >> dataset with Keycloak >> >> I think that's a more general question about user account merging so >> maybe one of the core devs can chime in. However, I just want to >> clarify, you don't want to query the federation provider at all when >> a user signs in with an external IDP, right? In that case, you could >> modify the findByUsername() method to not create a user if the login >> is with an IDP. I'm not sure if it still exists in 1.7+ but the >> username used to be created as idp.email at provider.com >> where the IDP is the username prefix. >> >> Does that make sense / sufficiently address the use case? >> >> ~ Scott >> >>> On Jan 27, 2016, at 12:34 PM, Reed Lewis >> > wrote: >>> >>> This is working for me now. I created a service that listens on a >>> port and implements the GET, HEAD and POST requests that are being made. >>> >>> The one issue now is that integration with other Identity providers >>> does not work now since it still calls my server with the username >>> from the external provider. How can I tell Keycloak that when a >>> user comes from an external Identity provider not to check the user >>> Federation provider?
>>> >>> Thank you, >>> >>> Reed Lewis >>> >>> From: Scott Rossillo >>> Date: Friday, January 15, 2016 at 4:42 PM >>> To: Thomas Darimont, Reed Lewis >>> Cc: "keycloak-user at lists.jboss.org" >>> Subject: Re: [keycloak-user] External Username, Password, Email... >>> dataset with Keycloak >>> >>> We just put up a blog post[0] and some sample code[1] on how to do >>> this type of migration. >>> >>> [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/ >>> [1]: https://github.com/Smartling/keycloak-user-migration-provider >>> >>> >>> Scott Rossillo >>> Smartling | Senior Software Engineer >>> srossillo at smartling.com >>> >>>> On Jan 15, 2016, at 11:06 AM, Thomas Darimont >>>> wrote: >>>> >>>> Hello Reed, >>>> >>>> as you already wrote, you can write a federation provider that >>>> queries your >>>> backend service via REST for user data. >>>> Within the federation provider you can then import the user data >>>> returned from the REST call. >>>> >>>> This would work as follows - within the method: >>>> org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, >>>> String) >>>> you call your backend REST service. >>>> >>>> As a next step you create a new user with the given username >>>> UserModel keycloakUser = session.userStorage().addUser(realm, >>>> username); >>>> >>>> Then you copy all the user data from your backend into Keycloak's >>>> UserModel. >>>> >>>> After that your backend user has a corresponding representation in >>>> Keycloak >>>> with a reference to this federation provider (id) via the >>>> "userModel.federationLink" property. >>>> >>>> The federation link will also be shown in the user page in the >>>> keycloak admin console. >>>> As long as the federation link is in place keycloak will ask the >>>> federation provider >>>> for the latest user data.
>>>> Once you decide to cut the link to the federation provider you can simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation link right after you added the user to Keycloak.
>>>>
>>>> Keycloak has no link information after that anymore and it will only use the user data stored in the Keycloak database for that particular user.
>>>>
>>>> You also have the option to do that for all your users via:
>>>> org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)
>>>> or just use it on demand per user when he / she wants to login for the first time.
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> 2016-01-15 16:16 GMT+01:00 Reed Lewis:
>>>>
>>>> Hi,
>>>> We are examining KeyCloak (it looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data "live" in KeyCloak and never refer to the external datasource again once the account is "migrated" into KeyCloak.
>>>>
>>>> Can this be done with some modification of federation?
>>>>
>>>> We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.
>>>>
>>>> Thank you,
>>>>
>>>> Reed Lewis
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From lingvisa at gmail.com Fri Jan 29 15:57:27 2016
From: lingvisa at gmail.com (Martin Min)
Date: Fri, 29 Jan 2016 12:57:27 -0800
Subject: [keycloak-user] Google social login in
In-Reply-To:
References:
Message-ID:

After I restarted my KeyCloak server, all my realm and applications created are gone. Is that because the built-in database H2 doesn't persist the data on disk? How to keep the database after I restart the keycloak server? Thanks.

On Fri, Jan 29, 2016 at 1:48 AM, Marko Strukelj wrote:
> No, localhost should work fine.
> It's not Google's servers, but your browser that connects to this url after being redirected from Google. So as long as your browser can see it it should work.

From lingvisa at gmail.com Fri Jan 29 17:49:34 2016
From: lingvisa at gmail.com (Martin Min)
Date: Fri, 29 Jan 2016 14:49:34 -0800
Subject: [keycloak-user] Social login error message
Message-ID:

Hello, I am configuring the social login with google, twitter and github.
Everything else works fine until this point, namely, after it's authorized, at the "update account information" page, after I fill out the fields on this page and click "submit", I receive this error message. What could cause this? I followed the instruction carefully, but not sure what caused this.

Context Path: /auth
Servlet Path:
Path Info: /realms/myproject/login-actions/first-broker-login
Query String: code=Rp6yjxlbY0_IIjk8_-IpyOy_x8m_hC0d8zz4t-hp7vI.9ea99589-bf8d-4a13-930a-c58661dfb925

Stack Trace
java.lang.RuntimeException: request path: /auth/realms/myproject/login-actions/first-broker-login
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext
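Thomas Darimont's import-on-first-login recipe from the "External Username, Password, Email... dataset with Keycloak" thread above, written out as an added example. It is not code from that thread, from the Smartling provider it links to, or from Keycloak itself. It assumes the Keycloak 1.x org.keycloak.models.UserFederationProvider SPI named in the thread (only the body behind getUserByUsername() is shown; the other interface methods belong to the reader's own provider class), a hypothetical legacy REST endpoint GET /users/{username} that answers with a JSON object carrying "username", "email", "firstName" and "lastName", and Jackson for JSON parsing. The class name LegacyUserImporter, the backend URL and the field names are all assumptions. Beyond the recipe as posted, it adds the guards a practitioner wants on this path: the username arrives from the login form, so it is checked against a strict character set and encoded before it is placed into the backend URL; the backend is reached over TLS only; a 404 is "no such user" rather than an error; a backend outage fails closed instead of creating a half-populated account; and the federation link is either kept (Keycloak keeps consulting the provider, as Thomas describes) or cut right after import so the Keycloak copy becomes authoritative.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Import-on-first-login for a UserFederationProvider (hypothetical helper, not Keycloak code).
 * Keycloak consults the provider's getUserByUsername() only when the username is not already
 * in its own database, so the legacy store is contacted at most once per account.
 */
public class LegacyUserImporter {

    private static final ObjectMapper JSON = new ObjectMapper();
    // Conservative username alphabet: anything else is treated as "not found" rather than
    // being interpolated into the backend request.
    private static final Pattern SAFE_USERNAME = Pattern.compile("[A-Za-z0-9._@-]{1,255}");

    private final KeycloakSession session;
    private final String backendBaseUrl;     // assumption: e.g. https://legacy.example.internal
    private final String providerId;         // id of this UserFederationProviderModel instance
    private final boolean cutLinkOnImport;   // true = Keycloak copy becomes authoritative

    public LegacyUserImporter(KeycloakSession session, String backendBaseUrl,
                              String providerId, boolean cutLinkOnImport) {
        if (!backendBaseUrl.startsWith("https://")) {
            // account data crosses this channel; refuse a plaintext backend outright
            throw new IllegalArgumentException("legacy backend must be reached over https");
        }
        this.session = session;
        this.backendBaseUrl = backendBaseUrl;
        this.providerId = providerId;
        this.cutLinkOnImport = cutLinkOnImport;
    }

    /** The body to delegate to from UserFederationProvider.getUserByUsername(realm, username). */
    public UserModel getUserByUsername(RealmModel realm, String username) {
        if (username == null || !SAFE_USERNAME.matcher(username).matches()) {
            return null;
        }
        JsonNode legacy;
        try {
            legacy = fetchLegacyUser(username);
        } catch (IOException e) {
            // backend unreachable or misbehaving: fail closed, never create a partial account
            throw new RuntimeException("legacy user lookup failed", e);
        }
        if (legacy == null) {
            return null; // unknown to the legacy store too: the ordinary "no such user" path
        }
        return importUser(realm, username, legacy);
    }

    /** GET {backend}/users/{username}; returns null on 404, throws on any other non-200. */
    JsonNode fetchLegacyUser(String username) throws IOException {
        String encoded = URLEncoder.encode(username, StandardCharsets.UTF_8.name());
        HttpURLConnection conn =
                (HttpURLConnection) new URL(backendBaseUrl + "/users/" + encoded).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Accept", "application/json");
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        int status = conn.getResponseCode();
        if (status == 404) {
            return null;
        }
        if (status != 200) {
            throw new IOException("unexpected status " + status + " from legacy backend");
        }
        try (InputStream in = conn.getInputStream()) {
            return JSON.readTree(in);
        }
    }

    /** Steps 2-4 of the recipe: addUser(), copy the fields, then decide about the federation link. */
    UserModel importUser(RealmModel realm, String username, JsonNode legacy) {
        UserModel user = session.userStorage().addUser(realm, username);
        user.setEnabled(true);
        user.setEmail(text(legacy, "email"));
        user.setFirstName(text(legacy, "firstName"));
        user.setLastName(text(legacy, "lastName"));
        // With the link set, Keycloak keeps asking this provider for fresh data on every lookup.
        // With the link null, Keycloak serves the user from its own database from now on.
        user.setFederationLink(cutLinkOnImport ? null : providerId);
        // The legacy password hash is not copied here: Keycloak can only verify hashes it has a
        // hash provider for. Until the reader adds first-login validation against the backend,
        // the imported account must set a new password before it can be used.
        user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        return user;
    }

    private static String text(JsonNode node, String field) {
        JsonNode v = node.get(field);
        return v == null || v.isNull() ? null : v.asText();
    }
}
```

The `cutLinkOnImport` switch is the decision Thomas describes in words: leaving the link set means every lookup still goes to the legacy service (and Reed's later observation, that external-IDP logins also trigger the provider, still applies), while cutting it makes the import a one-shot migration with no further dependency on the backend. The password handling is the part the thread leaves open; whichever approach is chosen, a foreign hash should never be stored as a Keycloak credential unless Keycloak has a matching hash algorithm configured, otherwise the account silently becomes unusable.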
From malmi.suh at gmail.com Fri Jan 29 23:16:21 2016
From: malmi.suh at gmail.com (Malmi Samarasinghe)
Date: Sat, 30 Jan 2016 09:46:21 +0530
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
In-Reply-To: <56AB7318.6050009@redhat.com>
References: <56AB7318.6050009@redhat.com>
Message-ID:

Hi Bill,

We are using keycloak 1.7.0 and rdbms (mysql).

Regards,
Malmi Samarasinghe

On Jan 29, 2016 7:41 PM, "Bill Burke" wrote:
> Which version of keycloak? RDBMS or Mongo?
>
> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>
> Hi Everyone,
>
> In my application we create, retrieve and assign a role subsequently, and it seems that even for a small load (2-3 threads) with the realm cache enabled option, the assign realm role call fails due to a "role not exist" error and 404 is returned from keycloak.
>
> With the realm cache disabled option the load works fine.
>
> Please get back to me if you have any information on any other option we can follow to get this issue sorted or on what action the realm cache will be persisted to DB.
>
> Regards,
> Malmi
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
From adrianmatei at gmail.com Sat Jan 30 01:13:23 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Sat, 30 Jan 2016 07:13:23 +0100
Subject: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
In-Reply-To:
References: <56A9FB55.6050006@redhat.com> <56AA2716.1080706@redhat.com>
Message-ID:

Hey Doug,

Thanks for the info. Did that too, but I am still getting that infamous invalid *redirect_uri* which contains *http* instead of *https*, though I set up https everywhere - need to look at it with a fresh mind I guess...

Adrian

On Fri, Jan 29, 2016 at 9:07 AM, Doug Szeto wrote:
> Ran into your issue, found that securing the channel between nginx and keycloak did the trick.
> Doug
>
> From: Adrian Matei (adrianmatei at gmail.com)
> Date: Friday, January 29, 2016 at 4:12 AM
> To: Marek Posolda
> Cc: keycloak-user
> Subject: Re: [keycloak-user] keycloak + nginx reverse proxy + too many redirects issue
>
> Hi Marek,
>
> everything works fine with both fb and google logins via nginx as reverse proxy, as long as I do everything over HTTP. Once I switch to HTTPS I now get either "Invalid parameter: redirect_uri" (the redirect_uri query parameter is generated with *http, not https* in the navigation bar) before reaching the login form dialog, or the redirect loops (fb login), or "Error: redirect_uri_mismatch" with google login if I manage to get past that... In the realm client configuration I've added both https://podcastmania.ro/* and http://podcastmania.ro/* as valid redirect URIs.
>
> Note: the builtin account application can be accessed correctly both with fb and google via https too...
>
> I guess the next step would be to try to secure also the channel between nginx and keycloak, but that shouldn't be mandatory, right?...
>
> Thanks,
> Adrian
>
> On Thu, Jan 28, 2016 at 3:35 PM, Marek Posolda wrote:
>
>> Does login through Google work if you don't use the nginx proxy? Is there anything in the log?
>>
>> Marek
>>
>> On 28/01/16 13:23, Adrian Matei wrote:
>>
>> Thanks Marek, that fixed the NoClassDefFoundError, but now I am getting the same "This webpage has a redirect loop" message when trying to sign in with Google also...
>>
>> On Thu, Jan 28, 2016 at 12:28 PM, Marek Posolda wrote:
>>
>>> I suppose you're using Keycloak 1.7? There is a known issue related to this NoClassDefFoundError. You can work around it by editing the file
>>> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
>>> and adding the line:
>>>
>>>
>>>
>>> into the dependencies section. Same for module
>>> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
>>>
>>> Marek
>>>
>>> On 28/01/16 06:47, Adrian Matei wrote:
>>>
>>> Hi everyone,
>>>
>>> I am experimenting "too many redirects"/infinite loop issues in the browser when I try to connect with social providers. I am also getting an internal server error on Chrome via google account (Caused by: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext).
>>> It might be my configuration, but I did everything "by the book":
>>>
>>> # realm Require SSL: none
>>>
>>> # nginx
>>> http {
>>>     gzip on;
>>>     gzip_proxied any;
>>>     #gzip_proxied no-cache no-store private expired auth;
>>>     gzip_types text/plain text/html text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
>>>     #gzip_min_length 1000;
>>>
>>>     server_tokens off; #hides nginx version and OS running on
>>>     include /etc/nginx/mime.types;
>>>
>>>     upstream tomcat_server {
>>>         server localhost:8080;
>>>     }
>>>     upstream keycloak_server {
>>>         server localhost:8180;
>>>     }
>>>
>>>     server {
>>>         listen 80;
>>>         server_name podcastmania.ro;
>>>         return 301 https://$host$request_uri;
>>>     }
>>>
>>>     server {
>>>         listen 443 ssl;
>>>         server_name podcastmania.ro www.podcastmania.ro;
>>>
>>>         ssl_certificate /etc/nginx/ssl/nginx.crt;
>>>         ssl_certificate_key /etc/nginx/ssl/nginx.key;
>>>
>>>         location / {
>>>             root /opt/tomcat/webapps/ROOT;
>>>             try_files $uri /maintenance.html @tomcat;
>>>         }
>>>
>>>         location @tomcat {
>>>             proxy_pass http://tomcat_server;
>>>             proxy_set_header Host $host; #to change the "Host" header set by default to $proxy_host to $host - the originating host request
>>>             proxy_set_header X-Real-IP $remote_addr;
>>>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>             proxy_set_header X-Forwarded-Proto $scheme;
>>>         }
>>>
>>>         location /auth/ {
>>>             root /opt/keycloak/standalone/configuration/themes/keycloak/;
>>>             try_files $uri @keycloak;
>>>         }
>>>
>>>         location @keycloak {
>>>             proxy_pass http://keycloak_server;
>>>             proxy_set_header Host $host;
>>>             proxy_set_header X-Real-IP $remote_addr;
>>>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>>             proxy_set_header X-Forwarded-Proto $scheme;
>>>             proxy_set_header X-Forwarded-Port 443;
>>>         }
>>>     }
>>> }
>>>
>>> # standalone.xml
>>> proxy-address-forwarding="true"
>>> default-interface="public" port-offset="${jboss.socket.binding.port-offset:100}"
>>> port="${jboss.management.http.port:9990}"
>>> port="${jboss.management.https.port:9993}"
>>>
>>> # app: spring security configuration
>>>
>>> Has anyone faced similar issues?
>>>
>>> Thanks,
>>> Adrian

From darkness.renann at gmail.com Sun Jan 31 21:57:39 2016
From: darkness.renann at gmail.com (Renann Prado)
Date: Mon, 1 Feb 2016 00:57:39 -0200
Subject: [keycloak-user] Is it possible to use Keycloak just as a library?
Message-ID:

Hello

At least for now, I would like to use Keycloak as a library so I don't have to configure a "Keycloak server". Is it possible?

Renann Prado