From raiden0610 at gmail.com Wed Jun 1 02:26:03 2016
From: raiden0610 at gmail.com (Cyril Casaucau)
Date: Wed, 01 Jun 2016 06:26:03 +0000
Subject: [keycloak-user] Help : Problem with CORS - Spring boot - Angular 2
Message-ID:

Hello,

I have a problem securing my REST web service. I have a Spring Boot application which is a REST web service and an Angular 2 application which calls the web service. I'm using the keycloak-spring-security-adapter with this configuration:

    @Configuration
    @EnableWebSecurity
    @ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
    public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

        /**
         * Registers the KeycloakAuthenticationProvider with the authentication manager.
         */
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(keycloakAuthenticationProvider());
        }

        /**
         * Defines the session authentication strategy.
         */
        @Bean
        @Override
        protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
            return new NullAuthenticatedSessionStrategy();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);
            http
                .authorizeRequests()
                .antMatchers("/userFacade*").hasRole("user")
                .anyRequest().permitAll();
        }
    }

And I have configured CORS in the Spring Boot config like this:

    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurerAdapter() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/userFacade/**")
                    .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                    .allowedOrigins("*")
                    .allowedHeaders("Authorization", "Content-Type", "X-Requested-With");
            }
        };
    }

The endpoint:

    @RestController
    @RequestMapping("/userFacade")
    public class UserFacade {

        @Autowired
        private UserService userService;

        @RequestMapping(method = RequestMethod.GET, value = "/getAllUsers")
        public List getAllUsers() {
            return userService.getAllUsers();
        }
    }

When I make the call on the frontend, Chrome tells me this:

    XMLHttpRequest cannot load http://localhost:8080/userFacade/getAllUsers. The request was redirected to 'http://localhost:8080/', which is disallowed for cross-origin requests that require preflight.

My headers on the frontend side:

    this.headers.append('Authorization', 'BEARER ' + localStorage.getItem('token'));
    this.headers.append('Content-Type', 'application/json');
    this.headers.append('X-Requested-With', 'XMLHttpRequest');

I have tried a lot of things like using the keycloak-spring-boot-adapter but get the same kind of error.

Can you help me?

Thanks,
Best regards,
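The configuration below is an added example from the editor, not code from the post above or from the Keycloak project. Chrome's message says the OPTIONS preflight was answered with a redirect. A browser sends the preflight without the Authorization header and without any custom header, so whichever filter redirects anonymous requests (a login entry point, typically) breaks it; the security chain has to let OPTIONS through and answer it with the CORS headers. This version does that with Spring Security's own CORS support (`http.cors()`, which exists from Spring Security 4.1; assumed available here) fed by a `CorsConfigurationSource` bean in place of the `WebMvcConfigurer` mapping, because the MVC mapping only runs inside DispatcherServlet, which a redirected preflight never reaches. It also pins the allowed origin to the SPA's origin (`http://localhost:4200` is a placeholder, not from the post) instead of `*`, uses `/userFacade/**` instead of `/userFacade*` (an Ant `*` does not cross `/`, so the original pattern never matched `/userFacade/getAllUsers`), and checks the Keycloak role with `hasAuthority("user")`, since the adapter's `KeycloakAuthenticationProvider` grants the raw role names while `hasRole("user")` looks for `ROLE_user`.

```java
// Added example (editor's code, not from the original post or the Keycloak project). Assumes the
// Keycloak Spring Security adapter of the 1.9 line with Spring Security 4.1 or later (http.cors()
// exists since 4.1); http://localhost:4200 stands in for the Angular app's real origin.
package org.example.security;

import java.util.Arrays;
import java.util.Collections;
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    // A bearer-token API keeps no server-side session, so there is nothing to migrate on login.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            // Spring Security's CorsFilter runs ahead of the authentication filters, so the
            // preflight gets its Access-Control-* headers before any login redirect can happen.
            .cors().and()
            .authorizeRequests()
                // The preflight carries no Authorization header; it must be reachable anonymously.
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // "/userFacade*" would not match /userFacade/getAllUsers: an Ant '*' stops at '/'.
                // The adapter grants the Keycloak role names as-is, so match the authority "user"
                // rather than hasRole("user"), which would look for "ROLE_user".
                .antMatchers("/userFacade/**").hasAuthority("user")
                .anyRequest().permitAll();
    }

    // Same mapping as the WebMvcConfigurer in the question, but in the form http.cors() reads,
    // and pinned to the SPA's origin instead of "*".
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(Collections.singletonList("http://localhost:4200")); // assumed SPA origin
        cfg.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        cfg.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "X-Requested-With"));
        cfg.setMaxAge(3600L); // let the browser cache the preflight result for an hour
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/userFacade/**", cfg);
        return source;
    }
}
```

To check the fix without the browser, send the preflight by hand: `curl -i -X OPTIONS http://localhost:8080/userFacade/getAllUsers -H "Origin: http://localhost:4200" -H "Access-Control-Request-Method: GET" -H "Access-Control-Request-Headers: authorization"` should return 200 with an `Access-Control-Allow-Origin` header and no `Location` header. The real GET, sent with a bad or missing token, should then come back as 401 rather than a redirect; the adapter treats requests carrying `X-Requested-With: XMLHttpRequest` as API calls for that purpose, which is why that header is worth keeping on the client. Declaring the service as `"bearer-only": true` in keycloak.json is the documented way to say the application never initiates a browser login; whether the Spring Security adapter of that version honours it for its entry point is something to verify, so the explicit OPTIONS rule above is the primary fix.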
From mposolda at redhat.com Wed Jun 1 03:02:09 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 1 Jun 2016 09:02:09 +0200
Subject: [keycloak-user] KC 1.9.4 Error during
In-Reply-To:
References: <574D82EB.7050504@redhat.com> <574D8C06.2050600@redhat.com>
Message-ID: <574E8871.6060303@redhat.com>

Yes, that's possible. According to http://www.ietf.org/rfc/rfc952.txt the underscore is not a valid character in a hostname. Maybe it causes issues with the Apache HTTP client. If you have the possibility to remove the underscore, it's worth a try though.

Marek

On 31/05/16 16:21, Gregory Orciuch wrote:
> Hi,
> I don't get it. How are the truststore/keystore properties related to
> not having a hostname in the returned URL?
>
> The truststore is usually taken by the Java low-level SSL stack (unless
> Keycloak uses its own SSL stack) and even if wrong it does produce a PKIX
> exception, which is not in Emil's stack trace.
>
> I suspect the underscore "_" in the "auth-server-url", or the name is
> not resolved by DNS from the Keycloak server's perspective.
>
> BR,
> Gregory
>
>
> 2016-05-31 15:05 GMT+02:00 Marek Posolda:
>
> Does your Keycloak server have a certificate signed by a known CA
> authority or are you using a self-signed one?
> If you have a self-signed one, you also need to configure the truststore. See
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
> and especially the properties related to the truststore.
>
> Marek
>
> On 31/05/16 15:00, Emil Posmyk wrote:
>> sorry, I forgot to finish the title
>>
>> {
>>   "realm": "Brandpath",
>>   "realm-public-key": "key.....",
>>   "auth-server-url": "https://sabdev_oms.brandpath.net/auth",
>>   "ssl-required": "external",
>>   "resource": "oms-web",
>>   "credentials": {
>>     "secret": "secret"
>>   },
>>   "use-resource-role-mappings": true
>> }
>>
>> regards
>> --
>> Emil Posmyk
>>
>> 2016-05-31 14:26 GMT+02:00 Marek Posolda:
>>
>> How is "auth-server-url" in your keycloak.json configured? If
>> you're using a relative URI, then you can maybe try to use an
>> absolute URI and see if it helps?
>>
>> Marek
>>
>>
>> On 31/05/16 14:19, Emil Posmyk wrote:
>>> Hello
>>>
>>> I'm receiving an error when I try to log in to our application:
>>> ClientProtocolException: URI does not specify a valid host name: https:/auth/realms/Brandpath/protocol/openid-connect/token
>>> The http protocol is working fine, no errors, but using https I
>>> receive each time a URI without a host name.
>>> The auth page is working fine.
>>>
>>> What can cause that error?
>>> >>> >>> 14:59:22,937 ERROR >>> [org.keycloak.adapters.OAuthRequestAuthenticator] (default >>> task-2) failed to turn code into token: >>> org.apache.http.client.ClientProtocolException: URI does not >>> specify a valid host name: >>> https:/auth/realms/Brandpath/protocol/openid-connect/token >>> [Server:ms-server1] at >>> org.apache.http.impl.client.CloseableHttpClient.determineTarget(CloseableHttpClient.java:94) >>> [Server:ms-server1] at >>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) >>> [Server:ms-server1] at >>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) >>> [Server:ms-server1] at >>> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) >>> [Server:ms-server1] at >>> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) >>> [Server:ms-server1] at >>> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314) >>> [Server:ms-server1] at >>> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260) >>> [Server:ms-server1] at >>> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112) >>> [Server:ms-server1] at >>> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110) >>> [Server:ms-server1] at >>> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92) >>> [Server:ms-server1] at >>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233) >>> [Server:ms-server1] at >>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250) >>> [Server:ms-server1] at >>> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219) >>> [Server:ms-server1] at >>> 
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121) >>> [Server:ms-server1] at >>> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96) >>> [Server:ms-server1] at >>> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89) >>> [Server:ms-server1] at >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) >>> [Server:ms-server1] at >>> io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) >>> [Server:ms-server1] at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> [Server:ms-server1] at >>> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) >>> [Server:ms-server1] at >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>> [Server:ms-server1] at >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>> [Server:ms-server1] at >>> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) >>> [Server:ms-server1] at >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>> [Server:ms-server1] at >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>> [Server:ms-server1] at >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>> [Server:ms-server1] at >>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>> [Server:ms-server1] 
at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> [Server:ms-server1] at >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> [Server:ms-server1] at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> [Server:ms-server1] at >>> org.wildfly.mod_cluster.undertow.metric.RunningRequestsHttpHandler.handleRequest(RunningRequestsHttpHandler.java:69) >>> [Server:ms-server1] at >>> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) >>> [Server:ms-server1] at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> [Server:ms-server1] at >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) >>> [Server:ms-server1] at >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) >>> [Server:ms-server1] at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>> [Server:ms-server1] at >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) >>> [Server:ms-server1] at >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >>> [Server:ms-server1] at >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >>> [Server:ms-server1] at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>> [Server:ms-server1] at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>> [Server:ms-server1] at java.lang.Thread.run(Thread.java:745) >>> >>> / >>> regards/ >>> /--/ >>> /Emil Posmyk >>> / >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> >>> 
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bystrik.horvath at gmail.com Wed Jun 1 03:12:06 2016
From: bystrik.horvath at gmail.com (Bystrik Horvath)
Date: Wed, 1 Jun 2016 09:12:06 +0200
Subject: [keycloak-user] Async request/response processing at Keycloak
In-Reply-To: <694086856.12892867.1464714483395.JavaMail.zimbra@redhat.com>
References: <574D8552.8060508@redhat.com> <574D8581.9040105@redhat.com> <694086856.12892867.1464714483395.JavaMail.zimbra@redhat.com>
Message-ID:

Hi Pedro,

the pull request https://github.com/keycloak/keycloak/pull/2617 contains the change in /modules/system/layers/keycloak/org/keycloak/keycloak-server-subsystem/main/server-war/WEB-INF/web.xml which starts the support of async request/response processing, so it is also suitable for the issue https://issues.jboss.org/browse/KEYCLOAK-3062

Best regards,
Bystrik

On Tue, May 31, 2016 at 7:08 PM, Pedro Igor Silva wrote:
> We already have async support from
> https://github.com/keycloak/keycloak/pull/2617.
>
> Those changes are related to the fine-grained authorization services,
> which are currently implemented using async support. Wondering if you can
> try it out and see if we are missing something.
>
> ----- Original Message -----
> From: "Bystrik Horvath"
> To: "Marek Posolda"
> Cc: "keycloak-user"
> Sent: Tuesday, May 31, 2016 11:12:05 AM
> Subject: Re: [keycloak-user] Async request/response processing at Keycloak
>
> https://issues.jboss.org/browse/KEYCLOAK-3062
>
> On Tue, May 31, 2016 at 3:49 PM, Bystrik Horvath <bystrik.horvath at gmail.com> wrote:
>
>> Hi Marek,
>> thank you for the advice. It helped me.
>> Just a small correction - the web.xml is located in
>> /modules/system/layers/keycloak/org/keycloak/keycloak-server-subsystem/main/server-war/WEB-INF/web.xml
>> (in my Keycloak 1.9.3.Final). The filter definition then looks as follows:
>>
>>     <filter>
>>         <filter-name>Keycloak Session Management</filter-name>
>>         <filter-class>org.keycloak.services.filters.KeycloakSessionServletFilter</filter-class>
>>         <async-supported>true</async-supported>
>>     </filter>
>>
>> Before applying the filter settings I found a small trick how to do the
>> same by putting two lines in the code:
>>
>>     ServletRequestContext context = ServletRequestContext.current();
>>     context.setAsyncSupported(true);
>>
>> Anyway, I will create a JIRA for this.
>> Thank you & best regards,
>> Bystrik
>>
>> On Tue, May 31, 2016 at 2:37 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>> Sorry, I meant to put:
>>>
>>>     <async-supported>true</async-supported>
>>>
>>> to that filter.
>>>
>>> Marek
>>>
>>> On 31/05/16 14:36, Marek Posolda wrote:
>>>
>>>> Maybe it will help if you put it to
>>>> KEYCLOAK_HOME/modules/systems/add-ons/keycloak/org/keycloak/keycloak-server-subsystem/main/server-war/WEB-INF/web.xml
>>>> to the Keycloak Session Management Filter? Feel free to create a JIRA for it (and
>>>> mention if it helps or not. If it helps, then we know that it's sufficient
>>>> to add it to that filter, so it will be easy work to fix).
>>>>
>>>> Marek
>>>>
>>>> On 31/05/16 10:50, Bystrik Horvath wrote:
>>>>
>>>>> Hello community,
>>>>>
>>>>> I found that (since 1.9.2?) there's RealmResourceProvider that gives me
>>>>> the possibility to provide my own REST endpoint. After implementing the
>>>>> endpoint using the async capability of JAX-RS, I'm getting an exception like:
>>>>> UT010026: Async is not supported for this request, as not all filters or
>>>>> Servlets were marked as supporting async.
>>>>>
>>>>> How is it possible to tweak Keycloak (I'm currently on 1.9.3) to
>>>>> asynchronously respond to my requests in an implementation of
>>>>> RealmResourceProvider?
>>>>>
>>>>> Thank you for any comment on this.
>>>>>
>>>>> Best regards,
>>>>> Bystrik

From mposolda at redhat.com Wed Jun 1 03:41:56 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 1 Jun 2016 09:41:56 +0200
Subject: [keycloak-user] Keycloak integration with REST service
In-Reply-To:
References:
Message-ID: <574E91C4.8060002@redhat.com>

On 01/06/16 03:20, Jim Dillon wrote:
> It looks like a custom User Federation Provider needs to be created
> in order to access a REST service for user information and an
> Authentication Provider to authenticate against a REST service.
>
> I've looked at the example User Federation Provider that uses a static
> file and the Authentication Provider examples which enforce a secret
> question / answer flow. I have a better understanding of what needs to
> be accomplished, but I'm still quite a ways from where I need to be.
>
> Can anyone point me in the direction of an example User Federation
> Provider and / or an Authentication Provider that uses a REST
> service? (Google hasn't found any examples for me.)
>
> Is there more documentation to be found on these subjects other than
> the inline code comments, User Manual, and GitHub-based docs?
>
> Could I possibly be making it more difficult than it is? Do I simply
> need to substitute HTTP requests for file I/O in the User Federation
> Provider example?

I think yes, that's what you can do. And I think that you don't need to implement any Authentication Provider, really just a User Federation Provider.
The Authentication Provider is used if you need to somehow change the authentication flow (for example add some new form with a new login mechanism), however here you don't need it.

Here the flow is like this:

1. User lands on the Keycloak login page and initiates login. This is done with the standard Keycloak login form for username/password. So you don't need any custom Authentication Provider.
2. User does not exist in Keycloak.
3. Keycloak asks the user storage (UserFederationManager), which will try to look up the user in its database and, if it doesn't exist in the database, will look it up via your UserFederationProvider. So it will call the method YourUserFederationProvider.getUserByUsername. In this method, you are supposed to implement calling your REST API to look up the user and then create the user in the Keycloak DB.
4. User is authenticated - Keycloak will call YourUserFederationProvider.validCredentials where you are supposed to implement validation of username/password against your REST service.
5. You can implement the proxy object for your user where you can control which info exactly is retrieved from/to the Keycloak DB and which is retrieved from/to your REST service.

Note that registering a user back to the REST service is done via YourUserFederationProvider.register. So always when a new user is created in Keycloak, it will call this method of your FederationProvider and you are supposed to "register" the user in your REST service too. Via the User proxy object, you can control when your REST service needs to be updated (for example if you implement user.setEmail in your proxy and call the REST service there, then Keycloak will call this method, and hence your REST service, always when the email of some user is changed).

And btw. you can try to contact the guys from the RH jboss.org team, which did some UserFederationProvider calling REST. It's possible that your implementation will be similar. You can try velias at redhat.com and/or lkrzyzan at redhat.com .

Marek
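The five steps Marek describes, as an added example from the editor: this is not Keycloak project code and not the jboss.org team's provider he mentions. It implements `getUserByUsername` (step 3: fetch the user from the REST service and import it into the Keycloak DB with a federation link), `validCredentials` (step 4: delegate the password check to the service, so no password hash is ever copied into Keycloak and nothing has to be decrypted and re-encoded as in Jim's own step 5) and `validateAndProxy`/`isValid` (the simplest form of step 5: re-check the remote account whenever Keycloak loads the imported copy and drop it when it is gone). Assumptions, and the parts to check before reuse: the method set is the 1.9.x `UserFederationProvider` interface as recalled here, so compare it with the interface shipped in your Keycloak version; the REST service is hypothetical (`GET {base}/users/{username}` returning 200 with a JSON object or 404, `POST {base}/users/{username}/password-check` with `{"password": ...}` returning 200 or 401); Jackson's `ObjectMapper` handles the JSON. The `UserFederationProviderFactory` that reads `baseUrl` and `apiToken` from the provider configuration and constructs this class is not shown.

```java
// Added example (editor's code, not Keycloak's). The SPI method set is the 1.9.x UserFederationProvider
// interface as recalled here: compare it with the interface in your version before relying on it.
// The REST service is hypothetical: GET {base}/users/{name} -> 200 + JSON or 404,
// POST {base}/users/{name}/password-check with {"password": "..."} -> 200 or 401.
package org.example.federation;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.*;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.models.*;

public class RestUserFederationProvider implements UserFederationProvider {
    private static final Set<String> SUPPORTED = Collections.singleton(UserCredentialModel.PASSWORD);
    private static final ObjectMapper JSON = new ObjectMapper();
    private final KeycloakSession session;
    private final UserFederationProviderModel model;
    private final String baseUrl;  // e.g. https://users.internal/api, read from the provider config
    private final String apiToken; // service credential for the REST API, never a user's password

    public RestUserFederationProvider(KeycloakSession session, UserFederationProviderModel model, String baseUrl, String apiToken) {
        this.session = session; this.model = model; this.baseUrl = baseUrl; this.apiToken = apiToken;
    }

    // Step 3: the user is not in Keycloak's DB, so Keycloak asks this provider. A found user is imported
    // and linked to this provider, so isValid/validCredentials for it are routed back here on later logins.
    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        Map<?, ?> remote = fetchUser(username);
        if (remote == null) return null;
        UserModel local = session.userStorage().addUser(realm, username);
        local.setEnabled(true);
        local.setFederationLink(model.getId());
        if (remote.get("email") instanceof String) local.setEmail((String) remote.get("email"));
        return local;
    }

    // Step 4: the password check is delegated to the REST service; no hash is ever copied into Keycloak.
    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        if (input.isEmpty()) return false;
        for (UserCredentialModel cred : input) {
            if (!UserCredentialModel.PASSWORD.equals(cred.getType())) return false;
            if (!checkPassword(user.getUsername(), cred.getValue())) return false;
        }
        return true;
    }
    @Override public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
        return validCredentials(realm, user, Arrays.asList(input));
    }
    @Override public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
        return CredentialValidationOutput.failed(); // no Kerberos-style pre-authentication here
    }

    // Step 5 in its simplest form: re-check the remote account whenever Keycloak loads the imported copy,
    // returning null (Keycloak then removes the local copy) once the REST service no longer knows it.
    @Override public UserModel validateAndProxy(RealmModel realm, UserModel local) { return isValid(realm, local) ? local : null; }
    @Override public boolean isValid(RealmModel realm, UserModel local) { return fetchUser(local.getUsername()) != null; }

    @Override public UserModel getUserByEmail(RealmModel realm, String email) { return null; }
    @Override public boolean synchronizeRegistrations() { return false; } // accounts are created in the REST service
    @Override public UserModel register(RealmModel realm, UserModel user) { throw new IllegalStateException("register via the REST service"); }
    @Override public boolean removeUser(RealmModel realm, UserModel user) { return false; }
    @Override public List<UserModel> searchByAttributes(Map<String, String> attrs, RealmModel realm, int max) {
        UserModel u = attrs.containsKey(UserModel.USERNAME) ? getUserByUsername(realm, attrs.get(UserModel.USERNAME)) : null;
        return u == null ? Collections.<UserModel>emptyList() : Collections.singletonList(u);
    }
    @Override public List<UserModel> getGroupMembers(RealmModel realm, GroupModel g, int first, int max) { return Collections.emptyList(); }
    @Override public void preRemove(RealmModel realm) {}
    @Override public void preRemove(RealmModel realm, RoleModel role) {}
    @Override public void preRemove(RealmModel realm, GroupModel group) {}
    @Override public Set<String> getSupportedCredentialTypes(UserModel user) { return SUPPORTED; }
    @Override public Set<String> getSupportedCredentialTypes() { return SUPPORTED; }
    @Override public void close() {}

    // Hypothetical REST client. A transport failure on lookup fails closed (exception) rather than
    // reading as "no such user", so an outage is not recorded as a wrong username.
    private Map<?, ?> fetchUser(String username) {
        try {
            HttpURLConnection c = open("GET", "/users/" + URLEncoder.encode(username, "UTF-8"));
            int rc = c.getResponseCode();
            if (rc == 404) return null;
            if (rc != 200) throw new IOException("HTTP " + rc);
            return JSON.readValue(c.getInputStream(), Map.class);
        } catch (IOException e) {
            throw new IllegalStateException("user service unavailable", e);
        }
    }
    private boolean checkPassword(String username, String password) {
        try {
            HttpURLConnection c = open("POST", "/users/" + URLEncoder.encode(username, "UTF-8") + "/password-check");
            c.setDoOutput(true); c.setRequestProperty("Content-Type", "application/json");
            JSON.writeValue(c.getOutputStream(), Collections.singletonMap("password", password));
            return c.getResponseCode() == 200; // 401, 5xx and timeouts all count as a failed login
        } catch (IOException e) {
            return false;
        }
    }
    private HttpURLConnection open(String method, String path) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(baseUrl + path).openConnection();
        c.setRequestMethod(method); c.setConnectTimeout(3000); c.setReadTimeout(5000);
        c.setRequestProperty("Authorization", "Bearer " + apiToken);
        return c;
    }
}
```

Two design points worth keeping even if the rest changes: the service is called with its own credential (`apiToken`) over TLS, never with the user's password as a basic-auth pair, and the two failure paths are deliberately asymmetric. A lookup that cannot reach the service throws, so the login ends in an error rather than in "unknown user"; a password check that cannot reach the service returns false, because "unauthenticated" is the only safe answer there. The `isValid` round trip on every load of an imported user is the price of keeping the REST service authoritative; if that is too expensive, a cached validity with a short TTL is the usual compromise.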
> The Flow (as I understand it, please confirm / correct as needed):
>
> 1. User lands on Keycloak login page and initiates login
> 2. User does not exist in Keycloak
> 3. REST API is asked to authenticate via Authentication Provider SPI
> 4. User is authenticated
> 5. REST API is asked for user information to create user in Keycloak
>    (part of this process would need to decrypt the existing password
>    and then encrypt it using Keycloak's "default" method.)
> 6. User is created in Keycloak and any further authentication /
>    authorization logic will remain "in house"
>
> Thank you for your time,
>
> jim

From emil.posmyk at gmail.com Wed Jun 1 04:10:18 2016
From: emil.posmyk at gmail.com (Emil Posmyk)
Date: Wed, 1 Jun 2016 10:10:18 +0200
Subject: [keycloak-user] KC 1.9.4 Error during
In-Reply-To: <574E8871.6060303@redhat.com>
References: <574D82EB.7050504@redhat.com> <574D8C06.2050600@redhat.com> <574E8871.6060303@redhat.com>
Message-ID:

yes, after removing the underscore everything is working fine now, thanks

regards
--
Emil Posmyk

2016-06-01 9:02 GMT+02:00 Marek Posolda:

> Yes, that's possible. According to http://www.ietf.org/rfc/rfc952.txt the
> underscore is not a valid character in a hostname. Maybe it causes issues with
> the Apache HTTP client. If you have the possibility to remove the underscore, it's worth
> a try though.
>
> Marek
>
>
> On 31/05/16 16:21, Gregory Orciuch wrote:
>
> Hi,
> I don't get it. How are the truststore/keystore properties related to not
> having a hostname in the returned URL?
>
> The truststore is usually taken by the Java low-level SSL stack (unless Keycloak
> uses its own SSL stack) and even if wrong it does produce a PKIX exception which
> is not in Emil's stack trace.
>
> I suspect the underscore "_" in the "auth-server-url", or the name is not
> resolved by DNS from the Keycloak server's perspective.
>
> BR,
> Gregory
>
>
> 2016-05-31 15:05 GMT+02:00 Marek Posolda:
>
>> Does your Keycloak server have a certificate signed by a known CA authority
>> or are you using a self-signed one? If you have a self-signed one, you also need
>> to configure the truststore. See
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>> and especially the properties related to the truststore.
>>
>> Marek
>>
>> On 31/05/16 15:00, Emil Posmyk wrote:
>>
>> sorry, I forgot to finish the title
>>
>> {
>>   "realm": "Brandpath",
>>   "realm-public-key": "key.....",
>>   "auth-server-url": "https://sabdev_oms.brandpath.net/auth",
>>   "ssl-required": "external",
>>   "resource": "oms-web",
>>   "credentials": {
>>     "secret": "secret"
>>   },
>>   "use-resource-role-mappings": true
>> }
>>
>> regards
>> --
>> Emil Posmyk
>>
>> 2016-05-31 14:26 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
>>
>>> How is "auth-server-url" in your keycloak.json configured? If you're
>>> using a relative URI, then you can maybe try to use an absolute URI and see if
>>> it helps?
>>>
>>> Marek
>>>
>>>
>>> On 31/05/16 14:19, Emil Posmyk wrote:
>>>
>>> Hello
>>>
>>> I'm receiving an error when I try to log in to our application:
>>> ClientProtocolException: URI does not specify a valid host name:
>>> https:/auth/realms/Brandpath/protocol/openid-connect/token
>>> The http protocol is working fine, no errors, but using https I receive each
>>> time a URI without a host name.
>>> The auth page is working fine.
>>>
>>> What can cause that error?

From g.orciuch at gmail.com Wed Jun 1 04:12:21 2016
From: g.orciuch at gmail.com (Gregory Orciuch)
Date: Wed, 1 Jun 2016 10:12:21 +0200
Subject: [keycloak-user] KC 1.9.4 Error during
In-Reply-To:
References: <574D82EB.7050504@redhat.com> <574D8C06.2050600@redhat.com> <574E8871.6060303@redhat.com>
Message-ID:

Which seems to be a bug in Keycloak. It should log an error or throw some clear exception. Where is the best place to record the bug for same?

BR,
Gregory

2016-06-01 10:10 GMT+02:00 Emil Posmyk:

> yes, after removing the underscore everything is working fine now, thanks
>
>
> regards
> --
>
> Emil Posmyk
>
> 2016-06-01 9:02 GMT+02:00 Marek Posolda:
>
>> Yes, that's possible. According to http://www.ietf.org/rfc/rfc952.txt
>> the underscore is not a valid character in a hostname. Maybe it causes issues
>> with the Apache HTTP client. If you have the possibility to remove the underscore, it's
>> worth a try though.
>>
>> Marek
>>
>>
>> On 31/05/16 16:21, Gregory Orciuch wrote:
>>
>> Hi,
>> I don't get it. How are the truststore/keystore properties related to not
>> having a hostname in the returned URL?
>>
>> The truststore is usually taken by the Java low-level SSL stack (unless Keycloak
>> uses its own SSL stack) and even if wrong it does produce a PKIX exception which
>> is not in Emil's stack trace.
>>
>> I suspect the underscore "_" in the "auth-server-url", or the name is
>> not resolved by DNS from the Keycloak server's perspective.
>>
>> BR,
>> Gregory
>>
>>
>> 2016-05-31 15:05 GMT+02:00 Marek Posolda:
>>
>>> Does your Keycloak server have a certificate signed by a known CA authority
>>> or are you using a self-signed one? If you have a self-signed one, you also need
>>> to configure the truststore. See
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>>> and especially the properties related to the truststore.
>>>
>>> Marek
>>>
>>> On 31/05/16 15:00, Emil Posmyk wrote:
>>>
>>> sorry, I forgot to finish the title
>>>
>>> {
>>>   "realm": "Brandpath",
>>>   "realm-public-key": "key.....",
>>>   "auth-server-url": "https://sabdev_oms.brandpath.net/auth",
>>>   "ssl-required": "external",
>>>   "resource": "oms-web",
>>>   "credentials": {
>>>     "secret": "secret"
>>>   },
>>>   "use-resource-role-mappings": true
>>> }
>>>
>>> regards
>>> --
>>> Emil Posmyk
>>>
>>> 2016-05-31 14:26 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
>>>
>>>> How is "auth-server-url" in your keycloak.json configured? If you're
>>>> using a relative URI, then you can maybe try to use an absolute URI and see if
>>>> it helps?
>>>>
>>>> Marek
>>>>
>>>>
>>>> On 31/05/16 14:19, Emil Posmyk wrote:
>>>>
>>>> Hello
>>>>
>>>> I'm receiving an error when I try to log in to our application:
>>>> ClientProtocolException: URI does not specify a valid host name:
>>>> https:/auth/realms/Brandpath/protocol/openid-connect/token
>>>> The http protocol is working fine, no errors, but using https I receive each
>>>> time a URI without a host name.
>>>> The auth page is working fine.
>>>>
>>>> What can cause that error?
>>>>
>>>> 14:59:22,937 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token: org.apache.http.client.ClientProtocolException: URI does not specify a valid host name: https:/auth/realms/Brandpath/protocol/openid-connect/token
>>>>
>>>> regards
>>>> --
>>>> Emil Posmyk

From palermo at pobox.com Wed Jun 1 08:38:17 2016
From: palermo at pobox.com (Bruno Palermo)
Date: Wed, 1 Jun 2016 09:38:17 -0300
Subject: [keycloak-user] Realm Resource Provider

Hi,

I just created a custom resource provider. Is it possible to render a FreeMarker template as the response?

https://github.com/keycloak/keycloak/blob/master/examples/providers/rest/src/main/java/org/keycloak/examples/rest/HelloResourceProvider.java

Thanks,
Bruno

From jdillon at redhat.com Wed Jun 1 09:18:09 2016
From: jdillon at redhat.com (Jim Dillon)
Date: Wed, 1 Jun 2016 09:18:09 -0400
Subject: [keycloak-user] Keycloak integration with REST service
In-Reply-To: <574E91C4.8060002@redhat.com>
References: <574E91C4.8060002@redhat.com>

Marek,

Thank you very much for the information and the leads! That should get me a good ways towards my goal.

Mike,

If you do get to that blog post, please post your link, I'd really like to check it out.

Thomas,

Thank you for the links, they are very helpful! The example User Federation Provider appears to be close to what I'll need to implement. It's just missing the part where the external data source is kept in sync.
jim

On Wed, Jun 1, 2016 at 3:41 AM, Marek Posolda wrote:
> On 01/06/16 03:20, Jim Dillon wrote:
>> It looks like a custom User Federation Provider needs to be created in order to access a REST Service for user information and an Authentication Provider to authenticate against a REST Service.
>>
>> I've looked at the example User Federation Provider that uses a static file and the Authentication Provider examples which enforce a secret question / answer flow. I have a better understanding of what needs to be accomplished, but I'm still quite a ways from where I need to be.
>>
>> Can anyone point me in the direction of an example User Federation Provider and / or an Authentication Provider that uses a REST Service? (Google hasn't found any examples for me.)
>>
>> Is there more documentation to be found on these subjects other than the inline code comments, User Manual, and github based docs?
>>
>> Could I possibly be making it more difficult than it is, do I simply need to substitute http requests for file i/o in the User Federation Provider example?
>
> I think yes, that's what you can do. And I think that you don't need to implement any Authentication Provider, really just a User Federation Provider.
>
> The Authentication Provider is used if you need to somehow change the authentication flow (for example add some new form with a new login mechanism), however here you don't need it. Here the flow is like this:
>
> 1. User lands on the Keycloak login page and initiates login. This is done with the standard Keycloak login form for username/password. So you don't need any custom Authentication provider.
> 2. User does not exist in Keycloak.
> 3. Keycloak asks User storage (UserFederationManager), which will try to look up the user in its database and if it doesn't exist in the database, then will look it up via your UserFederationProvider. So it will call the method YourUserFederationProvider.getUserByUsername. In this method, you are supposed to implement calling your REST API and look up the user and then create the user in the Keycloak DB.
> 4. User is authenticated - Keycloak will call YourUserFederationProvider.validCredentials where you are supposed to implement validation of username/password against your REST service.
> 5. You can implement the proxy object for your user where you can control which info exactly is retrieved from/to the Keycloak DB and which is retrieved from/to your REST service.
>
> Note that registering the user back to the REST service is done via YourUserFederationProvider.register. So always when a new user is created in Keycloak, it will call this method of your FederationProvider and you are supposed to "register" the user in your REST service too. Via the User proxy object, you can control when your REST service needs to be updated (for example if you implement user.setEmail in your proxy and call the REST service here, then Keycloak will call this method and hence your REST service always when the email of some user is changed).
>
> And btw, you can try to contact the guys from the RH jboss.org team, which did some UserFederationProvider calling REST. It's possible that your implementation will be similar. You can try velias at redhat.com and/or lkrzyzan at redhat.com.
>
> Marek
>
>> The Flow (as I understand it, please confirm / correct as needed):
>>
>> 1. User lands on Keycloak login page and initiates login
>> 2. User does not exist in Keycloak
>> 3. REST API is asked to authenticate via Authentication Provider SPI
>> 4. User is authenticated
>> 5. REST API is asked for user information to create user in Keycloak (part of this process would need to decrypt the existing password and then encrypt it using Keycloak's "default" method.)
>> 6. User is created in Keycloak and any further authentication / authorization logic will remain "in house"
>>
>> Thank you for your time,
>>
>> jim

From sthorger at redhat.com Wed Jun 1 09:39:43 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 1 Jun 2016 15:39:43 +0200
Subject: [keycloak-user] Realm Resource Provider

Try looking at the authenticator provider example, I believe that does it.

On 1 June 2016 at 14:38, Bruno Palermo wrote:
> Hi,
>
> I just created a custom resource provider. Is it possible to render a FreeMarker template as the response?
>
> https://github.com/keycloak/keycloak/blob/master/examples/providers/rest/src/main/java/org/keycloak/examples/rest/HelloResourceProvider.java
>
> Thanks,
> Bruno

From Vincent.Sluijter at crv4all.com Wed Jun 1 10:14:17 2016
From: Vincent.Sluijter at crv4all.com (Vincent Sluijter)
Date: Wed, 1 Jun 2016 14:14:17 +0000
Subject: [keycloak-user] Is it possible to partial import an User Federation provider?

Hello,

I'm trying to 'partial' import a JSON with a User Federation provider containing LDAP configuration to connect to Active Directory, but the import keeps failing with the message "No resouces specified to import".
Is it even possible to import a single user federation provider using the partial import function?

This message is subject to the following E-mail Disclaimer. (http://www.crv4all.com/disclaimer-email/) CRV Holding B.V. seats according to the articles of association in Arnhem, Dutch trade number 09125050.

From palermo at pobox.com Wed Jun 1 10:58:34 2016
From: palermo at pobox.com (Bruno Palermo)
Date: Wed, 1 Jun 2016 11:58:34 -0300
Subject: [keycloak-user] Realm Resource Provider

Yes, it does. But it uses the 'RequiredActionContext' context, how can I have access to this context inside 'RealmResourceProvider'? The 'RealmResourceProviderFactory' create method is:

    @Override
    public RealmResourceProvider create(KeycloakSession session)

> Date: Wed, 1 Jun 2016 15:39:43 +0200
> Subject: Re: [keycloak-user] Realm Resource Provider
> From: sthorger at redhat.com
> To: palermo at pobox.com
> CC: keycloak-user at lists.jboss.org
>
> Try looking at the authenticator provider example, I believe that does it.
>
> On 1 June 2016 at 14:38, Bruno Palermo wrote:
>> Hi,
>>
>> I just created a custom resource provider. Is it possible to render a FreeMarker template as the response?
>>
>> https://github.com/keycloak/keycloak/blob/master/examples/providers/rest/src/main/java/org/keycloak/examples/rest/HelloResourceProvider.java
>>
>> Thanks,
>> Bruno

From Marque.Davis at PremiseHealth.com Wed Jun 1 11:08:48 2016
From: Marque.Davis at PremiseHealth.com (Marque Davis)
Date: Wed, 1 Jun 2016 15:08:48 +0000
Subject: [keycloak-user] SAML Setup

Hi,

I'm working on moving SAML auth in one app into Keycloak. Since we have many clients hitting our existing API, we don't want to change the external API. Instead we need to proxy through to Keycloak. I have a SAML test harness that generates the SAML doc and redirects to KC, but I constantly get a staleCodeError in the logs and the following error on the page it redirects to:

WE'RE SORRY ... This page is no longer valid, please go back to your application and login again

I've set up an Identity Provider named 'saml' and pointed my test app to the Redirect URI (http://192.168.99.100:10080/auth/realms/demo/broker/saml/endpoint). Config screenshot attached (if it isn't stripped from email).

Am I doing something wrong, or is this just not a use case Keycloak is designed for?

From okie.othsam at gmail.com Wed Jun 1 11:09:30 2016
From: okie.othsam at gmail.com (Okie Oth)
Date: Wed, 1 Jun 2016 17:09:30 +0200
Subject: [keycloak-user] Apache or other webserver adapter
Message-ID: <574EFAAA.9080001@gmail.com>

Hello,

I wonder if there is a way to protect static webserver resources with keycloak.
I have an Apache Adapter in mind but I can't find anything about this topic.

Kind regards
Eiko

From petervn1 at yahoo.com Wed Jun 1 13:19:35 2016
From: petervn1 at yahoo.com (Peter Nalyvayko)
Date: Wed, 1 Jun 2016 17:19:35 +0000 (UTC)
Subject: [keycloak-user] Fw: Are there plans to implement PK Certificate user authentication?
In-Reply-To: <546849148.2815900.1464741692784.JavaMail.yahoo@mail.yahoo.com>
References: <546849148.2815900.1464741692784.JavaMail.yahoo.ref@mail.yahoo.com> <546849148.2815900.1464741692784.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <724036490.3301884.1464801575544.JavaMail.yahoo@mail.yahoo.com>

Hello,

Cross-posting... We are considering using keycloak as an STS (Secure Token Service). One of the requirements is PK certificate user authentication. It seems the only supported user authentication mechanism in keycloak is user credentials (user name / password). Before rolling out our own implementation, I just want to make sure I am not missing something obvious and that PK authentication is indeed not supported in keycloak yet.

Regards,
Peter

From sthorger at redhat.com Wed Jun 1 14:45:23 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 1 Jun 2016 20:45:23 +0200
Subject: [keycloak-user] Apache or other webserver adapter
In-Reply-To: <574EFAAA.9080001@gmail.com>
References: <574EFAAA.9080001@gmail.com>

For OpenID Connect you can try mod_auth_openidc or for SAML mod_auth_mellon. We've tried mod_auth_mellon ourselves, but not mod_auth_openidc.

On 1 June 2016 at 17:09, Okie Oth wrote:
> Hello,
> I wonder if there is a way to protect static webserver resources with keycloak. I have an Apache Adapter in mind but I can't find anything about this topic.
>
> Kind regards
> Eiko

From okie.othsam at gmail.com Wed Jun 1 16:34:04 2016
From: okie.othsam at gmail.com (Okie Oth)
Date: Wed, 1 Jun 2016 22:34:04 +0200
Subject: [keycloak-user] Apache or other webserver adapter
References: <574EFAAA.9080001@gmail.com>
Message-ID: <574F46BC.2070301@gmail.com>

Thank you, I will check this out.

Cheers

On 01.06.2016 at 20:45, Stian Thorgersen wrote:
> For OpenID Connect you can try mod_auth_openidc or for SAML mod_auth_mellon. We've tried mod_auth_mellon ourselves, but not mod_auth_openidc.
>
> On 1 June 2016 at 17:09, Okie Oth wrote:
>> Hello,
>> I wonder if there is a way to protect static webserver resources with keycloak. I have an Apache Adapter in mind but I can't find anything about this topic.
>>
>> Kind regards
>> Eiko

From rsoares at redhat.com Wed Jun 1 18:26:10 2016
From: rsoares at redhat.com (Rafael T. C. Soares)
Date: Wed, 1 Jun 2016 19:26:10 -0300
Subject: [keycloak-user] SSO between apps with different protocol
Message-ID: <574F6102.8040905@redhat.com>

Hi!
I have one common realm (eg: demo-realm) with two client apps under it:

- 1st app using SAML protocol - hosted in app srv 1 (tomcat)
- 2nd app using Keycloak default OpenID Connect - hosted in app srv 2 (JBoss EAP)

What do I need to do in order to enable SSO between both of these apps?

I tried to log in to the 1st one and then tried to access the 2nd one, but the SSO does not work :-/

--
___
Rafael T. C. Soares

From yelata at blulogix.com Wed Jun 1 20:19:30 2016
From: yelata at blulogix.com (Yasser El-ata)
Date: Thu, 2 Jun 2016 03:19:30 +0300
Subject: [keycloak-user] Classification all email that sent from keycloak as SPAM on GMAIL

Hello,

I have an issue: all the emails that are sent by keycloak are classified as spam, just on Gmail. The emails that are sent to Yahoo and Hotmail are received in the inbox. I'm using Amazon SMTP and I already use certificates from Amazon to make sure all emails will not be sent as spam.

Any ideas please?

Thanks

--
Yasser El-Ata
Java Developer
BluLogix
737 Walker Rd Ste 3, Great Falls, VA 22066
t: 443.333.4100 | f: 443.333.4101
www.blulogix.com

The information transmitted is intended only for the person(s) to whom it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

From rsoares at redhat.com Wed Jun 1 22:13:19 2016
From: rsoares at redhat.com (Rafael T. C. Soares)
Date: Wed, 1 Jun 2016 23:13:19 -0300
Subject: [keycloak-user] SSO between apps with different protocol
In-Reply-To: <574F6102.8040905@redhat.com>
References: <574F6102.8040905@redhat.com>
Message-ID: <574F963F.9050006@redhat.com>

Hi!

Please ignore my last question.

It worked fine. Keycloak checks the existence of a Session for the user logged in to the first app. Obviously the SSO will happen if I try to access the other app using the same Browser Session. Additionally I suppose both apps have to be under the same realm. Makes sense?

BTW, is it possible to disable Single Sign out for a specific client app?

___
Rafael T. C. Soares

On 06/01/2016 07:26 PM, Rafael T. C. Soares wrote:
> Hi!
>
> I have one common realm (eg: demo-realm) with two client apps under it:
>
> - 1st app using SAML protocol - hosted in app srv 1 (tomcat)
> - 2nd app using Keycloak default OpenID Connect - hosted in app srv 2 (JBoss EAP)
>
> What do I need to do in order to enable SSO between both of these apps?
>
> I tried to log in to the 1st one and then tried to access the 2nd one, but the SSO does not work :-/
>
> --
> ___
> Rafael T. C. Soares

From sthorger at redhat.com Thu Jun 2 01:43:45 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 2 Jun 2016 07:43:45 +0200
Subject: [keycloak-user] SSO between apps with different protocol
In-Reply-To: <574F963F.9050006@redhat.com>
References: <574F6102.8040905@redhat.com> <574F963F.9050006@redhat.com>

On 2 June 2016 at 04:13, Rafael T. C. Soares wrote:
> Hi!
>
> Please ignore my last question.
>
> It worked fine. Keycloak checks the existence of a Session for the user logged in to the first app. Obviously the SSO will happen if I try to access the other app using the same Browser Session.
> Additionally I suppose both apps have to be under the same realm. Makes sense?

Yes, the SSO session is bound to one realm and browser session.

> BTW, is it possible to disable Single Sign out for a specific client app?

Not sure what you mean about disabling single sign out? Do you want the client to have access after the user has logged out? If so you can use offline tokens if you are using OpenID Connect.

> ___
> Rafael T. C. Soares
>
> On 06/01/2016 07:26 PM, Rafael T. C. Soares wrote:
>> Hi!
>>
>> I have one common realm (eg: demo-realm) with two client apps under it:
>>
>> - 1st app using SAML protocol - hosted in app srv 1 (tomcat)
>> - 2nd app using Keycloak default OpenID Connect - hosted in app srv 2 (JBoss EAP)
>>
>> What do I need to do in order to enable SSO between both of these apps?
>>
>> I tried to log in to the 1st one and then tried to access the 2nd one, but the SSO does not work :-/
>>
>> --
>> ___
>> Rafael T. C. Soares

From paal.oliver at gmail.com Thu Jun 2 07:24:28 2016
From: paal.oliver at gmail.com (Pål Oliver Kristiansen)
Date: Thu, 02 Jun 2016 11:24:28 +0000
Subject: [keycloak-user] Absolute links in admin pages

Hi!

We are trying to install Keycloak on a server behind a BigIP SSL terminator. Keycloak is running within a Docker container on a different server. But trying to open the Administration Console fails because all the links within the markup are absolute links which are resolved to http://localhost:9555/auth/... So both the scheme and the hostname are wrong.

Questions:

Why are these links absolute? Is there a way to configure this to be relative links?
Or, if they must be absolute, is there a way to configure the links to become correct?

From what I can gather, this is the line where the absolute link is resolved:
https://github.com/keycloak/keycloak/blob/5c98b8c6ae7052b2d906156d8fc212ccd9dfd57d/services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java#L292

Thanks!

From rsoares at redhat.com Thu Jun 2 09:06:35 2016
From: rsoares at redhat.com (Rafael T. C. Soares)
Date: Thu, 2 Jun 2016 10:06:35 -0300
Subject: [keycloak-user] SSO between apps with different protocol
References: <574F6102.8040905@redhat.com> <574F963F.9050006@redhat.com>
Message-ID: <57502F5B.6080801@redhat.com>

___
Rafael T. C. Soares

On 06/02/2016 02:43 AM, Stian Thorgersen wrote:
> On 2 June 2016 at 04:13, Rafael T. C. Soares wrote:
>> Hi!
>>
>> Please ignore my last question.
>>
>> It worked fine. Keycloak checks the existence of a Session for the user logged in to the first app. Obviously the SSO will happen if I try to access the other app using the same Browser Session. Additionally I suppose both apps have to be under the same realm. Makes sense?
>
> Yes, the SSO session is bound to one realm and browser session.
>
>> BTW, is it possible to disable Single Sign out for a specific client app?
>
> Not sure what you mean about disabling single sign out? Do you want the client to have access after the user has logged out? If so you can use offline tokens if you are using OpenID Connect.

For example, in my scenario, if the user logs out from the second app (sharing the same browser session and realm) it should be logged out only from that app (2nd), but should remain logged in to the 1st one. Does it make sense? Is that possible?

>> ___
>> Rafael T. C. Soares
>>
>> On 06/01/2016 07:26 PM, Rafael T. C. Soares wrote:
>>> Hi!
>>>
>>> I have one common realm (eg: demo-realm) with two client apps under it:
>>>
>>> - 1st app using SAML protocol - hosted in app srv 1 (tomcat)
>>> - 2nd app using Keycloak default OpenID Connect - hosted in app srv 2 (JBoss EAP)
>>>
>>> What do I need to do in order to enable SSO between both of these apps?
>>>
>>> I tried to log in to the 1st one and then tried to access the 2nd one, but the SSO does not work :-/
>>>
>>> --
>>> ___
>>> Rafael T. C. Soares

From gahealy at redhat.com Thu Jun 2 09:28:21 2016
From: gahealy at redhat.com (Gareth Healy)
Date: Thu, 2 Jun 2016 14:28:21 +0100
Subject: [keycloak-user] (no subject)

I am trying to secure a URL with KeyCloak, backed by Kerberos. I've followed the below link, but sadly I'm not seeing what I would expect.
- https://github.com/keycloak/keycloak-documentation/blob/master/topics/jboss-adapter.adoc#required-per-war-configuration The exploded war web.xml contains: io.apiman.gateway.platforms.war.listeners.WarGatewayBootstrapper GatewayServlet io.apiman.gateway.platforms.war.servlets.WarGatewayServlet GatewayServlet /* apiman-gateway /apiman-gateway/* user CONFIDENTIAL KEYCLOAK this is ignored currently user And the keycloak.json file in the WEB-INF folder contains: { "realm": "apiman", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyG61ohrfJQKNmDA/ePZtqZVpPXjwn3k3T+iWiTvMsxW2+WlnqIEmL5qZ09DMhBH9r50WZRO2gVoCb657Er9x0vfD6GNf/47XU2y33TX8axhP+hSwkv/VViaDlu4jQrfgPWz/FXMjWIZxg1xQS+nOBF2ScCRYWNQ/ZnUNnvrq8dGC2/AlyeYcgDUOdwlJuvgkGlF0QoVPQiRPurR3RwlG+BjL8JB3hbaAZhdJqwqApmGQbcpgLj2tODnlrZnEAp5cPPU/lgqCE1OOp78BAEiE91ZLPl/+D8qDHk+Maz0Io3bkeRZMXPpvtbL3qN+3GlF8Yz264HDSsTNrH+nd19tFQIDAQAB", "auth-server-url": "https://reuxgbls359:8443/auth", "ssl-required": "none", "resource": "apiman-gateway", "public-client": true } When i hit the URL, i see the below debug: 2016-06-02 13:20:10,460 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-43) adminRequest https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl 2016-06-02 13:20:10,461 DEBUG [org.keycloak.adapters.undertow.ServletSessionTokenStore] (default task-43) session was null, returning null 2016-06-02 13:20:10,461 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) there was no code 2016-06-02 13:20:10,461 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) redirecting to auth server 2016-06-02 13:20:10,462 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) callback uri: https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl 2016-06-02 13:20:10,463 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-43) AuthenticatedActionsValve.invoke https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl But i never 
get redirected to the auth/login page.

Any ideas what I am doing wrong?

--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK

Mobile: +44(0)7818511214
E-Mail: gahealy at redhat.com

Registered in England and Wales under Company Registration No. 03798903

From gahealy at redhat.com Thu Jun 2 10:07:23 2016
From: gahealy at redhat.com (Gareth Healy)
Date: Thu, 2 Jun 2016 15:07:23 +0100
Subject: [keycloak-user] (no subject)
In-Reply-To:
References:
Message-ID:

Just realised I was using the wrong url-pattern. All good.

On Thu, Jun 2, 2016 at 2:28 PM, Gareth Healy wrote:
> I am trying to secure a URL with KeyCloak, backed by Kerberos. I've followed the below link, but sadly not seeing what I would expect.
>
> - https://github.com/keycloak/keycloak-documentation/blob/master/topics/jboss-adapter.adoc#required-per-war-configuration
>
> The exploded war web.xml contains:
>
> xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
> version="2.5">
>
> io.apiman.gateway.platforms.war.listeners.WarGatewayBootstrapper
>
> GatewayServlet
> io.apiman.gateway.platforms.war.servlets.WarGatewayServlet
>
> GatewayServlet
> /*
>
> apiman-gateway
> /apiman-gateway/*
>
> user
>
> CONFIDENTIAL
>
> KEYCLOAK
> this is ignored currently
>
> user
>
> And the keycloak.json file in the WEB-INF folder contains:
>
> {
> "realm": "apiman",
> "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxyG61ohrfJQKNmDA/ePZtqZVpPXjwn3k3T+iWiTvMsxW2+WlnqIEmL5qZ09DMhBH9r50WZRO2gVoCb657Er9x0vfD6GNf/47XU2y33TX8axhP+hSwkv/VViaDlu4jQrfgPWz/FXMjWIZxg1xQS+nOBF2ScCRYWNQ/ZnUNnvrq8dGC2/AlyeYcgDUOdwlJuvgkGlF0QoVPQiRPurR3RwlG+BjL8JB3hbaAZhdJqwqApmGQbcpgLj2tODnlrZnEAp5cPPU/lgqCE1OOp78BAEiE91ZLPl/+D8qDHk+Maz0Io3bkeRZMXPpvtbL3qN+3GlF8Yz264HDSsTNrH+nd19tFQIDAQAB",
> "auth-server-url": "https://reuxgbls359:8443/auth",
> "ssl-required": "none",
> "resource": "apiman-gateway",
> "public-client": true
> }
>
> When I hit the URL, I see the below debug:
>
> 2016-06-02 13:20:10,460 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-43) adminRequest https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl
> 2016-06-02 13:20:10,461 DEBUG [org.keycloak.adapters.undertow.ServletSessionTokenStore] (default task-43) session was null, returning null
> 2016-06-02 13:20:10,461 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) there was no code
> 2016-06-02 13:20:10,461 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) redirecting to auth server
> 2016-06-02 13:20:10,462 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) callback uri: https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl
> 2016-06-02 13:20:10,463 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-43) AuthenticatedActionsValve.invoke https://reuxgbls359:8443/apiman-gateway/bp/mapping/1.0?wsdl
>
> But I never get redirected to the auth/login page.
>
> Any ideas what I am doing wrong?
>
> --
> Gareth Healy
> UKI Middleware Consultant
> Red Hat UK Ltd
> 200 Fowler Avenue
> Farnborough, Hants
> GU14 7JP, UK
>
> Mobile: +44(0)7818511214
> E-Mail: gahealy at redhat.com
>
> Registered in England and Wales under Company Registration No.
> 03798903
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Gareth Healy

From sthorger at redhat.com Thu Jun 2 13:22:49 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 2 Jun 2016 19:22:49 +0200
Subject: [keycloak-user] SSO between apps with different protocol
In-Reply-To: <57502F5B.6080801@redhat.com>
References: <574F6102.8040905@redhat.com> <574F963F.9050006@redhat.com> <57502F5B.6080801@redhat.com>
Message-ID:

On 2 June 2016 at 15:06, Rafael T. C. Soares wrote:
> ___
> Rafael T. C. Soares
>
> On 06/02/2016 02:43 AM, Stian Thorgersen wrote:
>
> On 2 June 2016 at 04:13, Rafael T. C. Soares wrote:
>
>> Hi!
>>
>> Please ignore my last question.
>>
>> It worked fine. Keycloak checks the existence of a Session for the user logged in to the first app. Obviously the SSO will happen if I try to access the other app using the same Browser Session. Additionally I suppose both apps have to be under the same realm. Makes sense?
>
> Yes, the SSO session is bound to one realm and browser session
>
>> BTW, is it possible to disable Single Sign out for a specific client app?
>
> Not sure what you mean about disabling single sign out? Do you want the client to have access after the user has logged-out?
> If so you can use offline tokens if you are using OpenID Connect
>
> For example, in my scenario, if the user logs out from the second app (sharing the same browser session and realm) it should be logged out only from that app (2nd). But it should remain logged in to the 1st one. Does it make sense? Is that possible?

Not really. It's SSO and all apps are using the same SSO session. In either case it's not really supported.

>> ___
>> Rafael T. C. Soares
>>
>> On 06/01/2016 07:26 PM, Rafael T. C. Soares wrote:
>>
>> Hi!
>>
>> I have one common realm (eg: demo-realm) with two client apps under it:
>>
>> - 1st app using SAML protocol - hosted in app srv 1 (tomcat)
>> - 2nd app using Keycloak default OpenID Connect - hosted in app srv 2 (JBoss EAP)
>>
>> What do I need to do in order to enable SSO between both these apps?
>>
>> I tried logging in to the 1st one and then tried to access the 2nd one, but the SSO does not work :-/
>>
>> --
>> ___
>> Rafael T. C. Soares

From sthorger at redhat.com Thu Jun 2 13:23:28 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 2 Jun 2016 19:23:28 +0200
Subject: [keycloak-user] Apache or other webserver adapter
In-Reply-To: <574F46BC.2070301@gmail.com>
References: <574EFAAA.9080001@gmail.com> <574F46BC.2070301@gmail.com>
Message-ID:

If you do try them, let me know if it works for you. Especially if you try mod_auth_openidc.

On 1 June 2016 at 22:34, Okie Oth wrote:
> Thank you, I will check this out
>
> Cheers
>
> On 01.06.2016 at 20:45, Stian Thorgersen wrote:
>
> For OpenID Connect you can try mod_auth_openidc or for SAML mod_auth_mellon.
> We've tried mod_auth_mellon ourselves, but not mod_auth_openidc.
>
> On 1 June 2016 at 17:09, Okie Oth wrote:
>
>> Hello,
>> I wonder if there is a way to protect static webserver resources with keycloak. I have an Apache Adapter in mind but I can't find anything about this topic.
>>
>> Kind regards
>> Eiko

From sthorger at redhat.com Thu Jun 2 13:27:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 2 Jun 2016 19:27:15 +0200
Subject: [keycloak-user] Absolute links in admin pages
In-Reply-To:
References:
Message-ID:

I'm not sure how you even get to that point, as Keycloak needs to be aware of the real request URL for several reasons (token validation, links in emails, etc.). To this end, if you have a proxy in front of Keycloak there are a few steps you need to take to make sure it works properly. Take a look at http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e409 and http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding

On 2 June 2016 at 13:24, Pål Oliver Kristiansen wrote:
> Hi!
>
> We are trying to install Keycloak on a server behind a BigIP SSL terminator. Keycloak is running within a Docker container on a different server.
>
> But trying to open the Administration Console fails because all the links within the markup are absolute links which are resolved to http://localhost:9555/auth/...
>
> So both the scheme and the hostname are wrong.
>
> Questions:
>
> Why are these links absolute? Is there a way to configure this to be relative links?
> Or, if they must be absolute, is there a way to configure the links to become correct?
>
> From what I can gather, this is the line where the absolute link is resolved:
>
> https://github.com/keycloak/keycloak/blob/5c98b8c6ae7052b2d906156d8fc212ccd9dfd57d/services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java#L292
>
> Thanks!

From amaeztu at tesicnor.com Thu Jun 2 16:08:56 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Thu, 2 Jun 2016 22:08:56 +0200
Subject: [keycloak-user] Fwd: Re: Redirection issue with proxy behind keycloak
In-Reply-To: <11921D36-82CD-4B90-8E65-4C3209D5DE52@smartling.com>
References: <03225e22-5a31-d3c5-4285-69e355e1950e@tesicnor.com> <5e1b50b9-b7d0-5b2e-b16c-4df98da6f485@tesicnor.com> <7a45ae5d-cf0f-a5d5-0ab5-1df8ee8aa9da@tesicnor.com> <895342cc-a03d-caff-ffa3-281cf9a25499@tesicnor.com> <11921D36-82CD-4B90-8E65-4C3209D5DE52@smartling.com>
Message-ID:

Hi Scott and all,

Tried removing the tomcat adapter from my project; it was my mistake putting it together with the Spring Security one. Thanks for the link to the question, it was a question I asked on SO some time ago and your answer worked that time.

However, even if I leave /sso/login unprotected by Spring Security, the same behaviour happens. So I tried creating a sample scenario from scratch and I can reproduce the issue. Here it is, three maven projects, the service discovery (Eureka), the proxy service (Zuul) and the sample secured service:

https://github.com/xtremebiker/zuul-keycloak-test

The keycloak.json file in the secured service should be replaced by the one for your client, of course.
And here is a filter declaration that can be made in Spring Boot to show the request dumper for Tomcat:

http://stackoverflow.com/questions/23325389/spring-boot-enable-http-requests-logging/37523922#37523922

The steps to reproduce it are:

1- Boot the three projects
2- Wait till the two services are registered in Eureka and navigate to localhost:8765/secured-service/path
3- After logging in to Keycloak, the port changes to 8083

I'll continue struggling and see if I can figure it out myself.

Regards

On 31/05/2016 22:56, Scott Rossillo wrote:
> Hi Aritz,
>
> If you're using the Tomcat adapter and Spring Security adapter together, they may be interfering with each other. I'm not saying this is the problem you're having but I'd avoid using both adapters together.
>
> Please also take a look at this Stack Overflow answer[0] related to redirect issues. If none of this helps I'll try to debug with Eureka and Zuul.
>
> [0]: http://stackoverflow.com/questions/33543672/keycloak-redirects-me-to-my-index-url-instead-of-to-the-requested-one?answertab=votes#tab-top
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>> On May 31, 2016, at 4:00 PM, Aritz Maeztu wrote:
>>
>> Hello Scott,
>>
>> I've got the spring security and tomcat keycloak adapters both as a project dependency for each service (as I'm running the services in Tomcat 8 embedded servers). Basically I want to base my security on Spring Security, that's why I chose this adapter over the Spring Boot adapter.
>>
>> As the behaviour states, a redirection is made first to the /sso/login endpoint, then another one to the keycloak authorization server.
>> The question is, as a redirection is a mere instruction stated from the server to the browser, what chances do I have to send the original x-forwarded headers to the keycloak authorization server, so that it can make the redirection to the url requested at the very beginning (to the reverse proxy)?
>>
>> I could implement a playground scenario for you if you happen to require it.
>>
>> Many thanks
>>
>> On 31/05/2016 20:14, Scott Rossillo wrote:
>>> Hi Aritz,
>>>
>>> So just to be clear, which Keycloak adapter are you using? The Spring Boot Adapter or the Spring Security Adapter?
>>>
>>> Scott Rossillo
>>> Smartling | Senior Software Engineer
>>> srossillo at smartling.com
>>>
>>>> On May 31, 2016, at 3:13 AM, Aritz Maeztu wrote:
>>>>
>>>> I've got some Spring Boot application instances with embedded Tomcat servlet containers. Tomcat has a similar system to Wildfly for request dumping, that's what I have enabled for getting the trace below. In short, that's the behaviour I'm able to see:
>>>>
>>>> 1. Zuul Proxy (Spring Boot in Tomcat) -> Organization Service (8083 port): A forward request where X-forwarded headers are included
>>>>
>>>> 2. Organization Service (localhost:8083): Looks for a token and if it's not available, the keycloak adapter redirects to the /sso/login of the same service (Here the traceability from the proxy gets lost)
>>>>
>>>> 3. localhost:8083/sso/login: Redirects to the keycloak wildfly server, saving the requested url
>>>>
>>>> 4. Keycloak login: The user performs the authentication and the redirectUri is localhost:8083/sso/login. Later on, the login endpoint redirects the user to the url requested in point 2, not the first one from the proxy.
>>>>
>>>> I only have this problem when my organization service needs to verify the token (or a token doesn't exist) using the keycloak adapter.
>>>> When the /sso/login endpoint is not requested, everything is working properly. Hope I've explained it well!
>>>>
>>>> On 31/05/2016 7:15, Stian Thorgersen wrote:
>>>>> Where is your app deployed? If it's on WildFly you can follow the same steps used to configure reverse proxy for Keycloak Server to configure WildFly. Check if getRequestURL returns the correct URL in your app.
>>>>>
>>>>> On 30 May 2016 at 15:08, Aritz Maeztu wrote:
>>>>>
>>>>> -------- Forwarded message --------
>>>>> Subject: Re: [keycloak-user] Redirection issue with proxy behind keycloak
>>>>> Date: Mon, 30 May 2016 13:28:21 +0200
>>>>> From: Aritz Maeztu
>>>>> To: stian at redhat.com
>>>>> CC: Niels Bertram, keycloak-user, Scott Rossillo
>>>>>
>>>>> I've done all the traceability from the proxy server till the login page is displayed:
>>>>>
>>>>> First step, /organization/organizations is requested, so the proxy server knows it has to be forwarded to the 8083 port (the one for the organization service).
That's the first >>>>> request received by my application's Tomcat: >>>>> >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 START >>>>> TIME =30-may-2016 13:01:18 >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> requestURI=/organizations >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> authType=null >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> characterEncoding=UTF-8 >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> contentLength=-1 >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> contentType=null >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> contextPath= >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=accept-language=es-ES,es;q=0.8 >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=x-forwarded-host=mies-057:8765 >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=x-forwarded-prefix=/organization >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=upgrade-insecure-requests=1 >>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=accept-encoding=gzip >>>>> 2016-05-30 
13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) >>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 >>>>> Safari/537.36 >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=netflix.nfhttpclient.version=1.0 >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=x-netflix-httpclientname=organization >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=host=mies-057:8083 >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=connection=Keep-Alive >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> locale=es_ES >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> method=GET >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> pathInfo=null >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> protocol=HTTP/1.1 >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> queryString=null >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : 
http-nio-8083-exec-9 >>>>> remoteAddr=192.168.56.1 >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> remoteHost=192.168.56.1 >>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> remoteUser=null >>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> requestedSessionId=null >>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> scheme=http >>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> serverName=mies-057 >>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> serverPort=8083 >>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> servletPath=/organizations >>>>> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> isSecure=false >>>>> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> ------------------=-------------------------------------------- >>>>> >>>>> Here x-forwarded-host is mies-057:8765 (the proxy server) and >>>>> x-forwarded-prefix is /organization. So the original request >>>>> is kept in the headers. 
Well, now my service (8083) tries to >>>>> check for authorization via the /sso/login endpoint from the >>>>> keycloak spring security adapter: >>>>> >>>>> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9] >>>>> o.k.a.s.management.HttpSessionManager : Session created: >>>>> CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9] >>>>> k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to >>>>> login URI /sso/login >>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> ------------------=-------------------------------------------- >>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> authType=null >>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> contentType=null >>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=X-Content-Type-Options=nosniff >>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=X-XSS-Protection=1; mode=block >>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=Cache-Control=no-cache, no-store, max-age=0, >>>>> must-revalidate >>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=Pragma=no-cache >>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=Expires=0 >>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=X-Frame-Options=DENY >>>>> 2016-05-30 
13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752; >>>>> Path=/; HttpOnly >>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> header=Location=http://mies-057:8083/sso/login >>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> remoteUser=null >>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> status=302 >>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 END >>>>> TIME =30-may-2016 13:01:18 >>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 >>>>> =============================================================== >>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> START TIME =30-may-2016 13:01:18 >>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> requestURI=/sso/login >>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> authType=null >>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> characterEncoding=UTF-8 >>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> contentLength=-1 >>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> contentType=null >>>>> 2016-05-30 13:01:18.902 INFO 18096 --- 
[io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> contextPath= >>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> header=host=mies-057:8083 >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> header=connection=keep-alive >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> header=upgrade-insecure-requests=1 >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) >>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 >>>>> Safari/537.36 >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> header=accept-encoding=gzip, deflate, sdch >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> header=accept-language=es-ES,es;q=0.8 >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> locale=es_ES >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- 
[io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> method=GET >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> pathInfo=null >>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> protocol=HTTP/1.1 >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> queryString=null >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> remoteAddr=192.168.56.1 >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> remoteHost=192.168.56.1 >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> remoteUser=null >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> scheme=http >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> serverName=mies-057 >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> serverPort=8083 >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> servletPath=/sso/login >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> isSecure=false >>>>> 2016-05-30 13:01:18.904 INFO 18096 --- 
[io-8083-exec-10] >>>>> o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 >>>>> ------------------=-------------------------------------------- >>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] >>>>> o.k.adapters.PreAuthActionsHandler : >>>>> adminRequesthttp://mies-057:8083/sso/login >>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] >>>>> f.KeycloakAuthenticationProcessingFilter : Request is to >>>>> process authentication >>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] >>>>> f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak >>>>> authentication >>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] >>>>> o.k.adapters.RequestAuthenticator : --> authenticate() >>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] >>>>> o.k.adapters.RequestAuthenticator : try bearer >>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] >>>>> o.k.adapters.RequestAuthenticator : try oauth >>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>> o.k.a.s.token.SpringSecurityTokenStore : Checking if >>>>> org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator at d328c2d >>>>> is cached >>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>> o.k.adapters.OAuthRequestAuthenticator : there was no code >>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>> o.k.adapters.OAuthRequestAuthenticator : redirecting to auth >>>>> server >>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>> o.k.adapters.OAuthRequestAuthenticator : callback >>>>> uri:http://mies-057:8083/sso/login >>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>> f.KeycloakAuthenticationProcessingFilter : Auth outcome: >>>>> NOT_ATTEMPTED >>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>> o.k.adapters.OAuthRequestAuthenticator : Sending redirect to >>>>> login >>>>> 
page:http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true
>>>>>
>>>>> As it's shown in the logs, the X-forwarded logs are not kept by the keycloak adapter (look at the lines below k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI /sso/login). So could it be the proxy server itself being properly configured but the keycloak adapter losing the original headers while performing the redirection?
>>>>>
>>>>> I've also set up the request dumper in the undertow server as Niels suggested, but obviously, X-forwarded headers are not reaching the keycloak server..
>>>>>
>>>>> Thanks for your time, again ;-)
>>>>>
>>>>> On 25/05/2016 7:22, Stian Thorgersen wrote:
>>>>>> You need the Host and X-Forwarded-For headers to be included and there's also some config to be done on the Keycloak server (see http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding)
>>>>>>
>>>>>> On 24 May 2016 at 08:46, Aritz Maeztu wrote:
>>>>>>
>>>>>> Hi Niels and Scott. First of all, thank you very much for your help. I'm currently using Zuul (Spring Cloud) as the reverse proxy. All the services are registered in a discovery service called Eureka and then Zuul looks for the service id there and performs the redirection. I read about X-Forwarded headers, but I thought it might result in a security issue if not included, not that it could affect the redirection process.
>>>>>>
>>>>>> As Scott says, I suppose the Host and the X-Real-Ip headers are the relevant ones here, so I guess I should instruct Zuul to send them when the service is addressed (however I wonder why they are not already being sent, as Zuul is a proxy service, all in all).
>>>>>>
>>>>>> Here I include a preview of the first redirection made to the keycloak login page, which shows the request headers sent to the service /login endpoint (at port 8081 in localhost):
>>>>>>
>>>>>> https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0
>>>>>>
>>>>>> On 24/05/2016 2:08, Niels Bertram wrote:
>>>>>>> Hi Aritz,
>>>>>>>
>>>>>>> a great way to figure out what is sent from the reverse proxy to your keycloak server is to use the undertow request dumper.
>>>>>>>
>>>>>>> From the jboss-cli just add the request dumper filter to your undertow configuration like this:
>>>>>>>
>>>>>>> $KC_HOME/bin/jboss-cli.sh -c
>>>>>>>
>>>>>>> /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, module=io.undertow.core)
>>>>>>>
>>>>>>> /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
>>>>>>>
>>>>>>> /:reload
>>>>>>>
>>>>>>> given your apache config looks something like this:
>>>>>>>
>>>>>>> ProxyRequests Off
>>>>>>> ProxyPreserveHost On
>>>>>>> ProxyVia On
>>>>>>>
>>>>>>> ProxyPass /auth ajp://127.0.0.1:8009/auth
>>>>>>> ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
>>>>>>>
>>>>>>> you should see something like that (forwarded info is somewhat rubbish in this example as I am running the hosts on Virtualbox - but you can see this request was put through 2 proxies from local pc 192.168.33.1 to haproxy on 192.168.33.80 and then apache reverse proxy on 192.168.33.81):
>>>>>>>
============================================================== >>>>>>> 23:47:20,563 INFO [io.undertow.request.dump] (default >>>>>>> task-14) >>>>>>> ----------------------------REQUEST--------------------------- >>>>>>> URI=/auth/welcome-content/favicon.ico >>>>>>> characterEncoding=null >>>>>>> contentLength=-1 >>>>>>> contentType=null >>>>>>> header=Accept=*/* >>>>>>> header=Accept-Language=en-US,en;q=0.8,de;q=0.6 >>>>>>> header=Cache-Control=no-cache >>>>>>> header=Accept-Encoding=gzip, deflate, sdch >>>>>>> header=DNT=1 >>>>>>> header=Pragma=no-cache >>>>>>> header=X-Original-To=192.168.33.80 >>>>>>> header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) >>>>>>> AppleWebKit/537.36 (KHTML, like Gecko) >>>>>>> Chrome/50.0.2661.102 Safari/537.36 >>>>>>> header=Authorization=Basic >>>>>>> bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo= >>>>>>> header=X-Forwarded-Proto=https >>>>>>> header=X-Forwarded-Port=443 >>>>>>> header=X-Forwarded-For=192.168.33.1 >>>>>>> header=Referer=https://login.vagrant.dev/auth/ >>>>>>> header=Host=login.vagrant.dev >>>>>>> locale=[en_US, en, de] >>>>>>> method=GET >>>>>>> protocol=HTTP/1.1 >>>>>>> queryString= >>>>>>> remoteAddr=192.168.33.1:0 >>>>>>> remoteHost=192.168.33.1 >>>>>>> scheme=https >>>>>>> host=login.vagrant.dev >>>>>>> serverPort=443 >>>>>>> --------------------------RESPONSE-------------------------- >>>>>>> contentLength=627 >>>>>>> contentType=application/octet-stream >>>>>>> header=Cache-Control=max-age=2592000 >>>>>>> header=X-Powered-By=Undertow/1 >>>>>>> header=Server=WildFly/10 >>>>>>> >>>>>>> >>>>>>> Hope this helps diagnosing your issue. Niels >>>>>>> >>>>>>> On Tue, May 24, 2016 at 1:20 AM, Aritz >>>>>>> Maeztuwrote: >>>>>>> >>>>>>> I'm using keycloak to securize some Spring based >>>>>>> services (with the keycloak spring security >>>>>>> adapter). 
The adapter creates a `/login` endpoint in >>>>>>> each of the services which redirects to the keycloak >>>>>>> login page and then redirects back to the service >>>>>>> when authentication is done. I also have a proxy >>>>>>> service which I want to publish in the 80 port and >>>>>>> will take care of routing all the requests to each >>>>>>> service. The proxy performs a plain FORWARD to the >>>>>>> service, but the problem comes when I securize the >>>>>>> service with the keycloak adapter. >>>>>>> >>>>>>> When I make a request, the adapter redirects to its >>>>>>> login endpoint and then to the keycloak auth url. >>>>>>> When keycloak sends the redirection, the url shown >>>>>>> in the browser is the one from the service and not >>>>>>> the one from the proxy. Do I have some choice to >>>>>>> tell the adapter I want to redirect back to the >>>>>>> first requested url? >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Aritz Maeztu Ota?o >>>>>>> Departamento Desarrollo de Software >>>>>> Attachment.gif> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Pol. Ind. Mocholi.C/Rio Elorz, Nave 13E31110 Noain >>>>>>> (Navarra) >>>>>>> Telf.: 948 21 40 40 >>>>>>> Fax.: 948 21 40 41 >>>>>>> >>>>>>> Antes de imprimir este e-mail piense bien si es >>>>>>> necesario hacerlo: El medioambiente es cosa de todos. >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> Aritz Maeztu Ota?o >>>>>> Departamento Desarrollo de Software >>>>> Attachment.gif> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Pol. Ind. Mocholi.C/Rio Elorz, Nave 13E31110 Noain (Navarra) >>>>>> Telf.: 948 21 40 40 >>>>>> Fax.: 948 21 40 41 >>>>>> >>>>>> Antes de imprimir este e-mail piense bien si es necesario >>>>>> hacerlo: El medioambiente es cosa de todos. 
>>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>>> >>>>> >>>>> -- >>>>> Aritz Maeztu Ota?o >>>>> Departamento Desarrollo de Software >>>>> >>>>> >>>>> >>>>> Pol. Ind. Mocholi.C/Rio Elorz, Nave 13E31110 Noain (Navarra) >>>>> Telf.: 948 21 40 40 >>>>> Fax.: 948 21 40 41 >>>>> >>>>> Antes de imprimir este e-mail piense bien si es necesario >>>>> hacerlo: El medioambiente es cosa de todos. >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>> >>>> -- >>>> Aritz Maeztu Ota?o >>>> Departamento Desarrollo de Software >>>> >>>> >>>> >>>> Pol. Ind. Mocholi.C/Rio Elorz, Nave 13E31110 Noain (Navarra) >>>> Telf.: 948 21 40 40 >>>> Fax.: 948 21 40 41 >>>> >>>> Antes de imprimir este e-mail piense bien si es necesario hacerlo: >>>> El medioambiente es cosa de todos. >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> ------------------------------------------------------------------------ >> Avast logo >> >> >> >> El software de antivirus Avast ha analizado este correo electr?nico >> en busca de virus. >> www.avast.com >> >> >> >> > --- El software de antivirus Avast ha analizado este correo electr?nico en busca de virus. https://www.avast.com/antivirus -------------- next part -------------- An HTML attachment was scrubbed... 
From thomas.darimont at googlemail.com Thu Jun 2 17:30:51 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 2 Jun 2016 23:30:51 +0200
Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc

Hello group,

Just wanted to let you know that I built a small example [0] that demonstrates the usage of Keycloak with mod_auth_oidc [1] with Docker + Apache + PHP.

Works like a charm :)

Cheers,
Thomas

[0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example
[1] https://github.com/pingidentity/mod_auth_openidc

From anthony.fryer at gmail.com Thu Jun 2 19:20:15 2016
From: anthony.fryer at gmail.com (Anthony Fryer)
Date: Fri, 3 Jun 2016 09:20:15 +1000
Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc

Just need to keep in mind if you want to use mod_auth_oidc to secure urls using keycloak roles, there can be issues. Is it possible to somehow map keycloak roles to a top level attribute in the access token as a workaround?

>>>> No, it is not possible to use json path syntax, patches would be welcome... Expression can be of limited complexity today: 1-level deep arrays are supported as are regular expressions. So if you would be able to instruct your OP to send the roles in a top-level attribute called "realm_access.roles", then what you currently have configured would work.

Hans.

On Tue, May 24, 2016 at 3:50 PM, wrote:
> I am using keycloak and have assigned some global roles (TOUPPER and REVERSE) to a user. The decoded access token looks like this...
>
> {
>   "jti" : "0a0541f2-9b74-4a41-b862-a20a3cbc2bcb",
>   "exp" : 1464097823,
>   "nbf" : 0,
>   "iat" : 1464097523,
>   "iss" : "https://my.keycloak.com/auth/realms/TenantA",
>   "aud" : "test-client",
>   "sub" : "20974f13-8272-4cd5-a172-5c8de4cdc782",
>   "typ" : "Bearer",
>   "azp" : "test-client",
>   "nonce" : "C_D0xDSCytoFaopJoYZu36BJcb6eMR2Xeg8VGP2nxeQ",
>   "session_state" : "b625d171-e01d-462c-9d01-d159b9b75635",
>   "name" : "",
>   "preferred_username" : "anthony",
>   "client_session" : "80b0ac34-5ee8-41f2-97da-649cf1abbd81",
>   "allowed-origins" : [ ],
>   "realm_access" : {
>     "roles" : [ "TOUPPER", "REVERSE" ]
>   },
>   "resource_access" : { },
>   "groups" : [ "tenantA/brandA", "tenantA" ]
> }
>
> I'm now trying to configure mod_auth_openidc authorization on some url paths based on the roles in the "realm_access"."roles" path of the token. I've tried this configuration...
>
> AuthType openid-connect
> #Require valid-user
> Require claim realm_access.roles:TOUPPER
>
> This doesn't seem to work though. Is it possible to use json path syntax for claim authorization?

On Fri, Jun 3, 2016 at 7:30 AM, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
> Hello group,
>
> Just wanted to let you know that I built a small example [0] that demonstrates the usage of Keycloak with mod_auth_oidc [1] with Docker + Apache + PHP.
>
> Works like a charm :)
>
> Cheers,
> Thomas
>
> [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example
> [1] https://github.com/pingidentity/mod_auth_openidc
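A small Python model, added here and not mod_auth_openidc's own code, of the flat `Require claim` lookup Hans describes: the claim name is a literal top-level key (no JSON path is walked), the value may be a string or a one-level array of strings, so `realm_access.roles:TOUPPER` can never match the token above, while a top-level copy of the roles does. The token is the decoded one quoted above with unrelated claims trimmed; the `~` regex form, its full-string anchoring and the `flatten_roles` stand-in for a Keycloak protocol mapper are this example's assumptions.

```python
import re
from typing import Any, Dict

# Decoded access token as quoted in the thread (claims not needed here trimmed).
TOKEN: Dict[str, Any] = {
    "iss": "https://my.keycloak.com/auth/realms/TenantA",
    "aud": "test-client",
    "typ": "Bearer",
    "preferred_username": "anthony",
    "realm_access": {"roles": ["TOUPPER", "REVERSE"]},
    "resource_access": {},
    "groups": ["tenantA/brandA", "tenantA"],
}

# `name:value` (exact) or `name~regex`; the name is everything before the operator.
EXPR_RE = re.compile(r"([^:~]+)([:~])(.*)", re.DOTALL)


def claim_matches(claims: Dict[str, Any], expression: str) -> bool:
    """Evaluate one flat `Require claim` rule against decoded claims.

    `name` is looked up only at the top level of the token: no JSON path is
    walked, so "realm_access.roles" is just a key that does not exist.  The
    value may be a string or a one-level array of strings; nested objects are
    never compared.  The `~` regex form with full-string anchoring is an
    assumption of this model, not a statement about the module's matcher.
    """
    m = EXPR_RE.fullmatch(expression)
    if not m:
        raise ValueError(f"malformed claim expression: {expression!r}")
    name, op, expected = m.groups()
    value = claims.get(name)
    if value is None:
        return False
    candidates = value if isinstance(value, list) else [value]
    for cand in candidates:
        if not isinstance(cand, str):
            continue  # nested dict/array: not a comparable claim value
        if op == ":" and cand == expected:
            return True
        if op == "~" and re.fullmatch(expected, cand):
            return True
    return False


def flatten_roles(claims: Dict[str, Any], target: str = "roles") -> Dict[str, Any]:
    """Stand-in for the workaround asked about: copy realm_access.roles into a
    top-level claim, as a Keycloak protocol mapper would (the mapper itself is
    assumed; this just produces the token shape it would emit)."""
    out = dict(claims)
    out[target] = list(claims.get("realm_access", {}).get("roles", []))
    return out


if __name__ == "__main__":
    for expr in ("realm_access.roles:TOUPPER", "groups:tenantA", "groups~tenantA/.*"):
        print(f"{expr:30} -> {claim_matches(TOKEN, expr)}")
    flat = flatten_roles(TOKEN)
    print("roles:TOUPPER after flattening ->", claim_matches(flat, "roles:TOUPPER"))
```

Note that an unanchored pattern such as `roles~UPPER` fails under this model's full-string match, so a rule meant to accept a family of roles must spell out the whole pattern.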
From srossillo at smartling.com Fri Jun 3 00:05:21 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Fri, 3 Jun 2016 00:05:21 -0400
Subject: [keycloak-user] Fwd: Re: Redirection issue with proxy behind keycloak
References: <03225e22-5a31-d3c5-4285-69e355e1950e@tesicnor.com> <5e1b50b9-b7d0-5b2e-b16c-4df98da6f485@tesicnor.com> <7a45ae5d-cf0f-a5d5-0ab5-1df8ee8aa9da@tesicnor.com> <895342cc-a03d-caff-ffa3-281cf9a25499@tesicnor.com> <11921D36-82CD-4B90-8E65-4C3209D5DE52@smartling.com>

Hi Aritz,

Your sample project was very helpful to understand the problems you're facing with Zuul as a proxy server. I spent some time investigating and I've sent you a pull request[0] that will get your sample working.

That being said, please do read the "Cookies and Sensitive Headers" documentation from Spring Cloud Netflix[1]. This applies to anyone thinking of using Zuul as a stateful proxy server. Zuul was designed by Netflix to proxy stateless services. In the Keycloak world, these would be clients with an access type of bearer-only. I'd strongly recommend against this setup in production. You could continue to use Zuul for stateless services but anything requiring an interactive login should really be behind a more traditional HTTP proxy (e.g. Nginx, Apache, etc). If you disagree, can you tell us the reason you'd want to proxy a stateful service with Zuul?

Hope this helps clear things up a bit.

Best,
Scott

[0]: https://github.com/xtremebiker/zuul-keycloak-test/pull/1
[1]: http://cloud.spring.io/spring-cloud-netflix/spring-cloud-netflix.html

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Jun 2, 2016, at 4:08 PM, Aritz Maeztu wrote:
>
> Hi Scott and all,
>
> Tried removing the tomcat adapter from my project, it was my mistake putting it with the Spring Security one, all together.
> Thanks for the link to the question, it was a question I made in SO some time ago and your answer worked that time. However, even if I leave /sso/login unprotected by Spring Security, the same behaviour happens. So I tried creating a sample scenario from scratch and I can reproduce the issue. Here it is, three maven projects, the service discovery (Eureka), the proxy service (Zuul) and the sample secured service:
>
> https://github.com/xtremebiker/zuul-keycloak-test
>
> The keycloak.json file in the secured service should be replaced by the one for your client, of course. And here there is a filter declaration that can be made in Spring Boot to show the request dumper for Tomcat:
>
> http://stackoverflow.com/questions/23325389/spring-boot-enable-http-requests-logging/37523922#37523922
>
> The steps to reproduce it are:
>
> 1- Boot the three projects
> 2- Wait till the two services are registered in Eureka and navigate to localhost:8765/secured-service/path
> 3- After logging in to Keycloak, the port changes to 8083
>
> I'll continue struggling and see if I can figure it out myself.
>
> Regards
>
> On 31/05/2016 22:56, Scott Rossillo wrote:
>> Hi Aritz,
>>
>> If you're using the Tomcat adapter and Spring Security adapter together, they may be interfering with each other. I'm not saying this is the problem you're having but I'd avoid using both adapters together.
>>
>> Please also take a look at this Stack Overflow answer[0] related to redirect issues. If none of this helps I'll try to debug with Eureka and Zuul.
>>
>> [0]: http://stackoverflow.com/questions/33543672/keycloak-redirects-me-to-my-index-url-instead-of-to-the-requested-one?answertab=votes#tab-top
>>
>>> On May 31, 2016, at 4:00 PM, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>>>
>>> Hello Scott,
>>>
>>> I've got the spring security and tomcat keycloak adapters both as a project dependency for each service (as I'm running the services in Tomcat 8 embedded servers). Basically I want to base my security in Spring Security, that's why I chose this adapter over the Spring Boot adapter.
>>>
>>> As the behaviour states, a redirection is made first to the /sso/login endpoint, then another one to the keycloak authorization server. The question is, as a redirection is a mere instruction stated from the server to the browser, which chances do I have to send the original x-forwarded headers to the keycloak authorization server, so that it can make the redirection to the url requested at the very beginning (to the reverse proxy)?
>>>
>>> I could implement a playground scenario for you if you happen to require it.
>>>
>>> Many thanks
>>>
>>> On 31/05/2016 20:14, Scott Rossillo wrote:
>>>> Hi Aritz,
>>>>
>>>> So just to be clear, which Keycloak adapter are you using? The Spring Boot Adapter or the Spring Security Adapter?
>>>>
>>>>> On May 31, 2016, at 3:13 AM, Aritz Maeztu wrote:
>>>>>
>>>>> I've got some Spring Boot application instances with embedded Tomcat servlet containers. Tomcat has a similar system to Wildfly for request dumping, that's what I have enabled for getting the trace below. In short, that's the behaviour I'm able to see:
>>>>>
>>>>> 1. Zuul Proxy (Spring Boot in Tomcat) -> Organization Service (8083 port): A forward request where X-forwarded headers are included
>>>>>
>>>>> 2. Organization Service (localhost:8083): Looks for a token and if it's not available, the keycloak adapter redirects to the /sso/login of the same service (Here the traceability from the proxy gets lost)
>>>>>
>>>>> 3. localhost:8083/sso/login: Redirects to the keycloak wildfly server, saving the requested url
>>>>>
>>>>> 4. Keycloak login: The user performs the authentication and the redirectUri is localhost:8083/sso/login. Later on, the login endpoint redirects the user to the url requested in point 2, not the first one from the proxy.
>>>>>
>>>>> I only have this problem when my organization service needs to verify the token (or a token doesn't exist) using the keycloak adapter. When the /sso/login endpoint is not requested, everything is working properly. Hope I've explained it well!
>>>>>
>>>>> On 31/05/2016 7:15, Stian Thorgersen wrote:
>>>>>> Where is your app deployed? If it's on WildFly you can follow the same steps used to configure reverse proxy for Keycloak Server to configure WildFly. Check if getRequestURL returns the correct URL in your app.
>>>>>>
>>>>>> On 30 May 2016 at 15:08, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>>>>>>
>>>>>> -------- Forwarded message --------
>>>>>> Subject: Re: [keycloak-user] Redirection issue with proxy behind keycloak
>>>>>> Date: Mon, 30 May 2016 13:28:21 +0200
>>>>>> From: Aritz Maeztu
>>>>>> To: stian at redhat.com
>>>>>> CC: Niels Bertram, keycloak-user, Scott Rossillo
>>>>>>
>>>>>> I've done all the traceability from the proxy server till the login page is displayed:
>>>>>>
>>>>>> First step, /organization/organizations is requested, so the proxy server knows it has to be forwarded to the 8083 port (the one for the organization service).
>>>>>> That's the first request received by my application's Tomcat:
>>>>>>
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 START TIME =30-may-2016 13:01:18
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 requestURI=/organizations
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 authType=null
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 characterEncoding=UTF-8
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contentLength=-1
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contentType=null
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contextPath=
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=accept-language=es-ES,es;q=0.8
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=x-forwarded-host=mies-057:8765
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=x-forwarded-prefix=/organization
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=upgrade-insecure-requests=1
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=accept-encoding=gzip
>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=netflix.nfhttpclient.version=1.0
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=x-netflix-httpclientname=organization
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=host=mies-057:8083
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=connection=Keep-Alive
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 locale=es_ES
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 method=GET
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 pathInfo=null
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 protocol=HTTP/1.1
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 queryString=null
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteAddr=192.168.56.1
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteHost=192.168.56.1
>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteUser=null
>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 requestedSessionId=null
>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 scheme=http
>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 serverName=mies-057
>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 serverPort=8083
>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 servletPath=/organizations
>>>>>> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 isSecure=false
>>>>>> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 ------------------=--------------------------------------------
>>>>>>
>>>>>> Here x-forwarded-host is mies-057:8765 (the proxy server) and x-forwarded-prefix is /organization. So the original request is kept in the headers.
>>>>>> Well, now my service (8083) tries to check for authorization via the /sso/login endpoint from the keycloak spring security adapter:
>>>>>>
>>>>>> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9] o.k.a.s.management.HttpSessionManager : Session created: CDCA7AD4439DE94BD0B3B5803DAA0752
>>>>>> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9] k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI /sso/login
>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 ------------------=--------------------------------------------
>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 authType=null
>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 contentType=null
>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=X-Content-Type-Options=nosniff
>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=X-XSS-Protection=1; mode=block
>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate
>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Pragma=no-cache
>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Expires=0
>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=X-Frame-Options=DENY
>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752; Path=/; HttpOnly
>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 header=Location= http://mies-057:8083/sso/login
>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 remoteUser=null
>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 status=302
>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 END TIME =30-may-2016 13:01:18
>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-9 ===============================================================
>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 START TIME =30-may-2016 13:01:18
>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 requestURI=/sso/login
>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 authType=null
>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 characterEncoding=UTF-8
>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 contentLength=-1
>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 contentType=null
>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 contextPath=
>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=host=mies-057:8083
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=connection=keep-alive
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=upgrade-insecure-requests=1
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=accept-encoding=gzip, deflate, sdch
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=accept-language=es-ES,es;q=0.8
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 locale=es_ES
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 method=GET
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 pathInfo=null
>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 protocol=HTTP/1.1
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 queryString=null
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 remoteAddr=192.168.56.1
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 remoteHost=192.168.56.1
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 remoteUser=null
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 scheme=http
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 serverName=mies-057
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 serverPort=8083
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 servletPath=/sso/login
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 isSecure=false
>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] o.a.c.filters.RequestDumperFilter : http-nio-8083-exec-10 ------------------=--------------------------------------------
>>>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.PreAuthActionsHandler : adminRequest http://mies-057:8083/sso/login
>>>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
>>>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
>>>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] o.k.adapters.RequestAuthenticator : --> authenticate()
>>>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] o.k.adapters.RequestAuthenticator : try bearer
>>>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] o.k.adapters.RequestAuthenticator : try oauth
>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.a.s.token.SpringSecurityTokenStore : Checking if org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator at d328c2d is cached
>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.OAuthRequestAuthenticator : there was no code
>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.OAuthRequestAuthenticator : redirecting to auth server
>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.OAuthRequestAuthenticator : callback uri: http://mies-057:8083/sso/login
>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] f.KeycloakAuthenticationProcessingFilter : Auth outcome: NOT_ATTEMPTED
>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] o.k.adapters.OAuthRequestAuthenticator : Sending redirect to login page: http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true
>>>>>>
>>>>>> As it's shown in the logs, the X-forwarded logs are not kept by the keycloak adapter (look at the lines below k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to login URI /sso/login). So could it be the proxy server itself being properly configured but the keycloak adapter losing the original headers while performing the redirection?
>>>>>>
>>>>>> I've also set up the request dumper in the undertow server as Niels suggested, but obviously, X-forwarded headers are not reaching the keycloak server..
>>>>>>
>>>>>> Thanks for your time, again ;-)
>>>>>>
>>>>>> On 25/05/2016 7:22, Stian Thorgersen wrote:
>>>>>>> You need the Host and X-Forwarded-For headers to be included and there's also some config to be done on the Keycloak server (see http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding)
>>>>>>>
>>>>>>> On 24 May 2016 at 08:46, Aritz Maeztu <amaeztu at tesicnor.com> wrote:
>>>>>>> Hi Niels and Scott. First of all, thank you very much for your help. I'm currently using Zuul (Spring Cloud) as the reverse proxy. All the services are registered in a discovery service called Eureka and then Zuul looks for the service id there and performs the redirection. I read about X-Forwarded headers, but I thought it might result in a security issue if not included, not that it could affect the redirection process.
>>>>>>>
>>>>>>> As Scott says, I suppose the Host and the X-Real-Ip headers are the relevant ones here, so I guess I should instruct Zuul to send them when the service is addressed (however I wonder why they are not already being sent, as Zuul is a proxy service, all in all).
>>>>>>>
>>>>>>> Here I include a preview of the first redirection made to the keycloak login page, which shows the request headers sent to the service /login endpoint (at port 8081 in localhost):
>>>>>>>
>>>>>>> https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0
>>>>>>>
>>>>>>> On 24/05/2016 2:08, Niels Bertram wrote:
>>>>>>>> Hi Aritz,
>>>>>>>>
>>>>>>>> a great way to figure out what is sent from the reverse proxy to your keycloak server is to use the undertow request dumper.
>>>>>>>> >>>>>>>> From the jboss-cli just add the request dumper filter to your undertow configuration like this: >>>>>>>> >>>>>>>> $KC_HOME/bin/jboss-cli.sh -c >>>>>>>> >>>>>>>> /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, module=io.undertow.core) >>>>>>>> >>>>>>>> /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add >>>>>>>> >>>>>>>> /:reload >>>>>>>> >>>>>>>> given your apache config looks something like this: >>>>>>>> >>>>>>>> ProxyRequests Off >>>>>>>> ProxyPreserveHost On >>>>>>>> ProxyVia On >>>>>>>> >>>>>>>> ProxyPass /auth ajp://127.0.0.1:8009/auth >>>>>>>> ProxyPassReverse /auth ajp://127.0.0.1:8009/auth >>>>>>>> >>>>>>>> >>>>>>>> you should see something like that (forwarded info is somewhat rubbish in this example as I am running the hosts on Virtualbox - but you can see this request was put through 2 proxies from local pc 192.168.33.1 to haproxy on 192.168.33.80 and then apache reverse proxy on 192.168.33.81 ): >>>>>>>> >>>>>>>> ============================================================== >>>>>>>> 23:47:20,563 INFO [io.undertow.request.dump] (default task-14) >>>>>>>> ----------------------------REQUEST--------------------------- >>>>>>>> URI=/auth/welcome-content/favicon.ico >>>>>>>> characterEncoding=null >>>>>>>> contentLength=-1 >>>>>>>> contentType=null >>>>>>>> header=Accept=*/* >>>>>>>> header=Accept-Language=en-US,en;q=0.8,de;q=0.6 >>>>>>>> header=Cache-Control=no-cache >>>>>>>> header=Accept-Encoding=gzip, deflate, sdch >>>>>>>> header=DNT=1 >>>>>>>> header=Pragma=no-cache >>>>>>>> header=X-Original-To=192.168.33.80 >>>>>>>> header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 >>>>>>>> header=Authorization=Basic bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo= >>>>>>>> header=X-Forwarded-Proto=https >>>>>>>> header=X-Forwarded-Port=443
>>>>>>>> header=X-Forwarded-For=192.168.33.1 >>>>>>>> header=Referer= https://login.vagrant.dev/auth/ >>>>>>>> header=Host=login.vagrant.dev >>>>>>>> locale=[en_US, en, de] >>>>>>>> method=GET >>>>>>>> protocol=HTTP/1.1 >>>>>>>> queryString= >>>>>>>> remoteAddr=192.168.33.1:0 >>>>>>>> remoteHost=192.168.33.1 >>>>>>>> scheme=https >>>>>>>> host=login.vagrant.dev >>>>>>>> serverPort=443 >>>>>>>> --------------------------RESPONSE-------------------------- >>>>>>>> contentLength=627 >>>>>>>> contentType=application/octet-stream >>>>>>>> header=Cache-Control=max-age=2592000 >>>>>>>> header=X-Powered-By=Undertow/1 >>>>>>>> header=Server=WildFly/10 >>>>>>>> >>>>>>>> >>>>>>>> Hope this helps diagnose your issue. Niels >>>>>>>> >>>>>>>> On Tue, May 24, 2016 at 1:20 AM, Aritz Maeztu < amaeztu at tesicnor.com > wrote: >>>>>>>> I'm using keycloak to secure some Spring based services (with the keycloak spring security adapter). The adapter creates a `/login` endpoint in each of the services which redirects to the keycloak login page and then redirects back to the service when authentication is done. I also have a proxy service which I want to publish on port 80 and will take care of routing all the requests to each service. The proxy performs a plain FORWARD to the service, but the problem comes when I secure the service with the keycloak adapter. >>>>>>>> When I make a request, the adapter redirects to its login endpoint and then to the keycloak auth url. When keycloak sends the redirection, the url shown in the browser is the one from the service and not the one from the proxy. Do I have some choice to tell the adapter I want to redirect back to the first requested url? >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Aritz Maeztu Otaño >>>>>>>> Software Development Department >>>>>>>> >>>>>>>> Pol. Ind. Mocholi.
C/Rio Elorz, Nave 13E 31110 Noain (Navarra) >>>>>>>> Tel.: 948 21 40 40 >>>>>>>> Fax: 948 21 40 41 >>>>>>>> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility. >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>>>> >>>>> >>>>> -- >>>>> Aritz Maeztu Otaño >>>>> Software Development Department >>>>> >>>>> Pol. Ind. Mocholi.
C/Rio Elorz, Nave 13E 31110 Noain (Navarra) >>>>> Tel.: 948 21 40 40 >>>>> Fax: 948 21 40 41 >>>>> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility. _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> >>> Avast antivirus software has scanned this e-mail for viruses. >>> www.avast.com >> > > > > >

From a.beljaev at ftc.ru Fri Jun 3 00:12:50 2016 From: a.beljaev at ftc.ru (Beljaev Aleksandr) Date: Fri, 3 Jun 2016 04:12:50 +0000 Subject: [keycloak-user] Email Html template does not work... I guess Message-ID:
Hello everyone. I'm trying to send html-emails from keycloak administration console to some user, but this user gets only plain text messages. As I see in sources, keycloak can work with html, but I don't know how to switch on this option. Even if I'm trying to write html in text template, messages are still only text, but with html-tags. Example for executeActions: Template html: ${msg("executeActionsBodyHtml",link,linkExpiration,realmName)} Template text:

${msg("executeActionsBody",link,linkExpiration,realmName)}

Template message: executeActionsBody=PlainTextMessage executeActionsBodyHtml=

HtmlTextMessage

Received email:

PlainTextMessage

What am I doing wrong? How could I configure KeyCloak to send html messages with template from themes/{theme name}/email/html? Aleksandr Belyaev, QA engineer, Center of Financial Technologies, e-mail: A.Beljaev at ftc.ru http://www.cft.ru

From sthorger at redhat.com Fri Jun 3 01:48:05 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 3 Jun 2016 07:48:05 +0200 Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc In-Reply-To: References: Message-ID:
Don't think there's a built-in option to add roles as a top-level attribute. You can create a JIRA for it. In the meantime you can also create your own custom mapper. On 3 June 2016 at 01:20, Anthony Fryer wrote: > Just need to keep in mind if you want to use mod_auth_oidc to secure urls > using keycloak roles, there can be issues. Is it possible to somehow map > keycloak roles to a top level attribute in the access token as a work > around? > > >>>> > > No, it is not possible to use json path syntax, patches would be > welcome... > > Expression can be of limited complexity today: 1-level deep arrays are > supported as are regular expressions. So if you would be able to instruct > your OP to send the roles in a top-level attribute called > "realm_access.roles", then what you currently have configured would work. > > Hans. > > On Tue, May 24, 2016 at 3:50 PM, wrote: > >> I am using keycloak and have assigned some global roles (TOUPPER and >> REVERSE) to a user. The decoded access token looks like this...
>> >> { >> "jti" : "0a0541f2-9b74-4a41-b862-a20a3cbc2bcb", >> "exp" : 1464097823, >> "nbf" : 0, >> "iat" : 1464097523, >> "iss" : "https://my.keycloak.com/auth/realms/TenantA", >> "aud" : "test-client", >> "sub" : "20974f13-8272-4cd5-a172-5c8de4cdc782", >> "typ" : "Bearer", >> "azp" : "test-client", >> "nonce" : "C_D0xDSCytoFaopJoYZu36BJcb6eMR2Xeg8VGP2nxeQ", >> "session_state" : "b625d171-e01d-462c-9d01-d159b9b75635", >> "name" : "", >> "preferred_username" : "anthony", >> "client_session" : "80b0ac34-5ee8-41f2-97da-649cf1abbd81", >> "allowed-origins" : [ ], >> "realm_access" : { >> "roles" : [ "TOUPPER", "REVERSE" ] >> }, >> "resource_access" : { }, >> "groups" : [ "tenantA/brandA", "tenantA" ] >> } >> >> >> I'm now trying to configure mod_auth_openidc authorization on some url >> paths based on the roles in the "realm_access"."roles" path of the token. >> I've tried this configuration... >> >> >> AuthType openid-connect >> #Require valid-user >> Require claim realm_access.roles:TOUPPER >> >> >> This doesn't seem to work though. Is it possible to use json path syntax >> for claim authorization? > > > On Fri, Jun 3, 2016 at 7:30 AM, Thomas Darimont < > thomas.darimont at googlemail.com> wrote: > >> Hello group, >> >> Just wanted to let you know that I built a small example [0] that >> demonstrates the usage of Keycloak with mod_auth_oidc [1] >> with Docker + Apache + PHP.
>> >> Works like a charm :) >> >> Cheers, >> Thomas >> >> [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example >> [1] https://github.com/pingidentity/mod_auth_openidc >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From sthorger at redhat.com Fri Jun 3 01:49:30 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 3 Jun 2016 07:49:30 +0200 Subject: [keycloak-user] Email Html template does not work... I guess In-Reply-To: References: Message-ID:
Emails are sent as multi-part so both the HTML and text versions are included in the email. If the user only sees the text version it's quite likely the user has configured the mail client to always show the text version. On 3 June 2016 at 06:12, Beljaev Aleksandr wrote: > Hello everyone. > > I'm trying to send html-emails from keycloak administration console to > some user, but this user gets only plain text messages. > > As I see in sources, keycloak can work with html, but I don't know how to > switch on this option. > > Even if I'm trying to write html in text template, messages are still only > text, but with html-tags. > > > > Example for executeActions: > > > > *Template html:* > > > > > > ${msg("executeActionsBodyHtml",link,linkExpiration,realmName)} > > > > > > > > *Template text:* > > > > > >

${msg("executeActionsBody",link,linkExpiration,realmName)}

> > > > > > > > *Template message:* > > executeActionsBody=PlainTextMessage > > executeActionsBodyHtml=

HtmlTextMessage

> > > > *Received email:* > > > > > >

PlainTextMessage

> > > > > > > > > > What am I doing wrong? > > How could I configure KeyCloak to send html messages with template from > themes/{theme name}/email/html? > > > > > > > *Aleksandr Belyaev, QA engineer,* > > > > *Center of Financial Technologies, e-mail: A.Beljaev at ftc.ru > **http://www.cft.ru * > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From thomas.darimont at googlemail.com Fri Jun 3 02:57:13 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 3 Jun 2016 08:57:13 +0200 Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc In-Reply-To: References: Message-ID:
Hello, I just gave this a try but couldn't find a way to propagate the roles assigned to a user via a custom mapper. What I could do was to add a "fixed role" for the client as a custom client mapper as a "Hardcoded claim". Mapper Configuration: Name: custom_client_role Mapper Type: Hard coded claim Token Claim Name: client_role Claim value: user Claim JSON Type: String Add to ID token: ON (Note that this seems to be required for mod_auth_oidc to include the claim in the headers by default) Add to access token: ON Cheers, Thomas 2016-06-03 7:48 GMT+02:00 Stian Thorgersen : > Don't think there's a built-in option to add roles as a top-level > attribute. You can create a JIRA for it. In the meantime you can also > create your own custom mapper.
> > On 3 June 2016 at 01:20, Anthony Fryer wrote: > >> Just need to keep in mind if you want to use mod_auth_oidc to secure urls >> using keycloak roles, there can be issues. Is it possible to somehow map >> keycloak roles to a top level attribute in the access token as a work >> around? >> >> >>>> >> >> No, it is not possible to use json path syntax, patches would be >> welcome... >> >> Expression can be of limited complexity today: 1-level deep arrays are >> supported as are regular expressions. So if you would be able to instruct >> your OP to send the roles in a top-level attribute called >> "realm_access.roles", then what you currently have configured would work. >> >> Hans. >> >> On Tue, May 24, 2016 at 3:50 PM, wrote: >> >>> I am using keycloak and have assigned some global roles (TOUPPER and >>> REVERSE) to a user. The decoded access token looks like this... >>> >>> { >>> "jti" : "0a0541f2-9b74-4a41-b862-a20a3cbc2bcb", >>> "exp" : 1464097823, >>> "nbf" : 0, >>> "iat" : 1464097523, >>> "iss" : "https://my.keycloak.com/auth/realms/TenantA", >>> "aud" : "test-client", >>> "sub" : "20974f13-8272-4cd5-a172-5c8de4cdc782", >>> "typ" : "Bearer", >>> "azp" : "test-client", >>> "nonce" : "C_D0xDSCytoFaopJoYZu36BJcb6eMR2Xeg8VGP2nxeQ", >>> "session_state" : "b625d171-e01d-462c-9d01-d159b9b75635", >>> "name" : "", >>> "preferred_username" : "anthony", >>> "client_session" : "80b0ac34-5ee8-41f2-97da-649cf1abbd81", >>> "allowed-origins" : [ ], >>> "realm_access" : { >>> "roles" : [ "TOUPPER", "REVERSE" ] >>> }, >>> "resource_access" : { }, >>> "groups" : [ "tenantA/brandA", "tenantA" ] >>> } >>> >>> >>> I'm now trying to configure mod_auth_openidc authorization on some url >>> paths based on the roles in the "realm_access"."roles" path of the token. >>> I've tried this configuration... >>> >>> >>> AuthType openid-connect >>> #Require valid-user >>> Require claim realm_access.roles:TOUPPER >>> >>> >>> This doesn't seem to work though.
Is it possible to use json path >>> syntax for claim authorization? >> >> >> On Fri, Jun 3, 2016 at 7:30 AM, Thomas Darimont < >> thomas.darimont at googlemail.com> wrote: >> >>> Hello group, >>> >>> Just wanted to let you know that I built a small example [0] that >>> demonstrates the usage of Keycloak with mod_auth_oidc [1] >>> with Docker + Apache + PHP. >>> >>> Works like a charm :) >>> >>> Cheers, >>> Thomas >>> >>> [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example >>> [1] https://github.com/pingidentity/mod_auth_openidc >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >

From mposolda at redhat.com Fri Jun 3 03:03:22 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 3 Jun 2016 09:03:22 +0200 Subject: [keycloak-user] SAML Setup In-Reply-To: References: Message-ID: <57512BBA.6090607@redhat.com>
Do I understand correctly that your application wants to talk with Keycloak through SAML protocol? If yes, then SAML Identity provider is not something for your use case. SAML Identity provider is useful for the opposite case (for example: your application wants to talk OIDC with Keycloak, and Keycloak itself will then use SAML Identity provider to redirect to some other 3rd party SAML IDP. So de facto Keycloak acts as "bridge" between OIDC App and external SAML IDP in that case). For your case, you may need regular SAML adapters.
Take a look at keycloak-examples under directory "saml" and at the docs http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html If your "consumer" application wants to use SAML and you want Keycloak to use SAML and act as "bridge" then you may need both SAML adapter and SAML Identity provider. Marek On 01/06/16 17:08, Marque Davis wrote: > Hi, > > I'm working on moving SAML auth in one app into Keycloak. Since we > have many clients hitting our existing API, we don't want to change > the external API. Instead we need to proxy through to Keycloak. I have > a SAML test harness that generates the SAML doc and redirects to KC, > but I constantly get a staleCodeError in the logs and the following > error on the page it redirects to. > > WE'RE SORRY ... > This page is no longer valid, please go back to your application and > login again > > I've set up an Identity Provider named "saml" and pointed my test app > to the Redirect URI > (http://192.168.99.100:10080/auth/realms/demo/broker/saml/endpoint). > Config screenshot attached (if it isn't stripped from email) > > Am I doing something wrong, or is this just not a use case Keycloak is > designed for? > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: image/png Size: 108967 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160603/c7e70e42/attachment-0001.png

From mposolda at redhat.com Fri Jun 3 03:07:56 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 3 Jun 2016 09:07:56 +0200 Subject: [keycloak-user] SAML Setup In-Reply-To: <57512BBA.6090607@redhat.com> References: <57512BBA.6090607@redhat.com> Message-ID: <57512CCC.5070306@redhat.com>
Btw. I noticed that you have "First login flow" set to "registration" and post-login flow set to "direct grant" . I am quite sure that it is not correct to set it up like this. Value for "First login flow" is usually ok to keep at the default value "First broker login" and PostBrokerLogin is usually ok to be kept empty (unless you want some additional verifications triggered once user authenticates through your identityProvider, for example authenticate those users through OTP on keycloak side). See docs for more details: http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#d4e1672 http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#identity-broker-first-login Marek On 03/06/16 09:03, Marek Posolda wrote: > Do I understand correctly that your application wants to talk with > Keycloak through SAML protocol? If yes, then SAML Identity provider is > not something for your use case. SAML Identity provider is useful for > the opposite case (for example: your application wants to talk OIDC > with Keycloak, and Keycloak itself will then use SAML Identity > provider to redirect to some other 3rd party SAML IDP. So de facto > Keycloak acts as "bridge" between OIDC App and external SAML IDP in > that case). > > For your case, you may need regular SAML adapters.
Take a look at > keycloak-examples under directory "saml" and at the docs > http://keycloak.github.io/docs/userguide/saml-client-adapter/html/index.html > > If your "consumer" application wants to use SAML and you want Keycloak > to use SAML and act as "bridge" then you may need both SAML adapter > and SAML Identity provider. > > Marek > > On 01/06/16 17:08, Marque Davis wrote: >> Hi, >> >> I'm working on moving SAML auth in one app into Keycloak. Since we >> have many clients hitting our existing API, we don't want to change >> the external API. Instead we need to proxy through to Keycloak. I >> have a SAML test harness that generates the SAML doc and redirects to >> KC, but I constantly get a staleCodeError in the logs and the >> following error on the page it redirects to. >> >> WE'RE SORRY ... >> This page is no longer valid, please go back to your application and >> login again >> >> I've set up an Identity Provider named "saml" and pointed my test app >> to the Redirect URI >> (http://192.168.99.100:10080/auth/realms/demo/broker/saml/endpoint). >> Config screenshot attached (if it isn't stripped from email) >> >> Am I doing something wrong, or is this just not a use case Keycloak >> is designed for? >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: image/png Size: 108967 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160603/16f63be0/attachment-0001.png

From mposolda at redhat.com Fri Jun 3 03:21:05 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 3 Jun 2016 09:21:05 +0200 Subject: [keycloak-user] Is it possible to partial import an User Federation provider? In-Reply-To: References: Message-ID: <57512FE1.9070003@redhat.com>
It seems it's not possible at this moment. Feel free to create JIRA. Marek On 01/06/16 16:14, Vincent Sluijter wrote: > > Hello, > > I'm trying to "partial" import a json with an User Federation provider > containing ldap configuration to connect to Active Directory, but the > import keeps failing with the message "No resouces specified to > import". Is it even possible to import a single user federation > provider using the partial import function? > > This message is subject to the following E-mail Disclaimer. > (http://www.crv4all.com/disclaimer-email/) CRV Holding B.V. seats > according to the articles of association in Arnhem, Dutch trade number > 09125050. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From okie.othsam at gmail.com Fri Jun 3 04:13:01 2016 From: okie.othsam at gmail.com (Okie Oth) Date: Fri, 3 Jun 2016 10:13:01 +0200 Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc In-Reply-To: References: Message-ID: <57513C0D.30509@gmail.com>
Hello Thomas, that's what I'm looking for and it works great also in my test environment :) Thank you.
Cheers On 02.06.2016 at 23:30, Thomas Darimont wrote: > Hello group, > > Just wanted to let you know that I built a small example [0] that > demonstrates the usage of Keycloak with mod_auth_oidc [1] > with Docker + Apache + PHP. > > Works like a charm :) > > Cheers, > Thomas > > [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example > [1] https://github.com/pingidentity/mod_auth_openidc > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.darimont at googlemail.com Fri Jun 3 04:36:40 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 3 Jun 2016 10:36:40 +0200 Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc In-Reply-To: <57513C0D.30509@gmail.com> References: <57513C0D.30509@gmail.com> Message-ID:
Hello Okie, great to hear :) @Stian I already implemented mappers for propagating client and realm role mappings to JWT tokens. If you point me to the JIRA issue I can send a PR for it. Cheers, Thomas 2016-06-03 10:13 GMT+02:00 Okie Oth : > Hello Thomas, > that's what I'm looking for and it works great also in my test environment > :) > > Thank you. > > Cheers > > > On 02.06.2016 at 23:30, Thomas Darimont wrote: > > Hello group, > > Just wanted to let you know that I built a small example [0] that > demonstrates the usage of Keycloak with mod_auth_oidc [1] > with Docker + Apache + PHP.
> > Works like a charm :) > > Cheers, > Thomas > > [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example > [1] https://github.com/pingidentity/mod_auth_openidc > > > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user > > >

From okie.othsam at gmail.com Fri Jun 3 05:50:19 2016 From: okie.othsam at gmail.com (Okie Oth) Date: Fri, 3 Jun 2016 11:50:19 +0200 Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc In-Reply-To: References: <57513C0D.30509@gmail.com> Message-ID: <575152DB.3050602@gmail.com>
I use the setting in a Ubuntu 14.04 environment, where Apache 2.4 is currently the standard. For me the provided binaries on github don't work and some notes there mention that these releases only work with Apache 2.2. After a clone and compile it works also with Apache 2.4 ./autogen.sh ./configure make sudo make install sudo a2enmod auth_openidc Cheers, Eiko On 03.06.2016 at 10:36, Thomas Darimont wrote: > Hello Okie, > > great to hear :) > > @Stian I already implemented mappers for propagating client and realm > role mappings to JWT tokens. > If you point me to the JIRA issue I can send a PR for it. > > Cheers, > Thomas > > 2016-06-03 10:13 GMT+02:00 Okie Oth >: > > Hello Thomas, > that's what I'm looking for and it works great also in my test > environment :) > > Thank you. > > Cheers > > > On 02.06.2016 at 23:30, Thomas Darimont wrote: >> Hello group, >> >> Just wanted to let you know that I built a small example [0] that >> demonstrates the usage of Keycloak with mod_auth_oidc [1] >> with Docker + Apache + PHP.
>> >> Works like a charm :) >> >> Cheers, >> Thomas >> >> [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example >> [1] https://github.com/pingidentity/mod_auth_openidc >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >

From thomas.darimont at googlemail.com Fri Jun 3 07:15:05 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 3 Jun 2016 13:15:05 +0200 Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc In-Reply-To: <575152DB.3050602@gmail.com> References: <57513C0D.30509@gmail.com> <575152DB.3050602@gmail.com> Message-ID:
FYI I created https://issues.jboss.org/browse/KEYCLOAK-3081 for the "Custom User Role Attribute Protocol Mapper" feature request. PR incoming... Cheers, Thomas 2016-06-03 11:50 GMT+02:00 Okie Oth : > I use the setting in a Ubuntu 14.04 environment, where Apache 2.4 is > currently the standard. For me the provided binaries on github don't work > and some notes there mention that these releases only work with Apache 2.2. > > After a clone and compile it works also with Apache 2.4 > > ./autogen.sh > ./configure > make > sudo make install > sudo a2enmod auth_openidc > > Cheers, > Eiko > > > > On 03.06.2016 at 10:36, Thomas Darimont wrote: > > Hello Okie, > > great to hear :) > > @Stian I already implemented mappers for propagating client and realm role > mappings to JWT tokens. > If you point me to the JIRA issue I can send a PR for it. > > Cheers, > Thomas > > 2016-06-03 10:13 GMT+02:00 Okie Oth : > >> Hello Thomas, >> that's what I'm looking for and it works great also in my test >> environment :) >> >> Thank you.
>> >> Cheers >> >> >> On 02.06.2016 at 23:30, Thomas Darimont wrote: >> >> Hello group, >> >> Just wanted to let you know that I built a small example [0] that >> demonstrates the usage of Keycloak with mod_auth_oidc [1] >> with Docker + Apache + PHP. >> >> Works like a charm :) >> >> Cheers, >> Thomas >> >> [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example >> [1] https://github.com/pingidentity/mod_auth_openidc >> >> >> _______________________________________________ >> keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > >

From sthorger at redhat.com Fri Jun 3 07:25:49 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 3 Jun 2016 13:25:49 +0200 Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc In-Reply-To: References: <57513C0D.30509@gmail.com> <575152DB.3050602@gmail.com> Message-ID:
Thomas, fancy adding a page about using mod_auth_openidc to our new docs? Git repo is here: https://github.com/keycloak/securing_apps_guide Published guide is here: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/oidc-overview.html On 3 June 2016 at 13:15, Thomas Darimont wrote: > FYI I created https://issues.jboss.org/browse/KEYCLOAK-3081 > for the "Custom User Role Attribute Protocol Mapper" feature request. > > PR incoming... > > Cheers, > Thomas > > 2016-06-03 11:50 GMT+02:00 Okie Oth : > >> I use the setting in a Ubuntu 14.04 environment, where Apache 2.4 is >> currently the standard. For me the provided binaries on github don't work >> and some notes there mention that these releases only work with Apache 2.2.
>>
>> After a clone and compile it works also with Apache 2.4:
>>
>> ./autogen.sh
>> ./configure
>> make
>> sudo make install
>> sudo a2enmod auth_openidc
>>
>> Cheers,
>> Eiko
>>
>> On 03.06.2016 at 10:36, Thomas Darimont wrote:
>>
>> Hello Okie,
>>
>> great to hear :)
>>
>> @Stian I already implemented mappers for propagating client and realm
>> role mappings to JWT tokens.
>> If you point me to the JIRA issue I can send a PR for it.
>>
>> Cheers,
>> Thomas
>>
>> 2016-06-03 10:13 GMT+02:00 Okie Oth :
>>
>>> Hello Thomas,
>>> that's what I'm looking for and it works great also in my test
>>> environment :)
>>>
>>> Thank you.
>>>
>>> Cheers
>>>
>>> On 02.06.2016 at 23:30, Thomas Darimont wrote:
>>>
>>> Hello group,
>>>
>>> Just wanted to let you know that I built a small example [0] that
>>> demonstrates the usage of Keycloak with mod_auth_oidc [1]
>>> with Docker + Apache + PHP.
>>>
>>> Works like a charm :)
>>>
>>> Cheers,
>>> Thomas
>>>
>>> [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example
>>> [1] https://github.com/pingidentity/mod_auth_openidc

From sthorger at redhat.com Fri Jun 3 07:34:19 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Jun 2016 13:34:19 +0200
Subject: [keycloak-user] Swedish translation
In-Reply-To:
References:
Message-ID:

We need to find a way to share translations that scales.
We're not able to maintain all these translations ourselves, so I'm considering adding some external repository for the translations and electing a maintainer for each language. Does anyone have a good suggestion how to deal with this?

On 31 May 2016 at 12:01, Thomas Raehalme wrote:
> Hi!
>
> We need to translate the Keycloak user interface (excluding the admin console) to
> the Swedish language. I was wondering if anyone has already done the
> translation and would be willing to share it?
>
> We have already translated Keycloak to Finnish and hope to share the
> translation with the community in the near future.
>
> Best regards,
> Thomas

From amaeztu at tesicnor.com Fri Jun 3 08:20:42 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Fri, 3 Jun 2016 14:20:42 +0200
Subject: [keycloak-user] Fwd: Re: Redirection issue with proxy behind keycloak
In-Reply-To:
References: <03225e22-5a31-d3c5-4285-69e355e1950e@tesicnor.com> <5e1b50b9-b7d0-5b2e-b16c-4df98da6f485@tesicnor.com> <7a45ae5d-cf0f-a5d5-0ab5-1df8ee8aa9da@tesicnor.com> <895342cc-a03d-caff-ffa3-281cf9a25499@tesicnor.com> <11921D36-82CD-4B90-8E65-4C3209D5DE52@smartling.com>
Message-ID: <78c6e629-d3ab-2ea7-b4bb-ac5d10478f7c@tesicnor.com>

Hi all,

Good work with the sample project Scott, it's a properly isolated piece of code where we can easily see what's going on. My previous problem was nearly solved; it only keeps happening with FF, when the user isn't logged in [0].
Scott, I've got no reason to avoid other traditional HTTP proxies; all of this is because I'm a bit of a newbie in these kinds of topics about distributed environments, and having chosen the Spring Cloud utility I thought I could implement everything I needed using Zuul. So this is the design I was thinking of for production:

Browser request -> Zuul proxy (80) -> UI Service (8099, accesses other services using the keycloak rest template) -> Backbone services (80xx). They call each other using the keycloak rest template.

Mobile app request -> Zuul proxy (80) -> Backbone services (80xx). They call each other using the keycloak rest template.

I've declared each backbone service in Keycloak as confidential because that way I can access the service directly through the browser. Like you say, it might be a more proper option to use bearer-only access, but how could I deal with the UI Service? This could be a choice according to what you say, not adding any other proxy:

Browser request -> UI Service (80) -> Zuul proxy (8765) -> Backbone services (80xx). They call each other using the keycloak rest template.

The only drawback I can think of with this design is the case of needing to have more UI replicas; would I need to manage them myself? If I add a proxy on top of it, could I have it talking with Eureka to know where the different instances of the UI Service are?

Thanks!

[0] https://github.com/xtremebiker/zuul-keycloak-test/pull/1

On 03/06/2016 at 6:05, Scott Rossillo wrote:
> Hi Aritz,
>
> Your sample project was very helpful to understand the problems you're
> facing with Zuul as a proxy server. I spent some time investigating
> and I've sent you a pull request [0] that will get your sample working.
>
> That being said, please do read the "Cookies and Sensitive Headers"
> documentation from Spring Cloud Netflix [1]. This applies to anyone
> thinking of using Zuul as a stateful proxy server. Zuul was designed
> by Netflix to proxy stateless services.
> In the Keycloak world, these
> would be clients with an access type of bearer-only.
>
> I'd strongly recommend against this setup in production. You could
> continue to use Zuul for stateless services, but anything requiring an
> interactive login should really be behind a more traditional HTTP
> proxy (e.g. Nginx, Apache, etc).
>
> If you disagree, can you tell us the reason you'd want to proxy a
> stateful service with Zuul?
>
> Hope this helps clear things up a bit.
>
> Best,
> Scott
>
> [0]: https://github.com/xtremebiker/zuul-keycloak-test/pull/1
> [1]: http://cloud.spring.io/spring-cloud-netflix/spring-cloud-netflix.html
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>> On Jun 2, 2016, at 4:08 PM, Aritz Maeztu wrote:
>>
>> Hi Scott and all,
>>
>> Tried removing the tomcat adapter from my project; it was my mistake
>> putting it together with the Spring Security one. Thanks for the
>> link to the question, it was a question I asked on SO some time ago
>> and your answer worked that time. However, even if I leave /sso/login
>> unprotected by Spring Security, the same behaviour happens. So I
>> tried creating a sample scenario from scratch and I can reproduce the
>> issue. Here it is, three maven projects: the service discovery
>> (Eureka), the proxy service (Zuul) and the sample secured service:
>>
>> https://github.com/xtremebiker/zuul-keycloak-test
>>
>> The keycloak.json file in the secured service should be replaced by
>> the one for your client, of course.
>> And here there is a filter
>> declaration that can be made in Spring Boot to show the request
>> dumper for Tomcat:
>>
>> http://stackoverflow.com/questions/23325389/spring-boot-enable-http-requests-logging/37523922#37523922
>>
>> The steps to reproduce it are:
>>
>> 1- Boot the three projects
>>
>> 2- Wait till the two services are registered in Eureka and navigate
>> to localhost:8765/secured-service/path
>>
>> 3- After logging in to Keycloak, the port changes to 8083
>>
>> I'll continue struggling and see if I can figure it out myself.
>>
>> Regards
>>
>> On 31/05/2016 at 22:56, Scott Rossillo wrote:
>>> Hi Aritz,
>>>
>>> If you're using the Tomcat adapter and Spring Security adapter
>>> together, they may be interfering with each other. I'm not saying
>>> this is the problem you're having, but I'd avoid using both adapters
>>> together.
>>>
>>> Please also take a look at this Stack Overflow answer [0] related to
>>> redirect issues. If none of this helps I'll try to debug with Eureka
>>> and Zuul.
>>>
>>> [0]:
>>> http://stackoverflow.com/questions/33543672/keycloak-redirects-me-to-my-index-url-instead-of-to-the-requested-one?answertab=votes#tab-top
>>>
>>> Scott Rossillo
>>> Smartling | Senior Software Engineer
>>> srossillo at smartling.com
>>>
>>>> On May 31, 2016, at 4:00 PM, Aritz Maeztu wrote:
>>>>
>>>> Hello Scott,
>>>>
>>>> I've got the spring security and tomcat keycloak adapters both as a
>>>> project dependency for each service (as I'm running the services in
>>>> Tomcat 8 embedded servers). Basically I want to base my security on
>>>> Spring Security; that's why I chose this adapter over the Spring
>>>> Boot adapter.
>>>>
>>>> As the behaviour shows, a redirection is made first to the
>>>> /sso/login endpoint, then another one to the keycloak authorization
>>>> server.
>>>> The question is, as a redirection is a mere instruction
>>>> issued by the server to the browser, what chance do I have to
>>>> send the original x-forwarded headers to the keycloak authorization
>>>> server, so that it can make the redirection to the url requested at
>>>> the very beginning (to the reverse proxy)?
>>>>
>>>> I could implement a playground scenario for you if you happen to
>>>> require it.
>>>>
>>>> Many thanks
>>>>
>>>> On 31/05/2016 at 20:14, Scott Rossillo wrote:
>>>>> Hi Aritz,
>>>>>
>>>>> So just to be clear, which Keycloak adapter are you using? The
>>>>> Spring Boot Adapter or the Spring Security Adapter?
>>>>>
>>>>> Scott Rossillo
>>>>> Smartling | Senior Software Engineer
>>>>> srossillo at smartling.com
>>>>>
>>>>>> On May 31, 2016, at 3:13 AM, Aritz Maeztu wrote:
>>>>>>
>>>>>> I've got some Spring Boot application instances with embedded
>>>>>> Tomcat servlet containers. Tomcat has a similar system to Wildfly
>>>>>> for request dumping; that's what I have enabled for getting the
>>>>>> trace below. In short, this is the behaviour I'm able to see:
>>>>>>
>>>>>> 1. Zuul Proxy (Spring Boot in Tomcat) -> Organization Service
>>>>>> (port 8083): A forward request where X-forwarded headers are
>>>>>> included
>>>>>>
>>>>>> 2. Organization Service (localhost:8083): Looks for a token and,
>>>>>> if it's not available, the keycloak adapter redirects to the
>>>>>> /sso/login of the same service (here the traceability from the
>>>>>> proxy gets lost)
>>>>>>
>>>>>> 3. localhost:8083/sso/login: Redirects to the keycloak wildfly
>>>>>> server, saving the requested url
>>>>>>
>>>>>> 4. Keycloak login: The user performs the authentication and the
>>>>>> redirectUri is localhost:8083/sso/login. Later on, the login
>>>>>> endpoint redirects the user to the url requested in point 2, not
>>>>>> the first one from the proxy.
>>>>>>
>>>>>> I only have this problem when my organization service needs to
>>>>>> verify the token (or a token doesn't exist) using the keycloak
>>>>>> adapter. When the /sso/login endpoint is not requested,
>>>>>> everything is working properly. Hope I've explained it well!
>>>>>>
>>>>>> On 31/05/2016 at 7:15, Stian Thorgersen wrote:
>>>>>>> Where is your app deployed? If it's on WildFly you can follow
>>>>>>> the same steps used to configure a reverse proxy for Keycloak
>>>>>>> Server to configure WildFly. Check if getRequestURL returns the
>>>>>>> correct URL in your app.
>>>>>>>
>>>>>>> On 30 May 2016 at 15:08, Aritz Maeztu wrote:
>>>>>>>
>>>>>>> -------- Forwarded message --------
>>>>>>> Subject: Re: [keycloak-user] Redirection issue with proxy
>>>>>>> behind keycloak
>>>>>>> Date: Mon, 30 May 2016 13:28:21 +0200
>>>>>>> From: Aritz Maeztu
>>>>>>> To: stian at redhat.com
>>>>>>> CC: Niels Bertram,
>>>>>>> keycloak-user, Scott
>>>>>>> Rossillo
>>>>>>>
>>>>>>> I've traced everything from the proxy server till
>>>>>>> the login page is displayed:
>>>>>>>
>>>>>>> First step, /organization/organizations is requested, so the
>>>>>>> proxy server knows it has to be forwarded to port 8083
>>>>>>> (the one for the organization service).
That's the first >>>>>>> request received by my application's Tomcat: >>>>>>> >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 START TIME =30-may-2016 13:01:18 >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 requestURI=/organizations >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 authType=null >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 characterEncoding=UTF-8 >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 contentLength=-1 >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 contentType=null >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 contextPath= >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=accept-language=es-ES,es;q=0.8 >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=x-forwarded-host=mies-057:8765 >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=x-forwarded-prefix=/organization >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=upgrade-insecure-requests=1 >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : 
>>>>>>> http-nio-8083-exec-9 header=accept-encoding=gzip >>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 >>>>>>> header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=user-agent=Mozilla/5.0 (Windows >>>>>>> NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) >>>>>>> Chrome/50.0.2661.102 Safari/537.36 >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=netflix.nfhttpclient.version=1.0 >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 >>>>>>> header=x-netflix-httpclientname=organization >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=host=mies-057:8083 >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=connection=Keep-Alive >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 locale=es_ES >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 method=GET >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 pathInfo=null >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 protocol=HTTP/1.1 >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> 
http-nio-8083-exec-9 queryString=null >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 remoteAddr=192.168.56.1 >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 remoteHost=192.168.56.1 >>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 remoteUser=null >>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 requestedSessionId=null >>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 scheme=http >>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 serverName=mies-057 >>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 serverPort=8083 >>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 servletPath=/organizations >>>>>>> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 isSecure=false >>>>>>> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 >>>>>>> ------------------=-------------------------------------------- >>>>>>> >>>>>>> Here x-forwarded-host is mies-057:8765 (the proxy server) >>>>>>> and x-forwarded-prefix is /organization. So the original >>>>>>> request is kept in the headers. 
Well, now my service (8083) >>>>>>> tries to check for authorization via the /sso/login endpoint >>>>>>> from the keycloak spring security adapter: >>>>>>> >>>>>>> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9] >>>>>>> o.k.a.s.management.HttpSessionManager : Session created: >>>>>>> CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>>>> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9] >>>>>>> k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to >>>>>>> login URI /sso/login >>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 >>>>>>> ------------------=-------------------------------------------- >>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 authType=null >>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 contentType=null >>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=X-Content-Type-Options=nosniff >>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=X-XSS-Protection=1; mode=block >>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=Cache-Control=no-cache, >>>>>>> no-store, max-age=0, must-revalidate >>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=Pragma=no-cache >>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 header=Expires=0 >>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : 
>>>>>>> http-nio-8083-exec-9 header=X-Frame-Options=DENY >>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 >>>>>>> header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752; >>>>>>> Path=/; HttpOnly >>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 >>>>>>> header=Location=http://mies-057:8083/sso/login >>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 remoteUser=null >>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 status=302 >>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 END TIME =30-may-2016 13:01:18 >>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-9 >>>>>>> =============================================================== >>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 START TIME =30-may-2016 13:01:18 >>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 requestURI=/sso/login >>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 authType=null >>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 characterEncoding=UTF-8 >>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 contentLength=-1 >>>>>>> 2016-05-30 
13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 contentType=null >>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 contextPath= >>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 >>>>>>> cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 header=host=mies-057:8083 >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 header=connection=keep-alive >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 >>>>>>> header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 header=upgrade-insecure-requests=1 >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 header=user-agent=Mozilla/5.0 (Windows >>>>>>> NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) >>>>>>> Chrome/50.0.2661.102 Safari/537.36 >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 header=accept-encoding=gzip, deflate, sdch >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 header=accept-language=es-ES,es;q=0.8 >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> 
http-nio-8083-exec-10 >>>>>>> header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 locale=es_ES >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 method=GET >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 pathInfo=null >>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 protocol=HTTP/1.1 >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 queryString=null >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 remoteAddr=192.168.56.1 >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 remoteHost=192.168.56.1 >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 remoteUser=null >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 >>>>>>> requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 scheme=http >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 serverName=mies-057 >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 
serverPort=8083 >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 servletPath=/sso/login >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 isSecure=false >>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>> http-nio-8083-exec-10 >>>>>>> ------------------=-------------------------------------------- >>>>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] >>>>>>> o.k.adapters.PreAuthActionsHandler : >>>>>>> adminRequesthttp://mies-057:8083/sso/login >>>>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] >>>>>>> f.KeycloakAuthenticationProcessingFilter : Request is to >>>>>>> process authentication >>>>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] >>>>>>> f.KeycloakAuthenticationProcessingFilter : Attempting >>>>>>> Keycloak authentication >>>>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] >>>>>>> o.k.adapters.RequestAuthenticator : --> authenticate() >>>>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] >>>>>>> o.k.adapters.RequestAuthenticator : try bearer >>>>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] >>>>>>> o.k.adapters.RequestAuthenticator : try oauth >>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>>>> o.k.a.s.token.SpringSecurityTokenStore : Checking if >>>>>>> org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator at d328c2d >>>>>>> is cached >>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>>>> o.k.adapters.OAuthRequestAuthenticator : there was no code >>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>>>> o.k.adapters.OAuthRequestAuthenticator : redirecting to >>>>>>> auth server >>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] 
>>>>>>> o.k.adapters.OAuthRequestAuthenticator : callback
>>>>>>> uri:http://mies-057:8083/sso/login
>>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
>>>>>>> f.KeycloakAuthenticationProcessingFilter : Auth outcome:
>>>>>>> NOT_ATTEMPTED
>>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10]
>>>>>>> o.k.adapters.OAuthRequestAuthenticator : Sending redirect
>>>>>>> to login
>>>>>>> page:http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true
>>>>>>>
>>>>>>> As shown in the logs, the X-forwarded headers are not kept
>>>>>>> by the keycloak adapter (look at the lines
>>>>>>> below k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting
>>>>>>> to login URI /sso/login). So could it be that the proxy server
>>>>>>> itself is properly configured but the keycloak adapter is
>>>>>>> losing the original headers while performing the redirection?
>>>>>>>
>>>>>>> I've also set up the request dumper in the undertow server
>>>>>>> as Niels suggested, but obviously the X-forwarded headers are
>>>>>>> not reaching the keycloak server.
>>>>>>>
>>>>>>> Thanks for your time, again ;-)
>>>>>>>
>>>>>>> On 25/05/2016 at 7:22, Stian Thorgersen wrote:
>>>>>>>> You need the Host and X-Forwarded-For headers to be
>>>>>>>> included, and there's also some config to be done on the
>>>>>>>> Keycloak server (see
>>>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding)
>>>>>>>>
>>>>>>>> On 24 May 2016 at 08:46, Aritz Maeztu wrote:
>>>>>>>>
>>>>>>>> Hi Niels and Scott. First of all, thank you very much
>>>>>>>> for your help. I'm currently using Zuul (Spring Cloud)
>>>>>>>> as the reverse proxy.
>>>>>>>> All the services are registered
>>>>>>>> in a discovery service called Eureka, and then Zuul
>>>>>>>> looks for the service id there and performs the
>>>>>>>> redirection. I read about X-Forwarded headers, but I
>>>>>>>> thought it might result in a security issue if not
>>>>>>>> included, not that it could affect the redirection process.
>>>>>>>>
>>>>>>>> As Scott says, I suppose the Host and the X-Real-Ip
>>>>>>>> headers are the relevant ones here, so I guess I should
>>>>>>>> instruct Zuul to send them when the service is
>>>>>>>> addressed (however, I wonder why they are not already
>>>>>>>> being sent, as Zuul is a proxy service, after all).
>>>>>>>>
>>>>>>>> Here I include a preview of the first redirection made
>>>>>>>> to the keycloak login page, which shows the request
>>>>>>>> headers sent to the service /login endpoint (at port
>>>>>>>> 8081 on localhost):
>>>>>>>>
>>>>>>>> https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0
>>>>>>>>
>>>>>>>> On 24/05/2016 at 2:08, Niels Bertram wrote:
>>>>>>>>> Hi Aritz,
>>>>>>>>>
>>>>>>>>> a great way to figure out what is sent from the
>>>>>>>>> reverse proxy to your keycloak server is to use the
>>>>>>>>> undertow request dumper.
>>>>>>>>>
>>>>>>>>> From the jboss-cli just add the request dumper filter
>>>>>>>>> to your undertow configuration like this:
>>>>>>>>>
>>>>>>>>> $KC_HOME/bin/jboss-cli.sh -c
>>>>>>>>>
>>>>>>>>> /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, module=io.undertow.core)
>>>>>>>>>
>>>>>>>>> /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
>>>>>>>>>
>>>>>>>>> /:reload
>>>>>>>>>
>>>>>>>>> given your apache config looks something like this:
>>>>>>>>>
>>>>>>>>> ProxyRequests Off
>>>>>>>>> ProxyPreserveHost On
>>>>>>>>> ProxyVia On
>>>>>>>>>
>>>>>>>>> ProxyPass /auth ajp://127.0.0.1:8009/auth
>>>>>>>>> ProxyPassReverse /auth ajp://127.0.0.1:8009/auth
>>>>>>>>>
>>>>>>>>> you should see something like this (forwarded info is
>>>>>>>>> somewhat rubbish in this example as I am running the
>>>>>>>>> hosts on Virtualbox, but you can see this request was
>>>>>>>>> put through 2 proxies from local pc 192.168.33.1 to
>>>>>>>>> haproxy on 192.168.33.80 and then apache reverse proxy
>>>>>>>>> on 192.168.33.81):
>>>>>>>>>
>>>>>>>>> ==============================================================
>>>>>>>>> 23:47:20,563 INFO [io.undertow.request.dump] (default task-14)
>>>>>>>>> ----------------------------REQUEST---------------------------
>>>>>>>>> URI=/auth/welcome-content/favicon.ico
>>>>>>>>> characterEncoding=null
>>>>>>>>> contentLength=-1
>>>>>>>>> contentType=null
>>>>>>>>> header=Accept=*/*
>>>>>>>>> header=Accept-Language=en-US,en;q=0.8,de;q=0.6
>>>>>>>>> header=Cache-Control=no-cache
>>>>>>>>> header=Accept-Encoding=gzip, deflate, sdch
>>>>>>>>> header=DNT=1
>>>>>>>>> header=Pragma=no-cache
>>>>>>>>> header=X-Original-To=192.168.33.80
>>>>>>>>> header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
header=Authorization=Basic >>>>>>>>> bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo= >>>>>>>>> header=X-Forwarded-Proto=https >>>>>>>>> header=X-Forwarded-Port=443 >>>>>>>>> header=X-Forwarded-For=192.168.33.1 >>>>>>>>> header=Referer=https://login.vagrant.dev/auth/ >>>>>>>>> header=Host=login.vagrant.dev >>>>>>>>> locale=[en_US, en, de] >>>>>>>>> method=GET >>>>>>>>> protocol=HTTP/1.1 >>>>>>>>> queryString= >>>>>>>>> remoteAddr=192.168.33.1:0 >>>>>>>>> remoteHost=192.168.33.1 >>>>>>>>> scheme=https >>>>>>>>> host=login.vagrant.dev >>>>>>>>> serverPort=443 >>>>>>>>> --------------------------RESPONSE-------------------------- >>>>>>>>> contentLength=627 >>>>>>>>> contentType=application/octet-stream >>>>>>>>> header=Cache-Control=max-age=2592000 >>>>>>>>> header=X-Powered-By=Undertow/1 >>>>>>>>> header=Server=WildFly/10 >>>>>>>>> >>>>>>>>> >>>>>>>>> Hope this helps diagnosing your issue. Niels >>>>>>>>> >>>>>>>>> On Tue, May 24, 2016 at 1:20 AM, Aritz >>>>>>>>> Maeztuwrote: >>>>>>>>> >>>>>>>>> I'm using keycloak to securize some Spring based >>>>>>>>> services (with the keycloak spring security >>>>>>>>> adapter). The adapter creates a `/login` endpoint >>>>>>>>> in each of the services which redirects to the >>>>>>>>> keycloak login page and then redirects back to the >>>>>>>>> service when authentication is done. I also have a >>>>>>>>> proxy service which I want to publish in the 80 >>>>>>>>> port and will take care of routing all the >>>>>>>>> requests to each service. The proxy performs a >>>>>>>>> plain FORWARD to the service, but the problem >>>>>>>>> comes when I securize the service with the >>>>>>>>> keycloak adapter. >>>>>>>>> >>>>>>>>> When I make a request, the adapter redirects to >>>>>>>>> its login endpoint and then to the keycloak auth >>>>>>>>> url. When keycloak sends the redirection, the url >>>>>>>>> shown in the browser is the one from the service >>>>>>>>> and not the one from the proxy. 
Do I have some >>>>>>>>> choice to tell the adapter I want to redirect back >>>>>>>>> to the first requested url? >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Aritz Maeztu Ota?o >>>>>>>>> Departamento Desarrollo de Software >>>>>>>> Attachment.gif> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Pol. Ind. Mocholi.C/Rio Elorz, Nave 13E31110 Noain >>>>>>>>> (Navarra) >>>>>>>>> Telf.: 948 21 40 40 >>>>>>>>> Fax.: 948 21 40 41 >>>>>>>>> >>>>>>>>> Antes de imprimir este e-mail piense bien si es >>>>>>>>> necesario hacerlo: El medioambiente es cosa de todos. >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> keycloak-user mailing list >>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Aritz Maeztu Ota?o >>>>>>>> Departamento Desarrollo de Software >>>>>>> Attachment.gif> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Pol. Ind. Mocholi.C/Rio Elorz, Nave 13E31110 Noain >>>>>>>> (Navarra) >>>>>>>> Telf.: 948 21 40 40 >>>>>>>> Fax.: 948 21 40 41 >>>>>>>> >>>>>>>> Antes de imprimir este e-mail piense bien si es >>>>>>>> necesario hacerlo: El medioambiente es cosa de todos. >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Aritz Maeztu Ota?o >>>>>>> Departamento Desarrollo de Software >>>>>>> >>>>>>> >>>>>>> >>>>>>> Pol. Ind. Mocholi.C/Rio Elorz, Nave 13E31110 Noain (Navarra) >>>>>>> Telf.: 948 21 40 40 >>>>>>> Fax.: 948 21 40 41 >>>>>>> >>>>>>> Antes de imprimir este e-mail piense bien si es necesario >>>>>>> hacerlo: El medioambiente es cosa de todos. 
>>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> Aritz Maeztu Ota?o >>>>>> Departamento Desarrollo de Software >>>>>> >>>>>> >>>>>> >>>>>> Pol. Ind. Mocholi.C/Rio Elorz, Nave 13E31110 Noain (Navarra) >>>>>> Telf.: 948 21 40 40 >>>>>> Fax.: 948 21 40 41 >>>>>> >>>>>> Antes de imprimir este e-mail piense bien si es necesario >>>>>> hacerlo: El medioambiente es cosa de todos. >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>>> >>>> ------------------------------------------------------------------------ >>>> Avast logo >>>> >>>> >>>> >>>> El software de antivirus Avast ha analizado este correo electr?nico >>>> en busca de virus. >>>> www.avast.com >>>> >>>> >>>> >>>> >>> >> >> >> >> ------------------------------------------------------------------------ >> Avast logo >> >> >> >> El software de antivirus Avast ha analizado este correo electr?nico >> en busca de virus. >> www.avast.com >> >> >> >> > -- Aritz Maeztu Ota?o Departamento Desarrollo de Software Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf.: 948 21 40 40 Fax.: 948 21 40 41 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160603/f1ce9519/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... 
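As an added example (not part of the thread), the Python below parses Undertow request-dump output like Niels's into fields and headers and rebuilds the URL the browser actually requested, honouring X-Forwarded-* only when the request came in from a trusted proxy address, which is the behaviour a proxied adapter needs to redirect back to the proxy rather than to the service. The trusted-proxy list, the direct-hit and Zuul dumps, the X-Forwarded-Host header and the example addresses are constructed assumptions.

```python
"""Rebuild the client-facing URL of a request that arrived through a reverse proxy.

Sample dumps use the line format of Undertow's RequestDumpingHandler: one
key=value per line, HTTP headers as header=Name=Value.
"""
import ipaddress
from typing import Dict, Iterable, Tuple

# Assumed trusted proxies: haproxy and Apache from Niels's setup, plus a Zuul node.
TRUSTED_PROXIES = ["192.168.33.80/32", "192.168.33.81/32", "10.0.0.5/32"]

# Header lines from the dump quoted in the thread; remoteAddr changed to the Apache
# proxy so the sample reflects what the app's TCP peer really is (constructed).
DUMP_BEHIND_APACHE = """\
URI=/auth/welcome-content/favicon.ico
header=X-Forwarded-Proto=https
header=X-Forwarded-Port=443
header=X-Forwarded-For=192.168.33.1
header=Host=login.vagrant.dev
method=GET
remoteAddr=192.168.33.81:0
scheme=https
serverPort=443
"""

# Constructed: the browser reaches the Spring service on port 8081 directly.
DUMP_DIRECT = """\
URI=/login
header=Host=localhost:8081
method=GET
remoteAddr=127.0.0.1:53412
scheme=http
serverPort=8081
"""

# Constructed: the same request routed by Zuul (10.0.0.5) with X-Forwarded-* added.
DUMP_VIA_ZUUL = """\
URI=/login
header=Host=localhost:8081
header=X-Forwarded-Host=app.example.com
header=X-Forwarded-Proto=https
header=X-Forwarded-Port=443
header=X-Forwarded-For=203.0.113.9
method=GET
remoteAddr=10.0.0.5:41000
scheme=http
serverPort=8081
"""


def parse_dump(dump: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split dump lines into request fields and HTTP headers (names lower-cased)."""
    fields: Dict[str, str] = {}
    headers: Dict[str, str] = {}
    for raw in dump.splitlines():
        key, sep, value = raw.strip().partition("=")
        if not sep:
            continue  # banners and separator lines carry no '='
        if key == "header":
            name, _, header_value = value.partition("=")
            headers[name.lower()] = header_value
        else:
            fields[key] = value
    return fields, headers


def is_trusted_proxy(remote_addr: str, proxies: Iterable[str]) -> bool:
    """True when the TCP peer (dumped as ip:port) belongs to a trusted proxy network."""
    try:
        addr = ipaddress.ip_address(remote_addr.rsplit(":", 1)[0])
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in proxies)


def external_url(fields: Dict[str, str], headers: Dict[str, str],
                 proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """URL the browser requested, as a proxied app should compute it for redirects.

    X-Forwarded-* is honoured only when the peer is a trusted proxy; otherwise the
    app's own scheme/Host/port are used, which is why an adapter behind a proxy that
    forwards nothing redirects back to the service's URL instead of the proxy's.
    """
    scheme = fields.get("scheme", "http")
    hostname, _, port = headers.get("host", "localhost").partition(":")
    port = port or fields.get("serverPort", "")
    if is_trusted_proxy(fields.get("remoteAddr", ""), proxies):
        scheme = headers.get("x-forwarded-proto", scheme)
        if "x-forwarded-host" in headers:
            hostname, _, fwd_port = headers["x-forwarded-host"].partition(":")
            port = fwd_port or port
        port = headers.get("x-forwarded-port", port)
    default_port = {"http": "80", "https": "443"}.get(scheme)
    authority = hostname if port in ("", default_port) else f"{hostname}:{port}"
    return f"{scheme}://{authority}{fields.get('URI', '/')}"


if __name__ == "__main__":
    for name, dump in (("apache", DUMP_BEHIND_APACHE), ("direct", DUMP_DIRECT),
                       ("zuul", DUMP_VIA_ZUUL)):
        print(f"{name:6s} -> {external_url(*parse_dump(dump))}")
```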
From sthorger at redhat.com Fri Jun 3 08:46:24 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Jun 2016 14:46:24 +0200
Subject: [keycloak-user] Keycloak 1.9.7.Final released

Keycloak 1.9.7.Final has just been released.

For the full list of resolved issues check out JIRA and to download the release go to the Keycloak homepage.

From john.d.ament at gmail.com Fri Jun 3 09:27:23 2016
From: john.d.ament at gmail.com (John D. Ament)
Date: Fri, 03 Jun 2016 13:27:23 +0000
Subject: [keycloak-user] Managing the attack surface of Keycloak

Hey,

So, a very high level question, and any insight you guys may have would help.

We're looking to potentially deploy keycloak as a part of a public cloud application to support authentication to our applications based on security settings our tenants may use, which may include talking back to their internal LDAPs, our LDAP, our database, or their hosted SAML solutions.

We're not looking to expose this UI to them, so they would never need to login other than visiting the login page to access our applications. Are there any mitigation strategies for reducing the attack surface of keycloak? I saw that you had brute force detection available, in addition to using public/private key pairs to do API authentication. I'm wondering if there are any more security levels that could be leveraged?
Does reducing the number of API endpoints accessible publicly make sense in this scenario? If so, what endpoints would need to be there to support authentication?

John

From thomas.darimont at googlemail.com Fri Jun 3 09:48:11 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 3 Jun 2016 15:48:11 +0200
Subject: [keycloak-user] Managing the attack surface of Keycloak

Hello John,

have a look at: Guidelines for protecting Keycloak Endpoints
http://lists.jboss.org/pipermail/keycloak-user/2016-March/005525.html

Cheers,
Thomas
From thomas.darimont at googlemail.com Fri Jun 3 09:58:38 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 3 Jun 2016 15:58:38 +0200
Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc
References: <57513C0D.30509@gmail.com> <575152DB.3050602@gmail.com>

I'll compile something over the weekend.

Cheers,
Thomas

2016-06-03 13:25 GMT+02:00 Stian Thorgersen:
> Thomas fancy adding a page about using mod_auth_openidc to our new docs?
>
> Git repo is here: https://github.com/keycloak/securing_apps_guide
> Published guide is here:
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/oidc-overview.html
>
> On 3 June 2016 at 13:15, Thomas Darimont wrote:
>
>> FYI I created https://issues.jboss.org/browse/KEYCLOAK-3081
>> for the "Custom User Role Attribute Protocol Mapper" feature request.
>>
>> PR incoming...
>>
>> Cheers,
>> Thomas
>>
>> 2016-06-03 11:50 GMT+02:00 Okie Oth:
>>
>>> I use the setting in a Ubuntu 14.04 environment and there Apache 2.4 is
>>> currently the standard. For me the provided binaries on github don't work
>>> and some notes there mention that these releases only work with Apache 2.2.
>>>
>>> After a clone and compile it works also with Apache 2.4
>>>
>>> ./autogen.sh
>>> ./configure
>>> make
>>> sudo make install
>>> sudo a2enmod auth_openidc
>>>
>>> Cheers,
>>> Eiko
>>>
>>> On 03.06.2016 at 10:36 Thomas Darimont wrote:
>>>
>>> Hello Okie,
>>>
>>> great to hear :)
>>>
>>> @Stian I already implemented mappers for propagating client and realm
>>> role mappings to JWT tokens.
>>> If you point me to the JIRA issue I can send a PR for it.
>>>
>>> Cheers,
>>> Thomas
>>>
>>> 2016-06-03 10:13 GMT+02:00 Okie Oth:
>>>
>>>> Hello Thomas,
>>>> that's what I'm looking for and it works great also in my test
>>>> environment :)
>>>>
>>>> Thank you.
>>>>
>>>> Cheers
>>>>
>>>> On 02.06.2016 at 23:30 Thomas Darimont wrote:
>>>>
>>>> Hello group,
>>>>
>>>> Just wanted to let you know that I built a small example [0] that
>>>> demonstrates the usage of Keycloak with mod_auth_oidc [1]
>>>> with Docker + Apache + PHP.
>>>>
>>>> Works like a charm :)
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> [0] https://github.com/thomasdarimont/keycloak_mod_auth_oidc_example
>>>> [1] https://github.com/pingidentity/mod_auth_openidc

From thomas.darimont at googlemail.com Fri Jun 3 10:00:19 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 3 Jun 2016 16:00:19 +0200
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.9.7.Final released

Great Job! :)

You should tweet for every release so we can retweet.
https://twitter.com/keycloak

Cheers,
Thomas
From nielsbne at gmail.com Fri Jun 3 10:34:55 2016
From: nielsbne at gmail.com (Niels Bertram)
Date: Sat, 4 Jun 2016 00:34:55 +1000
Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc

Hi Thomas,

just a comment on your example project, the Apache directive OIDCCryptoPassphrase is (AFAIK) used by the apache module to en/decrypt the state parameter that is sent with the redirect params to the OP. This is a mandatory setting and you will have to make sure it's random and secured (otherwise someone can steal your users' session). If you run the apache behind a load balancer, this value needs to be the same on all nodes, else the module will return invalid state errors.

Cheers,
Niels
From thomas.darimont at googlemail.com Fri Jun 3 10:57:57 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 3 Jun 2016 16:57:57 +0200
Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc

Hello Niels,

I think you're right here - apachectl -L says:

OIDCCryptoPassphrase (mod_auth_openidc.c)
Passphrase used for AES crypto on cookies and state.
Allowed in *.conf only outside <Directory>, <Files>, <Location>, or <If>

I did not read the docs properly. So this OIDCCryptoPassphrase is only used by Apache mod_oidc & mod_balancer & not by keycloak if I understand you correctly.

So I could simply change:

OIDCCryptoPassphrase currently-not-supported-by-keycloak
to
OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer

... to make it more clear that this secret should really be a secret and is not used by Keycloak, right?

Cheers,
Thomas
From nielsbne at gmail.com Fri Jun 3 21:29:43 2016
From: nielsbne at gmail.com (Niels Bertram)
Date: Sat, 4 Jun 2016 11:29:43 +1000
Subject: [keycloak-user] Using Keycloak with Apache and mod_auth_oidc

yes that is my understanding
From petervn1 at yahoo.com Sun Jun 5 10:31:14 2016
From: petervn1 at yahoo.com (Peter Nalyvayko)
Date: Sun, 5 Jun 2016 14:31:14 +0000 (UTC)
Subject: [keycloak-user] Are there plans to implement PK Certificate user authentication?
In-Reply-To: <724036490.3301884.1464801575544.JavaMail.yahoo@mail.yahoo.com>
References: <546849148.2815900.1464741692784.JavaMail.yahoo.ref@mail.yahoo.com> <546849148.2815900.1464741692784.JavaMail.yahoo@mail.yahoo.com> <724036490.3301884.1464801575544.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1357928231.5565752.1465137074032.JavaMail.yahoo@mail.yahoo.com>

Hi again,
Judging from the silence regarding my question about a support for PK certificate user authentication in keycloak I guess I must assume that PK certificate authentication is not supported out of the box.

> Sent: Wednesday, June 1, 2016 1:19 PM
> Subject: Fw: Are there plans to implement PK Certificate user authentication?
> Hello,
>
> Cross-posting... We are considering using keycloak as an STS (Secure Token Service). One of the requirements is PK certificate user authentication. It seems the only supported user authentication mechanism in keycloak is user credentials (user name / password). Before rolling out our own implementation, I just want to make sure I am not missing something obvious and that PK authentication is indeed not supported in keycloak yet.
>
> Regards,
> Peter

From sthorger at redhat.com Mon Jun 6 02:04:23 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 6 Jun 2016 08:04:23 +0200
Subject: [keycloak-user] keycloak cartridge and extra modules

By cartridge I assume you mean OpenShift cartridge. It does not currently have the ability to add custom providers or themes. Development of the OpenShift v2 cartridge was more or less frozen as we believe OpenShift v3 would be replacing it sooner.

On 31 May 2016 at 11:32, Simon Gordon wrote:
> Hey all
>
> Another simple one from me I think!
>
> I'm looking to add a userFederation provider, plus a new theme. I am using
> the keycloak cartridge, which is very convenient - but maybe I should
> resort to a .war to add modules? Or is there a way to add modules to the
> keycloak cartridge?
>
> Thanks,
>
> Simon
From sthorger at redhat.com Mon Jun 6 02:11:02 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 6 Jun 2016 08:11:02 +0200
Subject: [keycloak-user] Realm Resource Provider

You can try session.getProvider(LoginFormsProvider.class).createForm("template.ftl")

On 1 June 2016 at 16:58, Bruno Palermo wrote:
> Yes, it does. But it uses the 'RequiredActionContext' context, how can I
> have access to this context inside 'RealmResourceProvider'?
>
> The 'RealmResourceProviderFactory' create method is:
>
> @Override
> public RealmResourceProvider create(KeycloakSession session)
>
> ------------------------------
> Date: Wed, 1 Jun 2016 15:39:43 +0200
> Subject: Re: [keycloak-user] Realm Resource Provider
> From: sthorger at redhat.com
> To: palermo at pobox.com
> CC: keycloak-user at lists.jboss.org
>
> Try looking at the authenticator provider example, I believe that does it
>
> On 1 June 2016 at 14:38, Bruno Palermo wrote:
>
> Hi,
>
> I just created a custom resource provider. Is it possible to render a
> freemarker template as response?
>
> https://github.com/keycloak/keycloak/blob/master/examples/providers/rest/src/main/java/org/keycloak/examples/rest/HelloResourceProvider.java
>
> Thanks,
> Bruno
From thomas.raehalme at aitiofinland.com Mon Jun 6 02:14:57 2016
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Mon, 6 Jun 2016 09:14:57 +0300
Subject: [keycloak-user] Swedish translation

How about making translations deployable in a similar way as themes? The base theme would define the required set of keys which each translation should include. You could even write tests to make sure the translation is complete, which would simplify maintenance.

Perhaps the main distribution could include only English as it would now be simple for the admins to deploy the needed translations.

If the translations are separated from the main Keycloak repository, as you suggested, then the main repository would not be dependent on up-to-date translations (which could slow the development down if they start lagging behind). For the same reason it could also be beneficial to be able to release translations independently from each other.

Themes would still need a way to include custom/override messages but they could be included directly in the theme just like now.

Just an initial thought....

Best regards,
Thomas

On Jun 3, 2016 14:34, "Stian Thorgersen" wrote:
> We need to find a way to share translations that scales. We're not able to
> maintain all these translations ourselves so I'm considering adding some
> external repository for the translations and electing a maintainer for
> each language.
>
> Does anyone have a good suggestion how to deal with this?
>
> On 31 May 2016 at 12:01, Thomas Raehalme wrote:
>
>> Hi!
>>
>> We need to translate the Keycloak user interface (excluding admin console)
>> to the Swedish language. I was wondering if anyone has already done the
>> translation and would be willing to share it?
>>
>> We have already translated Keycloak to Finnish and hope to share the
>> translation with the community in the near future.
>>
>> Best regards,
>> Thomas

From sthorger at redhat.com Mon Jun 6 02:17:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 6 Jun 2016 08:17:51 +0200
Subject: [keycloak-user] Are there plans to implement PK Certificate user authentication?
In-Reply-To: <1357928231.5565752.1465137074032.JavaMail.yahoo@mail.yahoo.com>

By PK certificate authentication do you mean mutual SSL? If so it's on our radar, but not a high priority as we haven't had demand for it. It may take a while until we get around to it.

You may also be able to implement it yourself using a custom authenticator and a root CA certificate added to the underlying Undertow/WildFly.
From sthorger at redhat.com Mon Jun 6 02:24:14 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 6 Jun 2016 08:24:14 +0200
Subject: [keycloak-user] Classification of all email sent from keycloak as SPAM on GMAIL

Did you get any further with this issue? There may be some answers in the following doc:
https://support.google.com/mail/answer/81126

On 2 June 2016 at 02:19, Yasser El-ata wrote:
> Hello,
>
> I have an issue, all the emails that are sent by keycloak are classified as
> spam just on gmail.
>
> The emails sent to Yahoo and Hotmail are received in the inbox.
>
> I'm using Amazon SMTP and I already use certificates from amazon to make
> sure all emails will not be sent as spam.
>
> Any ideas please?
>
> Thanks
>
> --
> Yasser El-Ata
> Java Developer
> BluLogix
> 737 Walker Rd Ste 3, Great Falls, VA 22066
> t: 443.333.4100 | f: 443.333.4101
> www.blulogix.com
>
> The information transmitted is intended only for the person(s) to whom it
> is addressed and may contain confidential and/or privileged material.
> Any review, retransmission, dissemination or other use of, or taking of any
> action in reliance upon, this information by persons or entities other than
> the intended recipient is prohibited. If you received this in error, please
> contact the sender and delete the material from any computer.

From ivan at akvo.org Mon Jun 6 06:21:10 2016
From: ivan at akvo.org (Iván Perdomo)
Date: Mon, 6 Jun 2016 12:21:10 +0200
Subject: [keycloak-user] Undertow adapter setup
Message-ID: <38de1b39-cfb3-c93b-3f5b-ae7407cdfba3@akvo.org>

Hi all,

I'm trying to set up a small example of Keycloak's Undertow adapter, using Keycloak 1.9.7.Final and Undertow 1.3.15.Final.

I've read about Undertow's security model (SecurityContext, AuthenticationMechanism, SecurityInitialHandler, etc) [1]

Part of my sample code was borrowed from Keycloak's ProxyServer [2]

However, I'm not able to "trigger/force" the authentication. The SecurityContext is there, but the authentication state is `NOT_ATTEMPTED`.

Any hints on what I'm doing wrong in this code? [3]

[1] http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#security
[2] https://github.com/keycloak/keycloak/blob/1.9.7.Final/proxy/proxy-server/src/main/java/org/keycloak/proxy/ProxyServerBuilder.java#L249
[3] https://github.com/iperdomo/undertow-keycloak/blob/master/src/main/java/SecuredServer.java

Thanks,

--
Iván
From 00hf11 at gmail.com Mon Jun 6 08:12:52 2016
From: 00hf11 at gmail.com (Helio Frota)
Date: Mon, 6 Jun 2016 09:12:52 -0300
Subject: [keycloak-user] Correct setup of clientID

Hi,

1. Is it correct to manually add clientID to keycloak.json?

2. I found this email in the archives:

> I was hoping this would Just Work, but I quickly discovered that some of
> the properties are "renamed" after the HTTP request:
>
> kc.authServerUrl = config['auth-server-url'];
> kc.realm = config['realm'];
> kc.clientId = config['resource'];
> kc.clientSecret = (config['credentials'] || {})['secret'];

http://lists.jboss.org/pipermail/keycloak-user/2016-April/005802.html

Is clientId now called 'resource'?

thanks

From rsoares at redhat.com Mon Jun 6 08:38:29 2016
From: rsoares at redhat.com (Rafael T. C. Soares)
Date: Mon, 6 Jun 2016 09:38:29 -0300
Subject: [keycloak-user] Understanding Realm vs. Client roles
Message-ID: <57556EC5.6060803@redhat.com>

Hi.

I'm trying to understand how a standard Java web app (client) deals with the keycloak roles mechanism.

    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>App</web-resource-name>
            <url-pattern>/some-context/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>some-role</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>demo</realm-name>
    </login-config>

    <security-role>
        <role-name>some-role</role-name>
    </security-role>
    ...

Keycloak has two different role levels: Realm roles and Client roles. When I create a new user it can automatically inherit default roles from its realm.

But I can't refer to realm roles from my client app because by default there is no relationship between realm roles and client apps. I mean a client under the realm is not aware of realm roles. Right?
From the client app user perspective, I have to create the roles for a specific client app and then associate that role (or roles) with a given user (who wants to have access to that client app). Ok! But what can I do to associate realm roles with a given client app?

I can create a composite role inside the client and associate it with some realm roles. But I still have to explicitly associate that client role with each user I want to grant access to that client app.

Imagine a scenario where you imported thousands of users from an LDAP server (through User Federation).

Let me explain my scenario:
I'm federating users and roles from an MS AD server. I created a Role Mapper to import AD groups as Keycloak roles and automatically create realm roles.
Keycloak imported LDAP groups as realm roles and associated those roles with each user (according to the group/user association on LDAP).
But in this scenario the association roles/client app on Keycloak is missing. Ok, I could choose to import LDAP groups as Client roles on the LDAP Role Mapper configuration. But I prefer to import as realm roles. Thus all client apps created under this realm will inherit those roles.

The role mapper worked perfectly! The problem is: How can I use those roles (imported to the realm and associated with each imported user) to restrict access to a specific client app?

Can someone point me to what would be the correct understanding and the right approach to use imported AD roles in my realm?

--
___
Rafael T. C. Soares | Solution Architect
JBoss Enterprise Middleware | Red Hat Brazil
Mobile: +55 71 98181-3636
Phone: +55 11 3529-6096
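An added illustration for this thread, not code from Keycloak or from any of the posters: in a Keycloak access token the two role levels Rafael describes are separate claims (realm roles under realm_access, client roles under resource_access keyed by client id), and the Java adapter's use-resource-role-mappings setting in keycloak.json decides which set a web.xml role name such as some-role is checked against. The claims and the keycloak.json fragments below are constructed sample data that reuse the thread's names (client App, role some-role, realm demo); the user name, the auth-server-url value and the function names are this example's own.

```python
import json

# Constructed sample of the claims in a Keycloak access token, as the adapter sees
# them after it has verified the signature. The realm_access / resource_access
# layout is Keycloak's; "App", "some-role" and "demo" come from the thread, the
# user and the other role names are invented for the sample.
SAMPLE_CLAIMS = {
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["some-role", "offline_access"]},   # realm roles (e.g. imported from AD)
    "resource_access": {
        "App": {"roles": ["app-viewer"]},          # client roles of the client "App"
        "account": {"roles": ["view-profile"]},    # client roles of the built-in account client
    },
}

# Constructed keycloak.json fragments: the key names are the adapter's, the values are sample data.
# The first mirrors what the console-generated snippet looks like, the second omits the flag.
ADAPTER_CONFIG_FROM_CONSOLE = json.dumps({
    "realm": "demo",
    "resource": "App",
    "auth-server-url": "http://localhost:8080/auth",   # sample value
    "use-resource-role-mappings": True,
})
ADAPTER_CONFIG_DEFAULT = json.dumps({
    "realm": "demo",
    "resource": "App",
    "auth-server-url": "http://localhost:8080/auth",   # sample value
})


def realm_roles(claims):
    return set(claims.get("realm_access", {}).get("roles", []))


def client_roles(claims, client_id):
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def use_resource_role_mappings(adapter_config_json):
    """Read the flag from a keycloak.json descriptor; an absent key means false (the documented default)."""
    return bool(json.loads(adapter_config_json).get("use-resource-role-mappings", False))


def effective_roles(claims, client_id, resource_role_mappings):
    """The role set the adapter compares web.xml role names against:
    client-level roles when the flag is true, realm-level roles otherwise."""
    if resource_role_mappings:
        return client_roles(claims, client_id)
    return realm_roles(claims)


def is_permitted(claims, adapter_config_json, required_role):
    """Would a security-constraint requiring `required_role` admit this token under this keycloak.json?"""
    cfg = json.loads(adapter_config_json)
    flag = use_resource_role_mappings(adapter_config_json)
    return required_role in effective_roles(claims, cfg["resource"], flag)


def explain(claims, client_id, required_role):
    """Diagnose the common mismatch: the role is granted at realm level but the adapter checks client level."""
    in_realm = required_role in realm_roles(claims)
    in_client = required_role in client_roles(claims, client_id)
    if in_client:
        return "'%s' is granted as a client role of '%s'" % (required_role, client_id)
    if in_realm:
        return ("'%s' is a realm role, not a role of client '%s': set "
                "\"use-resource-role-mappings\": false or grant it as a client role"
                % (required_role, client_id))
    return "'%s' is not granted at either level" % required_role


if __name__ == "__main__":
    for label, cfg in (("console snippet", ADAPTER_CONFIG_FROM_CONSOLE),
                       ("documented default", ADAPTER_CONFIG_DEFAULT)):
        print("%s: use-resource-role-mappings=%s, some-role permitted=%s"
              % (label, use_resource_role_mappings(cfg), is_permitted(SAMPLE_CLAIMS, cfg, "some-role")))
    print(explain(SAMPLE_CLAIMS, "App", "some-role"))
```

With the token above, a realm role imported from AD satisfies the some-role constraint only while the flag is false; the same token fails under the console-generated snippet that sets it to true, and explain() names that mismatch so it can be logged instead of surfacing as a bare 403.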
[Attachment: ldap-federation-role-mapper.png (image/png, 55937 bytes), not available in the archive]

From bburke at redhat.com Mon Jun 6 08:48:53 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 6 Jun 2016 08:48:53 -0400
Subject: [keycloak-user] Understanding Realm vs. Client roles
In-Reply-To: <57556EC5.6060803@redhat.com>
References: <57556EC5.6060803@redhat.com>
Message-ID: <5b0a57d9-935f-ba01-3ca1-59ec2760ee7d@redhat.com>

Right now, it is either/or. Either you map realm roles only to your client app, or you use the client roles for the app. We intend to fix this in 2.0:

    "use-resource-role-mappings" : false

Make sure use-resource-role-mappings is false if you want your app to use realm-level roles. Basically client roles are a namespace dedicated to a client.

On 6/6/16 8:38 AM, Rafael T. C. Soares wrote:
> [...]

From rsoares at redhat.com Mon Jun 6 08:57:41 2016
From: rsoares at redhat.com (Rafael T. C. Soares)
Date: Mon, 6 Jun 2016 09:57:41 -0300
Subject: [keycloak-user] Searching on Keycloak mailing list archive
Message-ID: <57557345.2060409@redhat.com>

How can I search for something on the keycloak mailing lists archive? It appears keycloak lists are not indexed by the JBoss Community Search engine [1][2]

[1] http://search.jboss.org
[2] https://developer.jboss.org/wiki/JBossCommunitySearchFAQ

--
___
Rafael T. C. Soares | Solution Architect
JBoss Enterprise Middleware | Red Hat Brazil
Mobile: +55 71 98181-3636
Phone: +55 11 3529-6096

From rsoares at redhat.com Mon Jun 6 10:04:39 2016
From: rsoares at redhat.com (Rafael T. C. Soares)
Date: Mon, 6 Jun 2016 11:04:39 -0300
Subject: [keycloak-user] Understanding Realm vs. Client roles
In-Reply-To: <5b0a57d9-935f-ba01-3ca1-59ec2760ee7d@redhat.com>
References: <57556EC5.6060803@redhat.com> <5b0a57d9-935f-ba01-3ca1-59ec2760ee7d@redhat.com>
Message-ID: <575582F7.5030109@redhat.com>

Thanks Bill!

I changed this config property on my client keycloak.json descriptor and it worked as expected.

The documentation says the default value for this flag is 'false', but if you copy the generated JSON config/installation snippet from the Keycloak UI console it comes as 'true'. :-)

"use-resource-role-mappings
If set to true, the adapter will look inside the token for application level role mappings for the user. If false, it will look at the realm level for user role mappings. This is OPTIONAL. The default value is false." [1]

[1] https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config

___
Rafael T. C. Soares

On 06/06/2016 09:48 AM, Bill Burke wrote:
> [...]
From 00hf11 at gmail.com Mon Jun 6 11:26:23 2016
From: 00hf11 at gmail.com (Helio Frota)
Date: Mon, 6 Jun 2016 12:26:23 -0300
Subject: [keycloak-user] Correct setup of clientID
In-Reply-To:
References:
Message-ID:

Hi folks, we have a PR on this subject:

https://github.com/keycloak/keycloak-nodejs-auth-utils/pull/22

On Mon, Jun 6, 2016 at 9:12 AM, Helio Frota <00hf11 at gmail.com> wrote:
> [...]
From ivan at akvo.org Mon Jun 6 11:36:29 2016
From: ivan at akvo.org (Iván Perdomo)
Date: Mon, 6 Jun 2016 17:36:29 +0200
Subject: [keycloak-user] Undertow adapter setup
In-Reply-To: <38de1b39-cfb3-c93b-3f5b-ae7407cdfba3@akvo.org>
References: <38de1b39-cfb3-c93b-3f5b-ae7407cdfba3@akvo.org>
Message-ID: <8cc655b6-e62d-32a7-b5c2-165ad45ee439@akvo.org>

Hi again,

I made it work. I can authenticate a sample Undertow server with Keycloak.

The code is published: https://github.com/iperdomo/undertow-keycloak/blob/master/src/main/java/SecuredServer.java

Cheers,

On 06/06/2016 12:21 PM, Iván Perdomo wrote:
> [...]

--
Iván

From palermo at pobox.com Mon Jun 6 11:48:27 2016
From: palermo at pobox.com (Bruno Palermo)
Date: Mon, 6 Jun 2016 12:48:27 -0300
Subject: [keycloak-user] Realm Resource Provider
In-Reply-To:
References:
Message-ID:

A little tweak needed, because I had to create a new template since I can use the existing one, but it works.

Thanks!

Date: Mon, 6 Jun 2016 08:11:02 +0200
Subject: Re: [keycloak-user] Realm Resource Provider
From: sthorger at redhat.com
To: palermo at pobox.com
CC: keycloak-user at lists.jboss.org

You can try session.getProvider(LoginFormsProvider.class).createForm("template.ftl")

On 1 June 2016 at 16:58, Bruno Palermo wrote:

Yes, it does. But it uses 'RequiredActionContext' context, how can I have access to this context inside 'RealmResourceProvider'?
'RealmResourceProviderFactory' create method is:

    @Override
    public RealmResourceProvider create(KeycloakSession session)

Date: Wed, 1 Jun 2016 15:39:43 +0200
Subject: Re: [keycloak-user] Realm Resource Provider
From: sthorger at redhat.com
To: palermo at pobox.com
CC: keycloak-user at lists.jboss.org

Try looking at the authenticator provider example, I believe that does it

On 1 June 2016 at 14:38, Bruno Palermo wrote:

Hi,

I just created a custom resource provider. Is it possible to render a freemarker template as response?

https://github.com/keycloak/keycloak/blob/master/examples/providers/rest/src/main/java/org/keycloak/examples/rest/HelloResourceProvider.java

Thanks,
Bruno

From robin1233 at gmail.com Mon Jun 6 13:18:10 2016
From: robin1233 at gmail.com (robinfernandes .)
Date: Mon, 6 Jun 2016 13:18:10 -0400
Subject: [keycloak-user] Shibboleth IdP configuration issues with Keycloak as SP
Message-ID:

Hi All,

We have a situation where the customer is using Shibboleth IdP and sending the NAMEID in the transient format to Keycloak which acts as an SP. However, we use one of the SAML attributes, which is email, to store that as the username for the user.

However, after the first login, all subsequent logins fail with the error "User with username already exists." I presume that this is because the NAMEID which is transient is associated with that user somehow, and since it is transient it is not able to associate that user correctly even though we use email as the username?

Any insights on this would be helpful.

Thanks,
Robin
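Robin's presumption, that the SP remembers the transient NameID rather than the email attribute, can be checked with a toy model. The following is an added example written for this thread; it is not Keycloak code and does not reproduce how Keycloak's SAML broker links identities. It models a generic service provider that keys its local account on either the assertion's NameID or a chosen attribute, and plays two logins by the same person, each with a fresh transient NameID as an IdP in transient mode issues them. The assertions, the NameID values and the address alice@example.org are constructed sample data; `link_on`, `ServiceProvider` and the other names are this example's own.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def make_assertion(nameid, nameid_format, email):
    """Build a minimal constructed SAML assertion (sample data, not a real IdP response)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Subject><saml:NameID Format="%s">%s</saml:NameID></saml:Subject>'
        '<saml:AttributeStatement><saml:Attribute Name="email">'
        '<saml:AttributeValue>%s</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement>'
        '</saml:Assertion>' % (nameid_format, nameid, email)
    )


def parse_assertion(xml_text):
    """Extract the NameID, its Format and the single-valued attributes."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = attr.find("saml:AttributeValue", SAML_NS).text
    return {"nameid": nameid.text, "format": nameid.get("Format"), "attrs": attrs}


class UserExistsError(Exception):
    pass


class ServiceProvider:
    """Toy SP: remembers which external identifier maps to which local username."""

    def __init__(self, link_on):
        self.link_on = link_on   # "nameid", or the name of an attribute such as "email"
        self.links = {}          # external identifier -> local username
        self.usernames = set()

    def external_id(self, assertion):
        if self.link_on == "nameid":
            return assertion["nameid"]
        return assertion["attrs"][self.link_on]

    def login(self, xml_text):
        assertion = parse_assertion(xml_text)
        ext = self.external_id(assertion)
        if ext in self.links:
            return self.links[ext]                   # returning user, already linked
        username = assertion["attrs"]["email"]        # username is taken from the email attribute
        if username in self.usernames:
            raise UserExistsError("User with username %s already exists" % username)
        self.usernames.add(username)
        self.links[ext] = username
        return username


def nameid_is_stable(xml_text):
    """Check an SP should make before linking on NameID: a transient value changes every session."""
    return parse_assertion(xml_text)["format"] != TRANSIENT


def simulate(link_on, nameid_format=TRANSIENT):
    """Two logins by the same person. A transient NameID is fresh per session; a persistent one is reused.
    Returns the username of the second login, or the error text when linking fails."""
    sp = ServiceProvider(link_on)
    if nameid_format == TRANSIENT:
        ids = ("_tx-1a2b", "_tx-9c8d")        # constructed: different opaque values per session
    else:
        ids = ("p-alice-77", "p-alice-77")    # constructed: the same value each time
    sp.login(make_assertion(ids[0], nameid_format, "alice@example.org"))
    try:
        return sp.login(make_assertion(ids[1], nameid_format, "alice@example.org"))
    except UserExistsError as exc:
        return str(exc)


if __name__ == "__main__":
    print("link on transient NameID :", simulate("nameid"))
    print("link on email attribute  :", simulate("email"))
    print("link on persistent NameID:", simulate("nameid", PERSISTENT))
```

Linking on the NameID fails on the second login with the symptom Robin reports: the second transient value is unknown to the SP, so it tries to create a new account, and the username derived from the email attribute already exists. Linking on the email attribute, or receiving a persistent NameID, finds the existing account. nameid_is_stable() is the check an SP can run or log when it is configured to link on NameID, since a transient Format in that position is a configuration mismatch between the IdP and the SP.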
From thomas.darimont at googlemail.com Mon Jun 6 13:22:05 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 6 Jun 2016 19:22:05 +0200
Subject: [keycloak-user] Shibboleth IdP configuration issues with Keycloak as SP
In-Reply-To:
References:
Message-ID:

Hello Robin,

do you have an example configuration for Shibboleth + Keycloak at hand?

Cheers,
Thomas

2016-06-06 19:18 GMT+02:00 robinfernandes . :
> [...]

From a.nekrasov at ftc.ru Mon Jun 6 08:12:26 2016
From: a.nekrasov at ftc.ru (Nekrasov Aleksandr)
Date: Mon, 6 Jun 2016 12:12:26 +0000
Subject: [keycloak-user] Email internationalization
Message-ID: <59219ba4c1b449d0a2bded5436b8ca6a@nut-mbx-4.win.ftc.ru>

Hello everyone.

I found a bug when trying to send email from keycloak to users with encoding against English.

For example, when I try to send a Russian message with subject "???????? ???? ??????? ??????" I see "????????????? ?????? ??????????? ?????" in my email.

I think you should update the org.keycloak.email.DefaultEmailSenderProvider class, changing the line

    msg.setSubject(subject);

to

    msg.setSubject(MimeUtility.encodeText(subject, "utf-8", "B"));

Thanks.

Nekrasov Aleksander,
Developer,
Center of Financial Technologies

From sthorger at redhat.com Mon Jun 6 13:38:59 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 6 Jun 2016 19:38:59 +0200
Subject: [keycloak-user] Email internationalization
In-Reply-To: <59219ba4c1b449d0a2bded5436b8ca6a@nut-mbx-4.win.ftc.ru>
References: <59219ba4c1b449d0a2bded5436b8ca6a@nut-mbx-4.win.ftc.ru>
Message-ID:

Please create a JIRA. If you want to submit a PR that would be welcome as well.

On 6 June 2016 at 14:12, Nekrasov Aleksandr wrote:
> [...]
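An added example, not from the thread and not Keycloak or JavaMail code: the MimeUtility.encodeText call Aleksandr proposes applies RFC 2047 encoding to the Subject header so that a non-ASCII value travels as ASCII and is decoded again by the receiving client. The same technique in Python's standard library (email.header and email.charset, used here so the block runs without JavaMail) shows the encoded form on the wire, the round trip back to the original text, and one lossy transcoding path that turns every non-ASCII character into a question mark, which is the kind of output Aleksandr saw. The subject "Сброс пароля" is a constructed sample, not the one from the report.

```python
import email.charset
from email.header import Header, decode_header, make_header

# Constructed sample subject (Russian for "password reset"); not the subject from the bug report.
SAMPLE_SUBJECT = "Сброс пароля"


def encode_subject(subject):
    """RFC 2047 'B' (base64) encoded-word form of a header value, the Python equivalent of
    MimeUtility.encodeText(subject, "utf-8", "B"); ASCII-only subjects are passed through."""
    if subject.isascii():
        return subject
    cs = email.charset.Charset("utf-8")
    cs.header_encoding = email.charset.BASE64   # force 'B' instead of letting Python pick the shortest
    return Header(subject, charset=cs).encode()


def decode_subject(wire_value):
    """What a receiving mail client does with the header: decode the encoded words back to text."""
    return str(make_header(decode_header(wire_value)))


def naive_ascii(subject):
    """Lossy path: transcoding to a charset that lacks the characters replaces each one with '?'."""
    return subject.encode("ascii", errors="replace").decode("ascii")


def subject_survives_transport(subject):
    """True if the encoded header is pure ASCII (safe on the wire) and decodes to the original text."""
    wire_value = encode_subject(subject)
    return wire_value.isascii() and decode_subject(wire_value) == subject


if __name__ == "__main__":
    print("wire form  :", encode_subject(SAMPLE_SUBJECT))
    print("decoded    :", decode_subject(encode_subject(SAMPLE_SUBJECT)))
    print("lossy form :", naive_ascii(SAMPLE_SUBJECT))
    print("round trips:", subject_survives_transport(SAMPLE_SUBJECT))
```

The encoded value has the shape =?utf-8?b?...?=, which any RFC 2047 aware client decodes; subject_survives_transport() is the assertion worth keeping in a test suite around mail sending, since it catches both an unencoded header and a transcoding step that silently drops characters.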
From haimv at perfectomobile.com Tue Jun 7 01:02:21 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 7 Jun 2016 05:02:21 +0000
Subject: [keycloak-user] How to get specific client role programmatically
In-Reply-To:
References:
Message-ID:

Hi,

Any idea regarding the below ?

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Haim Vana
Sent: Monday, May 30, 2016 10:22 PM
To: stian at redhat.com
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get specific client role programmatically

But the ClientRepresentation doesn't have any getRole method, so how should I do it ?

Here is my code:

    ClientRepresentation clientRepresentation = masterRealm.clients().findByClientId(realmName + "-realm").get(0);

Thanks,
Haim.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, May 30, 2016 10:27 AM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get specific client role programmatically

To get a specific role for a client you need to get the client, then the role from that client. It's not available through the user resource.

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Haim Vana
Sent: Wednesday, May 25, 2016 10:53 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] How to get specific client role programmatically

Hi,

I am using the KeyCloak API to create admin users and update their roles. I am able to add to an admin user all the available client roles, however how can I add a specific one ?

This is my code to get all the available client roles:

    userResource.roles().clientLevel(userRealmClientId).listAvailable()

How can I get a specific one and not all ?

Any advice will be appreciated,
Haim.

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

From sthorger at redhat.com Tue Jun 7 01:22:53 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 7 Jun 2016 07:22:53 +0200
Subject: [keycloak-user] How to get specific client role programmatically
In-Reply-To:
References:
Message-ID:

Please don't repeat your question, if you're not getting an answer straight away it means we're busy.

    realm.clients().get("client-uuid").roles().get("rolename").toRepresentation()

On 7 June 2016 at 07:02, Haim Vana wrote:
> [...]
From tair.sabirgaliev at bee.kz Tue Jun 7 01:27:53 2016
From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev)
Date: Tue, 7 Jun 2016 01:27:53 -0400
Subject: [keycloak-user] keycloak-user Digest, Vol 30, Issue 24
In-Reply-To:
References:
Message-ID:

Hi Aleksandr!

What is your Wildfly version? Wildfly 8 has a buggy Java Mail API. In Wildfly 9 and later proper encoding is done automatically, no need to `encodeText` manually.

See my answer here: http://stackoverflow.com/questions/35010796/wildfly-9-x-fails-encoding-greek-attachment-filenames

--
Tair Sabirgaliev

On 7 June 2016 at 11:03:50, keycloak-user-request at lists.jboss.org (keycloak-user-request at lists.jboss.org) wrote:
[...]

From haimv at perfectomobile.com Tue Jun 7 01:31:01 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 7 Jun 2016 05:31:01 +0000
Subject: [keycloak-user] How to get specific client role programmatically
In-Reply-To:
References:
Message-ID:

Thanks and sorry about the repetition.
From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, June 07, 2016 8:23 AM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get specific client role programmatically

Please don't repeat your question; if you're not getting an answer straight away it means we're busy.

realm.clients().get("client-uuid").roles().get("rolename").toRepresentation()

On 7 June 2016 at 07:02, Haim Vana wrote:

Hi,

Any idea regarding the below?

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Haim Vana
Sent: Monday, May 30, 2016 10:22 PM
To: stian at redhat.com
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get specific client role programmatically

But the ClientRepresentation doesn't have any getRole method, so how should I do it?

Here is my code:

ClientRepresentation clientRepresentation = masterRealm.clients().findByClientId(realmName + "-realm").get(0);

Thanks,
Haim.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, May 30, 2016 10:27 AM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get specific client role programmatically

To get a specific role for a client you need to get the client, then the role from that client. It's not available through the user resource.

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Haim Vana
Sent: Wednesday, May 25, 2016 10:53 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] How to get specific client role programmatically

Hi,

I am using the KeyCloak API to create admin users and update their roles. I am able to add to an admin user all the available client roles; however, how can I add a specific one?

This is my code to get all the available client roles:

userResource.roles().clientLevel(userRealmClientId).listAvailable()

How can I get a specific one and not all?
Any advice will be appreciated,
Haim.

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
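Stian's one-liner gives the role lookup; what Haim actually wants is to grant one specific client role to a user instead of everything `listAvailable()` returns. The following is an added example in Java against keycloak-admin-client, written for this page rather than taken from the thread: it resolves the client's UUID from its clientId, fetches the named role from that client, adds just that role to the user's client-level mappings, and then reads the effective mappings back to confirm the grant. The server URL, the `master` realm, the `admin` credentials and `admin-cli` client, the user name `ops-admin` and the `customer-realm`/`view-users` pair are assumptions.

```java
import java.util.Collections;
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleScopeResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;

/** Added example: grant one named client role to one user with keycloak-admin-client. */
public class GrantClientRole {

    /** Maps a human-readable clientId to the client's internal UUID, which the role APIs expect. */
    static String clientUuid(RealmResource realm, String clientId) {
        List<ClientRepresentation> found = realm.clients().findByClientId(clientId);
        if (found.isEmpty()) {
            // Fail here rather than with an IndexOutOfBoundsException from get(0)
            throw new IllegalArgumentException("no client with clientId '" + clientId + "'");
        }
        return found.get(0).getId(); // clientId is unique per realm, so one hit at most
    }

    /** Looks the role up under its client (not under the user) and adds only that role to the user. */
    static RoleRepresentation grantClientRole(RealmResource realm, String userId, String clientId, String roleName) {
        String uuid = clientUuid(realm, clientId);
        // Stian's one-liner from the thread: client -> roles -> named role
        RoleRepresentation role = realm.clients().get(uuid).roles().get(roleName).toRepresentation();

        RoleScopeResource clientLevel = realm.users().get(userId).roles().clientLevel(uuid);
        clientLevel.add(Collections.singletonList(role)); // one role, not listAvailable()
        return role;
    }

    /** Reads the effective client-level mappings back so the grant can be verified. */
    static boolean hasClientRole(RealmResource realm, String userId, String clientId, String roleName) {
        String uuid = clientUuid(realm, clientId);
        List<RoleRepresentation> effective = realm.users().get(userId).roles().clientLevel(uuid).listEffective();
        return effective.stream().anyMatch(r -> roleName.equals(r.getName()));
    }

    public static void main(String[] args) {
        // Assumed connection details; the account needs manage-users on the target realm.
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth", "master", "admin", "admin", "admin-cli");
        RealmResource master = keycloak.realm("master");

        // Assumed: user "ops-admin" exists in master; "customer-realm" is the realm-management
        // client that Keycloak creates in master for a realm named "customer".
        String userId = master.users().search("ops-admin", 0, 1).get(0).getId();
        grantClientRole(master, userId, "customer-realm", "view-users");
        System.out.println("view-users granted: " + hasClientRole(master, userId, "customer-realm", "view-users"));
    }
}
```

Granting a single named role rather than the whole `listAvailable()` list keeps the admin account at least privilege; `listEffective()` afterwards is the cheap check that the mapping landed on the intended client and nothing else was added.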
From tair.sabirgaliev at gmail.com Tue Jun 7 01:24:37 2016
From: tair.sabirgaliev at gmail.com (Tair Sabirgaliev)
Date: Tue, 7 Jun 2016 11:24:37 +0600
Subject: Re: [keycloak-user] Email internationalization

Hi Aleksandr!

What is your Wildfly version? Wildfly 8 has a buggy Java Mail API. In Wildfly 9 and later, proper encoding is done automatically; there is no need to call `encodeText` manually. See my answer here: http://stackoverflow.com/questions/35010796/wildfly-9-x-fails-encoding-greek-attachment-filenames

-- 
Tair Sabirgaliev

On 7 June 2016 at 11:03:50, keycloak-user-request at lists.jboss.org (keycloak-user-request at lists.jboss.org) wrote:

Message: 1
Date: Mon, 6 Jun 2016 12:12:26 +0000
From: Nekrasov Aleksandr
Subject: [keycloak-user] Email internationalization
To: "keycloak-user at lists.jboss.org"
Message-ID: <59219ba4c1b449d0a2bded5436b8ca6a at nut-mbx-4.win.ftc.ru>
Content-Type: text/plain; charset="koi8-r"

Hello everyone.

I found a bug when trying to send email from Keycloak to users in an encoding other than English. For example, when I try to send a Russian message with subject "???????? ???? ??????? ??????" I see "????????????? ?????? ??????????? ?????" in my email.

I think you should update the org.keycloak.email.DefaultEmailSenderProvider class, changing the line

msg.setSubject(subject);

to

msg.setSubject(MimeUtility.encodeText(subject, "utf-8", "B"));

Thanks.

Nekrasov Aleksander,
Developer,
Center of Financial Technologies

------------------------------

Message: 2
Date: Mon, 6 Jun 2016 19:38:59 +0200
From: Stian Thorgersen
Subject: Re: [keycloak-user] Email internationalization
To: Nekrasov Aleksandr
Cc: "keycloak-user at lists.jboss.org"
Content-Type: text/plain; charset="utf-8"

Please create a JIRA. If you want to submit a PR that would be welcome as well.

On 6 June 2016 at 14:12, Nekrasov Aleksandr wrote:
> Hello everyone.
>
> I found a bug when trying to send email from Keycloak to users in an
> encoding other than English.
>
> For example, when I try to send a Russian message with subject ?????????
> ???? ??????? ??????? I see ?????????????? ?????? ??????????? ?????? in my
> email.
>
> I think you should update the org.keycloak.email.DefaultEmailSenderProvider
> class, changing the line
>
> msg.setSubject(subject);
>
> to
>
> msg.setSubject(MimeUtility.encodeText(subject, "utf-8", "B"));
>
> Thanks.
>
> Nekrasov Aleksander,
> Developer,
> Center of Financial Technologies

------------------------------

From Ming.Li at alcatel-lucent.com Tue Jun 7 02:02:20 2016
From: Ming.Li at alcatel-lucent.com (LI Ming)
Date: Tue, 7 Jun 2016 06:02:20 +0000
Subject: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
Message-ID: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03>

Hi,

When I set up a social identity provider (GitHub) to authenticate the user, it always fails with the below error:

2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
    at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
    at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...

2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure

Can you help to identify the failure reason?

Thanks,
Ming Li
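A `java.net.ConnectException: Connection timed out` raised from `PlainSocketImpl.socketConnect`, as in the trace above, is thrown while the TCP connection is being established, before any TLS handshake, so a practitioner would first want to tell a blocked connection apart from an untrusted certificate. The following Java diagnostic is an added example written for this page, not code from Keycloak or from anyone in the thread: it opens a plain TCP connection to the identity provider with a timeout, then completes a TLS handshake with hostname verification against either the JVM's default cacerts or a truststore you name, and reports which of the two steps failed. It also builds a truststore that holds the JVM's cacerts plus one extra PEM certificate, so trusting a private CA does not stop well-known CAs such as GitHub's from being trusted. The truststore and PEM paths, the alias, and the `changeit` password for cacerts are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ConnectException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Added diagnostic for outbound IdP calls: separates "cannot reach" from "do not trust". */
public class OutboundTlsCheck {

    private static final int CONNECT_TIMEOUT_MS = 5000;

    /** Loads a JKS/PKCS12 truststore; a null path means "use the JVM default cacerts". */
    static KeyStore loadTruststore(String path, char[] password) throws Exception {
        if (path == null) {
            return null;
        }
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * Step 1: plain TCP connect with a timeout (this is where "Connection timed out" comes from).
     * Step 2: TLS handshake with hostname verification against the chosen truststore.
     * Returns "OK", "NETWORK: ...", "TRUST: ..." or "OTHER: ...".
     */
    public static String classify(String host, int port, String truststorePath, char[] password) {
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadTruststore(truststorePath, password)); // null KeyStore -> default cacerts
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            SSLSocketFactory factory = ctx.getSocketFactory();

            try (Socket plain = new Socket()) {
                plain.connect(new InetSocketAddress(host, port), CONNECT_TIMEOUT_MS);
                try (SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true)) {
                    SSLParameters params = tls.getSSLParameters();
                    params.setEndpointIdentificationAlgorithm("HTTPS"); // reject a cert for the wrong host
                    tls.setSSLParameters(params);
                    tls.startHandshake();
                    return "OK";
                }
            }
        } catch (ConnectException | SocketTimeoutException e) {
            // TCP never completed: firewall, routing or proxy, not a certificate problem
            return "NETWORK: " + e.getMessage();
        } catch (SSLHandshakeException e) {
            // TCP worked, TLS did not: the peer's chain is not anchored in this truststore
            return "TRUST: " + e.getMessage();
        } catch (Exception e) {
            return "OTHER: " + e;
        }
    }

    /**
     * Copies the JVM's cacerts into a new truststore and adds one PEM certificate to it, so a
     * custom truststore keeps trusting well-known CAs. "changeit" is the stock cacerts password.
     */
    public static void buildMergedTruststore(String pemPath, String alias, String outPath, char[] outPassword)
            throws Exception {
        String cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        KeyStore merged = loadTruststore(cacerts, "changeit".toCharArray());
        try (InputStream in = new FileInputStream(pemPath)) {
            Certificate custom = CertificateFactory.getInstance("X.509").generateCertificate(in);
            merged.setCertificateEntry(alias, custom);
        }
        try (OutputStream out = new FileOutputStream(outPath)) {
            merged.store(out, outPassword);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed: pass your own truststore as the first argument to test it instead of cacerts.
        String truststore = args.length > 0 ? args[0] : null;
        System.out.println("github.com:443 -> " + classify("github.com", 443, truststore, "changeit".toCharArray()));

        // Assumed paths: /etc/pki/my-ca.pem holds the private CA; the output is what the Keycloak
        // truststore SPI should point at instead of a store holding only the private CA.
        buildMergedTruststore("/etc/pki/my-ca.pem", "my-private-ca", "/tmp/merged-truststore.jks",
                "changeit".toCharArray());
    }
}
```

The `SimpleHttp` frame in the trace sits on `HttpURLConnection`, which honours the JVM's `https.proxyHost`/`https.proxyPort` system properties, so a NETWORK result from this check points at routing, a proxy or a firewall rule on the Keycloak host rather than at the truststore, while a TRUST result is what a missing CA produces. The check turns hostname verification on explicitly; on the Keycloak side that is governed by the truststore SPI's `hostname-verification-policy`, and leaving it at ANY accepts a certificate issued for any name.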
From mposolda at redhat.com Tue Jun 7 03:08:38 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 7 Jun 2016 09:08:38 +0200
Subject: [keycloak-user] Swedish translation
Message-ID: <575672F6.2060307@redhat.com>

Not directly related, but IMO we can potentially improve the experience for translators/maintainers and create some tool which will simplify their work. This can result in a better experience for them and hence more contributions for more languages.

IMO it is currently a bit of a pain to maintain the translation and manually check if there were some recent changes in the English file "messages_en.properties" and then add/update them in my locale (assume it's messages_es.properties). So I am wondering whether we could have a tool (or maybe we can reuse some already existing tool) which will:

- Check the last GitHub revision of my "messages_es.properties" file. Let's assume this is revision XY.
- Then check the English locale file "messages_en.properties" and look for all the commits newer than XY.
- The tool will automatically remove all the keys from "messages_es.properties" which were in the meantime removed from "messages_en.properties".
- Then the tool will create/update the key/value pairs in "messages_es.properties" for all the keys which were added or updated in the meantime in "messages_en.properties". So assume that in messages_en.properties you added the key:

greetings.key=hello

then in messages_es.properties the tool will generate something like:

greetings.key= hello

So the translator will just be required to check those keys and translate them to his language like:

greetings.key=buenos dias

Note that the translator doesn't need to manually check what was added or updated in the meantime.
He is also not required to continuously switch between messages_en.properties and messages_es.properties and compare what the English translation for "greetings.key" is, etc.

Having separate repositories will be good; on the other hand it may complicate things if we want to have some tool like I mentioned above (but maybe not, if it's able to work with times of commits).

Marek

On 06/06/16 08:14, Thomas Raehalme wrote:
>
> How about making translations deployable in a similar way as themes?
> The base theme would define the required set of keys which each
> translation should include. You could even write tests to make sure
> the translation is complete which would simplify maintenance.
>
> Perhaps the main distribution could include only English as it would
> now be simple for the admins to deploy the needed translations. If the
> translations are separated from the main Keycloak repository, as you
> suggested, then the main repository would not be dependent on
> up-to-date translations (which could slow the development down if they
> start lagging behind). For the same reason it could also be beneficial
> to be able to release translations independently from each other.
>
> Themes would still need a way to include custom/override messages but
> they could be included directly in the theme just like now.
>
> Just an initial thought....
>
> Best regards,
> Thomas
>
>
> On Jun 3, 2016 14:34, "Stian Thorgersen" wrote:
>
> We need to find a way to share translations that scales. We're not
> able to maintain all these translations ourselves so I'm
> considering adding some external repository for the translations
> and electing a maintainer for each language.
>
> Does anyone have a good suggestion how to deal with this?
>
> On 31 May 2016 at 12:01, Thomas Raehalme wrote:
>
> Hi!
>
> We need to translate the Keycloak user interface (excluding admin
> console) to the Swedish language.
> I was wondering if anyone
> has already done the translation and would be willing to share it?
>
> We have already translated Keycloak to Finnish and hope to
> share the translation with the community in the near future.
>
> Best regards,
> Thomas

From haimv at perfectomobile.com Tue Jun 7 03:10:13 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 7 Jun 2016 07:10:13 +0000
Subject: [keycloak-user] Custom page for not found realm (tenant)

Hi,

We are using KeyCloak with multi-tenancy; each realm represents a tenant (customer).

Sometimes, due to a setup issue or a typo in the realm name, we are getting a 404 page. Is there a custom page or a way to customize a page for the missing-realm scenario? For example something like - Realm doesn't exist...

Thanks,
Haim.
From mposolda at redhat.com Tue Jun 7 03:17:12 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 7 Jun 2016 09:17:12 +0200
Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
In-Reply-To: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03>
References: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03>
Message-ID: <575674F8.9050603@redhat.com>

It seems that's because Keycloak is not able to send the backchannel request to GitHub due to the GitHub certificate not being trusted. Are you using a custom truststore set with the truststore SPI or with the "javax.net.ssl.truststore" system property?

I think that by default the GitHub SSL certificate is verified by a well-known CA, so it shouldn't be an issue to connect to it if you use the default Java file with certificates (cacerts). However, if you have a custom truststore set, then the default Java cacerts file is possibly not used, so well-known certificates like the one from GitHub are not trusted.

We should likely have a solution which will allow setting a custom truststore in addition to the default Java cacerts file. But until we have it, you probably need to manually create a truststore file where you import both the "well-known" certificates together with your custom certificates.
Marek

On 07/06/16 08:02, LI Ming wrote:
>
> Hi,
>
> When I set up a social identity provider (GitHub) to authenticate the
> user, it always fails with the below error:
>
> 2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
>     at java.net.PlainSocketImpl.socketConnect(Native Method)
>     at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>     at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>     at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>     at java.net.Socket.connect(Socket.java:589)
>     at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
>     at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
>     at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
>     at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
>     at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
>     at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
>     at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
>     at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
>     at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
>     at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
>     at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     ...
>
> 2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure
>
> Can you help to identify the failure reason?
>
> Thanks,
>
> Ming Li

From mposolda at redhat.com Tue Jun 7 03:21:07 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 7 Jun 2016 09:21:07 +0200
Subject: Re: [keycloak-user] Custom page for not found realm (tenant)
Message-ID: <575675E3.6080308@redhat.com>

Is the error thrown on the application side or on the Keycloak side?

If it's on the application side and you have a servlet application, you can configure the custom error page in web.xml. For example see https://www.onehippo.org/library/concepts/error-pages-and-error-handling/1.-handling-error-codes-and-exceptions-by-the-web.xml.html .

If it's on the Keycloak side, you can change the look & feel of Keycloak error pages with a custom theme. See the docs and our theme examples for more details.

Marek

On 07/06/16 09:10, Haim Vana wrote:
>
> Hi,
>
> We are using KeyCloak with multi-tenancy; each realm represents a
> tenant (customer).
>
> Sometimes, due to a setup issue or a typo in the realm name, we are getting
> a 404 page. Is there a custom page or a way to customize a page for the
> missing-realm scenario?
>
> For example something like - Realm doesn't exist...
>
> Thanks,
>
> Haim.
From Ming.Li at alcatel-lucent.com Tue Jun 7 03:38:34 2016
From: Ming.Li at alcatel-lucent.com (LI Ming)
Date: Tue, 7 Jun 2016 07:38:34 +0000
Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
In-Reply-To: <575674F8.9050603@redhat.com>
References: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03> <575674F8.9050603@redhat.com>
Message-ID: <81FBAB8F05BC6F418853660D9326281E1F142885@cnshjmbx03>

Marek,

I already set the truststore file to the default Java certificates file path in the Keycloak configuration file $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below:

"truststore": {
    "file": {
        "file": "/usr/java/jre/lib/security/cacerts",
        "password": "changeit",
        "hostname-verification-policy": "ANY",
        "disabled": false
    }
}

And I put my custom certificate file in it also.

Ming Li

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, June 07, 2016 3:17 PM
To: LI Ming; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"

It seems that's because Keycloak is not able to send the backchannel request to GitHub due to the GitHub certificate not being trusted. Are you using a custom truststore set with the truststore SPI or with the "javax.net.ssl.truststore" system property?

I think that by default the GitHub SSL certificate is verified by a well-known CA, so it shouldn't be an issue to connect to it if you use the default Java file with certificates (cacerts). However, if you have a custom truststore set, then the default Java cacerts file is possibly not used, so well-known certificates like the one from GitHub are not trusted.

We should likely have a solution which will allow setting a custom truststore in addition to the default Java cacerts file.
But until we have it, you probably need to manually create a truststore file where you import both the "well-known" certificates together with your custom certificates.

Marek

On 07/06/16 08:02, LI Ming wrote:

Hi,

When I set up a social identity provider (GitHub) to authenticate the user, it always fails with the below error:

2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
    at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
    at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...

2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure

Can you help to identify the failure reason?

Thanks,
Ming Li

From khirschmann at huebinet.de Tue Jun 7 03:41:21 2016
From: khirschmann at huebinet.de (Kevin Hirschmann)
Date: Tue, 7 Jun 2016 09:41:21 +0200
Subject: [keycloak-user] Keycloak behind firewall
Message-ID: <0b4d01d1c08f$fc236750$f46a35f0$@huebinet.de>

Hello,

when sending an authentication request it seems that the Keycloak application uses the server URL (from the request) to issue a request to obtain a token. The server sends a request to itself. I am running a Wildfly instance behind a transparent proxy and the firewall blocks requests from the Wildfly server to the IP address of the proxy.

Is there a way to configure Keycloak to send "internal" requests to a different IP address?

Thanks for your help.

Kind regards

Kevin Hirschmann

HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz

Registered office and court of registration: Koblenz HRA 5329
General partner of the KG: HUEBINET GmbH; registered office and court of registration: Koblenz HRB 6857
Management: Frank Hüttmann; Michael Biemer

----------------------------------------------------------------------------
Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.

From okie.othsam at gmail.com Tue Jun 7 03:54:01 2016
From: okie.othsam at gmail.com (Okie Oth)
Date: Tue, 7 Jun 2016 09:54:01 +0200
Subject: Re: [keycloak-user] How to get specific client role programmatically
Message-ID: <57567D99.5030400@gmail.com>

In this example I play around with keycloak-admin-client. The following example accesses the client roles and adds new roles to an already defined client. Maybe it helps:

https://github.com/OkieOth/grantMaster/blob/master/InitKeycloakServer/src/main/java/de/oth/keycloak/impl/KeycloakAccess.java#L287

Kind regards
Eiko

On 07.06.2016 at 07:31, Haim Vana wrote:
>
> Thanks and sorry about the repetition.
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Tuesday, June 07, 2016 8:23 AM
> To: Haim Vana
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to get specific client role programmatically
>
> Please don't repeat your question; if you're not getting an answer
> straight away it means we're busy.
>
> realm.clients().get("client-uuid").roles().get("rolename").toRepresentation()
>
> On 7 June 2016 at 07:02, Haim Vana wrote:
>
> Hi,
>
> Any idea regarding the below?
>
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Haim Vana
> Sent: Monday, May 30, 2016 10:22 PM
> To: stian at redhat.com
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to get specific client role programmatically
>
> But the ClientRepresentation doesn't have any getRole method, so
> how should I do it?
>
> Here is my code:
>
> ClientRepresentation clientRepresentation = masterRealm.clients().findByClientId(realmName + "-realm").get(0);
>
> Thanks,
>
> Haim.
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Monday, May 30, 2016 10:27 AM
> To: Haim Vana
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to get specific client role programmatically
>
> To get a specific role for a client you need to get the client,
> then the role from that client. It's not available through the
> user resource.
> > From: keycloak-user-bounces at lists.jboss.org > > [mailto:keycloak-user-bounces at lists.jboss.org > ] On Behalf Of > Haim Vana > Sent: Wednesday, May 25, 2016 10:53 PM > To: keycloak-user at lists.jboss.org > > Subject: [keycloak-user] How to get specific client role > programmatically > > Hi, > > I am using the KeyCloak API to create admin users and update > their roles, I am able to add to an admin user all the > available client roles, however how can I add a specific one ? > > This is my code to get all the available client roles: > > userResource.roles().clientLevel(userRealmClientId).listAvailable() > > How can I get a specific one and not all ? > > Any advice will be appreciated, > > Haim. > > The information contained in this message is proprietary to > the sender, protected from disclosure, and may be privileged. > The information is intended to be conveyed only to the > designated recipient(s) of the message. If the reader of this > message is not the intended recipient, you are hereby notified > that any dissemination, use, distribution or copying of this > communication is strictly prohibited and may be unlawful. If > you have received this communication in error, please notify > us immediately by replying to the message and deleting it from > your computer. Thank you. 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/27c57d19/attachment-0001.html From mposolda at redhat.com Tue Jun 7 04:06:57 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 7 Jun 2016 10:06:57 +0200 Subject: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" In-Reply-To: <81FBAB8F05BC6F418853660D9326281E1F142885@cnshjmbx03> References: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03> <575674F8.9050603@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142885@cnshjmbx03> Message-ID: <575680A1.4000907@redhat.com> Hmm... is github working for you if you omit the "truststore" configuration in keycloak-server.json and use the default java cacerts file without any changes? Marek On 07/06/16 09:38, LI Ming wrote: > > Marek, > > I already set truststore file to the default java certificates file > path in keycloak configuration file > $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below: > > "truststore": { > > "file": { > > "file": "/usr/java/jre/lib/security/cacerts", > > "password": "changeit", > > "hostname-verification-policy": "ANY", > > "disabled": false > > } > > } > > And I put my customer certificate file in it also. > > Ming Li > > *From:*Marek Posolda [mailto:mposolda at redhat.com] > *Sent:* Tuesday, June 07, 2016 3:17 PM > *To:* LI Ming; keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] When using Social Identity Provider, it > failed with failure "Connection timed out" > > It seems that's because Keycloak is not able to send backchannel > request to github due to github certificate not trusted. 
> > Are you using custom truststore set with truststore SPI or with > "javax.net.ssl.truststore" system property? I think that by default > github SSL certificate is verified by well-known CA, so it shouldn't > be the issue to connect to that if you use default Java file with > certificates (cacerts). However if you have custom truststore set, then > default java cacerts file is possibly not used, so well-known > certificates like the one from github are not trusted. We should > likely have a solution, which will allow to set custom truststore in > addition to default java cacerts file. But until we have it, you > probably need to manually create truststore file, where you import > both the "well-known" certificates together with your custom certificates. > > Marek > > On 07/06/16 08:02, LI Ming wrote: > > Hi, > > When I setup social identity provider (GitHub) to authenticate > the user, it always failed with the below error: > > 2016-06-07 00:49:05,349 ERROR > [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default > task-9) Failed to make identity provider oauth callback: > java.net.ConnectException: Connection timed out > > at java.net.PlainSocketImpl.socketConnect(Native Method) > > at > java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) > > at > java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) > > at > java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) > > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) > > at java.net.Socket.connect(Socket.java:589) > > at > sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) > > at > sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) > > at sun.net.NetworkClient.doConnect(NetworkClient.java:180) > > at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) > > at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) > > at > 
sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) > > at > sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) > > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) > > at > sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105) > > at > sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999) > > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) > > at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283) > > at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258) > > at > sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) > > at > org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141) > > at > org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > ... > > 2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default > task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, > userId=null, ipAddress=135.252.159.35, > error=identity_provider_login_failure > > Can you help to identify the failure reason? > > Thanks, > > Ming Li > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
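Marek's workaround above (one truststore that holds both the JRE's well-known CA certificates and the custom certificates) can be built with keytool or in a few lines of plain Java. The following is an added example written for this thread, not code from Keycloak or from any poster: the class name, the environment variable `KC_TRUSTSTORE_PASSWORD`, the alias scheme and the command-line arguments are assumptions, and `changeit` is only the JRE's default cacerts password that the quoted configuration also uses.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;

/**
 * Builds one JKS truststore holding both the JRE's well-known CA certificates
 * (cacerts) and a custom CA certificate, for use in the "truststore" block of
 * keycloak-server.json. Example code for this thread; all paths, the password
 * source and the alias scheme are assumptions, not Keycloak's own code.
 */
public class MergedTruststoreBuilder {

    /** Loads an existing JKS truststore such as the JRE cacerts file. */
    public static KeyStore loadJks(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Copies every trusted-certificate entry from src into dst; returns the count. */
    public static int copyTrustedCertificates(KeyStore src, KeyStore dst, String aliasPrefix) throws Exception {
        int copied = 0;
        for (Enumeration<String> aliases = src.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (src.isCertificateEntry(alias)) {            // skip private-key entries, only CAs belong here
                dst.setCertificateEntry(aliasPrefix + alias, src.getCertificate(alias));
                copied++;
            }
        }
        return copied;
    }

    /** Adds all X.509 certificates found in a PEM or DER file (a chain works too); returns the count. */
    public static int addCertificatesFromFile(KeyStore dst, Path certFile, String aliasBase) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = Files.newInputStream(certFile)) {
            for (Certificate cert : cf.generateCertificates(in)) {
                dst.setCertificateEntry(aliasBase + "-" + added, cert);
                added++;
            }
        }
        return added;
    }

    /** Usage: KC_TRUSTSTORE_PASSWORD=... java MergedTruststoreBuilder <custom-ca.pem> <output.jks> */
    public static void main(String[] args) throws Exception {
        String outPassword = System.getenv("KC_TRUSTSTORE_PASSWORD");   // assumed variable name
        if (args.length != 2 || outPassword == null) {
            System.err.println("usage: KC_TRUSTSTORE_PASSWORD=... java MergedTruststoreBuilder <custom-ca.pem> <output.jks>");
            System.exit(2);
        }
        // java.home is the JRE directory on Java 8 and the JDK root on Java 9+; both keep cacerts here.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] cacertsPassword = "changeit".toCharArray();               // the JRE default, as in the thread

        KeyStore merged = KeyStore.getInstance("JKS");
        merged.load(null, null);                                         // start from an empty store
        int wellKnown = copyTrustedCertificates(loadJks(cacerts, cacertsPassword), merged, "jre-");
        int custom = addCertificatesFromFile(merged, Paths.get(args[0]), "custom");

        Path out = Paths.get(args[1]);
        try (OutputStream os = Files.newOutputStream(out)) {
            merged.store(os, outPassword.toCharArray());
        }
        System.out.println("wrote " + out + ": " + wellKnown + " well-known + " + custom + " custom certificate(s)");
    }
}
```

The keytool equivalent is `keytool -importkeystore -srckeystore $JAVA_HOME/lib/security/cacerts -srcstorepass changeit -destkeystore keycloak-truststore.jks` followed by `keytool -importcert -file custom-ca.pem -alias custom -keystore keycloak-truststore.jks`. Point the `"file"` entry of the `"truststore"` block in keycloak-server.json at the merged file instead of at cacerts itself, so the JRE's own file stays untouched. Two checks a practitioner would make alongside this: `"hostname-verification-policy": "ANY"` in the quoted configuration switches hostname checking off, so a certificate for any name is accepted once its CA is trusted; `WILDCARD` or `STRICT` keeps the check on. And the quoted stack trace fails in `java.net.PlainSocketImpl.socketConnect` with `Connection timed out`, which happens before any TLS handshake, so a trust problem would look different (an SSLHandshakeException); a TCP timeout points at routing or, as the later replies suggest, a missing proxy setting for the JVM.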
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/e0e28573/attachment.html From Ming.Li at alcatel-lucent.com Tue Jun 7 04:42:16 2016 From: Ming.Li at alcatel-lucent.com (LI Ming) Date: Tue, 7 Jun 2016 08:42:16 +0000 Subject: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" In-Reply-To: <575680A1.4000907@redhat.com> References: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03> <575674F8.9050603@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142885@cnshjmbx03> <575680A1.4000907@redhat.com> Message-ID: <81FBAB8F05BC6F418853660D9326281E1F142955@cnshjmbx03> No, github is not working. BTW, my server needs http_proxy/https_proxy set to access github.com. wget --secure-protocol=TLSv1 github.com --2016-06-07 03:39:02-- http://github.com/ Resolving global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)... 135.245.48.33 Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected. Proxy request sent, awaiting response... 301 Moved Permanently Location: https://github.com/ [following] --2016-06-07 03:39:03-- https://github.com/ Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected. Proxy request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: 'index.html' [ <=> ] 25,508 --.-K/s in 0.03s 2016-06-07 03:39:03 (870 KB/s) - 'index.html' saved [25508] Github.com is accessible via the http proxy. I do not know why keycloak will complain about the certificate. From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Tuesday, June 07, 2016 4:07 PM To: LI Ming; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" Hmm... is github working for you if you omit the "truststore" configuration in keycloak-server.json and use the default java cacerts file without any changes? 
Marek On 07/06/16 09:38, LI Ming wrote: Marek, I already set truststore file to the default java certificates file path in keycloak configuration file $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below: "truststore": { "file": { "file": "/usr/java/jre/lib/security/cacerts", "password": "changeit", "hostname-verification-policy": "ANY", "disabled": false } } And I put my customer certificate file in it also. Ming Li From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Tuesday, June 07, 2016 3:17 PM To: LI Ming; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" It seems that's because Keycloak is not able to send backchannel request to github due to github certificate not trusted. Are you using custom truststore set with truststore SPI or with "javax.net.ssl.truststore" system property? I think that by default github SSL certificate is verified by well-known CA, so it shouldn't be the issue to connect to that if you use default Java file with certificates (cacerts). However if you have custom truststore set, then default java cacerts file is possibly not used, so well-known certificates like the one from github are not trusted. We should likely have a solution, which will allow to set custom truststore in addition to default java cacerts file. But until we have it, you probably need to manually create truststore file, where you import both the "well-known" certificates together with your custom certificates. 
Marek On 07/06/16 08:02, LI Ming wrote: Hi, When I setup social identity provider (GitHub) to authenticate the user, it always failed with the below error: 2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) at java.net.Socket.connect(Socket.java:589) at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) at sun.net.NetworkClient.doConnect(NetworkClient.java:180) at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105) at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) at 
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141) at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ... 2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure Can you help to identify the failure reason? Thanks, Ming Li _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/19b32b57/attachment-0001.html From nielsbne at gmail.com Tue Jun 7 04:56:02 2016 From: nielsbne at gmail.com (Niels Bertram) Date: Tue, 7 Jun 2016 18:56:02 +1000 Subject: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" In-Reply-To: <81FBAB8F05BC6F418853660D9326281E1F142955@cnshjmbx03> References: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03> <575674F8.9050603@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142885@cnshjmbx03> <575680A1.4000907@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142955@cnshjmbx03> Message-ID: That looks more like a proxy issue than SSL. Did you try adding -Dproxy.host > On 7 Jun 2016, at 18:42, LI Ming wrote: > > No, github is not working. > BTW, my server needs http_proxy/https_proxy set to access github.com. > > wget --secure-protocol=TLSv1 github.com > > --2016-06-07 03:39:02-- http://github.com/ > Resolving global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)... 135.245.48.33 > Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected. > Proxy request sent, awaiting response... 
301 Moved Permanently > Location: https://github.com/ [following] > --2016-06-07 03:39:03-- https://github.com/ > Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected. > Proxy request sent, awaiting response... 200 OK > Length: unspecified [text/html] > Saving to: 'index.html' > > [ <=> ] 25,508 --.-K/s in 0.03s > > 2016-06-07 03:39:03 (870 KB/s) - 'index.html' saved [25508] > > Github.com is accessible via the http proxy. I do not know why keycloak will complain about the certificate. > > From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: Tuesday, June 07, 2016 4:07 PM > To: LI Ming; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" > > Hmm... is github working for you if you omit the "truststore" configuration in keycloak-server.json and use the default java cacerts file without any changes? > > Marek > > On 07/06/16 09:38, LI Ming wrote: > Marek, > > I already set truststore file to the default java certificates file path in keycloak configuration file $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below: > "truststore": { > "file": { > "file": "/usr/java/jre/lib/security/cacerts", > "password": "changeit", > "hostname-verification-policy": "ANY", > "disabled": false > } > } > And I put my customer certificate file in it also. > > Ming Li > From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: Tuesday, June 07, 2016 3:17 PM > To: LI Ming; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" > > It seems that's because Keycloak is not able to send backchannel request to github due to github certificate not trusted. > > Are you using custom truststore set with truststore SPI or with "javax.net.ssl.truststore" system property? 
I think that by default github SSL certificate is verified by well-known CA, so it shouldn't be the issue to connect to that if you use default Java file with certificates (cacerts). However if you have custom truststore set, then default java cacerts file is possibly not used, so well-known certificates like the one from github are not trusted. We should likely have a solution, which will allow to set custom truststore in addition to default java cacerts file. But until we have it, you probably need to manually create truststore file, where you import both the "well-known" certificates together with your custom certificates. > > Marek > > On 07/06/16 08:02, LI Ming wrote: > Hi, > > When I setup social identity provider (GitHub) to authenticate the user, it always failed with the below error: > > 2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out > at java.net.PlainSocketImpl.socketConnect(Native Method) > at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) > at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) > at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) > at java.net.Socket.connect(Socket.java:589) > at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) > at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) > at sun.net.NetworkClient.doConnect(NetworkClient.java:180) > at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) > at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) > at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) > at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) > at 
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) > at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105) > at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999) > at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) > at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283) > at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258) > at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) > at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141) > at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > ... > 2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure > > Can you help to identify the failure reason? > > Thanks, > > Ming Li > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/a767d40a/attachment-0001.html From nielsbne at gmail.com Tue Jun 7 05:01:15 2016 From: nielsbne at gmail.com (Niels Bertram) Date: Tue, 7 Jun 2016 19:01:15 +1000 Subject: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" In-Reply-To: References: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03> <575674F8.9050603@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142885@cnshjmbx03> <575680A1.4000907@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142955@cnshjmbx03> Message-ID: ooops, let's try that again .. did you add -Dhttp.proxyHost= global.proxy.alcatel-lucent.com and -Dhttp.proxyPort=8000 to your server JAVA_OPTS? On Tue, Jun 7, 2016 at 6:56 PM, Niels Bertram wrote: > That looks more like a proxy issue than SSL. Did you try adding > -Dproxy.host > > On 7 Jun 2016, at 18:42, LI Ming wrote: > > No, github is not working. > > BTW, my server needs http_proxy/https_proxy set to access github.com. > > > > wget --secure-protocol=TLSv1 github.com > > > > --2016-06-07 03:39:02-- http://github.com/ > > Resolving global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)... > 135.245.48.33 > > Connecting to global.proxy.alcatel-lucent.com ( > global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected. > > Proxy request sent, awaiting response... 301 Moved Permanently > > Location: https://github.com/ [following] > > --2016-06-07 03:39:03-- https://github.com/ > > Connecting to global.proxy.alcatel-lucent.com ( > global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected. > > Proxy request sent, awaiting response... 200 OK > > Length: unspecified [text/html] > > Saving to: 'index.html' > > > > [ > <=> > ] 25,508 --.-K/s in 0.03s > > > > 2016-06-07 03:39:03 (870 KB/s) - 'index.html' saved [25508] > > > > Github.com is accessible via the http proxy. I do not > know why keycloak will complain about the certificate. 
> > > > From: Marek Posolda [mailto:mposolda at redhat.com ] > Sent: Tuesday, June 07, 2016 4:07 PM > To: LI Ming; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] When using Social Identity Provider, it > failed with failure "Connection timed out" > > > > Hmm... is github working for you if you omit the "truststore" > configuration in keycloak-server.json and use the default java cacerts file > without any changes? > > Marek > > On 07/06/16 09:38, LI Ming wrote: > > Marek, > > > > I already set truststore file to the default java certificates file path > in keycloak configuration file > $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below: > > "truststore": { > > "file": { > > "file": "/usr/java/jre/lib/security/cacerts", > > "password": "changeit", > > "hostname-verification-policy": "ANY", > > "disabled": false > > } > > } > > And I put my customer certificate file in it also. > > > > Ming Li > > From: Marek Posolda [mailto:mposolda at redhat.com ] > Sent: Tuesday, June 07, 2016 3:17 PM > To: LI Ming; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] When using Social Identity Provider, it > failed with failure "Connection timed out" > > > > It seems that's because Keycloak is not able to send backchannel request > to github due to github certificate not trusted. > > Are you using custom truststore set with truststore SPI or with > "javax.net.ssl.truststore" system property? I think that by default github > SSL certificate is verified by well-known CA, so it shouldn't be the issue > to connect to that if you use default Java file with certificates > (cacerts). However if you have custom truststore set, then default java > cacerts file is possibly not used, so well-known certificates like the one > from github are not trusted. We should likely have a solution, which will > allow to set custom truststore in addition to default java cacerts file. 
> But until we have it, you probably need to manually create truststore file, > where you import both the "well-known" certificates together with your > custom certificates. > > Marek > > On 07/06/16 08:02, LI Ming wrote: > > Hi, > > > > When I setup social identity provider (GitHub) to authenticate the user, > it always failed with the below error: > > > > 2016-06-07 00:49:05,349 ERROR > [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) > Failed to make identity provider oauth callback: java.net.ConnectException: > Connection timed out > > at java.net.PlainSocketImpl.socketConnect(Native Method) > > at > java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) > > at > java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) > > at > java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) > > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) > > at java.net.Socket.connect(Socket.java:589) > > at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) > > at > sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) > > at sun.net.NetworkClient.doConnect(NetworkClient.java:180) > > at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) > > at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) > > at > sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) > > at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) > > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) > > at > sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105) > > at > sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999) > > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) > > at > 
sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283) > > at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258) > > at > sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) > > at > org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141) > > at > org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > ... > > 2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) > type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, > ipAddress=135.252.159.35, error=identity_provider_login_failure > > > > Can you help to identify the failure reason? > > > > Thanks, > > > > Ming Li > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/3d3e5513/attachment.html From nielsbne at gmail.com Tue Jun 7 05:25:32 2016 From: nielsbne at gmail.com (Niels Bertram) Date: Tue, 7 Jun 2016 19:25:32 +1000 Subject: [keycloak-user] keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure In-Reply-To: <20160414071901.Horde.T9uak356KytpJ0OCjs87gvJ@secure.sqmail.me> References: <20160414071901.Horde.T9uak356KytpJ0OCjs87gvJ@secure.sqmail.me> Message-ID: Hi Jazz, did you ever get closure on this issue? 
The reason I asked: I ran into an SNI problem with the keycloak adapter client side a while ago, and this was caused by the version of http commons used by keycloak 1.7.0 being dated and not supporting SNI. I can see in your logs that the stack trace contains org.apache.http in the exception path. Also, sometimes adding the -Djavax.net.debug=all JVM arg gives better information on what actually failed during handshake negotiation. Cheers, Niels On Thu, Apr 14, 2016 at 3:19 PM, wrote: > Hi Marko, > > Thanks for the feedback. I verified that strong encryption is > available in the JVM: > > 2016-04-13 21:41:33,304 INFO [stdout] (ServerService Thread Pool -- > 83) max allowed keylength = 2147483647 > > This seems to be the case. Any other ideas? > > Thanks in advance, Jazz > > > Marko Strukelj - Wed., 13. April 2016 23:15 > > If you are using Oracle JDK you may need to install strong encryption. > > > > > http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html > > > > On Apr 13, 2016 10:03 PM, "jazz" wrote: > > Hi, > > > > > > I have wildfly 10 installed using nginx as https proxy server [1, > > standalone-full.xml]. Works great when using weak ciphers in nginx. > > In that case keycloak can connect back to the app after > > authentication (redirect SSL). When using strong ciphers in nginx > > [2] it fails the ssl handshake [4]. JCE seems enabled since the > > deployed app reports 2016-04-13 21:41:33,304 INFO [stdout] > > (ServerService Thread Pool -- 83) max allowed keylength = 2147483647 > > > > > > My question is: does keycloak use a limited set of ciphers? SNI > > works fine according to the log. 
I was digging in the code, but > > could not find something obvious [5] > > > > > > Best regards, Jazz > > > > > > > > > > > > > > > > > > [1] wildfly standalone-full.xml > > > > > > > xmlns="urn:jboss:domain:undertow:3.0"> > name="default"/> > name="default-server"> > proxy-address-forwarding="true" socket-binding="http" > > redirect-socket="proxy-https"/> > > [... snip ...] > default-interface="public" > > > port-offset="${jboss.socket.binding.port-offset:0}"> > name="management-http" interface="management" > > port="${jboss.management.http.port:9990}"/> > name="management-https" interface="management" > > port="${jboss.management.https.port:9993}"/> > name="http" port="${jboss.http.port:8080}"/> > name="https" > > port="${jboss.https.port:8444}"/> > name="proxy-https" port="443"/> > > [2] nginx ssl.conf > > ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > > ssl_prefer_server_ciphers on; > > ssl_session_timeout 5m; > > ssl_ciphers > ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; > > > > > > > > [3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service > > > > > > [4] > > > > > > 2016-04-13 21:41:46,495 INFO [stdout] (default task-7) default > > task-7, setSoTimeout(0) called > > 2016-04-13 21:41:46,498 INFO [stdout] (default task-7) Allow unsafe > > renegotiation: false > > 2016-04-13 21:41:46,500 INFO [stdout] (default task-7) Allow legacy > > hello messages: true > > 2016-04-13 21:41:46,502 INFO [stdout] (default task-7) Is initial > > handshake: true > > 2016-04-13 21:41:46,503 INFO [stdout] (default task-7) Is secure > > renegotiation: false > > 2016-04-13 21:41:46,505 INFO [stdout] (default task-7) Ignoring > > unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1 > > 2016-04-13 21:41:46,506 INFO [stdout] (default task-7) Ignoring > > unsupported cipher suite: 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for > > TLSv1 > > 2016-04-13 21:41:46,508 INFO [stdout] (default task-7) Ignoring > > unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for > > TLSv1 > > 2016-04-13 21:41:46,509 INFO [stdout] (default task-7) Ignoring > > unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1 > > 2016-04-13 21:41:46,511 INFO [stdout] (default task-7) Ignoring > > unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for > > TLSv1.1 > > 2016-04-13 21:41:46,512 INFO [stdout] (default task-7) Ignoring > > unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for > > TLSv1.1 > > 2016-04-13 21:41:46,514 INFO [stdout] (default task-7) %% No cached > > client session > > 2016-04-13 21:41:46,518 INFO [stdout] (default task-7) *** > > ClientHello, TLSv1.2 > > 2016-04-13 21:41:46,522 INFO [stdout] (default task-7) > > RandomCookie: GMT: 1460510714 bytes = { 151, 73, 204, 252, 103, > > 130, 99, 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182, > > 180, 12, 171, 41, 74, 46, 186, 180, 88 } > > 2016-04-13 21:41:46,523 INFO [stdout] (default task-7) Session ID: {} > > 2016-04-13 21:41:46,525 INFO [stdout] (default task-7) Cipher > > Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, > > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, > > TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, > > TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, > > TLS_RSA_WITH_AES_128_CBC_SHA256, > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, > > TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, > > TLS_RSA_WITH_AES_256_GCM_SHA384, > > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, > > TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, > > TLS_RSA_WITH_AES_128_GCM_SHA256, > > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, > > TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, > > SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, > > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV] > > 2016-04-13 21:41:46,526 INFO [stdout] (default task-7) Compression > > Methods: { 0 } > > 2016-04-13 21:41:46,527 INFO [stdout] (default task-7) Extension > > signature_algorithms, signature_algorithms: SHA512withECDSA, > > SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, > > SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, > > SHA1withRSA, SHA1withDSA > > 2016-04-13 21:41:46,529 INFO [stdout] (default task-7) Extension > > server_name, server_name: [type=host_name (0), > > value=keycloak.example.com] > > 2016-04-13 21:41:46,530 INFO [stdout] (default task-7) *** > > 2016-04-13 21:41:46,531 INFO [stdout] (default task-7) default > > task-7, WRITE: TLSv1.2 Handshake, length = 138 > > 2016-04-13 21:41:46,533 INFO [stdout] (default task-7) default > > task-7, READ: TLSv1.2 Alert, length = 2 > > 2016-04-13 21:41:46,534 INFO [stdout] (default task-7) default > > task-7, RECV TLSv1.2 ALERT: fatal, handshake_failure > > 2016-04-13 21:41:46,535 INFO [stdout] (default task-7) default > > task-7, called closeSocket() > > 2016-04-13 21:41:46,536 INFO [stdout] (default task-7) default > > task-7, handling exception: javax.net.ssl.SSLHandshakeException: > > Received fatal alert: handshake_failure > > 2016-04-13 21:41:46,537 INFO [stdout] (default task-7) default > > task-7, called close() > > 2016-04-13 21:41:46,538 INFO [stdout] (default task-7) default > > task-7, called closeInternal(true) > > 2016-04-13 21:41:46,539 ERROR > > [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) > > failed to turn code into token: javax.net.ssl.SSLHandshakeException: > > Received fatal alert: handshake_failure > > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > > at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) > > at > sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) > > at > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) > > at > > > 
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) > > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) > > at > > > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543) > > at > > > org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109) > > at > > > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409) > > at > > > org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) > > at > > > org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) > > at > > > org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131) > > at > > > org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) > > at > > > org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) > > at > > > org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882) > > at > > > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) > > at > > > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) > > at > > > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) > > at > > > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) > > at > > > org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314) > > at > > > org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260) > > at > > > org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112) > > at > > > 
org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110) > > at > > > org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92) > > at > > > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233) > > at > > > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250) > > at > > > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219) > > at > > > io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121) > > at > > > io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96) > > at > > > io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89) > > at > > > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) > > at > > > io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) > > at > > > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > > at > > > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > > at > > > io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) > > at > > > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > > at > > > 
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > > at > > > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > > at > > > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > at > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > > at java.lang.Thread.run(Thread.java:745) > > > > > > [5] > > > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java > > > > > > > > > > > > > > > > 
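Jazz's question in the quoted message (does keycloak use a limited set of ciphers?) can be answered from two pieces of data already in the thread: the Cipher Suites list in the ClientHello dump and the ssl_ciphers line from nginx. The following is an added example, not code from Keycloak, WildFly, nginx or any poster. It pulls the offered suites out of the -Djavax.net.debug output, translates the OpenSSL-style names in the nginx directive into the IANA names the JDK logs (a simplified naming rule that covers the AES/SHA suites seen here, an assumption of this example rather than the full OpenSSL name table), and reports which suites both sides share. On the data quoted above the shared set is empty: the client offers only RSA, DHE_RSA and DHE_DSS suites, the server accepts only ECDHE suites, and a server that finds no common suite answers with exactly the fatal handshake_failure alert that the log shows.

```python
"""Cipher-suite overlap check for the handshake_failure in this thread.

Added example, not code from Keycloak, WildFly, nginx or any poster.
Input: a Java -Djavax.net.debug ClientHello dump (the "Cipher Suites: [...]"
line) and an nginx ssl_ciphers value.  The OpenSSL-to-IANA name translation
below is a simplified rule that covers the AES/SHA suites seen here, not the
complete OpenSSL name table (assumption of this example).
"""
import re

# Excerpt copied from the debug log quoted in this thread (wrapped as mailed).
JAVA_DEBUG_LOG = """\
2016-04-13 21:41:46,518 INFO [stdout] (default task-7) *** ClientHello, TLSv1.2
2016-04-13 21:41:46,525 INFO [stdout] (default task-7) Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2016-04-13 21:41:46,534 INFO [stdout] (default task-7) default task-7, RECV TLSv1.2 ALERT: fatal, handshake_failure
"""

# The ssl_ciphers directive from the nginx ssl.conf quoted in this thread.
NGINX_SSL_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)


def parse_client_hello_suites(log: str) -> list:
    """Return the cipher suites offered in the ClientHello, in client order."""
    m = re.search(r"Cipher Suites: \[(.*?)\]", log, re.DOTALL)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",") if s.strip()]


def openssl_to_iana(name: str) -> str:
    """Translate an OpenSSL suite name such as ECDHE-RSA-AES256-GCM-SHA384 into
    the IANA form the JDK logs (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).
    Only the KX-AUTH-CIPHERbits[-MODE]-MAC shape is handled; CBC is implied
    when no mode token is present, as in OpenSSL naming."""
    parts = name.split("-")
    if len(parts) not in (4, 5):
        raise ValueError("unsupported OpenSSL suite name: " + name)
    kx, auth, cipher, mac = parts[0], parts[1], parts[2], parts[-1]
    mode = parts[3] if len(parts) == 5 else "CBC"
    m = re.fullmatch(r"([A-Z]+)(\d+)", cipher)
    if not m:
        raise ValueError("unsupported cipher token: " + cipher)
    return "TLS_%s_%s_WITH_%s_%s_%s_%s" % (kx, auth, m.group(1), m.group(2), mode, mac)


def key_exchange_methods(suites) -> list:
    """Distinct key-exchange/authentication prefixes (RSA, DHE_RSA, ECDHE_ECDSA, ...)."""
    found = set()
    for s in suites:
        m = re.match(r"(?:TLS|SSL)_(.+?)_WITH_", s)
        if m:
            found.add(m.group(1))
    return sorted(found)


def diagnose(log: str, nginx_ciphers: str) -> dict:
    """Compare what the client offered with what the server will accept."""
    client = parse_client_hello_suites(log)
    server = [openssl_to_iana(c) for c in nginx_ciphers.split(":") if c]
    offered = set(client)
    common = [s for s in server if s in offered]  # kept in server preference order
    return {
        "client_offered": len(client),
        "server_accepts": len(server),
        "common": common,
        "client_key_exchange": key_exchange_methods(client),
        "server_key_exchange": key_exchange_methods(server),
        "handshake_failure_logged": "handshake_failure" in log,
    }


if __name__ == "__main__":
    for key, value in diagnose(JAVA_DEBUG_LOG, NGINX_SSL_CIPHERS).items():
        print("%-26s %s" % (key, value))
```

An empty intersection is enough to explain a handshake_failure; a non-empty one is not enough to guarantee success, because the server certificate's key type (ECDSA suites need an ECDSA certificate), the negotiated protocol version and the supported curves also have to line up, and this check looks at none of them. Calling diagnose() with a DHE-RSA-AES128-GCM-SHA256 entry prepended to the nginx list returns one common suite, which shows the mechanics; whether to widen the server list or to get ECDHE suites into the client's ClientHello is a choice this thread does not settle.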
From jazz at sqmail.me Tue Jun 7 05:45:29 2016
From: jazz at sqmail.me (jazz)
Date: Tue, 07 Jun 2016 11:45:29 +0200
Subject: [keycloak-user] keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
In-Reply-To:
References: <20160414071901.Horde.T9uak356KytpJ0OCjs87gvJ@secure.sqmail.me>
Message-ID:

Hi Niels,

Thanks for the pointer. I was not able to fix it so far (other than adapting the nginx ssl config). I checked the POM of keycloak. Apache Commons which is used now is 4.5. I used -Djavax.net.debug=ssl:handshake with keycloak 1.9.1. Will try later this week to see if it still fails.

Regards, Jazz

From: Niels Bertram
Date: Tuesday, June 7, 2016 at 11:25
To: Mogeneti
Cc: keycloak-user
Subject: Re: [keycloak-user] keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Hi Jazz, did you ever get closure on this issue? The reason I asked: I ran into an SNI problem with the keycloak adapter client side a while ago, and this was caused by the version of http commons used by keycloak 1.7.0 being dated and not supporting SNI. I can see in your logs that the stack trace contains org.apache.http in the exception path. Also, sometimes adding the -Djavax.net.debug=all JVM arg gives better information on what actually failed during handshake negotiation.

Cheers, Niels

On Thu, Apr 14, 2016 at 3:19 PM, wrote:
Hi Marko,

Thanks for the feedback. I verified that strong encryption is available in the JVM:

2016-04-13 21:41:33,304 INFO [stdout] (ServerService Thread Pool -- 83) max allowed keylength = 2147483647

This seems to be the case. Any other ideas?

Thanks in advance, Jazz

[... snip ...]

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Tue Jun 7 07:48:30 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 7 Jun 2016 13:48:30 +0200
Subject: [keycloak-user] Email internationalization
In-Reply-To: <529ad73bad5643fcbc6edb277299ce88@nut-mbx-4.win.ftc.ru>
References: <792f5731fa9a4013bd30c7551c254e3c@nut-mbx-4.win.ftc.ru> <529ad73bad5643fcbc6edb277299ce88@nut-mbx-4.win.ftc.ru>
Message-ID:

If you change the PR to use MimeMessage#setSubject(subject, charset) we should just add it. It's better to have it just work rather than require changing the default system encoding or using -Dfile.encoding.
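The Subject header quoted further down in this thread (=?ISO646-US?B?Pz8/...?=) can be decoded to see what actually went on the wire, which makes clear why the explicit-charset fix Stian asks for is the one that works. The block below is an added example, not Keycloak or JavaMail code: decode_encoded_word() reads the RFC 2047 encoded-word quoted in the thread, simulate_default_charset_loss() models a JVM whose default charset cannot represent Cyrillic (the thread reports ISO646-US; the ASCII round-trip is a simulation, not a JavaMail call), and encode_subject() builds the kind of UTF-8 encoded-word a subject gets when the charset is passed explicitly. The Cyrillic sample subject is constructed.

```python
"""What the garbled Subject in this thread actually contains, and what an
RFC 2047 encoded-word built with an explicit charset looks like.

Added example for this thread, not Keycloak or JavaMail code.  OBSERVED_SUBJECT
is the header value quoted in the thread; the Cyrillic sample subject is
constructed.  The ASCII round-trip only simulates a JVM whose default charset
cannot represent Cyrillic (assumption of this example, based on the ISO646-US
charset reported in the thread).
"""
import base64
import quopri
import re
from email.header import Header

# Copied from the thread: the raw Subject header as shown by Outlook.
OBSERVED_SUBJECT = "=?ISO646-US?B?Pz8/Pz8/Pz8/Pz8/PyA/Pz8/Pz8gPz8/Pz8/Pz8/Pz8gPz8/Pz8=?="

# charset, encoding (B or Q), payload
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")


def decode_encoded_word(value: str) -> str:
    """Decode every RFC 2047 encoded-word in a header value; a value without
    encoded-words is returned unchanged."""
    words = ENCODED_WORD.findall(value)
    if not words:
        return value
    out = []
    for charset, encoding, payload in words:
        if encoding.upper() == "B":
            raw = base64.b64decode(payload)
        else:
            # Q encoding: underscore stands for space, the rest is quoted-printable.
            raw = quopri.decodestring(payload.replace("_", " ").encode("ascii"))
        try:
            out.append(raw.decode(charset))
        except (LookupError, UnicodeDecodeError):
            # Unknown or mismatched charset: fall back to ASCII with replacement.
            out.append(raw.decode("ascii", errors="replace"))
    return "".join(out)


def word_lengths(text: str) -> list:
    """Lengths of the space-separated words in a decoded subject."""
    return [len(w) for w in text.split(" ")]


def simulate_default_charset_loss(subject: str, default_charset: str = "ascii") -> str:
    """Model the failure mode: the subject passes through the platform default
    charset before any MIME encoding happens, so every unmappable character is
    already '?' by the time the encoded-word is built."""
    return subject.encode(default_charset, errors="replace").decode(default_charset)


def encode_subject(subject: str, charset: str = "utf-8") -> str:
    """Build an encoded-word with an explicit charset, the equivalent of what a
    mail library produces when it is told the charset instead of guessing it."""
    return Header(subject, charset).encode()


if __name__ == "__main__":
    print(decode_encoded_word(OBSERVED_SUBJECT))
    print(simulate_default_charset_loss("Привет мир"))
    print(encode_subject("Привет мир"))
```

Decoding the quoted header yields nothing but question marks and spaces (four words of 13, 6, 11 and 5 characters, matching what the reporter saw), so the characters were lost before the encoded-word was built, not in Outlook: no receiving-side setting can recover them, and the fix has to be applied where the subject is encoded, which is what passing the charset to setSubject does.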
On 7 June 2016 at 08:18, Nekrasov Aleksandr wrote:
> I've configured a newly allocated standalone keycloak server with your note and it was very helpful in all my cases.
>
> Should we add a note to the documentation about this issue?
>
> I've already created issue https://issues.jboss.org/browse/KEYCLOAK-3089 and PR https://github.com/keycloak/keycloak/pull/2918 for it. Do you need to reject it?
>
> From: Tair Sabirgaliev [mailto:tair.sabirgaliev at gmail.com]
> Sent: Tuesday, June 07, 2016 11:52 AM
> To: keycloak-user at lists.jboss.org; ???????? ????????? ?????????; Stian Thorgersen
> Subject: RE: [keycloak-user] Email internationalization
>
> Did you try specifying the default encoding for Java?
>
> in bin/standalone.conf: JAVA_OPTS="... -Dfile.encoding=UTF-8"
>
> --
> Tair Sabirgaliev
>
> On 7 June 2016 at 11:48:03, Nekrasov Aleksandr (a.nekrasov at ftc.ru) wrote:
> Hello.
> I have installed Wildfly10 on SunOS 5.10.
>
> I am using Microsoft Outlook as a client and it shows the header Subject as
>
> Subject: =?ISO646-US?B?Pz8/Pz8/Pz8/Pz8/PyA/Pz8/Pz8gPz8/Pz8/Pz8/Pz8gPz8/Pz8=?=
>
> System encoding for some reason is ISO646-US, which is different from the encoding that I needed.
>
> From: Tair Sabirgaliev [mailto:tair.sabirgaliev at gmail.com]
> Sent: Tuesday, June 07, 2016 11:25 AM
> To: keycloak-user at lists.jboss.org; ???????? ????????? ?????????; Stian Thorgersen
> Subject: Re: [keycloak-user] Email internationalization
>
> Hi Aleksandr!
>
> What is your Wildfly version?
>
> Wildfly 8 has a buggy Java Mail API. In Wildfly 9 and later proper encoding is done automatically, no need to `encodeText` manually.
>
> See my answer here:
> http://stackoverflow.com/questions/35010796/wildfly-9-x-fails-encoding-greek-attachment-filenames
>
> --
> Tair Sabirgaliev
>
> On 7 June 2016 at 11:03:50, keycloak-user-request at lists.jboss.org (keycloak-user-request at lists.jboss.org) wrote:
> Message: 1
> Date: Mon, 6 Jun 2016 12:12:26 +0000
> From: Nekrasov Aleksandr
> Subject: [keycloak-user] Email internationalization
> To: "keycloak-user at lists.jboss.org"
> Message-ID: <59219ba4c1b449d0a2bded5436b8ca6a at nut-mbx-4.win.ftc.ru>
> Content-Type: text/plain; charset="koi8-r"
>
> Hello everyone.
> I found a bug when trying to send email from keycloak to users with an encoding other than English.
> For example, when I try to send a Russian message with subject "???????? ???? ??????? ??????" I see "????????????? ?????? ??????????? ?????" in my email.
>
> I think you should update the org.keycloak.email.DefaultEmailSenderProvider class, changing the line
> msg.setSubject(subject);
> to
> msg.setSubject(MimeUtility.encodeText(subject, "utf-8", "B"));
>
> Thanks.
>
> Nekrasov Aleksander,
> Developer,
> Center of Financial Technologies
>
> ------------------------------
>
> Message: 2
> Date: Mon, 6 Jun 2016 19:38:59 +0200
> From: Stian Thorgersen
> Subject: Re: [keycloak-user] Email internationalization
> To: Nekrasov Aleksandr
> Cc: "keycloak-user at lists.jboss.org"
> Message-ID:
> Content-Type: text/plain; charset="utf-8"
>
> Please create a JIRA. If you want to submit a PR that would be welcome as well.
>
> On 6 June 2016 at 14:12, Nekrasov Aleksandr wrote:
> > Hello everyone.
> > [... snip ...]
>
> ------------------------------

From thomas.darimont at googlemail.com Tue Jun 7 08:03:16 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 7 Jun 2016 14:03:16 +0200
Subject: [keycloak-user] Searching on Keycloak mailing list archive
In-Reply-To: <57557345.2060409@redhat.com>
References: <57557345.2060409@redhat.com>
Message-ID:

I asked for it here: https://developer.jboss.org/wiki/JBossCommunitySearchHelp

Would be really useful to have - I downloaded the news archives locally and search through them with thunderbird.

2016-06-06 14:57 GMT+02:00 Rafael T. C. Soares :
> How can I search for something on the keycloak mailing lists archive?
> It appears keycloak lists are not indexed by the JBoss Community Search engine [1][2]
>
> [1] http://search.jboss.org
> [2] https://developer.jboss.org/wiki/JBossCommunitySearchFAQ
>
> --
> ___
> Rafael T. C. Soares | Solution Architect
> JBoss Enterprise Middleware | Red Hat Brazil
> Mobile: +55 71 98181-3636
> Phone: +55 11 3529-6096

From sthorger at redhat.com Tue Jun 7 08:59:38 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 7 Jun 2016 14:59:38 +0200
Subject: [keycloak-user] Searching on Keycloak mailing list archive
In-Reply-To:
References: <57557345.2060409@redhat.com>
Message-ID:

I sent an email to the JBoss.org guys to ask them to add our mailing lists to search.jboss.org.

On 7 June 2016 at 14:03, Thomas Darimont wrote:
> I asked for it here:
> https://developer.jboss.org/wiki/JBossCommunitySearchHelp
>
> Would be really useful to have - I downloaded the news archives locally and search through them with thunderbird.
>
> 2016-06-06 14:57 GMT+02:00 Rafael T. C. Soares :
>> [... snip ...]

From haimv at perfectomobile.com Tue Jun 7 09:31:35 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 7 Jun 2016 13:31:35 +0000
Subject: [keycloak-user] Custom page for not found realm (tenant)
In-Reply-To: <575675E3.6080308@redhat.com>
References: <575675E3.6080308@redhat.com>
Message-ID:

Hi Marek,

The exception (HTTP error 404) is on the KeyCloak side (missing tenant). I have looked into the themes chapter and the theme examples but I didn't find a way to customize the missing tenant page (instead of the 404 that is thrown). Is it possible?

We can't do it in the web.xml since we want it only for the missing tenant scenario.

Thanks,
Haim.

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, June 07, 2016 10:21 AM
To: Haim Vana ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Custom page for not found realm (tenant)

Is the error thrown on the application side or on the keycloak side? If it's on the application side and you have a servlet application, you can configure the custom error page in web.xml. For example see https://www.onehippo.org/library/concepts/error-pages-and-error-handling/1.-handling-error-codes-and-exceptions-by-the-web.xml.html . If it's on the keycloak side, you can change the look&feel of keycloak error pages with a custom theme.
See the docs and our theme examples for more details.

Marek

On 07/06/16 09:10, Haim Vana wrote:

Hi,

We are using KeyCloak with multi-tenancy, each realm represents a tenant (customer).

Sometimes due to setup issue or typo in the realm name we are getting 404 page, is there a custom page or a way to customize a page for missing realm scenario?

For example something like - Realm doesn't exist...

Thanks,
Haim.

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
From haimv at perfectomobile.com Tue Jun 7 10:17:53 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 7 Jun 2016 14:17:53 +0000
Subject: [keycloak-user] Can't access admin console with realm admin (from 1.9.4 version and above)
Message-ID:

Hi,

From version 1.9.4 and above I can't access the admin console with realm admin user. The realm admin user is a specific realm admin, it was created in the master realm and his only roles are the client (the realm) roles.

I am getting the below exception and it looks like it's not a bug (see RealmsAdminResource.java line 114), if so how am I supposed to create an admin only for a realm? Also what about realm admins created in versions 1.9.3, could they still access the admin console if KeyCloak will be upgraded?

2016-06-07 17:09:09,962 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-79) RESTEASY002005: Failed executing GET /admin/realms: org.keycloak.services.ForbiddenException
        at org.keycloak.services.resources.admin.RealmsAdminResource.addRealmRep(RealmsAdminResource.java:114)
        at org.keycloak.services.resources.admin.RealmsAdminResource.getRealms(RealmsAdminResource.java:102)

Thanks,
Haim.
From mposolda at redhat.com Tue Jun 7 12:49:50 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 7 Jun 2016 18:49:50 +0200
Subject: [keycloak-user] Custom page for not found realm (tenant)
In-Reply-To:
References: <575675E3.6080308@redhat.com>
Message-ID: <5756FB2E.3000307@redhat.com>

How exactly does the error page look, and how does the browser URL look? Is there something in the server.log when it's displayed?

Marek

On 07/06/16 15:31, Haim Vana wrote:
>
> Hi Marek,
>
> The exception (HTTP error 404) is on KeyCloak side (missing tenant), I
> have looked into the themes chapter and the themes examples but
> I didn't find a way to customize the missing tenant page (instead of
> the 404 that is thrown).
>
> Is it possible?
>
> We can't do it in the web.xml since we want it only for the missing
> tenant scenario.
>
> Thanks,
>
> Haim.
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, June 07, 2016 10:21 AM
> To: Haim Vana ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Custom page for not found realm (tenant)
>
> Is the error thrown on application side or on keycloak side? If it's
> on application side and you have servlet application, you can
> configure the custom error page in web.xml. For example see
> https://www.onehippo.org/library/concepts/error-pages-and-error-handling/1.-handling-error-codes-and-exceptions-by-the-web.xml.html .
>
> If it's on keycloak side, you can change look&feel of keycloak error
> pages with usage of custom theme. See the docs and our theme examples
> for more details.
>
> Marek
>
> On 07/06/16 09:10, Haim Vana wrote:
>
> Hi,
>
> We are using KeyCloak with multi-tenancy, each realm represents a
> tenant (customer).
>
> Sometimes due to setup issue or typo in the realm name we are
> getting 404 page, is there a custom page or a way to customize a
> page for missing realm scenario?
>
> For example something like - Realm doesn't exist...
>
> Thanks,
>
> Haim.
From haimv at perfectomobile.com Tue Jun 7 13:21:39 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 7 Jun 2016 17:21:39 +0000
Subject: [keycloak-user] Custom page for not found realm (tenant)
In-Reply-To: <5756FB2E.3000307@redhat.com>
References: <575675E3.6080308@redhat.com> <5756FB2E.3000307@redhat.com>
Message-ID:

It's pretty straightforward, the JS utility redirects us to KeyCloak with a realm that doesn't exist, marked in yellow below.

http://192.168.99.100:9090/auth/realms/1000000121/protocol/openid-connect/auth?client_id=reportium&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F%3FTENANTID%3D1000000121&state=20d710ca-ffe3-4c67-b495-bdb6fc9bad40&response_type=code

KeyCloak returns 404 resulting in a blank page.

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, June 07, 2016 7:50 PM
To: Haim Vana ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Custom page for not found realm (tenant)

How exactly does the error page look, and how does the browser URL look? Is there something in the server.log when it's displayed?

Marek

On 07/06/16 15:31, Haim Vana wrote:

Hi Marek,

The exception (HTTP error 404) is on KeyCloak side (missing tenant), I have looked into the themes chapter and the themes examples but I didn't find a way to customize the missing tenant page (instead of the 404 that is thrown).

Is it possible?

We can't do it in the web.xml since we want it only for the missing tenant scenario.

Thanks,
Haim.

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, June 07, 2016 10:21 AM
To: Haim Vana ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Custom page for not found realm (tenant)

Is the error thrown on application side or on keycloak side? If it's on application side and you have servlet application, you can configure the custom error page in web.xml. For example see https://www.onehippo.org/library/concepts/error-pages-and-error-handling/1.-handling-error-codes-and-exceptions-by-the-web.xml.html .

If it's on keycloak side, you can change look&feel of keycloak error pages with usage of custom theme. See the docs and our theme examples for more details.

Marek

On 07/06/16 09:10, Haim Vana wrote:

Hi,

We are using KeyCloak with multi-tenancy, each realm represents a tenant (customer).

Sometimes due to setup issue or typo in the realm name we are getting 404 page, is there a custom page or a way to customize a page for missing realm scenario?

For example something like - Realm doesn't exist...

Thanks,
Haim.
From mposolda at redhat.com Tue Jun 7 14:46:10 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 7 Jun 2016 20:46:10 +0200
Subject: [keycloak-user] Custom page for not found realm (tenant)
In-Reply-To:
References: <575675E3.6080308@redhat.com> <5756FB2E.3000307@redhat.com>
Message-ID: <57571672.2040706@redhat.com>

Then maybe the easiest path is to configure error page at undertow subsystem level in standalone.xml. You can take a look for example at https://developer.jboss.org/thread/251980?start=0&tstart=0

Marek

On 07/06/16 19:21, Haim Vana wrote:
>
> It's pretty straightforward, the JS utility redirects us to KeyCloak
> with a realm that doesn't exist, marked in yellow below.
>
> http://192.168.99.100:9090/auth/realms/1000000121/protocol/openid-connect/auth?client_id=reportium&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F%3FTENANTID%3D1000000121&state=20d710ca-ffe3-4c67-b495-bdb6fc9bad40&response_type=code
>
> KeyCloak returns 404 resulting in a blank page.
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, June 07, 2016 7:50 PM
> To: Haim Vana ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Custom page for not found realm (tenant)
>
> How exactly does the error page look, and how does the browser URL
> look? Is there something in the server.log when it's displayed?
>
> Marek
>
> On 07/06/16 15:31, Haim Vana wrote:
>
> Hi Marek,
>
> The exception (HTTP error 404) is on KeyCloak side (missing
> tenant), I have looked into the themes chapter and the themes examples
> but I didn't find a way to customize the missing tenant page
> (instead of the 404 that is thrown).
>
> Is it possible?
>
> We can't do it in the web.xml since we want it only for the
> missing tenant scenario.
>
> Thanks,
>
> Haim.
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, June 07, 2016 10:21 AM
> To: Haim Vana ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Custom page for not found realm (tenant)
>
> Is the error thrown on application side or on keycloak side? If
> it's on application side and you have servlet application, you can
> configure the custom error page in web.xml. For example see
> https://www.onehippo.org/library/concepts/error-pages-and-error-handling/1.-handling-error-codes-and-exceptions-by-the-web.xml.html .
>
> If it's on keycloak side, you can change look&feel of keycloak
> error pages with usage of custom theme. See the docs and our theme
> examples for more details.
>
> Marek
>
> On 07/06/16 09:10, Haim Vana wrote:
>
> Hi,
>
> We are using KeyCloak with multi-tenancy, each realm
> represents a tenant (customer).
>
> Sometimes due to setup issue or typo in the realm name we are
> getting 404 page, is there a custom page or a way to customize
> a page for missing realm scenario?
>
> For example something like - Realm doesn't exist...
>
> Thanks,
>
> Haim.
From dguerrar at gmail.com Tue Jun 7 14:59:20 2016
From: dguerrar at gmail.com (David Guerra)
Date: Tue, 7 Jun 2016 20:59:20 +0200
Subject: [keycloak-user] impossible to get logs from adapter-saml
Message-ID:

Hi,

I am updating an old struts 1.3 web app and integrating our SAML - SSO service with help of keycloak adapter for SAML.

I am facing a problem (perhaps a silly problem): I am using Tomcat 7 and I try to get logs from the keycloak saml adapter as said in:
http://keycloak.github.io/docs/userguide/saml-client-adapter/html/debugging.html
with "log4j.logger.org.keycloak.saml=DEBUG" in my log4j.properties.

But there is no 'debug' info in the console. I have other debug info for my application but none for keycloak adapter.

Am I doing something wrong?

Thanks for the help.

From dguerrar at gmail.com Tue Jun 7 15:06:50 2016
From: dguerrar at gmail.com (David Guerra)
Date: Tue, 7 Jun 2016 21:06:50 +0200
Subject: [keycloak-user] tomcat 7 SAMl adapter and question
Message-ID:

Hi,

I am updating an old struts 1.3 web app and integrating our SAML - SSO service with help of keycloak adapter for SAML.

I have some issues with that development on Tomcat 7: in the "web.xml" file, the following lines are supposed to be added

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>this is ignored currently</realm-name>
</login-config>

Reading the other options, in the Wildfly the following code must be added:

<login-config>
    <auth-method>KEYCLOAK-SAML</auth-method>
    <realm-name>this is ignored currently</realm-name>
</login-config>

And, googling a little, I found that, on Tomcat 7, the correct configuration must be:

<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>this is ignored currently</realm-name>
</login-config>

My question is: "BASIC" for tomcat 7 and SAML adapter is correct for my development?

Thanks!!!
From petervn1 at yahoo.com Tue Jun 7 15:22:29 2016
From: petervn1 at yahoo.com (Peter Nalyvayko)
Date: Tue, 7 Jun 2016 19:22:29 +0000 (UTC)
Subject: [keycloak-user] Revoking individual refresh tokens
References: <1455910294.691706.1465327349672.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1455910294.691706.1465327349672.JavaMail.yahoo@mail.yahoo.com>

Hello,

Is there a way to revoke/invalidate a refresh token issued to a specific user? My understanding is that I can revoke all of the previously issued refresh tokens using 'Revocation' and setting Not Before to Now; this is good but it would be great if I can revoke individual tokens as well.

Thx
--Peter

From bburke at redhat.com Tue Jun 7 15:46:08 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 7 Jun 2016 15:46:08 -0400
Subject: [keycloak-user] Revoking individual refresh tokens
In-Reply-To: <1455910294.691706.1465327349672.JavaMail.yahoo@mail.yahoo.com>
References: <1455910294.691706.1465327349672.JavaMail.yahoo.ref@mail.yahoo.com> <1455910294.691706.1465327349672.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <729d8043-d746-b2d3-78a9-10b409996e2a@redhat.com>

Yes you can. In the admin console, go to the individual user and go to the sessions tab. You can then view each session the user has. This action has a REST api behind it.

http://keycloak.github.io/docs/rest-api/index.html

REST api allows you to get list of sessions for the user, logout all sessions for the user, and to remove an individual session.

On 6/7/16 3:22 PM, Peter Nalyvayko wrote:
> Hello,
> Is there a way to revoke/invalidate a refresh token issued to a
> specific user? My understanding is that I can revoke all of the
> previously issued refresh tokens using 'Revocation' and setting Not
> Before to Now; this is good but it would be great if I can revoke
> individual tokens as well.
> Thx
> --Peter

From bburke at redhat.com Tue Jun 7 15:47:11 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 7 Jun 2016 15:47:11 -0400
Subject: [keycloak-user] tomcat 7 SAMl adapter and question
In-Reply-To:
References:
Message-ID:

Read the docs. You have to use BASIC, then specify a valve in your context.

On 6/7/16 3:06 PM, David Guerra wrote:
> Hi,
>
> I am updating an old struts 1.3 web app and integrating our SAML - SSO
> service with help of keycloak adapter for SAML.
>
> I have some issues with that development on Tomcat 7: in the "web.xml"
> file, the following lines are supposed to be added
>
> <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>this is ignored currently</realm-name>
> </login-config>
>
> Reading the other options, in the Wildfly the following code must be added:
>
> <login-config>
>     <auth-method>KEYCLOAK-SAML</auth-method>
>     <realm-name>this is ignored currently</realm-name>
> </login-config>
>
> And, googling a little, I found that, on Tomcat 7, the correct
> configuration must be:
>
> <login-config>
>     <auth-method>KEYCLOAK</auth-method>
>     <realm-name>this is ignored currently</realm-name>
> </login-config>
>
> My question is: "BASIC" for tomcat 7 and SAML adapter is correct for
> my development?
>
> Thanks!!!
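Bill Burke's answer above on revoking individual sessions maps onto three admin REST calls: list a user's sessions, delete one session, or log the user out everywhere. The script below is an added example, not code from the thread or from the Keycloak project; it uses those admin API paths, but the base URL, realm, user id, bearer token and the session records are constructed placeholders, and the transport is injectable so the selection logic can be exercised offline before anything is sent to a real server.

```python
"""Revoke one Keycloak user session instead of all of them (added example).

Admin REST API paths used (Keycloak admin API, as referenced in the thread):
  GET    /admin/realms/{realm}/users/{id}/sessions   list a user's sessions
  DELETE /admin/realms/{realm}/sessions/{session}    remove exactly one session
  POST   /admin/realms/{realm}/users/{id}/logout     remove every session of the user
BASE_URL, REALM, USER_ID, the token and SAMPLE_SESSIONS are constructed values.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed placeholders, not values from the thread.
BASE_URL = "https://keycloak.example.invalid/auth"
REALM = "demo"
USER_ID = "8d2c0c5a-0000-4000-8000-000000000001"


def sessions_url(base_url: str, realm: str, user_id: str) -> str:
    """GET here returns the user's active sessions."""
    return f"{base_url}/admin/realms/{realm}/users/{user_id}/sessions"


def session_url(base_url: str, realm: str, session_id: str) -> str:
    """DELETE here removes one session; refresh tokens bound to it stop working."""
    return f"{base_url}/admin/realms/{realm}/sessions/{session_id}"


def logout_url(base_url: str, realm: str, user_id: str) -> str:
    """POST here is the all-or-nothing option: every session of the user goes."""
    return f"{base_url}/admin/realms/{realm}/users/{user_id}/logout"


def select_sessions(sessions: List[Dict], client_id: Optional[str] = None,
                    ip_address: Optional[str] = None) -> List[str]:
    """Pick the session ids to revoke.

    Each session record carries ``id``, ``ipAddress`` and ``clients`` (a map of
    client UUID -> clientId).  Filtering on client and source address lets an
    operator cut the one suspicious session and leave the user's other devices
    logged in, which is the per-session revocation the question asks for.
    """
    chosen = []
    for s in sessions:
        if client_id is not None and client_id not in s.get("clients", {}).values():
            continue
        if ip_address is not None and s.get("ipAddress") != ip_address:
            continue
        chosen.append(s["id"])
    return chosen


# (method, url, bearer_token) -> HTTP status
Transport = Callable[[str, str, str], int]


def urllib_transport(method: str, url: str, token: str) -> int:
    """Real transport: sends the request with an admin bearer token."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status


def revoke_sessions(session_ids: List[str], token: str,
                    transport: Transport = urllib_transport,
                    base_url: str = BASE_URL, realm: str = REALM) -> Dict[str, int]:
    """Issue one DELETE per selected session and report the status of each."""
    return {sid: transport("DELETE", session_url(base_url, realm, sid), token)
            for sid in session_ids}


# Constructed sample response, shaped like the admin API's session list.
SAMPLE_SESSIONS = json.loads("""[
  {"id": "sess-1", "ipAddress": "10.0.0.5",    "clients": {"c1": "web-portal"}},
  {"id": "sess-2", "ipAddress": "203.0.113.9", "clients": {"c2": "mobile-app"}},
  {"id": "sess-3", "ipAddress": "10.0.0.5",    "clients": {"c2": "mobile-app"}}
]""")

if __name__ == "__main__":
    targets = select_sessions(SAMPLE_SESSIONS, client_id="mobile-app",
                              ip_address="203.0.113.9")
    # Dry-run transport so the example runs offline; swap in urllib_transport
    # (with a real admin token) to perform the revocation.
    print(revoke_sessions(targets, "ADMIN-TOKEN-PLACEHOLDER",
                          transport=lambda m, u, t: 204))
```

The token passed to the transport must belong to an administrator who may manage users in that realm; the 'Revocation / Not Before' setting Peter mentions stays the right tool when every token of the realm must be cut at once.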
From bruno at abstractj.org Tue Jun 7 17:22:01 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 7 Jun 2016 18:22:01 -0300
Subject: [keycloak-user] Correct setup of clientID
In-Reply-To:
References:
Message-ID: <20160607212201.GC11591@abstractj.org>

On 2016-06-06, Helio Frota wrote:
> Hi folks we have a PR on this subject:
>
> https://github.com/keycloak/keycloak-nodejs-auth-utils/pull/22

The PR will be reviewed, we get notifications from GH when someone submits.

>
> On Mon, Jun 6, 2016 at 9:12 AM, Helio Frota <00hf11 at gmail.com> wrote:
>
> > Hi,
> >
> > 1. Is correct to manually add clientID on keycloak.json ? I don't think so.
> >
> > 2. I found this email from archives:
> >
> > > I was hoping this would Just Work, but I quickly discovered that some of
> > > the properties are "renamed" after the HTTP request:
> > >
> > > kc.authServerUrl = config['auth-server-url'];
> > > kc.realm = config['realm'];
> > > kc.clientId = config['resource'];
> > > kc.clientSecret = (config['credentials'] || {})['secret'];
> >
> > http://lists.jboss.org/pipermail/keycloak-user/2016-April/005802.html
> >
> > clientId is now called 'resource' ?
> >
> > thanks

--
abstractj
PGP: 0x84DC9914

From Ming.Li at alcatel-lucent.com Tue Jun 7 18:04:55 2016
From: Ming.Li at alcatel-lucent.com (LI Ming)
Date: Tue, 7 Jun 2016 22:04:55 +0000
Subject: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
In-Reply-To: <81FBAB8F05BC6F418853660D9326281E1F142955@cnshjmbx03>
References: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03> <575674F8.9050603@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142885@cnshjmbx03> <575680A1.4000907@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142955@cnshjmbx03>
Message-ID: <81FBAB8F05BC6F418853660D9326281E1F142B87@cnshjmbx03>

Marek,

Do you have any idea on the failure reason?

From the call stack, Keycloak hung at the following function:
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)

In the source code, Keycloak tried to send Post request to the below Url:
tokenUrl: https://135.1.34.23:8443/auth/realms/demo/protocol/openid-connect/token

It is local token authentication service, why reporting "Connection timed out"?

Ming Li

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of LI Ming
Sent: Tuesday, June 07, 2016 4:42 PM
To: Marek Posolda; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"

No, github is not working.

BTW, my server needs set http_proxy/https_proxy to access github.com.

wget --secure-protocol=TLSv1 github.com
--2016-06-07 03:39:02--  http://github.com/
Resolving global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)... 135.245.48.33
Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
--2016-06-07 03:39:03--  https://github.com/
Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

    [ <=> ] 25,508      --.-K/s   in 0.03s

2016-06-07 03:39:03 (870 KB/s) - 'index.html' saved [25508]

Github.com can be accessible via http proxy. I do not know why keycloak will complain the certificate.

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, June 07, 2016 4:07 PM
To: LI Ming; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"

Hmm... is github working for you if you omit the "truststore" configuration in keycloak-server.json and use the default java cacerts file without any changes?

Marek

On 07/06/16 09:38, LI Ming wrote:

Marek,

I already set truststore file to the default java certificates file path in keycloak configuration file $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below:

"truststore": {
    "file": {
        "file": "/usr/java/jre/lib/security/cacerts",
        "password": "changeit",
        "hostname-verification-policy": "ANY",
        "disabled": false
    }
}

And I put my customer certificate file in it also.

Ming Li

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, June 07, 2016 3:17 PM
To: LI Ming; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"

It seems that's because Keycloak is not able to send backchannel request to github due to github certificate not trusted.
Are you using custom truststore set with truststore SPI or with "javax.net.ssl.truststore" system property?

I think that by default github SSL certificate is verified by well-known CA, so it shouldn't be the issue to connect to that if you use default Java file with certificates (cacerts). However if you have custom truststore set, then default java cacerts file is possibly not used, so well-known certificates like the one from github are not trusted.

We should likely have a solution, which will allow to set custom truststore in addition to default java cacerts file. But until we have it, you probably need to manually create truststore file, where you import both the "well-known" certificates together with your custom certificates.

Marek

On 07/06/16 08:02, LI Ming wrote:

Hi,

When I setup social identity provider (GitHub) to authenticate the user, it always failed with the below error:

2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:589)
        at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
        at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
        at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
        at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
        at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
        at sun.net.www.protocol.https.HttpsClient.(HttpsClient.java:264)
        at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
        at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
        at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        ...
2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure

Can you help to identify the failure reason?

Thanks,
Ming Li

From fabricio.milone at shinetech.com Tue Jun 7 19:30:14 2016
From: fabricio.milone at shinetech.com (Fabricio Milone)
Date: Wed, 8 Jun 2016 09:30:14 +1000
Subject: [keycloak-user] Performance issues with Federation provider enabled
Message-ID:

Hi all,

I sent this email yesterday with 5 or more attachments, so I think it was blocked or something...
here I go again :) I've been running load tests on our application during the last few weeks, and having some performance issues when my custom federator is enabled. The performance issue does not exist when the federator is disabled. *Configuration*: I have a cluster of 2 instances of Keycloak, with a standalone DB, we've verified the DB isn't an issue when the federator is disabled. Both instances have a quad core CPU and they are in the same network. We?ve left the memory at 512MB. The test script, database and API that connects to the federator are in separate machines. *Federator*: We have a simple custom federator that makes calls to a very performant api, which has been tested and is ok. Additionally, we've tested stubbing the API so the performance is not a problem there. This federator is using a jaxb marshaller to create a request, again tested in isolation and is performing well. As the federator is doing a lot of calls to the API (3 per login request), I've implemented a httpclient that uses a PoolingHttpClientConnectionManager with 1000 connections available to use, instead of using the standard apache httpclient from http components. That hasn't improved a bit the performance of the system. *Tests*: It is a gatling scala script that could generate around ~300 (or more) requests/second to the direct grants login endpoint using random usernames from a list (all of them already registered using KC). The script is doing a round robin across both instances of Keycloak with an even distribution to each KC instance. The idea is simulate a load of 300 to 1500 concurrent users trying to login into our systems. *Problem*: If I run the tests without using a federation I can see a very good performance, but when I try to run the tests with the custom federation code, the performance drops from ~150 requests/second to 22 req/sec using both instances. Memory wise, it seems to be ok. 
I've never seen an error related to memory with this configuration, also if you take a look at the attached visualVM screenshot you'll see that memory is not a problem or it seems not to be. CPU utilisation is very low to my mind, I'd expect more than 80% of usage or something like that. There is a method that is leading the CPU samples on VisualVM called Semaphore.tryAcquire(). Not quite sure what's that for, still investigating. I can see that a lot of new threads are being created when the test starts, as it creates around 60 requests/second to the direct grants login call, but it seems to be a bottleneck at some point.

So I'm wondering if there is some configuration I'm missing on Keycloak side that could be affecting the cluster performance when a federator is enabled. Maybe something related to jpa connections, infinispan configuration or even wildfly.

I'd really appreciate your help on this one as I'm out of ideas. I've attached some screenshots of visualVM and tests results from my last run today.

Sorry for the long email and please let me know if you need further information.

Thank you in advance,
Regards,
Fab
--
*Fabricio Milone*
Developer
*Shine Consulting *
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com *a* passion for excellence
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/b90cdc52/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.png Type: image/png Size: 51524 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/b90cdc52/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.png Type: image/png Size: 72533 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/b90cdc52/attachment-0003.png

From sthorger at redhat.com Wed Jun 8 01:15:27 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 8 Jun 2016 07:15:27 +0200
Subject: [keycloak-user] Swedish translation
In-Reply-To: <575672F6.2060307@redhat.com>
References: <575672F6.2060307@redhat.com>
Message-ID:

I sent a separate mail to dev mailing list about moving translations out of the main repository.

Marek - having a tool would be great, but I'm worried about how much effort it would be, unless there's something out there already.

Thomas - for now you can send a PR to main repository with the translation if you are happy to be maintainer for the translation.

On 7 June 2016 at 09:08, Marek Posolda wrote: > Not directly related, but IMO we can potentially improve the experience > for translators/maintainers and create some tool, which will simplify their > work. This can result in better experience for them and hence more > contributions for more languages. > > IMO it is currently a bit of pain to maintain the translation and manually > check if there were some recent changes in english file > "messages_en.properties" and then adding/updating them to my locale (assume > it's messages_es.properties) . So I am wondering that we will have a tool > (or maybe we can reuse some already existing tool), which will: > > - Check the last github revision of my "messages_es.properties" file.
> Let's assume this is revision XY > - Then check english locale file "messages_en.properties" and look for all > the commits newer than XY > - The tool will automatically remove all the keys from > "messages_es.properties", which were in the meantime removed from > "messages_en.properties" > - Then tool will create/update the key/value pairs in > "messages_es.properties" for all the keys, which were added or updated in > the meantime in "messages_en.properties" . > > So assume that in messages_en.properties you added the key: > > greetings.key=hello > > then in messages_es.properties, the tool will generate something like: > > greetings.key= hello > > > So the translator will be just required to check the keys with > and translate them to his language like: > > greetings.key=buenos dias > > Note that translator doesn't need to manually check what was added or > updated in the meantime. He is also not required to continuously switch > between messages_en.properties and messages_es.properties and compare what > is the english translation for "greetings.key" etc. > > Having separate repositories will be good, on the other hand it may > complicate things if we want to have some tool like I mentioned above (but > maybe not, if it's able to work with times of commits). > > Marek > > > On 06/06/16 08:14, Thomas Raehalme wrote: > > How about making translations deployable in a similar way as themes? The > base theme would define the required set of keys which each translation > should include. You could even write tests to make sure the translation is > complete which would simplify maintenance. > > Perhaps the main distribution could include only English as it would now > be simple for the admins to deploy the needed translations. If the > translations are separated from the main Keycloak repository, as you > suggested, then the main repository would not be dependent on up-to-date > translations (which could slow the development down if they start lagging > behind).
For the same reason it could also be beneficial to be able to > release translations independently from each other. > > Themes would still need a way to include custom/override messages but they > could be included directly in the theme just like now. > > Just an initial thought.... > > Best regards, > Thomas > > > On Jun 3, 2016 14:34, "Stian Thorgersen" wrote: > >> We need to find a way to share translations that scales. We're not able >> to maintain all these translations ourselves so I'm considering adding some >> external repository for the translations and elect a maintainer for >> each language. >> >> Does anyone have a good suggestion how to deal with this? >> >> On 31 May 2016 at 12:01, Thomas Raehalme < >> thomas.raehalme at aitiofinland.com> wrote: >> >>> Hi! >>> >>> We need to translate Keycloak user interface (excluding admin console) >>> to the Swedish language. I was wondering if anyone has already done the >>> translation and would be willing to share it? >>> >>> We have already translated Keycloak to Finnish and hope to share the >>> translation with the community in the near future. >>> >>> Best regards, >>> Thomas >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >
-------------- next part --------------
An HTML attachment was scrubbed...
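The merge step of the tool Marek sketches in the quoted message above (drop keys that disappeared from messages_en.properties, copy new keys with the English text, flag keys whose English text changed), as an added example. This is not Keycloak code and not Marek's tool: it leaves the git part out and, instead of reading history with jgit, takes the English file as it was at the locale's last sync, the current English file and the locale file as arguments. The file paths, the UTF-8 read and the `# TODO translate` marker are this example's own assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not Keycloak code: an offline version of the merge step of the
 * translation tool discussed on the list. Inputs:
 *   enOld  - messages_en.properties as it was when the locale was last synced
 *   enNew  - the current messages_en.properties
 *   locale - the locale file to update (e.g. messages_es.properties)
 * Rules:
 *   - keys missing from enNew are dropped from the locale
 *   - keys new in enNew are copied with the English text and marked TODO
 *   - keys whose English text changed between enOld and enNew get the new
 *     English text and are marked TODO (the old translation is stale)
 *   - every other key keeps its existing translation
 * Assumes plain "key=value" lines (no continuations or escapes); the TODO
 * marker is this example's own convention.
 */
public class MessagesSync {

    static final String TODO_MARKER = "# TODO translate";

    /** Parses key=value lines in file order; blank lines and comments are skipped. */
    static Map<String, String> parse(List<String> lines) {
        Map<String, String> entries = new LinkedHashMap<>();
        for (String line : lines) {
            String t = line.trim();
            if (t.isEmpty() || t.startsWith("#") || t.startsWith("!")) continue;
            int eq = t.indexOf('=');
            if (eq < 0) continue;
            entries.put(t.substring(0, eq).trim(), t.substring(eq + 1).trim());
        }
        return entries;
    }

    /** Builds the updated locale content, ordered like enNew. */
    static List<String> merge(Map<String, String> enOld, Map<String, String> enNew,
                              Map<String, String> locale) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, String> e : enNew.entrySet()) {
            String key = e.getKey();
            String english = e.getValue();
            String translated = locale.get(key);
            boolean added = (translated == null);
            boolean changed = !added && enOld.containsKey(key)
                    && !enOld.get(key).equals(english);
            if (added || changed) {
                // Translator sees the English text next to a marker and replaces it.
                out.add(TODO_MARKER + (changed ? " (english text changed)" : ""));
                out.add(key + "=" + english);
            } else {
                out.add(key + "=" + translated);
            }
        }
        // Keys present only in the locale were removed upstream: not emitted.
        return out;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 3) {
            System.err.println("usage: MessagesSync <en-old.properties> <en-new.properties> <locale.properties>");
            System.exit(2);
        }
        Map<String, String> enOld = parse(Files.readAllLines(Paths.get(args[0]), StandardCharsets.UTF_8));
        Map<String, String> enNew = parse(Files.readAllLines(Paths.get(args[1]), StandardCharsets.UTF_8));
        Map<String, String> locale = parse(Files.readAllLines(Paths.get(args[2]), StandardCharsets.UTF_8));
        for (String line : merge(enOld, enNew, locale)) {
            System.out.println(line);
        }
    }
}
```

With Marek's example, an enNew containing `greetings.key=hello` and a locale without that key yields a `# TODO translate` line followed by `greetings.key=hello`; after the translator edits it to `greetings.key=buenos dias` a later run keeps that line untouched unless the English text changes again. In Marek's design the enOld snapshot would come from the git revision the locale was last synced against, which is the part jgit supplies.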
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/d4069d28/attachment.html

From fabricio.milone at shinetech.com Tue Jun 7 02:49:45 2016
From: fabricio.milone at shinetech.com (Fabricio Milone)
Date: Tue, 7 Jun 2016 16:49:45 +1000
Subject: [keycloak-user] Performance issues with Federation provider enabled
Message-ID:

Hi all,

I've been running load tests on our application during the last few weeks, and having some performance issues when my custom federator is enabled. The performance issue does not exist when the federator is disabled.

*Configuration*:
I have a cluster of 2 instances of Keycloak, with a standalone DB, we've verified the DB isn't an issue when the federator is disabled. Both instances have a quad core CPU and they are in the same network. We've left the memory at 512MB. The test script, database and API that connects to the federator are in separate machines.

*Federator*:
We have a simple custom federator that makes calls to a very performant api, which has been tested and is ok. Additionally, we've tested stubbing the API so the performance is not a problem there. This federator is using a jaxb marshaller to create a request, again tested in isolation and is performing well. As the federator is doing a lot of calls to the API (3 per login request), I've implemented an httpclient that uses a PoolingHttpClientConnectionManager with 1000 connections available to use, instead of using the standard apache httpclient from http components. That hasn't improved a bit the performance of the system.

*Tests*:
It is a gatling scala script that could generate around ~300 (or more) requests/second to the direct grants login endpoint using random usernames from a list (all of them already registered using KC). The script is doing a round robin across both instances of Keycloak with an even distribution to each KC instance. The idea is to simulate a load of 300 to 1500 concurrent users trying to login into our systems.
*Problem*:
If I run the tests without using a federation I can see a very good performance, but when I try to run the tests with the custom federation code, the performance drops from ~150 requests/second to 22 req/sec using both instances. Memory wise, it seems to be ok. I've never seen an error related to memory with this configuration, also if you take a look at the attached visualVM screenshot you'll see that memory is not a problem or it seems not to be. CPU utilisation is very low to my mind, I'd expect more than 80% of usage or something like that. There is a method that is leading the CPU samples on VisualVM called Semaphore.tryAcquire(). Not quite sure what's that for, still investigating. I can see that a lot of new threads are being created when the test starts, as it creates around 60 requests/second to the direct grants login call, but it seems to be a bottleneck at some point.

So I'm wondering if there is some configuration I'm missing on Keycloak side that could be affecting the cluster performance when a federator is enabled. Maybe something related to jpa connections, infinispan configuration or even wildfly.

I'd really appreciate your help on this one as I'm out of ideas. I've attached some screenshots of visualVM and tests results from my last run today.

Sorry for the long email and please let me know if you need further information.

Thank you in advance,
Regards,
Fab
--
*Fabricio Milone*
Developer
*Shine Consulting *
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com *a* passion for excellence
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/8afd4851/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2016-06-07 at 2.56.34 PM.png Type: image/png Size: 220378 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/8afd4851/attachment-0004.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2016-06-07 at 3.01.32 PM.png Type: image/png Size: 171179 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/8afd4851/attachment-0005.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2016-06-07 at 3.02.29 PM.png Type: image/png Size: 58182 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/8afd4851/attachment-0006.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2016-06-07 at 3.10.12 PM.png Type: image/png Size: 272567 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/8afd4851/attachment-0007.png

From sthorger at redhat.com Wed Jun 8 01:23:33 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 8 Jun 2016 07:23:33 +0200
Subject: [keycloak-user] Keycloak behind firewall
In-Reply-To: <0b4d01d1c08f$fc236750$f46a35f0$@huebinet.de>
References: <0b4d01d1c08f$fc236750$f46a35f0$@huebinet.de>
Message-ID:

If you want the Keycloak instance to use internal IP address for internal communication you can do that either by updating your internal DNS server to point to the internal IP, or you can edit the hosts file on the machine hosting Keycloak.

On 7 June 2016 at 09:41, Kevin Hirschmann wrote: > Hello, > > > > when sending an authentication request it seems, that the keycloak > application uses the server url (from the request) to issue a request to > obtain a token. > > The server sends a request to itself.
I am running a wildfly instance > behind a transparent proxy and the firewall blocks requests from the > wildfly server to the IP address of the proxy. Is there a way to configure > keycloak to send 'internal' requests to a different IP address? > > > > Thx for your help > > > > Kind regards > > > > Kevin Hirschmann > > > > HUEBINET Informationsmanagement GmbH & Co. KG > > An der Königsbach 8 > > 56075 Koblenz > > > > Registered office and court of registration: Koblenz HRA 5329 > > > > General partner of the KG: > > HUEBINET GmbH; > > Registered office and court of registration: Koblenz HRB 6857 > > > > Managing directors: > > Frank Hüttmann; Michael Biemer > > > > > ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ > > > > E-mail correspondence with HUEBINET Informationsmanagement GmbH & Co. > KG, Koblenz serves information purposes only. > Legally binding declarations cannot be exchanged over this > medium, since manipulation of e-mails by third parties cannot be ruled out. > > > > Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is > only intended to provide information of a general kind, and shall not be > used for any statement with binding contents in respect to legal relations. > It is not totally possible to prevent a third party from manipulating > emails and email contents. > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/281a5a92/attachment.html

From snehalata.nagaje at harbingergroup.com Wed Jun 8 02:05:13 2016
From: snehalata.nagaje at harbingergroup.com (Snehalata Nagaje)
Date: Wed, 8 Jun 2016 11:35:13 +0530 (IST)
Subject: [keycloak-user] Keycloak cluster question
Message-ID: <485985836.1814193.1465365913536.JavaMail.zimbra@harbingergroup.com>

Hi All,

I am setting up keycloak cluster. As we are running the keycloak server in full-ha profile with domain mode, there is by default configuration for hornet queue cluster, do we need this for keycloak? Can we remove it?

Thanks,
Snehalata
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/0d66d7b9/attachment.html

From mposolda at redhat.com Wed Jun 8 05:45:57 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 8 Jun 2016 11:45:57 +0200
Subject: [keycloak-user] Swedish translation
In-Reply-To:
References: <575672F6.2060307@redhat.com>
Message-ID: <5757E955.6060401@redhat.com>

On 08/06/16 07:15, Stian Thorgersen wrote: > I sent a separate mail to dev mailing list about moving translations > out of the main repository. > > Marek - having a tool would be great, but I'm worried about how much > effort it would be, unless there's something out there already.

Working with the property files and CRUD operations around properties is quite an easy task. A bit more challenging is checking git history. However I've tried some playing with jgit [1] and it works fine to read the git history of some file and see the diff of changes, which are newer than some particular timestamp. So the fact that translation messages will be in different repository than messages_en.properties is not an issue.
Translator can then just run something like:

mvn exec:java -Ptranslate -Dmessages_en.location= -Dmessages_es.location=

The disadvantage is, that translator will need sources of both keycloak repository with english locale and the translations repository, so the tool is able to read git history. However I am not seeing very big issue, as currently all translators need to have keycloak sources anyway to be able to send PRs.

My guess to do some tool like that could be around 2 working days.

[1] https://www.javacodegeeks.com/2015/12/getting-started-jgit.html

Marek

> > Thomas - for now you can send a PR to main repository with the > translation if you are happy to be maintainer for the translation. > > On 7 June 2016 at 09:08, Marek Posolda > wrote: > > Not directly related, but IMO we can potentially improve the > experience for translators/maintainers and create some tool, which > will simplify their work. This can result in better experience for > them and hence more contributions for more languages. > > IMO it is currently a bit of pain to maintain the translation and > manually check if there were some recent changes in english file > "messages_en.properties" and then adding/updating them to my > locale (assume it's messages_es.properties) . So I am wondering > that we will have a tool (or maybe we can reuse some already > existing tool), which will: > > - Check the last github revision of my "messages_es.properties" > file. Let's assume this is revision XY > - Then check english locale file "messages_en.properties" and look > for all the commits newer than XY > - The tool will automatically remove all the keys from > "messages_es.properties", which were in the meantime removed from > "messages_en.properties" > - Then tool will create/update the key/value pairs in > "messages_es.properties" for all the keys, which were added or > updated in the meantime in "messages_en.properties" .
> > So assume that in messages_en.properties you added the key: > > greetings.key=hello > > then in messages_es.properties, the tool will generate something like: > > greetings.key= hello > > > So the translator will be just required to check the keys with > and translate them to his language like: > > greetings.key=buenos dias > > Note that translator doesn't need to manually check what was added > or updated in the meantime. He is also not required to > continuously switch between messages_en.properties and > messages_es.properties and compare what is the english translation > for "greetings.key" etc. > > Having separate repositories will be good, on the other hand it > may complicate things if we want to have some tool like I > mentioned above (but maybe not, if it's able to work with times of > commits). > > Marek > > > On 06/06/16 08:14, Thomas Raehalme wrote: >> >> How about making translations deployable in a similar way as >> themes? The base theme would define the required set of keys >> which each translation should include. You could even write tests >> to make sure the translation is complete which would simplify >> maintenance. >> >> Perhaps the main distribution could include only English as it >> would now be simple for the admins to deploy the needed >> translations. If the translations are separated from the main >> Keycloak repository, as you suggested, then the main repository >> would not be dependent on up-to-date translations (which could >> slow the development down if they start lagging behind). For the >> same reason it could also be beneficial to be able to release >> translations independently from each other. >> >> Themes would still need a way to include custom/override messages >> but they could be included directly in the theme just like now. >> >> Just an initial thought.... >> >> Best regards, >> Thomas >> >> >> On Jun 3, 2016 14:34, "Stian Thorgersen" > > wrote: >> >> We need to find a way to share translations that scales.
>> We're not able to maintain all these translations ourselves >> so I'm considering adding some external repository for the >> translations and elect a maintainer for each language. >> >> Does anyone have a good suggestion how to deal with this? >> >> On 31 May 2016 at 12:01, Thomas Raehalme >> > > wrote: >> >> Hi! >> >> We need to translate Keycloak user interface (excluding >> admin console) to the Swedish language. I was wondering >> if anyone has already done the translation and would be >> willing to share it? >> >> We have already translated Keycloak to Finnish and hope >> to share the translation with the community in the near >> future. >> >> Best regards, >> Thomas >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/964e0c63/attachment-0001.html

From mposolda at redhat.com Wed Jun 8 06:08:02 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 8 Jun 2016 12:08:02 +0200
Subject: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out"
In-Reply-To: <81FBAB8F05BC6F418853660D9326281E1F142B87@cnshjmbx03>
References: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03> <575674F8.9050603@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142885@cnshjmbx03> <575680A1.4000907@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142955@cnshjmbx03> <81FBAB8F05BC6F418853660D9326281E1F142B87@cnshjmbx03>
Message-ID: <5757EE82.1000702@redhat.com>

The keycloak tries to send POST request to the endpoint specified as "token URL" in the configuration.
In case of github provider, token URL is set to https://github.com/login/oauth/access_token . TBH I don't know how exactly this works if you are behind proxy. However SimpleHttp class is using standard java.net.HttpURLConnection to send backchannel request and it seems that this is able to read system properties "http.proxyHost" and "http.proxyPort" as Niels pointed out. I assume that system properties are working based on the http://stackoverflow.com/questions/1432961/how-do-i-make-httpurlconnection-use-a-proxy (see post from Sean Owen).

Marek

On 08/06/16 00:04, LI Ming wrote: > > Marek, > > Do you have idea on the failure reason ? > > From the call stack, Keycloak hung at the following function: > > org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228 > > In the source code, Keycloak tried to send Post request to the below Url: > > tokenUrl: > https://135.1.34.23:8443/auth/realms/demo/protocol/openid-connect/token > > It is local token authentication service, why reporting "Connection > timed out"? > > Ming Li > > *From:*keycloak-user-bounces at lists.jboss.org > [mailto:keycloak-user-bounces at lists.jboss.org] *On Behalf Of *LI Ming > *Sent:* Tuesday, June 07, 2016 4:42 PM > *To:* Marek Posolda; keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] When using Social Identity Provider, it > failed with failure "Connection timed out" > > No, github is not working. > > BTW, my server needs set http_proxy/https_proxy to access github.com. > > wget --secure-protocol=TLSv1 github.com > > --2016-06-07 03:39:02-- http://github.com/ > > Resolving global.proxy.alcatel-lucent.com > (global.proxy.alcatel-lucent.com)... 135.245.48.33 > > Connecting to global.proxy.alcatel-lucent.com > (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected. > > Proxy request sent, awaiting response...
301 Moved Permanently > > Location: https://github.com/ [following] > > --2016-06-07 03:39:03-- https://github.com/ > > Connecting to global.proxy.alcatel-lucent.com > (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected. > > Proxy request sent, awaiting response... 200 OK > > Length: unspecified [text/html] > > Saving to: 'index.html' > > [ <=> ] 25,508 --.-K/s in 0.03s > > 2016-06-07 03:39:03 (870 KB/s) - 'index.html' saved [25508] > > Github.com can be accessible via http proxy. I do not know why > keycloak will complain the certificate. > > *From:*Marek Posolda [mailto:mposolda at redhat.com] > *Sent:* Tuesday, June 07, 2016 4:07 PM > *To:* LI Ming; keycloak-user at lists.jboss.org > > *Subject:* Re: [keycloak-user] When using Social Identity Provider, it > failed with failure "Connection timed out" > > Hmm... is github working for you if you omit the "truststore" > configuration in keycloak-server.json and use the default java cacerts > file without any changes? > > Marek > > On 07/06/16 09:38, LI Ming wrote: > > Marek, > > I already set truststore file to the default java certificates > file path in keycloak configuration file > $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below: > > "truststore": { > > "file": { > > "file": "/usr/java/jre/lib/security/cacerts", > > "password": "changeit", > > "hostname-verification-policy": "ANY", > > "disabled": false > > } > > } > > And I put my customer certificate file in it also. > > Ming Li > > *From:*Marek Posolda [mailto:mposolda at redhat.com] > *Sent:* Tuesday, June 07, 2016 3:17 PM > *To:* LI Ming; keycloak-user at lists.jboss.org > > *Subject:* Re: [keycloak-user] When using Social Identity > Provider, it failed with failure "Connection timed out" > > It seems that's because Keycloak is not able to send backchannel > request to github due to github certificate not trusted. 
> > Are you using custom truststore set with truststore SPI or with > "javax.net.ssl.truststore" system property? I think that by > default github SSL certificate is verified by well-known CA, so it > shouldn't be the issue to connect to that if you use default Java > file with certificates (cacerts). However if you have custom > truststore set, then default java cacerts file is possibly not used, > so well-known certificates like the one from github are not > trusted. We should likely have a solution, which will allow to set > custom truststore in addition to default java cacerts file. But > until we have it, you probably need to manually create truststore > file, where you import both the "well-known" certificates together > with your custom certificates. > > Marek > > On 07/06/16 08:02, LI Ming wrote: > > Hi, > > When I setup social identity provider (GitHub) to > authenticate the user, it always failed with the below error: > > 2016-06-07 00:49:05,349 ERROR > [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] > (default task-9) Failed to make identity provider oauth > callback: java.net.ConnectException: Connection timed out > > at java.net.PlainSocketImpl.socketConnect(Native Method) > > at > java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) > > at > java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) > > at > java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) > > at > java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) > > at java.net.Socket.connect(Socket.java:589) > > at > sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) > > at > sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) > > at sun.net.NetworkClient.doConnect(NetworkClient.java:180) > > at > sun.net.www.http.HttpClient.openServer(HttpClient.java:432) > > at > sun.net.www.http.HttpClient.openServer(HttpClient.java:527) > > at >
sun.net.www.protocol.https.HttpsClient.(HttpsClient.java:264) > > at > sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) > > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) > > at > sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105) > > at > sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999) > > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) > > at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283) > > at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258) > > at > sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) > > at > org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141) > > at > org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > > ... > > 2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default > task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, > userId=null, ipAddress=135.252.159.35, > error=identity_provider_login_failure > > Can you help to identify the failure reason? > > Thanks, > > Ming Li > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >
-------------- next part --------------
An HTML attachment was scrubbed...
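One detail worth checking before touching JAVA_OPTS for the proxy Marek mentions: the JVM's default ProxySelector keys its settings by URL scheme. A token URL such as https://github.com/login/oauth/access_token is proxied only when https.proxyHost and https.proxyPort are set; http.proxyHost on its own leaves HTTPS requests going direct, which is consistent with the timeout in the trace above. The same selector applies http.nonProxyHosts to https URLs as well, which is how the server's own token endpoint is kept off the proxy. The program below is an added example, not Keycloak code: it asks the selector what it would do for both URLs from this thread without opening a connection. The proxy host and port are placeholders.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

/**
 * Added example, not Keycloak code. Keycloak's SimpleHttp goes through
 * java.net.HttpURLConnection, which asks the JVM's default ProxySelector for
 * every request; this program queries that selector directly, so no socket is
 * opened and it runs offline. The proxy host/port below are placeholders.
 */
public class ProxyCheck {

    /** Describes the first proxy the JVM would use for the given URL. */
    static String describe(String url) throws Exception {
        List<Proxy> proxies = ProxySelector.getDefault().select(new URI(url));
        Proxy p = proxies.get(0);
        if (p.type() == Proxy.Type.DIRECT) {
            return "DIRECT";
        }
        InetSocketAddress addr = (InetSocketAddress) p.address();
        return p.type() + " via " + addr.getHostString() + ":" + addr.getPort();
    }

    public static void main(String[] args) throws Exception {
        String github = "https://github.com/login/oauth/access_token";
        String local = "https://135.1.34.23:8443/auth/realms/demo/protocol/openid-connect/token";

        // 1. Only the http.* pair set: the https token URL is not proxied at all.
        System.setProperty("http.proxyHost", "proxy.example.internal");
        System.setProperty("http.proxyPort", "8000");
        System.out.println("http.* only    -> github: " + describe(github));

        // 2. HTTPS has its own pair of properties.
        System.setProperty("https.proxyHost", "proxy.example.internal");
        System.setProperty("https.proxyPort", "8000");
        System.out.println("https.* set    -> github: " + describe(github));
        System.out.println("https.* set    -> local : " + describe(local));

        // 3. Keep the server's own endpoints off the proxy. http.nonProxyHosts
        //    is consulted for https URLs too; there is no https.nonProxyHosts.
        System.setProperty("http.nonProxyHosts", "localhost|127.0.0.1|135.1.34.23");
        System.out.println("nonProxyHosts  -> local : " + describe(local));
    }
}
```

Run it once with the property values you intend to put into the WildFly JAVA_OPTS; step 1 should report DIRECT for the GitHub URL and step 3 should report DIRECT for the local token endpoint while the GitHub URL still goes via the proxy. If the server's token endpoint is reached through the proxy instead, the firewall situation described earlier in this list (proxy address blocked from the server itself) produces exactly the kind of timeout shown in the trace.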
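Marek's earlier suggestion in this thread, one truststore that holds both the JRE's well-known CAs and the custom certificate, as an added example (not Keycloak code). It loads a copy of cacerts, adds every certificate from a PEM file under its own alias and writes a new JKS file that the truststore SPI block quoted above can point at. Paths and password are arguments; the `custom-ca` alias prefix and the JKS type (what the Java 8 cacerts in this thread uses) are this example's own assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

/**
 * Added example, not Keycloak code: builds the "both in one file" truststore
 * Marek describes. Starting from the JRE cacerts keeps the public CAs (the one
 * that issued github.com's certificate included); the custom PEM is added on
 * top. Alias prefix and JKS type are assumptions of this example.
 */
public class TruststoreMerge {

    /** Loads a JKS keystore from disk. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Adds every certificate in a PEM bundle as a trusted entry; returns the count added. */
    static int addPem(KeyStore ks, String pemPath, String aliasPrefix) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (InputStream in = new FileInputStream(pemPath)) {
            certs = cf.generateCertificates(in);
        }
        int added = 0;
        for (Certificate c : certs) {
            if (ks.getCertificateAlias(c) != null) {
                continue; // identical certificate already trusted, skip
            }
            ks.setCertificateEntry(aliasPrefix + "-" + added, c);
            added++;
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TruststoreMerge <cacerts> <custom.pem> <out.jks> <password>");
            System.exit(2);
        }
        char[] password = args[3].toCharArray();
        KeyStore ks = load(args[0], password);   // e.g. /usr/java/jre/lib/security/cacerts
        int before = ks.size();
        int added = addPem(ks, args[1], "custom-ca");
        try (OutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, password);
        }
        System.err.println("cacerts entries: " + before + ", custom added: " + added
                + ", total: " + ks.size());
    }
}
```

Point the `"file"` entry of the truststore block in keycloak-server.json at the generated file. Note that the configuration quoted above also sets `"hostname-verification-policy": "ANY"`, which switches hostname verification off entirely; once the trust chain is sorted out, use `WILDCARD` or `STRICT` so that a certificate issued for another host is not accepted on the backchannel.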
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/ecccdad7/attachment-0001.html

From mposolda at redhat.com Wed Jun 8 06:28:19 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 8 Jun 2016 12:28:19 +0200
Subject: [keycloak-user] Performance issues with Federation provider enabled
In-Reply-To:
References:
Message-ID: <5757F343.1040803@redhat.com>

Hi,

what's the keycloak version used? Could you try latest keycloak and check if performance is still the issue?

Marek

On 08/06/16 01:30, Fabricio Milone wrote: > Hi all, > > I sent this email yesterday with 5 or more attachments, so I think it > was blocked or something... here I go again :) > > I've been running load tests on our application during the last few > weeks, and having some performance issues when my custom federator is > enabled. > > The performance issue does not exist when the federator is disabled. > *Configuration*: > > I have a cluster of 2 instances of Keycloak, with a standalone DB, > we've verified the DB isn't an issue when the federator is disabled. > Both instances have a quad core CPU and they are in the same network. > We've left the memory at 512MB. The test script, database and API that > connects to the federator are in separate machines. > *Federator*: > > We have a simple custom federator that makes calls to a very > performant api, which has been tested and is ok. Additionally, we've > tested stubbing the API so the performance is not a problem there. > This federator is using a jaxb marshaller to create a request, again > tested in isolation and is performing well. > > As the federator is doing a lot of calls to the API (3 per login > request), I've implemented an httpclient that uses a > PoolingHttpClientConnectionManager with 1000 connections available to > use, instead of using the standard apache httpclient from http > components. That hasn't improved a bit the performance of the system.
> *Tests*: > It is a gatling scala script that could generate around ~300 (or more) > requests/second to the direct grants login endpoint using random > usernames from a list (all of them already registered using KC). The > script is doing a round robin across both instances of Keycloak with > an even distribution to each KC instance. > The idea is to simulate a load of 300 to 1500 concurrent users trying to > login into our systems. > *Problem*: > > If I run the tests without using a federation I can see a very good > performance, but when I try to run the tests with the custom > federation code, the performance drops from ~150 requests/second to 22 > req/sec using both instances. > Memory wise, it seems to be ok. I've never seen an error related to > memory with this configuration, also if you take a look at the > attached visualVM screenshot you'll see that memory is not a problem > or it seems not to be. > CPU utilisation is very low to my mind, I'd expect more than 80% of > usage or something like that. > There is a method that is leading the CPU samples on VisualVM called > Semaphore.tryAcquire(). Not quite sure what's that for, still > investigating. > > I can see that a lot of new threads are being created when the test > starts, as it creates around 60 requests/second to the direct grants > login call, but it seems to be a bottleneck at some point. > > So I'm wondering if there is some configuration I'm missing on > Keycloak side that could be affecting the cluster performance when a > federator is enabled. Maybe something related to jpa connections, > infinispan configuration or even wildfly. > > I'd really appreciate your help on this one as I'm out of ideas. > > I've attached some screenshots of visualVM and tests results from my > last run today. > > > Sorry for the long email and please let me know if you need further > information.
> > Thank you in advance, > > Regards, > Fab > > -- > *Fabricio Milone* > Developer > * > * > * > Shine Consulting * > > 30/600 Bourke Street > > Melbourne VIC 3000 > > T: 03 8488 9939 > > M: 04 3200 4006 > > > www.shinetech.com /*a*/ passion for excellence > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/7fc66d20/attachment.html From robin1233 at gmail.com Wed Jun 8 14:35:59 2016 From: robin1233 at gmail.com (robinfernandes .) Date: Wed, 8 Jun 2016 14:35:59 -0400 Subject: [keycloak-user] Shibboleth IdP configuration issues with Keycloak as SP In-Reply-To: References: Message-ID: Hi Thomas, The shibboleth that we have configured looks like this (attached are the values for the attribute-resolver & attribute-filters). By keycloak configuration do you mean the export of the metadata? I could attach that as well. Kindly let me know Thanks, Robin On Mon, Jun 6, 2016 at 1:22 PM, Thomas Darimont < thomas.darimont at googlemail.com> wrote: > Hello Robin, > > do you have an example configuration for Shibboleth + Keycloak at hand? > > Cheers, > Thomas > > 2016-06-06 19:18 GMT+02:00 robinfernandes . : > >> Hi All, >> >> We have a situation where the customer is using Shibboleth IdP and >> sending the NAMEID in the transient format to Keycloak which acts as an SP. >> However, we use one of the SAML attributes which is email to store that as >> the username for the user. >> >> However, after the first login, all subsequent logins fail with the error >> "User with username already exists." 
I presume that this is because the >> NAMEID which is transient is associated with that user somehow, and since >> it is transient it is not able to associate that user correctly even though >> we use email as the username? >> >> Any insights on this would be helpful. >> >> Thanks, >> Robin >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/d7d6418b/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: attribute-filter.xml Type: text/xml Size: 2201 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/d7d6418b/attachment-0002.xml -------------- next part -------------- A non-text attachment was scrubbed... Name: attribute-resolver.xml Type: text/xml Size: 5333 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/d7d6418b/attachment-0003.xml From jessec at stytch.com Wed Jun 8 20:05:11 2016 From: jessec at stytch.com (Jesse Chahal) Date: Wed, 8 Jun 2016 17:05:11 -0700 Subject: [keycloak-user] Multi-org salesforce with single realm keycloak Message-ID: Hi, I'm back again. I'm trying to figure out how to scale Identity Providers. We are planning on trying to integrate our App1 with salesforce. A user who logs into salesforce should be able to have a native feel of our App1 within it. To do this we'll probably have to end up building salesforce native apps. For every salesforce organization/licensee we will have to register an Identity provider with keycloak to make sure they can correctly use App1. Some configuration options we came up with are listed below. Has anyone else solved a similar problem?
OPTION 1
########################################################
# Keycloak
# ---> master realm
# ---> realm 1
# --- ---> app1_client (open ID)
# --- ---> salesforce_org1_saml2.0_identity_provider
# --- ---> salesforce_org2_saml2.0_identity_provider
#
# Salesforce
# ---> org1
# ---- ----> salesforce_appX (uses App1)
# ---> org 2
# ---- ----> salesforce_appX (uses App1)
# ---- ----> salesforce_appY (uses App1)
# .....
#
# App 1
# ---> OpenID to realm1 (using adapter)
########################################################
benefits
- single login page
- single realm
cons
- login page with infinite number of identity provider buttons present

OPTION 2
########################################################
# Keycloak
# ---> master realm
# ---> realm 1
# --- ---> app1_client (open ID)
# --- ---> salesforce_org1_saml2.0_identity_provider
# ---> realm 2
# --- ---> app1_client (open ID)
# --- ---> salesforce_org2_saml2.0_identity_provider
#
# Salesforce
# ---> org1
# ---- ----> salesforce_appX (uses App1)
# ---> org 2
# ---- ----> salesforce_appX (uses App1)
# ---- ----> salesforce_appY (uses App1)
# .....
#
# App 1
# ---> OpenID to realm1, realm2, realm#.... (using adapter)
########################################################
benefits
- single salesforce button per login page
- users are more isolated in single realm
cons
- very hard to get App1 to support multiple realms (no adapter or keycloak support)

From anthony.fryer at gmail.com Wed Jun 8 22:01:22 2016 From: anthony.fryer at gmail.com (Anthony Fryer) Date: Thu, 9 Jun 2016 12:01:22 +1000 Subject: [keycloak-user] Fwd: Multi-org salesforce with single realm keycloak In-Reply-To: References: Message-ID: Why do you say "very hard to get App1 to support multiple realms (no adapter or keycloak support)"? Keycloak does provide multi-tenancy support via the KeycloakConfigResolver.
See https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant. The issue would be if your app can't use a keycloak adapter. On Thu, Jun 9, 2016 at 10:05 AM, Jesse Chahal wrote: > Hi, > > I'm back again. I'm trying to figure out how scale Identity Providers. > We are planning on trying to integrate our App1 with salesforce. A > user who logs into salesforce should be able to have a native feel of > our App1 within it. Todo this we'll probably have to end up building > salesforce native apps. For every salesforce organization/licensee we > will have to register an Identity provider with keycloak to make sure > they can correctly use App1. Some configuration options we came up > with are listed below. Has anyone else solved a similar problem? > > OPTION 1 > ######################################################## > # Keycloak > # > # ---> master realm > # > # ---> realm 1 > # > # --- ---> app1_client (open ID) > # > # --- ---> salesforce_org1_saml2.0_identity_provider > # > # --- ---> salesforce_org2_saml2.0_identity_provider > # > # > # > # Salesforce > # > # ---> org1 > # > # ---- ----> salesforce_appX (uses App1) > # > # ---> org 2 > # > # ---- ----> salesforce_appX (uses App1) > # > # ---- ----> salesforce_appY (uses App1) > # > # ..... 
> # > # > # > # App 1 > # > # ---> OpenID to realm1 (using adapter) > # > ######################################################## > benefits > - single login page > - single realm > cons > - login page with infinite number of identity provider buttons present > > > OPTION 2 > ######################################################## > # Keycloak > # > # ---> master realm > # > # ---> realm 1 > # > # --- ---> app1_client (open ID) > # > # --- ---> salesforce_org1_saml2.0_identity_provider > # > # ---> realm 2 > # > # --- ---> app1_client (open ID) > # > # --- ---> salesforce_org2_saml2.0_identity_provider > # > # > # > # Salesforce > # > # ---> org1 > # > # ---- ----> salesforce_appX (uses App1) > # > # ---> org 2 > # > # ---- ----> salesforce_appX (uses App1) > # > # ---- ----> salesforce_appY (uses App1) > # > # ..... > # > # > # > # App 1 > # > # ---> OpenID to realm1, realm2, realm#.... (using adapter) > # > ######################################################## > benefits > - single salesforce button per login page > - users are more isolated in single realm > cons > - very hard to get App1 to support multiple realms (no adapter or > keycloak support) > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160609/621f5b27/attachment.html From snehalata.nagaje at harbingergroup.com Thu Jun 9 01:16:05 2016 From: snehalata.nagaje at harbingergroup.com (Snehalata Nagaje) Date: Thu, 9 Jun 2016 10:46:05 +0530 (IST) Subject: [keycloak-user] clustering error Message-ID: <836403682.2028586.1465449365005.JavaMail.zimbra@harbingergroup.com> Hi All, I have set up keycloak cluster. 
But somehow it is not working, giving error as type=LOGIN_ERROR, realmId=TESTAUTH, clientId=null, userId=null, ipAddress=10.0.13.44, error=expired_code, restart_after_timeout=true error=expired_code, restart_after_timeout=true Thanks, Snehalata -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160609/e0b31511/attachment-0001.html From andrewv at melbpc.org.au Thu Jun 9 02:53:12 2016 From: andrewv at melbpc.org.au (Andrew Voumard) Date: Thu, 9 Jun 2016 06:53:12 +0000 Subject: [keycloak-user] Does Keycloak have any provision for defining role based user associations ? Message-ID: Hi, Suppose I have the following user / role model: 1. A user can have a role of: regular, admin, or super 2. There must be 1 super, and there can be 0..n admin and 0..m regular users 3. A regular user is associated with 1 admin user For this usage model, would there be any way in Keycloak, that I could arbitrarily associate a regular user with an admin user, and then perform REST queries such as "find all regular users for a given admin user", and "find the admin user for a given regular user"? Thanks From felipe.braun at intelbras.com.br Thu Jun 9 07:41:55 2016 From: felipe.braun at intelbras.com.br (Felipe Braun Azambuja) Date: Thu, 9 Jun 2016 08:41:55 -0300 Subject: [keycloak-user] New user, same e-mail Message-ID: <2f370eab-5846-da3e-9750-edd1bd5431a4@intelbras.com.br> Hello all, We have Keycloak connected to our Active Directory (read only), everything working correctly, authenticating our employees. But there is a case that is a little complicated. When someone starts working here as an intern, the user has an employee ID with four digits. If a person is a regular employee, it has five digits. Windows login is made of the first 2 letters of the name, and then the ID number, zero padded, as in *fe001173*.
But there are times that these interns are hired as employees, so the previous account is *disabled* in AD and a new one is created. The problem is that the e-mail address is the same. When this happens, I can't even search the user in Keycloak admin interface, because it says that it already has a user with the same e-mail. The old one is still there, though; but if I go to its details, I can't change the e-mail address, since it tries to sync it back to AD. So far, the solution was changing it directly in the database and restarting Keycloak, which is *not* a good thing to do. Any thoughts on what we could do? Thanks ! -- Felipe Braun Azambuja DBA Tecnologia da Informação e Comunicação (48) 3281 9577 felipe.braun at intelbras.com.br The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.
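The collision Felipe describes, a disabled intern account and a new active employee account in AD carrying the same mail value, can be caught on the directory side before a federation provider imports the entries. What follows is an added example, not Keycloak code and not something posted in this thread: it runs a duplicate-mail check over constructed sample entries (stand-ins for what an LDAP search over the user base returns), using the ACCOUNTDISABLE bit of userAccountControl to separate dead accounts from live ones, and prints the AD bitwise-AND matching-rule filter that excludes disabled accounts. Handing that filter to a federation provider's custom user search filter, if the provider offers one, is an assumption of this example; whether it helps with a user that is already imported is not something the thread establishes. Names such as SAMPLE_ENTRIES and classify_collisions belong to the example.

```python
"""Spot Active Directory accounts that share a mail attribute.

Added example, not Keycloak code and not from this thread. The entries
below are constructed sample data (not real directory records) shaped like
the attributes an LDAP search for user objects would return.
"""
from collections import defaultdict

# Bit 0x2 of userAccountControl is ACCOUNTDISABLE in Active Directory;
# 512 (NORMAL_ACCOUNT) is an enabled user, 514 the same account disabled.
ACCOUNTDISABLE = 0x0002

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) matches when the given
# bit is set in an integer attribute. Negated, it keeps only enabled
# accounts. Using it as a federation provider's custom user search filter is
# an assumption of this example, not something the thread shows.
ENABLED_ONLY_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

# Constructed sample entries: an intern account disabled after the person
# was hired (fe001173) and the new employee account (fe011173) share a mail
# value; maria's two accounts share one too, but both are still enabled.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "fe001173", "mail": "Felipe@example.com", "userAccountControl": 514},
    {"sAMAccountName": "fe011173", "mail": "felipe@example.com", "userAccountControl": 512},
    {"sAMAccountName": "jo000042", "mail": "joao@example.com", "userAccountControl": 512},
    {"sAMAccountName": "ma000007", "mail": "maria@example.com", "userAccountControl": 512},
    {"sAMAccountName": "ma000008", "mail": "maria@example.com", "userAccountControl": 66048},
]


def is_disabled(entry):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(entry["userAccountControl"]) & ACCOUNTDISABLE)


def mail_collisions(entries):
    """Group entries by mail (case-insensitive, as e-mail lookups are) and
    return only the addresses held by more than one account."""
    by_mail = defaultdict(list)
    for entry in entries:
        mail = entry.get("mail")
        if mail:
            by_mail[mail.strip().lower()].append(entry)
    return {mail: accts for mail, accts in by_mail.items() if len(accts) > 1}


def classify_collisions(entries):
    """For each colliding address, separate disabled from enabled accounts.

    A collision is marked resolvable when exactly one account is still
    enabled: excluding disabled accounts from the import leaves the address
    unique. Two enabled accounts with one address need a fix in the
    directory itself, no import filter can pick the right one."""
    report = {}
    for mail, accts in mail_collisions(entries).items():
        disabled = sorted(a["sAMAccountName"] for a in accts if is_disabled(a))
        enabled = sorted(a["sAMAccountName"] for a in accts if not is_disabled(a))
        report[mail] = {
            "disabled": disabled,
            "enabled": enabled,
            "resolvable": len(enabled) == 1,
        }
    return report


def enabled_entries(entries):
    """Client-side equivalent of ENABLED_ONLY_FILTER over the sample data."""
    return [e for e in entries if not is_disabled(e)]


if __name__ == "__main__":
    for mail, info in sorted(classify_collisions(SAMPLE_ENTRIES).items()):
        state = ("resolvable by excluding disabled accounts"
                 if info["resolvable"] else "needs a directory-side fix")
        print(f"{mail}: disabled={info['disabled']} enabled={info['enabled']} -> {state}")
    print("LDAP filter for enabled accounts only:", ENABLED_ONLY_FILTER)
```

Run against the sample data it reports felipe@example.com as resolvable (one disabled and one enabled account) and maria@example.com as needing a directory-side fix, since two enabled accounts share the address and no import filter can choose between them. Against a real directory the same two functions would be fed the result of a search for user objects returning sAMAccountName, mail and userAccountControl.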
From Ming.Li at alcatel-lucent.com Thu Jun 9 09:14:31 2016 From: Ming.Li at alcatel-lucent.com (LI Ming) Date: Thu, 9 Jun 2016 13:14:31 +0000 Subject: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" In-Reply-To: <5757EE82.1000702@redhat.com> References: <81FBAB8F05BC6F418853660D9326281E1F14271D@cnshjmbx03> <575674F8.9050603@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142885@cnshjmbx03> <575680A1.4000907@redhat.com> <81FBAB8F05BC6F418853660D9326281E1F142955@cnshjmbx03> <81FBAB8F05BC6F418853660D9326281E1F142B87@cnshjmbx03> <5757EE82.1000702@redhat.com> Message-ID: <81FBAB8F05BC6F418853660D9326281E1F143189@cnshjmbx03> Marek, After setting https.proxyHost and https.proxyPort of JVM, "Connection timed out" issue is fixed. Thanks, Ming Li From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Wednesday, June 08, 2016 6:08 PM To: LI Ming; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" The keycloak tries to send POST request to the endpoint specified as "token URL" in the configuration. In case of github provider, token URL is set to https://github.com/login/oauth/access_token . TBH I don't know how exactly this works if you are behind proxy. However SimpleHttp class is using standard java.net.HttpURLConnection to send backchannel request and it seems that this is able to read system properties "http.proxyHost" and "http.proxyPort" as Niels pointed. I assume that system properties are working based on the http://stackoverflow.com/questions/1432961/how-do-i-make-httpurlconnection-use-a-proxy (see post from Sean Owen). Marek On 08/06/16 00:04, LI Ming wrote: Marek, Do you have idea on the failure reason ? 
>From the call stack, Keycloak hung at the following function: org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228 In the source code, Keycloak tried to send Post request to the below Url: tokenUrl: https://135.1.34.23:8443/auth/realms/demo/protocol/openid-connect/token It is local token authentication service, why reporting "Connection timed out"? Ming Li From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of LI Ming Sent: Tuesday, June 07, 2016 4:42 PM To: Marek Posolda; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" No, github is not working. BTW, my server needs set http_proxy/https_proxy to access github.com. wget --secure-protocol=TLSv1 github.com --2016-06-07 03:39:02-- http://github.com/ Resolving global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)... 135.245.48.33 Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected. Proxy request sent, awaiting response... 301 Moved Permanently Location: https://github.com/ [following] --2016-06-07 03:39:03-- https://github.com/ Connecting to global.proxy.alcatel-lucent.com (global.proxy.alcatel-lucent.com)|135.245.48.33|:8000... connected. Proxy request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: 'index.html' [ <=> ] 25,508 --.-K/s in 0.03s 2016-06-07 03:39:03 (870 KB/s) - 'index.html' saved [25508] Github.com can be accessible via http proxy. I do not know why keycloak will complain the certificate. From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Tuesday, June 07, 2016 4:07 PM To: LI Ming; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" Hmm... 
is github working for you if you omit the "truststore" configuration in keycloak-server.json and use the default java cacerts file without any changes? Marek On 07/06/16 09:38, LI Ming wrote: Marek, I already set truststore file to the default java certificates file path in keycloak configuration file $KEYCLOAK_HOME/standalone/configuration/keycloak-server.json as below: "truststore": { "file": { "file": "/usr/java/jre/lib/security/cacerts", "password": "changeit", "hostname-verification-policy": "ANY", "disabled": false } } And I put my customer certificate file in it also. Ming Li From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Tuesday, June 07, 2016 3:17 PM To: LI Ming; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] When using Social Identity Provider, it failed with failure "Connection timed out" It seems that's because Keycloak is not able to send backchannel request to github due to github certificate not trusted. Are you using custom truststore set with truststore SPI or with "javax.net.ssl.truststore" system property? I think that by default github SSL certificate is verified by well-known CA, so it shouldn't be the issue to connect to that if you use default Java file with certificates (cacerts). However if you have custom trustore set, then default java cacerts file is possibly not used, so well-known certificates like the one from github are not trusted. We should likely have a solution, which will allow to set custom truststore in addition to default java cacerts file. But until we have it, you probably need to manually create truststore file, where you import both the "well-known" certificates together with your custom certificates. 
Marek On 07/06/16 08:02, LI Ming wrote: Hi, When I setup social identity provider (GitHub) to authenticate the user, it always failed with the below error: 2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) at java.net.Socket.connect(Socket.java:589) at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) at sun.net.NetworkClient.doConnect(NetworkClient.java:180) at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) at sun.net.www.protocol.https.HttpsClient.(HttpsClient.java:264) at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105) at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) at 
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141) at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ... 2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure Can you help to identify the failure reason? Thanks, Ming Li _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160609/28f1012e/attachment-0001.html From nielsbne at gmail.com Thu Jun 9 17:58:14 2016 From: nielsbne at gmail.com (Niels Bertram) Date: Fri, 10 Jun 2016 07:58:14 +1000 Subject: [keycloak-user] New user, same e-mail In-Reply-To: <2f370eab-5846-da3e-9750-edd1bd5431a4@intelbras.com.br> References: <2f370eab-5846-da3e-9750-edd1bd5431a4@intelbras.com.br> Message-ID: Hi Felipe, this topic was discussed some time back on the user forum. Jira KEYCLOAK-2141 has some background information on the issue you are facing. From what I can tell one will have to change the attribute mapping on the LDAP user federation provider to map email to a custom attribute (e.g. contact_email) and then also change the email template to use that field for email distribution instead. Cheers, Niels On Thu, Jun 9, 2016 at 9:41 PM, Felipe Braun Azambuja < felipe.braun at intelbras.com.br> wrote: > Hello all, > > We have Keycloak connected to our Active Directory (read only), > everything working correctly, authenticating our employees. But there is > a case that is a little complicated. > > When someone starts working here as an intern, the user has an employee > ID with four digits.
If a person is a regular employee, it has five > digits. Windows login is made of the first 2 letters of the name, and > then the ID number, zero padded, as in *fe001173*. But there are times > that these interns are hired as employees, so the previous account is > *disabled* in AD and a new one is created. > > The problem is that the e-mail address is the same. When this happens, I > can't even search the user in Keycloak admin interface, because it says > that it already has a user with the same e-mail. The old one is still > there, though; but if I go to its details, I can't change the e-mail > address, since it tries to sync it back to AD. > > So far, the solution was changing it directly in the database and > restarting Keycloak, which is *not* a good thing to do. > > Any thoughts on what we could do? > > > Thanks ! > -- > Felipe Braun Azambuja > DBA > Tecnologia da Informação e Comunicação > (48) 3281 9577 > felipe.braun at intelbras.com.br > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160610/afe2bb26/attachment.html From lrxw at posteo.de Fri Jun 10 03:07:09 2016 From: lrxw at posteo.de (lrxw) Date: Fri, 10 Jun 2016 09:07:09 +0200 Subject: [keycloak-user] SAML request signature Message-ID: <8a8ada0d559d802f89be33767c875c87@posteo.de> Hi all, I'm new to keycloak, but managed to set up keycloak (1.9.2) and realm with a SAML identity provider. Everything seems fine, but the SAML Request sent to my IDP is signed with a RSAKeyValue instead of X509Data. Can anyone help me how to configure keycloak to use a X.509 certificate? Greetings From felipe.braun at intelbras.com.br Fri Jun 10 08:10:34 2016 From: felipe.braun at intelbras.com.br (Felipe Braun Azambuja) Date: Fri, 10 Jun 2016 09:10:34 -0300 Subject: [keycloak-user] New user, same e-mail In-Reply-To: References: <2f370eab-5846-da3e-9750-edd1bd5431a4@intelbras.com.br> Message-ID: <2cf32bc7-6ecf-6208-24a0-7e3db3ce65a1@intelbras.com.br> Hi Niels, I've read the JIRA issue, but it's not _exactly_ the case. The problem I'm facing is because I have two entries with the same address in Active Directory, and I can't change the old one in Keycloak because I have AD federated in read only mode. If I change the 'mail' entry in the AD object, it is not synced again if the data already exists in Keycloak? I did a test now with my own user, and it still shows the old value. On 09/06/2016 18:58, Niels Bertram wrote: > Hi Felipe, > > this topic was discussed some time back on the user forum.
Jira > KEYCLOAK-2141 has some > background information on the issue you are facing. From what I can tell > one will have to change the attribute mapping on the LDAP user > federation provider to map email to a custom attribute (e.g. > contact_email) and then also change the email template to use that field > for email distribution instead. > > Cheers, > Niels > > > On Thu, Jun 9, 2016 at 9:41 PM, Felipe Braun Azambuja > > > wrote: > > Hello all, > > We have Keycloak connected to our Active Directory (read only), > everything working correctly, authenticating our employees. But there is > a case that is a little complicated. > > When someone starts working here as an intern, the user has an employee > ID with four digits. If a person is a regular employee, it has five > digits. Windows login is made of the first 2 letters of the name, and > then the ID number, zero padded, as in *fe001173*. But there are times > that these interns are hired as employees, so the previous account is > *disabled* in AD and a new one is created. > > The problem is that the e-mail address is the same. When this happens, I > can't even search the user in Keycloak admin interface, because it says > that it already has a user with the same e-mail. The old one is still > there, though; but if I go to its details, I can't change the e-mail > address, since it tries to sync it back to AD. > > So far, the solution was changing it directly in the database and > restarting Keycloak, which is *not* a good thing to do. > > Any thoughts on what we could do? > > > Thanks ! > -- > Felipe Braun Azambuja > DBA > Tecnologia da Informação e Comunicação > (48) 3281 9577 > felipe.braun at intelbras.com.br > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Felipe Braun Azambuja DBA Tecnologia da Informação e Comunicação (48) 3281 9577 felipe.braun at intelbras.com.br From bburke at redhat.com Fri Jun 10 09:32:58 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 10 Jun 2016 09:32:58 -0400 Subject: [keycloak-user] SAML request signature In-Reply-To: <8a8ada0d559d802f89be33767c875c87@posteo.de> References: <8a8ada0d559d802f89be33767c875c87@posteo.de> Message-ID: You are using Keycloak as the IDP with a pre-existing SP (client)? Or are you using Keycloak IDP and the Keycloak SAML client adapter? On 6/10/16 3:07 AM, lrxw wrote: > Hi all, > > I'm new to keycloak, but managed to set up keycloak (1.9.2) and realm > with a SAML identity provider. Everything seems fine, but the SAML > Request sent to my IDP is signed with a RSAKeyValue instead of X509Data. > Can anyone help me how to configure keycloak to use a X.509 certificate? > > Greetings > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From adilelfahmi at gmail.com Fri Jun 10 11:25:54 2016 From: adilelfahmi at gmail.com (Harits Elfahmi) Date: Fri, 10 Jun 2016 22:25:54 +0700 Subject: [keycloak-user] Google Login Email Verification Error on Sending Message-ID: Hello all, We tried to integrate keycloak with google login, and to reauthenticate we send email verification to the user email. But when we tried the google login process: login --> add existing user --> email failed to send with the following error: http://pastebin.com/eqytRtFp Anyone know why this happens? Tried to find similar problems on google but can't find any. We use sendpulse.com as the SMTP server (with SSL), and in the login setting we use enable request SSL for all requests, if that matters. Thanks!
-- Cheers, *Harits* Elfahmi -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160610/06727e23/attachment.html From jessec at stytch.com Fri Jun 10 14:43:18 2016 From: jessec at stytch.com (Jesse Chahal) Date: Fri, 10 Jun 2016 11:43:18 -0700 Subject: [keycloak-user] Fwd: Multi-org salesforce with single realm keycloak In-Reply-To: References: Message-ID: The keycloak config resolver works well when all realms are known in advance. I was trying to imply in my diagram that all realms are not known in advance as realms are going to be created for new customers on demand. Doing a new production deployment whenever a SaaS product has a new customer added is not a feasible solution. On Wed, Jun 8, 2016 at 7:01 PM, Anthony Fryer wrote: > Why do you say "very hard to get App1 to support multiple realms (no adapter > or keycloak support)"? > > Keycloak does provide multi-tenancy support via the KeycloakConfigResolver. > See https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant. > > The issue would be if your app can't use a keycloak adapter. > > On Thu, Jun 9, 2016 at 10:05 AM, Jesse Chahal wrote: >> >> Hi, >> >> I'm back again. I'm trying to figure out how scale Identity Providers. >> We are planning on trying to integrate our App1 with salesforce. A >> user who logs into salesforce should be able to have a native feel of >> our App1 within it. Todo this we'll probably have to end up building >> salesforce native apps. For every salesforce organization/licensee we >> will have to register an Identity provider with keycloak to make sure >> they can correctly use App1. Some configuration options we came up >> with are listed below. Has anyone else solved a similar problem? 
>>
>> OPTION 1
>> ########################################################
>> # Keycloak
>> # ---> master realm
>> # ---> realm 1
>> # --- ---> app1_client (open ID)
>> # --- ---> salesforce_org1_saml2.0_identity_provider
>> # --- ---> salesforce_org2_saml2.0_identity_provider
>> #
>> # Salesforce
>> # ---> org1
>> # ---- ----> salesforce_appX (uses App1)
>> # ---> org 2
>> # ---- ----> salesforce_appX (uses App1)
>> # ---- ----> salesforce_appY (uses App1)
>> # .....
>> #
>> # App 1
>> # ---> OpenID to realm1 (using adapter)
>> ########################################################
>> benefits
>> - single login page
>> - single realm
>> cons
>> - login page with infinite number of identity provider buttons present
>>
>>
>> OPTION 2
>> ########################################################
>> # Keycloak
>> # ---> master realm
>> # ---> realm 1
>> # --- ---> app1_client (open ID)
>> # --- ---> salesforce_org1_saml2.0_identity_provider
>> # ---> realm 2
>> # --- ---> app1_client (open ID)
>> # --- ---> salesforce_org2_saml2.0_identity_provider
>> #
>> # Salesforce
>> # ---> org1
>> # ---- ----> salesforce_appX (uses App1)
>> # ---> org 2
>> # ---- ----> salesforce_appX (uses App1)
>> # ---- ----> salesforce_appY (uses App1)
>> # .....
>> #
>> # App 1
>> # ---> OpenID to realm1, realm2, realm#.... (using adapter)
>> ########################################################
>> benefits
>> - single salesforce button per login page
>> - users are more isolated in single realm
>> cons
>> - very hard to get App1 to support multiple realms (no adapter or
>> keycloak support)

From rllavallee at hotmail.com Fri Jun 10 18:59:21 2016
From: rllavallee at hotmail.com (Richard Lavallee)
Date: Fri, 10 Jun 2016 22:59:21 +0000
Subject: [keycloak-user] how to get keycloak to connect to tomcat via saml ?

Please advise: how to get keycloak to connect to tomcat via saml ?

Instructions? Video?

-Richard

From bburke at redhat.com Fri Jun 10 19:58:06 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 10 Jun 2016 19:58:06 -0400
Subject: [keycloak-user] how to get keycloak to connect to tomcat via saml ?

keycloak.org/docs

On 6/10/16 6:59 PM, Richard Lavallee wrote:
> Please advise: how to get keycloak to connect to tomcat via saml ?
>
> Instructions? Video?
>
> -Richard
From anthony.fryer at gmail.com Fri Jun 10 22:15:44 2016
From: anthony.fryer at gmail.com (Anthony Fryer)
Date: Sat, 11 Jun 2016 12:15:44 +1000
Subject: [keycloak-user] Fwd: Multi-org salesforce with single realm keycloak

You can implement a dynamic keycloak config resolver that can work with realms not known in advance. I've just been doing exactly the same thing. My requirement was to use the host name to identify a realm, so tenanta.mydomain.com/my-client would use realm "tenanta", tenantb.mydomain.com/my-client would use "tenantb" etc and realms could be created dynamically and my-client would immediately work with those new realms without requiring a reboot or re-configuration.

There are different KeycloakConfigResolver implementations you can use to do this, depending on your client configuration. If the client is configured as public (no client secret) or if the client secret for the application is the same in each realm, then you can use a keycloak template for configuration. So you could deploy a WEB-INF/keycloak-template.json file which looks something like this...

{
  "realm": "tenantA",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA07H+1raA8G5lU9II9GwQ1r2yXzSeBpEC6Lz822iB+oZGi36KC6caVOyi1IVIWB/ZnxxoC8AHsn4ASYJnYUMNTjRvK9nwHCP825LD3nHFBHyQ0gUHBELRi6ZvmOu3TnyiIlnR2SCxwmND5ifgtDfKwldcdCTNWqJG5MkcOimhDEiZYLOrShH5pCcEkPE5JBj0GDGYs9AcUT8/OrJEvInVAfnMMxvzZfXhJQlXnq0HbkGPNL2LMq66bmfI7OTzWKpIIoa24DOcxvu5FEqnnfhEZ+RkhfrVVe876T7Jx9f128xOTAYgi98515+xeFGei1Qer1IJCtnE5vICKKVtDdJg1wIDAQAB",
  "auth-server-url": "https://keycloak.mydomain.com/auth",
  "ssl-required": "none",
  "resource": "my-client",
  "public-client": true
}

The KeycloakConfigResolver would use this template for each realm and just overwrite the "realm" and "realm-public-key" values with the real values.

To get those real values, the KeycloakConfigResolver would first work out the realm name. In my case, I derive the realm name from the hostname, so tenanta.mydomain.com would indicate "tenanta" was being used. Once you have derived the realm name, then you can do a http get request to http:///auth/realms/ (eg. https://keycloak.mydomain.com/auth/realms/tenanta). This endpoint isn't secured and returns something similar to the following...

{
  "realm": "tenantA",
  "public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA07H+1raA8G5lU9II9GwQ1r2yXzSeBpEC6Lz822iB+oZGi36KC6caVOyi1IVIWB/ZnxxoC8AHsn4ASYJnYUMNTjRvK9nwHCP825LD3nHFBHyQ0gUHBELRi6ZvmOu3TnyiIlnR2SCxwmND5ifgtDfKwldcdCTNWqJG5MkcOimhDEiZYLOrShH5pCcEkPE5JBj0GDGYs9AcUT8/OrJEvInVAfnMMxvzZfXhJQlXnq0HbkGPNL2LMq66bmfI7OTzWKpIIoa24DOcxvu5FEqnnfhEZ+RkhfrVVe876T7Jx9f128xOTAYgi98515+xeFGei1Qer1IJCtnE5vICKKVtDdJg1wIDAQAB",
  "token-service": "https://keycloak.mydomain.com/auth/realms/tenantA/protocol/openid-connect",
  "account-service": "https://keycloak.mydomain.com/auth/realms/tenantA/account",
  "admin-api": "https://keycloak.mydomain.com/auth/admin",
  "tokens-not-before": 0
}

The KeycloakConfigResolver then uses the "realm" and "public_key" values from that response, overrides the values from the keycloak-template.json file to create the KeycloakDeployment (using KeycloakDeploymentBuilder).

If your client isn't public and the client-secret differs and isn't known in advance, then this solution wouldn't work. In that case, another solution can be used which is slightly more complicated. The idea is the KeycloakConfigResolver does the following...

1/ Get a token for the admin-cli client in the "master" realm. This may require configuring a username and password that can be used to obtain this token.
2/ Use the rest api to get a list of clients in the requested realm (ie. http get to http:///auth/admin/realms/{realm}/clients using a Bearer token obtained from step 1
3/ Iterate through the list and find the Client you're interested in (ie. client.getClientId().equals("my-client") ). You need the client UID identifier from this.
4/ Use the rest api to get the keycloak deployment installation file by doing a GET to http:///auth/admin/realms/{realm}/clients/{client-uid}/installation/providers/keycloak-oidc-keycloak-json, using the Bearer token from step 1 and the client UID from step 3. Then use KeycloakDeploymentBuilder on the response body returned from this service.

Regards,
Anthony

On 04:43, Sat, 11/06/2016 Jesse Chahal wrote:
> The keycloak config resolver works well when all realms are known in
> advance. I was trying to imply in my diagram that all realms are not
> known in advance as realms are going to be created for new customers
> on demand. Doing a new production deployment whenever a SaaS product
> has a new customer added is not a feasible solution.
>
> On Wed, Jun 8, 2016 at 7:01 PM, Anthony Fryer wrote:
> > Why do you say "very hard to get App1 to support multiple realms (no
> > adapter or keycloak support)"?
> >
> > Keycloak does provide multi-tenancy support via the KeycloakConfigResolver.
> > See https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant.
> >
> > The issue would be if your app can't use a keycloak adapter.
> >
> > On Thu, Jun 9, 2016 at 10:05 AM, Jesse Chahal wrote:
> >>
> >> Hi,
> >>
> >> I'm back again. I'm trying to figure out how to scale Identity Providers.
> >> We are planning on trying to integrate our App1 with salesforce. A
> >> user who logs into salesforce should be able to have a native feel of
> >> our App1 within it. To do this we'll probably have to end up building
> >> salesforce native apps. For every salesforce organization/licensee we
> >> will have to register an Identity provider with keycloak to make sure
> >> they can correctly use App1. Some configuration options we came up
> >> with are listed below. Has anyone else solved a similar problem?
> >>
> >> OPTION 1
> >> ########################################################
> >> # Keycloak
> >> # ---> master realm
> >> # ---> realm 1
> >> # --- ---> app1_client (open ID)
> >> # --- ---> salesforce_org1_saml2.0_identity_provider
> >> # --- ---> salesforce_org2_saml2.0_identity_provider
> >> #
> >> # Salesforce
> >> # ---> org1
> >> # ---- ----> salesforce_appX (uses App1)
> >> # ---> org 2
> >> # ---- ----> salesforce_appX (uses App1)
> >> # ---- ----> salesforce_appY (uses App1)
> >> # .....
> >> #
> >> # App 1
> >> # ---> OpenID to realm1 (using adapter)
> >> ########################################################
> >> benefits
> >> - single login page
> >> - single realm
> >> cons
> >> - login page with infinite number of identity provider buttons present
> >>
> >>
> >> OPTION 2
> >> ########################################################
> >> # Keycloak
> >> # ---> master realm
> >> # ---> realm 1
> >> # --- ---> app1_client (open ID)
> >> # --- ---> salesforce_org1_saml2.0_identity_provider
> >> # ---> realm 2
> >> # --- ---> app1_client (open ID)
> >> # --- ---> salesforce_org2_saml2.0_identity_provider
> >> #
> >> # Salesforce
> >> # ---> org1
> >> # ---- ----> salesforce_appX (uses App1)
> >> # ---> org 2
> >> # ---- ----> salesforce_appX (uses App1)
> >> # ---- ----> salesforce_appY (uses App1)
> >> # .....
> >> #
> >> # App 1
> >> # ---> OpenID to realm1, realm2, realm#....
> >> (using adapter)
> >> ########################################################
> >> benefits
> >> - single salesforce button per login page
> >> - users are more isolated in single realm
> >> cons
> >> - very hard to get App1 to support multiple realms (no adapter or
> >> keycloak support)

From kiwi.mec at gmail.com Sat Jun 11 00:39:25 2016
From: kiwi.mec at gmail.com (Michael Chester)
Date: Sat, 11 Jun 2016 04:39:25 +0000
Subject: [keycloak-user] Is there a good JWK authorisation grant example?

Hi all,

Could someone please point me in the direction of some sample code, preferably Java, that illustrates a client generated JWT being used as a or to generate an access token from Keycloak.

This page http://blog.keycloak.org/2015/10/authentication-of-clients-with-signed.html seemed to be a good start. But the link to documentation was dead. So far I have been unable to Google a good code example.

Thank you.

Regards,
Michael Chester
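As an added illustration of the host-name based, template-driven resolver that Anthony Fryer describes two messages up (the public-client case), here is a resolver written for this archive page; it is not code from his post or from the Keycloak project. It assumes the Keycloak 1.x adapter SPI (org.keycloak.adapters.KeycloakConfigResolver, org.keycloak.adapters.spi.HttpFacade, KeycloakDeploymentBuilder.build(AdapterConfig)), that the keycloak-template.json from his message is on the classpath as /keycloak-template.json, that a host such as tenanta.mydomain.com selects realm "tenanta", and that realm names contain only lower-case letters, digits and hyphens. The class name HostnameRealmConfigResolver, the allow-list pattern and the per-realm cache are my own additions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.regex.Pattern;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;

/**
 * Hypothetical resolver (added example, not Keycloak's or the poster's code):
 * derives the realm from the request host, fetches the realm's public key
 * from the unauthenticated /auth/realms/{realm} endpoint and builds a
 * KeycloakDeployment from the shared keycloak-template.json.
 */
public class HostnameRealmConfigResolver implements KeycloakConfigResolver {

    // Assumption: realm names are restricted to this alphabet. The Host header
    // is client-supplied, so only an allow-listed label may reach the URL below.
    private static final Pattern REALM_LABEL = Pattern.compile("[a-z0-9-]{1,64}");
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // resolve() runs on every request; building (and fetching) once per realm
    // keeps the auth server out of the request path after the first hit.
    private final ConcurrentMap<String, KeycloakDeployment> deployments = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String realm = realmFromHost(request.getHeader("Host"));
        return deployments.computeIfAbsent(realm, this::buildDeployment);
    }

    /** "tenanta.mydomain.com:8443" -> "tenanta"; anything outside the allow-list is rejected. */
    static String realmFromHost(String host) {
        if (host == null) {
            throw new IllegalArgumentException("missing Host header");
        }
        String label = host.split(":", 2)[0].split("\\.", 2)[0].toLowerCase();
        if (!REALM_LABEL.matcher(label).matches()) {
            throw new IllegalArgumentException("host does not map to a realm: " + host);
        }
        return label;
    }

    private KeycloakDeployment buildDeployment(String realm) {
        try {
            AdapterConfig config = loadTemplate();
            JsonNode realmInfo = fetchRealmInfo(config.getAuthServerUrl(), realm);
            // Only these two values differ per tenant; everything else comes from the template.
            config.setRealm(realmInfo.get("realm").asText());
            config.setRealmKey(realmInfo.get("public_key").asText());
            return KeycloakDeploymentBuilder.build(config);
        } catch (IOException e) {
            throw new IllegalStateException("cannot resolve deployment for realm " + realm, e);
        }
    }

    /** Reads the template shipped with the application (assumed classpath location). */
    private static AdapterConfig loadTemplate() throws IOException {
        try (InputStream in = HostnameRealmConfigResolver.class.getResourceAsStream("/keycloak-template.json")) {
            if (in == null) {
                throw new IOException("/keycloak-template.json not found on classpath");
            }
            return MAPPER.readValue(in, AdapterConfig.class);
        }
    }

    /** GET {auth-server-url}/realms/{realm}; the endpoint needs no credentials. */
    private static JsonNode fetchRealmInfo(String authServerUrl, String realm) throws IOException {
        URL url = new URL(authServerUrl + "/realms/" + realm);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty("Accept", "application/json");
        if (conn.getResponseCode() != 200) {
            throw new IOException("realm lookup failed with HTTP " + conn.getResponseCode());
        }
        try (InputStream in = conn.getInputStream()) {
            JsonNode node = MAPPER.readTree(in);
            if (node.get("realm") == null || node.get("public_key") == null) {
                throw new IOException("realm response lacks realm/public_key");
            }
            return node;
        }
    }
}
```

Two points worth keeping in mind with this design: the realm label is taken from an attacker-controlled header, so the allow-list check is what stops arbitrary path segments from being sent to the auth server; and because deployments are cached per realm, the cache has to be dropped (or given a TTL) whenever a realm's key is regenerated, otherwise that node keeps verifying tokens against the old key until it is restarted.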
From jahenao at itroisolutions.com Sat Jun 11 02:58:39 2016
From: jahenao at itroisolutions.com (Jairo Henao)
Date: Sat, 11 Jun 2016 06:58:39 +0000
Subject: [keycloak-user] Getting the user email before delete it

Hello community:

I have a listener that is pending when an administrator deletes a user. How can I get the user email? Apparently I can only get his ID, but I need his email to delete it in HubSpot. Is there something like a pre-delete event?

Thanks,

Jairo Henao Rojas
IT ROI Solutions
Software Architect
Mobile : 314-738-6032
Office Colombia: + (571) 381-9185
Office Mexico: + 52-81-4624-4468
Office Chile: + 5622-582-2257
Office USA: 954-518-3330
Office Canada: 604-998-2280
jahenao at itroisolutions.com
From rsoares at redhat.com Sat Jun 11 19:10:45 2016
From: rsoares at redhat.com (Rafael Soares)
Date: Sat, 11 Jun 2016 20:10:45 -0300
Subject: [keycloak-user] Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation

I'm testing Keycloak LDAP User Federation with FreeIPA iDM Server. I'm using the same environment used by @mposolda [1] with the @adelton's FreeIPA Docker container image [2].

The integration (KC and FreeIPA) worked fine except for the sync for new users created on KC side (new registrations). When I enable the 'Sync Registrations' on the 'freeipa-ldap' User Federation and then try to add a new user using the KC Web Console I get the following error:

[screenshot attachment: kc_add_new_user_error.png]
KC server.log in TRACE mode:

2016-06-11 22:33:37,568 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) returning new cache adapter
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No origin returning
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) query null
2016-06-11 22:33:37,571 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) model from delegate null
2016-06-11 22:33:37,571 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-5) Using filter for LDAP search: (&(mail=kc_user1 at example.test)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: account
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) Creating entry [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) objectclass = person
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) givenname =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) sn =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) cn =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/admin/realms/freeipa/users: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: Error creating subcontext [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    ... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute "uid" not allowed ]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
    ... 57 more

FreeIPA Server ldap srv log:

tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
[11/Jun/2016:22:33:37 +0000] - Entry "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid" not allowed

----

It appears the FreeIPA LDAP server is refusing the attribute 'UID'. Interestingly, the FreeIPA 'user_add' API operation states the 'uid' attribute is required:

[screenshot attachment: freeipa_api_user_add.png]

I tried to add a new user manually using the FreeIPA CLI and it worked fine. See the FreeIPA CLI output:

[root at ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]

Add a new user.

Options:
  -h, --help            show this help message and exit
  --first=STR           First name
  --last=STR            Last name
  --cn=STR              Full name
  --displayname=STR     Display name
  --initials=STR        Initials
  --homedir=STR         Home directory
  --gecos=STR           GECOS
  --shell=STR           Login shell
  --principal=STR       Kerberos principal
  --principal-expiration=DATETIME
                        Kerberos principal expiration
  --email=STR           Email address
  --password            Prompt to set the user password
  --random              Generate a random user password
  --uid=INT             User ID Number (system will assign one if not provided)
  --gidnumber=INT       Group ID Number
  --street=STR          Street address
  --city=STR            City
  --state=STR           State/Province
  --postalcode=STR      ZIP
  --phone=STR           Telephone Number
  --mobile=STR          Mobile Telephone Number
  --pager=STR           Pager Number
  --fax=STR             Fax Number
  --orgunit=STR         Org. Unit
  --title=STR           Job Title
  --manager=STR         Manager
  --carlicense=STR      Car License
  --sshpubkey=STR       SSH public key
  --user-auth-type=['password', 'radius', 'otp']
                        Types of supported user authentication
  --class=STR           User category (semantics placed on this attribute are for local interpretation)
  --radius=STR          RADIUS proxy configuration
  --radius-username=STR RADIUS proxy username
  --departmentnumber=STR
                        Department Number
  --employeenumber=STR  Employee Number
  --employeetype=STR    Employee Type
  --preferredlanguage=STR
                        Preferred Language
  --certificate=BYTES   Base-64 encoded server certificate
  --setattr=STR         Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  --noprivate           Don't create user private group
  --all                 Retrieve and print all attributes from the server. Affects command output.
  --raw                 Print entries as stored on the server. Only affects output format.
[root at ipa /]# ipa user-add ipa_user3 --first 'IPA 3' --last 'User3' --email 'ipa_user3 at example.test' --all --raw
----------------------
Added user "ipa_user3"
----------------------
  dn: uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
  uid: ipa_user3
  givenname: IPA 3
  sn: User3
  cn: IPA 3 User3
  initials: IU
  homedirectory: /home/ipa_user3
  gecos: IPA 3 User3
  loginshell: /bin/sh
  mail: ipa_user3 at example.test
  uidnumber: 753200006
  gidnumber: 753200006
  has_password: FALSE
  has_keytab: FALSE
  displayName: IPA 3 User3
  ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
  krbPrincipalName: ipa_user3 at EXAMPLE.TEST
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
  mepManagedEntry: cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
  objectClass: ipaSshGroupOfPubKeys
  objectClass: ipaobject
  objectClass: mepOriginEntry
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount

Can someone help me find what is wrong on the KC side? Maybe the KC mappers mechanism?

Thanks in advance.

[1] https://github.com/mposolda/keycloak-freeipa-docker
[2] https://hub.docker.com/r/adelton/freeipa-server/

--
___
Rafael T. C. Soares
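The two logs above agree on the cause once they are read together: Keycloak asked the directory to create an entry whose only object class is person, and the standard person class neither allows uid (the RDN attribute) nor givenName; FreeIPA's own user-add, by contrast, stacks inetorgperson, posixaccount and friends on the same entry. The following script, added here as an illustration and not taken from the post or from Keycloak, parses the LDAPOperationManager TRACE lines quoted above and checks the would-be entry against a constructed subset of the standard object-class definitions (person, organizationalPerson, inetOrgPerson, posixAccount), then repeats the check for an entry shaped like FreeIPA's own. The SCHEMA table, the regular expressions and the FIXED_ATTRS values are my own constructions and cover only the attributes needed here; FreeIPA's real schema is larger.

```python
"""Schema check reproducing the 'attribute "uid" not allowed' error above.

Added example (not Keycloak's or the poster's code). SCHEMA is a constructed
subset of the standard LDAP object classes; it is enough to show why an entry
with objectclass=person only cannot carry uid or givenname.
"""
import re

# Constructed subset: class -> (superior class, MUST attributes, MAY attributes),
# attribute names lower-cased. Only attributes relevant to the post are listed.
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(),
                             {"title", "ou", "l", "st", "street", "postalcode"}),
    "inetorgperson": ("organizationalperson", set(),
                      {"uid", "mail", "givenname", "displayname", "initials"}),
    "posixaccount": ("top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
}

# TRACE lines taken verbatim from the Keycloak server.log quoted in the post.
TRACE = """\
2016-06-11 22:33:37,581 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) Creating entry [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) objectclass = person
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) givenname =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) sn =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) cn =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) ]
"""

ENTRY_RE = re.compile(r"Creating entry \[(?P<dn>[^\]]+)\] with attributes: \[$")
ATTR_RE = re.compile(r"\) (?P<name>[A-Za-z][\w-]*) =\s*(?P<value>.*)$")


def parse_create_trace(log):
    """Return (dn, {attribute: [values]}) for the entry Keycloak tried to add."""
    dn, attrs, inside = None, {}, False
    for line in log.splitlines():
        line = line.rstrip()
        m = ENTRY_RE.search(line)
        if m:
            dn, inside = m.group("dn"), True
            continue
        if not inside:
            continue
        if line.endswith(" ]"):          # closing bracket of the attribute list
            break
        m = ATTR_RE.search(line)
        if m:
            attrs.setdefault(m.group("name").lower(), []).append(m.group("value"))
    return dn, attrs


def allowed_attributes(object_classes):
    """Union of MUST and MAY over the given classes and their superior chains."""
    must, may, seen = set(), set(), set()
    pending = [c.lower() for c in object_classes]
    while pending:
        oc = pending.pop()
        if oc in seen:
            continue
        seen.add(oc)
        if oc not in SCHEMA:
            raise KeyError("object class not in constructed schema: " + oc)
        superior, m, o = SCHEMA[oc]
        must |= m
        may |= o
        if superior:
            pending.append(superior)
    return must, may


def check_entry(dn, attrs):
    """Problems a schema-checking directory server would report; [] if none."""
    classes = attrs.get("objectclass", [])
    must, may = allowed_attributes(classes)
    allowed = must | may
    problems = []
    rdn_attr = dn.split(",", 1)[0].split("=", 1)[0].strip().lower()
    if rdn_attr not in allowed:                 # the error FreeIPA logged above
        problems.append('attribute "%s" not allowed (RDN of %s)' % (rdn_attr, dn))
    for name, values in attrs.items():
        if name not in allowed:
            problems.append('attribute "%s" not allowed by object classes %s' % (name, classes))
        elif all(v == "" for v in values):      # empty DirectoryString values are rejected too
            problems.append('attribute "%s" has an empty value' % name)
    # The RDN value is supplied by the DN itself, so it is not counted as missing.
    for name in sorted(must - set(attrs) - {rdn_attr, "objectclass"}):
        problems.append('required attribute "%s" missing' % name)
    return problems


# Constructed entry shaped like the one FreeIPA's own user-add produced above.
FIXED_ATTRS = {
    "objectclass": ["top", "person", "organizationalperson", "inetorgperson", "posixaccount"],
    "uid": ["kc_user1"], "givenname": ["KC"], "sn": ["User1"], "cn": ["KC User1"],
    "mail": ["kc_user1@example.test"], "homedirectory": ["/home/kc_user1"],
    "uidnumber": ["753200007"], "gidnumber": ["753200007"], "loginshell": ["/bin/sh"],
}

if __name__ == "__main__":
    dn, attrs = parse_create_trace(TRACE)
    for p in check_entry(dn, attrs):
        print("keycloak entry:", p)
    print("fixed entry:", check_entry(dn, FIXED_ATTRS) or "ok")
```

Run as is, the script reports the uid and givenname violations for the entry Keycloak built, plus the empty sn and cn values that would be the next rejection, and reports no problems for the FreeIPA-shaped entry. The object classes Keycloak writes on registration come from the LDAP provider's user object classes setting, so that list, together with mappers that actually populate sn and cn, is the place to look on the KC side.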
From thomas_connolly at yahoo.com Mon Jun 13 01:57:21 2016
From: thomas_connolly at yahoo.com (Thomas Connolly)
Date: Mon, 13 Jun 2016 05:57:21 +0000 (UTC)
Subject: [keycloak-user] Performance issues with Federation provider enabled
References: <315000034.1945497.1465797441058.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <315000034.1945497.1465797441058.JavaMail.yahoo@mail.yahoo.com>

Hi Marek

I'm working with Fabricio on the federation performance issues with Keycloak. In answer to your question we are using the latest KC 1.9.7 version (we upgraded this week from 1.9.2).

To give you some indication, we are running a gatling direct access login test (results below). As you can see below in (1) using KC out of the box. Great performance - we saw 110 tx per sec on a 4 core system. In scenario (2) using a stubbed federator (simply an echo plugin not connecting to any back end services), performance is unacceptable.

1) Not using the federator - Stub federator (disabled) - while 29 tx per second we could easily get to a stable 110 tx per second.

    300 Users (hitting single server)
    ---- Global Information --------------------------------------------------------
    > request count                                       9185 (OK=9185   KO=0     )
    > min response time                                     18 (OK=18     KO=-     )
    > max response time                                    723 (OK=723    KO=-     )
    > mean response time                                    27 (OK=27     KO=-     )
    > std deviation                                         44 (OK=44     KO=-     )
    > response time 50th percentile                         20 (OK=20     KO=-     )
    > response time 75th percentile                         21 (OK=21     KO=-     )
    > mean requests/sec                                 29.626 (OK=29.626 KO=-     )
    ---- Response Time Distribution ------------------------------------------------
    > t < 800 ms                                          9185 (100%)
    > 800 ms < t < 1200 ms                                   0 (  0%)
    > t > 1200 ms                                            0 (  0%)
    > failed                                                 0 (  0%)

2) Stub federator (enabled) - if we brought the test down to 12 tx per second (about 90 users) the response times dropped to < 1200 ms response times, however not even close to meeting our acceptance criteria.

    300 Users (hitting single server)
    ---- Global Information --------------------------------------------------------
    > request count                                       8496 (OK=8496   KO=0     )
    > min response time                                    511 (OK=511    KO=-     )
    > max response time                                  11191 (OK=11191  KO=-     )
    > mean response time                                  6832 (OK=6832   KO=-     )
    > std deviation                                       2329 (OK=2329   KO=-     )
    > response time 50th percentile                       7194 (OK=7194   KO=-     )
    > response time 75th percentile                       8690 (OK=8690   KO=-     )
    > mean requests/sec                                 27.404 (OK=27.404 KO=-     )
    ---- Response Time Distribution ------------------------------------------------
    > t < 800 ms                                           154 (  2%)
    > 800 ms < t < 1200 ms                                  85 (  1%)
    > t > 1200 ms                                         8257 ( 97%)
    > failed                                                 0 (  0%)

This is currently a show stopper for us and is blocking our path to production. Do you run similar tests and how can we help you optimise the performance?

Regards
Tom.
Date: Wed, 8 Jun 2016 12:28:19 +0200 From: Marek Posolda Subject: Re: [keycloak-user] Performance issues with Federation ??? provider enabled To: Fabricio Milone ,??? keycloak-user ??? Message-ID: <5757F343.1040803 at redhat.com> Content-Type: text/plain; charset="windows-1252" Hi, what's the keycloak version used? Could you try latest keycloak and check if performance is still the issue? Marek On 08/06/16 01:30, Fabricio Milone wrote: > Hi all, > > I sent this email yesterday with 5 or more attachments, so I think it > was blocked or something... here I go again :) > > I've been running load tests on our application during the last few > weeks, and having some performance issues when my custom federator is > enabled. > > The performance issue does not exist when the federator is disabled. > *Configuration*: > > I have a cluster of 2 instances of Keycloak, with a standalone DB, > we've verified the DB isn't an issue when the federator is disabled. > Both instances have a quad core CPU and they are in the same network. > We?ve left the memory at 512MB. The test script, database and API that > connects to the federator are in separate machines. > *Federator*: > > We have a simple custom federator that makes calls to a very > performant api, which has been tested and is ok. Additionally, we've > tested stubbing the API so the performance is not a problem there. > This federator is using a jaxb marshaller to create a request, again > tested in isolation and is performing well. > > As the federator is doing a lot of calls to the API (3 per login > request), I've implemented a httpclient that uses a > PoolingHttpClientConnectionManager with 1000 connections available to > use, instead of using the standard apache httpclient from http > components. That hasn't improved a bit the performance of the system. 
> *Tests*:
>
> It is a gatling scala script that could generate around ~300 (or more) requests/second to the direct grants login endpoint using random usernames from a list (all of them already registered using KC). The script is doing a round robin across both instances of Keycloak with an even distribution to each KC instance. The idea is to simulate a load of 300 to 1500 concurrent users trying to login into our systems.
>
> *Problem*:
>
> If I run the tests without using a federation I can see a very good performance, but when I try to run the tests with the custom federation code, the performance drops from ~150 requests/second to 22 req/sec using both instances.
>
> Memory wise, it seems to be ok. I've never seen an error related to memory with this configuration, also if you take a look at the attached visualVM screenshot you'll see that memory is not a problem or it seems not to be.
>
> CPU utilisation is very low to my mind, I'd expect more than 80% of usage or something like that.
>
> There is a method that is leading the CPU samples on VisualVM called Semaphore.tryAcquire(). Not quite sure what's that for, still investigating.
>
> I can see that a lot of new threads are being created when the test starts, as it creates around 60 requests/second to the direct grants login call, but it seems to be a bottleneck at some point.
>
> So I'm wondering if there is some configuration I'm missing on Keycloak side that could be affecting the cluster performance when a federator is enabled. Maybe something related to jpa connections, infinispan configuration or even wildfly.
>
> I'd really appreciate your help on this one as I'm out of ideas.
>
> I've attached some screenshots of visualVM and tests results from my last run today.
>
> Sorry for the long email and please let me know if you need further information.
>
> Thank you in advance,
>
> Regards,
> Fab
>
> --
> *Fabricio Milone*
> Developer

From sthorger at redhat.com Mon Jun 13 03:23:29 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 13 Jun 2016 09:23:29 +0200
Subject: [keycloak-user] How to apply updates to keycloak instances
In-Reply-To:
References: <87CBA013-76D9-4A1D-B64D-70FF432D8720@smartling.com> <097F53B6-6373-4E88-BF9F-8E1808B6295E@smartling.com> <981E7D4A-6A00-47DC-9BD1-166C2C922E3F@smartling.com>
Message-ID:

Adding list back..

I don't see much value in a solution that doesn't also consider changes done directly through admin console and/or admin endpoints. A proper solution would use something along the lines of Liquibase/Git to have all changes versioned and applied serially. That way they can be reproduced fully.

On 10 June 2016 at 21:03, Jesse Chahal wrote:
> I've been thinking about this problem for a while and so far the solutions that I come up with all require that keycloak keeps track of changes in a database table (exactly how it works for liquibase). The GUI has a partial import feature. I haven't used it too extensively but I believe it probably does some sort of JSONtoPOJO serialization in order to figure out what the partial update it needs to be doing. Maybe we could add unique id identifiers to the existing/exported JSON files and have keycloak's import features determine whether the JSON file had already been applied or not. If there is a rest api for this as well then building an external cli or GUI tool would be much more feasible. Scott's solution requires either the external app to know the state of keycloak or keycloak's state to be blank. It's the best that could have been done with keycloak as it is now. Anyone have any comments regarding this possible solution?
>
> On Thu, May 26, 2016 at 11:19 PM, Stian Thorgersen wrote:
> > Can you give me some examples of issues around Dockerized deployments and services that are located at runtime (do you mean services that are provisioned at runtime?)?
> >
> > On 26 May 2016 at 19:47, Scott Rossillo wrote:
> >>
> >> Stian, that's fair, it does solve the OP's CI/CD problem when moving in the dev -> stage -> prod direction.
> >>
> >> Scott Rossillo
> >> Smartling | Senior Software Engineer
> >> srossillo at smartling.com
> >>
> >> On May 26, 2016, at 1:41 PM, Stian Thorgersen wrote:
> >>
> >> On 26 May 2016 at 19:11, Scott Rossillo wrote:
> >>>
> >>> I guess it's a matter of requirements, but with micro service architectures there's usually some sort of discovery mechanism required to locate services at runtime. Netflix offers Eureka and then there's etcd from CoreOS that's being used by Kubernetes. My point is that even if Keycloak devs build some sort of way of picking up changes from the filesystem on startup, that doesn't solve all use cases.
> >>
> >> The problem is continuous integration right, and pushing changes from a test environment into production? So you need a reliable way to apply changes to both environments.
> >>
> >>> It doesn't solve issues with Dockerized deployments and it doesn't solve the issue where services have to be located at runtime
> >>
> >> What are the issues it doesn't solve?
> >>
> >>> Scott Rossillo
> >>> Smartling | Senior Software Engineer
> >>> srossillo at smartling.com
> >>>
> >>> On May 26, 2016, at 2:27 AM, Stian Thorgersen wrote:
> >>>
> >>> On 26 May 2016 at 02:15, Jesse Chahal wrote:
> >>>>
> >>>> @Stian
> >>>> The approach described sounds similar to liquibase to me but with json and specific to keycloak.
> >>>> I feel like a lot of possible bugs could arise from this approach or at least quite a few feature requests. Would each json file only contain a single change? Would order matter in how they get applied if you put a bunch of json files in this directory at once? Can the same file be applied multiple times? These are the kind of issues I would expect to come up with this type of change management system. When I mentioned writing our own tool/script to do it I was kind of thinking of writing a liquibase like system that calls keycloak's rest api.
> >>>
> >>> We haven't figured out all the details, but what you are proposing sounds better. A single document that lists all changes, that can also import other files, sorts out the ordering and we could add same type of ids as Liquibase does to changesets.
> >>>
> >>> You could write it to use the rest api, then use a separate db to store what changes have been applied, but would be better if Keycloak deals with loading the changes directly as it can write to the db what changes have been applied.
> >>>
> >>> One big issue is what happens if manual changes are done through the admin console. One thought (although probably very tricky to get right) is that changes done through the admin console are added to the changeset.
> >>>
> >>>> @Scott
> >>>> If I would compare the solution you mentioned to one of the options I listed in my original question "I've also considered writing my own updater tool using a scripting language (python/ruby) that calls keycloak's rest api." The worrying thing to me is that there is another piece of code that needs to be maintained by our company and requires quite a bit of knowledge of keycloak's rest api. There would probably need to be some serious thought put into the architecture of the tool as well.
> >>>> Without a doubt it does provide the most control. We also live by a different methodology in regards to updating production clusters. From our perspective it is more of an issue to update manually as it becomes much easier to miss a step or in some way screw up if steps are performed manually. I'm not sure what the security implications would be from it occurring automatically, especially if during each step there is thorough testing (including from a security team). For our CI/CD pipeline our goal is to have it so every commit can automagically end up on production without human intervention.
> >>>>
> >>>> Currently we use a combination of an initial realm file to be included on startup and also use jq to modify the keycloak-server.json for new keycloak clusters. We don't need to generate realm or client keys as it is included in the initial realm file. That doesn't work for existing systems backed by a database that cannot be thrown away. That kind of leaves me with the original option (and hardest) of "write a proprietary liquibase like system built on top of keycloak's rest api". This is a hard problem to solve
> >>>
> >>> Why proprietary? If we can agree on a design we'll happily accept a contribution and maintain it as well.
> >>>
> >>>> On Mon, May 23, 2016 at 1:49 PM, Anthony Fryer <anthony.fryer at gmail.com> wrote:
> >>>> > Thanks, I'll check it out.
> >>>> >
> >>>> > On 05:38, Tue, 24/05/2016 Scott Rossillo wrote:
> >>>> >>
> >>>> >> We use Jose4J[0] to create the keys and then jq[1] to modify the realm file.
> >>>> >>
> >>>> >> See the first line of code here for a super simple example of how to generate realm keys:
> >>>> >> https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
> >>>> >>
> >>>> >> PS - this may be doable with Keycloak but Jose4J is very lightweight for writing a simple script on a CI server.
> >>>> >>
> >>>> >> [0]: https://bitbucket.org/b_c/jose4j
> >>>> >> [1]: https://stedolan.github.io/jq/
> >>>> >>
> >>>> >> Scott Rossillo
> >>>> >> Smartling | Senior Software Engineer
> >>>> >> srossillo at smartling.com
> >>>> >>
> >>>> >> On May 21, 2016, at 10:20 PM, Anthony Fryer <anthony.fryer at gmail.com> wrote:
> >>>> >>
> >>>> >> Hi Scott,
> >>>> >>
> >>>> >> How do you generate the realm keys when creating the new keycloak dev instances? Do you use a keycloak api or some other way? I'm interested in having a standard realm template that is used to create new realms but would need to change the realm keys when importing this template into keycloak.
> >>>> >>
> >>>> >> Cheers,
> >>>> >>
> >>>> >> Anthony
> >>>> >>
> >>>> >> On Sat, May 21, 2016 at 3:43 AM, Scott Rossillo wrote:
> >>>> >>>
> >>>> >>> We're using Keycloak on production, stage/QA, development environments and every developer's workstation / laptop.
> >>>> >>>
> >>>> >>> While there will always be differing opinions on how to successfully do change management, we've found a very effective method for handling Keycloak provisioning in all environments so that developers don't need to mess around with it. We're a continuous integration / deployment shop using micro services and everything has to "just work". I'll give an overview of our process here but please keep in mind a few things:
> >>>> >>>
> >>>> >>> 1. This approach works for us, I'm not saying it's the best way
> >>>> >>> 2. We do _not_ allow production config changes to be automated due to security implications
> >>>> >>> 3. We're very opinionated in our approach to configuration management and we don't ever modify 3rd party software databases directly. We always use APIs.
> >>>> >>>
> >>>> >>> We deploy Keycloak to all environments using Docker images. On developer workstations we use Docker Compose to orchestrate bringing up all services a developer may need, including Keycloak.
> >>>> >>>
> >>>> >>> We have 4 docker images for Keycloak:
> >>>> >>> - Keycloak Base
> >>>> >>>   \- Keycloak HA
> >>>> >>>   \- Keycloak Dev
> >>>> >>> - Keycloak config manager*
> >>>> >>>
> >>>> >>> The base image includes all customizations necessary to bring up a Keycloak instance configured with our modules and themes installed.
> >>>> >>> The HA instance builds off base and configures Keycloak to run as a cluster node. This is used on stage and prod.
> >>>> >>> The dev instance builds off base and includes our realm file. On startup, this instance loads our realm configuration if it's not already loaded.
> >>>> >>>
> >>>> >>> All docker images are built and published by the CI server and Keycloak HA can be deployed to stage and prod after a clean CI build.
> >>>> >>>
> >>>> >>> Developers are free to add clients for testing, do whatever they want, etc. to their running dev instance. If they want to get back to our stock build, they pull the latest Docker image from our private Docker repo and restart it.
> >>>> >>>
> >>>> >>> Adding clients to stage and prod requires approval and is done by hand. This is for security reasons.
> >>>> >>> Once a configuration change is detected on stage - say a client is added - our CI server exports the realm from stage, changes the realm keys, and creates a new Keycloak Dev instance with the updated realm file.
> >>>> >>>
> >>>> >>> *A word about configuration management:
> >>>> >>>
> >>>> >>> Obviously, the realm file we generate knows the URLs of staging services, not local or development environment URLs. To overcome this we introduced another Docker based service called the Keycloak configuration manager. It runs on development environments and workstations. It's responsible for discovering running services and updating Keycloak via its admin endpoints to reflect the proper configuration for the given environment.
> >>>> >>>
> >>>> >>> That's it. The whole process is automated with the exception of configuration changes to stage and prod which require a security review.
> >>>> >>>
> >>>> >>> Hope this helps. Let me know if you'd like me to elaborate on anything.
> >>>> >>>
> >>>> >>> Best,
> >>>> >>> Scott
> >>>> >>>
> >>>> >>> Scott Rossillo
> >>>> >>> Smartling | Senior Software Engineer
> >>>> >>> srossillo at smartling.com
> >>>> >>>
> >>>> >>> On May 20, 2016, at 1:46 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
> >>>> >>>
> >>>> >>> Firstly, just wanted to highlight that core Keycloak team are devs, not sysadmins/ops guys, so we have limited experience in continuous delivery and maintenance of real production systems. Hence, we'd love input from the community on this.
> >>>> >>>
> >>>> >>> As it stands we don't really have a proper solution.
> >>>> >>> I believe the best you can do at the moment is either using import feature, partial import or admin rest endpoints. Import is not going to work IMO as it requires re-creating the whole realm. Partial import may work, but would work best for new resources rather than modifying existing resources as it does a delete/create operation rather than attempt to modify. With the admin rest endpoints you'd get the best control of what's going on, but obviously that leaves a fair amount of the work.
> >>>> >>>
> >>>> >>> In the future we have an idea of introducing an "import directory": it would be possible to drop json files in here that would add, modify or delete resources (realms, clients, roles, users, whatever). This would allow dropping json files before the server starts and the server would then import on startup. It would also be possible to do this at runtime and new files would be detected at runtime. Finally, we also had an idea of an offline mode to run import of this (it would basically start the server without http listener, import files, then stop, so it could be used in a script/tool). Import is probably not the best name for it, as it would support modify and delete as well as "importing" new things.
> >>>> >>>
> >>>> >>> On 19 May 2016 at 19:53, Jesse Chahal wrote:
> >>>> >>>>
> >>>> >>>> Following some of the best practices for continuous Integration and continuous delivery there needs to be environments for build, test, and production.
> >>>> >>>> This would mean that following these practices would require you to have multiple versions of keycloak at different stages of development cycle. Some of these environments might not have important persistent data while others might. In order to have builds transition from one environment to another there may be configuration changes required for a build to be valid. This is especially true when new services (openid clients) are being added or "default" accounts. I'm trying to come up with a scripted way of updating keycloak instances that are backed by an RDBMS. This may include adding new clients, adding new users, updating realm config, etc... Originally I was planning on simply exporting the realm config and importing it every time keycloak starts. If I enabled the OVERWRITE option I might overwrite things that I do not want overridden. This is especially true if there is some config that differs based on whether it is a build, test, or production instance. If I don't enable it then it is only useful for new/blank keycloak environments. I considered using liquibase but since I do not have control of schema changes created by the keycloak team I might run into issues with my liquibase file not being valid after a migration/liquibase update by the keycloak team as my liquibase file would run after keycloak's does. There might also be some other unknown issues with our liquibase changes conflicting somehow with keycloak's liquibase changes.
> >>>> >>>> I've also considered writing my own updater tool using a scripting language (python/ruby) that calls keycloak's rest api. The issue with this mechanism is it feels like I am recreating the wheel as well as not being able to find good documentation on keycloak's openid endpoints/url's used for different oauth2 flows. Even if I did find this documentation it would also require me to find a good openid client for the scripting language. This doesn't matter for our normal clients as they simply use the keycloak subsystems and adapters instead. I've also looked at commonly used server configuration software such as chef, puppet, and ansible. I don't see a good solution using any of those tools yet either. What have other people done for cases like this? Please don't tell me there is someone who is doing this all manually because that doesn't work in modern software development.
> >>>> >>>>
> >>>> >>>> - doesn't accidentally delete users
> >>>> >>>> - doesn't accidentally delete clients
> >>>> >>>> - doesn't invalidate sessions (optional)
> >>>> >>>> - works to bring up new, correctly configured, keycloak instances
> >>>> >>>> - handles applying updates to existing keycloak instances
> >>>> >>>> - can handle minor differences between keycloak instances (build, test, production) when updating
> >>>> >>>> - preferably can work well in rolling deployment scenarios.
> >>>> >>>> -- I hope the keycloak team is taking these into consideration when doing database migration between 1-2 releases.
> >>>> >>>> It would be nice if they set some specific rules for rolling updates between versions (aka backwards breaking changes)
> >>>> >>>> _______________________________________________
> >>>> >>>> keycloak-user mailing list
> >>>> >>>> keycloak-user at lists.jboss.org
> >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Mon Jun 13 03:25:21 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 13 Jun 2016 09:25:21 +0200
Subject: [keycloak-user] Fwd: Multi-org salesforce with single realm keycloak
In-Reply-To:
References:
Message-ID:

I'm sorry but dynamically creating realms in this way is just crazy IMO. You should have whatever provisions new customers also create a realm on their behalf.

On 11 June 2016 at 04:15, Anthony Fryer wrote:
> You can implement a dynamic keycloak config resolver that can work with realms not known in advance. I've just been doing exactly the same thing.
> My requirement was to use the host name to identify a realm, so tenanta.mydomain.com/my-client would use realm "tenanta", tenantb.mydomain.com/my-client would use "tenantb" etc and realms could be created dynamically and my-client would immediately work with those new realms without requiring a reboot or re-configuration. There are different KeycloakConfigResolver implementations you can use to do this, depending on your client configuration.
>
> If the client is configured as public (no client secret) or if the client secret for the application is the same in each realm, then you can use a keycloak template for configuration. So you could deploy a WEB-INF/keycloak-template.json file which looks something like this...
>
> {
>   "realm": "tenantA",
>   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA07H+1raA8G5lU9II9GwQ1r2yXzSeBpEC6Lz822iB+oZGi36KC6caVOyi1IVIWB/ZnxxoC8AHsn4ASYJnYUMNTjRvK9nwHCP825LD3nHFBHyQ0gUHBELRi6ZvmOu3TnyiIlnR2SCxwmND5ifgtDfKwldcdCTNWqJG5MkcOimhDEiZYLOrShH5pCcEkPE5JBj0GDGYs9AcUT8/OrJEvInVAfnMMxvzZfXhJQlXnq0HbkGPNL2LMq66bmfI7OTzWKpIIoa24DOcxvu5FEqnnfhEZ+RkhfrVVe876T7Jx9f128xOTAYgi98515+xeFGei1Qer1IJCtnE5vICKKVtDdJg1wIDAQAB",
>   "auth-server-url": "https://keycloak.mydomain.com/auth",
>   "ssl-required": "none",
>   "resource": "my-client",
>   "public-client": true
> }
>
> The KeycloakConfigResolver would use this template for each realm and just overwrite the "realm" and "realm-public-key" values with the real values. To get those real values, the KeycloakConfigResolver would first work out the realm name. In my case, I derive the realm name from the hostname, so tenanta.mydomain.com would indicate "tenanta" was being used. Once you have derived the realm name, then you can do a http get request to http:///auth/realms/ (eg. https://keycloak.mydomain.com/auth/realms/tenanta). This endpoint isn't secured and returns something similar to the following...
>
> {
>   "realm": "tenantA",
>   "public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA07H+1raA8G5lU9II9GwQ1r2yXzSeBpEC6Lz822iB+oZGi36KC6caVOyi1IVIWB/ZnxxoC8AHsn4ASYJnYUMNTjRvK9nwHCP825LD3nHFBHyQ0gUHBELRi6ZvmOu3TnyiIlnR2SCxwmND5ifgtDfKwldcdCTNWqJG5MkcOimhDEiZYLOrShH5pCcEkPE5JBj0GDGYs9AcUT8/OrJEvInVAfnMMxvzZfXhJQlXnq0HbkGPNL2LMq66bmfI7OTzWKpIIoa24DOcxvu5FEqnnfhEZ+RkhfrVVe876T7Jx9f128xOTAYgi98515+xeFGei1Qer1IJCtnE5vICKKVtDdJg1wIDAQAB",
>   "token-service": "https://keycloak.mydomain.com/auth/realms/tenantA/protocol/openid-connect",
>   "account-service": "https://keycloak.mydomain.com/auth/realms/tenantA/account",
>   "admin-api": "https://keycloak.mydomain.com/auth/admin",
>   "tokens-not-before": 0
> }
>
> The KeycloakConfigResolver then uses the "realm" and "public_key" values from that response, overrides the values from the keycloak-template.json file to create the KeycloakDeployment (using KeycloakDeploymentBuilder).
>
> If your client isn't public and the client-secret differs and isn't known in advance, then this solution wouldn't work. In that case, another solution can be used which is slightly more complicated. The idea is the KeycloakConfigResolver does the following...
>
> 1/ Get a token for the admin-cli client in the "master" realm. This may require configuring a username and password that can be used to obtain this token.
> 2/ Use the rest api to get a list of clients in the requested realm (ie. http get to http:///auth/admin/realms/{realm}/clients using a Bearer token obtained from step 1)
> 3/ Iterate through the list and find the Client you're interested in (ie. client.getClientId().equals("my-client") ). You need the client UID identifier from this.
> 4/ Use the rest api to get the keycloak deployment installation file by doing a GET to http:///auth/admin/realms/{realm}/clients/{client-uid}/installation/providers/keycloak-oidc-keycloak-json, using the Bearer token from step 1 and the client UID from step 3. Then use KeycloakDeploymentBuilder on the response body returned from this service.
>
> Regards,
>
> Anthony
>
> On 04:43, Sat, 11/06/2016 Jesse Chahal wrote:
>
>> The keycloak config resolver works well when all realms are known in advance. I was trying to imply in my diagram that all realms are not known in advance as realms are going to be created for new customers on demand. Doing a new production deployment whenever a SaaS product has a new customer added is not a feasible solution.
>>
>> On Wed, Jun 8, 2016 at 7:01 PM, Anthony Fryer wrote:
>> > Why do you say "very hard to get App1 to support multiple realms (no adapter or keycloak support)"?
>> >
>> > Keycloak does provide multi-tenancy support via the KeycloakConfigResolver. See https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant.
>> >
>> > The issue would be if your app can't use a keycloak adapter.
>> >
>> > On Thu, Jun 9, 2016 at 10:05 AM, Jesse Chahal wrote:
>> >>
>> >> Hi,
>> >>
>> >> I'm back again. I'm trying to figure out how to scale Identity Providers. We are planning on trying to integrate our App1 with salesforce. A user who logs into salesforce should be able to have a native feel of our App1 within it. To do this we'll probably have to end up building salesforce native apps. For every salesforce organization/licensee we will have to register an Identity provider with keycloak to make sure they can correctly use App1. Some configuration options we came up with are listed below. Has anyone else solved a similar problem?
>> >>
>> >> OPTION 1
>> >> ########################################################
>> >> # Keycloak
>> >> # ---> master realm
>> >> # ---> realm 1
>> >> # --- ---> app1_client (open ID)
>> >> # --- ---> salesforce_org1_saml2.0_identity_provider
>> >> # --- ---> salesforce_org2_saml2.0_identity_provider
>> >> #
>> >> # Salesforce
>> >> # ---> org1
>> >> # ---- ----> salesforce_appX (uses App1)
>> >> # ---> org 2
>> >> # ---- ----> salesforce_appX (uses App1)
>> >> # ---- ----> salesforce_appY (uses App1)
>> >> # .....
>> >> #
>> >> # App 1
>> >> # ---> OpenID to realm1 (using adapter)
>> >> ########################################################
>> >> benefits
>> >> - single login page
>> >> - single realm
>> >> cons
>> >> - login page with infinite number of identity provider buttons present
>> >>
>> >> OPTION 2
>> >> ########################################################
>> >> # Keycloak
>> >> # ---> master realm
>> >> # ---> realm 1
>> >> # --- ---> app1_client (open ID)
>> >> # --- ---> salesforce_org1_saml2.0_identity_provider
>> >> # ---> realm 2
>> >> # --- ---> app1_client (open ID)
>> >> # --- ---> salesforce_org2_saml2.0_identity_provider
>> >> #
>> >> # Salesforce
>> >> # ---> org1
>> >> # ---- ----> salesforce_appX (uses App1)
>> >> # ---> org 2
>> >> # ---- ----> salesforce_appX (uses App1)
>> >> # ---- ----> salesforce_appY (uses App1)
>> >> # .....
>> >> #
>> >> # App 1
>> >> # ---> OpenID to realm1, realm2, realm#.... (using adapter)
>> >> ########################################################
>> >> benefits
>> >> - single salesforce button per login page
>> >> - users are more isolated in single realm
>> >> cons
>> >> - very hard to get App1 to support multiple realms (no adapter or keycloak support)

From amaeztu at tesicnor.com Wed Jun 8 11:15:58 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Wed, 8 Jun 2016 17:15:58 +0200
Subject: [keycloak-user] Fwd: Re: Redirection issue with proxy behind keycloak
In-Reply-To: <78c6e629-d3ab-2ea7-b4bb-ac5d10478f7c@tesicnor.com>
References: <03225e22-5a31-d3c5-4285-69e355e1950e@tesicnor.com> <5e1b50b9-b7d0-5b2e-b16c-4df98da6f485@tesicnor.com> <7a45ae5d-cf0f-a5d5-0ab5-1df8ee8aa9da@tesicnor.com> <895342cc-a03d-caff-ffa3-281cf9a25499@tesicnor.com> <11921D36-82CD-4B90-8E65-4C3209D5DE52@smartling.com> <78c6e629-d3ab-2ea7-b4bb-ac5d10478f7c@tesicnor.com>
Message-ID: <0cd5ba3b-d770-7010-df01-4f9c47030ac3@tesicnor.com>

Hello, any advice on this?

On 03/06/2016 14:20, Aritz Maeztu wrote:
>
> Hi all,
>
> Good work with the sample project Scott, it's a proper isolated code where we might easily see what's going on.
My previous problem was > nearly solved, it only keeps happening with FF, when user isn't logged > in[0]. > > Scott, I've got no reason to avoid other traditional HTTP proxies, all > of this is because I'm a bit of newbie in this kind of topics about > distributed environments and having chosen the Spring Cloud utility I > thought I could implement everything I needed using Zuul. So that's > the design I was thinking in for production: > > Browser request -> Zuul proxy (80) -> UI Service (8099 and accesses > other services using the keycloak rest template) -> Backbone services > (80xx). They call each other using the keycloak rest template > > Mobile app request -> Zuul proxy (80) -> Backbone services (80xx). > They call each other using the keycloak rest template > > I've declared each backbone service in Keycloak as confidential > because that way I can access the service directly through the > browser. Like you say, it might be a properer option to use > bearer-only access, but how could I deal with the UI Service? This > could be a choice according to what you say, not adding any other proxy: > > Browser request -> UI Service (80) -> Zuul proxy (8765) -> Backbone > services (80xx). They call each other using the keycloak rest template > > The only drawback I can think about this design is the case of needing > to have more UI replicas, I would need to manage them myself? If I add > a proxy on the top of it could I have it talking with Eureka to know > where the different instances of the UI Service are? > > Thanks! > > > [0]https://github.com/xtremebiker/zuul-keycloak-test/pull/1 > > > 03/06/2016 6:05(e)an, Scott Rossillo igorleak idatzi zuen: >> Hi Aritz, >> >> Your sample project was very helpful to understand the problems >> you?re facing with Zuul as a proxy server. I spent some time >> investigating and I?ve sent you a pull request[0] that will get your >> sample working. >> >> That being said, please do read the "Cookies and Sensitive Headers? 
>> documentation from Spring Cloud Netflix[1]. This applies to anyone >> thinking of using Zuul as a stateful proxy server. Zuul was designed >> by Netflix to proxy stateless services. In the Keycloak world, these >> would be clients with an access type of bearer-only. >> >> I'd strongly recommend against this setup in production. You could >> continue to use Zuul for stateless services but anything requiring an >> interactive login should really be behind a more traditional HTTP >> proxy (e.g. Nginx, Apache, etc). >> >> If you disagree, can you tell us the reason you'd want to proxy a >> stateful service with Zuul? >> >> Hope this helps clear things up a bit. >> >> Best, >> Scott >> >> [0]: https://github.com/xtremebiker/zuul-keycloak-test/pull/1 >> [1]: >> http://cloud.spring.io/spring-cloud-netflix/spring-cloud-netflix.html >> >> Scott Rossillo >> Smartling | Senior Software Engineer >> srossillo at smartling.com >> >>> On Jun 2, 2016, at 4:08 PM, Aritz Maeztu wrote: >>> >>> Hi Scott and all, >>> >>> Tried removing the tomcat adapter from my project, it was my mistake >>> putting it together with the Spring Security one. Thanks for >>> the link to the question, it was a question I asked on SO some time >>> ago and your answer worked that time. However, even if I leave >>> /sso/login unprotected by Spring Security, the same behaviour >>> happens. So I tried creating a sample scenario from scratch and I >>> can reproduce the issue. Here it is, three maven projects, the >>> service discovery (Eureka), the proxy service (Zuul) and the sample >>> secured service: >>> >>> https://github.com/xtremebiker/zuul-keycloak-test >>> >>> The keycloak.json file in the secured service should be replaced by >>> the one for your client, of course.
And here is a filter >>> declaration that can be made in Spring Boot to show the request >>> dumper for Tomcat: >>> >>> http://stackoverflow.com/questions/23325389/spring-boot-enable-http-requests-logging/37523922#37523922 >>> >>> The steps to reproduce it are: >>> >>> 1- Boot the three projects >>> >>> 2- Wait till the two services are registered in Eureka and navigate >>> to localhost:8765/secured-service/path >>> >>> 3- After logging in in Keycloak, the port changes to 8083 >>> >>> I'll continue struggling and see if I can figure it out myself. >>> >>> Regards >>> >>> >>> On 31/05/2016 22:56, Scott Rossillo wrote: >>>> Hi Aritz, >>>> >>>> If you're using the Tomcat adapter and Spring Security adapter >>>> together, they may be interfering with each other. I'm not saying >>>> this is the problem you're having but I'd avoid using both adapters >>>> together. >>>> >>>> Please also take a look at this Stack Overflow answer[0] related to >>>> redirect issues. If none of this helps I'll try to debug with >>>> Eureka and Zuul. >>>> >>>> [0]: >>>> http://stackoverflow.com/questions/33543672/keycloak-redirects-me-to-my-index-url-instead-of-to-the-requested-one?answertab=votes#tab-top >>>> >>>> Scott Rossillo >>>> Smartling | Senior Software Engineer >>>> srossillo at smartling.com >>>> >>>>> On May 31, 2016, at 4:00 PM, Aritz Maeztu >>>>> wrote: >>>>> >>>>> Hello Scott, >>>>> >>>>> I've got the spring security and tomcat keycloak adapters both as >>>>> a project dependency for each service (as I'm running the services >>>>> in Tomcat 8 embedded servers). Basically I want to base my >>>>> security on Spring Security, that's why I chose this adapter over >>>>> the Spring Boot adapter. >>>>> >>>>> As the behaviour states, a redirection is made first to the >>>>> /sso/login endpoint, then another one to the keycloak authorization >>>>> server.
The question is, as a redirection is a mere instruction >>>>> stated from the server to the browser, what chances do I have to >>>>> send the original x-forwarded headers to the keycloak >>>>> authorization server, so that it can make the redirection to the >>>>> url requested at the very beginning (to the reverse proxy)? >>>>> >>>>> I could implement a playground scenario for you if you happen to >>>>> require it. >>>>> >>>>> Many thanks >>>>> >>>>> >>>>> On 31/05/2016 20:14, Scott Rossillo wrote: >>>>>> Hi Aritz, >>>>>> >>>>>> So just to be clear, which Keycloak adapter are you using? The >>>>>> Spring Boot Adapter or the Spring Security Adapter? >>>>>> >>>>>> Scott Rossillo >>>>>> Smartling | Senior Software Engineer >>>>>> srossillo at smartling.com >>>>>> >>>>>>> On May 31, 2016, at 3:13 AM, Aritz Maeztu >>>>>>> wrote: >>>>>>> >>>>>>> I've got some Spring Boot application instances with embedded >>>>>>> Tomcat servlet containers. Tomcat has a similar system to >>>>>>> Wildfly for request dumping, that's what I have enabled for >>>>>>> getting the trace below. In short, that's the behaviour I'm >>>>>>> able to see: >>>>>>> >>>>>>> 1. Zuul Proxy (Spring Boot in Tomcat) -> Organization Service >>>>>>> (8083 port) : A forward request where X-forwarded headers are >>>>>>> included >>>>>>> >>>>>>> 2. Organization Service (localhost:8083) : Looks for a token and >>>>>>> if it's not available, the keycloak adapter redirects to the >>>>>>> /sso/login of the same service (Here the traceability from the >>>>>>> proxy gets lost) >>>>>>> >>>>>>> 3. localhost:8083/sso/login: Redirects to the keycloak wildfly >>>>>>> server, saving the requested url >>>>>>> >>>>>>> 4. Keycloak login: The user performs the authentication and the >>>>>>> redirectUri is localhost:8083/sso/login. Later on, the login >>>>>>> endpoint redirects the user to the url requested in point 2, not >>>>>>> the first one from the proxy.
>>>>>>> >>>>>>> I only have this problem when my organization service needs to >>>>>>> verify the token (or a token doesn't exist) using the keycloak >>>>>>> adapter. When the /sso/login endpoint is not requested, >>>>>>> everything is working properly. Hope I've explained it well! >>>>>>> >>>>>>> >>>>>>> On 31/05/2016 7:15, Stian Thorgersen wrote: >>>>>>>> Where is your app deployed? If it's on WildFly you can follow >>>>>>>> the same steps used to configure reverse proxy for Keycloak >>>>>>>> Server to configure WildFly. Check if getRequestURL returns the >>>>>>>> correct URL in your app. >>>>>>>> >>>>>>>> On 30 May 2016 at 15:08, Aritz Maeztu wrote: >>>>>>>> >>>>>>>> >>>>>>>> -------- Forwarded message -------- >>>>>>>> Subject: Re: [keycloak-user] Redirection issue with proxy >>>>>>>> behind keycloak >>>>>>>> Date: Mon, 30 May 2016 13:28:21 +0200 >>>>>>>> From: Aritz Maeztu >>>>>>>> To: stian at redhat.com >>>>>>>> CC: Niels Bertram, >>>>>>>> keycloak-user, Scott >>>>>>>> Rossillo >>>>>>>> >>>>>>>> >>>>>>>> I've traced the whole flow from the proxy server until >>>>>>>> the login page is displayed: >>>>>>>> >>>>>>>> First step, /organization/organizations is requested, so >>>>>>>> the proxy server knows it has to be forwarded to the 8083 >>>>>>>> port (the one for the organization service).
That's the >>>>>>>> first request received by my application's Tomcat: >>>>>>>> >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 START TIME =30-may-2016 13:01:18 >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 requestURI=/organizations >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 authType=null >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 characterEncoding=UTF-8 >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 contentLength=-1 >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 contentType=null >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 contextPath= >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=accept-language=es-ES,es;q=0.8 >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=x-forwarded-host=mies-057:8765 >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=x-forwarded-prefix=/organization >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=upgrade-insecure-requests=1 >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] 
>>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=accept-encoding=gzip >>>>>>>> 2016-05-30 13:01:18.888 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 >>>>>>>> header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=user-agent=Mozilla/5.0 (Windows >>>>>>>> NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) >>>>>>>> Chrome/50.0.2661.102 Safari/537.36 >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=netflix.nfhttpclient.version=1.0 >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 >>>>>>>> header=x-netflix-httpclientname=organization >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=host=mies-057:8083 >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=connection=Keep-Alive >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 locale=es_ES >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 method=GET >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 pathInfo=null >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 protocol=HTTP/1.1 >>>>>>>> 2016-05-30 13:01:18.889 INFO 
18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 queryString=null >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 remoteAddr=192.168.56.1 >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 remoteHost=192.168.56.1 >>>>>>>> 2016-05-30 13:01:18.889 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 remoteUser=null >>>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 requestedSessionId=null >>>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 scheme=http >>>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 serverName=mies-057 >>>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 serverPort=8083 >>>>>>>> 2016-05-30 13:01:18.890 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 servletPath=/organizations >>>>>>>> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 isSecure=false >>>>>>>> 2016-05-30 13:01:18.891 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 >>>>>>>> ------------------=-------------------------------------------- >>>>>>>> >>>>>>>> Here x-forwarded-host is mies-057:8765 (the proxy server) >>>>>>>> and x-forwarded-prefix is /organization. So the original >>>>>>>> request is kept in the headers. 
Well, now my service (8083) >>>>>>>> tries to check for authorization via the /sso/login >>>>>>>> endpoint from the keycloak spring security adapter: >>>>>>>> >>>>>>>> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9] >>>>>>>> o.k.a.s.management.HttpSessionManager : Session created: >>>>>>>> CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>>>>> 2016-05-30 13:01:18.892 DEBUG 18096 --- [nio-8083-exec-9] >>>>>>>> k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting to >>>>>>>> login URI /sso/login >>>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 >>>>>>>> ------------------=-------------------------------------------- >>>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 authType=null >>>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 contentType=null >>>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=X-Content-Type-Options=nosniff >>>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=X-XSS-Protection=1; mode=block >>>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=Cache-Control=no-cache, >>>>>>>> no-store, max-age=0, must-revalidate >>>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=Pragma=no-cache >>>>>>>> 2016-05-30 13:01:18.892 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=Expires=0 >>>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> 
o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 header=X-Frame-Options=DENY >>>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 >>>>>>>> header=Set-Cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752; >>>>>>>> Path=/; HttpOnly >>>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 >>>>>>>> header=Location=http://mies-057:8083/sso/login >>>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 remoteUser=null >>>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 status=302 >>>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 END TIME =30-may-2016 13:01:18 >>>>>>>> 2016-05-30 13:01:18.893 INFO 18096 --- [nio-8083-exec-9] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-9 >>>>>>>> =============================================================== >>>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 START TIME =30-may-2016 13:01:18 >>>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 requestURI=/sso/login >>>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 authType=null >>>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 characterEncoding=UTF-8 >>>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : 
>>>>>>>> http-nio-8083-exec-10 contentLength=-1 >>>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 contentType=null >>>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 contextPath= >>>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 >>>>>>>> cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>>>>> 2016-05-30 13:01:18.902 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 header=host=mies-057:8083 >>>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 header=connection=keep-alive >>>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 >>>>>>>> header=accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 header=upgrade-insecure-requests=1 >>>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 header=user-agent=Mozilla/5.0 >>>>>>>> (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like >>>>>>>> Gecko) Chrome/50.0.2661.102 Safari/537.36 >>>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 header=accept-encoding=gzip, deflate, >>>>>>>> sdch >>>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 header=accept-language=es-ES,es;q=0.8 >>>>>>>> 
2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 >>>>>>>> header=cookie=JSESSIONID=CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 locale=es_ES >>>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 method=GET >>>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 pathInfo=null >>>>>>>> 2016-05-30 13:01:18.903 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 protocol=HTTP/1.1 >>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 queryString=null >>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 remoteAddr=192.168.56.1 >>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 remoteHost=192.168.56.1 >>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 remoteUser=null >>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 >>>>>>>> requestedSessionId=CDCA7AD4439DE94BD0B3B5803DAA0752 >>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 scheme=http >>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 serverName=mies-057 
>>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 serverPort=8083 >>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 servletPath=/sso/login >>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 isSecure=false >>>>>>>> 2016-05-30 13:01:18.904 INFO 18096 --- [io-8083-exec-10] >>>>>>>> o.a.c.filters.RequestDumperFilter : >>>>>>>> http-nio-8083-exec-10 >>>>>>>> ------------------=-------------------------------------------- >>>>>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] >>>>>>>> o.k.adapters.PreAuthActionsHandler : >>>>>>>> adminRequesthttp://mies-057:8083/sso/login >>>>>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] >>>>>>>> f.KeycloakAuthenticationProcessingFilter : Request is to >>>>>>>> process authentication >>>>>>>> 2016-05-30 13:01:18.904 DEBUG 18096 --- [io-8083-exec-10] >>>>>>>> f.KeycloakAuthenticationProcessingFilter : Attempting >>>>>>>> Keycloak authentication >>>>>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] >>>>>>>> o.k.adapters.RequestAuthenticator : --> authenticate() >>>>>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] >>>>>>>> o.k.adapters.RequestAuthenticator : try bearer >>>>>>>> 2016-05-30 13:01:18.904 TRACE 18096 --- [io-8083-exec-10] >>>>>>>> o.k.adapters.RequestAuthenticator : try oauth >>>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>>>>> o.k.a.s.token.SpringSecurityTokenStore : Checking if >>>>>>>> org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator at d328c2d >>>>>>>> is cached >>>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>>>>> o.k.adapters.OAuthRequestAuthenticator : there was no code >>>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 
--- [io-8083-exec-10] >>>>>>>> o.k.adapters.OAuthRequestAuthenticator : redirecting to >>>>>>>> auth server >>>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>>>>> o.k.adapters.OAuthRequestAuthenticator : callback >>>>>>>> uri:http://mies-057:8083/sso/login >>>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>>>>> f.KeycloakAuthenticationProcessingFilter : Auth outcome: >>>>>>>> NOT_ATTEMPTED >>>>>>>> 2016-05-30 13:01:18.905 DEBUG 18096 --- [io-8083-exec-10] >>>>>>>> o.k.adapters.OAuthRequestAuthenticator : Sending redirect >>>>>>>> to login >>>>>>>> page:http://mies-057.tesicnor.com:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=organization&redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin&state=1%2F21d709ec-1e69-41c5-ac6d-c705f8ce3907&login=true >>>>>>>> >>>>>>>> As shown in the logs, the X-forwarded logs are not >>>>>>>> kept by the keycloak adapter (look at the lines >>>>>>>> below: k.a.s.a.KeycloakAuthenticationEntryPoint : Redirecting >>>>>>>> to login URI /sso/login). So could it be the proxy server >>>>>>>> itself being properly configured but the keycloak adapter >>>>>>>> losing the original headers while performing the redirection? >>>>>>>> >>>>>>>> I've also set up the request dumper in the undertow server >>>>>>>> as Niels suggested, but obviously, X-forwarded headers are >>>>>>>> not reaching the keycloak server. >>>>>>>> >>>>>>>> Thanks for your time, again ;-) >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 25/05/2016 7:22, Stian Thorgersen wrote: >>>>>>>>> You need the Host and X-Forwarded-For headers to be >>>>>>>>> included and there's also some config to be done on the >>>>>>>>> Keycloak server (see >>>>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#proxy-address-forwarding) >>>>>>>>> >>>>>>>>> On 24 May 2016 at 08:46, Aritz >>>>>>>>> Maeztu wrote: >>>>>>>>> >>>>>>>>> Hi Niels and Scott.
First of all, thank you very much >>>>>>>>> for your help. I'm currently using Zuul (Spring Cloud) >>>>>>>>> as the reverse proxy. All the services are registered >>>>>>>>> in a discovery service called Eureka and then Zuul >>>>>>>>> looks for the service id there and performs the >>>>>>>>> redirection. I read about X-Forwarded headers, but I >>>>>>>>> thought it might result in a security issue if not >>>>>>>>> included, not that it could affect the redirection >>>>>>>>> process. >>>>>>>>> >>>>>>>>> As Scott says, I suppose the Host and the X-Real-Ip >>>>>>>>> headers are the relevant ones here, so I guess I >>>>>>>>> should instruct Zuul to send them when the service is >>>>>>>>> addressed (however I wonder why they are not already >>>>>>>>> being sent, as Zuul is a proxy service, all in all). >>>>>>>>> >>>>>>>>> Here I include a preview of the first redirection made >>>>>>>>> to the keycloak login page, which shows the request >>>>>>>>> headers sent to the service /login endpoint (at port >>>>>>>>> 8081 on localhost): >>>>>>>>> >>>>>>>>> https://www.dropbox.com/s/iof9yefytzay6j2/screenshot.PNG?dl=0 >>>>>>>>> >>>>>>>>> On 24/05/2016 2:08, Niels Bertram wrote: >>>>>>>>>> Hi Aritz, >>>>>>>>>> >>>>>>>>>> a great way to figure out what is sent from the >>>>>>>>>> reverse proxy to your keycloak server is to use the >>>>>>>>>> undertow request dumper.
>>>>>>>>>> >>>>>>>>>> From the jboss-cli just add the request dumper filter >>>>>>>>>> to your undertow configuration like this: >>>>>>>>>> >>>>>>>>>> $KC_HOME/bin/jboss-cli.sh -c >>>>>>>>>> >>>>>>>>>> /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, >>>>>>>>>> module=io.undertow.core) >>>>>>>>>> >>>>>>>>>> /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add >>>>>>>>>> >>>>>>>>>> /:reload >>>>>>>>>> >>>>>>>>>> given your apache config looks something like this: >>>>>>>>>> >>>>>>>>>> ProxyRequests Off >>>>>>>>>> ProxyPreserveHost On >>>>>>>>>> ProxyVia On >>>>>>>>>> >>>>>>>>>> ProxyPass /auth ajp://127.0.0.1:8009/auth >>>>>>>>>> >>>>>>>>>> ProxyPassReverse /auth ajp://127.0.0.1:8009/auth >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> you should see something like that (forwarded info is >>>>>>>>>> somewhat rubbish in this example as I am running the >>>>>>>>>> hosts on Virtualbox - but you can see this request >>>>>>>>>> was put through 2 proxies from local pc 192.168.33.1 >>>>>>>>>> to haproxy on 192.168.33.80 and then apache reverse >>>>>>>>>> proxy on 192.168.33.81 ): >>>>>>>>>> >>>>>>>>>> ============================================================== >>>>>>>>>> 23:47:20,563 INFO [io.undertow.request.dump] >>>>>>>>>> (default task-14) >>>>>>>>>> ----------------------------REQUEST--------------------------- >>>>>>>>>> URI=/auth/welcome-content/favicon.ico >>>>>>>>>> characterEncoding=null >>>>>>>>>> contentLength=-1 >>>>>>>>>> contentType=null >>>>>>>>>> header=Accept=*/* >>>>>>>>>> header=Accept-Language=en-US,en;q=0.8,de;q=0.6 >>>>>>>>>> header=Cache-Control=no-cache >>>>>>>>>> header=Accept-Encoding=gzip, deflate, sdch >>>>>>>>>> header=DNT=1 >>>>>>>>>> header=Pragma=no-cache >>>>>>>>>> header=X-Original-To=192.168.33.80 >>>>>>>>>> header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) >>>>>>>>>> AppleWebKit/537.36 (KHTML, like Gecko)
>>>>>>>>>> Chrome/50.0.2661.102 Safari/537.36 >>>>>>>>>> header=Authorization=Basic >>>>>>>>>> bmljZSB0cnkgYnV0IGFtIG5vdCBmcm9tIHllc3RlcmRheQo= >>>>>>>>>> header=X-Forwarded-Proto=https >>>>>>>>>> header=X-Forwarded-Port=443 >>>>>>>>>> header=X-Forwarded-For=192.168.33.1 >>>>>>>>>> header=Referer=https://login.vagrant.dev/auth/ >>>>>>>>>> header=Host=login.vagrant.dev >>>>>>>>>> locale=[en_US, en, de] >>>>>>>>>> method=GET >>>>>>>>>> protocol=HTTP/1.1 >>>>>>>>>> queryString= >>>>>>>>>> remoteAddr=192.168.33.1:0 >>>>>>>>>> remoteHost=192.168.33.1 >>>>>>>>>> scheme=https >>>>>>>>>> host=login.vagrant.dev >>>>>>>>>> serverPort=443 >>>>>>>>>> --------------------------RESPONSE-------------------------- >>>>>>>>>> contentLength=627 >>>>>>>>>> contentType=application/octet-stream >>>>>>>>>> header=Cache-Control=max-age=2592000 >>>>>>>>>> header=X-Powered-By=Undertow/1 >>>>>>>>>> header=Server=WildFly/10 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Hope this helps diagnose your issue. Niels >>>>>>>>>> >>>>>>>>>> On Tue, May 24, 2016 at 1:20 AM, Aritz >>>>>>>>>> Maeztu wrote: >>>>>>>>>> >>>>>>>>>> I'm using keycloak to secure some Spring based >>>>>>>>>> services (with the keycloak spring security >>>>>>>>>> adapter). The adapter creates a `/login` endpoint >>>>>>>>>> in each of the services which redirects to the >>>>>>>>>> keycloak login page and then redirects back to >>>>>>>>>> the service when authentication is done. I also >>>>>>>>>> have a proxy service which I want to publish on >>>>>>>>>> port 80 and will take care of routing all the >>>>>>>>>> requests to each service. The proxy performs a >>>>>>>>>> plain FORWARD to the service, but the problem >>>>>>>>>> comes when I secure the service with the >>>>>>>>>> keycloak adapter. >>>>>>>>>> >>>>>>>>>> When I make a request, the adapter redirects to >>>>>>>>>> its login endpoint and then to the keycloak auth >>>>>>>>>> url.
When keycloak sends the redirection, the url >>>>>>>>>> shown in the browser is the one from the service >>>>>>>>>> and not the one from the proxy. Is there any way >>>>>>>>>> to tell the adapter I want to redirect >>>>>>>>>> back to the first requested url? >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Aritz Maeztu Otaño >>>>>>>>>> Software Development Department >>>>>>>>>> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) >>>>>>>>>> Tel.: 948 21 40 40 >>>>>>>>>> Fax: 948 21 40 41 >>>>>>>>>> >>>>>>>>>> Before printing this e-mail, think carefully about whether it is really necessary: the environment is everyone's business. >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>>> Avast antivirus software has scanned this e-mail for viruses. www.avast.com >>>> >>> >> >
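The trace quoted above shows the backend naming itself in both redirects (Location=http://mies-057:8083/sso/login, then redirect_uri=http%3A%2F%2Fmies-057%3A8083%2Fsso%2Flogin) although Zuul sent X-Forwarded-Host=mies-057:8765 and X-Forwarded-Prefix=/organization. The servlet filter below is an added example, not code from the thread, Keycloak or Spring Cloud: it rewrites the request URL and outgoing Location headers from those headers, and only for requests that arrive from a trusted proxy address (TRUSTED_PROXIES, a constructed value), since honouring X-Forwarded-* from arbitrary clients would let them steer the login redirect.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example, not code from the thread, Keycloak or Spring Cloud.
 * The trace leaks the backend's own address twice: Tomcat absolutises the
 * adapter's redirect to /sso/login as http://mies-057:8083/sso/login, and the
 * adapter builds redirect_uri from request.getRequestURL(), which names
 * mies-057:8083 as well. This filter substitutes the proxy's public URL taken
 * from the X-Forwarded-Host / X-Forwarded-Prefix / X-Forwarded-Proto headers
 * Zuul sends, but only for requests arriving from a trusted proxy address:
 * honouring those headers from anyone else would let a client that reaches
 * port 8083 directly choose the host the login flow redirects to.
 * Register it ahead of the Keycloak filters, and register the proxy-facing
 * /sso/login URL as a valid redirect URI for the client in Keycloak.
 */
public class ForwardedHeaderFilter implements Filter {

    // Constructed for this example: the address(es) the proxy connects from
    // (the thread's trace shows remoteAddr=192.168.56.1).
    static final Set<String> TRUSTED_PROXIES =
            new HashSet<>(Arrays.asList("192.168.56.1", "127.0.0.1"));

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String fwdHost = request.getHeader("X-Forwarded-Host");
        if (fwdHost == null || !TRUSTED_PROXIES.contains(request.getRemoteAddr())) {
            chain.doFilter(req, res);   // not from our proxy: leave the request untouched
            return;
        }
        String proto = request.getHeader("X-Forwarded-Proto");
        String prefix = request.getHeader("X-Forwarded-Prefix");
        // Public base as the browser sees it, e.g. http://mies-057:8765/organization
        String publicBase = (proto != null ? proto : request.getScheme()) + "://"
                + fwdHost.split(",")[0].trim() + (prefix != null ? prefix : "");
        // How the backend names itself, e.g. http://mies-057:8083
        String backendBase = request.getScheme() + "://" + request.getServerName()
                + ":" + request.getServerPort();
        chain.doFilter(new ForwardedRequest(request, publicBase),
                new ReverseProxiedResponse((HttpServletResponse) res, backendBase, publicBase));
    }

    /** Request whose URL names the proxy, so the redirect_uri the adapter builds does too. */
    static class ForwardedRequest extends HttpServletRequestWrapper {
        private final String publicBase;
        ForwardedRequest(HttpServletRequest request, String publicBase) {
            super(request);
            this.publicBase = publicBase;
        }
        @Override
        public StringBuffer getRequestURL() {
            return new StringBuffer(publicBase).append(getRequestURI());
        }
    }

    /** ProxyPassReverse in miniature: redirects aimed at the backend are repointed at the proxy. */
    static class ReverseProxiedResponse extends HttpServletResponseWrapper {
        private final String backendBase;
        private final String publicBase;
        ReverseProxiedResponse(HttpServletResponse response, String backendBase, String publicBase) {
            super(response);
            this.backendBase = backendBase;
            this.publicBase = publicBase;
        }
        @Override
        public void sendRedirect(String location) throws IOException {
            super.sendRedirect(rewrite(location));
        }
        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Location".equalsIgnoreCase(name) ? rewrite(value) : value);
        }
        String rewrite(String location) {
            if (location.startsWith("/")) {
                return publicBase + location;              // the adapter's "/sso/login"
            }
            if (location.startsWith(backendBase + "/")) {
                return publicBase + location.substring(backendBase.length());
            }
            return location;                               // e.g. the Keycloak auth URL
        }
    }
}
```

With the proxy in front, the first hop then becomes http://mies-057:8765/organization/sso/login and the redirect_uri sent to Keycloak names the same public base, which is what the adapter needs to land back on the proxy after login.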
Aritz Maeztu: 948 68 03 06 Telf. Secretar?a: 948 21 40 40 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/b6c57461/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 1295 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/b6c57461/attachment-0002.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 2983 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/b6c57461/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... Name: linkdin.gif Type: image/gif Size: 1295 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/b6c57461/attachment-0003.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: logo.png Type: image/png Size: 2983 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160608/b6c57461/attachment-0003.png From rsoares at redhat.com Sat Jun 11 19:01:22 2016 From: rsoares at redhat.com (Rafael Soares) Date: Sat, 11 Jun 2016 20:01:22 -0300 Subject: [keycloak-user] Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation Message-ID: 'm testing Keycloak LDAP User Federation with FreeIPA iDM Server. I'm using the same environment used by @mposolda [1] with the @adelton's FreeIPA Docker container image [2]. The integration (KC and FreeIPA) worked fine except for the sync for new users created on KC side (new registrations). 
When I enable 'Sync Registrations' on the 'freeipa-ldap' User Federation and then try to add a new user using the KC Web Console, I get the following error.

KC server.log in TRACE mode:

"
2016-06-11 22:33:37,568 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) returning new cache adapter
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No origin returning
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) by id cache hit: master
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) query null
2016-06-11 22:33:37,571 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5) model from delegate null
2016-06-11 22:33:37,571 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-5) Using filter for LDAP search: (&(mail=kc_user1 at example.test)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) client by id cache hit: account
2016-06-11 22:33:37,579 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5) getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) Creating entry [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) objectclass = person
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) givenname =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) sn =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) cn =
2016-06-11 22:33:37,583 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/admin/realms/freeipa/users: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: Error creating subcontext [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.models.ModelException: Error creating subcontext [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:442)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:92)
    at org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:71)
    at org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:171)
    at org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:72)
    at org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:64)
    at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:213)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute "uid" not allowed ]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
    ... 57 more
"

FreeIPA server LDAP (dirsrv) log:

""
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
[11/Jun/2016:22:33:37 +0000] - Entry "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid" not allowed
""

----

It appears the FreeIPA LDAP server is refusing the attribute 'UID'. Interestingly, the FreeIPA 'user_add' API operation states that the 'uid' attribute is required.

I tried to add a new user manually using the FreeIPA CLI and it worked fine. See the FreeIPA CLI output:

"
[root at ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]

Add a new user.

Options:
  -h, --help            show this help message and exit
  --first=STR           First name
  --last=STR            Last name
  --cn=STR              Full name
  --displayname=STR     Display name
  --initials=STR        Initials
  --homedir=STR         Home directory
  --gecos=STR           GECOS
  --shell=STR           Login shell
  --principal=STR       Kerberos principal
  --principal-expiration=DATETIME
                        Kerberos principal expiration
  --email=STR           Email address
  --password            Prompt to set the user password
  --random              Generate a random user password
  --uid=INT             User ID Number (system will assign one if not provided)
  --gidnumber=INT       Group ID Number
  --street=STR          Street address
  --city=STR            City
  --state=STR           State/Province
  --postalcode=STR      ZIP
  --phone=STR           Telephone Number
  --mobile=STR          Mobile Telephone Number
  --pager=STR           Pager Number
  --fax=STR             Fax Number
  --orgunit=STR         Org. Unit
  --title=STR           Job Title
  --manager=STR         Manager
  --carlicense=STR      Car License
  --sshpubkey=STR       SSH public key
  --user-auth-type=['password', 'radius', 'otp']
                        Types of supported user authentication
  --class=STR           User category (semantics placed on this attribute are for local interpretation)
  --radius=STR          RADIUS proxy configuration
  --radius-username=STR RADIUS proxy username
  --departmentnumber=STR
                        Department Number
  --employeenumber=STR  Employee Number
  --employeetype=STR    Employee Type
  --preferredlanguage=STR
                        Preferred Language
  --certificate=BYTES   Base-64 encoded server certificate
  --setattr=STR         Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  --noprivate           Don't create user private group
  --all                 Retrieve and print all attributes from the server. Affects command output.
  --raw                 Print entries as stored on the server. Only affects output format.

[root at ipa /]# ipa user-add ipa_user3 --first 'IPA 3' --last 'User3' --email 'ipa_user3 at example.test' --all --raw
----------------------
Added user "ipa_user3"
----------------------
  dn: uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
  uid: ipa_user3
  givenname: IPA 3
  sn: User3
  cn: IPA 3 User3
  initials: IU
  homedirectory: /home/ipa_user3
  gecos: IPA 3 User3
  loginshell: /bin/sh
  mail: ipa_user3 at example.test
  uidnumber: 753200006
  gidnumber: 753200006
  has_password: FALSE
  has_keytab: FALSE
  displayName: IPA 3 User3
  ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
  krbPrincipalName: ipa_user3 at EXAMPLE.TEST
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
  mepManagedEntry: cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
  objectClass: ipaSshGroupOfPubKeys
  objectClass: ipaobject
  objectClass: mepOriginEntry
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
"

Can someone help me find what is wrong on the KC side? Maybe the KC mappers mechanism?

Thanks in advance.

[1] https://github.com/mposolda/keycloak-freeipa-docker
[2] https://hub.docker.com/r/adelton/freeipa-server/

-- 
___
Rafael T. C. Soares
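As an added illustration, not code from the thread, from Keycloak or from FreeIPA, the script below applies the standard objectClass MUST/MAY rules to the entry Keycloak tries to create (objectclass=person only, as the TRACE log shows) and to the entry ipa user-add produced. It assumes the RFC 4519/2798/2307 attribute lists embedded in the code and skips FreeIPA-specific classes, which is enough to reproduce the 'attribute "uid" not allowed' verdict and to show which objectClass list would accept the entry.

```python
"""Schema check for an LDAP ADD: which attributes do the entry's objectClasses
permit? Added example, not code from the thread or from Keycloak/FreeIPA.

Assumptions: the MUST/MAY lists are the standard ones from RFC 4519 (person,
organizationalPerson), RFC 2798 (inetOrgPerson) and RFC 2307 (posixAccount),
trimmed to the attributes that appear in this thread. FreeIPA-specific classes
(ipaobject, krbprincipalaux, ...) are not modelled and are skipped.
"""
from typing import Dict, List, Set, Tuple

# objectClass -> (superior class, MUST attributes, MAY attributes); names lower-cased
SCHEMA: Dict[str, Tuple[str, Set[str], Set[str]]] = {
    "top": ("", {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(),
                             {"title", "ou", "l", "street", "postalcode"}),
    "inetorgperson": ("organizationalperson", set(),
                      {"uid", "mail", "givenname", "displayname", "initials",
                       "employeenumber", "departmentnumber", "manager"}),
    "posixaccount": ("top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
}


def permitted_attributes(object_classes: List[str]) -> Tuple[Set[str], Set[str]]:
    """Collect MUST and MAY attributes over the classes and their superiors."""
    must: Set[str] = set()
    may: Set[str] = set()
    for oc in object_classes:
        name = oc.lower()
        while name:                    # walk up the SUP chain until 'top'
            if name not in SCHEMA:     # FreeIPA-specific class: skipped (assumption)
                break
            sup, oc_must, oc_may = SCHEMA[name]
            must |= oc_must
            may |= oc_may
            name = sup
    return must, may


def check_add(entry: Dict[str, List[str]]) -> List[str]:
    """Return the violations a directory server would raise for this ADD.

    'not allowed' is the objectClassViolation (LDAP result code 65) seen in the
    thread; an empty DirectoryString is an invalidAttributeSyntax (code 21),
    because RFC 4517 requires at least one character per value.
    """
    attrs = {k.lower(): v for k, v in entry.items()}
    must, may = permitted_attributes(attrs.get("objectclass", []))
    problems: List[str] = []
    for attr, values in attrs.items():
        if attr not in must and attr not in may:
            problems.append(f'attribute "{attr}" not allowed')
        if not any(v.strip() for v in values):
            problems.append(f'attribute "{attr}" has an empty value')
    for attr in sorted(must - set(attrs)):
        problems.append(f'required attribute "{attr}" missing')
    return problems


# Entry exactly as LDAPOperationManager logs it above; uid comes from the RDN
KEYCLOAK_ENTRY: Dict[str, List[str]] = {
    "objectclass": ["person"],
    "uid": ["kc_user1"],
    "givenname": [""],
    "sn": [""],
    "cn": [""],
}

# Subset of the entry 'ipa user-add ipa_user3' produced (values from the thread)
FREEIPA_ENTRY: Dict[str, List[str]] = {
    "objectClass": ["top", "person", "organizationalperson", "inetorgperson",
                    "posixaccount", "ipaobject", "krbprincipalaux"],
    "uid": ["ipa_user3"],
    "givenname": ["IPA 3"],
    "sn": ["User3"],
    "cn": ["IPA 3 User3"],
    "initials": ["IU"],
    "homedirectory": ["/home/ipa_user3"],
    "gecos": ["IPA 3 User3"],
    "loginshell": ["/bin/sh"],
    "mail": ["ipa_user3@example.test"],
    "uidnumber": ["753200006"],
    "gidnumber": ["753200006"],
    "displayName": ["IPA 3 User3"],
}


def with_object_classes(entry: Dict[str, List[str]], object_classes: List[str]) -> Dict[str, List[str]]:
    """Same attributes with a different objectClass list (what a federation
    'User Object Classes' setting would change); other keys keep their order."""
    out = {k.lower(): list(v) for k, v in entry.items()}
    out["objectclass"] = list(object_classes)
    return out


if __name__ == "__main__":
    cases = [("keycloak, person only", KEYCLOAK_ENTRY),
             ("keycloak, person + inetOrgPerson",
              with_object_classes(KEYCLOAK_ENTRY, ["person", "inetOrgPerson"])),
             ("ipa user-add", FREEIPA_ENTRY)]
    for label, e in cases:
        print(label, "->", check_add(e) or "OK")
```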
From mposolda at redhat.com Mon Jun 13 03:47:44 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 13 Jun 2016 09:47:44 +0200
Subject: [keycloak-user] Performance issues with Federation provider enabled
In-Reply-To: <315000034.1945497.1465797441058.JavaMail.yahoo@mail.yahoo.com>
References: <315000034.1945497.1465797441058.JavaMail.yahoo.ref@mail.yahoo.com> <315000034.1945497.1465797441058.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <575E6520.3080409@redhat.com>

Thanks,

AFAIK we didn't try much performance testing with federationProviders enabled. It's on the todo list though. Also we plan some refactoring of userStorage + userFederation, so we will likely go into it later.

For your case, the performance bottleneck can be in your federationProvider implementation, so I am not sure if it's an issue in Keycloak or rather an issue in your implementation.

One thing to note (maybe it's not an issue in your case, but just adding it to be sure you're aware): UserFederationProvider.close is currently not called. So if you rely on this method to free any important resources related to your implementation, you shouldn't, as it doesn't work right now. We are working on improving this for the next version.

Marek

On 13/06/16 07:57, Thomas Connolly wrote:
> Hi Marek
>
> I'm working with Fabricio on the federation performance issues with Keycloak.
>
> In answer to your question we are using the latest KC 1.9.7 version (we upgraded this week from 1.9.2).
>
> To give you some indication, here are the results of running a gatling direct access login test (results below).
>
> As you can see below in (1), using KC out of the box: great performance - we saw 110 tx per sec on a 4 core system.
> In scenario (2), using a stubbed federator (simply an echo plugin not connecting to any back end services), performance is unacceptable.
>
> 1) Not using the federator - Stub federator (disabled) - while 29 tx per second, we could easily get to a stable 110 tx per second.
> 300 Users (hitting single server)
> ---- Global Information --------------------------------------------------------
> request count                              9185 (OK=9185   KO=0     )
> min response time                            18 (OK=18     KO=-     )
> max response time                           723 (OK=723    KO=-     )
> mean response time                           27 (OK=27     KO=-     )
> std deviation                                44 (OK=44     KO=-     )
> response time 50th percentile                20 (OK=20     KO=-     )
> response time 75th percentile                21 (OK=21     KO=-     )
> mean requests/sec                        29.626 (OK=29.626 KO=-     )
> ---- Response Time Distribution ------------------------------------------------
> t < 800 ms                                 9185 (100%)
> 800 ms < t < 1200 ms                          0 (  0%)
> t > 1200 ms                                   0 (  0%)
> failed                                        0 (  0%)
>
> 2) Stub federator (enabled) - if we brought the test down to 12 tx per second (about 90 users) the response times dropped to < 1200 ms, however not even close to meeting our acceptance criteria.
> 300 Users (hitting single server)
> ---- Global Information --------------------------------------------------------
> request count                              8496 (OK=8496   KO=0     )
> min response time                           511 (OK=511    KO=-     )
> max response time                         11191 (OK=11191  KO=-     )
> mean response time                         6832 (OK=6832   KO=-     )
> std deviation                              2329 (OK=2329   KO=-     )
> response time 50th percentile              7194 (OK=7194   KO=-     )
> response time 75th percentile              8690 (OK=8690   KO=-     )
> mean requests/sec                        27.404 (OK=27.404 KO=-     )
> ---- Response Time Distribution ------------------------------------------------
> t < 800 ms                                  154 (  2%)
> 800 ms < t < 1200 ms                         85 (  1%)
> t > 1200 ms                                8257 ( 97%)
> failed                                        0 (  0%)
>
> This is currently a show stopper for us and is blocking our path to production.
> Do you run similar tests and how can we help you optimise the performance?
>
> Regards
> Tom.
>
>
> Date: Wed, 8 Jun 2016 12:28:19 +0200
> From: Marek Posolda
> Subject: Re: [keycloak-user] Performance issues with Federation provider enabled
> To: Fabricio Milone , keycloak-user
> Message-ID: <5757F343.1040803 at redhat.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Hi,
>
> what's the keycloak version used? Could you try the latest keycloak and check if performance is still the issue?
>
> Marek
>
> On 08/06/16 01:30, Fabricio Milone wrote:
> > Hi all,
> >
> > I sent this email yesterday with 5 or more attachments, so I think it was blocked or something... here I go again :)
> >
> > I've been running load tests on our application during the last few weeks, and having some performance issues when my custom federator is enabled.
> >
> > The performance issue does not exist when the federator is disabled.
> > *Configuration*:
> >
> > I have a cluster of 2 instances of Keycloak, with a standalone DB; we've verified the DB isn't an issue when the federator is disabled.
> > Both instances have a quad core CPU and they are in the same network. We've left the memory at 512MB.
> > The test script, database and API that connects to the federator are in separate machines.
> > *Federator*:
> >
> > We have a simple custom federator that makes calls to a very performant api, which has been tested and is ok. Additionally, we've tested stubbing the API so the performance is not a problem there.
> > This federator is using a jaxb marshaller to create a request, again tested in isolation and is performing well.
> >
> > As the federator is doing a lot of calls to the API (3 per login request), I've implemented a httpclient that uses a PoolingHttpClientConnectionManager with 1000 connections available to use, instead of using the standard apache httpclient from http components. That hasn't improved the performance of the system a bit.
> > *Tests*:
> > It is a gatling scala script that could generate around ~300 (or more) requests/second to the direct grants login endpoint using random usernames from a list (all of them already registered using KC). The script is doing a round robin across both instances of Keycloak with an even distribution to each KC instance.
> > The idea is to simulate a load of 300 to 1500 concurrent users trying to login into our systems.
> > *Problem*:
> >
> > If I run the tests without using a federation I can see a very good performance, but when I try to run the tests with the custom federation code, the performance drops from ~150 requests/second to 22 req/sec using both instances.
> > Memory wise, it seems to be ok. I've never seen an error related to memory with this configuration; also if you take a look at the attached visualVM screenshot you'll see that memory is not a problem, or it seems not to be.
> > CPU utilisation is very low to my mind; I'd expect more than 80% of usage or something like that.
> > There is a method that is leading the CPU samples on VisualVM called Semaphore.tryAcquire(). Not quite sure what that's for, still investigating.
> >
> > I can see that a lot of new threads are being created when the test starts, as it creates around 60 requests/second to the direct grants login call, but it seems to be a bottleneck at some point.
> >
> > So I'm wondering if there is some configuration I'm missing on the Keycloak side that could be affecting the cluster performance when a federator is enabled. Maybe something related to jpa connections, infinispan configuration or even wildfly.
> >
> > I'd really appreciate your help on this one as I'm out of ideas.
> >
> > I've attached some screenshots of visualVM and test results from my last run today.
> >
> >
> > Sorry for the long email and please let me know if you need further information.
> >
> > Thank you in advance,
> >
> > Regards,
> > Fab
> >
> > --
> > *Fabricio Milone*
> > Developer
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From anthony.fryer at gmail.com Mon Jun 13 03:51:59 2016
From: anthony.fryer at gmail.com (Anthony Fryer)
Date: Mon, 13 Jun 2016 17:51:59 +1000
Subject: [keycloak-user] Fwd: Multi-org salesforce with single realm keycloak
In-Reply-To:
References:
Message-ID:

I never said anything about how the realm is created (I agree whatever creates a new customer should create the keycloak realm). I was talking about how to build a KeycloakConfigResolver that can work with new realms that it doesn't know about in advance.

On Mon, Jun 13, 2016 at 5:25 PM, Stian Thorgersen wrote:
> I'm sorry but dynamically creating realms in this way is just crazy IMO. You should have whatever provisions new customers also create a realm on their behalf.
> > On 11 June 2016 at 04:15, Anthony Fryer wrote: > >> You can implement a dynamic keycloak config resolver that can work with >> realms not known in advance. I've just been doing exactly the same >> thing. My requirement was to use the host name to identify a realm, so >> tenanta.mydomain.com/my-client would use realm "tenanta", >> tenantb.mydomain.com/my-client would use "tenantb" etc and realms could >> be created dynamically and my-client would immediately work with those new >> realms without requiring a reboot or re-configuration. There are >> different KeycloakConfigResolver implementations you can use to do this, >> depending on your client configuration. >> >> If the client is configured as public (no client secret) or if the client >> secret for the application is the same in each realm, then you can use a >> keycloak template for configuration. So you could deploy a >> WEB-INF/keycloak-template.json file which looks something like this... >> { >> >> "realm": "tenantA", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA07H+1raA8G5lU9II9GwQ1r2yXzSeBpEC6Lz822iB+oZGi36KC6caVOyi1IVIWB/ZnxxoC8AHsn4ASYJnYUMNTjRvK9nwHCP825LD3nHFBHyQ0gUHBELRi6ZvmOu3TnyiIlnR2SCxwmND5ifgtDfKwldcdCTNWqJG5MkcOimhDEiZYLOrShH5pCcEkPE5JBj0GDGYs9AcUT8/OrJEvInVAfnMMxvzZfXhJQlXnq0HbkGPNL2LMq66bmfI7OTzWKpIIoa24DOcxvu5FEqnnfhEZ+RkhfrVVe876T7Jx9f128xOTAYgi98515+xeFGei1Qer1IJCtnE5vICKKVtDdJg1wIDAQAB", "auth-server-url": "https://keycloak.mydomain.com/auth", "ssl-required": "none", "resource": "my-client", "public-client": true} >> >> >> The KeycloakConfigResolver would use this template for each realm and >> just overwrite the "realm" and "realm-public-key" values with the real >> values. To get those real values, the KeycloakConfigResolver would >> first work out the realm name. In my case, I derive the realm name from >> the hostname, so tenanta.mydomain.com would indicate "tenanta" was being >> used. 
Once you have derived the realm name, then you can do a http get >> request to http:///auth/realms/ (eg. >> https://keycloak.mydomain.com/auth/realms/tenanta). This endpoint isn't >> secured and returns something similar to the following... >> >> { >> >> - realm: "tenantA", >> - public_key: >> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA07H+1raA8G5lU9II9GwQ1r2yXzSeBpEC6Lz822iB+oZGi36KC6caVOyi1IVIWB/ZnxxoC8AHsn4ASYJnYUMNTjRvK9nwHCP825LD3nHFBHyQ0gUHBELRi6ZvmOu3TnyiIlnR2SCxwmND5ifgtDfKwldcdCTNWqJG5MkcOimhDEiZYLOrShH5pCcEkPE5JBj0GDGYs9AcUT8/OrJEvInVAfnMMxvzZfXhJQlXnq0HbkGPNL2LMq66bmfI7OTzWKpIIoa24DOcxvu5FEqnnfhEZ+RkhfrVVe876T7Jx9f128xOTAYgi98515+xeFGei1Qer1IJCtnE5vICKKVtDdJg1wIDAQAB" >> , >> - token-service: " >> https://keycloak.mydomain.com/auth/realms/tenantA/protocol/openid-connect >> >> ", >> - account-service: " >> https://keycloak.mydomain.com/auth/realms/tenantA/account >> ", >> - admin-api: "https://keycloak.mydomain.com/auth/admin >> ", >> - tokens-not-before: 0 >> >> } >> >> The KeycloakConfigResolver then uses the "realm" and "public_key" values >> from that response, overrides the values from the keycloak-template.json >> file to create the KeycloakDeployment (using KeycloakDeploymentBuilder). >> >> If your client isn't public and the client-secret differs and isn't known >> in advance, then this solution wouldn't work. In that case, another >> solution can be used which is slightly more complicated. The idea is the >> KeycloakConfigResolver does the following... >> >> 1/ Get a token for the admin-cli client in the "master" realm. This may >> require configuring a username and password that can be used used to obtain >> this token. >> 2/ Use the rest api to get a list of clients in the requested realm (ie. >> http get to http:///auth/admin/realms/{realm}/clients >> using a Bearer token obtained from step 1 >> 3/ Iterate through the list and find the Client you're interested in (ie. >> client.getClientId().equals("my-client") ). 
>> You need the client UID identifier from this.
>> 4/ Use the REST API to get the keycloak deployment installation file by doing a GET to http:///auth/admin/realms/{realm}/clients/{client-uid}/installation/providers/keycloak-oidc-keycloak-json, using the Bearer token from step 1 and the client UID from step 3. Then use KeycloakDeploymentBuilder on the response body returned from this service.
>>
>> Regards,
>>
>> Anthony
>>
>> On 04:43, Sat, 11/06/2016 Jesse Chahal wrote:
>>
>>> The keycloak config resolver works well when all realms are known in advance. I was trying to imply in my diagram that all realms are not known in advance as realms are going to be created for new customers on demand. Doing a new production deployment whenever a SaaS product has a new customer added is not a feasible solution.
>>>
>>> On Wed, Jun 8, 2016 at 7:01 PM, Anthony Fryer wrote:
>>> > Why do you say "very hard to get App1 to support multiple realms (no adapter or keycloak support)"?
>>> >
>>> > Keycloak does provide multi-tenancy support via the KeycloakConfigResolver. See https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant.
>>> >
>>> > The issue would be if your app can't use a keycloak adapter.
>>> >
>>> > On Thu, Jun 9, 2016 at 10:05 AM, Jesse Chahal wrote:
>>> >>
>>> >> Hi,
>>> >>
>>> >> I'm back again. I'm trying to figure out how to scale Identity Providers. We are planning on trying to integrate our App1 with salesforce. A user who logs into salesforce should be able to have a native feel of our App1 within it. To do this we'll probably have to end up building salesforce native apps. For every salesforce organization/licensee we will have to register an Identity provider with keycloak to make sure they can correctly use App1. Some configuration options we came up with are listed below. Has anyone else solved a similar problem?
>>> >>
>>> >> OPTION 1
>>> >> ########################################################
>>> >> # Keycloak
>>> >> #
>>> >> # ---> master realm
>>> >> #
>>> >> # ---> realm 1
>>> >> #
>>> >> # --- ---> app1_client (open ID)
>>> >> #
>>> >> # --- ---> salesforce_org1_saml2.0_identity_provider
>>> >> #
>>> >> # --- ---> salesforce_org2_saml2.0_identity_provider
>>> >> #
>>> >> #
>>> >> # Salesforce
>>> >> #
>>> >> # ---> org1
>>> >> #
>>> >> # ---- ----> salesforce_appX (uses App1)
>>> >> #
>>> >> # ---> org 2
>>> >> #
>>> >> # ---- ----> salesforce_appX (uses App1)
>>> >> #
>>> >> # ---- ----> salesforce_appY (uses App1)
>>> >> #
>>> >> # .....
>>> >> #
>>> >> #
>>> >> # App 1
>>> >> #
>>> >> # ---> OpenID to realm1 (using adapter)
>>> >> #
>>> >> ########################################################
>>> >> benefits
>>> >> - single login page
>>> >> - single realm
>>> >> cons
>>> >> - login page with infinite number of identity provider buttons present
>>> >>
>>> >>
>>> >> OPTION 2
>>> >> ########################################################
>>> >> # Keycloak
>>> >> #
>>> >> # ---> master realm
>>> >> #
>>> >> # ---> realm 1
>>> >> #
>>> >> # --- ---> app1_client (open ID)
>>> >> #
>>> >> # --- ---> salesforce_org1_saml2.0_identity_provider
>>> >> #
>>> >> # ---> realm 2
>>> >> #
>>> >> # --- ---> app1_client (open ID)
>>> >> #
>>> >> # --- ---> salesforce_org2_saml2.0_identity_provider
>>> >> #
>>> >> #
>>> >> # Salesforce
>>> >> #
>>> >> # ---> org1
>>> >> #
>>> >> # ---- ----> salesforce_appX (uses App1)
>>> >> #
>>> >> # ---> org 2
>>> >> #
>>> >> # ---- ----> salesforce_appX (uses App1)
>>> >> #
>>> >> # ---- ----> salesforce_appY (uses App1)
>>> >> #
>>> >> # .....
>>> >> #
>>> >> #
>>> >> # App 1
>>> >> #
>>> >> # ---> OpenID to realm1, realm2, realm#....
>>> >> (using adapter)
>>> >> #
>>> >> ########################################################
>>> >> benefits
>>> >> - single salesforce button per login page
>>> >> - users are more isolated in single realm
>>> >> cons
>>> >> - very hard to get App1 to support multiple realms (no adapter or keycloak support)
>>> >> _______________________________________________
>>> >> keycloak-user mailing list
>>> >> keycloak-user at lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Jun 13 03:54:48 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 13 Jun 2016 09:54:48 +0200
Subject: [keycloak-user] Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation
In-Reply-To: References:
Message-ID: <575E66C8.1030204@redhat.com>

The "Sync registration" doesn't work with LDAP provider configured against FreeIPA. We are currently working on improving FreeIPA integration. It seems the new users created in Keycloak will be registered to FreeIPA with SSSD, not with LDAP. Using SSSD seems to be the preferred and more proper way though.

Marek

On 12/06/16 01:10, Rafael Soares wrote:
> I'm testing Keycloak LDAP User Federation with FreeIPA iDM Server. I'm using the same environment used by @mposolda [1] with the @adelton's FreeIPA Docker container image [2].
> > The integration (KC and FreeIPA) worked fine except for the sync for > new users created on KC side (new registrations). When I enable the > 'Sync Registrations' on the 'freeipa-ldap' User Federation and then > try to add a new user using the KC Web Console I get the following error: > > > ? > > KC server.log in TRACE mode: > > " > 2016-06-11 22:33:37,568 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) realm by name cache hit: master > 2016-06-11 22:33:37,568 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) by id cache hit: master > 2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) > token active - active: true, issued-at: 1,465,684,397, not-before: 0 > 2016-06-11 22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.UserCacheSession] (default > task-5) getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a > 2016-06-11 22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.UserCacheSession] (default > task-5) returning new cache adapter > 2016-06-11 22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) client by name cache hit: security-admin-console > 2016-06-11 22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) client by id cache hit: security-admin-console > 2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) > authenticated admin access for: admin > 2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) > No origin returning > 2016-06-11 22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) realm by name cache hit: freeipa > 2016-06-11 22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) by id cache hit: freeipa > 2016-06-11 22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) by id cache hit: master > 2016-06-11 
22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) by id cache hit: master > 2016-06-11 22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) by id cache hit: master > 2016-06-11 22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) client by id cache hit: freeipa-realm > 2016-06-11 22:33:37,569 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) getClientRoles cache hit: freeipa-realm > 2016-06-11 22:33:37,570 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) getClientRoles cache hit: freeipa-realm > 2016-06-11 22:33:37,570 TRACE > [org.keycloak.models.cache.infinispan.UserCacheSession] (default > task-5) getUserByUsername: kc_user1 > 2016-06-11 22:33:37,570 TRACE > [org.keycloak.models.cache.infinispan.UserCacheSession] (default > task-5) query null > 2016-06-11 22:33:37,571 TRACE > [org.keycloak.models.cache.infinispan.UserCacheSession] (default > task-5) model from delegate null > 2016-06-11 22:33:37,571 TRACE > [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] > (default task-5) Using filter for LDAP search: > (&(uid=kc_user1)(objectclass=person)) . Searching in DN: > cn=users,cn=accounts,dc=example,dc=test > 2016-06-11 22:33:37,575 TRACE > [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] > (default task-5) Using filter for LDAP search: > (&(mail=kc_user1 at example.test)(objectclass=person)) . 
Searching in DN: > cn=users,cn=accounts,dc=example,dc=test > 2016-06-11 22:33:37,577 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) getRealmRoles cache hit: freeipa > 2016-06-11 22:33:37,578 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) getClients cache hit: freeipa > 2016-06-11 22:33:37,578 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) client by id cache hit: broker > 2016-06-11 22:33:37,578 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) client by id cache hit: realm-management > 2016-06-11 22:33:37,578 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) client by id cache hit: liferay-saml-idp > 2016-06-11 22:33:37,578 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) client by id cache hit: security-admin-console > 2016-06-11 22:33:37,578 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) client by id cache hit: kitchensink > 2016-06-11 22:33:37,579 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) client by id cache hit: admin-cli > 2016-06-11 22:33:37,579 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) client by id cache hit: account > 2016-06-11 22:33:37,579 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) getClientRoles cache hit: account > 2016-06-11 22:33:37,580 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-5) getClientRoles cache hit: account > 2016-06-11 22:33:37,581 TRACE > [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] > (default task-5) Creating entry > [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [ > 2016-06-11 22:33:37,583 TRACE > [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] > (default task-5) 
objectclass = person > 2016-06-11 22:33:37,583 TRACE > [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] > (default task-5) givenname = > 2016-06-11 22:33:37,583 TRACE > [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] > (default task-5) sn = > 2016-06-11 22:33:37,583 TRACE > [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] > (default task-5) cn = > 2016-06-11 22:33:37,583 TRACE > [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] > (default task-5) ] > 2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5) > UT005023: Exception handling request to > /auth/admin/realms/freeipa/users: > org.jboss.resteasy.spi.UnhandledException: > org.keycloak.models.ModelException: Error creating subcontext > [uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > > ... 
> 37 more
> Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute "uid" not allowed
> ]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
>         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
>         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
>         at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
>         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
>         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
>         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
>         at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
>         at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
>         at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
>         at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
>         at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
>         at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
>         ... 57 more"
>
> FreeIPA Server ldap srv log:
> ""
> tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
>
> [11/Jun/2016:22:33:37 +0000] - Entry "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid" not allowed
> ""
>
> ----
>
> It appears FreeIPA LDAP server is refusing the attribute 'UID'
>
> Interesting is that the FreeIPA 'user_add' API operation states the 'uid' attribute is required:
>
> I tried to add a new user manually using the FreeIPA CLI and it worked fine.
See the FreeIPA CLI output: > > " > [root at ipa /]# ipa help user-add > Usage: ipa [global-options] user-add LOGIN [options] > > Add a new user. > Options: > -h, --help show this help message and exit > --first=STR First name > --last=STR Last name > --cn=STR Full name > --displayname=STR Display name > --initials=STR Initials > --homedir=STR Home directory > --gecos=STR GECOS > --shell=STR Login shell > --principal=STR Kerberos principal > --principal-expiration=DATETIME > Kerberos principal expiration > --email=STR Email address > --password Prompt to set the user password > --random Generate a random user password > --uid=INT User ID Number (system will assign one if not > provided) > --gidnumber=INT Group ID Number > --street=STR Street address > --city=STR City > --state=STR State/Province > --postalcode=STR ZIP > --phone=STR Telephone Number > --mobile=STR Mobile Telephone Number > --pager=STR Pager Number > --fax=STR Fax Number > --orgunit=STR Org. Unit > --title=STR Job Title > --manager=STR Manager > --carlicense=STR Car License > --sshpubkey=STR SSH public key > --user-auth-type=['password', 'radius', 'otp'] > Types of supported user authentication > --class=STR User category (semantics placed on this > attribute are > for local interpretation) > --radius=STR RADIUS proxy configuration > --radius-username=STR > RADIUS proxy username > --departmentnumber=STR > Department Number > --employeenumber=STR Employee Number > --employeetype=STR Employee Type > --preferredlanguage=STR > Preferred Language > --certificate=BYTES Base-64 encoded server certificate > --setattr=STR Set an attribute to a name/value pair. Format is > attr=value. For multi-valued attributes, the > command > replaces the values already present. > --addattr=STR Add an attribute/value pair. Format is > attr=value. The > attribute must be part of the schema. > --noprivate Don't create user private group > --all Retrieve and print all attributes from the server. > Affects command output. 
>   --raw                 Print entries as stored on the server. Only affects output format.
>
> [root at ipa /]# ipa user-add ipa_user3 --first 'IPA 3' --last 'User3' --email 'ipa_user3 at example.test' --all --raw
> ----------------------
> Added user "ipa_user3"
> ----------------------
>   dn: uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
>   uid: ipa_user3
>   givenname: IPA 3
>   sn: User3
>   cn: IPA 3 User3
>   initials: IU
>   homedirectory: /home/ipa_user3
>   gecos: IPA 3 User3
>   loginshell: /bin/sh
>   mail: ipa_user3 at example.test
>   uidnumber: 753200006
>   gidnumber: 753200006
>   has_password: FALSE
>   has_keytab: FALSE
>   displayName: IPA 3 User3
>   ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
>   krbPrincipalName: ipa_user3 at EXAMPLE.TEST
>   memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
>   mepManagedEntry: cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
>   objectClass: ipaSshGroupOfPubKeys
>   objectClass: ipaobject
>   objectClass: mepOriginEntry
>   objectClass: person
>   objectClass: top
>   objectClass: ipasshuser
>   objectClass: inetorgperson
>   objectClass: organizationalperson
>   objectClass: krbticketpolicyaux
>   objectClass: krbprincipalaux
>   objectClass: inetuser
>   objectClass: posixaccount
> "
>
> Can someone help me find what is wrong on KC side? Maybe the KC mappers mechanism?
>
> Thanks in advance.
>
> [1] https://github.com/mposolda/keycloak-freeipa-docker
> [2] https://hub.docker.com/r/adelton/freeipa-server/
>
> --
> ___
> Rafael T. C. Soares
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
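The refusal in the thread above is a schema decision by the directory: LDAP result code 65 (objectClassViolation, surfaced by JNDI as SchemaViolationException) means the entry carries an attribute that none of its objectClasses permit. The following Python is an added illustration, not code from the thread, from Keycloak or from FreeIPA. It holds a hand-written subset of the standard LDAP schema (RFC 4519 person and organizationalPerson, RFC 2798 inetOrgPerson, RFC 2307 posixAccount) and replays that check on the entry reconstructed from the TRACE lines (objectclass=person plus uid, givenname, sn, cn) and on the entry the `ipa user-add --all --raw` output shows. The class table and both sample entries are assumptions built from the thread's own values; FreeIPA's directory enforces a far larger schema, including its ipa*/krb*/mep* classes, and also validates attribute values, which this code does not.

```python
"""Replay the objectClass/attribute check behind LDAP result code 65.

Added example; not Keycloak, FreeIPA or mailing-list code. SCHEMA is a
hand-written SUBSET of the RFC definitions, sufficient for the two entries
reconstructed below from the thread.
"""
from typing import Dict, List, Optional, Set, Tuple

# objectClass -> (superior class, MUST attributes, MAY attributes), lowercase.
# Subset of RFC 4519 / RFC 2798 / RFC 2307; every chain ends at "top".
SCHEMA: Dict[str, Tuple[Optional[str], Set[str], Set[str]]] = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(),
                             {"title", "ou", "l", "st", "street", "postalcode",
                              "postaladdress", "facsimiletelephonenumber"}),
    "inetorgperson": ("organizationalperson", set(),
                      {"uid", "mail", "givenname", "displayname", "initials",
                       "employeenumber", "departmentnumber", "mobile", "manager",
                       "preferredlanguage", "carlicense"}),
    "posixaccount": ("top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
}


def allowed_attributes(object_classes: List[str]) -> Tuple[Set[str], Set[str]]:
    """Union of MUST and MAY attributes over each class and its superior chain."""
    must: Set[str] = set()
    may: Set[str] = set()
    for oc in object_classes:
        name: Optional[str] = oc.lower()
        while name is not None:
            if name not in SCHEMA:
                raise ValueError(f"objectClass {oc!r} is not in this subset schema")
            superior, oc_must, oc_may = SCHEMA[name]
            must |= oc_must
            may |= oc_may
            name = superior
    return must, may


def check_entry(entry: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (attributes not allowed by the objectClasses, MUST attributes missing).

    Attribute names are compared case-insensitively, as LDAP does. Values are not
    validated; a real server would additionally reject the empty values Keycloak sent.
    """
    attrs = {name.lower() for name in entry}
    object_classes = next((v for k, v in entry.items() if k.lower() == "objectclass"), [])
    must, may = allowed_attributes(object_classes)
    return sorted(attrs - must - may), sorted(must - attrs)


# Reconstructed from the Keycloak TRACE lines: RDN attribute uid, objectclass=person,
# and empty givenname/sn/cn.
KEYCLOAK_ENTRY: Dict[str, List[str]] = {
    "objectClass": ["person"],
    "uid": ["kc_user1"],
    "givenName": [""],
    "sn": [""],
    "cn": [""],
}

# Reconstructed from the `ipa user-add --all --raw` output, restricted to the
# standard classes and attributes this subset schema knows (ipa*/krb*/mep* left out).
IPA_ENTRY: Dict[str, List[str]] = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"],
    "uid": ["ipa_user3"],
    "givenName": ["IPA 3"],
    "sn": ["User3"],
    "cn": ["IPA 3 User3"],
    "initials": ["IU"],
    "homeDirectory": ["/home/ipa_user3"],
    "gecos": ["IPA 3 User3"],
    "loginShell": ["/bin/sh"],
    "mail": ["ipa_user3@example.test"],
    "uidNumber": ["753200006"],
    "gidNumber": ["753200006"],
    "displayName": ["IPA 3 User3"],
}


def main() -> None:
    for label, entry in (("keycloak entry", KEYCLOAK_ENTRY), ("ipa user-add entry", IPA_ENTRY)):
        not_allowed, missing = check_entry(entry)
        print(f"{label}: objectClass={entry['objectClass']}")
        print(f"  not allowed: {not_allowed or '-'}   missing MUST: {missing or '-'}")
    # The same attribute set under a class whose definition carries uid and givenName
    print("keycloak entry as inetOrgPerson:",
          check_entry({**KEYCLOAK_ENTRY, "objectClass": ["inetOrgPerson"]}))


if __name__ == "__main__":
    main()
```

Run stand-alone, the Keycloak entry comes back with `givenname` and `uid` not permitted under `person` alone, which is the server's message in both logs, while the entry FreeIPA's own CLI wrote passes the name check; the last line shows the same attribute set passing once a class that lists `uid` and `givenName` is present.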
From mposolda at redhat.com Mon Jun 13 04:03:03 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 13 Jun 2016 10:03:03 +0200
Subject: [keycloak-user] New user, same e-mail
In-Reply-To: <2cf32bc7-6ecf-6208-24a0-7e3db3ce65a1@intelbras.com.br>
References: <2f370eab-5846-da3e-9750-edd1bd5431a4@intelbras.com.br> <2cf32bc7-6ecf-6208-24a0-7e3db3ce65a1@intelbras.com.br>
Message-ID: <575E68B7.30306@redhat.com>

You can possibly add "Custom User LDAP Filter" in your LDAP provider in admin console and add filtering for "disabled" users? In that case, Keycloak won't find the "disabled" user in LDAP and hence will delete it in its internal DB and then the new account with that email will be synced and created in Keycloak.

Marek

On 10/06/16 14:10, Felipe Braun Azambuja wrote:
> Hi Niels,
>
> I've read the JIRA issue, but it's not _exactly_ the case. The problem I'm facing is because I have two entries with the same address in Active Directory, and I can't change the old one in Keycloak because I have AD federated in read only mode.
>
> If I change the 'mail' entry in the AD object, it is not synced again if the data already exists in Keycloak? I did a test now with my own user, and it still shows the old value.
>
> On 09/06/2016 18:58, Niels Bertram wrote:
>> Hi Felipe,
>>
>> this topic was discussed some time back on the user forum. Jira KEYCLOAK-2141 has some background information on the issue you are facing.
>> From what I can tell one will have to change the attribute mapping on the LDAP user federation provider to map email to a custom attribute (e.g. contact_email) and then also change the email template to use that field for email distribution instead.
>>
>> Cheers,
>> Niels
>>
>>
>> On Thu, Jun 9, 2016 at 9:41 PM, Felipe Braun Azambuja wrote:
>>
>> Hello all,
>>
>> We have Keycloak connected to our Active Directory (read only), everything working correctly, authenticating our employees. But there is a case that is a little complicated.
>>
>> When someone starts working here as an intern, the user has an employee ID with four digits. If a person is a regular employee, it has five digits. Windows login is made of the first 2 letters of the name, and then the ID number, zero padded, as in *fe001173*. But there are times that these interns are hired as employees, so the previous account is *disabled* in AD and a new one is created.
>>
>> The problem is that the e-mail address is the same. When this happens, I can't even search the user in Keycloak admin interface, because it says that it already has a user with the same e-mail. The old one is still there, though; but if I go to its details, I can't change the e-mail address, since it tries to sync it back to AD.
>>
>> So far, the solution was changing it directly in the database and restarting Keycloak, which is *not* a good thing to do.
>>
>> Any thoughts on what we could do?
>>
>>
>> Thanks !
>> --
>> Felipe Braun Azambuja
>> DBA
>> Tecnologia da Informação e Comunicação
>> (48) 3281 9577
>> felipe.braun at intelbras.com.br
>> The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
> --
> Felipe Braun Azambuja
> DBA
> Tecnologia da Informação e Comunicação
> (48) 3281 9577
> felipe.braun at intelbras.com.br
> The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender.
> The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From nielsbne at gmail.com Mon Jun 13 04:03:13 2016
From: nielsbne at gmail.com (Niels Bertram)
Date: Mon, 13 Jun 2016 18:03:13 +1000
Subject: [keycloak-user] New user, same e-mail
In-Reply-To: <2cf32bc7-6ecf-6208-24a0-7e3db3ce65a1@intelbras.com.br>
References: <2f370eab-5846-da3e-9750-edd1bd5431a4@intelbras.com.br> <2cf32bc7-6ecf-6208-24a0-7e3db3ce65a1@intelbras.com.br>
Message-ID:

Hey Felipe, not sure if this will work for your case BUT perhaps try the following:

1. In realm admin go to User Federation
2. select your AD provider
3. select mappers tab
4. click on create mapper
5. name is contactEmail
6. select type as User Attribute
7. user model attribute contactEmail
8. LDAP attribute: mail
9. Save (you will also have to reconfigure email templates to use contactEmail instead of user model email)
10. click on email attribute mapper
11. change user model attribute to "unknown" which hopefully is not a user attribute in your ldap and will trigger email to be removed from user model once you load it in admin console or elsewhere
12. switch on "always read value from ldap" ! important !
13. Save
14. try to lookup your users in the admin console

I was able to "remove" the unique constraint email field from an AD user that way, once this user model field is empty, you can work with these users again. Let me know if you have any questions.
Niels

On Fri, Jun 10, 2016 at 10:10 PM, Felipe Braun Azambuja <felipe.braun at intelbras.com.br> wrote:
> Hi Niels,
>
> I've read the JIRA issue, but it's not _exactly_ the case. The problem I'm facing is because I have two entries with the same address in Active Directory, and I can't change the old one in Keycloak because I have AD federated in read only mode.
>
> If I change the 'mail' entry in the AD object, it is not synced again if the data already exists in Keycloak? I did a test now with my own user, and it still shows the old value.
>
> On 09/06/2016 18:58, Niels Bertram wrote:
>
>> Hi Felipe,
>>
>> this topic was discussed some time back on the user forum. Jira KEYCLOAK-2141 has some background information on the issue you are facing. From what I can tell one will have to change the attribute mapping on the LDAP user federation provider to map email to a custom attribute (e.g. contact_email) and then also change the email template to use that field for email distribution instead.
>>
>> Cheers,
>> Niels
>>
>>
>> On Thu, Jun 9, 2016 at 9:41 PM, Felipe Braun Azambuja wrote:
>>
>> Hello all,
>>
>> We have Keycloak connected to our Active Directory (read only), everything working correctly, authenticating our employees. But there is a case that is a little complicated.
>>
>> When someone starts working here as an intern, the user has an employee ID with four digits. If a person is a regular employee, it has five digits. Windows login is made of the first 2 letters of the name, and then the ID number, zero padded, as in *fe001173*. But there are times that these interns are hired as employees, so the previous account is *disabled* in AD and a new one is created.
>>
>> The problem is that the e-mail address is the same. When this happens, I can't even search the user in Keycloak admin interface, because it says that it already has a user with the same e-mail.
>> The old one is still there, though; but if I go to its details, I can't change the e-mail address, since it tries to sync it back to AD.
>>
>> So far, the solution was changing it directly in the database and restarting Keycloak, which is *not* a good thing to do.
>>
>> Any thoughts on what we could do?
>>
>>
>> Thanks !
>> --
>> Felipe Braun Azambuja
>> DBA
>> Tecnologia da Informação e Comunicação
>> (48) 3281 9577
>> felipe.braun at intelbras.com.br
>> The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
> --
> Felipe Braun Azambuja
> DBA
> Tecnologia da Informação e Comunicação
> (48) 3281 9577
> felipe.braun at intelbras.com.br
> The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.

From mposolda at redhat.com Mon Jun 13 04:07:18 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 13 Jun 2016 10:07:18 +0200
Subject: [keycloak-user] Is there a good JWK authorisation grant example?
In-Reply-To: References:
Message-ID: <575E69B6.3030203@redhat.com>

You can take a look at the "preconfigured-demo/service-account" example. Mainly at ProductSAClientSignedJWTServlet class.
Sorry, we should rather have a separate example for service-account and a separate one for "client generated JWT" to have examples easier to understand. But hope you are able to understand it from there.

Marek

On 11/06/16 06:39, Michael Chester wrote:
> Hi all,
>
> Could someone please point me in the direction of some sample code, preferably Java, that illustrates a client generated JWT being used as a or to generate an access token from Keycloak. This page http://blog.keycloak.org/2015/10/authentication-of-clients-with-signed.html seemed to be a good start. But the link to documentation was dead. So far I have been unable to Google a good code example. Thank you.
>
> Regards,
> Michael Chester
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas_connolly at yahoo.com Mon Jun 13 06:35:26 2016
From: thomas_connolly at yahoo.com (Thomas Connolly)
Date: Mon, 13 Jun 2016 10:35:26 +0000 (UTC)
Subject: [keycloak-user] Performance issues with Federation provider enabled
In-Reply-To: <575E6520.3080409@redhat.com>
References: <315000034.1945497.1465797441058.JavaMail.yahoo.ref@mail.yahoo.com> <315000034.1945497.1465797441058.JavaMail.yahoo@mail.yahoo.com> <575E6520.3080409@redhat.com>
Message-ID: <998128545.2041363.1465814126838.JavaMail.yahoo@mail.yahoo.com>

Hi Marek

> Thanks, AFAIK we didn't try much performance testing with federationProviders enabled. It's on todo list though. Also we plan some refactoring of userStorage + userFederation, so we will likely go into it later.
Yes, and we've found it is a major bottleneck in our system testing (using a stub to remove internal back end dependencies). Can you suggest any short term measures to improve performance? We're blocked from pushing this to production at the moment. This is a major feature of the system. I'm guessing this affects the LDAP / AD integration / federator performance too. Do you have any timeframe around the priority to address this?

> For your case, the performance bottleneck can be in your federationProvider implementation, so I am not sure if it's the issue in Keycloak or rather an issue in your implementation.

As indicated we've created a stub implementation, code included below, to demonstrate there is an issue calling a federator in KC.

/** Code snippet **/
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.jboss.logging.Logger;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.CredentialValidation;

/**
 * Stub federation provider: every lookup succeeds, every password validates,
 * and no back end is called, so any latency measured is Keycloak's own.
 * StubUserModelProxy (the read-only UserModel wrapper) is not included in this snippet.
 */
public class StubFederationProvider implements UserFederationProvider {

    private static final Logger logger = Logger.getLogger(StubFederationProvider.class);

    protected KeycloakSession session;
    protected UserFederationProviderModel model;

    public StubFederationProvider(KeycloakSession session, UserFederationProviderModel model) {
        this.session = session;
        this.model = model;
    }

    public UserFederationProviderModel getModel() {
        return model;
    }

    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        // Import the user into local storage and link it to this provider
        UserModel userModel = addUserModelToUserStorage(realm, username);
        userModel.setEnabled(true);
        userModel.setFederationLink(model.getId());
        return userModel;
    }

    protected UserModel addUserModelToUserStorage(RealmModel realm, String username) {
        return session.userStorage().addUser(realm, username);
    }

    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) {
        return null;
    }

    @Override
    public List<UserModel> searchByAttributes(Map<String, String> attributes, RealmModel realm, int maxResults) {
        return Collections.emptyList();
    }

    @Override
    public List<UserModel> getGroupMembers(RealmModel realm, GroupModel group, int firstResult, int maxResults) {
        return null;
    }

    @Override
    public void preRemove(RealmModel realm) {
        // complete? We don't care about the realm being removed
    }

    @Override
    public void preRemove(RealmModel realm, RoleModel role) {
        // complete, we don't care if a role is removed
    }

    @Override
    public void preRemove(RealmModel realmModel, GroupModel groupModel) {
        // complete, we don't care if a group is removed
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel local) {
        return userExists(local.getUsername());
    }

    /**
     * Returns supported credentials by this federator. PASSWORD is always supported but TOTP is optional for each user.
     *
     * @param user
     * @return
     */
    @Override
    public Set<String> getSupportedCredentialTypes(UserModel user) {
        Set<String> supportedCredentialTypes = new HashSet<>();
        supportedCredentialTypes.add(UserCredentialModel.PASSWORD);
        // check for any otp configured on this user
        if (user.isOtpEnabled()) {
            supportedCredentialTypes.add(UserCredentialModel.TOTP);
            supportedCredentialTypes.add(UserCredentialModel.HOTP);
        }
        return supportedCredentialTypes;
    }

    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        for (UserCredentialModel cred : input) {
            if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
                return validate(user, cred.getValue());
            } else if (cred.getType().equals(UserCredentialModel.TOTP)) {
                return CredentialValidation.validTOTP(realm, user, cred.getValue());
            } else if (cred.getType().equals(UserCredentialModel.HOTP)) {
                return CredentialValidation.validHOTP(realm, user, cred.getValue());
            }
        }
        return false;
    }

    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
        // same logic as the List variant
        return validCredentials(realm, user, Arrays.asList(input));
    }

    @Override
    public void close() {
    }

    /**
     * Keycloak will call this method if it finds an imported UserModel. Here we proxy the UserModel with
     * a read-only proxy which will barf if the password is updated.
     *
     * @param local
     * @return
     */
    @Override
    public UserModel validateAndProxy(RealmModel realm, UserModel local) {
        if (isValid(realm, local)) {
            getUserDetails(local);
            return new StubUserModelProxy(local, this);
        } else {
            return null;
        }
    }

    @Override
    public boolean synchronizeRegistrations() {
        return true;
    }

    /**
     * Called if this federation provider has priority and supports synchronized registrations.
     *
     * @param realm
     * @param user
     * @return
     */
    @Override
    public UserModel register(RealmModel realm, UserModel user) {
        user.setSingleAttribute("status", "OK");
        return user;
    }

    @Override
    public boolean removeUser(RealmModel realm, UserModel user) {
        // Not supported. Used as a part of the workaround to https://issues.jboss.org/browse/KEYCLOAK-1075
        return true;
    }

    /**
     * Supported credentials by this federator. PASSWORD is a supported type. TOTP depends on the user.
     *
     * @return supportedCredentialTypes
     */
    @Override
    public Set<String> getSupportedCredentialTypes() {
        Set<String> supportedCredentialTypes = new HashSet<>();
        supportedCredentialTypes.add(UserCredentialModel.PASSWORD);
        supportedCredentialTypes.add(UserCredentialModel.TOTP);
        supportedCredentialTypes.add(UserCredentialModel.HOTP);
        return supportedCredentialTypes;
    }

    @Override
    public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
        throw new IllegalStateException("validCredentials not supported");
    }

    // Stub: every username "exists"
    private boolean userExists(String username) {
        return true;
    }

    // Stub: fixed profile data instead of a back end lookup
    private void getUserDetails(UserModel user) {
        user.setFirstName("first name");
        user.setLastName("last name");
    }

    // Stub: every password is accepted
    public boolean validate(UserModel user, String password) {
        return true;
    }
}
/** End Snippet **/

Regards
Tom Connolly.

From: Marek Posolda
To: Thomas Connolly ; "keycloak-user at lists.jboss.org"
Sent: Monday, June 13, 2016 5:47 PM
Subject: Re: [keycloak-user] Performance issues with Federation provider enabled

Thanks, AFAIK we didn't try much performance testing with federationProviders enabled. It's on the todo list though. Also we plan some refactoring of userStorage + userFederation, so we will likely go into it later.

For your case, the performance bottleneck can be in your federationProvider implementation, so I am not sure if it's the issue in Keycloak or rather an issue in your implementation.

One thing to note (maybe it's not an issue in your case, but just adding it to be sure you're aware): UserFederationProvider.close is currently not called. So if you rely on this method to free any important resources related to your implementation, you shouldn't, as it doesn't work right now. We are working on improving this for the next version.

Marek

On 13/06/16 07:57, Thomas Connolly wrote:

Hi Marek

I'm working with Fabricio on the federation performance issues with Keycloak.
In answer to your question we are using the latest KC 1.9.7 version (we upgraded this week from 1.9.2).

To give you some indication, we ran a gatling direct access login test (results below). As you can see below in (1), using KC out of the box, performance is great: we saw 110 tx per sec on a 4 core system. In scenario (2), using a stubbed federator (simply an echo plugin not connecting to any back end services), performance is unacceptable.

1) Not using the federator - Stub federator (disabled) - while 29 tx per second, we could easily get to a stable 110 tx per second.

    300 Users (hitting single server)
    ---- Global Information --------------------------------------------------------
    > request count                                       9185 (OK=9185   KO=0     )
    > min response time                                     18 (OK=18     KO=-     )
    > max response time                                    723 (OK=723    KO=-     )
    > mean response time                                    27 (OK=27     KO=-     )
    > std deviation                                         44 (OK=44     KO=-     )
    > response time 50th percentile                         20 (OK=20     KO=-     )
    > response time 75th percentile                         21 (OK=21     KO=-     )
    > mean requests/sec                                 29.626 (OK=29.626 KO=-     )
    ---- Response Time Distribution ------------------------------------------------
    > t < 800 ms                                          9185 (100%)
    > 800 ms < t < 1200 ms                                   0 (  0%)
    > t > 1200 ms                                            0 (  0%)
    > failed                                                 0 (  0%)

2) Stub federator (enabled) - if we brought the test down to 12 tx per second (about 90 users) the response times dropped to < 1200 ms, however not even close to meeting our acceptance criteria.

    300 Users (hitting single server)
    ---- Global Information --------------------------------------------------------
    > request count                                       8496 (OK=8496   KO=0     )
    > min response time                                    511 (OK=511    KO=-     )
    > max response time                                  11191 (OK=11191  KO=-     )
    > mean response time                                  6832 (OK=6832   KO=-     )
    > std deviation                                       2329 (OK=2329   KO=-     )
    > response time 50th percentile                       7194 (OK=7194   KO=-     )
    > response time 75th percentile                       8690 (OK=8690   KO=-     )
    > mean requests/sec                                 27.404 (OK=27.404 KO=-     )
    ---- Response Time Distribution ------------------------------------------------
    > t < 800 ms                                           154 (  2%)
    > 800 ms < t < 1200 ms                                  85 (  1%)
    > t > 1200 ms                                         8257 ( 97%)
    > failed                                                 0 (  0%)

This is currently a show stopper for us and is blocking our path to production. Do you run similar tests and how can we help you optimise the performance?

Regards
Tom.

Date: Wed, 8 Jun 2016 12:28:19 +0200
From: Marek Posolda
Subject: Re: [keycloak-user] Performance issues with Federation provider enabled
To: Fabricio Milone , keycloak-user
Message-ID: <5757F343.1040803 at redhat.com>
Content-Type: text/plain; charset="windows-1252"

Hi,

what's the keycloak version used? Could you try the latest keycloak and check if performance is still the issue?

Marek

On 08/06/16 01:30, Fabricio Milone wrote:
> Hi all,
>
> I sent this email yesterday with 5 or more attachments, so I think it
> was blocked or something...
> here I go again :)
>
> I've been running load tests on our application during the last few
> weeks, and having some performance issues when my custom federator is
> enabled.
>
> The performance issue does not exist when the federator is disabled.
>
> *Configuration*:
>
> I have a cluster of 2 instances of Keycloak, with a standalone DB;
> we've verified the DB isn't an issue when the federator is disabled.
> Both instances have a quad core CPU and they are in the same network.
> We've left the memory at 512MB. The test script, database and API that
> connects to the federator are in separate machines.
>
> *Federator*:
>
> We have a simple custom federator that makes calls to a very
> performant api, which has been tested and is ok. Additionally, we've
> tested stubbing the API so the performance is not a problem there.
> This federator is using a jaxb marshaller to create a request, again
> tested in isolation and is performing well.
>
> As the federator is doing a lot of calls to the API (3 per login
> request), I've implemented a httpclient that uses a
> PoolingHttpClientConnectionManager with 1000 connections available to
> use, instead of using the standard apache httpclient from http
> components. That hasn't improved the performance of the system a bit.
>
> *Tests*:
>
> It is a gatling scala script that could generate around ~300 (or more)
> requests/second to the direct grants login endpoint using random
> usernames from a list (all of them already registered using KC). The
> script is doing a round robin across both instances of Keycloak with
> an even distribution to each KC instance.
> The idea is to simulate a load of 300 to 1500 concurrent users trying to
> login into our systems.
>
> *Problem*:
>
> If I run the tests without using a federation I can see a very good
> performance, but when I try to run the tests with the custom
> federation code, the performance drops from ~150 requests/second to 22
> req/sec using both instances.
>
> Memory wise, it seems to be ok. I've never seen an error related to
> memory with this configuration; also if you take a look at the
> attached visualVM screenshot you'll see that memory is not a problem,
> or it seems not to be.
> CPU utilisation is very low to my mind, I'd expect more than 80% of
> usage or something like that.
> There is a method that is leading the CPU samples on VisualVM called
> Semaphore.tryAcquire(). Not quite sure what that's for, still
> investigating.
>
> I can see that a lot of new threads are being created when the test
> starts, as it creates around 60 requests/second to the direct grants
> login call, but it seems to be a bottleneck at some point.
>
> So I'm wondering if there is some configuration I'm missing on the
> Keycloak side that could be affecting the cluster performance when a
> federator is enabled. Maybe something related to jpa connections,
> infinispan configuration or even wildfly.
>
> I'd really appreciate your help on this one as I'm out of ideas.
>
> I've attached some screenshots of visualVM and test results from my
> last run today.
>
> Sorry for the long email and please let me know if you need further
> information.
>
> Thank you in advance,
>
> Regards,
> Fab
>
> --
> *Fabricio Milone*
> Developer

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From vaibhav_naldurgkar at persistent.com Mon Jun 13 05:48:30 2016
From: vaibhav_naldurgkar at persistent.com (Vaibhav Naldurgkar)
Date: Mon, 13 Jun 2016 09:48:30 +0000
Subject: [keycloak-user] Keycloak OAuth High CPU usage
In-Reply-To:
References:
Message-ID:

Stian,

I noticed that there is an Enhancement added for similar performance issues through 3057 https://issues.jboss.org/browse/KEYCLOAK-3057 .
I am looking forward to the release of 2.0.X; could you let me know if this helps to improve the performance issue which I am facing.

Thanks, Vaibhav

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Thursday, May 26, 2016 11:17 AM
To: Vaibhav Naldurgkar
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak OAuth High CPU usage

Again, CPU load is expected to be high while having 20 threads send as many requests as they can. It's the total throughput that matters here.

There are loads of tuning you can do, but you should be able to get decent numbers without any tuning.

On 26 May 2016 at 07:09, Vaibhav Naldurgkar wrote:

I am still wondering what odd configuration I am following on my RHEL VM which is not sustaining a few user requests when checked from the output of the top command. Could you please suggest if there are any Java specific parameters that need to be tuned for performance improvement. If needed I will share my configuration files for reference.

Below is the screenshot of top output during one of the load tests.

[cid:image001.png]

Thanks, Vaibhav

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday, May 25, 2016 12:40 PM
To: Vaibhav Naldurgkar
Cc: Herzberg, Manuel; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak OAuth High CPU usage

I did some tests with a Linux VM when investigating how Keycloak scales. I had Keycloak running on a VM that was permitted 50% of a single core and had a throughput of 50 scenarios. Where a scenario includes a login request, a code to token request and a logout request. In our performance lab with a single node and a not particularly beefy machine we're seeing 150+ scenarios/second.

On 24 May 2016 at 16:05, Vaibhav Naldurgkar wrote:

Hello,

What are the test results on a Linux VM? I just did the same jmeter tests on an AWS m4.xlarge instance; however far behind the laptop test results.

@Stian - have you done tests using a Linux VM?
Thanks, Vaibhav

From: Herzberg, Manuel [mailto:manuel.herzberg at atos.net]
Sent: Tuesday, May 24, 2016 5:52 PM
To: stian at redhat.com; Vaibhav Naldurgkar
Cc: keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Keycloak OAuth High CPU usage

Hello,

I am evaluating the Keycloak performance. Here is my practical experience. My scenario is the same as Vaibhav's:

- A large amount of tokens have to be generated. This is done by requesting the Keycloak token REST endpoint via http. The different realms I am using have 1k, 2k, 3k and 4k keys for signing the tokens (RSA). Longer keys result in longer runtime to generate these tokens.

- I have more than 10k users in each realm. Each request includes a new user.
  Requests look like this:
  host1:8080/auth/realms/demo-3072/protocol/openid-connect/token/
  with data:
  username=testuser1&password=password&client_id=customer-portal&grant_type=password

- The response includes 3 tokens (access, refresh and id). In total more than 30 000 tokens have to be generated and signed.

@Stian. You wrote you are able to invoke 10000 token refreshes in under 60 seconds. A token refresh includes access, refresh and id token, right? Can you explain your scenario to us? How do you get such a high number?

Some more results: just signing 3000 tokens (800 bytes each) with a 2k key takes me 20 seconds (laptop i5-4310U, 12gb ram). I am doing this outside Keycloak with my own java program, but with the same implementation Keycloak is using (sign() method in RSAProvider).

The Keycloak implementation is signing tokens with RSA. HMAC and ECC are implemented as well, as I saw in the code. Changing from RSA to HMAC or ECC is not possible in the current release as I experienced. Are there plans to provide this in future? Defining this in a configuration file or via parameters would be nice.
Best regards,
Manuel Herzberg

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen
Sent: Tuesday, May 24, 2016 8:31 AM
To: Vaibhav Naldurgkar
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak OAuth High CPU usage

On 23 May 2016 at 10:02, Vaibhav Naldurgkar wrote:

Yes, the direct access grant is ON for this client. I am trying to understand what you mean by "not planning on using web based flow"? Could you provide more clarification on this.

If you are planning to do the web based flow (authorization code grant flow) you should test with that rather than direct grant. That being said the direct grant should still perform as well.

This is the scenario I am trying to execute and still have high CPU usage for the KeyCloak Java process.

- The end point URL /auth/realms/master/protocol/openid-connect/token has been called by Jmeter for 20 concurrent users per second to generate the tokens.
- Even if used with a curl command like "curl -X POST -d "=admin&password=admin&password&client_id=HelloTest&grant_type=password" http://localhost:8080/auth/realms/master/protocol/openid-connect/token", in this case also the CPU utilization goes to around 100%.
- After around 3 seconds of the test, in the output of the top command on the KeyCloak server the CPU% for the keycloak java process goes beyond 100%.

Would it be possible for you to have a quick call for a faster fix of this issue. This performance issue is holding back the move to KeyCloak as OAuth provider. If any other way is convenient for you please let me know for further discussion.

Your JMeter test is using 20 concurrent threads to send as many requests to the direct grant api as it can. This will obviously cause Keycloak to consume a high percentage of the CPU. Especially if you are running everything on localhost as the network isn't going to be a bottleneck. Neither will the database as Keycloak caches everything in memory.
The bottleneck will be the CPU. Authenticating users and obtaining a token requires password hashing as well as signing tokens; both are mainly CPU intensive. As you are using the direct grant api there's also less network traffic.

You need to add some reports to your JMeter test so you can see how many requests Keycloak can handle. That way you can find out how many users can be authenticated per second on your machine. If you only have 500 users remember they won't all login at the same time (seconds). Even if they all login at 9am sharp they will be spread out over 10 minutes or so, which would only be 1.2 logins/second.

Thanks, Vaibhav

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, May 23, 2016 12:01 PM
To: Vaibhav Naldurgkar
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak OAuth High CPU usage

You are using direct grant to authenticate a user and obtain a token in the example above. This authenticates and creates a new session for each request. Are you not planning on using the web based flow?

What do you have password hashing intervals set to? Verifying passwords is CPU intensive, more than signing tokens.

It shouldn't matter that the user is stored in RedHat IdM as the user would be cached in Keycloak after first authentication, but it may be an idea to just double check by trying to authenticate as a user in Keycloak and not RH IdM.

What results are you actually getting?

On 20 May 2016 at 11:27, Vaibhav Naldurgkar wrote:

Hi Stian,

After reading your test results of 10000 token refreshes in under 60 seconds on your laptop, I am sure I am not following the correct configuration and the documents are missing for reference. Could you please verify the below steps along with the screen-shots for the steps which I am following for adding the client and testing the load performance using Jmeter. Please suggest if any changes are needed in the client configuration. In this case we are obtaining the token for a user from KeyCloak.
In my case the users have been stored on RedHat IdM which has been federated using KeyCloak.

Step 1. Create a new client called "LoadTest", use the Client Protocol as "Openid-connect". Used all default values after saving the client.

Step 2. Start the load tests using Jmeter and using the path "/auth/realms/master/protocol/openid-connect/token". Used 20 as the Number of Threads and used the Post method.

Below is the screen-shot for step 1 related to Add Client.

[cid:image002.png]

Below is the screen shot for the load test using Jmeter. In this case the Client ID used was HelloTest.

[cid:image003.png]

Http requests.

[cid:image004.png]

Thanks, Vaibhav

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, May 20, 2016 1:01 PM
To: Vaibhav Naldurgkar
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak OAuth High CPU usage

Can you please elaborate a bit more on what your testing scenario is? I'm a bit confused as to what you are testing when you are talking about generating new tokens. Are you using OIDC or SAML? Are you talking about code->token exchanges, refresh token requests, or what?

To test if your hardware is capable of dealing with the load you need to test logins (verifying passwords is CPU intensive) as well as obtaining tokens (both code->token, done after login, and refreshing tokens, done every ~1 min or so by active users, but most users won't continuously use the application).

500 users should be no problem at all. As an example with a single thread (which will use a single core) I could invoke 10000 token refreshes in under 60 seconds on my laptop. So a single core on my laptop should be able to handle 500 users.

On 20 May 2016 at 08:00, Vaibhav Naldurgkar wrote:

Hi Stian,

Thank you for your reply. New tokens need to be generated for each user, which is needed from a security point of view.
The performance tests were also conducted using a single Admin user and the token for the admin user; however in that case the performance was not good. Between the 15th and 20th admin token access requests, the CPU usage of the keycloak Java process was crossing the 90 to 120% mark.

As you have mentioned, creating tokens is expected to be a bit CPU intensive. What should the server configuration be in terms of CPU to deal with more than 500 users using keycloak as OAuth provider.

Thanks, Vaibhav

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Thursday, May 19, 2016 6:28 PM
To: Vaibhav Naldurgkar
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak OAuth High CPU usage

Creating tokens is expected to be a bit CPU intensive as they need to be signed. When you say you try to generate tokens for 10-20 users are you doing performance tests and having 10-20 threads generating tokens? It shouldn't make any difference if you have 10 or if you have 200 users, it's the total number of tokens that can be generated that's an issue. Having 200 concurrent users with an access token timeout of 60 seconds should mean that you need to be able to generate roughly 200/60 tokens = 3.3 tokens/sec.

On 19 May 2016 at 13:24, Vaibhav Naldurgkar wrote:

Hi All,

I am using Keycloak 1.9.3 with default configuration. Keycloak server is installed on a RHEL 6.5 virtual image with 4 CPU, 8 GB RAM and java version jdk1.8.0_73.

We are trying to use keycloak as an OAuth provider. But when we try and generate tokens (http:///auth/realms/master/protocol/openid-connect/token) for more than 10-20 users the server gets too slow and cpu usage goes over 100%. Any pointers on how to improve performance of the keycloak OAuth provider. We need to support at least 200 concurrent users.

Thanks, Vaibhav

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd.
It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
Attachments: image001.png (http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/617af1b5/attachment-0004.png), image002.png (http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/617af1b5/attachment-0005.png), image003.png (http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/617af1b5/attachment-0006.png), image004.png (http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/617af1b5/attachment-0007.png)

From sthorger at redhat.com Mon Jun 13 06:29:20 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 13 Jun 2016 12:29:20 +0200
Subject: [keycloak-user] Keycloak OAuth High CPU usage
In-Reply-To:
References:
Message-ID:

As I stated several times before, the server should be more than capable of handling 200 concurrent users. I don't understand what your issues are as we have no problems with that type of load when we're benchmarking. We also have plenty of users of Keycloak that have higher loads than you have. So I'm not sure what your actual issues are.

KEYCLOAK-3057 will not necessarily fix your issues; it's not a high priority to add and won't be the default (RSA is the expected signature format for JWTs).
On 13 June 2016 at 11:48, Vaibhav Naldurgkar < vaibhav_naldurgkar at persistent.com> wrote: > Stian, > > > > I noticed that there is an Enhancement added for similar performance > issues through 3057 https://issues.jboss.org/browse/KEYCLOAK-3057 . I am > looking forward to the release of 2.0.X, could you let me know if this > helps to improve the performance issue which I am facing. > > > > Thanks, Vaibhav > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Thursday, May 26, 2016 11:17 AM > > *To:* Vaibhav Naldurgkar > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage > > > > Again, CPU load is expected to be high while having 20 threads send as > many requests as they can. It's the total throughput that matters here. > > > > There is a lot of tuning you can do, but you should be able to get decent > numbers without any tuning. > > > > On 26 May 2016 at 07:09, Vaibhav Naldurgkar < > vaibhav_naldurgkar at persistent.com> wrote: > > I am still wondering what odd configuration I am following on my RHEL VM > which is not sustaining a few user requests when checked from the output of > the top command. Could you please suggest if there are any Java specific > parameters that need to be tuned for performance improvement. If needed I will > share my configuration files for reference. > > > > Below is the screenshot of top output during one of the load tests. > > > > > > > > > > *Thanks, Vaibhav* > > > > > > > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Wednesday, May 25, 2016 12:40 PM > *To:* Vaibhav Naldurgkar > *Cc:* Herzberg, Manuel; keycloak-user at lists.jboss.org > > > *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage > > > > I did some tests with a Linux VM when investigating how Keycloak scales. I > had Keycloak running on a VM that was permitted 50% of a single core and > had a throughput of 50 scenarios. 
A scenario includes a login > request, a code to token request and a logout request. In our performance > lab with a single node and a not particularly beefy machine we're seeing > 150+ scenarios/second. > > > > On 24 May 2016 at 16:05, Vaibhav Naldurgkar < > vaibhav_naldurgkar at persistent.com> wrote: > > Hello, > > > > What are the test results on a Linux VM? I just did the same JMeter tests > on an AWS m4.xlarge instance; however, the results are far behind the laptop test results. > > @Stian, have you done tests using a Linux VM? > > > > > > Thanks, Vaibhav > > > > *From:* Herzberg, Manuel [mailto:manuel.herzberg at atos.net] > *Sent:* Tuesday, May 24, 2016 5:52 PM > *To:* stian at redhat.com; Vaibhav Naldurgkar > *Cc:* keycloak-user at lists.jboss.org > *Subject:* RE: [keycloak-user] Keycloak OAuth High CPU usage > > > > Hello, > > I am evaluating the Keycloak performance. Here is my practical experience. My > scenario is the same as Vaibhav's: > > > > - A large number of tokens have to be generated. This is done by > requesting the Keycloak token REST endpoint via http. The different realms > I am using have 1k 2k 3k and 4k keys for signing the tokens. (RSA) Longer > keys result in a longer runtime to generate these tokens. > > > > - I have more than 10k users in each realm. Each request includes a > new user. > Requests look like this: > host1:8080/auth/realms/demo-3072/protocol/openid-connect/token/ > with data: > > username=testuser1&password=password&client_id=customer-portal&grant_type=password > > > > - The response includes 3 tokens (access, refresh and id). In > total more than 30 000 tokens have to be generated and signed. > > > > @Stian. You wrote you are able to invoke 10000 token refreshes in under 60 > seconds. A token refresh includes access, refresh and id token right? Can > you explain your scenario to us? How do you get such a high number? > > Some more results: just signing 3000 tokens (800 bytes each) with a 2k key > takes me 20 seconds (laptop i5-4310U, 12 GB RAM). 
I am doing this outside > Keycloak with my own Java program, but with the same implementation > Keycloak is using. (sign() method in RSAProvider). > > The Keycloak implementation is signing tokens with RSA. HMAC and ECC are > implemented as well as I saw in the code. Changing from RSA to HMAC or ECC > is not possible in the current release, as I experienced. Are there plans to > provide this in the future? Defining this in a configuration file or via > parameters would be nice. > > Best regards, Manuel Herzberg > > > > > > *From:* keycloak-user-bounces at lists.jboss.org [ > mailto:keycloak-user-bounces at lists.jboss.org > ] *On Behalf Of *Stian Thorgersen > *Sent:* Tuesday, May 24, 2016 8:31 AM > *To:* Vaibhav Naldurgkar > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage > > > > > > > > On 23 May 2016 at 10:02, Vaibhav Naldurgkar < > vaibhav_naldurgkar at persistent.com> wrote: > > Yes, the direct access grant is ON for this client. I am trying to > understand what you mean by "not planning on using web based flow"? Could > you provide more clarification on this. > > > > If you are planning to do the web based flow (authorization code grant > flow) you should test with that rather than direct grant. That being said > the direct grant should still perform as well. > > > > > > This is the scenario I am trying to execute, and I still have high CPU > usage for the KeyCloak Java process. > > > > - The endpoint URL > /auth/realms/master/protocol/openid-connect/token has been called by Jmeter > for 20 concurrent users per second to generate the tokens. > > - Even if used with a curl command like *curl -X POST -d > "=admin&password=admin&password&client_id=HelloTest&grant_type=password" > http://localhost:8080/auth/realms/master/protocol/openid-connect/token > *, in this case also the CPU utilization goes to around 100%. > > - 
After around 3 seconds of the test, in the output of the top > command on the KeyCloak server the CPU% for the keycloak Java process goes > beyond 100%. > > > > Would it be possible for you to have a quick call for a faster fix of this > issue? This performance issue is holding up the move to KeyCloak as an OAuth > provider. If any other way is convenient for you please let me know for > further discussion. > > > > Your JMeter test is using 20 concurrent threads to send as many requests > to the direct grant api as it can. This will obviously cause Keycloak to > consume a high percentage of the CPU. Especially if you are running > everything on localhost as the network isn't going to be a bottleneck. > Neither will the database as Keycloak caches everything in memory. The > bottleneck will be the CPU. > > > > Authenticating users and obtaining a token requires password hashing as > well as signing tokens, both of which are mainly CPU intensive. As you are using the > direct grant api there's also less network traffic. > > > > You need to add some reports to your JMeter test so you can see how many > requests Keycloak can handle. That way you can find out how many users can > be authenticated per second on your machine. > > > > If you only have 500 users remember they won't all log in at the same time > (seconds). Even if they all log in at 9am sharp they will be spread out over > 10 minutes or so, which would only be 1.2 logins/second. > > > > > > Thanks, Vaibhav > > > > > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Monday, May 23, 2016 12:01 PM > > > *To:* Vaibhav Naldurgkar > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage > > > > You are using direct grant to authenticate a user and obtain a token in > the example above. This authenticates and creates a new session for each > request. Are you not planning on using web based flow? > > > > What do you have password hashing intervals set to? 
Verifying passwords is > CPU intensive, more than signing tokens. > > > > It shouldn't matter that the user is stored in RedHat IdM as the user would be > cached in Keycloak after the first authentication, but it may be an idea to > just double check by trying to authenticate as a user in Keycloak and not > RH IdM. > > > > What results are you actually getting? > > > > > > > > On 20 May 2016 at 11:27, Vaibhav Naldurgkar < > vaibhav_naldurgkar at persistent.com> wrote: > > Hi Stian, > > > > After reading your test results of 10000 token refreshes in under 60 > seconds on your laptop, I am sure I am not following the correct configuration > and the documents are missing for reference. > > > > Could you please verify the below steps along with the screenshots of > the steps which I am following for adding the client and testing the load > performance using Jmeter. Please suggest if any changes are needed in the > client configuration. In this case we are obtaining the token for a user from > KeyCloak. > > > > In my case the users have been stored on RedHat IdM which has been > federated using KeyCloak. > > > > > > Step 1. Create a new client called "LoadTest", using the Client Protocol > "Openid-connect". > > Used all default values after saving the client. > > > > Step 2. Start the load tests using Jmeter and using the path > */auth/realms/master/protocol/openid-connect/token*. Used 20 threads and the POST method. > > > > > > Below is the screenshot for step 1 related to Add Client. > > > > > > > > > > Below is the screenshot for the load test using Jmeter. In this case the > Client ID was used as HelloTest. > > > > > > > > HTTP requests. 
> > > > > > > > Thanks, Vaibhav > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Friday, May 20, 2016 1:01 PM > > > *To:* Vaibhav Naldurgkar > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage > > > > Can you please elaborate a bit more on what your testing scenario is? > I'm a bit confused as to what you are testing when you are talking about > generating new tokens. Are you using OIDC or SAML? Are you talking about > code->token exchanges, refresh token requests, or what? > > > > To test if your hardware is capable of dealing with the load you need to test > logins (verifying passwords is CPU intensive) as well as obtaining tokens > (both code->token, done after login, and refreshing tokens, done ~1 min or > so by active users, but most users won't continuously use the application). > > > > 500 users should be no problem at all. As an example with a single thread > (which will use a single core) I could invoke 10000 token refreshes in > under 60 seconds on my laptop. So a single core on my laptop should be able > to handle 500 users. > > > > On 20 May 2016 at 08:00, Vaibhav Naldurgkar < > vaibhav_naldurgkar at persistent.com> wrote: > > Hi Stian, > > Thank you for your reply. > > > > The new tokens need to be generated for each user, which is needed from > a security point of view. The performance tests were also conducted using > a single admin user and a token for the admin user; however in that case the > performance was not good. Between the 15th and 20th admin token access > requests, the CPU usage of the keycloak Java process was crossing the 90 to 120% > mark. > > > > > > As you have mentioned, creating tokens is expected to be a bit CPU > intensive; what should be the server configuration in terms of CPU to deal > with more than 500 users using keycloak as an OAuth provider. 
> > > > > > Thanks, Vaibhav > > > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Thursday, May 19, 2016 6:28 PM > *To:* Vaibhav Naldurgkar > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage > > > > Creating tokens is expected to be a bit CPU intensive as they need to be > signed. When you say you try to generate tokens for 10-20 users are you > doing performance tests and having 10-20 threads generating tokens? It > shouldn't make any difference if you have 10 or if you have 200 users, it's > the total number of tokens that can be generated that's an issue. Having > 200 concurrent users with an access token timeout of 60 seconds should mean > that you need to be able to generate roughly 200/60 tokens = 3.3 tokens/sec. > > > > On 19 May 2016 at 13:24, Vaibhav Naldurgkar < > vaibhav_naldurgkar at persistent.com> wrote: > > Hi All, > > > > I am using Keycloak 1.9.3 with default configuration. Keycloak server is > installed on a RHEL 6.5 virtual image with 4 CPUs, 8 GB RAM and Java version > jdk1.8.0_73. We are trying to use keycloak as an OAuth provider. But when > we try and generate tokens ( > http:///auth/realms/master/protocol/openid-connect/token > ) for more than > 10-20 users the server gets too slow and CPU usage goes over 100%. > > Any pointers on how to improve the performance of the keycloak OAuth provider. We > need to support at least 200 concurrent users. > > > > > > Thanks, Vaibhav > > DISCLAIMER ========== This e-mail may contain privileged and confidential > information which is the property of Persistent Systems Ltd. It is intended > only for the use of the individual or entity to which it is addressed. If > you are not the intended recipient, you are not authorized to read, retain, > copy, print, distribute or use this message. If you have received this > communication in error, please notify the sender and delete all copies of > this message. Persistent Systems Ltd. 
does not accept any liability for > virus infected mails. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f2036b74/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... 
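The signing-cost figure quoted in the thread above (3000 tokens of about 800 bytes with a 2048-bit key in roughly 20 seconds) and the capacity arithmetic built on it (tokens per second divided across the three tokens Keycloak signs per login or refresh response) can be reproduced with the microbenchmark below. This is an added example, not code from the thread or from Keycloak: it uses only the JDK's java.security and javax.crypto APIs rather than Keycloak's RSAProvider, signs a constructed random 800-byte payload in place of a real JWT, and the key sizes and batch size are assumptions chosen to match what the thread discusses. SHA256withRSA is the JCA name for the RS256 JWT algorithm and HmacSHA256 the name for HS256.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Random;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

// Added example (not from the thread or from Keycloak): a JDK-only microbenchmark
// of what signing a token costs for different RSA key sizes versus HMAC. The payload
// is constructed random bytes standing in for the base64url "header.payload" a JWT
// signer would sign; the sizes below are assumptions matching the thread.
public class TokenSigningBench {

    static final int TOKEN_BYTES = 800; // token size quoted in the thread
    static final int TOKENS = 500;      // per-algorithm batch; per-token cost is what matters

    // Constructed input: deterministic random bytes of the quoted token size.
    static byte[] samplePayload(int size) {
        byte[] payload = new byte[size];
        new Random(42).nextBytes(payload);
        return payload;
    }

    // Sign the payload n times with RS256 (SHA256withRSA); returns elapsed nanoseconds.
    static long rsaSign(PrivateKey key, byte[] payload, int n) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        long start = System.nanoTime();
        for (int i = 0; i < n; i++) {
            sig.initSign(key);
            sig.update(payload);
            sig.sign();
        }
        return System.nanoTime() - start;
    }

    // Same measurement for HS256 (HmacSHA256).
    static long hmacSign(SecretKey key, byte[] payload, int n) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        long start = System.nanoTime();
        for (int i = 0; i < n; i++) {
            mac.init(key);
            mac.doFinal(payload);
        }
        return System.nanoTime() - start;
    }

    // Per-token cost, raw signing throughput, and the login/refresh responses per second
    // that throughput supports when every response carries three signed tokens.
    static void report(String label, long nanos, int n) {
        double perTokenMs = nanos / 1e6 / n;
        double tokensPerSec = n / (nanos / 1e9);
        System.out.printf("%-12s %8.3f ms/token %9.0f tokens/s %8.0f responses/s (3 tokens each)%n",
                label, perTokenMs, tokensPerSec, tokensPerSec / 3);
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = samplePayload(TOKEN_BYTES);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");

        // Warm-up so JIT compilation is not charged to the first measured key size.
        kpg.initialize(2048);
        rsaSign(kpg.generateKeyPair().getPrivate(), payload, 100);

        for (int bits : new int[] {1024, 2048, 3072, 4096}) {
            kpg.initialize(bits);
            KeyPair kp = kpg.generateKeyPair(); // key generation is excluded from the timing
            report("RSA-" + bits, rsaSign(kp.getPrivate(), payload, TOKENS), TOKENS);
        }

        KeyGenerator kg = KeyGenerator.getInstance("HmacSHA256");
        kg.init(256);
        report("HMAC-SHA256", hmacSign(kg.generateKey(), payload, TOKENS), TOKENS);
    }
}
```

Run it with `javac TokenSigningBench.java && java TokenSigningBench`. RSA signing cost grows roughly cubically with the modulus size, so the 4096-bit realm will sign several times more slowly than the 2048-bit one, and the responses/s column is the single-core figure to compare against an expected login rate. HMAC is orders of magnitude cheaper, but the trade-off is not only performance: an HS256 verifier holds the same secret as the issuer, so every adapter that validates tokens could also mint them, which is why an asymmetric signature remains the default.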
Name: image001.png Type: image/png Size: 28486 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f2036b74/attachment-0004.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image004.png Type: image/png Size: 18447 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f2036b74/attachment-0005.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.png Type: image/png Size: 11865 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f2036b74/attachment-0006.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image002.png Type: image/png Size: 101405 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f2036b74/attachment-0007.png From sthorger at redhat.com Mon Jun 13 09:28:00 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 13 Jun 2016 15:28:00 +0200 Subject: [keycloak-user] Getting the user email before delete it In-Reply-To: References: Message-ID: You can get the user object from session.users().getUserById(..), which will give you the email. On 11 June 2016 at 08:58, Jairo Henao wrote: > Hello community: > > > > I have a listener that is pending when an administrator deletes a user. > How I can get the user email? > > > > Apparently I can only get his ID, but I need his email to delete it in > HubSpot. > > > > There is something like a pre-delete event? 
> > > > Thanks, > > > > > > *Jairo Henao Rojas* > > IT ROI Solutions > > Software Architect > > Mobile : 314-738-6032 > > Office Colombia: + (571) 381-9185 > > Office Mexico: + 52-81-4624-4468 > > Office Chile: + 5622-582-2257 > Office USA: 954-518-3330 > > Office Canada: 604-998-2280 > > *jahenao at itroisolutions.com * > > > > [image: cid:image001.png at 01CFACA6.CA39D4D0] > > > > [image: Description: Description: cid:image002.png at 01CD70CF.8782CD50] > [image: Description: Description: > cid:image003.png at 01CD70CF.8782CD50] > [image: Description: > Description: cid:image004.png at 01CD70CF.8782CD50] > > [image: Description: Description: cid:image005.png at 01CD70CF.8782CD50] > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/3b047f6d/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image002.png Type: image/png Size: 2066 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/3b047f6d/attachment.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 2814 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/3b047f6d/attachment-0001.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image005.png Type: image/png Size: 2897 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/3b047f6d/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... 
Name: image004.png Type: image/png Size: 3041 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/3b047f6d/attachment-0003.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.png Type: image/png Size: 2435 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/3b047f6d/attachment-0004.png From sthorger at redhat.com Mon Jun 13 09:34:42 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 13 Jun 2016 15:34:42 +0200 Subject: [keycloak-user] Keycloak cluster question In-Reply-To: <485985836.1814193.1465365913536.JavaMail.zimbra@harbingergroup.com> References: <485985836.1814193.1465365913536.JavaMail.zimbra@harbingergroup.com> Message-ID: I assume this is an old version of Keycloak as the full profiles have been removed. You should upgrade to the last release, or at least not use the full profile at all. On 8 June 2016 at 08:05, Snehalata Nagaje < snehalata.nagaje at harbingergroup.com> wrote: > > > Hi All, > > > I am setting up keycloak cluster. > > As we are running the keycloak server in full-ha profile with domain mode, > there is by default configuration for hornet queue cluster, do we need this > for keycloak? > > Can we remove it? > > Thanks, > Snehalata > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/a97b68f8/attachment-0001.html From sthorger at redhat.com Mon Jun 13 09:36:36 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 13 Jun 2016 15:36:36 +0200 Subject: [keycloak-user] clustering error In-Reply-To: <836403682.2028586.1465449365005.JavaMail.zimbra@harbingergroup.com> References: <836403682.2028586.1465449365005.JavaMail.zimbra@harbingergroup.com> Message-ID: Doesn't look like you've got clustering set up properly. Are you using a shared DB? Are nodes discovering each other (you'll see messages when you start additional nodes)? On 9 June 2016 at 07:16, Snehalata Nagaje < snehalata.nagaje at harbingergroup.com> wrote: > > > Hi All, > > > I have set up a keycloak cluster. > > But somehow it is not working, giving the error > > type=LOGIN_ERROR, realmId=TESTAUTH, clientId=null, userId=null, > ipAddress=10.0.13.44, error=expired_code, restart_after_timeout=true > error=expired_code, restart_after_timeout=true > > > > Thanks, > Snehalata > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/94d46584/attachment.html From rsoares at redhat.com Mon Jun 13 09:47:29 2016 From: rsoares at redhat.com (Rafael T. C. Soares) Date: Mon, 13 Jun 2016 10:47:29 -0300 Subject: [keycloak-user] Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation In-Reply-To: <575E66C8.1030204@redhat.com> References: <575E66C8.1030204@redhat.com> Message-ID: <575EB971.2060106@redhat.com> ___ Rafael T. C. Soares On 06/13/2016 04:54 AM, Marek Posolda wrote: > The "Sync registration" doesn't work with LDAP provider configured > against FreeIPA. > Is this issue specific for FreeIPA? 
Is it supposed to work for other LDAP Impl and MS AD? Thanks! From leo.nunes at gjccorp.com.br Mon Jun 13 10:10:17 2016 From: leo.nunes at gjccorp.com.br (LEONARDO NUNES) Date: Mon, 13 Jun 2016 14:10:17 +0000 Subject: [keycloak-user] Send verify email message Message-ID: Hi everyone, How can I send an email verification with the email verification message? I'm using /send-verify-email service to send email verification to users after I create their account from Rest API. The problem is that the email sent goes with the message "executeActionsBodyHtml" not the "emailVerificationBodyHtml" as I would expect. The message "executeActionsBodyHtml" is generic and can be used for password update also. -- Leonardo Nunes ________________________________ This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/a47d3b23/attachment.html From mposolda at redhat.com Mon Jun 13 10:20:07 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 13 Jun 2016 16:20:07 +0200 Subject: [keycloak-user] Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation In-Reply-To: <575EB971.2060106@redhat.com> References: <575E66C8.1030204@redhat.com> <575EB971.2060106@redhat.com> Message-ID: <575EC117.5050803@redhat.com> On 13/06/16 15:47, Rafael T. C. Soares wrote: > > ___ > Rafael T. C. Soares > > On 06/13/2016 04:54 AM, Marek Posolda wrote: >> The "Sync registration" doesn't work with LDAP provider configured >> against FreeIPA. >> > Is this issue specific for FreeIPA? Is it supposed to work for other > LDAP Impl and MS AD? Yes, it should work for other LDAP Impl. The FreeIPA is a bit special, as the registration of a user needs to be done properly through SSSD or something, not through calling the LDAP API directly. SSSD updates LDAP and does some other required things to have the user account in a correct state. That's what the FreeIPA CLI is doing as well AFAIK. Marek > > Thanks! From jahenao at itroisolutions.com Mon Jun 13 12:31:48 2016 From: jahenao at itroisolutions.com (Jairo Henao) Date: Mon, 13 Jun 2016 16:31:48 +0000 Subject: [keycloak-user] Getting the user email before delete it In-Reply-To: References: Message-ID: Thanks Stian: Your suggestion works well for 'create' and 'update' events, but when I try to use the session.users().getUserById(userId, realm), the result is null. 
if (event.getRealmId() != null && event.getAuthDetails().getUserId() != null
        && event.getResourcePath() != null && event.getResourcePath().startsWith("users/")) {
    RealmModel realm = model.getRealm(event.getRealmId());
    String userId = event.getResourcePath().substring(event.getResourcePath().lastIndexOf("/") + 1);
    UserModel user = session.users().getUserById(userId, realm);
    if (user != null) {
        if (OperationType.DELETE.equals(event.getOperationType())) {
            // Deleting the user in Hubspot
            log.infov("Deleting the user (ID={0}) in Hubspot...", user.getEmail());
        } else if (OperationType.UPDATE.equals(event.getOperationType())) {
            // Updating the user in Hubspot
            log.infov("Updating the user (ID={0}) in Hubspot...", user.getEmail());
        } else if (OperationType.CREATE.equals(event.getOperationType())) {
            // Registering the user in Hubspot
            log.infov("Registering the user (ID={0}) in Hubspot...", user.getEmail());
        }
    } else {
        log.errorv("No User found with ID={0}, Operation={1}", userId, event.getOperationType());
    }
} else {
    log.errorv("No Realm ID or User ID found");
}

2016-06-13 11:22:02,502 INFO [com.itroi.keycloak.events.hubspot.HubspotEventListenerProvider] (default task-56) Registering the user (ID=user500 at mail.com) in Hubspot...
2016-06-13 11:22:19,463 INFO [com.itroi.keycloak.events.hubspot.HubspotEventListenerProvider] (default task-64) Updating the user (ID=user500 at mail2.com) in Hubspot...
2016-06-13 11:22:32,403 ERROR [com.itroi.keycloak.events.hubspot.HubspotEventListenerProvider] (default task-7) No User found with ID=179e55e6-5788-4a10-a640-6661485bfa95, Operation=DELETE Jairo Henao Rojas IT ROI Solutions Software Architect Mobile : 314-738-6032 Office Colombia: + (571) 381-9185 Office Mexico: + 52-81-4624-4468 Office Chile: + 5622-582-2257 Office USA: 954-518-3330 Office Canada: 604-998-2280 jahenao at itroisolutions.com [cid:image001.png at 01CFACA6.CA39D4D0] [Description: Description: cid:image002.png at 01CD70CF.8782CD50][Description: Description: cid:image003.png at 01CD70CF.8782CD50] [Description: Description: cid:image004.png at 01CD70CF.8782CD50] [Description: Description: cid:image005.png at 01CD70CF.8782CD50] From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Monday, June 13, 2016 8:28 AM To: Jairo Henao Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Getting the user email before delete it You can get the user object from session.users().getUserById(..), which will give you the email. On 11 June 2016 at 08:58, Jairo Henao > wrote: Hello community: I have a listener that is pending when an administrator deletes a user. How I can get the user email? Apparently I can only get his ID, but I need his email to delete it in HubSpot. There is something like a pre-delete event? 
Thanks, Jairo Henao Rojas IT ROI Solutions Software Architect Mobile : 314-738-6032 Office Colombia: + (571) 381-9185 Office Mexico: + 52-81-4624-4468 Office Chile: + 5622-582-2257 Office USA: 954-518-3330 Office Canada: 604-998-2280 jahenao at itroisolutions.com [cid:image001.png at 01CFACA6.CA39D4D0] [Description: Description: cid:image002.png at 01CD70CF.8782CD50][Description: Description: cid:image003.png at 01CD70CF.8782CD50] [Description: Description: cid:image004.png at 01CD70CF.8782CD50] [Description: Description: cid:image005.png at 01CD70CF.8782CD50] _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/c91351ec/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 2814 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/c91351ec/attachment-0005.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image002.png Type: image/png Size: 2066 bytes Desc: image002.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/c91351ec/attachment-0006.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.png Type: image/png Size: 2435 bytes Desc: image003.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/c91351ec/attachment-0007.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image004.png Type: image/png Size: 3041 bytes Desc: image004.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/c91351ec/attachment-0008.png -------------- next part -------------- A non-text attachment was scrubbed... 
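The null on DELETE in the exchange above is the expected behaviour: the admin event is recorded after the user has already been removed, so there is nothing left to look up by ID. What still carries the UserModel, and therefore the email, is the UserRemovedEvent that the session factory publishes while the user is being removed. The listener below is an added example, not the poster's code and not Keycloak's own; it assumes the SPI signatures of Keycloak 1.9/2.x (EventListenerProviderFactory.postInit, KeycloakSessionFactory.register, UserModel.UserRemovedEvent with getUser() and getRealm(), and UserProvider.getUserById(id, realm)), the provider id crm-sync is made up, and the CRM call itself is only logged.

```java
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Added example, not the poster's or Keycloak's code. Deletion is observed through
// the UserRemovedEvent published by the session factory, where the UserModel is
// still available; the admin DELETE event fires after the user is gone and a lookup
// by ID returns null. The provider id "crm-sync" is an assumption.
public class CrmSyncEventListenerProviderFactory implements EventListenerProviderFactory {

    private static final Logger log = Logger.getLogger(CrmSyncEventListenerProviderFactory.class);

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new CrmSyncEventListenerProvider(session);
    }

    @Override
    public void init(Config.Scope config) { }

    @Override
    public void postInit(KeycloakSessionFactory factory) {
        // Invoked synchronously while the user is being removed, before the transaction commits.
        factory.register(event -> {
            if (event instanceof UserModel.UserRemovedEvent) {
                UserModel.UserRemovedEvent removed = (UserModel.UserRemovedEvent) event;
                UserModel user = removed.getUser();
                RealmModel realm = removed.getRealm();
                // Hypothetical CRM call; only logged in this example.
                log.infov("Removing user {0} (email={1}) of realm {2} from the CRM",
                        user.getId(), user.getEmail(), realm.getName());
            }
        });
    }

    @Override
    public void close() { }

    @Override
    public String getId() {
        return "crm-sync";
    }

    static class CrmSyncEventListenerProvider implements EventListenerProvider {

        private final KeycloakSession session;

        CrmSyncEventListenerProvider(KeycloakSession session) {
            this.session = session;
        }

        @Override
        public void onEvent(Event event) { }

        @Override
        public void onEvent(AdminEvent event, boolean includeRepresentation) {
            String path = event.getResourcePath();
            if (path == null || !path.startsWith("users/") || event.getRealmId() == null) {
                return;
            }
            // DELETE is handled by the UserRemovedEvent hook above; only CREATE and
            // UPDATE still have a user that can be looked up.
            OperationType op = event.getOperationType();
            if (op != OperationType.CREATE && op != OperationType.UPDATE) {
                return;
            }
            // Take only the id segment: the path may continue, e.g. users/{id}/role-mappings.
            String userId = path.substring("users/".length());
            int slash = userId.indexOf('/');
            if (slash >= 0) {
                userId = userId.substring(0, slash);
            }
            RealmModel realm = session.realms().getRealm(event.getRealmId());
            UserModel user = session.users().getUserById(userId, realm);
            if (user == null) {
                log.warnv("No user with id {0} in realm {1}", userId, realm.getName());
                return;
            }
            log.infov("{0} user {1} (email={2}) in the CRM", op, userId, user.getEmail());
        }

        @Override
        public void close() { }
    }
}
```

The factory is registered through META-INF/services/org.keycloak.events.EventListenerProviderFactory and then enabled under the realm's event settings. Two caveats a deployment should respect: the removal hook runs inside the request's transaction, so a later rollback would leave the CRM out of step with Keycloak, which argues for queueing the external call rather than issuing it inline; and because the hook fires for every removal path, including federated users that are purged when a provider is unlinked, the handler should be cheap and must not throw.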
From rllavallee at hotmail.com Mon Jun 13 12:59:25 2016
From: rllavallee at hotmail.com (Richard Lavallee)
Date: Mon, 13 Jun 2016 16:59:25 +0000
Subject: [keycloak-user] Buffer overflow in keycloak.adapters.saml
In-Reply-To:
References:
Message-ID:

Is anyone familiar with the below stack trace trying to connect Keycloak to Tomcat, please?

type Exception report

message Could not create authentication request.

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.lang.RuntimeException: Could not create authentication request.
    org.keycloak.adapters.saml.AbstractInitiateLogin.challenge(AbstractInitiateLogin.java:63)
    org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:247)
    org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.authenticateInternal(AbstractSamlAuthenticatorValve.java:222)
    org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve.authenticate(SamlAuthenticatorValve.java:42)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
    org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:184)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    java.lang.Thread.run(Thread.java:744)

root cause

java.lang.RuntimeException: java.io.IOException: Buffer overflow, no sink 4096 4096
    org.keycloak.adapters.saml.CatalinaSamlSessionStore.saveRequest(CatalinaSamlSessionStore.java:226)
    org.keycloak.adapters.saml.AbstractInitiateLogin.challenge(AbstractInitiateLogin.java:58)
    org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:247)
    org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.authenticateInternal(AbstractSamlAuthenticatorValve.java:222)
    org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve.authenticate(SamlAuthenticatorValve.java:42)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
    org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:184)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    java.lang.Thread.run(Thread.java:744)

root cause

java.io.IOException: Buffer overflow, no sink 4096 4096
    org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:477)
    org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:366)
    org.apache.catalina.authenticator.FormAuthenticator.saveRequest(FormAuthenticator.java:664)
    org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.keycloakSaveRequest(AbstractSamlAuthenticatorValve.java:253)
    org.keycloak.adapters.saml.CatalinaSamlSessionStore.saveRequest(CatalinaSamlSessionStore.java:224)
    org.keycloak.adapters.saml.AbstractInitiateLogin.challenge(AbstractInitiateLogin.java:58)
    org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:247)
    org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.authenticateInternal(AbstractSamlAuthenticatorValve.java:222)
    org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve.authenticate(SamlAuthenticatorValve.java:42)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
    org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:184)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    java.lang.Thread.run(Thread.java:744)
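The "4096 4096" in the innermost exception is the size of Tomcat's saved-POST buffer: the trace shows the adapter's CatalinaSamlSessionStore.saveRequest delegating to Tomcat's FormAuthenticator.saveRequest, which copies the body of a not-yet-authenticated request into a ByteChunk capped by the Connector's maxSavePostSize (Tomcat's default is 4096 bytes) so the request can be replayed after the SAML login. The server.xml fragment below is an added illustration, not something posted in this thread; the port and timeout values are assumed.

```xml
<!-- conf/server.xml (Tomcat 7); added illustration, not from this thread.
     FormAuthenticator.saveRequest buffers a POST body into a ByteChunk whose
     limit is the Connector's maxSavePostSize. The default is 4096 bytes,
     which is the "Buffer overflow, no sink 4096 4096" seen when a larger
     body reaches a protected URL from a client that has not logged in yet. -->

<!-- Before: attribute absent, so the implicit default of 4096 bytes applies -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- After: allow bodies up to 64 KiB to be saved for replay after login.
     The saved body is held in the HttpSession of an unauthenticated client,
     so this value bounds the memory one anonymous request can pin per
     session. Size it to the largest legitimate form you need replayed
     rather than setting it to -1, which removes the limit entirely. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxSavePostSize="65536" />
```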
From sthorger at redhat.com Mon Jun 13 13:32:47 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 13 Jun 2016 19:32:47 +0200
Subject: [keycloak-user] Getting the user email before delete it
In-Reply-To:
References:
Message-ID:

You're right, the event is fired after the user is deleted so it won't be available. You can create a JIRA feature request if you want.

On 13 June 2016 at 18:31, Jairo Henao wrote:

> Thanks Stian:
>
> Your suggestion works well for 'create' and 'update' events, but when I
> try to use the session.users().getUserById(userId, realm), the result
> is null.
>
> L
>
>     if (event.getRealmId() != null && event.getAuthDetails().getUserId() != null
>             && event.getResourcePath() != null && event.getResourcePath().startsWith("users/")) {
>         RealmModel realm = model.getRealm(event.getRealmId());
>         String userId = event.getResourcePath().substring(event.getResourcePath().lastIndexOf("/") + 1);
>         UserModel user = session.users().getUserById(userId, realm);
>
>         if (user != null) {
>             if (OperationType.DELETE.equals(event.getOperationType())) {
>                 // Deleting the user in Hubspot
>                 log.infov("Deleting the user (ID={0}) in Hubspot...", user.getEmail());
>             } else if (OperationType.UPDATE.equals(event.getOperationType())) {
>                 // Updating the user in Hubspot
>                 log.infov("Updating the user (ID={0}) in Hubspot...", user.getEmail());
>             } else if (OperationType.CREATE.equals(event.getOperationType())) {
>                 // Registering the user in Hubspot
>                 log.infov("Registering the user (ID={0}) in Hubspot...", user.getEmail());
>             }
>         } else {
>             log.errorv("No User found with ID={0}, Operation={1}", userId, event.getOperationType());
>         }
>     } else {
>         log.errorv("No Realm ID or User ID found");
>     }
>
> 2016-06-13 11:22:02,502 INFO
> [com.itroi.keycloak.events.hubspot.HubspotEventListenerProvider] (default task-56) Registering the user (ID=user500 at mail.com) in Hubspot...
>
> 2016-06-13 11:22:19,463 INFO [com.itroi.keycloak.events.hubspot.HubspotEventListenerProvider] (default task-64) Updating the user (ID=user500 at mail2.com) in Hubspot...
>
> 2016-06-13 11:22:32,403 ERROR [com.itroi.keycloak.events.hubspot.HubspotEventListenerProvider] (default task-7) No User found with ID=179e55e6-5788-4a10-a640-6661485bfa95, Operation=DELETE
>
> Jairo Henao Rojas
> IT ROI Solutions
> Software Architect
> jahenao at itroisolutions.com
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Monday, June 13, 2016 8:28 AM
> To: Jairo Henao
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Getting the user email before delete it
>
> You can get the user object from session.users().getUserById(..), which
> will give you the email.
>
> On 11 June 2016 at 08:58, Jairo Henao wrote:
>
> Hello community:
>
> I have a listener that is pending when an administrator deletes a user.
> How can I get the user's email?
>
> Apparently I can only get his ID, but I need his email to delete it in
> HubSpot.
>
> Is there something like a pre-delete event?
>
> Thanks,
>
> Jairo Henao Rojas
> IT ROI Solutions
> Software Architect
> jahenao at itroisolutions.com
From sthorger at redhat.com Mon Jun 13 14:29:28 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 13 Jun 2016 20:29:28 +0200
Subject: [keycloak-user] Performance issues with Federation provider enabled
In-Reply-To: <998128545.2041363.1465814126838.JavaMail.yahoo@mail.yahoo.com>
References: <315000034.1945497.1465797441058.JavaMail.yahoo.ref@mail.yahoo.com> <315000034.1945497.1465797441058.JavaMail.yahoo@mail.yahoo.com> <575E6520.3080409@redhat.com> <998128545.2041363.1465814126838.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

Can you create a JIRA for this issue? If you could also make the source for your stub provider available that would be helpful.

On 13 June 2016 at 12:35, Thomas Connolly wrote:

> Hi Marek
>
> Thanks, AFAIK we didn't try much performance testing with
> federationProviders enabled. It's on the todo list though. Also we plan some
> refactoring of userStorage + userFederation, so we will likely go into it
> later.
>
> Yes, and we've found it is a major bottleneck in our system testing (using
> a stub to remove internal back end dependencies).
> Can you suggest any short term measures to improve performance? We're
> blocked from pushing this to production at the moment.
> This is a major feature of the system; I'm guessing this affects the LDAP /
> AD integration / federator performance too.
> Do you have any timeframe around the priority to address this?
>
> For your case, the performance bottleneck can be in your
> federationProvider implementation, so I am not sure if it's the issue in
> Keycloak or rather an issue in your implementation.
>
> As indicated, we've created a stub implementation, code included below, to
> demonstrate there is an issue calling a federator in KC.
>
> /** Code snippet **/
> // imports added for readability; not part of the original snippet
> import java.util.Collections;
> import java.util.HashSet;
> import java.util.List;
> import java.util.Map;
> import java.util.Set;
> import org.jboss.logging.Logger;
> import org.keycloak.models.CredentialValidationOutput;
> import org.keycloak.models.GroupModel;
> import org.keycloak.models.KeycloakSession;
> import org.keycloak.models.RealmModel;
> import org.keycloak.models.RoleModel;
> import org.keycloak.models.UserCredentialModel;
> import org.keycloak.models.UserFederationProvider;
> import org.keycloak.models.UserFederationProviderModel;
> import org.keycloak.models.UserModel;
> import org.keycloak.models.utils.CredentialValidation;
>
> public class StubFederationProvider implements UserFederationProvider {
>     private static final Logger logger = Logger.getLogger(StubFederationProvider.class);
>     protected KeycloakSession session;
>     protected UserFederationProviderModel model;
>
>     public StubFederationProvider(KeycloakSession session, UserFederationProviderModel model) {
>         this.session = session;
>         this.model = model;
>     }
>
>     public UserFederationProviderModel getModel() {
>         return model;
>     }
>
>     @Override
>     public UserModel getUserByUsername(RealmModel realm, String username) {
>         UserModel userModel = addUserModelToUserStorage(realm, username);
>         userModel.setEnabled(true);
>         userModel.setFederationLink(model.getId());
>         return userModel;
>     }
>
>     protected UserModel addUserModelToUserStorage(RealmModel realm, String username) {
>         return session.userStorage().addUser(realm, username);
>     }
>
>     @Override
>     public UserModel getUserByEmail(RealmModel realm, String email) {
>         return null;
>     }
>
>     @Override
>     public List<UserModel> searchByAttributes(Map<String, String> attributes, RealmModel realm, int maxResults) {
>         return Collections.emptyList();
>     }
>
>     @Override
>     public List<UserModel> getGroupMembers(RealmModel realm, GroupModel group, int firstResult, int maxResults) {
>         return null;
>     }
>
>     @Override
>     public void preRemove(RealmModel realm) {
>         // complete: we don't care about the realm being removed
>     }
>
>     @Override
>     public void preRemove(RealmModel realm, RoleModel role) {
>         // complete: we don't care if a role is removed
>     }
>
>     @Override
>     public void preRemove(RealmModel realmModel, GroupModel groupModel) {
>         // complete: we don't care if a group is removed
>     }
>
>     @Override
>     public boolean isValid(RealmModel realm, UserModel local) {
>         return userExists(local.getUsername());
>     }
>
>     /**
>      * Returns supported credentials by this federator. PASSWORD is
>      * always supported but TOTP is optional for each user.
>      *
>      * @param user
>      * @return
>      */
>     @Override
>     public Set<String> getSupportedCredentialTypes(UserModel user) {
>         Set<String> supportedCredentialTypes = new HashSet<>();
>         supportedCredentialTypes.add(UserCredentialModel.PASSWORD);
>
>         // check for any otp configured on this user
>         if (user.isOtpEnabled()) {
>             supportedCredentialTypes.add(UserCredentialModel.TOTP);
>             supportedCredentialTypes.add(UserCredentialModel.HOTP);
>         }
>
>         return supportedCredentialTypes;
>     }
>
>     @Override
>     public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
>         for (UserCredentialModel cred : input) {
>             if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
>                 return validate(user, cred.getValue());
>             } else if (cred.getType().equals(UserCredentialModel.TOTP)) {
>                 return CredentialValidation.validTOTP(realm, user, cred.getValue());
>             } else if (cred.getType().equals(UserCredentialModel.HOTP)) {
>                 return CredentialValidation.validHOTP(realm, user, cred.getValue());
>             }
>         }
>         return false;
>     }
>
>     @Override
>     public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
>         for (UserCredentialModel cred : input) {
>             if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
>                 return validate(user, cred.getValue());
>             } else if (cred.getType().equals(UserCredentialModel.TOTP)) {
>                 return CredentialValidation.validTOTP(realm, user, cred.getValue());
>             } else if (cred.getType().equals(UserCredentialModel.HOTP)) {
>                 return CredentialValidation.validHOTP(realm, user, cred.getValue());
>             }
>         }
>         return false;
>     }
>
>     @Override
>     public void close() {
>     }
>
>     /**
>      * Keycloak will call this method if it finds an imported UserModel.
>      * Here we proxy the UserModel with a Readonly proxy which will barf if the password is updated.
>      *
>      * @param local
>      * @return
>      */
>     @Override
>     public UserModel validateAndProxy(RealmModel realm, UserModel local) {
>         if (isValid(realm, local)) {
>             getUserDetails(local);
>             return new StubUserModelProxy(local, this);  // StubUserModelProxy: the poster's own class, not shown
>         } else {
>             return null;
>         }
>     }
>
>     @Override
>     public boolean synchronizeRegistrations() {
>         return true;
>     }
>
>     /**
>      * Called if this federation provider has priority and supports synchronized registrations.
>      *
>      * @param realm
>      * @param user
>      * @return
>      */
>     @Override
>     public UserModel register(RealmModel realm, UserModel user) {
>         user.setSingleAttribute("status", "OK");
>         return user;
>     }
>
>     @Override
>     public boolean removeUser(RealmModel realm, UserModel user) {
>         // Not supported. Used as a part of the workaround to https://issues.jboss.org/browse/KEYCLOAK-1075
>         return true;
>     }
>
>     /**
>      * Supported credentials by this federator. PASSWORD is a supported type. TOTP depends on the user.
>      *
>      * @return supportedCredentialTypes
>      */
>     @Override
>     public Set<String> getSupportedCredentialTypes() {
>         Set<String> supportedCredentialTypes = new HashSet<>();
>         supportedCredentialTypes.add(UserCredentialModel.PASSWORD);
>         supportedCredentialTypes.add(UserCredentialModel.TOTP);
>         supportedCredentialTypes.add(UserCredentialModel.HOTP);
>         return supportedCredentialTypes;
>     }
>
>     @Override
>     public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
>         throw new IllegalStateException("validCredentials not supported");
>     }
>
>     private boolean userExists(String username) {
>         return true;
>     }
>
>     private void getUserDetails(UserModel user) {
>         user.setFirstName("first name");
>         user.setLastName("last name");
>     }
>
>     public boolean validate(UserModel user, String password) {
>         return true;
>     }
>
> }
>
> /** End Snippet **/
>
> Regards, Tom Connolly.
>
> ------------------------------
> From: Marek Posolda
> To: Thomas Connolly ; "keycloak-user at lists.jboss.org"
> Sent: Monday, June 13, 2016 5:47 PM
> Subject: Re: [keycloak-user] Performance issues with Federation provider enabled
>
> Thanks, AFAIK we didn't try much performance testing with
> federationProviders enabled. It's on the todo list though. Also we plan some
> refactoring of userStorage + userFederation, so we will likely go into it
> later.
>
> For your case, the performance bottleneck can be in your
> federationProvider implementation, so I am not sure if it's the issue in
> Keycloak or rather an issue in your implementation.
>
> One thing to note (maybe it's not an issue in your case, but just adding
> it to be sure you're aware): UserFederationProvider.close is currently not
> called. So if you rely on this method to free any important resources
> related to your implementation, you shouldn't, as it doesn't work right now.
> We are working on improving this for the next version.
>
> Marek
>
> On 13/06/16 07:57, Thomas Connolly wrote:
>
> Hi Marek
>
> I'm working with Fabricio on the federation performance issues with
> Keycloak.
>
> In answer to your question we are using the latest KC 1.9.7 version (we
> upgraded this week from 1.9.2).
>
> To give you some indication, we ran a gatling direct access login
> test (results below).
>
> As you can see below in (1), using KC out of the box: great performance -
> we saw 110 tx per sec on a 4 core system.
> In scenario (2), using a stubbed federator (simply an echo plugin not
> connecting to any back end services), performance is unacceptable.
>
> 1) Not using the federator - Stub federator (disabled) - while 29 tx per
> second here, we could easily get to a stable 110 tx per second.
> 300 Users (hitting single server)
> ---- Global Information --------------------------------------------------------
> request count                                    9185 (OK=9185   KO=0     )
> min response time                                  18 (OK=18     KO=-     )
> max response time                                 723 (OK=723    KO=-     )
> mean response time                                 27 (OK=27     KO=-     )
> std deviation                                      44 (OK=44     KO=-     )
> response time 50th percentile                      20 (OK=20     KO=-     )
> response time 75th percentile                      21 (OK=21     KO=-     )
> mean requests/sec                              29.626 (OK=29.626 KO=-     )
> ---- Response Time Distribution ------------------------------------------------
> t < 800 ms                                       9185 (100%)
> 800 ms < t < 1200 ms                                0 (  0%)
> t > 1200 ms                                         0 (  0%)
> failed                                              0 (  0%)
>
> 2) Stub federator (enabled) - if we brought the test down to 12 tx per second
> (about 90 users) the response times dropped to < 1200 ms,
> however not even close to meeting our acceptance criteria.
> 300 Users (hitting single server)
> ---- Global Information --------------------------------------------------------
> request count                                    8496 (OK=8496   KO=0     )
> min response time                                 511 (OK=511    KO=-     )
> max response time                               11191 (OK=11191  KO=-     )
> mean response time                               6832 (OK=6832   KO=-     )
> std deviation                                    2329 (OK=2329   KO=-     )
> response time 50th percentile                    7194 (OK=7194   KO=-     )
> response time 75th percentile                    8690 (OK=8690   KO=-     )
> mean requests/sec                              27.404 (OK=27.404 KO=-     )
> ---- Response Time Distribution ------------------------------------------------
> t < 800 ms                                        154 (  2%)
> 800 ms < t < 1200 ms                               85 (  1%)
> t > 1200 ms                                      8257 ( 97%)
> failed                                              0 (  0%)
>
> This is currently a show stopper for us and is blocking our path to
> production.
> Do you run similar tests, and how can we help you optimise the performance?
>
> Regards
> Tom.
>
> Date: Wed, 8 Jun 2016 12:28:19 +0200
> From: Marek Posolda
> Subject: Re: [keycloak-user] Performance issues with Federation provider enabled
> To: Fabricio Milone , keycloak-user
> Message-ID: <5757F343.1040803 at redhat.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Hi,
>
> what's the keycloak version used? Could you try latest keycloak and
> check if performance is still the issue?
>
> Marek
>
> On 08/06/16 01:30, Fabricio Milone wrote:
> > Hi all,
> >
> > I sent this email yesterday with 5 or more attachments, so I think it
> > was blocked or something... here I go again :)
> >
> > I've been running load tests on our application during the last few
> > weeks, and having some performance issues when my custom federator is
> > enabled.
> >
> > The performance issue does not exist when the federator is disabled.
> >
> > Configuration:
> >
> > I have a cluster of 2 instances of Keycloak, with a standalone DB,
> > we've verified the DB isn't an issue when the federator is disabled.
> > Both instances have a quad core CPU and they are in the same network.
> > We've left the memory at 512MB. The test script, database and API that
> > connects to the federator are in separate machines.
> >
> > Federator:
> >
> > We have a simple custom federator that makes calls to a very
> > performant api, which has been tested and is ok. Additionally, we've
> > tested stubbing the API so the performance is not a problem there.
> > This federator is using a jaxb marshaller to create a request, again
> > tested in isolation and is performing well.
> >
> > As the federator is doing a lot of calls to the API (3 per login
> > request), I've implemented a httpclient that uses a
> > PoolingHttpClientConnectionManager with 1000 connections available to
> > use, instead of using the standard apache httpclient from http
> > components. That hasn't improved a bit the performance of the system.
> >
> > Tests:
> >
> > It is a gatling scala script that could generate around ~300 (or more)
> > requests/second to the direct grants login endpoint using random
> > usernames from a list (all of them already registered using KC). The
> > script is doing a round robin across both instances of Keycloak with
> > an even distribution to each KC instance.
> > The idea is to simulate a load of 300 to 1500 concurrent users trying to
> > login into our systems.
> >
> > Problem:
> >
> > If I run the tests without using a federation I can see a very good
> > performance, but when I try to run the tests with the custom
> > federation code, the performance drops from ~150 requests/second to 22
> > req/sec using both instances.
> > Memory wise, it seems to be ok. I've never seen an error related to
> > memory with this configuration, also if you take a look at the
> > attached visualVM screenshot you'll see that memory is not a problem
> > or it seems not to be.
> > CPU utilisation is very low to my mind, I'd expect more than 80% of
> > usage or something like that.
> > There is a method that is leading the CPU samples on VisualVM called
> > Semaphore.tryAcquire(). Not quite sure what that's for, still
> > investigating.
> >
> > I can see that a lot of new threads are being created when the test
> > starts, as it creates around 60 requests/second to the direct grants
> > login call, but it seems to be a bottleneck at some point.
> >
> > So I'm wondering if there is some configuration I'm missing on the
> > Keycloak side that could be affecting the cluster performance when a
> > federator is enabled. Maybe something related to jpa connections,
> > infinispan configuration or even wildfly.
> >
> > I'd really appreciate your help on this one as I'm out of ideas.
> >
> > I've attached some screenshots of visualVM and test results from my
> > last run today.
> >
> > Sorry for the long email and please let me know if you need further
> > information.
> >
> > Thank you in advance,
> >
> > Regards,
> > Fab
> >
> > --
> > Fabricio Milone
> > Developer

From bburke at redhat.com Mon Jun 13 15:36:00 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 13 Jun 2016 15:36:00 -0400
Subject: [keycloak-user] Buffer overflow in keycloak.adapters.saml
In-Reply-To:
References:
Message-ID:

Probably you are doing a very large POST or PUT to a secure URL, the adapter is trying to save the request in the HttpSession and running into buffer limits.

getMaxSavePostSize()

Probably a tomcat setting somewhere.

On 6/13/16 12:59 PM, Richard Lavallee wrote:
>
> Is anyone familiar with the below stack trace trying to connect
> Keycloak to Tomcat, please?
>
> type Exception report
>
> message Could not create authentication request.
>
> description The server encountered an internal error that prevented
> it from fulfilling this request.
>
> exception
>
> java.lang.RuntimeException: Could not create authentication request.
>     org.keycloak.adapters.saml.AbstractInitiateLogin.challenge(AbstractInitiateLogin.java:63)
>     org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:247)
>     org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.authenticateInternal(AbstractSamlAuthenticatorValve.java:222)
>     org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve.authenticate(SamlAuthenticatorValve.java:42)
>     org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
>     org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:184)
>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>     org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
>     org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>     org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     java.lang.Thread.run(Thread.java:744)
>
> root cause
>
> java.lang.RuntimeException: java.io.IOException: Buffer overflow, no sink 4096 4096
>     org.keycloak.adapters.saml.CatalinaSamlSessionStore.saveRequest(CatalinaSamlSessionStore.java:226)
>     org.keycloak.adapters.saml.AbstractInitiateLogin.challenge(AbstractInitiateLogin.java:58)
>     org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:247)
>     org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.authenticateInternal(AbstractSamlAuthenticatorValve.java:222)
>     org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve.authenticate(SamlAuthenticatorValve.java:42)
>     org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
>     org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:184)
>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>     org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
>     org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>     org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     java.lang.Thread.run(Thread.java:744)
>
> root cause
>
> java.io.IOException: Buffer overflow, no sink 4096 4096
>     org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:477)
>     org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:366)
>     org.apache.catalina.authenticator.FormAuthenticator.saveRequest(FormAuthenticator.java:664)
>     org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.keycloakSaveRequest(AbstractSamlAuthenticatorValve.java:253)
>     org.keycloak.adapters.saml.CatalinaSamlSessionStore.saveRequest(CatalinaSamlSessionStore.java:224)
>     org.keycloak.adapters.saml.AbstractInitiateLogin.challenge(AbstractInitiateLogin.java:58)
>     org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:247)
>     org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.authenticateInternal(AbstractSamlAuthenticatorValve.java:222)
>     org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve.authenticate(SamlAuthenticatorValve.java:42)
>     org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
>     org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:184)
>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>     org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
>     org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>     org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     java.lang.Thread.run(Thread.java:744)
> ------------------------------------------------------------------------

From bburke at redhat.com Mon Jun 13 15:47:53 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 13 Jun 2016 15:47:53 -0400
Subject: [keycloak-user] Performance issues with Federation provider enabled
In-Reply-To: <998128545.2041363.1465814126838.JavaMail.yahoo@mail.yahoo.com>
References: <315000034.1945497.1465797441058.JavaMail.yahoo.ref@mail.yahoo.com> <315000034.1945497.1465797441058.JavaMail.yahoo@mail.yahoo.com> <575E6520.3080409@redhat.com> <998128545.2041363.1465814126838.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

In your validateAndProxy() method you call getUserDetails() which is calling user.setFirstName, setLastName.
So, basically every time the user is queried via getUserByUsername(), you are doing:

1) A database update
2) Invalidating the user cache across the cluster

On 6/13/16 6:35 AM, Thomas Connolly wrote: > Hi Marek > > > Thanks, AFAIK we didn't try much performance testing with > federationProviders enabled. It's on the todo list though. Also we plan > some refactoring of userStorage + userFederation, so we will likely go > into it later. > > Yes and we've found it is a major bottleneck in our system testing > (using a stub to remove internal back end dependencies). > Can you suggest any short term measures to improve performance, we're > blocked from pushing this to production at the moment? > This is a major feature of the system; I'm guessing this affects the > LDAP / AD integration / federator performance too. > Do you have any timeframe around the priority to address this? > > > For your case, the performance bottleneck can be in your federationProvider > implementation, so I am not sure if it's the issue in Keycloak or > rather an issue in your implementation. > > As indicated we've created a stub implementation, code included below, > to demonstrate there is an issue calling a federator in KC.
>
> /** Code snippet **/
> // imports needed to compile the snippet (Logger assumed to be org.jboss.logging.Logger)
> import java.util.Collections;
> import java.util.HashSet;
> import java.util.List;
> import java.util.Map;
> import java.util.Set;
> import org.jboss.logging.Logger;
> import org.keycloak.models.*;
> import org.keycloak.models.utils.CredentialValidation;
>
> public class StubFederationProvider implements UserFederationProvider {
>     private static final Logger logger = Logger.getLogger(StubFederationProvider.class);
>     protected KeycloakSession session;
>     protected UserFederationProviderModel model;
>
>     public StubFederationProvider(KeycloakSession session, UserFederationProviderModel model) {
>         this.session = session;
>         this.model = model;
>     }
>
>     public UserFederationProviderModel getModel() {
>         return model;
>     }
>
>     @Override
>     public UserModel getUserByUsername(RealmModel realm, String username) {
>         // every lookup imports the user into local storage
>         UserModel userModel = addUserModelToUserStorage(realm, username);
>         userModel.setEnabled(true);
>         userModel.setFederationLink(model.getId());
>         return userModel;
>     }
>
>     protected UserModel addUserModelToUserStorage(RealmModel realm, String username) {
>         return session.userStorage().addUser(realm, username);
>     }
>
>     @Override
>     public UserModel getUserByEmail(RealmModel realm, String email) {
>         return null;
>     }
>
>     @Override
>     public List<UserModel> searchByAttributes(Map<String, String> attributes, RealmModel realm, int maxResults) {
>         return Collections.emptyList();
>     }
>
>     @Override
>     public List<UserModel> getGroupMembers(RealmModel realm, GroupModel group, int firstResult, int maxResults) {
>         return null;
>     }
>
>     @Override
>     public void preRemove(RealmModel realm) {
>         // complete: we don't care about the realm being removed
>     }
>
>     @Override
>     public void preRemove(RealmModel realm, RoleModel role) {
>         // complete: we don't care if a role is removed
>     }
>
>     @Override
>     public void preRemove(RealmModel realmModel, GroupModel groupModel) {
>         // complete: we don't care if a group is removed
>     }
>
>     @Override
>     public boolean isValid(RealmModel realm, UserModel local) {
>         return userExists(local.getUsername());
>     }
>
>     /**
>      * Returns supported credentials by this federator. PASSWORD is always supported but TOTP is optional for each user.
>      *
>      * @param user
>      * @return
>      */
>     @Override
>     public Set<String> getSupportedCredentialTypes(UserModel user) {
>         Set<String> supportedCredentialTypes = new HashSet<>();
>         supportedCredentialTypes.add(UserCredentialModel.PASSWORD);
>         // check for any otp configured on this user
>         if (user.isOtpEnabled()) {
>             supportedCredentialTypes.add(UserCredentialModel.TOTP);
>             supportedCredentialTypes.add(UserCredentialModel.HOTP);
>         }
>         return supportedCredentialTypes;
>     }
>
>     @Override
>     public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
>         for (UserCredentialModel cred : input) {
>             if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
>                 return validate(user, cred.getValue());
>             } else if (cred.getType().equals(UserCredentialModel.TOTP)) {
>                 return CredentialValidation.validTOTP(realm, user, cred.getValue());
>             } else if (cred.getType().equals(UserCredentialModel.HOTP)) {
>                 return CredentialValidation.validHOTP(realm, user, cred.getValue());
>             }
>         }
>         return false;
>     }
>
>     @Override
>     public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
>         for (UserCredentialModel cred : input) {
>             if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
>                 return validate(user, cred.getValue());
>             } else if (cred.getType().equals(UserCredentialModel.TOTP)) {
>                 return CredentialValidation.validTOTP(realm, user, cred.getValue());
>             } else if (cred.getType().equals(UserCredentialModel.HOTP)) {
>                 return CredentialValidation.validHOTP(realm, user, cred.getValue());
>             }
>         }
>         return false;
>     }
>
>     @Override
>     public void close() {
>     }
>
>     /**
>      * Keycloak will call this method if it finds an imported UserModel. Here we proxy the UserModel with
>      * a Readonly proxy which will barf if password is updated.
>      *
>      * @param local
>      * @return
>      */
>     @Override
>     public UserModel validateAndProxy(RealmModel realm, UserModel local) {
>         if (isValid(realm, local)) {
>             getUserDetails(local);
>             return new StubUserModelProxy(local, this);
>         } else {
>             return null;
>         }
>     }
>
>     @Override
>     public boolean synchronizeRegistrations() {
>         return true;
>     }
>
>     /**
>      * Called if this federation provider has priority and supports synchronized registrations.
>      *
>      * @param realm
>      * @param user
>      * @return
>      */
>     @Override
>     public UserModel register(RealmModel realm, UserModel user) {
>         user.setSingleAttribute("status", "OK");
>         return user;
>     }
>
>     @Override
>     public boolean removeUser(RealmModel realm, UserModel user) {
>         // Not supported. Used as a part of the Workaround to https://issues.jboss.org/browse/KEYCLOAK-1075
>         return true;
>     }
>
>     /**
>      * Supported credentials by this federator. PASSWORD is a supported type. TOTP depends on the user.
>      *
>      * @return supportedCredentialTypes
>      */
>     @Override
>     public Set<String> getSupportedCredentialTypes() {
>         Set<String> supportedCredentialTypes = new HashSet<>();
>         supportedCredentialTypes.add(UserCredentialModel.PASSWORD);
>         supportedCredentialTypes.add(UserCredentialModel.TOTP);
>         supportedCredentialTypes.add(UserCredentialModel.HOTP);
>         return supportedCredentialTypes;
>     }
>
>     @Override
>     public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
>         throw new IllegalStateException("validCredentials not supported");
>     }
>
>     private boolean userExists(String username) {
>         return true;
>     }
>
>     // called on every validateAndProxy(): the setters below write to the imported user
>     private void getUserDetails(UserModel user) {
>         user.setFirstName("first name");
>         user.setLastName("last name");
>     }
>
>     public boolean validate(UserModel user, String password) {
>         return true;
>     }
>
> }
>
> /** End Snippet **/
>
> Regards Tom Connolly.
> > > ------------------------------------------------------------------------ > *From:* Marek Posolda > *To:* Thomas Connolly ; > "keycloak-user at lists.jboss.org" > *Sent:* Monday, June 13, 2016 5:47 PM > *Subject:* Re: [keycloak-user] Performance issues with Federation > provider enabled > > Thanks, AFAIK we didn't try much performance testing with > federationProviders enabled. It's on the todo list though. Also we plan > some refactoring of userStorage + userFederation, so we will likely go > into it later. > > For your case, the performance bottleneck can be in your > federationProvider implementation, so I am not sure if it's the issue > in Keycloak or rather an issue in your implementation. > > One thing to note (maybe it's not an issue in your case, but just > adding it to be sure you're aware): UserFederationProvider.close is > currently not called. So if you rely on this method to free any > important resources related to your implementation, you shouldn't as > it doesn't work right now. We are working on improving this for the next > version. > > Marek > > On 13/06/16 07:57, Thomas Connolly wrote: >> Hi Marek >> >> I'm working with Fabricio on the federation performance issues with >> Keycloak. >> >> In answer to your question we are using the latest KC 1.9.7 version >> (we upgraded this week from 1.9.2). >> >> To give you some indication of running a gatling direct access >> login test (results below). >> >> As you can see below in (1) using KC out of the box. Great >> performance - we saw 110 tx per sec on a 4 core system. >> In scenario (2) using a stubbed federator (simply an echo plugin not >> connecting to any back end services), performance is unacceptable. >> >> 1) Not using the federator - Stub federator (disabled) - while 29 tx >> per second we could easily get to a stable 110 tx per second.
>> 300 Users (hitting single server)
>> ---- Global Information --------------------------------------------------------
>> > request count                      9185 (OK=9185   KO=0     )
>> > min response time                    18 (OK=18     KO=-     )
>> > max response time                   723 (OK=723    KO=-     )
>> > mean response time                   27 (OK=27     KO=-     )
>> > std deviation                        44 (OK=44     KO=-     )
>> > response time 50th percentile        20 (OK=20     KO=-     )
>> > response time 75th percentile        21 (OK=21     KO=-     )
>> > mean requests/sec                29.626 (OK=29.626 KO=-     )
>> ---- Response Time Distribution ------------------------------------------------
>> > t < 800 ms                         9185 (100%)
>> > 800 ms < t < 1200 ms                  0 (  0%)
>> > t > 1200 ms                           0 (  0%)
>> > failed                                0 (  0%)
>>
>> 2) Stub federator (enabled) - if we brought the test down to 12 tx per
>> second (about 90 users) the response times dropped to < 1200 ms
>> response times, however not even close to meeting our acceptance
>> criteria.
>> 300 Users (hitting single server)
>> ---- Global Information --------------------------------------------------------
>> > request count                      8496 (OK=8496   KO=0     )
>> > min response time                   511 (OK=511    KO=-     )
>> > max response time                 11191 (OK=11191  KO=-     )
>> > mean response time                 6832 (OK=6832   KO=-     )
>> > std deviation                      2329 (OK=2329   KO=-     )
>> > response time 50th percentile      7194 (OK=7194   KO=-     )
>> > response time 75th percentile      8690 (OK=8690   KO=-     )
>> > mean requests/sec                27.404 (OK=27.404 KO=-     )
>> ---- Response Time Distribution ------------------------------------------------
>> > t < 800 ms                          154 (  2%)
>> > 800 ms < t < 1200 ms                 85 (  1%)
>> > t > 1200 ms                        8257 ( 97%)
>> > failed                                0 (  0%)
>>
>> This is currently a show stopper for us and is blocking our path to
>> production.
>> Do you run similar tests and how can we help you optimise the
>> performance?
>>
>> Regards
>> Tom.
>> >> >> Date: Wed, 8 Jun 2016 12:28:19 +0200 >> From: Marek Posolda >> Subject: Re: [keycloak-user] Performance issues with Federation >> provider enabled >> To: Fabricio Milone >> , keycloak-user >> >> Message-ID: <5757F343.1040803 at redhat.com> >> >> Content-Type: text/plain; charset="windows-1252" >> >> Hi, >> >> what's the keycloak version used? Could you try the latest keycloak and >> check if performance is still the issue? >> >> Marek >> >> On 08/06/16 01:30, Fabricio Milone wrote: >> > Hi all, >> > >> > I sent this email yesterday with 5 or more attachments, so I think it >> > was blocked or something... here I go again :) >> > >> > I've been running load tests on our application during the last few >> > weeks, and having some performance issues when my custom federator is >> > enabled. >> > >> > The performance issue does not exist when the federator is disabled. >> > *Configuration*: >> > >> > I have a cluster of 2 instances of Keycloak, with a standalone DB, >> > we've verified the DB isn't an issue when the federator is disabled. >> > Both instances have a quad core CPU and they are in the same network. >> > We've left the memory at 512MB. The test script, database and API that >> > connects to the federator are in separate machines. >> > *Federator*: >> > >> > We have a simple custom federator that makes calls to a very >> > performant api, which has been tested and is ok. Additionally, we've >> > tested stubbing the API so the performance is not a problem there. >> > This federator is using a jaxb marshaller to create a request, again >> > tested in isolation and is performing well. >> > >> > As the federator is doing a lot of calls to the API (3 per login >> > request), I've implemented an httpclient that uses a >> > PoolingHttpClientConnectionManager with 1000 connections available to >> > use, instead of using the standard apache httpclient from http >> > components. That hasn't improved the performance of the system a bit.
>> > *Tests*: >> > It is a gatling scala script that could generate around ~300 (or more) >> > requests/second to the direct grants login endpoint using random >> > usernames from a list (all of them already registered using KC). The >> > script is doing a round robin across both instances of Keycloak with >> > an even distribution to each KC instance. >> > The idea is to simulate a load of 300 to 1500 concurrent users trying to >> > login into our systems. >> > *Problem*: >> > >> > If I run the tests without using a federation I can see a very good >> > performance, but when I try to run the tests with the custom >> > federation code, the performance drops from ~150 requests/second to 22 >> > req/sec using both instances. >> > Memory wise, it seems to be ok. I've never seen an error related to >> > memory with this configuration, also if you take a look at the >> > attached visualVM screenshot you'll see that memory is not a problem >> > or it seems not to be. >> > CPU utilisation is very low to my mind, I'd expect more than 80% of >> > usage or something like that. >> > There is a method that is leading the CPU samples on VisualVM called >> > Semaphore.tryAcquire(). Not quite sure what that's for, still >> > investigating. >> > >> > I can see that a lot of new threads are being created when the test >> > starts, as it creates around 60 requests/second to the direct grants >> > login call, but it seems to be a bottleneck at some point. >> > >> > So I'm wondering if there is some configuration I'm missing on the >> > Keycloak side that could be affecting the cluster performance when a >> > federator is enabled. Maybe something related to jpa connections, >> > infinispan configuration or even wildfly. >> > >> > I'd really appreciate your help on this one as I'm out of ideas. >> > >> > I've attached some screenshots of visualVM and test results from my >> > last run today. >> > >> > >> > Sorry for the long email and please let me know if you need further >> > information.
>> > >> > Thank you in advance, >> > >> > Regards, >> > Fab >> > >> > -- >> > *Fabricio Milone* >> > Developer >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/e13afa3f/attachment-0001.html From jahenao at itroisolutions.com Mon Jun 13 15:48:20 2016 From: jahenao at itroisolutions.com (Jairo Henao) Date: Mon, 13 Jun 2016 19:48:20 +0000 Subject: [keycloak-user] Getting the user email before delete it In-Reply-To: References: Message-ID: Ok, the report has already been sent https://issues.jboss.org/browse/KEYCLOAK-3107 Jairo Henao Rojas IT ROI Solutions Software Architect From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Monday, June 13, 2016 12:33 PM To: Jairo Henao Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Getting the user email before delete it You're right, the event is fired after the user is deleted so it won't be available. You can create a JIRA feature request if you want. On 13 June 2016 at 18:31, Jairo Henao > wrote: Thanks Stian: Your suggestion works well for 'create' and 'update' events, but when I try to use the session.users().getUserById(userId, realm), the result is null.
if (event.getRealmId() != null && event.getAuthDetails().getUserId() != null
        && event.getResourcePath() != null && event.getResourcePath().startsWith("users/")) {
    RealmModel realm = model.getRealm(event.getRealmId());
    // the affected user's id is the last segment of the admin event's resource path ("users/<id>")
    String userId = event.getResourcePath().substring(event.getResourcePath().lastIndexOf("/") + 1);
    UserModel user = session.users().getUserById(userId, realm);
    if (user != null) {
        if (OperationType.DELETE.equals(event.getOperationType())) {
            // Deleting the user in Hubspot
            log.infov("Deleting the user (ID={0}) in Hubspot...", user.getEmail());
        } else if (OperationType.UPDATE.equals(event.getOperationType())) {
            // Updating the user in Hubspot
            log.infov("Updating the user (ID={0}) in Hubspot...", user.getEmail());
        } else if (OperationType.CREATE.equals(event.getOperationType())) {
            // Registering the user in Hubspot
            log.infov("Registering the user (ID={0}) in Hubspot...", user.getEmail());
        }
    } else {
        log.errorv("No User found with ID={0}, Operation={1}", userId, event.getOperationType());
    }
} else {
    log.errorv("No Realm ID or User ID found");
}

2016-06-13 11:22:02,502 INFO [com.itroi.keycloak.events.hubspot.HubspotEventListenerProvider] (default task-56) Registering the user (ID=user500 at mail.com) in Hubspot...
2016-06-13 11:22:19,463 INFO [com.itroi.keycloak.events.hubspot.HubspotEventListenerProvider] (default task-64) Updating the user (ID=user500 at mail2.com) in Hubspot...
2016-06-13 11:22:32,403 ERROR [com.itroi.keycloak.events.hubspot.HubspotEventListenerProvider] (default task-7) No User found with ID=179e55e6-5788-4a10-a640-6661485bfa95, Operation=DELETE Jairo Henao Rojas IT ROI Solutions Software Architect Mobile : 314-738-6032 Office Colombia: + (571) 381-9185 Office Mexico: + 52-81-4624-4468 Office Chile: + 5622-582-2257 Office USA: 954-518-3330 Office Canada: 604-998-2280 jahenao at itroisolutions.com From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Monday, June 13, 2016 8:28 AM To: Jairo Henao > Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Getting the user email before delete it You can get the user object from session.users().getUserById(..), which will give you the email. On 11 June 2016 at 08:58, Jairo Henao > wrote: Hello community: I have a listener that is pending when an administrator deletes a user. How can I get the user email? Apparently I can only get his ID, but I need his email to delete it in HubSpot. Is there something like a pre-delete event?
Thanks, Jairo Henao Rojas IT ROI Solutions Software Architect Mobile : 314-738-6032 Office Colombia: + (571) 381-9185 Office Mexico: + 52-81-4624-4468 Office Chile: + 5622-582-2257 Office USA: 954-518-3330 Office Canada: 604-998-2280 jahenao at itroisolutions.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f7e1d21d/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 2814 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f7e1d21d/attachment-0005.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image002.png Type: image/png Size: 2066 bytes Desc: image002.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f7e1d21d/attachment-0006.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.png Type: image/png Size: 2435 bytes Desc: image003.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f7e1d21d/attachment-0007.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image004.png Type: image/png Size: 3041 bytes Desc: image004.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f7e1d21d/attachment-0008.png -------------- next part -------------- A non-text attachment was scrubbed...
Name: image005.png Type: image/png Size: 2897 bytes Desc: image005.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/f7e1d21d/attachment-0009.png From draganj at gmail.com Mon Jun 13 18:01:58 2016 From: draganj at gmail.com (Dragan Jotanovic) Date: Mon, 13 Jun 2016 23:01:58 +0100 Subject: [keycloak-user] Basic auth and Authentication popup Message-ID: Hi there, I have a war application deployed to tomcat that is currently secured with BASIC authentication through tomcat's realm. When I try to access the secured page, the authentication popup appears. I would like to switch to keycloak security but I'm not sure if it is possible to configure keycloak to force this authentication popup. I tried setting it up but when I try to access the secured page, instead of the authentication popup I am redirected to the keycloak page "Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client." I've followed the instructions from https://github.com/keycloak/keycloak/tree/master/examples/basic-auth and http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#tomcat-adapter . Is it possible to set up tomcat and keycloak so that the authentication popup would be forced to appear? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160613/72566605/attachment.html From mposolda at redhat.com Tue Jun 14 04:54:40 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 14 Jun 2016 10:54:40 +0200 Subject: [keycloak-user] Basic auth and Authentication popup In-Reply-To: References: Message-ID: <575FC650.9090203@redhat.com> Hi, The main point of Keycloak is to provide SSO for browser based apps. BASIC authentication is currently supported just for REST endpoints, so no authentication popup. And it's generally not recommended.
So if you have the opportunity to redesign and avoid BASIC authentication and the authentication popup, that would be the preferred way IMO. Otherwise if you really need BASIC authentication with the popup, then it will be better to avoid using the Keycloak adapter at all in your WAR. Instead you can likely use the Tomcat JAAS realm and configure the Keycloak JAAS login module (probably DirectAccessGrantsLoginModule) - https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/jaas.html Marek Not sure why you want the authentication popup? On 14/06/16 00:01, Dragan Jotanovic wrote: > Hi there, > > I have a war application deployed to tomcat that is currently secured > with BASIC authentication through tomcat's realm. When I try to access > the secured page, the authentication popup appears. > I would like to switch to keycloak security but I'm not sure if it is > possible to configure keycloak to force this authentication popup. > I tried setting it up but when I try to access the secured page, > instead of the authentication popup I am redirected to the keycloak page > "Client is not allowed to initiate browser login with given > response_type. Standard flow is disabled for the client." > I've followed the instructions from > https://github.com/keycloak/keycloak/tree/master/examples/basic-auth > and > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#tomcat-adapter. > > Is it possible to set up tomcat and keycloak so that the authentication > popup would be forced to appear? > > Thanks > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160614/10b99064/attachment.html From draganj at gmail.com Tue Jun 14 05:56:31 2016 From: draganj at gmail.com (Dragan Jotanovic) Date: Tue, 14 Jun 2016 10:56:31 +0100 Subject: [keycloak-user] Basic auth and Authentication popup In-Reply-To: <575FC650.9090203@redhat.com> References: <575FC650.9090203@redhat.com> Message-ID: Thanks, Marek, I will try out the JAAS Realm approach. I need the authentication popup for some legacy flex application which we can not change. Thanks, Dragan On Tue, Jun 14, 2016 at 9:54 AM, Marek Posolda wrote: > Hi, > > The main point of Keycloak is to provide SSO for browser based apps. BASIC > authentication is currently supported just for REST endpoints, so no > authentication popup. And it's generally not recommended. So if you have > the opportunity to redesign and avoid BASIC authentication and the authentication > popup, that would be the preferred way IMO. > > Otherwise if you really need BASIC authentication with the popup, then it > will be better to avoid using the Keycloak adapter at all in your WAR. Instead > you can likely use the Tomcat JAAS realm and configure the Keycloak JAAS login > module (probably DirectAccessGrantsLoginModule) - > https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/jaas.html > > Marek > > Not sure why you want the authentication popup? > On 14/06/16 00:01, Dragan Jotanovic wrote: > > Hi there, > > I have a war application deployed to tomcat that is currently secured with > BASIC authentication through tomcat's realm. When I try to access the secured > page, the authentication popup appears. > I would like to switch to keycloak security but I'm not sure if it is > possible to configure keycloak to force this authentication popup.
> I tried setting it up but when I try to access the secured page, instead > of the authentication popup I am redirected to the keycloak page "Client is not > allowed to initiate browser login with given response_type. Standard flow > is disabled for the client." > I've followed the instructions from > > https://github.com/keycloak/keycloak/tree/master/examples/basic-auth and > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#tomcat-adapter > . > > Is it possible to set up tomcat and keycloak so that the authentication > popup would be forced to appear? > > Thanks > > > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160614/d0c7a319/attachment.html From lrxw at posteo.de Tue Jun 14 11:43:30 2016 From: lrxw at posteo.de (lrxw) Date: Tue, 14 Jun 2016 17:43:30 +0200 Subject: [keycloak-user] SAML request signature In-Reply-To: References: <8a8ada0d559d802f89be33767c875c87@posteo.de> Message-ID: I'm using Keycloak as the IDP (with an IBM DataPower + ADS behind it) with a pre-existing SP. On 10.06.2016 15:32, Bill Burke wrote: > You are using Keycloak as the IDP with a pre-existing SP (client)? Or > are you using Keycloak IDP and the Keycloak SAML client adapter? > > > On 6/10/16 3:07 AM, lrxw wrote: >> Hi all, >> >> I'm new to keycloak, but managed to set up keycloak (1.9.2) and a realm >> with a SAML identity provider. Everything seems fine, but the SAML >> Request sent to my IDP is signed with an RSAKeyValue instead of >> X509Data. >> Can anyone help me how to configure keycloak to use an X.509 >> certificate?
>> >> Greetings >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From kiwi.mec at gmail.com Tue Jun 14 21:53:07 2016 From: kiwi.mec at gmail.com (Michael Chester) Date: Wed, 15 Jun 2016 01:53:07 +0000 Subject: [keycloak-user] Can Keycloak be clustered without multicast? Message-ID: Hi, I would like to deploy a Keycloak cluster in AWS but AWS does not support multicast. There is a note here: https://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3460 That seems to indicate that Infinispan, Keycloak's shared memory solution, relies on multicast to work. So I have some questions:

1. Is there a standard pattern for clustering deployment to AWS?
2. Can Keycloak support clustering without multicast?
3. Does Keycloak clustering support autoscale groups?

Thank you. Regards, Michael Chester -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160615/6b40f47b/attachment-0001.html From nielsbne at gmail.com Tue Jun 14 22:22:13 2016 From: nielsbne at gmail.com (Niels Bertram) Date: Wed, 15 Jun 2016 12:22:13 +1000 Subject: [keycloak-user] Can Keycloak be clustered without multicast? In-Reply-To: References: Message-ID: Hi Michael, Infinispan uses JGroups for cluster formation. Check out this link that explains how to form JGroups clusters on AWS. I would be interested to hear how you got your configuration to work. I am currently looking at jgroups cluster setup in an on-prem environment without uni/multicast support which is also a bit out of the ordinary.
Cheers Niels On Wed, Jun 15, 2016 at 11:53 AM, Michael Chester wrote: > Hi, > > I would like to deploy a Keycloak cluster in AWS but AWS does not support > multicast. There is a note here: > > > https://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3460 > > That seems to indicate that Infinispan, Keycloak's shared memory solution, > relies on multicast to work. So I have some questions: > > 1. Is there a standard pattern for clustering deployment to AWS? > 2. Can Keycloak support clustering without multicast? > 3. Does Keycloak clustering support autoscale groups? > > Thank you. > > Regards, > Michael Chester > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160615/63ec9201/attachment.html From haimv at perfectomobile.com Wed Jun 15 02:44:38 2016 From: haimv at perfectomobile.com (Haim Vana) Date: Wed, 15 Jun 2016 06:44:38 +0000 Subject: [keycloak-user] ClassCastException on UsersResource search API Message-ID: Hi, We are using KeyCloak 1.9.3, when trying to search a user with the API (usersResource.search) we are getting a ClassCastException. The problem is that the KeyCloak resteasy (version 3.0.16) ClientWebTarget is explicitly using ResteasyUriBuilder and at runtime we are getting our Jersey JerseyUriBuilder. Any idea how to overcome it, assuming we can't remove the Jersey dependency?
Exception stack trace:

java.lang.ClassCastException: org.glassfish.jersey.uri.internal.JerseyUriBuilder cannot be cast to org.jboss.resteasy.specimpl.ResteasyUriBuilder
    at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.queryParamNoTemplate(ClientWebTarget.java:289)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.QueryParamProcessor.apply(QueryParamProcessor.java:23)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.QueryParamProcessor.apply(QueryParamProcessor.java:12)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.AbstractCollectionProcessor.buildIt(AbstractCollectionProcessor.java:76)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.AbstractWebTargetCollectionProcessor.build(AbstractWebTargetCollectionProcessor.java:22)

Thanks, Haim. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160615/a647babc/attachment.html From sthorger at redhat.com Wed Jun 15 06:58:18 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 15 Jun 2016 12:58:18 +0200 Subject: [keycloak-user] ClassCastException on UsersResource search API In-Reply-To: References: Message-ID: The admin client lib requires RESTEasy. If you're using WildFly or JBoss EAP you can create a module for the admin client library and add the RESTEasy dependencies to that.
On 15 June 2016 at 08:44, Haim Vana wrote:
> Hi,
>
> We are using Keycloak 1.9.3; when trying to search a user with the API (usersResource.search) we are getting a ClassCastException.
>
> The problem is that the Keycloak RESTEasy (version 3.0.16) ClientWebTarget explicitly uses ResteasyUriBuilder, and at runtime we are getting our Jersey JerseyUriBuilder.
>
> Any idea how to overcome it, assuming we can't remove the Jersey dependency?
>
> Exception stack trace:
>
> java.lang.ClassCastException: org.glassfish.jersey.uri.internal.JerseyUriBuilder cannot be cast to org.jboss.resteasy.specimpl.ResteasyUriBuilder
>     at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.queryParamNoTemplate(ClientWebTarget.java:289)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.QueryParamProcessor.apply(QueryParamProcessor.java:23)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.QueryParamProcessor.apply(QueryParamProcessor.java:12)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.AbstractCollectionProcessor.buildIt(AbstractCollectionProcessor.java:76)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.AbstractWebTargetCollectionProcessor.build(AbstractWebTargetCollectionProcessor.java:22)
>
> Thanks,
> Haim.
From haimv at perfectomobile.com Wed Jun 15 07:03:24 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Wed, 15 Jun 2016 11:03:24 +0000
Subject: [keycloak-user] ClassCastException on UsersResource search API
In-Reply-To:
References:
Message-ID:

We have RESTEasy dependencies (see below); the problem is that in addition to them we also have a Jersey dependency, and at runtime the RuntimeDelegate picks up the Jersey implementation.

    org.jboss.resteasy : resteasy-client
    org.jboss.resteasy : resteasy-jackson2-provider
    org.jboss.resteasy : resteasy-multipart-provider

Haim.

> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Wednesday, June 15, 2016 1:58 PM
> To: Haim Vana
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] ClassCastException on UsersResource search API
>
> Admin client lib requires RestEasy. If you're using WildFly or JBoss EAP you can create a module for the admin client library and add RestEasy dependencies to that.
>
> On 15 June 2016 at 08:44, Haim Vana wrote:
>> Hi,
>>
>> We are using Keycloak 1.9.3; when trying to search a user with the API (usersResource.search) we are getting a ClassCastException.
>>
>> The problem is that the Keycloak RESTEasy (version 3.0.16) ClientWebTarget explicitly uses ResteasyUriBuilder, and at runtime we are getting our Jersey JerseyUriBuilder.
>>
>> Any idea how to overcome it, assuming we can't remove the Jersey dependency?
>>
>> Exception stack trace:
>>
>> java.lang.ClassCastException: org.glassfish.jersey.uri.internal.JerseyUriBuilder cannot be cast to org.jboss.resteasy.specimpl.ResteasyUriBuilder
>>     at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.queryParamNoTemplate(ClientWebTarget.java:289)
>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.QueryParamProcessor.apply(QueryParamProcessor.java:23)
>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.QueryParamProcessor.apply(QueryParamProcessor.java:12)
>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.AbstractCollectionProcessor.buildIt(AbstractCollectionProcessor.java:76)
>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.AbstractWebTargetCollectionProcessor.build(AbstractWebTargetCollectionProcessor.java:22)
>>
>> Thanks,
>> Haim.
From olivier.lievre at altran.com Wed Jun 15 10:03:56 2016
From: olivier.lievre at altran.com (LIEVRE Olivier)
Date: Wed, 15 Jun 2016 14:03:56 +0000
Subject: [keycloak-user] how get info from adapterConfig
Message-ID: <5E0EBD68B410924EADA89C5CBD233CD064720790@XMB-DCFR-35.europe.corp.altran.com>

Hello,

I've secured a REST server with Keycloak 1.9.7, and I would like to implement a public REST GET method for a non-authenticated user to get the adapterConfig info linked to my war. My war adapter is configured in my standalone.xml. Is there an easy way to read the adapterConfig info from standalone in that case?

When a user makes an authenticated request, I can get that info by getting the RefreshableKeycloakSecurityContext from the HTTP request.

KR,
Olivier

From s.hoeks at gouwit.nl Wed Jun 15 11:32:50 2016
From: s.hoeks at gouwit.nl (Sjef Hoeks)
Date: Wed, 15 Jun 2016 15:32:50 +0000
Subject: [keycloak-user] Problem Saml IdP
Message-ID: <343086f82e794ae8868c0486be92a158@za-vm-185.gouwit.local>

Hi,

I'm trying to integrate Keycloak with a SAML SP, but unfortunately it is not working yet. I created an Identity Provider in the admin interface. I guess the problem is that the AuthnRequest which is sent by an HTTP POST to the SP contains a NameIDPolicy:

But according to the documentation of the SP I must send urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Is this possible with Keycloak? And if so, how can this be done?
Kind regards,
Sjef Hoeks

Sjef Hoeks
Technisch Architect
Gouw Informatie Technologie bv
Hogeweg 5, 5301 LB Zaltbommel
Postbus 98, 5300 AB Zaltbommel
T 0418 511 522
E s.hoeks at gouwit.nl
I www.gouwit.nl

From shaun.willows at iblocks.co.uk Wed Jun 15 11:35:32 2016
From: shaun.willows at iblocks.co.uk (Shaun Willows)
Date: Wed, 15 Jun 2016 15:35:32 +0000
Subject: [keycloak-user] Help regarding Picketlink Feature Migration
Message-ID: <4F0A68C4564FBB40A9AD1ACB5C350CC1034B202031@AD-IB-WIN01.iblocks.co.uk>

We are evaluating security frameworks for new application(s) within our organisation. Picketlink provides a number of features that are desirable to us as an organisation. However, as I understand, Picketlink is being migrated into Keycloak, and this process started in March 2015.

Is it possible to provide any updates regarding the migration of the following features:

* Picketlink's Java EE integration (particularly its integration with the DeltaSpike security interceptor) is especially useful to us. Will Keycloak provide similar CDI / Java EE integration? The FAQ at http://picketlink.org/keycloak-merge-faq/ indicates that this was planned to be the case, but I cannot see any progress on this issue in the Keycloak Github or JIRA.
* Picketlink's IDM capabilities included a JPA IDM and the ability to easily create new IDMs. How can this be achieved in Keycloak?
* Picketlink's capability to provide custom authenticators and token providers is also useful to us. How can this be achieved in Keycloak?

I appreciate the need to consolidate projects within Red Hat; however, as Picketlink is not being actively developed and there is no clear migration path from Picketlink to Keycloak for a number of features, users of both frameworks are left with no interim solution.

Thanks for any help in this regard
Shaun Willows

From David.Everson at state.mn.us Wed Jun 15 16:14:22 2016
From: David.Everson at state.mn.us (Everson, David (MNIT))
Date: Wed, 15 Jun 2016 20:14:22 +0000
Subject: [keycloak-user] Display all password rule failures at once
Message-ID: <072EABBC7C3CAB46835445106D102971609B4C@055-CH1MPN1-013.055d.mgd.msft.net>

Hi,

Our users are User Acceptance Testing a Keycloak secured website. We have defined strong password rules.

Our users reported:

"Staff have requested some modifications to how password validation is presented to the user. Right now if a user submits a password that does not meet all criteria, such as requiring both an Upper case letter and a number, it will not tell you that both are required, just that an Upper case letter is required. When that is added, THEN it will notify you that a number is also needed.

Staff would like the error message to note all issues with the submitted password, or otherwise note somewhere on the Change Password screen what all the criteria for a proper password are, so the user does not have to guess."

We could update the template to include all the rules. That is probably the quickest.

Is it possible for Keycloak to return all the unsuccessful rules when it validates a password?

Thanks!
Dave

Dave Everson | Division of Environmental Health
MN.IT Services @ Minnesota Department of Health
651-201-5146 (w) | david.everson at state.mn.us
Information Technology for Minnesota Government | mn.gov/oet

From tomas at intrahouse.com Wed Jun 15 16:49:51 2016
From: tomas at intrahouse.com (Tomás García)
Date: Wed, 15 Jun 2016 21:49:51 +0100
Subject: [keycloak-user] Note about the documentation - Valid account guessing with the "forgot password" feature in Keycloak
Message-ID:

Hi,

In this url: http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e4003 , it says:

"This form *WILL NOT* re-ask the user to enter in an email or username if the previous email or username did not exist. You need to prevent attackers from being able to guess valid users. So, if AuthenticationFlowContext.getUser() returns null, you should proceed with the flow to make it look like a valid user was selected."

And I totally agree with that, but it doesn't apply to all cases unfortunately. If the admin enables "User registration", the user registration form will tell a possible malicious guy if the email combinations she's trying already exist, invalidating what the above paragraph says. And I don't think there's a way to do the same as in the "forgot password" feature with the registration form, because after registration, there's an autologin.

Actually it's confusing for users telling them an email was sent even if it's not...
People sometimes can forget that they're not registered in the Keycloak system, so the "forgot password" feature as it is today will make them wait forever. At least, sending them an email telling them "You're not registered. You can register visiting this link." if "User registration" is enabled or "Ask your admin to register your email in the system" if it's not, would be definitely better.

Thanks.

--
Tomás García Pérez
Software Developer
IntraHouse

From bburke at redhat.com Wed Jun 15 17:10:58 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 15 Jun 2016 17:10:58 -0400
Subject: [keycloak-user] Display all password rule failures at once
In-Reply-To: <072EABBC7C3CAB46835445106D102971609B4C@055-CH1MPN1-013.055d.mgd.msft.net>
References: <072EABBC7C3CAB46835445106D102971609B4C@055-CH1MPN1-013.055d.mgd.msft.net>
Message-ID: <6095aeee-db71-63e1-21d3-4041a8916221@redhat.com>

Log a JIRA please, or better yet, log a JIRA and submit a PR with tests.

On 6/15/16 4:14 PM, Everson, David (MNIT) wrote:
> Hi,
>
> Our users are User Acceptance Testing a Keycloak secured website. We have defined strong password rules.
>
> Our users reported:
>
> "Staff have requested some modifications to how password validation is presented to the user. Right now if a user submits a password that does not meet all criteria, such as requiring both an Upper case letter and a number, it will not tell you that both are required, just that an Upper case letter is required. When that is added, THEN it will notify you that a number is also needed.
>
> Staff would like the error message to note all issues with the submitted password, or otherwise note somewhere on the Change Password screen what all the criteria for a proper password are, so the user does not have to guess."
>
> We could update the template to include all the rules. That is probably the quickest.
>
> Is it possible for Keycloak to return all the unsuccessful rules when it validates a password?
>
> Thanks!
>
> Dave
>
> Dave Everson | Division of Environmental Health
> MN.IT Services @ Minnesota Department of Health
> 651-201-5146 (w) | david.everson at state.mn.us
> Information Technology for Minnesota Government | mn.gov/oet

From bburke at redhat.com Wed Jun 15 17:12:25 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 15 Jun 2016 17:12:25 -0400
Subject: [keycloak-user] Note about the documentation - Valid account guessing with the "forgot password" feature in Keycloak
In-Reply-To:
References:
Message-ID:

Feel free to extend the plugin then. :)

On 6/15/16 4:49 PM, Tomás García wrote:
> Hi,
>
> In this url: http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e4003 , it says:
>
> "This form *WILL NOT* re-ask the user to enter in an email or username if the previous email or username did not exist. You need to prevent attackers from being able to guess valid users. So, if AuthenticationFlowContext.getUser() returns null, you should proceed with the flow to make it look like a valid user was selected."
>
> And I totally agree with that, but it doesn't apply to all cases unfortunately. If the admin enables "User registration", the user registration form will tell a possible malicious guy if the email combinations she's trying already exist, invalidating what the above paragraph says.
> And I don't think there's a way to do the same as in the "forgot password" feature with the registration form, because after registration, there's an autologin.
>
> Actually it's confusing for users telling them an email was sent even if it's not... People sometimes can forget that they're not registered in the Keycloak system, so the "forgot password" feature as it is today will make them wait forever. At least, sending them an email telling them "You're not registered. You can register visiting this link." if "User registration" is enabled or "Ask your admin to register your email in the system" if it's not, would be definitely better.
>
> Thanks.
>
> --
> Tomás García Pérez
> Software Developer
> IntraHouse

From tomas at intrahouse.com Wed Jun 15 19:01:39 2016
From: tomas at intrahouse.com (Tomás García)
Date: Thu, 16 Jun 2016 00:01:39 +0100
Subject: [keycloak-user] Note about the documentation - Valid account guessing with the "forgot password" feature in Keycloak
Message-ID:

Yes, we already did our own authentication flow here a couple of weeks ago, but I decided today to communicate this situation. The question is that part of the documentation should be clarified, because at least I was confused after I saw the inconsistency when seeing the behaviour of the registration form: a malicious user will still be capable of guessing valid users, so it's something that developers / admins should be warned about.

(Sorry, I activated the digest mode of the mailing list and I don't really know how to properly reply to a thread without receiving the original email)

------------------

> Feel free to extend the plugin then.
> :)
>
> On 6/15/16 4:49 PM, Tomás García wrote:
>> Hi,
>>
>> In this url: http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e4003 , it says:
>>
>> "This form *WILL NOT* re-ask the user to enter in an email or username if the previous email or username did not exist. You need to prevent attackers from being able to guess valid users. So, if AuthenticationFlowContext.getUser() returns null, you should proceed with the flow to make it look like a valid user was selected."
>>
>> And I totally agree with that, but it doesn't apply to all cases unfortunately. If the admin enables "User registration", the user registration form will tell a possible malicious guy if the email combinations she's trying already exist, invalidating what the above paragraph says. And I don't think there's a way to do the same as in the "forgot password" feature with the registration form, because after registration, there's an autologin.
>>
>> Actually it's confusing for users telling them an email was sent even if it's not... People sometimes can forget that they're not registered in the Keycloak system, so the "forgot password" feature as it is today will make them wait forever. At least, sending them an email telling them "You're not registered. You can register visiting this link." if "User registration" is enabled or "Ask your admin to register your email in the system" if it's not, would be definitely better.
>>
>> Thanks.
>>
>> --
>> Tomás García Pérez
>> Software Developer
>> IntraHouse

--
Tomás García Pérez
Software Developer
IntraHouse
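The gap Tomás describes, as an added example that is not part of the thread or of Keycloak's code: a reset flow that answers identically whether or not the address is registered (with the out-of-band mail he suggests for unregistered addresses), beside a registration form whose duplicate check answers differently, plus a check over constructed event-log lines that flags callers who hit the "email already exists" branch repeatedly. The user store, addresses, IPs and log lines are constructed, and the log format is only an approximation of Keycloak's event log.

```python
"""Added example, not from the keycloak-user thread or the Keycloak code base.
Models the two flows the thread contrasts and a small log check for probing.
All addresses, IPs and log lines below are constructed sample data.
"""
from collections import Counter

# Constructed user store for the demonstration (not real accounts).
REGISTERED = {"alice@example.com", "bob@example.com"}

OUTBOX = []  # stand-in for the mail server; nothing here reaches the HTTP client


def send_mail(to, body):
    OUTBOX.append((to, body))


def forgot_password(email, store=REGISTERED, registration_enabled=True):
    """Reset flow that does not leak account existence.

    Same status and message whichever branch runs, as the quoted Keycloak doc
    requires; only the out-of-band mail differs, which is the improvement the
    thread suggests (tell the unregistered address how to register, or to ask
    an admin) instead of leaving that person waiting for a mail that never comes.
    """
    if email in store:
        send_mail(email, "Use this link to choose a new password: <reset link>")
    elif registration_enabled:
        send_mail(email, "You're not registered. You can register visiting this link: <registration link>")
    else:
        send_mail(email, "Ask your admin to register your email in the system.")
    return {"status": 200, "message": "You should receive an email shortly with further instructions."}


def register(email, store):
    """Registration form as the thread describes it: the duplicate-email check
    is visible in the response, so the form doubles as an account oracle."""
    if email in store:
        return {"status": 400, "message": "Email already exists."}
    store.add(email)
    return {"status": 200, "message": "Registered; logging you in."}  # auto-login follows


def leaks_existence(handler, known, unknown):
    """True when the HTTP-visible response differs between a registered and an
    unregistered address, i.e. the handler can be used to enumerate users."""
    return handler(known) != handler(unknown)


# Constructed log lines in the shape of Keycloak's event log (approximation of
# the format; field names follow Keycloak's events, values are made up).
SAMPLE_EVENT_LOG = [
    "type=REGISTER_ERROR, realmId=demo, clientId=account, ipAddress=203.0.113.7, error=email_in_use",
    "type=REGISTER_ERROR, realmId=demo, clientId=account, ipAddress=203.0.113.7, error=email_in_use",
    "type=REGISTER, realmId=demo, clientId=account, ipAddress=198.51.100.4",
    "type=REGISTER_ERROR, realmId=demo, clientId=account, ipAddress=203.0.113.7, error=email_in_use",
    "type=REGISTER_ERROR, realmId=demo, clientId=account, ipAddress=198.51.100.4, error=invalid_registration",
    "type=LOGIN, realmId=demo, clientId=account, ipAddress=203.0.113.7",
]


def parse_event(line):
    """Split 'k=v, k=v' into a dict; parts without '=' are ignored."""
    fields = {}
    for part in line.split(","):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key] = value
    return fields


def flag_registration_probing(log_lines, threshold=3):
    """Return IPs that hit the 'email already exists' branch at least `threshold`
    times: a genuine user does that once or twice, an enumerator does it per guess."""
    hits = Counter()
    for line in log_lines:
        ev = parse_event(line)
        if ev.get("type") == "REGISTER_ERROR" and ev.get("error") == "email_in_use":
            hits[ev.get("ipAddress")] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print("reset leaks:", leaks_existence(forgot_password, "alice@example.com", "nobody@example.com"))
    print("registration leaks:",
          leaks_existence(lambda e: register(e, set(REGISTERED)), "alice@example.com", "nobody@example.com"))
    print("probing IPs:", flag_registration_probing(SAMPLE_EVENT_LOG))
```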
From arjan.schaaf at luminis.eu Thu Jun 16 01:25:05 2016
From: arjan.schaaf at luminis.eu (Arjan Schaaf)
Date: Thu, 16 Jun 2016 05:25:05 +0000
Subject: [keycloak-user] automated Sync Keycloak Roles To LDAP
Message-ID:

Hi there,

I'm integrating Keycloak in an environment where I have a couple of "legacy" applications that allow for LDAP based external authentication, but do not support Keycloak or OAuth / OpenID Connect out-of-the-box. So I'm creating a setup where I use Keycloak as the primary repository for storing users and groups/roles, but I connect an LDAP server that is kept in sync with Keycloak and bind these applications to the LDAP service.

That setup works decently enough: newly created users in Keycloak are synced to LDAP and so on. However, syncing Keycloak roles to LDAP doesn't seem to work as conveniently. I've created a User Federation Mapper of type Role mappings, and when I use the "Sync Keycloak Roles To LDAP" button, the roles are synced with LDAP. Great! But when I create a new role in Keycloak I expected it to be synced automatically, just like a new Keycloak user is synced directly to LDAP. I need to use the "Sync Keycloak Roles To LDAP" button manually again to update LDAP. Is this how it is designed to work, or is there a way to update LDAP directly after changing something in Keycloak roles?

Cheers,
Arjan

From didier.romelot at renault.com Thu Jun 16 02:19:34 2016
From: didier.romelot at renault.com (ROMELOT Didier)
Date: Thu, 16 Jun 2016 06:19:34 +0000
Subject: [keycloak-user] reverse proxy support of Keycloak saml filter adapter
Message-ID:

Hi,

We deploy applications that use the Keycloak SAML filter to handle SAML authentication. We face some trouble when configuring the app acting behind a reverse proxy.
In that situation the Keycloak library raises an exception:

    WebBrowserSsoAuthenticationHandler ERROR Request URI does not match SAML request destination

We tried to fix it with configuration on the reverse proxy but without success. Has anyone faced such a problem?

Regards

Didier ROMELOT
DIA-AT - Technical Architecture
API : FR EQV NOV 3 39
13, avenue Paul Langevin
92359 Le Plessis Robinson Cedex - FRANCE
Tél. : +33 1 76 84 95 28

--
Disclaimer
------------------------------------
This e-mail and any attachments is a confidential correspondence intended only for use of the individual or entity named above. If you are not the intended recipient or the agent responsible for delivering the message to the intended recipient, you are hereby notified that any disclosure, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender by phone or by replying this message, and then delete this message from your system.
From mposolda at redhat.com Thu Jun 16 06:41:53 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 16 Jun 2016 12:41:53 +0200
Subject: [keycloak-user] automated Sync Keycloak Roles To LDAP
In-Reply-To:
References:
Message-ID: <57628271.4070801@redhat.com>

On 16/06/16 07:25, Arjan Schaaf wrote:
> Hi there,
>
> I'm integrating Keycloak in an environment where I have a couple of "legacy" applications that allow for LDAP based external authentication, but do not support Keycloak or OAuth / OpenID Connect out-of-the-box.
> So I'm creating a setup where I use Keycloak as the primary repository for storing users and groups/roles, but I connect an LDAP server that is kept in sync with Keycloak and bind these applications to the LDAP service.
>
> That setup works decently enough: newly created users in Keycloak are synced to LDAP and so on.
> However, syncing Keycloak roles to LDAP doesn't seem to work as conveniently. I've created a User Federation Mapper of type Role mappings, and when I use the "Sync Keycloak Roles To LDAP" button, the roles are synced with LDAP. Great!
> But when I create a new role in Keycloak I expected it to be synced automatically, just like a new Keycloak user is synced directly to LDAP. I need to use the "Sync Keycloak Roles To LDAP" button manually again to update LDAP. Is this how it is designed to work, or is there a way to update LDAP directly after changing something in Keycloak roles?

Yes, ATM it's not done immediately. Feel free to create a JIRA for this.

Currently, to propagate creation of a role to LDAP, you need to either:
- Click "Sync Keycloak roles to LDAP" as you mentioned
- In the Keycloak admin console, assign some LDAP-mapped user to this role. In this case the role will be created in LDAP and the role mapping for the user will be created as well.

Is it sufficient for your use case?
Marek

>
> Cheers,
> Arjan

From adilelfahmi at gmail.com Fri Jun 17 02:46:07 2016
From: adilelfahmi at gmail.com (Harits Elfahmi)
Date: Fri, 17 Jun 2016 13:46:07 +0700
Subject: [keycloak-user] Allow google login without reauthentication
Message-ID:

Hello,

Currently we use Google login using the identity provider in Keycloak. The first broker login states that we must verify the existing account and then reauthenticate using the user password form.

Is it possible to use the already available executions/flows and skip the reauthentication part? So if the Google email already exists in a Keycloak account, we allow them to log in without the form.

Or must we create a custom execution? Is it possible using a custom execution?

Thanks

--
Cheers,
Harits Elfahmi

From ramon at humanswitch.io Mon Jun 20 11:12:04 2016
From: ramon at humanswitch.io (Ramon Rockx)
Date: Mon, 20 Jun 2016 17:12:04 +0200
Subject: [keycloak-user] User federation and password reset
Message-ID:

Hi,

Currently I am working on a user federation provider which should help us out migrating from our old authentication application to Keycloak. All this is done basically by following this great blog https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime . The blog offers a way of migrating user accounts with hashed passwords in your legacy authentication application, without resetting the passwords of all users in Keycloak.

In short, when authenticating a user, first Keycloak checks its own local storage.
If the user does not exist already, it will try to authenticate using our legacy authentication application and will copy the user data from the legacy application. When authentication fails the user will be federated. If successful, the entered password will be set for the Keycloak user. From now on the user is migrated and not federated any longer.

However, there is still one scenario I can't figure out how to deal with: we still want to offer our users the possibility to reset their passwords. For non-federated users Keycloak will do just fine. For federated users Keycloak also offers the password reset, but the user will still remain federated. In this case I would like to remove the federation and update the credentials in the Keycloak local storage (so the user is migrated).

So, long story short, I think the UserFederationProvider should also offer the possibility to anticipate a password change. This way you can update the credentials and/or remove the federation link. Or is there some other solution?

Regards,
Ramon Rockx

From s.hoeks at gouwit.nl Mon Jun 20 11:41:57 2016
From: s.hoeks at gouwit.nl (Sjef Hoeks)
Date: Mon, 20 Jun 2016 15:41:57 +0000
Subject: [keycloak-user] Idp and authenticate by default
Message-ID: <0e7f5ee31f0146e19c34e7c9316392d7@za-vm-185.gouwit.local>

Hi,

I set up Keycloak for using an Identity Provider. Everything works fine, i.e. when I open my application, I see the Keycloak login screen, choose the Identity Provider (e.g. GitHub), log in and I can use my application. When I open the application again in a new tab, I'm already logged in and I can use the application without logging in again.

But I always want to use the Identity Provider, so I check Authenticate by Default in the settings tab of the Identity Provider.
Everything seems to work fine, but when I open the application in a second tab, the first tab is reauthenticating. And then the second tab is reauthenticating. And so on. I tried this with my own implemented Identity Provider and with GitHub.

I expected that the only difference is that I don't have to choose the Identity Provider. According to the docs only steps 3 and 4 of the base flow are skipped (show list of identity providers and select identity provider). But the behaviour is very different. Is this expected behaviour or a bug?

Kind regards,
Sjef

Sjef Hoeks
Technisch Architect
Gouw Informatie Technologie bv
Hogeweg 5, 5301 LB Zaltbommel
Postbus 98, 5300 AB Zaltbommel
T 0418 511 522
E s.hoeks at gouwit.nl
I www.gouwit.nl

From cpitman at redhat.com Mon Jun 20 18:13:06 2016
From: cpitman at redhat.com (Chris Pitman)
Date: Mon, 20 Jun 2016 18:13:06 -0400 (EDT)
Subject: [keycloak-user] How to restore session for UI to REST API
In-Reply-To: <289441808.584391.1466460472588.JavaMail.zimbra@redhat.com>
Message-ID: <2050154768.584737.1466460786043.JavaMail.zimbra@redhat.com>

Hey everyone,

I'm running into an issue with an application that I've ported over to using Keycloak. I believe that the token issued by Keycloak is expiring, which causes XMLHttpRequests from my front end to be redirected to Keycloak, which then tries to redirect to Google (my identity provider).
By the time it gets to google, there have been redirects across two different domains causing the browser to not set an origin header in the request to google, which then causes the browser to not process the response.

What is the general way of handling a javascript ajax request when a token expires? Or to have a UI get a new token without requiring the entire ui to refresh to force the browser to redirect?

For further background, here is my setup: I am using Google OpenID Connect as the identity provider. The application is protected with keycloak-proxy, which then passes requests on to the application. keycloak-proxy is the piece detecting the token is no longer valid and redirecting the ui to keycloak.

Chris Pitman
Architect, Red Hat Consulting

From mposolda at redhat.com Tue Jun 21 01:41:12 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 21 Jun 2016 07:41:12 +0200
Subject: [keycloak-user] User federation and password reset
In-Reply-To:
References:
Message-ID: <5768D378.2030301@redhat.com>

UserFederationProvider has method "getSupportedCredentialTypes(UserModel user)". There are those scenarios:

- Your federated user still has old password in your legacy storage. Then you return "password" in the set of supported credentials. Keycloak will then try to validate user password against your legacy storage
- Your federated user has already reset password in keycloak database. Then you don't return "password" in the set.
Keycloak will then try to validate user password against its local database (not against your storage)

For inspiration, see the code of our LDAPFederationProvider, which is doing the same (in case that edit mode is UNSYNCED for ldap provider):
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java#L143-L154

Marek

On 20/06/16 17:12, Ramon Rockx wrote:
> Hi,
>
> Currently I am working on a user federation provider which should help us out migrating from our old authentication application to Keycloak. All this is done basically by following this great blog https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime . The blog offers a way of migrating user accounts with hashed passwords in your legacy authentication application, without resetting the passwords of all users in Keycloak.
> In short, when authenticating a user, first Keycloak checks its own local storage. If the user does not exist already, it will try to authenticate using our legacy authentication application and will copy the user data from the legacy application. When authentication fails the user will be federated.
> If successful, the entered password will be set for the Keycloak user. From now on the user is migrated and not federated any longer.
>
> However, there is still one scenario I can't figure out how to deal with: we still want to offer our users the possibility to reset their passwords. For non-federated users Keycloak will do just fine. For federated users Keycloak also offers the password reset, but the user will still remain federated. In this case I would like to remove the federation and update the credentials in the Keycloak local storage (so the user is migrated).
> So, long story short, I think the UserFederationProvider should also offer the possibility to anticipate on a password change.
This way you > can update the credentials and/or remove the federation link. > Or is there some other solution? > > Regards, > Ramon Rockx > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160621/9ea0eaa8/attachment.html From mposolda at redhat.com Tue Jun 21 01:52:26 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 21 Jun 2016 07:52:26 +0200 Subject: [keycloak-user] Idp and authenticate by default In-Reply-To: <0e7f5ee31f0146e19c34e7c9316392d7@za-vm-185.gouwit.local> References: <0e7f5ee31f0146e19c34e7c9316392d7@za-vm-185.gouwit.local> Message-ID: <5768D61A.9060208@redhat.com> Yes, It might be a bug. It seems that when you click to second tab with application and you are already authenticated, keycloak should automatically authenticate you through SSO cookie. However it looks that keycloak is instead redirecting to Identity provider (even if user is already authenticated). It seems that "authenticateByDefault" logic for redirecting to identityProvider is implemented in AuthorizationEndpointBase.handleBrowserAuthenticationRequest , which is always triggered earlier than authentication flows (which checks SSO cookie). It looks that "authenticateByDefault" should be rather moved to UsernamePasswordAuthenticator and done before the username-password form is going to be shown. So feel free to create JIRA. Marek On 20/06/16 17:41, Sjef Hoeks wrote: > > Hi, > > I setup Keycloak for using an Identity Provider. Everything works > fine, i.e. when I open my application, I see the Keycloak login > screen, choose the Identity Provider (e.g. GitHub), login and I can > use my application. 
> When I open the application again in a new tab, I'm already logged in and I can use the application without logging in again.
>
> But I always want to use the Identity Provider, so I check Authenticate by Default in the settings tab of the Identity Provider. Everything seems to work fine, but when I open the application in a second tab, the first tab is reauthenticating. And then the second tab is reauthenticating. And so on.
>
> I tried this with my own implemented Identity Provider and with GitHub. I expected that the only difference is that I don't have to choose the Identity Provider. According to the docs only step 3 and 4 from the base flow are skipped (show list of identity providers and select identity provider). But the behaviour is very different.
>
> Is this expected behaviour or a bug?
>
> Kind regards,
>
> Sjef
>
> Sjef Hoeks
> Technisch Architect
>
> Gouw Informatie Technologie bv
> Hogeweg 5, 5301 LB Zaltbommel
> Postbus 98, 5300 AB Zaltbommel
> T 0418 511 522
> M
> E s.hoeks at gouwit.nl
> I www.gouwit.nl
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
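One way to implement the two scenarios Marek describes in his "User federation and password reset" reply above, as an added example written for this archive rather than code from Keycloak or from any poster: a UserFederationProvider that reports "password" as a supported credential type only while the user has no password stored in Keycloak's own database, and that stores the password locally and clears the federation link once the legacy store accepts the login (the migration step Ramon describes). It is written against the UserFederationProvider interface of the Keycloak 1.9 line discussed here (UserModel.getCredentialsDirectly, updateCredential and setFederationLink, the same calls the linked LDAPFederationProvider uses); LegacyAuthClient is an assumed interface standing in for the legacy authentication application, and the remaining interface methods (lookup, search, removal, lifecycle) are left to a concrete subclass.

```java
// Added example, not Keycloak's own code: a migration-aware federation
// provider for the Keycloak 1.9 UserFederationProvider SPI. LegacyAuthClient
// is an assumed interface for the legacy authentication application.
package example.federation;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserModel;

/** Assumed client for the legacy authentication application (not part of Keycloak). */
interface LegacyAuthClient {
    boolean checkPassword(String username, String password);
}

public abstract class MigratingFederationProvider implements UserFederationProvider {

    private final LegacyAuthClient legacy;

    protected MigratingFederationProvider(LegacyAuthClient legacy) {
        this.legacy = legacy;
    }

    /** True once a password credential exists in Keycloak's own database for this user. */
    private static boolean hasLocalPassword(UserModel user) {
        for (UserCredentialValueModel cred : user.getCredentialsDirectly()) {
            if (UserCredentialModel.PASSWORD.equals(cred.getType())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Scenario 1 (old password only in legacy storage): report "password" so
     * Keycloak asks us. Scenario 2 (password reset in Keycloak): report nothing
     * so Keycloak validates against its local database instead.
     */
    @Override
    public Set<String> getSupportedCredentialTypes(UserModel user) {
        Set<String> types = new HashSet<>();
        if (user.getFederationLink() != null && !hasLocalPassword(user)) {
            types.add(UserCredentialModel.PASSWORD);
        }
        return types;
    }

    /** Credential types this provider can handle at all. */
    @Override
    public Set<String> getSupportedCredentialTypes() {
        Set<String> types = new HashSet<>();
        types.add(UserCredentialModel.PASSWORD);
        return types;
    }

    /** Validate against the legacy store; on success migrate the user to Keycloak. */
    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        for (UserCredentialModel cred : input) {
            if (!UserCredentialModel.PASSWORD.equals(cred.getType())) {
                return false; // only passwords are delegated to the legacy store
            }
            if (!legacy.checkPassword(user.getUsername(), cred.getValue())) {
                return false;
            }
            // Legacy check passed: store the password locally (Keycloak hashes it)
            // and drop the federation link, so from now on the user is migrated.
            user.updateCredential(UserCredentialModel.password(cred.getValue()));
            user.setFederationLink(null);
        }
        return true;
    }

    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
        return validCredentials(realm, user, Arrays.asList(input));
    }
}
```

After a password reset in Keycloak the new credential lands in the local database, so hasLocalPassword becomes true and getSupportedCredentialTypes stops reporting "password": Keycloak validates locally from then on, as in Marek's second scenario, while the user still carries the federation link. This example clears the link only on a successful legacy login; clearing it at reset time, as Ramon asks, would need a hook the provider is not given in this SPI version.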
From mposolda at redhat.com Tue Jun 21 02:08:04 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 21 Jun 2016 08:08:04 +0200
Subject: [keycloak-user] Allow google login without reauthentication
In-Reply-To:
References:
Message-ID: <5768D9C4.3000308@redhat.com>

You mean that if in keycloak database is already existing user "john at gmail.com" and you authenticate the same user "john at gmail.com" with google identity provider, you want to automatically link google provider with this keycloak account?

We didn't want to support this OOTB because of possible security implications. For example if identity provider doesn't verify emails, you can see security issues similar to this:

- There is user "john at gmail.com" in keycloak
- Attacker registers the account on identity provider side with email "john at gmail.com". If identity provider doesn't verify emails, attacker can easily do it.
- Now attacker login to keycloak with identity provider and keycloak will automatically link with the existing keycloak account "john at gmail.com". So now attacker was able to login to keycloak as user "john at gmail.com" because 3rd party identity provider didn't verify emails and accounts were linked automatically just based on emails.

You can admit that this one issue doesn't exist in case that identity provider properly verify emails. However there are still in theory some other issues...

So feel free to implement your own authenticator, which will do the linking automatically based on email and then configure "first broker login" flow with your authenticator. See docs for "First broker login" and "Authentication SPI" for more details.

Also feel free to create JIRA if you really want this OOTB. We may eventually add it if there is big requirement for this.
However we will never change the default "first broker login" flow to behave like this and automatically link accounts. Marek On 17/06/16 08:46, Harits Elfahmi wrote: > Hello, > > Currently we use google login using the identity provider in keycloak. > The first broker login states that we must verify existing account and > then reauthenticate using user password form. Is it possible to use > the already available executions/flows and skip the reauthentication > part? > > So if the google email already exist in a keycloak account, we allow > them to login without the form. > > Or must we create a custom execution? Is it possible using custom > execution? > > Thanks > -- > Cheers, > * > * > *Harits* Elfahmi > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160621/38fcaa6d/attachment.html From mposolda at redhat.com Tue Jun 21 02:21:58 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 21 Jun 2016 08:21:58 +0200 Subject: [keycloak-user] How to restore session for UI to REST API In-Reply-To: <2050154768.584737.1466460786043.JavaMail.zimbra@redhat.com> References: <2050154768.584737.1466460786043.JavaMail.zimbra@redhat.com> Message-ID: <5768DD06.2070600@redhat.com> On 21/06/16 00:13, Chris Pitman wrote: > Hey everyone, > > I'm running into an issue with an application that I've ported over to using Keycloak. I believe that the token issued by keycloak is expiring, which causes XMLHttpRequest's from my front end to be redirected to KeyCloak which then tries to redirect to Google (my identity provider). 
> By the time it gets to google, there have been redirects across two different domains causing the browser to not set an origin header in the request to google, which then causes the browser to not process the response.

Since keycloak automatically redirects to Google, it seems that you have "Authenticate by default" switch enabled for your google identity provider, right? Just replied to some other thread where user mentions some issue. We may have a bug in keycloak regarding this:
http://lists.jboss.org/pipermail/keycloak-user/2016-June/006652.html

>
> What is the general way of handling a javascript ajax request when a token expires? Or to have a UI get a new token without requiring the entire ui to refresh to force the browser to redirect?
>
> For further background, here is my setup: I am using Google OpenID Connect as the identity provider. The application is protected with keycloak-proxy, which then passes requests on to the application. keycloak-proxy is the piece detecting the token is no longer valid and redirecting the ui to keycloak.

Hmm... for javascript apps, it's usually best to use keycloak.js adapter. Not sure why you need keycloak-proxy?

In keycloak.js you can automatically refresh tokens. Right before you send request to REST endpoint, you can call "keycloak.updateToken" which automatically refreshes token if it's expired or is going to expire in 5 seconds or so (exact time is configurable based on argument to "updateToken" method. See docs or our examples - for example this https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app-js/src/main/webapp/customers/view.html#L93 ).

Also in keycloak.js you can define callback "onTokenExpired" which is called when accessToken expires. Here you can implement sending refresh request as well.

In shortcut, you don't need to go through login flows and browser redirections to keycloak etc, but instead rely on refreshing tokens.
Marek > > Chris Pitman > Architect, Red Hat Consulting > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From christopher.james.davies at gmail.com Tue Jun 21 04:21:33 2016 From: christopher.james.davies at gmail.com (Christopher Davies) Date: Tue, 21 Jun 2016 08:21:33 +0000 Subject: [keycloak-user] Active Directory Message-ID: I am looking to use KeyCloak backed by an AD server. Can I check a few things that I understand are correct. 1) Using the User Federation SPI I import the following from ActiveDirectory into the KeyCloak database : first name, surname, email, username and password. 2) Password checks are made against the Keycloak database and not the ActiveDirectory system 3) Enabling kerberos authentication will allow me to do paswordless login using my web browser from my windows box Hope I am not to far from the mark Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160621/11ebad36/attachment.html From orestis.tsakiridis at telestax.com Tue Jun 21 08:45:24 2016 From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis) Date: Tue, 21 Jun 2016 15:45:24 +0300 Subject: [keycloak-user] Cannot update Client using clients-registrations endpoint Message-ID: Hello, I'm trying to update a keycloak Client using the client-registrations endpoint as described here: http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html#d4e1569 All seems fine and client creation as retrieval work but *update* keeps failing. Here is what i do: 1. Create a new bearer-only Client with ClientID -> newclient 2. 
I 'Regenerate registration access token'. Here is what I get:

eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI0MGM1ZWIyNy1mYTNmLTRiNjktYjlmZC01NTIyYWM2NzYxZDkiLCJleHAiOjAsIm5iZiI6MCwiaWF0IjoxNDY2NTExNzEyLCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjgwODEvYXV0aC9yZWFsbXMvcmVzdGNvbW0tdGVzdCIsImF1ZCI6Imh0dHA6Ly8xMjcuMC4wLjE6ODA4MS9hdXRoL3JlYWxtcy9yZXN0Y29tbS10ZXN0IiwidHlwIjoiUmVnaXN0cmF0aW9uQWNjZXNzVG9rZW4ifQ.bI2JQLOAwWdxgtaNgAXw8aliWRJRs7RviNJRPHPHyVFI6AfuBsEpZ9c5e_v6vFD0hWoNjneUnDmS-CUrzPKcBWrITXkrUwxwEQAJpQD-ONWim6AiVVOxr3sizgwxRyBX__Cny8IMm8BWjUIIIkRviSc9QE7tYscTRTE4AP5ZRlsmB7hsmfkRSgzmd5SF2ZQWj8DriSou_-ivzZ9wnlwENoewePOK1b6oZhhGQiGo4SM0pLkTWGkN8kuO3aYei6OKiol2eJn9B4bA7wr6uUruEAg03symAaDFWscpmHIl27sxF3XkYdn8F-vJwNdhFJx_t84IEKucwZEwdgNFuWZuIQ

3. I make the update request to: http://127.0.0.1:8081/auth/realms/restcomm-test/clients-registrations/default/newclient

Here is the curl command:

curl -i -X PUT \
> -H "Authorization:Bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJhNDc3NzA3Yi1hOGM4LTRjMGItYjExYi0xZWE4ZTgyNTNkYTgiLCJleHAiOjAsIm5iZiI6MCwiaWF0IjoxNDY2NTEyMDc4LCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjgwODEvYXV0aC9yZWFsbXMvcmVzdGNvbW0tdGVzdCIsImF1ZCI6Imh0dHA6Ly8xMjcuMC4wLjE6ODA4MS9hdXRoL3JlYWxtcy9yZXN0Y29tbS10ZXN0IiwidHlwIjoiUmVnaXN0cmF0aW9uQWNjZXNzVG9rZW4ifQ.G33SBIhvFay8YAMkGxeyWMDSfeM9slS7pv49hWNxmmvaNUmUOFhP8e2-WcQJW2NZEumOKSm-UGk-2VH5EiB24F8DWn9hGVOlJdIysewbyei94Xqcu-xoOAhSRdcU3xOEEKrVBQxTAQRWahp5Jil1A_jHoY1bLcQk1Keu1WAOKDBgUyGu2pO7sfs1hjUHQ2V_pC9xOeC7rf3rpdXF7OAb9Xf8pD1_xfuUwMSGJzey0Mqs3dp9qS_v4g6CaOQvcMOVgf0_cb0RKkeSyqgxcTO0Laxrz7NNP4I9ZojLQE_8bEyPQyrREfWZj8zQp4hLO89k_O_xzv3iOYOj064xiEX6nA" \
> -H "Content-Type:application/json" \
> -d \
> '{"clientId":"newclient","enabled":false}
> ' \
> ' http://127.0.0.1:8081/auth/realms/restcomm-test/clients-registrations/default/newclient '

4.
I get a 500 Internal Server error response with the following error in the logs:

RESTEASY002005: Failed executing PUT /realms/restcomm-test/clients-registrations/default/newclient: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: org.keycloak.representations.idm.ClientRepresentation of media type: application/octet-stream

5. If I run again I get a 401, so it seems that authorization passes the first time but something breaks afterwards. Next time, the one-time token is already consumed so I get a 401. Ok, that makes sense.

As you may have noticed I'm using a pretty reduced version of the ClientRepresentation but I've also experienced with others that are more or less complete and also by sending the *exact json response as returned when retrieving the client*. Same result :-(

Also, the rest of the HTTP methods (POST on /default, DELETE, GET) work fine with the registration access token. So it seems that either I'm sending crap or sth else happens.

Any ideas what may be wrong?

Thanks

From daniele.capasso at dnshosting.it Tue Jun 21 09:38:20 2016
From: daniele.capasso at dnshosting.it (Daniele Capasso Barbato)
Date: Tue, 21 Jun 2016 15:38:20 +0200
Subject: [keycloak-user] different datasource
Message-ID: <20160621133823.30C2EDB0@mail.colt-engine.it>

Hi,

I want to use in the same keycloak, different datasource to store in different database the eventsStore, realm and user data.

I configure 3 different mysql connections KeycloakDS, KeycloakLocal and KeycloakRemote jndi source in standalone.xml for wildfly and it works correctly.
In the keycloak-server.json there are these lines for definition

    "eventsStore": {
        "provider": "jpa",
        "jpa": {
            "exclude-events": [ "REFRESH_TOKEN" ]
        }
    },

    "realm": {
        "provider": "jpa"
    },

    "user": {
        "provider": "jpa"
    },

and for connections

    "connectionsJpa": {
        "default": {
            "dataSource": "java:jboss/datasources/KeycloakDS",
            "databaseSchema": "update"
        } ,
    },

but how is possible specify a different connectionsJpa and use it for realm, user and eventsStore?

I try to modify the jpa connections declaration like this

    "connectionsJpa": {
        "default": {
            "dataSource": "java:jboss/datasources/KeycloakDS",
            "databaseSchema": "update"
        } ,
        "second": {
            "dataSource": "java:jboss/datasources/KeycloakLocal",
            "databaseSchema": "update"
        },
        "third": {
            "dataSource": "java:jboss/datasources/KeycloakRemote",
            "databaseSchema": "update"
        }
    },

and no errors appear but all data and tables are created in KeycloakDS only.

How can I configure to use the second jpa connection for "realm data" and to use the third jpa connection for "users data"?

Thank you very much

From chairfield at gmail.com Tue Jun 21 18:29:34 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Tue, 21 Jun 2016 22:29:34 +0000
Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users
Message-ID:

Hello,

When testing Keycloak 1.9.8 by ingesting a few million users, we find that Keycloak leaks memory until it is rendered unresponsive (see graph). Increasing JVM memory only increases the time it takes to encounter this issue.

We have put together a test project here and opened an issue here as we continue to investigate. As we are relying on Keycloak as a central infrastructural component, any help would be greatly appreciated.

We'll update with more information as we find it.
Thanks,
Chris

[image: mem-cpu.png]

From thomas.darimont at googlemail.com Wed Jun 22 02:31:10 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 22 Jun 2016 08:31:10 +0200
Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users
In-Reply-To:
References:
Message-ID:

Hello Chris,

which database did you use for Keycloak?

Cheers,
Thomas

2016-06-22 0:29 GMT+02:00 Chris Hairfield :
> Hello,
>
> When testing Keycloak 1.9.8 by ingesting a few million users, we find that Keycloak leaks memory until it is rendered unresponsive (see graph). Increasing JVM memory only increases the time it takes to encounter this issue.
>
> We have put together a test project here and opened an issue here as we continue to investigate. As we are relying on Keycloak as a central infrastructural component, any help would be greatly appreciated.
>
> We'll update with more information as we find it.
>
> Thanks,
> Chris
>
> [image: mem-cpu.png]
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
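The account-linking risk Marek lays out in the "Allow google login without reauthentication" thread above comes down to one gate: never link on e-mail alone unless the identity provider is known to verify addresses. As an added example (not Keycloak's own code and not code from any poster), here is a first-broker-login authenticator that does the automatic link Harits asks for, but only when the identity provider has the "Trust Email" switch set; in every other case it reports "attempted" so the flow continues to its default verification steps. It is written against the Authentication SPI of the Keycloak 1.9 line used in this thread (AbstractIdpAuthenticator, ExistingUserInfo, the EXISTING_USER_INFO note left by the "Create User If Unique" step, ClientSessionModel); the class and method names are from memory of that code base and should be checked against the version in use. The AuthenticatorFactory and META-INF/services registration that the Authentication SPI docs describe are not shown.

```java
// Added example, not Keycloak's own code: auto-link a brokered login to an
// existing account only when the IdP is configured as trusted for e-mail.
// Written against the Keycloak 1.9 Authentication SPI as recalled; verify
// names against the version in use.
package example.broker;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class TrustedEmailAutoLinkAuthenticator extends AbstractIdpAuthenticator {

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        ClientSessionModel clientSession = context.getClientSession();

        // "Create User If Unique" records which attribute collided with an
        // existing account. We only consider an e-mail collision.
        String infoNote = clientSession.getNote(EXISTING_USER_INFO);
        if (infoNote == null) {
            context.attempted();
            return;
        }
        ExistingUserInfo info = ExistingUserInfo.deserialize(infoNote);
        boolean emailCollision = UserModel.EMAIL.equals(info.getDuplicateAttributeName());

        // The gate from Marek's reply: an IdP that does not verify e-mail
        // addresses must never trigger an automatic link, because anyone who
        // registers there with someone else's address would otherwise be
        // linked to that person's local account.
        boolean trusted = brokerContext.getIdpConfig().isTrustEmail();
        String brokeredEmail = brokerContext.getEmail();

        if (!emailCollision || !trusted || brokeredEmail == null) {
            context.attempted(); // leave it to the flow's verification steps
            return;
        }

        UserModel existing = getExistingUser(context.getSession(), context.getRealm(), clientSession);
        if (existing == null || !existing.isEnabled()
                || !brokeredEmail.equalsIgnoreCase(existing.getEmail())) {
            context.attempted();
            return;
        }

        // Hand the existing account to the flow; the broker endpoint links the
        // federated identity to it once the flow completes successfully.
        context.setUser(existing);
        context.success();
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
                              SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) {
        // No form is rendered, so a POST back simply re-runs the same decision.
        authenticateImpl(context, serializedCtx, brokerContext);
    }

    @Override
    public boolean requiresUser() {
        return false;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}
```

Placed in a copy of the "first broker login" flow as an ALTERNATIVE execution ahead of the existing-account verification steps, it links accounts for providers marked "Trust Email" and leaves every other provider on the verification path, so the default flow's protection is only relaxed where the realm administrator has explicitly vouched for the IdP's e-mail handling.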
From cpitman at redhat.com Wed Jun 22 02:44:11 2016
From: cpitman at redhat.com (Chris Pitman)
Date: Wed, 22 Jun 2016 02:44:11 -0400 (EDT)
Subject: [keycloak-user] How to restore session for UI to REST API
In-Reply-To: <5768DD06.2070600@redhat.com>
References: <2050154768.584737.1466460786043.JavaMail.zimbra@redhat.com> <5768DD06.2070600@redhat.com>
Message-ID: <699662277.1174065.1466577851220.JavaMail.zimbra@redhat.com>

----- Original Message -----
> On 21/06/16 00:13, Chris Pitman wrote:
> > Hey everyone,
> >
> > I'm running into an issue with an application that I've ported over to using Keycloak. I believe that the token issued by keycloak is expiring, which causes XMLHttpRequest's from my front end to be redirected to KeyCloak which then tries to redirect to Google (my identity provider). By the time it gets to google, there have been redirects across two different domains causing the browser to not set an origin header in the request to google, which then causes the browser to not process the response.
> Since keycloak automatically redirects to Google, it seems that you have "Authenticate by default" switch enabled for your google identity provider, right? Just replied to some other thread where user mentions some issue. We may have a bug in keycloak regarding this:
> http://lists.jboss.org/pipermail/keycloak-user/2016-June/006652.html
>

Thanks Marek, this is exactly the behavior I am seeing. I do have "Authenticate by Default" enabled. I setup CORS (allow-origin, allow-credentials) so that the browser would forward keycloak's cookies after the redirect, thinking that would cause keycloak to immediately issue a new token. Instead, it still redirects to google.

> >
> > What is the general way of handling a javascript ajax request when a token expires?
Or to have a UI get a new token without requiring the entire ui > > to refresh to force the browser to redirect? > > > > For further background, here is my setup: I am using Google OpenID Connect > > as the identity provider. The application is protected with > > keycloak-proxy, which then passes requests on to the application. > > keycloak-proxy is the piece detecting the token is no longer valid and > > redirecting the ui to keycloak. > Hmm... for javascript apps, it's usually best to use keycloak.js > adapter. Not sure why you need keycloak-proxy? The application has a javascript front-end and a rails back end, and the back end is where we do authentication traditionally. I may need to look into this more to understand why we would do the flow from the client. My understanding is that refresh tokens should also not be issued to client side applications, since they can just reauth anyways. Either way, the defect above would still cause an issue with the multi-step CORS. > > In keycloak.js you can automatically refresh tokens . Right before you > send request to REST endpoint, you can call "keycloak.updateToken" which > automatically refreshes token if it's expired or is going to expire in 5 > seconds or so (exact time is configurable based on argument to > "updateToken" method. See docs or our examples - for example this > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app-js/src/main/webapp/customers/view.html#L93 > ) . > > Also in keycloak.js you can define callback "onTokenExpired" which is > called when accessToken expires. Here you can implement sending refresh > request as well. > > In shortcut, you don't need to go through login flows and browser > redirections to keycloak etc, but instead rely on refreshing tokens. 
> > Marek > > > > Chris Pitman > > Architect, Red Hat Consulting > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From sthorger at redhat.com Wed Jun 22 02:49:02 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 22 Jun 2016 08:49:02 +0200 Subject: [keycloak-user] different datasource In-Reply-To: <20160621133823.30C2EDB0@mail.colt-engine.it> References: <20160621133823.30C2EDB0@mail.colt-engine.it> Message-ID: It's not supported to have multiple datasources and the connection is always shared between all JPA providers. On 21 June 2016 at 15:38, Daniele Capasso Barbato < daniele.capasso at dnshosting.it> wrote: > Hi, > > > > I want to use in the same keycloak, different datasource to store in > > different database the eventsStore, realm and user data. > > > > I configure 3 different mysql connections KeycloakDS, KeycloakLocal and > > KeycloakRemote jndi source in standalone.xml for wildfly and it works > > correctly. > > > > In the keycloak-server.json there are this line for definition > > > > "eventsStore": { > > "provider": "jpa", > > "jpa": { > > "exclude-events": [ "REFRESH_TOKEN" ] > > } > > }, > > > > "realm": { > > "provider": "jpa" > > }, > > > > "user": { > > "provider": "jpa" > > }, > > > > and for connections > > > > > > "connectionsJpa": { > > "default": { > > "dataSource": "java:jboss/datasources/KeycloakDS", > > "databaseSchema": "update" > > } , > > > > > > }, > > > > > > but how is possible specify a different connectionsJpa and use it for > > realm,user and eventsStore ? 
> > > > I try to modify the jpa connections declaration like this > > > > "connectionsJpa": { > > "default": { > > "dataSource": "java:jboss/datasources/KeycloakDS", > > "databaseSchema": "update" > > } , > > "second": { > > "dataSource": "java:jboss/datasources/KeycloakLocal", > > "databaseSchema": "update" > > }, > > "third": { > > "dataSource": "java:jboss/datasources/KeycloakRemote", > > "databaseSchema": "update" > > } > > > > }, > > > > and no errors appears but all data and table are created in KeycloakDS > only. > > > > How can I configure to use the second a jpa connection for "realm data" > > and to use third jpa connection for "users data" ? > > > > > > Thank you very much > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160622/b5db6441/attachment.html From sthorger at redhat.com Wed Jun 22 02:53:49 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 22 Jun 2016 08:53:49 +0200 Subject: [keycloak-user] How to restore session for UI to REST API In-Reply-To: <699662277.1174065.1466577851220.JavaMail.zimbra@redhat.com> References: <2050154768.584737.1466460786043.JavaMail.zimbra@redhat.com> <5768DD06.2070600@redhat.com> <699662277.1174065.1466577851220.JavaMail.zimbra@redhat.com> Message-ID: On 22 June 2016 at 08:44, Chris Pitman wrote: > > > ----- Original Message ----- > > On 21/06/16 00:13, Chris Pitman wrote: > > > Hey everyone, > > > > > > I'm running into an issue with an application that I've ported over to > > > using Keycloak. I believe that the token issued by keycloak is > expiring, > > > which causes XMLHttpRequest's from my front end to be redirected to > > > KeyCloak which then tries to redirect to Google (my identity > provider). 
By > > > the time it gets to google, there have been redirects across two > different > > > domains causing the browser to not set an origin header in the request > to > > > google, which then causes the browser to not process the response. > > Since keycloak automatically redirects to Google, it seems that you have > > "Authenticate by default" switch enabled for your google identity > > provider, right? Just replied to some other thread where user mentions > > some issue. We may have a bug in keycloak regarding this : > > http://lists.jboss.org/pipermail/keycloak-user/2016-June/006652.html > > > > Thanks Marek, this is exactly the behavior I am seeing. I do have > "Authenticate by Default" enabled. I setup CORS (allow-origin, > allow-credentials) so that the browser would forward keycloak's cookies > after the redirect, thinking that would cause keycloak to immediately issue > a new token. Instead, it still redirects to google. > Quite likely it's the session that is no longer valid, not just the token. If the access token is not valid (this is 5min by default) it will be refreshed by the proxy (valid as long as the user session is valid). Once the user session is no longer valid the user is required to re-authenticate to Keycloak which causes the redirect to Google. This happens by default after the session has been idle 30 min (no token refreshes) or after 10 hours. You can change the timeouts through the admin console. > > > > > > > > What is the general way of handling a javascript ajax request when a > token > > > expires? Or to have a UI get a new token without requiring the entire > ui > > > to refresh to force the browser to redirect? > > > > > > For further background, here is my setup: I am using Google OpenID > Connect > > > as the identity provider. The application is protected with > > > keycloak-proxy, which then passes requests on to the application. 
> > > keycloak-proxy is the piece detecting the token is no longer valid and > > > redirecting the ui to keycloak. > > Hmm... for javascript apps, it's usually best to use keycloak.js > > adapter. Not sure why you need keycloak-proxy? > > The application has a javascript front-end and a rails back end, and the > back end is where we do authentication traditionally. I may need to look > into this more to understand why we would do the flow from the client. My > understanding is that refresh tokens should also not be issued to client > side applications, since they can just reauth anyways. Either way, the > defect above would still cause an issue with the multi-step CORS. > > > > > > In keycloak.js you can automatically refresh tokens . Right before you > > send request to REST endpoint, you can call "keycloak.updateToken" which > > automatically refreshes token if it's expired or is going to expire in 5 > > seconds or so (exact time is configurable based on argument to > > "updateToken" method. See docs or our examples - for example this > > > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app-js/src/main/webapp/customers/view.html#L93 > > ) . > > > > Also in keycloak.js you can define callback "onTokenExpired" which is > > called when accessToken expires. Here you can implement sending refresh > > request as well. > > > > In shortcut, you don't need to go through login flows and browser > > redirections to keycloak etc, but instead rely on refreshing tokens. 
> >
> > Marek
> >
> > > Chris Pitman
> > > Architect, Red Hat Consulting
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Jun 22 02:56:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 22 Jun 2016 08:56:56 +0200
Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users

Keycloak by default caches users in-memory, by default it will keep up to
10000 entries cached. You can verify that there's no leak by disabling the
user cache provider. See
http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cache.html#d4e3187

If you're planning on having millions of users I suggest you increase the
allocated memory for the JVM (512MB which it seems you have is not
sufficient).

On 22 June 2016 at 00:29, Chris Hairfield wrote:
> Hello,
>
> When testing Keycloak 1.9.8 by ingesting a few million users, we find that
> Keycloak leaks memory until it is rendered unresponsive (see graph).
> Increasing JVM memory only increases the time it takes to encounter this
> issue.
>
> We have put together a test project here and opened an issue here as we
> continue to investigate. As we are relying on Keycloak as a central
> infrastructural component, any help would be greatly appreciated.
>
> We'll update with more information as we find it.
>
> Thanks,
> Chris
>
> [image: mem-cpu.png]

From paal.oliver at gmail.com Wed Jun 22 03:47:32 2016
From: paal.oliver at gmail.com (Pål Oliver Kristiansen)
Date: Wed, 22 Jun 2016 07:47:32 +0000
Subject: [keycloak-user] Encrypted SAML response

Hi!

We have set up Keycloak as an IDP with a F5 BigIP APM as a SAML SP.
Everything works well out of the box, but when we activate encryption of
assertions, we get an error on the BigIP side.

So in order to investigate the situation, I'm trying to understand the
process of SAML assertion response encryption. And I am a bit confused when
reading the Keycloak documentation and comparing that to what I see in the
Keycloak admin console. Here is what I mean; in the documentation
(https://keycloak.github.io/docs/userguide/keycloak-server/html/saml.html),
activating assertion response encryption is described like this:

"Encrypt Assertions
Encrypt assertions in SAML documents with the realm's private key. The AES
algorithm is used with a key size of 128 bits."

But in the admin console (under clients) it is described like this in the
tooltip:

"Encrypt Assertions
Should SAML assertions be encrypted with client's public key using AES?"

So basically, which key is used for encrypting the assertion response?

I have inspected the actual HTTP post and it looks something like this:

...
Type="http://www.w3.org/2001/04/xmlenc#Element">
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
---[block of cipher text]---
---[block of cipher text]---

So it at least looks like the key to decrypt the encrypted response is
included. It is encrypted using RSA, but with which key?
My understanding was something like this:

1. The encryption of a SAML assertion response is done using AES-128, with
some key.
2. The key is added alongside the encrypted assertion response and encrypted
using the SP's public key.
3. The SP receives the encrypted assertion response and the encrypted key,
decrypts the key using its private key and uses this decrypted key to decrypt
the actual assertion response.

Is this generally correct?

The error we get from BigIP is this: "failed to process encrypted assertion,
error: RSA decrypt"
Which leads me to think that maybe the decryption of the included key did not
work out.
Any ideas or tips to how to approach this?

Thanks!

From orestis.tsakiridis at telestax.com Wed Jun 22 07:23:03 2016
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Wed, 22 Jun 2016 14:23:03 +0300
Subject: [keycloak-user] Typo in Client Registration documentation

All,

it seems there is a typo in the Client Registration documentation lying at:
http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html#d4e1563

Existing snippet:

String initialAccessToken = "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmMjJmNzQyYy04ZjNlLTQ2M....";

ClientRepresentation client = new ClientRepresentation();
client.setClientId(CLIENT_ID);

ClientRegistration reg = ClientRegistration.create().url("http://keycloak/auth/realms/myrealm/clients").build();
reg.auth(Auth.token(initialAccessToken));

client = reg.create(client);
String registrationAccessToken = client.getRegistrationAccessToken();

Corrected snippet:

String initialAccessToken =
"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmMjJmNzQyYy04ZjNlLTQ2M....";

ClientRepresentation client = new ClientRepresentation();
client.setClientId(CLIENT_ID);

ClientRegistration reg = ClientRegistration.create().url("http://keycloak/auth/realms/myrealm/*clients-registrations*").build();
reg.auth(Auth.token(initialAccessToken));

client = reg.create(client);
String registrationAccessToken = client.getRegistrationAccessToken();

Please confirm and if valid, take care with that.

From orestis.tsakiridis at telestax.com Wed Jun 22 07:27:39 2016
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Wed, 22 Jun 2016 14:27:39 +0300
Subject: [keycloak-user] Cannot update Client using clients-registrations endpoint

Ok, seems like some more troubleshooting paid off. Seems like i missed the
Accept header in the request :-)

*Accept: application/json*

The issue is now solved.

On Tue, Jun 21, 2016 at 3:45 PM, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
> Hello,
>
> I'm trying to update a keycloak Client using the client-registrations
> endpoint as described here:
>
> http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html#d4e1569
>
> All seems fine and client creation and retrieval work but *update* keeps
> failing.
>
> Here is what i do:
>
> 1. Create a new bearer-only Client with ClientID -> newclient
>
> 2.
> I 'Regenerate registration access token' here is what i get:
>
> eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI0MGM1ZWIyNy1mYTNmLTRiNjktYjlmZC01NTIyYWM2NzYxZDkiLCJleHAiOjAsIm5iZiI6MCwiaWF0IjoxNDY2NTExNzEyLCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjgwODEvYXV0aC9yZWFsbXMvcmVzdGNvbW0tdGVzdCIsImF1ZCI6Imh0dHA6Ly8xMjcuMC4wLjE6ODA4MS9hdXRoL3JlYWxtcy9yZXN0Y29tbS10ZXN0IiwidHlwIjoiUmVnaXN0cmF0aW9uQWNjZXNzVG9rZW4ifQ.bI2JQLOAwWdxgtaNgAXw8aliWRJRs7RviNJRPHPHyVFI6AfuBsEpZ9c5e_v6vFD0hWoNjneUnDmS-CUrzPKcBWrITXkrUwxwEQAJpQD-ONWim6AiVVOxr3sizgwxRyBX__Cny8IMm8BWjUIIIkRviSc9QE7tYscTRTE4AP5ZRlsmB7hsmfkRSgzmd5SF2ZQWj8DriSou_-ivzZ9wnlwENoewePOK1b6oZhhGQiGo4SM0pLkTWGkN8kuO3aYei6OKiol2eJn9B4bA7wr6uUruEAg03symAaDFWscpmHIl27sxF3XkYdn8F-vJwNdhFJx_t84IEKucwZEwdgNFuWZuIQ
>
> 3. I make the update request to:
>
> http://127.0.0.1:8081/auth/realms/restcomm-test/clients-registrations/default/newclient
>
> here is the curl command:
>
> curl -i -X PUT \
>   -H "Authorization:Bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJhNDc3NzA3Yi1hOGM4LTRjMGItYjExYi0xZWE4ZTgyNTNkYTgiLCJleHAiOjAsIm5iZiI6MCwiaWF0IjoxNDY2NTEyMDc4LCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjgwODEvYXV0aC9yZWFsbXMvcmVzdGNvbW0tdGVzdCIsImF1ZCI6Imh0dHA6Ly8xMjcuMC4wLjE6ODA4MS9hdXRoL3JlYWxtcy9yZXN0Y29tbS10ZXN0IiwidHlwIjoiUmVnaXN0cmF0aW9uQWNjZXNzVG9rZW4ifQ.G33SBIhvFay8YAMkGxeyWMDSfeM9slS7pv49hWNxmmvaNUmUOFhP8e2-WcQJW2NZEumOKSm-UGk-2VH5EiB24F8DWn9hGVOlJdIysewbyei94Xqcu-xoOAhSRdcU3xOEEKrVBQxTAQRWahp5Jil1A_jHoY1bLcQk1Keu1WAOKDBgUyGu2pO7sfs1hjUHQ2V_pC9xOeC7rf3rpdXF7OAb9Xf8pD1_xfuUwMSGJzey0Mqs3dp9qS_v4g6CaOQvcMOVgf0_cb0RKkeSyqgxcTO0Laxrz7NNP4I9ZojLQE_8bEyPQyrREfWZj8zQp4hLO89k_O_xzv3iOYOj064xiEX6nA" \
>   -H "Content-Type:application/json" \
>   -d '{"clientId":"newclient","enabled":false}' \
>   'http://127.0.0.1:8081/auth/realms/restcomm-test/clients-registrations/default/newclient'
>
> 4.
> I get a 500 Internal Server error response with the following error in
> the logs:
>
> RESTEASY002005: Failed executing PUT
> /realms/restcomm-test/clients-registrations/default/newclient:
> org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find
> MessageBodyWriter for response object of type:
> org.keycloak.representations.idm.ClientRepresentation of media type:
> application/octet-stream
>
> 5. If i run again i get a 401 so it seems that authorization passes the
> first time but something breaks afterwards. Next time, the one-time token
> is already consumed so i get a 401. Ok, that makes sense.
>
> As you may have noticed i'm using a pretty reduced version of the
> ClientRepresentation but i've also experimented with others that are more
> or less complete and also by sending the *exact json response as returned
> when retrieving the client*. Same result :-(
>
> Also, the rest of the HTTP methods (POST on /default, DELETE, GET) work
> fine with the registration access token. So it seems that either i'm
> sending crap or sth else happens.
>
> Any ideas what may be wrong?
>
> Thanks

From guybowdler at dorsetnetworks.com Wed Jun 22 08:22:42 2016
From: guybowdler at dorsetnetworks.com (Guy Bowdler)
Date: Wed, 22 Jun 2016 12:22:42 +0000
Subject: [keycloak-user] Redirect Issue with keycloak behind proxy and app behind Keycloak security proxy
Message-ID: <729a3e21e420eb8d2bb61393fa58a702@dorsetnetworks.com>

hi all,

We have the following set up with two DMZ boxes, one running a single
KeyCloak security proxy and sending requests to a local NGINX proxy which
farms out requests to internal applications.
This should allow us to maintain a single namespace for all applications
(/appname redirects to appname.local) and gives authenticated visibility of
who's accessing what at the front end proxy.

DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080] ---> TRUST: [Various applications]
                                           ---> TRUST: [Various applications]

Keycloak runs on its own server and is published via an NGINX proxy in the DMZ

DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]

So clients hit the KeyCloak security Proxy, are redirected to KeyCloak and
then after logging in, we get an "invalid Redirect URI" error from Keycloak.

We've found that for some reason, the redirect URL from KeyCloak is appending
the :8080 port value from the KeyCloak Security proxy (verified as if we
change this port number, the value changes in the redirect URL). It's like
KeyCloak is redirecting back to the NGINX:8080 proxy direct rather than back
to the KeyCloak security proxy, which is what we were expecting.

This is possibly by design, or possibly a bug, or possibly a side effect of
our configuration. Has anyone tried using the KeyCloak security proxy in this
manner? It's clear that the intended use is as a single instance adapter for a
single local application, whereas our application happens to be an nginx
proxy redirecting to different applications using location directives.

From psilva at redhat.com Wed Jun 22 08:25:38 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 22 Jun 2016 08:25:38 -0400 (EDT)
Subject: [keycloak-user] Encrypted SAML response
Message-ID: <1850802997.1283900.1466598338105.JavaMail.zimbra@redhat.com>

It is using AES:128 to encrypt the message and RSA for secure communication.

Are you using signatures as well? If so, can you tell me if you are signing
only the assertion, the whole response or both?

Also, are you sure that both public and private keys are correlated?
----- Original Message -----
From: "Pål Oliver Kristiansen"
To: keycloak-user at lists.jboss.org
Sent: Wednesday, June 22, 2016 4:47:32 AM
Subject: [keycloak-user] Encrypted SAML response
From bburke at redhat.com Wed Jun 22 09:02:20 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 22 Jun 2016 09:02:20 -0400
Subject: [keycloak-user] Encrypted SAML response
Message-ID: <45eb6a33-43be-1740-74f9-be9cc638b6f2@redhat.com>

Once you've enabled encryption, you have to go to the 'SAML Keys' tab. There
is an Encryption Key at the bottom of that screen. You can have Keycloak
generate the private key and cert for the SP, or you can import the SP's
certificate that is stored in a PEM file, JKS, or PKCS12 file.

On 6/22/16 3:47 AM, Pål Oliver Kristiansen wrote:
> Hi!
>
> We have set up Keycloak as an IDP with a F5 BigIP APM as a SAML SP.
> Everything works well out of the box, but when we activate encryption of
> assertions, we get an error on the BigIP side.
>
> So in order to investigate the situation, I'm trying to understand the
> process of SAML assertion response encryption.
> And I am a bit confused when reading the Keycloak documentation and
> comparing that to what I see in the Keycloak admin console.
> Here is what I mean; in the documentation
> (https://keycloak.github.io/docs/userguide/keycloak-server/html/saml.html),
> activating assertion response encryption is described like this:
>
> "Encrypt Assertions
> Encrypt assertions in SAML documents with the realm's private key. The
> AES algorithm is used with a key size of 128 bits."
>
> But in the admin console (under clients) it is described like this in
> the tooltip:
>
> "Encrypt Assertions
> Should SAML assertions be encrypted with client's public key using AES?"
>
> So basically, which key is used for encrypting the assertion response?
>
> I have inspected the actual HTTP post and it looks something like this:
>
> ...
> Type="http://www.w3.org/2001/04/xmlenc#Element">
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> ---[block of cipher text]---
> ---[block of cipher text]---
>
> So it at least looks like the key to decrypt the encrypted response is
> included. It is encrypted using RSA, but with which key?
> My understanding was something like this:
>
> 1. The encryption of a SAML assertion response is done using AES-128,
> with some key.
> 2. The key is added alongside the encrypted assertion response and
> encrypted using the SP's public key.
> 3. The SP receives the encrypted assertion response and the encrypted
> key, decrypts the key using its private key and uses
> this decrypted key to decrypt the actual assertion response.
>
> Is this generally correct?
>
> The error we get from BigIP is this: "failed to process encrypted
> assertion, error: RSA decrypt"
> Which leads me to think that maybe the decryption of the included key
> did not work out.
> Any ideas or tips to how to approach this?
>
> Thanks!

From paal.oliver at gmail.com Wed Jun 22 09:34:48 2016
From: paal.oliver at gmail.com (Pål Oliver Kristiansen)
Date: Wed, 22 Jun 2016 13:34:48 +0000
Subject: [keycloak-user] Encrypted SAML response
In-Reply-To: <45eb6a33-43be-1740-74f9-be9cc638b6f2@redhat.com>
References: <45eb6a33-43be-1740-74f9-be9cc638b6f2@redhat.com>

Thanks Bill!

What we did was to create the client in Keycloak by importing the SP metadata
file. So the "Encryption Key" and "Signing Key" have the values from the SP's
metadata file already.
From what I can gather, the values in this part of the client definition in
Keycloak match the values in the metadata file when looking at the elements:

---[Key found in certificate]---

Would this work or am I missing something?
I can double check that the private key on the SP side actually is
correlated with the public one in the metadata file.

On Wed 22 Jun 2016 at 15:03, Bill Burke wrote:
> Once you've enabled encryption, you have to go to the 'SAML Keys' tab.
> There is an Encryption Key at the bottom of that screen. You can have
> Keycloak generate the private key and cert for the SP, or you can import
> the SP's certificate that is stored in a PEM file, JKS, or PKCS12 file.
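The key-transport scheme this thread describes (a fresh AES-128 content key, wrapped with the SP's RSA public key and unwrapped with the SP's private key), carried through as an added example in Go using only the standard library; it is not Keycloak or F5 code, and the type and function names, the generated key pairs and the assertion bytes are all constructed here. The second key pair stands in for a certificate that does not belong to the SP's private key and shows where such a mismatch surfaces: at the RSA unwrap, before any AES decryption is attempted.

```go
// Added example (Go standard library, not Keycloak code) of the key-transport
// scheme from the thread: a fresh AES-128 key (xmlenc#aes128-cbc) encrypts the
// assertion; the SP's RSA public key wraps that key (xmlenc#rsa-1_5).
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"io"
)

// EncryptedAssertion is what the SAML response carries; a constructed struct
// standing in for the EncryptedData/EncryptedKey XML elements.
type EncryptedAssertion struct {
	CipherValue []byte // IV || AES-128-CBC(PKCS#7-padded assertion)
	WrappedKey  []byte // RSA PKCS#1 v1.5 encryption of the 16-byte AES key
}

// NewKeyPair generates a 2048-bit RSA key pair (the SP's, or a stale one).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptAssertion is the IdP side. Only the SP's public key is used, which is
// why the client's "Encryption Key" in Keycloak must be the SP's certificate.
func EncryptAssertion(assertion []byte, spPub *rsa.PublicKey) (*EncryptedAssertion, error) {
	buf := make([]byte, 16+aes.BlockSize) // AES-128 key followed by a random IV
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	aesKey, iv := buf[:16], buf[16:]
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(assertion, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, spPub, aesKey)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{CipherValue: append(iv, ct...), WrappedKey: wrapped}, nil
}

// DecryptAssertion is the SP side. The unwrap is where a private key that does
// not match the certificate the IdP encrypted to fails: the "RSA decrypt" error.
func DecryptAssertion(ea *EncryptedAssertion, spPriv *rsa.PrivateKey) ([]byte, error) {
	aesKey, err := rsa.DecryptPKCS1v15(rand.Reader, spPriv, ea.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("RSA decrypt of wrapped key failed: %w", err)
	}
	if len(aesKey) != 16 || len(ea.CipherValue)%aes.BlockSize != 0 || len(ea.CipherValue) < 2*aes.BlockSize {
		return nil, errors.New("unwrapped key or cipher value has unexpected length")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	iv, ct := ea.CipherValue[:aes.BlockSize], ea.CipherValue[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	spKey, _ := NewKeyPair()    // the SP's real key pair
	staleKey, _ := NewKeyPair() // unrelated pair: a certificate from old metadata
	assertion := []byte(`<saml:Assertion ID="_constructed">...</saml:Assertion>`)
	ea, _ := EncryptAssertion(assertion, &spKey.PublicKey)
	if pt, err := DecryptAssertion(ea, spKey); err == nil {
		fmt.Printf("matching keys: recovered %q\n", pt)
	}
	// Encrypting to the stale certificate while the SP still holds spKey is the
	// mismatch Pedro asks about; it surfaces at the RSA unwrap, not at AES.
	ea, _ = EncryptAssertion(assertion, &staleKey.PublicKey)
	if _, err := DecryptAssertion(ea, spKey); err != nil {
		fmt.Println("mismatched keys:", err)
	}
}
```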
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160622/ffa254c8/attachment.html From mposolda at redhat.com Wed Jun 22 10:23:25 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 22 Jun 2016 16:23:25 +0200 Subject: [keycloak-user] Active Directory In-Reply-To: References: Message-ID: <576A9F5D.6060008@redhat.com> On 21/06/16 10:21, Christopher Davies wrote: > I am looking to use KeyCloak backed by an AD server. > Can I check a few things that I understand are correct. > > 1) Using the User Federation SPI I import the following from > ActiveDirectory into the KeyCloak database : first name, surname, > email, username and password. By default you are importing first name, surname, email and username. You can import more attributes by creating additional LDAP mappers. But no password imported from MSAD to Keycloak DB > 2) Password checks are made against the Keycloak database and not the > ActiveDirectory system No, password checks are made against ActiveDirectory. Just if you have editMode UNSYNCED and you change the password of the user (or he change it himself in account management), then the new password will be saved into Keycloak DB and will be used in favor of the old password from MSAD. > 3) Enabling kerberos authentication will allow me to do paswordless > login using my web browser from my windows box Yes. See our Kerberos documentation for more details [1]. [1] https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html Marek > > Hope I am not to far from the mark > > Chris > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160622/3d91f0bb/attachment-0001.html From geo at uberops.com Wed Jun 22 11:14:23 2016 From: geo at uberops.com (Geo Miller) Date: Wed, 22 Jun 2016 15:14:23 +0000 Subject: [keycloak-user] Documentation down Message-ID: It seems that keycloak.github.io forwards to keyclock.jboss.org and the links for docs do not work: http://keycloak.jboss.org/docs/userguide/keycloak-server/html/index.html http://keycloak.jboss.org/docs/rest-api/index.html I did not see this posted in the list or elsewhere, apologies if this is the wrong place. Geo -- Geo Miller Developer @ UberOps mobile: 404-530-9561 | geo at uberops.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160622/a23354d3/attachment.html From chairfield at gmail.com Wed Jun 22 14:38:09 2016 From: chairfield at gmail.com (Chris Hairfield) Date: Wed, 22 Jun 2016 18:38:09 +0000 Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users In-Reply-To: References: Message-ID: Thomas, this test is run with whatever local database Keycloak defaults to. We're using Postgres generally, and we will have more information pertaining to tests against Postgres soon. Stian, thanks for the tips. I am currently running a test to ingest about 50m users into the default database with the user cache disabled, 8gb mem (Xmx and Xms), and parallel GC threads == processor count. Though my test is young (430k users ingested), I'm noticing memory allocation increasing in lockstep with the number of ingested users. Is it expected to continue in this fashion, or is Keycloak designed to level off in its memory usage? [image: increasing-heap.png] On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen wrote: > Keycloak by default caches users in-memory, by default it will keep up to > 10000 entries cached. You can verify that there's no leak by disabling the > user cache provider. 
> See
> http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cache.html#d4e3187
>
> If you're planning on having millions of users I suggest you increase the
> allocated memory for the JVM (512MB which it seems you have is not
> sufficient).
From bruno at abstractj.org Wed Jun 22 16:23:50 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 22 Jun 2016 17:23:50 -0300
Subject: [keycloak-user] Documentation down
Message-ID: <20160622202350.GA24203@abstractj.org>

Take a look at this: https://www.gitbook.com/@keycloak. I hope it helps.

On 2016-06-22, Geo Miller wrote:
> It seems that keycloak.github.io forwards to keycloak.jboss.org and the
> links for docs do not work:
>
> http://keycloak.jboss.org/docs/userguide/keycloak-server/html/index.html
> http://keycloak.jboss.org/docs/rest-api/index.html
>
> I did not see this posted in the list or elsewhere, apologies if this is
> the wrong place.
>
> Geo
> --
>
> Geo Miller
>
> Developer @ UberOps
>
> mobile: 404-530-9561 | geo at uberops.com

--
abstractj
PGP: 0x84DC9914

From geo at uberops.com Wed Jun 22 16:30:33 2016
From: geo at uberops.com (Geo Miller)
Date: Wed, 22 Jun 2016 20:30:33 +0000
Subject: [keycloak-user] Documentation down
In-Reply-To: <20160622202350.GA24203@abstractj.org>
References: <20160622202350.GA24203@abstractj.org>

Thank you. I note this is temporary due to a new keycloak website.

On Wed, Jun 22, 2016 at 4:23 PM Bruno Oliveira wrote:
> Take a look at this: https://www.gitbook.com/@keycloak. I hope it helps.
--
Geo Miller
Developer @ UberOps
mobile: 404-530-9561 | geo at uberops.com

From chairfield at gmail.com Wed Jun 22 19:10:35 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Wed, 22 Jun 2016 23:10:35 +0000
Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users

Scratch the results of the graph I posted. I was running the test incorrectly.
I'll post back with the results of the test run properly.

On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield wrote:
> Thomas, this test is run with whatever local database Keycloak defaults
> to. We're using Postgres generally, and we will have more information
> pertaining to tests against Postgres soon.
>
> Stian, thanks for the tips. I am currently running a test to ingest about
> 50m users into the default database with the user cache disabled, 8gb mem
> (Xmx and Xms), and parallel GC threads == processor count.
>
> Though my test is young (430k users ingested), I'm noticing memory
> allocation increasing in lockstep with the number of ingested users.
> Is it expected to continue in this fashion, or is Keycloak designed to
> level off in its memory usage?
>
> [image: increasing-heap.png]
From lanabe.lanabe at gmail.com Wed Jun 22 20:21:38 2016
From: lanabe.lanabe at gmail.com (lanabe)
Date: Thu, 23 Jun 2016 00:21:38 +0000
Subject: [keycloak-user] Documentation down
References: <20160622202350.GA24203@abstractj.org>

Good to know! I found you can also download them here. http://www.keycloak.org/documentation.html

On Thu, Jun 23, 2016 at 5:31 AM Geo Miller wrote:
> Thank you. I note this is temporary due to a new keycloak website.
>
> On Wed, Jun 22, 2016 at 4:23 PM Bruno Oliveira wrote:
>> Take a look at this: https://www.gitbook.com/@keycloak. I hope it helps.
From cpitman at redhat.com Wed Jun 22 20:59:08 2016
From: cpitman at redhat.com (Chris Pitman)
Date: Wed, 22 Jun 2016 20:59:08 -0400 (EDT)
Subject: [keycloak-user] Redirect Issue with keycloak behind proxy and app behind Keycloak security proxy
In-Reply-To: <729a3e21e420eb8d2bb61393fa58a702@dorsetnetworks.com>
References: <729a3e21e420eb8d2bb61393fa58a702@dorsetnetworks.com>
Message-ID: <121169975.1671380.1466643548270.JavaMail.zimbra@redhat.com>

Hey Guy,

I also use KeyCloak Proxy, pointing to many port numbers that would blow up if they were included in redirect urls. I haven't had any problems, so I'm thinking this may be an issue with your proxy configuration file. Can you share what that looks like?

Chris Pitman
Architect, Red Hat Consulting

----- Original Message -----
> hi all,
>
> We have the following set up with two DMZ boxes, one running a single KeyCloak security proxy and sending requests to a local NGINX proxy which farms out requests to internal applications. This should allow us to maintain a single namespace for all applications (/appname redirects to appname.local) and gives authenticated visibility of who's accessing what at the front end proxy.
>
> DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080] ---> TRUST: [Various applications]
>
> Keycloak runs on its own server and is published via an NGINX proxy in the DMZ
>
> DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080]
>
> So clients hit the KeyCloak security Proxy, are redirected to KeyCloak and then after logging in, we get an "invalid Redirect URI" error from Keycloak. We've found that for some reason, the redirect URL from KeyCloak is appending the :8080 port value from the KeyCloak Security proxy (verified as if we change this port number, the value changes in the redirect URL). It's like KeyCloak is redirecting back to the NGINX:8080 proxy direct rather than back to the KeyCloak security proxy, which is what we were expecting. This is possibly by design, or possibly a bug, or possibly a side effect of our configuration.
>
> Has anyone tried using the KeyCloak security proxy in this manner? It's clear that the intended use is as a single instance adapter for a single local application, whereas our application happens to be an nginx proxy redirecting to different applications using location directives.

From cpitman at redhat.com Wed Jun 22 21:04:52 2016
From: cpitman at redhat.com (Chris Pitman)
Date: Wed, 22 Jun 2016 21:04:52 -0400 (EDT)
Subject: [keycloak-user] How to restore session for UI to REST API
References: <2050154768.584737.1466460786043.JavaMail.zimbra@redhat.com> <5768DD06.2070600@redhat.com> <699662277.1174065.1466577851220.JavaMail.zimbra@redhat.com>
Message-ID: <24963419.1672749.1466643892158.JavaMail.zimbra@redhat.com>

----- Original Message -----
> Quite likely it's the session that is no longer valid, not just the token.
> If the access token is not valid (this is 5min by default) it will be refreshed by the proxy (valid as long as the user session is valid).
>
> Once the user session is no longer valid the user is required to re-authenticate to Keycloak which causes the redirect to Google. This happens by default after the session has been idle 30 min (no token refreshes) or after 10 hours. You can change the timeouts through the admin console.

I've tried setting both "SSO Session Idle" and "SSO Session Max" to 1 Day, but see this issue where the proxy redirects to keycloak which redirects to google after about 1 hour. Is there another setting I need to change?

From akaya at expedia.com Wed Jun 22 22:06:52 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Thu, 23 Jun 2016 02:06:52 +0000
Subject: [keycloak-user] Keycloak Adapter Set/Remove Cookies Depending on Path

According to this code:
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java#L100

The cookie is only reset at the place where the logout path is. For instance:

Applications serve at /foo/app and /bar/app
And logout path is just /logout

In that case that won't work because cookiePath for removeCookie would be /logout. The problem is the user is still logged in within the period of Access Token Lifespan. It doesn't make sense to have different logout URL for each application as such /bar/logout and /foo/logout. Is there a way to just keep single logout which logs out the user for each application?

Thanks,
Sarp Kaya
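The behaviour Sarp describes follows from how a user agent stores cookies: RFC 6265 identifies a stored cookie by (name, domain, path), so a Set-Cookie that expires the token cookie with Path=/logout never touches the cookie that was stored with Path=/foo/app, and a request to /logout does not even carry that cookie. The following is an added example (my code, not Keycloak's adapter) of a minimal RFC 6265 cookie store that reproduces the effect; the cookie name ADAPTER_STATE and its value are constructed for the demo, and a single host is assumed so the domain component is omitted.

```python
"""Added example (not Keycloak code): a minimal RFC 6265 cookie store that
shows why expiring the token cookie from a /logout response leaves the copy
stored under the application's own path untouched.

A user agent identifies a stored cookie by (name, domain, path). A Set-Cookie
with Max-Age=0 only removes the cookie whose name, domain and path all match
(RFC 6265 section 5.3, step 11), and a request to /logout does not carry a
cookie scoped to /foo/app at all (section 5.4). A single host is assumed, so
the domain component is left out. Cookie names and values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str
    max_age: int  # seconds; 0 = expire immediately; -1 = session cookie


def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4 default-path when Set-Cookie has no Path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, request_path: str) -> Cookie:
    """Parse 'name=value; Path=/x; Max-Age=n' (only the attributes used here)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path, max_age = default_path(request_path), -1
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "path" and val.startswith("/"):
            path = val
        elif key.lower() == "max-age":
            max_age = int(val)
    return Cookie(name, value, path, max_age)


class CookieJar:
    """Stores cookies keyed by (name, path); an expired cookie evicts only
    the entry with exactly that key."""

    def __init__(self) -> None:
        self._store: dict = {}

    def receive(self, set_cookie: str, request_path: str) -> None:
        c = parse_set_cookie(set_cookie, request_path)
        key = (c.name, c.path)
        if c.max_age == 0:
            self._store.pop(key, None)  # removal only if (name, path) match
        else:
            self._store[key] = c

    def cookies_for(self, request_path: str) -> dict:
        """Cookies a request to request_path would carry (section 5.4)."""
        return {c.name: c.value for c in self._store.values()
                if path_matches(request_path, c.path)}


def logout_clears_token(logout_path: str, removal_path: str) -> bool:
    """Store the adapter's token cookie under /foo/app, then let a logout
    response at logout_path try to expire it with Path=removal_path.
    Returns True when a later request to /foo/app no longer carries it."""
    jar = CookieJar()
    jar.receive("ADAPTER_STATE=tok-123; Path=/foo/app", "/foo/app")  # constructed
    jar.receive(f"ADAPTER_STATE=; Path={removal_path}; Max-Age=0", logout_path)
    return "ADAPTER_STATE" not in jar.cookies_for("/foo/app")


if __name__ == "__main__":
    print("removal with Path=/logout clears the /foo/app cookie:",
          logout_clears_token("/logout", "/logout"))   # False
    print("removal with Path=/foo/app clears it:",
          logout_clears_token("/logout", "/foo/app"))  # True
```

The defender's takeaway is that a logout which only expires the cookie under the logout URL's own path leaves a still-valid token in the browser for every other path; the token cookie has to be cleared with the same path it was set with (or set under a common ancestor path in the first place), and revoking the session server-side covers the window until the token itself expires.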
From sthorger at redhat.com Thu Jun 23 01:59:14 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jun 2016 07:59:14 +0200
Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users

Are you only creating users or are you also authenticating users? User sessions are kept purely in memory so obviously the more you create the more memory is used. Only creating users should not continue to increase, but will do so for a while at least due to the way Java garbage collection works.

I would only have the user cache disabled for testing memory leak. Re-enable it and retest with it before you eventually go into production as it will have a significant impact on performance.

On 23 June 2016 at 01:10, Chris Hairfield wrote:
> Scratch the results of the graph I posted. I was running the test incorrectly. I'll post back with the results of the test run properly.
From ramon at humanswitch.io Thu Jun 23 09:35:03 2016
From: ramon at humanswitch.io (Ramon Rockx)
Date: Thu, 23 Jun 2016 15:35:03 +0200
Subject: [keycloak-user] WildFly overlay not recommended for production?

Hello,

First of all, Keycloak team, congratulations with your new website. It's looking good!

When visiting the download page I saw the text "Not recommended in production." which refers to the WildFly overlay. I was wondering why it is not recommended?

Regards,
Ramon Rockx

From sthorger at redhat.com Thu Jun 23 09:52:58 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jun 2016 15:52:58 +0200
Subject: [keycloak-user] WildFly overlay not recommended for production?

We don't recommend deploying your applications alongside Keycloak for several reasons:

* Keycloak is not just for JEE applications
* Applications can interfere with Keycloak which would result in hard to debug issues
* Keycloak overlay only supports a specific version of WildFly. You may not always want to upgrade the WildFly used by your applications when upgrading Keycloak
* Keycloak requires specific configuration of the underlying WildFly instance. Any changes you do may break it and again cause hard to debug issues

In the supported version of Keycloak there is no overlay at all, only the standalone distribution. The overlay distribution is purely meant as a convenience thing for JEE developers.

On 23 June 2016 at 15:35, Ramon Rockx wrote:
> Hello,
>
> First of all, Keycloak team, congratulations with your new website. It's looking good!
> When visiting the download page I saw the text "Not recommended in production." which refers to the WildFly overlay. I was wondering why it is not recommended?
>
> Regards,
> Ramon Rockx

From James_Saxton at ao.uscourts.gov Thu Jun 23 15:05:59 2016
From: James_Saxton at ao.uscourts.gov (James_Saxton at ao.uscourts.gov)
Date: Thu, 23 Jun 2016 15:05:59 -0400
Subject: [keycloak-user] Help - two issues

Good Day,

Today I was trying to front-end KeyCloak with Apache.

Background: Keycloak 1.9.5 is installed successfully on Linux, I can tunnel to it and log in using admin creds I set up. I installed a webserver and configured SSL for the webserver and Keycloak as outlined in 3.2.6. SSL/HTTPS Requirement/Modes through 3.2.8.2. Configure Wildfly undertow subsystem.

I restarted the webserver and the keycloak server. The webserver shows the credential pop up stating the site is "strictly private". Creds do not allow me to log in through a webserver, only if I use the SSH tunnel. Not sure where to go - the instructions are pretty simple, I suspect a config issue - not sure where though.

Second issue, using the SSH tunnel, I enabled require "ALL SSL" as a test knowing full well I could get locked out completely. How can I reset the require ALL SSL without using the console?

Thanks in advance.

James Saxton
Software Infrastructure Division
Administrative Office of the U.S. Courts
One Columbus Circle, N.E.
Washington, DC 20544
(C) 908-910-5566
Teamwork makes the dream work!
From sthorger at redhat.com Thu Jun 23 15:58:29 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jun 2016 21:58:29 +0200
Subject: [keycloak-user] Productized Keycloak now available from Red Hat

Nearly 4 years ago Bill Burke and myself started two individual proof of concepts, both focusing on making it easier for developers to secure applications and services. Keycloak was born out of combining these two proof of concepts. There was barely any overlap and the two perfectly complemented each other.

Fast forward to today and we now have a huge community with over 100 contributors and over 400 forks of our Github repository. It's no longer just myself and Bill working on Keycloak, we now have a strong team working on it and I'm very excited about the future of the project.

You may have noticed that lately we've stopped adding new features and focused on improvements and testing. There's a good reason behind that! We've been working on creating a productized and supported version of Keycloak.

I'm extremely pleased to announce that Red Hat now offers a productized and supported version of Keycloak! For more details on how to get support for Keycloak check out the product pages at: https://access.redhat.com/products/red-hat-single-sign-on

Finally, I'd like to thank everyone that's been involved. All the core developers, quality engineers, others at Red Hat and last but not least our community!

From sthorger at redhat.com Thu Jun 23 16:06:02 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 23 Jun 2016 22:06:02 +0200
Subject: [keycloak-user] Keycloak 2.0.0.CR1 Released

We're finally back to adding new features.
This release is just the beginning and we've planned loads of exciting new features in the coming months. I'm really excited to introduce the authorization services we've just added. Through the authorization services you can centrally define and manage fine-grained permissions for your services. For more details check out the Authorization Services Guide.

There's a brand new website at www.keycloak.org. Finally we've also completely reworked and significantly improved our documentation.

For the full list of resolved issues check out JIRA and to download the release go to the Keycloak homepage. Before you upgrade refer to the migration guide.

From chairfield at gmail.com Thu Jun 23 18:52:34 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Thu, 23 Jun 2016 22:52:34 +0000
Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users

I am only testing creating users. With the user cache disabled, I see no evidence of a memory leak at many JVM heap-size settings.

Things get interesting when re-enabling the user cache. Performance seems to take a major hit in lower-memory scenarios, with some very worrisome scenarios where the rate at which I ingest continuously decreases.

I am able to create users at a high rate of speed with a max heap size of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower than the Xmx setting, which goes against official JBoss GC performance tuning documentation.

Though speeds are high with a large heap, I *do* see the possibility of a memory leak with the user cache enabled and no authentication happening. I will be running a test overnight to attempt to confirm or deny.

Thanks for your help so far, Stian. I will be on vacation tomorrow through Sunday, so I will pick this back up on Monday.
P.S. I will be thinking of ways to better the documentation around performance tuning, as my tests indicate that standard JVM options cause Keycloak to run in a very sub-optimal state.

On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen wrote:
> Are you only creating users or are you also authenticating users? User sessions are kept purely in memory so obviously the more you create the more memory is used. Only creating users should not continue to increase, but will do so for a while at least due to the way Java garbage collection works.
>
> I would only have the user cache disabled for testing memory leak. Re-enable it and retest with it before you eventually go into production as it will have a significant impact on performance.
From jfalkner at redhat.com Thu Jun 23 19:34:23 2016
From: jfalkner at redhat.com (James Falkner)
Date: Thu, 23 Jun 2016 19:34:23 -0400
Subject: [keycloak-user] Productized Keycloak now available from Red Hat
Message-ID: <576C71FF.7090808@redhat.com>

Congrats, Stian & Team! I've used a few SSO projects in the past, and Keycloak was and is by far superior in terms of documentation, debuggability, and simplicity. Thanks for all your hard work!

--
James

> Stian Thorgersen
> June 23, 2016 at 3:58 PM
From chairfield at gmail.com Fri Jun 24 00:52:18 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Fri, 24 Jun 2016 04:52:18 +0000
Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users

There seems to be a leak when enabling the user cache, even when providing Keycloak with all the memory it needs to perform admirably (initially). My heap drops to 3.4 GB when I perform a manual GC. I'm now seeing a number of PessimisticLockExceptions as it fails to lock the USER_ENTITY table. I expect Keycloak to have ground to a halt by the morning.

[image: test8-graph.png]

On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield wrote:
> I am only testing creating users. With the user cache disabled, I see no evidence of a memory leak at many JVM heap-size settings.
>
> Things get interesting when re-enabling the user cache. Performance seems to take a major hit in lower-memory scenarios, with some very worrisome scenarios where the rate at which I ingest continuously decreases.
>
> I am able to create users at a high rate of speed with a max heap size of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower than the Xmx setting, which goes against official JBoss GC performance tuning documentation.
>
> Though speeds are high with a large heap, I *do* see the possibility of a memory leak with the user cache enabled and no authentication happening. I will be running a test overnight to attempt to confirm or deny.
>
> Thanks for your help so far, Stian. I will be on vacation tomorrow through Sunday, so I will pick this back up on Monday.
>
> P.S. I will be thinking of ways to better the documentation around performance tuning, as my tests indicate that standard JVM options cause Keycloak to run in a very sub-optimal state.
From paal.oliver at gmail.com Fri Jun 24 02:50:32 2016
From: paal.oliver at gmail.com (Pål Oliver Kristiansen)
Date: Fri, 24 Jun 2016 06:50:32 +0000
Subject: [keycloak-user] Encrypted SAML response
References: <45eb6a33-43be-1740-74f9-be9cc638b6f2@redhat.com>

We figured out what was happening with some help from F5 (BigIP) technicians. Keycloak uses RSA v1.5 for key transport algorithm but this is not supported in BigIP APM. It also seems like v1.5 is largely deprecated and BigIP requires RSA-OAEP for this.

This seems to be set in XMLEncryptionUtil.getXMLEncryptionURLForKeyUnwrap(...) returning XMLCipher.RSA_v1dot5 if the public SP key was a RSA key. Is there any way to easily change from RSAv1.5 to RSA-OAEP?

References:
https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-hotfix-bigip-12-0-0.html#A534555-1
https://tools.ietf.org/html/rfc3560

Thanks!

On Wed, 22 Jun 2016 at 15.34, Pål Oliver Kristiansen <paal.oliver at gmail.com> wrote:
> Thanks Bill!
>
> What we did was to create the client in Keycloak by importing the SP metadata file. So the "Encryption Key" and "Signing Key" have the values from the SP's metadata file already. From what I can gather, the values in this part of the client definition in Keycloak, matches the values in the meta data file when looking at the elements:
>
> ---[Key found in certificate]---
>
> Would this work or am I missing something?
>
> I can double check that the private key on the SP side actually is correlated with the public one in the meta data file.
>
> On Wed, 22 Jun 2016 at 15.03, Bill Burke wrote:
>> Once you've enabled encryption, you have to go to the 'SAML Keys' tab. There is an Encryption Key at the bottom of that screen. You can have Keycloak generate the private key and cert for the SP, or you can import the SP's certificate that is stored in a PEM file, JKS, or PKCS12 file.
>>
>> On 6/22/16 3:47 AM, Pål Oliver Kristiansen wrote:
>> > Hi!
>> >
>> > We have set up Keycloak as an IDP with a F5 BigIP APM as a SAML SP. Everything works well out of the box, but when we activate encryption of assertions, we get an error on the BigIP side.
>> >
>> > So in order to investigate the situation, I'm trying to understand the process of SAML assertion response encryption. And I am a bit confused when reading the Keycloak documentation and comparing that to what I see in the Keycloak admin console. Here is what I mean; in the documentation (https://keycloak.github.io/docs/userguide/keycloak-server/html/saml.html), activating assertion response encryption is described like this:
>> >
>> > "Encrypt Assertions
>> > Encrypt assertions in SAML documents with the realm's private key. The AES algorithm is used with a key size of 128 bits."
>> >
>> > But in the admin console (under clients) it is described like this in the tooltip:
>> >
>> > "Encrypt Assertions
>> > Should SAML assertions be encrypted with client's public key using AES?"
>> >
>> > So basically, which key is used for encrypting the assertion response?
>> >
>> > I have inspected the actual HTTP post and it looks something like this:
>> >
>> > ...
>> >   Type="http://www.w3.org/2001/04/xmlenc#Element">
>> >     Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>> >       Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>> >       ---[block of cipher text]---
>> >     ---[block of cipher text]---
>> >
>> > So it at least looks like the key to decrypt the encrypted response is
>> > included. It is encrypted using RSA, but with which key?
>> > My understanding was something like this:
>> >
>> > 1. The encryption of a SAML assertion response is done using AES-128,
>> > with some key.
>> > 2. The key is added alongside the encrypted assertion response and
>> > encrypted using the SP's public key.
>> > 3. The SP receives the encrypted assertion response and the encrypted
>> > key, decrypts the key using its private key and uses
>> > this decrypted key to decrypt the actual assertion response.
>> >
>> > Is this generally correct?
>> >
>> > The error we get from BigIP is this: "failed to process encrypted
>> > assertion, error: RSA decrypt"
>> > Which leads me to think that maybe the decryption of the included key
>> > did not work out.
>> > Any ideas or tips on how to approach this?
>> >
>> > Thanks!
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
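The three steps Pål lays out (AES-128 encryption of the assertion under a fresh key, that key wrapped with the SP's public key, the SP unwrapping it with its private key) and the RSA v1.5 versus RSA-OAEP key-transport mismatch the thread ends on, as an added Go example that is not Keycloak, Santuario or BigIP code: it models only the cryptographic exchange, not the XML Encryption document, and the names `IdPEncrypt`, `SPDecrypt` and `EncryptedAssertion` are this example's own. An SP that only accepts RSA-OAEP fails at the key unwrap when the IdP wrapped with RSA v1.5, which is the "RSA decrypt" symptom reported above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// KeyTransport is the RSA key-wrap algorithm URI named in the EncryptedKey element.
type KeyTransport string

const (
	RSAv15  KeyTransport = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
	RSAOAEP KeyTransport = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
)

// EncryptedAssertion is a simplified model of what the IdP posts: the declared
// key transport, the wrapped AES-128 session key and IV || AES-CBC ciphertext.
type EncryptedAssertion struct {
	KeyTransport KeyTransport
	EncryptedKey []byte
	CipherData   []byte
}

// pkcs7Pad/pkcs7Unpad implement CBC block padding (last byte = padding length).
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	out := append(make([]byte, 0, len(b)+n), b...)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 || b[len(b)-1] == 0 || int(b[len(b)-1]) > bs {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-int(b[len(b)-1])], nil
}

// IdPEncrypt is steps 1 and 2 from the thread: encrypt the assertion under a
// fresh AES-128 key, then wrap that key with the SP's public key using kt.
func IdPEncrypt(assertion []byte, spPub *rsa.PublicKey, kt KeyTransport) (*EncryptedAssertion, error) {
	buf := make([]byte, 16+aes.BlockSize) // random session key followed by IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:16], buf[16:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := pkcs7Pad(assertion, aes.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct) // encrypt in place
	var wrapped []byte
	switch kt {
	case RSAv15:
		wrapped, err = rsa.EncryptPKCS1v15(rand.Reader, spPub, key)
	case RSAOAEP: // xmlenc rsa-oaep-mgf1p uses SHA-1 as the OAEP digest
		wrapped, err = rsa.EncryptOAEP(sha1.New(), rand.Reader, spPub, key, nil)
	default:
		err = errors.New("unsupported key transport")
	}
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{kt, wrapped, append(iv, ct...)}, nil
}

// SPDecrypt is step 3: unwrap the session key with the SP private key using the
// transport the SP supports, then decrypt. An SP that only accepts RSA-OAEP
// fails at the unwrap when the IdP used RSA v1.5 (the "RSA decrypt" symptom).
func SPDecrypt(ea *EncryptedAssertion, spPriv *rsa.PrivateKey, accepted KeyTransport) ([]byte, error) {
	var key []byte
	var err error
	switch accepted {
	case RSAv15:
		key, err = rsa.DecryptPKCS1v15(nil, spPriv, ea.EncryptedKey)
	case RSAOAEP:
		key, err = rsa.DecryptOAEP(sha1.New(), nil, spPriv, ea.EncryptedKey, nil)
	default:
		err = errors.New("unsupported key transport")
	}
	if err != nil {
		return nil, fmt.Errorf("failed to process encrypted assertion, error: RSA decrypt: %w", err)
	}
	block, err := aes.NewCipher(key) // rejects anything but a 16/24/32-byte key
	if err != nil || len(ea.CipherData) < 2*aes.BlockSize {
		return nil, errors.New("unwrapped key or cipher data has unexpected length")
	}
	iv, ct := ea.CipherData[:aes.BlockSize], ea.CipherData[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}
```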
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/ff88f949/attachment.html

From jannik.huels at googlemail.com Fri Jun 24 04:08:37 2016
From: jannik.huels at googlemail.com (Jannik Hüls)
Date: Fri, 24 Jun 2016 10:08:37 +0200
Subject: [keycloak-user] keycloak access token caching?
Message-ID: <6E53A5D1-C422-4A13-9191-7E8FCF3F0D88@googlemail.com>

Hi,

I use the /auth/realms/{realm}/protocol/openid-connect/token endpoint to create a User Session. The Session is shown inside keycloak and I get the access_token, refresh_token and id_token.

When I now call /auth/realms/{realm}/protocol/openid-connect/token/introspect I get a valid response containing "active":"true" amongst others. I call it using the POST method and provide client_id, client_secret and token parameters as data. The token parameter contains the access_token value.

I now log in to the keycloak administrator and log out the User. Now I again call the introspection endpoint but still get a response containing "active":"true". It seems that keycloak is caching the User Session, and after some time I get "active":"false". Am I able to disable caching and immediately get an introspection response that indicates that the User Session no longer exists?

Btw.: The same happens when I call the /auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= endpoint. I provided the access_token in the header. POST parameters are client_id, client_secret and refresh_token in this case.

I use the introspection endpoint in the different RPs I use to validate whether the access_token is revoked, in order to introduce single logout. Hence it would be nice to disable the caching to have less inconsistency.

Bests
Jannik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/ef045a69/attachment.html

From thomas.raehalme at aitiofinland.com Fri Jun 24 04:14:40 2016
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Fri, 24 Jun 2016 11:14:40 +0300
Subject: [keycloak-user] [keycloak-dev] Productized Keycloak now available from Red Hat

Congrats to both of you for creating such a great open source product!

Best regards,
Thomas

On Jun 23, 2016 22:59, "Stian Thorgersen" wrote:

> Nearly 4 years ago Bill Burke and myself started two individual proof
> of concepts, both focusing on making it easier for developers to secure
> applications and services. Keycloak was born out of combining these two
> proof of concepts. There was barely any overlap and the two perfectly
> complemented each other.
>
> Fast forward to today and we now have a huge community with over 100
> contributors and over 400 forks of our Github repository. It's no longer
> just myself and Bill working on Keycloak, we now have a strong team working
> on it and I'm very excited about the future of the project.
>
> You may have noticed that lately we've stopped adding new features and
> focused on improvements and testing. There's a good reason behind that!
> We've been working on creating a productized and supported version of
> Keycloak.
>
> I'm extremely pleased to announce that Red Hat now offers a productized
> and supported version of Keycloak!
>
> For more details on how to get support for Keycloak check out the product
> pages at:
> https://access.redhat.com/products/red-hat-single-sign-on
>
> Finally, I'd like to thank everyone that's been involved. All the core
> developers, quality engineers, others at Red Hat and last but not least our
> community!
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/ef6573af/attachment-0001.html

From thomas.darimont at googlemail.com Fri Jun 24 04:17:38 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 24 Jun 2016 10:17:38 +0200
Subject: [keycloak-user] [keycloak-dev] Productized Keycloak now available from Red Hat

Congratulations to everyone involved! Well done!

Cheers,
Thomas

2016-06-24 10:14 GMT+02:00 Thomas Raehalme:

> Congrats to both of you for creating such a great open source product!
>
> Best regards,
> Thomas
> On Jun 23, 2016 22:59, "Stian Thorgersen" wrote:
>
>> Nearly 4 years ago Bill Burke and myself started two individual proof
>> of concepts, both focusing on making it easier for developers to secure
>> applications and services. Keycloak was born out of combining these two
>> proof of concepts. There was barely any overlap and the two perfectly
>> complemented each other.
>>
>> Fast forward to today and we now have a huge community with over 100
>> contributors and over 400 forks of our Github repository. It's no longer
>> just myself and Bill working on Keycloak, we now have a strong team working
>> on it and I'm very excited about the future of the project.
>>
>> You may have noticed that lately we've stopped adding new features and
>> focused on improvements and testing. There's a good reason behind that!
>> We've been working on creating a productized and supported version of
>> Keycloak.
>>
>> I'm extremely pleased to announce that Red Hat now offers a productized
>> and supported version of Keycloak!
>>
>> For more details on how to get support for Keycloak check out the product
>> pages at:
>> https://access.redhat.com/products/red-hat-single-sign-on
>>
>> Finally, I'd like to thank everyone that's been involved. All the core
>> developers, quality engineers, others at Red Hat and last but not least our
>> community!
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/01aa096d/attachment.html

From suseendhiran.t at nokia.com Fri Jun 24 05:32:25 2016
From: suseendhiran.t at nokia.com (T, Suseendhiran (Nokia - IN/Bangalore))
Date: Fri, 24 Jun 2016 09:32:25 +0000
Subject: [keycloak-user] Need help: Configuring keycloak to work with IBM Websphere Application Server

Hello All,

I am trying to configure Keycloak as the OpenID Connect provider and IBM Websphere Application Server as the Relying Party. During authentication, keycloak sends the JWT, but IBM Websphere Application Server could not verify the token. The exception below is thrown:

com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: The OpenID Connect replying party (RP) encountered a failure during the login. The exception is [Failed to validate id token, exception thrown during verify [key is invalid]]. Check the logs for details that lead to this exception.
	at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:428)
	...
	at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
Caused by: com.ibm.ws.security.oidc.client.RelyingPartyException: Failed to validate id token, exception thrown during verify [key is invalid]
	at com.ibm.ws.security.oidc.client.SessionCache.updateEntryUsingStateId(SessionCache.java:352)
	at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:411)
	... 28 more
Caused by: java.lang.IllegalStateException: key is invalid
	at net.oauth.jsontoken.crypto.RsaSHA256Verifier.(RsaSHA256Verifier.java:45)
	at com.ibm.ws.security.openidconnect.token.JWT.getJsonTokenParser(JWT.java:1017)
	at com.ibm.ws.security.openidconnect.token.JWT.verify(JWT.java:881)
	at com.ibm.ws.security.openidconnect.token.IDToken.verify(IDToken.java:578)
	at com.ibm.ws.security.oidc.client.SessionData.setIdToken(SessionData.java:294)
	at com.ibm.ws.security.oidc.client.SessionData.update(SessionData.java:131)
	at com.ibm.ws.security.oidc.client.SessionCache.updateEntryUsingStateId(SessionCache.java:343)
	... 29 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: (null)
	at java.security.Signature$Delegate.chooseProvider(Signature.java:1139)
	at java.security.Signature$Delegate.engineInitVerify(Signature.java:1172)
	at java.security.Signature.initVerify(Signature.java:462)
	at net.oauth.jsontoken.crypto.RsaSHA256Verifier.(RsaSHA256Verifier.java:41)
	... 35 more
. Make sure that the setup is correct and that the user credentials are valid.
[6/7/16 8:58:30:493 IST] 000002bb WebCollaborat A SECJ0056E: Authentication failed for reason CWTAI2007E: The OpenID Connect replying party (RP) encountered a failure during the login. The exception is [Failed to validate id token, exception thrown during verify [key is invalid]]. Check the logs for details that lead to this exception.
-------------------------------------------------------------------------------------------------------------------------------------------

I have attached the Websphere log during authentication. Could someone help me analyse the issue?

Versions used:
Keycloak - 1.9.4.Final
IBM WebSphere Application Server Network Deployment - Version 8.5.5.8

Please let me know if any information is needed.

Regards,
Suseendhiran T
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/7c3454ea/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SystemOut.log
Type: application/octet-stream
Size: 6403 bytes
Desc: SystemOut.log
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/7c3454ea/attachment-0001.obj

From ivan at akvo.org Fri Jun 24 08:48:40 2016
From: ivan at akvo.org (Iván Perdomo)
Date: Fri, 24 Jun 2016 14:48:40 +0200
Subject: [keycloak-user] Keycloak 2.0.0.CR1 Released
Message-ID: <755b695c-b705-a3c6-bdf2-157306f0566a@akvo.org>

Congratulations to everyone who contributed to this release. Looking forward to testing the new authorization services.

On 06/23/2016 10:06 PM, Stian Thorgersen wrote:
> We're finally back to adding new features. This release is just the
> beginning and we've planned loads of exciting new features in the coming
> months.
>
> I'm really excited to introduce the authorization services we've just
> added. Through the authorization services you can centrally define and
> manage fine-grained permissions for your services. For more details
> check out the Authorization Services Guide.
>
> There's a brand new website at www.keycloak.org.
>
> Finally we've also completely reworked and significantly improved
> our documentation.
>
> For the full list of resolved issues check out JIRA and
> to download the release go to the Keycloak homepage.
> Before you upgrade refer to the migration guide.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Iván
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/67fd98a1/attachment.bin

From srossillo at smartling.com Fri Jun 24 13:36:28 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Fri, 24 Jun 2016 13:36:28 -0400
Subject: [keycloak-user] MDC log messages not showing up
Message-ID: <8B014D08-BE11-4942-8E9B-F710BBEEC2D3@smartling.com>

I'm trying to use the Mapped Diagnostic Context (MDC) on org.jboss.logging.MDC to register a custom header for logging. I'm populating the MDC from an Undertow HttpHandler. This part is working; however, the value set in the MDC is never logged.

I'm using %X{MDC_KEY} in standalone.xml.

Does anyone know why MDC values aren't logged?

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/9e7dd447/attachment.html

From raymond.zhou at moneris.com Fri Jun 24 14:22:47 2016
From: raymond.zhou at moneris.com (Zhou, Limin (Ray))
Date: Fri, 24 Jun 2016 18:22:47 +0000
Subject: [keycloak-user] Keycloak single sign on with Kerberos (AD)
Message-ID: <0ABE2BE06E188B4FA117BC5D9D11ECCF5051DCDD@sq9bmexpr03.MONAD.MONERIS.COM>

Hello everyone,

I am new to Keycloak and new here.

Our web application is running on JBoss EAP 7. We have configured a KeyCloak standalone server 1.9.7 running on a different port (same server box) to manage user authentication and authorization. Behind KeyCloak we have configured Kerberos in User Federation to talk to our company AD server. We are able to log in using our AD account, but not in a single sign-on way: each time we hit our app URL, the Keycloak login page shows up. It looks like the TGT or ST handshake was not successful. Is there any document I can reference to debug the issue?

Any comments or suggestions would be very welcome.

Thanks in advance,
Raymond

________________________________
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada
www.moneris.com 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please click here. Please see the Moneris Privacy Policy here. This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/5bfc698b/attachment.html

From srossillo at smartling.com Fri Jun 24 15:01:38 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Fri, 24 Jun 2016 15:01:38 -0400
Subject: [keycloak-user] [keycloak-dev] Productized Keycloak now available from Red Hat
Message-ID: <8229327E-240A-44C9-B00C-847A6214BF76@smartling.com>

Well done, guys! Great work and congratulations. Looking forward to continuing to work with the entire team.

PS - what Keycloak version is RH SSO based on?

Best,
Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Jun 24, 2016, at 4:17 AM, Thomas Darimont wrote:
>
> Congratulations to everyone involved! Well done!
>
> Cheers,
> Thomas
>
> 2016-06-24 10:14 GMT+02:00 Thomas Raehalme:
> Congrats to both of you for creating such a great open source product!
>
> Best regards,
> Thomas
>
> On Jun 23, 2016 22:59, "Stian Thorgersen" wrote:
> Nearly 4 years ago Bill Burke and myself started two individual proof of concepts, both focusing on making it easier for developers to secure applications and services. Keycloak was born out of combining these two proof of concepts. There was barely any overlap and the two perfectly complemented each other.
>
> Fast forward to today and we now have a huge community with over 100 contributors and over 400 forks of our Github repository. It's no longer just myself and Bill working on Keycloak, we now have a strong team working on it and I'm very excited about the future of the project.
>
> You may have noticed that lately we've stopped adding new features and focused on improvements and testing. There's a good reason behind that! We've been working on creating a productized and supported version of Keycloak.
>
> I'm extremely pleased to announce that Red Hat now offers a productized and supported version of Keycloak!
>
> For more details on how to get support for Keycloak check out the product pages at:
> https://access.redhat.com/products/red-hat-single-sign-on
>
> Finally, I'd like to thank everyone that's been involved. All the core developers, quality engineers, others at Red Hat and last but not least our community!
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/4a82d91a/attachment-0001.html

From leo.nunes at gjccorp.com.br Fri Jun 24 15:26:19 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Fri, 24 Jun 2016 19:26:19 +0000
Subject: [keycloak-user] Email timeout error

Hi, I'm getting the error below when sending the verification email. An error page is shown, but I always receive the email.
Most of the time it works fine, but sometimes it returns the error. Around 7 out of 10 times it works.
I use the same SMTP host for other applications and I don't have this problem.

For the Email configuration I only have Host and From configured.

Is there a way to configure the timeout?

15:51:47,736 ERROR [org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default task-4) Failed to send verification email: org.keycloak.email.EmailException: Failed to template email
	at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
	at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
	at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146)
	at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156)
	at org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73)
	at org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:573)
	at org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:504)
	at org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:426)
	at org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:302)
	at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:856)
	at org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:849)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.email.EmailException: javax.mail.MessagingException: Exception reading response;
  nested exception is:
	java.net.SocketTimeoutException: Read timed out
	at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:128)
	at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
	at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
	... 57 more
Caused by: javax.mail.MessagingException: Exception reading response;
  nested exception is:
	java.net.SocketTimeoutException: Read timed out
	at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:2351)
	at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:2228)
	at com.sun.mail.smtp.SMTPTransport.finishData(SMTPTransport.java:2027)
	at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1242)
	at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:125)
	... 59 more
Caused by: java.net.SocketTimeoutException: Read timed out
	at java.net.SocketInputStream.socketRead0(Native Method)
	at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
	at java.net.SocketInputStream.read(SocketInputStream.java:170)
	at java.net.SocketInputStream.read(SocketInputStream.java:141)
	at com.sun.mail.util.TraceInputStream.read(TraceInputStream.java:124)
	at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
	at java.io.BufferedInputStream.read(BufferedInputStream.java:265)
	at com.sun.mail.util.LineInputStream.readLine(LineInputStream.java:92)
	at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:2331)
	... 63 more

-- 
Regards,
Leonardo Nunes
Systems Analyst
leo.nunes at gjccorp.com.br
Skype: leonardo.puc
+55 (62) 3250-1462
Grupo Jaime Câmara
www.gjccorp.com.br
________________________________
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/c65d5e5f/attachment-0001.html

From delkant at gmail.com Fri Jun 24 16:36:16 2016
From: delkant at gmail.com (Rodrigo Del Canto)
Date: Fri, 24 Jun 2016 16:36:16 -0400
Subject: [keycloak-user] Tomcat WebApp and MS AD

Hello All,

Can anyone tell me how to find documentation on how to integrate Keycloak with MS Active Directory (if there is anything specific to Tomcat it will be very nice!)? All the references on Google to documentation about LDAP or MSAD are broken.

If I am going to be switching over to Keycloak I would like to use the latest stable release and its corresponding documentation. But I couldn't find any reference on http://www.keycloak.org/documentation.html

Thanks a lot for your time!!
Rod.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/6899c953/attachment.html

From bruno at abstractj.org Fri Jun 24 18:45:36 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 24 Jun 2016 22:45:36 +0000
Subject: [keycloak-user] Email timeout error

This line looks suspicious to me:

Exception reading response; nested exception is: java.net.SocketTimeoutException: Read timed out

It looks like a connectivity issue with your SMTP server.

On Fri, Jun 24, 2016, 4:26 PM LEONARDO NUNES wrote:

> Hi, I'm getting the error below when sending the verification email. An
> error page is shown, but I always receive the email.
> Most of the time it works fine, but sometimes it returns the error.
> Around 7 out of 10 times it works.
> I use the same SMTP host for other applications and I don't have this
> problem.
>
> For the Email configuration I only have Host and From configured.
>
> Is there a way to configure the timeout?
>
>
> 15:51:47,736 ERROR [org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default task-4) Failed to send verification email: org.keycloak.email.EmailException: Failed to template email
> at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
> at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
> at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146)
> at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156)
> at org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73)
> at org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:573)
> at org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:504)
> at org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:426)
> at org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:302)
> at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:856)
> at org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:849)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.keycloak.email.EmailException: > javax.mail.MessagingException: Exception reading response; > nested exception is: > java.net.SocketTimeoutException: Read timed out > at > org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:128) > at > org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185) > at > org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177) > ... 57 more > Caused by: javax.mail.MessagingException: Exception reading response; > nested exception is: > java.net.SocketTimeoutException: Read timed out > at > com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:2351) > at > com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:2228) > at com.sun.mail.smtp.SMTPTransport.finishData(SMTPTransport.java:2027) > at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1242) > at > org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:125) > ... 
59 more > Caused by: java.net.SocketTimeoutException: Read timed out > at java.net.SocketInputStream.socketRead0(Native Method) > at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) > at java.net.SocketInputStream.read(SocketInputStream.java:170) > at java.net.SocketInputStream.read(SocketInputStream.java:141) > at com.sun.mail.util.TraceInputStream.read(TraceInputStream.java:124) > at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) > at java.io.BufferedInputStream.read(BufferedInputStream.java:265) > at com.sun.mail.util.LineInputStream.readLine(LineInputStream.java:92) > at > com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:2331) > ... 63 more
>
> --
>
> Regards,
> *Leonardo Nunes*
> Systems Analyst
> leo.nunes at gjccorp.com.br
> Skype: leonardo.puc
> +55 (62) 3250-1462
>
> *Grupo Jaime Câmara*
> www.gjccorp.com.br
> ------------------------------
>
> *This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.
> Thank you for your cooperation*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160624/bb37d071/attachment-0001.html

From tomas at intrahouse.com Sat Jun 25 05:44:15 2016
From: tomas at intrahouse.com (Tomás García)
Date: Sat, 25 Jun 2016 10:44:15 +0100
Subject: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client
Message-ID: <77146ca6-9427-6b00-ba02-bf37daca0685@intrahouse.com>

Hi,

I wonder if it's possible to just check the SSO state with a confidential client. My use case is the following one:

- I have a website which uses a confidential client to login with Keycloak.
- I want to add autologin to this website.
- So I use the javascript adapter with the following option object for the init method: { onLoad: 'check-sso' }.

The javascript adapter is built without the secret key in its constructor (obviously if I put the secret key in there, there's no point in using a confidential client at all). But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR, error=invalid_client_credentials" error.

So I don't know how feasible or secure it is to just check that the Keycloak session inside the cookie of the user's browser is still valid. In my case, the browser doesn't need to get the user info, access token, etc., because what I'll do is redirect the user to the Keycloak login page with the confidential client afterwards if the operation is successful. Since the Keycloak session is valid, Keycloak should redirect back with the authentication code without asking the user for credentials.
Additional note: the CORS header isn't added to 400 responses in Keycloak, so it was a bit confusing looking at the JS console in the browser, because it complained about CORS but it was just Keycloak giving the 400 response without the allow-origin header.

Thanks.

--
*Tomás García Pérez*
*Software Developer*
*IntraHouse*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160625/07289689/attachment.html

From bburke at redhat.com Sat Jun 25 12:04:37 2016
From: bburke at redhat.com (Bill Burke)
Date: Sat, 25 Jun 2016 12:04:37 -0400
Subject: [keycloak-user] Tomcat WebApp and MS AD
In-Reply-To:
References:
Message-ID: <35183003-fa87-e255-b409-48e78011874a@redhat.com>

You configure the server to connect to LDAP, you integrate the tomcat adapter with tomcat. All new docs are up and contain all this information.

On 6/24/16 4:36 PM, Rodrigo Del Canto wrote:
> Hello All,
>
> Can anyone tell me how to find documentation on how to integrate Keycloak with MS Active Directory (if there is anything specific to Tomcat it will be very nice!).
>
> All the references on Google to documentation about LDAP or MSAD are broken. If I am going to be switching over to Keycloak I would like to use the latest stable release and its corresponding documentation. But I couldn't find any reference on http://www.keycloak.org/documentation.html
>
> Thanks a lot for your time!!
>
> Rod.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jfalkner at redhat.com Sat Jun 25 12:12:39 2016
From: jfalkner at redhat.com (James Falkner)
Date: Sat, 25 Jun 2016 12:12:39 -0400
Subject: [keycloak-user] [keycloak-dev] Productized Keycloak now available from Red Hat
In-Reply-To: <8229327E-240A-44C9-B00C-847A6214BF76@smartling.com>
References: <8229327E-240A-44C9-B00C-847A6214BF76@smartling.com>
Message-ID: <576EAD77.10903@redhat.com>

Looks like 1.9.8.

-James

> Scott Rossillo
> June 24, 2016 at 3:01 PM
> Well done, guys! Great work and congratulations. Looking forward to continuing to work with the entire team.
>
> PS - what Keycloak version is RH SSO based on?
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> Thomas Darimont
> June 24, 2016 at 4:17 AM
> Congratulations to everyone involved! Well done!
>
> Cheers,
> Thomas
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> Thomas Raehalme
> June 24, 2016 at 4:14 AM
> Congrats to both of you for creating such a great open source product!
>
> Best regards,
> Thomas
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> Stian Thorgersen
> June 23, 2016 at 3:58 PM
> Nearly 4 years ago Bill Burke and myself started two individual proofs of concept, both focusing on making it easier for developers to secure applications and services. Keycloak was born out of combining these two proofs of concept.
> There was barely any overlap and the two perfectly complemented each other.
>
> Fast forward to today and we now have a huge community with over 100 contributors and over 400 forks of our Github repository. It's no longer just myself and Bill working on Keycloak, we now have a strong team working on it and I'm very excited about the future of the project.
>
> You may have noticed that lately we've stopped adding new features and focused on improvements and testing. There's a good reason behind that! We've been working on creating a productized and supported version of Keycloak.
>
> I'm extremely pleased to announce that Red Hat now offers a productized and supported version of Keycloak!
>
> For more details on how to get support for Keycloak check out the product pages at:
> https://access.redhat.com/products/red-hat-single-sign-on
>
> Finally, I'd like to thank everyone that's been involved. All the core developers, quality engineers, others at Red Hat and last but not least our community!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160625/0610fa62/attachment.html

From jorsol at gmail.com Sat Jun 25 12:33:48 2016
From: jorsol at gmail.com (Jorge Solórzano)
Date: Sat, 25 Jun 2016 10:33:48 -0600
Subject: [keycloak-user] [keycloak-dev] Productized Keycloak now available from Red Hat
In-Reply-To:
References:
Message-ID:

Congratulations and excellent work!!! Looking forward to the backport of Authorization Services from KC 2.x, maybe in RH-SSO 7.1.0.
Best regards,
Jorge Solórzano
me.jorsol.com

On Thu, Jun 23, 2016 at 1:58 PM, Stian Thorgersen wrote:
> Nearly 4 years ago Bill Burke and myself started two individual proofs of concept, both focusing on making it easier for developers to secure applications and services. Keycloak was born out of combining these two proofs of concept. There was barely any overlap and the two perfectly complemented each other.
>
> Fast forward to today and we now have a huge community with over 100 contributors and over 400 forks of our Github repository. It's no longer just myself and Bill working on Keycloak, we now have a strong team working on it and I'm very excited about the future of the project.
>
> You may have noticed that lately we've stopped adding new features and focused on improvements and testing. There's a good reason behind that! We've been working on creating a productized and supported version of Keycloak.
>
> I'm extremely pleased to announce that Red Hat now offers a productized and supported version of Keycloak!
>
> For more details on how to get support for Keycloak check out the product pages at:
> https://access.redhat.com/products/red-hat-single-sign-on
>
> Finally, I'd like to thank everyone that's been involved. All the core developers, quality engineers, others at Red Hat and last but not least our community!
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160625/75d85f1e/attachment-0001.html

From ygorcastor at gmail.com Sat Jun 25 21:08:41 2016
From: ygorcastor at gmail.com (Ygor Castor)
Date: Sun, 26 Jun 2016 01:08:41 +0000
Subject: [keycloak-user] Karaf Features problem
Message-ID:

I'm trying to install the keycloak adapter at Karaf 4.0.5, but I'm running into some problems; this one I'm not able to solve:

karaf at root()> feature:install keycloak-adapter-core
Error executing command: Unable to resolve root: missing requirement [root] osgi.identity; osgi.identity=keycloak-adapter-core; type=karaf.feature; version="[2.0.0.CR1,2.0.0.CR1]"; filter:="(&(osgi.identity=keycloak-adapter-core)(type=karaf.feature)(version>=2.0.0.CR1)(version<=2.0.0.CR1))" [caused by: Unable to resolve keycloak-adapter-core/2.0.0.CR1: missing requirement [keycloak-adapter-core/2.0.0.CR1] osgi.identity; osgi.identity=org.keycloak.keycloak-adapter-core; type=osgi.bundle; version="[2.0.0.CR1,2.0.0.CR1]"; resolution:=mandatory [caused by: Unable to resolve org.keycloak.keycloak-adapter-core/2.0.0.CR1: missing requirement [org.keycloak.keycloak-adapter-core/2.0.0.CR1] osgi.wiring.package; filter:="(&(osgi.wiring.package=org.keycloak.authorization.client)(version>=2.0.0.CR1))"]]

It seems that the feature can't find the "org.keycloak.authorization" bundle, how can I fix this?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160626/31362e97/attachment.html

From sthorger at redhat.com Mon Jun 27 02:12:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 27 Jun 2016 08:12:06 +0200
Subject: [keycloak-user] [keycloak-dev] Productized Keycloak now available from Red Hat
In-Reply-To: <576EAD77.10903@redhat.com>
References: <8229327E-240A-44C9-B00C-847A6214BF76@smartling.com> <576EAD77.10903@redhat.com>
Message-ID:

Yes, it's 1.9.8.Final

On 25 June 2016 at 18:12, James Falkner wrote:
> Looks like 1.9.8.
>
> -James
>
> Scott Rossillo
> June 24, 2016 at 3:01 PM
> Well done, guys! Great work and congratulations. Looking forward to continuing to work with the entire team.
>
> PS - what Keycloak version is RH SSO based on?
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> Thomas Darimont
> June 24, 2016 at 4:17 AM
> Congratulations to everyone involved! Well done!
>
> Cheers,
> Thomas
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> Thomas Raehalme
> June 24, 2016 at 4:14 AM
> Congrats to both of you for creating such a great open source product!
>
> Best regards,
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> Stian Thorgersen
> June 23, 2016 at 3:58 PM
> Nearly 4 years ago Bill Burke and myself started two individual proofs of concept, both focusing on making it easier for developers to secure applications and services. Keycloak was born out of combining these two proofs of concept.
> There was barely any overlap and the two perfectly complemented each other.
>
> Fast forward to today and we now have a huge community with over 100 contributors and over 400 forks of our Github repository. It's no longer just myself and Bill working on Keycloak, we now have a strong team working on it and I'm very excited about the future of the project.
>
> You may have noticed that lately we've stopped adding new features and focused on improvements and testing. There's a good reason behind that! We've been working on creating a productized and supported version of Keycloak.
>
> I'm extremely pleased to announce that Red Hat now offers a productized and supported version of Keycloak!
>
> For more details on how to get support for Keycloak check out the product pages at:
> https://access.redhat.com/products/red-hat-single-sign-on
>
> Finally, I'd like to thank everyone that's been involved. All the core developers, quality engineers, others at Red Hat and last but not least our community!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160627/63e9d790/attachment.html

From jdennis at redhat.com Thu Jun 23 16:10:38 2016
From: jdennis at redhat.com (John Dennis)
Date: Thu, 23 Jun 2016 16:10:38 -0400
Subject: [keycloak-user] [keycloak-dev] Productized Keycloak now available from Red Hat
In-Reply-To:
References:
Message-ID: <258226fc-f60c-7fef-2e86-87183a3b25db@redhat.com>

Congratulations to Stian, Bill and the entire Keycloak team. You've produced an impressive and vital product.
A job well done, thank you to everyone for all the hard work.

--
John

From marc.savy at redhat.com Sun Jun 26 06:20:53 2016
From: marc.savy at redhat.com (Marc Savy)
Date: Sun, 26 Jun 2016 11:20:53 +0100
Subject: [keycloak-user] [keycloak-dev] Productized Keycloak now available from Red Hat
In-Reply-To:
References:
Message-ID:

Huge congratulations to the team! This is a fantastic project, and undoubtedly will be a successful product. I think you're in the right place at the right time, with the right team and the right technological approach. I hope everyone who's thinking that they'd like support goes out there and buys it :-).

On 23 June 2016 at 20:58, Stian Thorgersen wrote:
> Nearly 4 years ago Bill Burke and myself started two individual proofs of concept, both focusing on making it easier for developers to secure applications and services. Keycloak was born out of combining these two proofs of concept. There was barely any overlap and the two perfectly complemented each other.
>
> Fast forward to today and we now have a huge community with over 100 contributors and over 400 forks of our Github repository. It's no longer just myself and Bill working on Keycloak, we now have a strong team working on it and I'm very excited about the future of the project.
>
> You may have noticed that lately we've stopped adding new features and focused on improvements and testing. There's a good reason behind that! We've been working on creating a productized and supported version of Keycloak.
>
> I'm extremely pleased to announce that Red Hat now offers a productized and supported version of Keycloak!
>
> For more details on how to get support for Keycloak check out the product pages at:
> https://access.redhat.com/products/red-hat-single-sign-on
>
> Finally, I'd like to thank everyone that's been involved. All the core developers, quality engineers, others at Red Hat and last but not least our community!
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160626/d09a7e98/attachment.html

From Stefan.Kasala at posam.sk Mon Jun 27 03:18:00 2016
From: Stefan.Kasala at posam.sk (KASALA Štefan)
Date: Mon, 27 Jun 2016 07:18:00 +0000
Subject: [keycloak-user] Getting 401 if trying to access app via loadbalancer
In-Reply-To:
References:
Message-ID:

Hello,

we have installed JBoss Overlord Rtgov 2.1.0 which is using Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3; I will name it with hostname app01. We have a load balancer under another hostname lbapp in front of the deployed app. I am able to call the rest interface of RtGov directly on machine app01 but not using lbapp, I get 401 - Unauthorized from Keycloak. My guess is there is some check against the hostname in the http request. Is there some possibility to register aliases with the keycloak to enable calls via the load balancer?

Thanks.

Stefan Kasala
________________________________
This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160627/4e42ca1d/attachment-0001.html

From mposolda at redhat.com Mon Jun 27 05:49:30 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 27 Jun 2016 11:49:30 +0200
Subject: [keycloak-user] Karaf Features problem
In-Reply-To:
References:
Message-ID: <5770F6AA.6020006@redhat.com>

Hi,

it looks like the fuse/karaf adapter might be broken in the latest 2.0.0.CR1 release. Could you please create a JIRA for it?

Thanks,
Marek

On 26/06/16 03:08, Ygor Castor wrote:
> I'm trying to install the keycloak adapter at Karaf 4.0.5, but I'm running into some problems; this one I'm not able to solve:
>
> karaf at root()> feature:install keycloak-adapter-core
> Error executing command: Unable to resolve root: missing requirement [root] osgi.identity; osgi.identity=keycloak-adapter-core; type=karaf.feature; version="[2.0.0.CR1,2.0.0.CR1]"; filter:="(&(osgi.identity=keycloak-adapter-core)(type=karaf.feature)(version>=2.0.0.CR1)(version<=2.0.0.CR1))" [caused by: Unable to resolve keycloak-adapter-core/2.0.0.CR1: missing requirement [keycloak-adapter-core/2.0.0.CR1] osgi.identity; osgi.identity=org.keycloak.keycloak-adapter-core; type=osgi.bundle; version="[2.0.0.CR1,2.0.0.CR1]"; resolution:=mandatory [caused by: Unable to resolve org.keycloak.keycloak-adapter-core/2.0.0.CR1: missing requirement [org.keycloak.keycloak-adapter-core/2.0.0.CR1] osgi.wiring.package; filter:="(&(osgi.wiring.package=org.keycloak.authorization.client)(version>=2.0.0.CR1))"]]
>
> It seems that the feature can't find the "org.keycloak.authorization" bundle, how can I fix this?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160627/5f690b57/attachment.html

From mposolda at redhat.com Mon Jun 27 05:54:53 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 27 Jun 2016 11:54:53 +0200
Subject: [keycloak-user] Keycloak single sign on with Kerberos (AD)
In-Reply-To: <0ABE2BE06E188B4FA117BC5D9D11ECCF5051DCDD@sq9bmexpr03.MONAD.MONERIS.COM>
References: <0ABE2BE06E188B4FA117BC5D9D11ECCF5051DCDD@sq9bmexpr03.MONAD.MONERIS.COM>
Message-ID: <5770F7ED.3070901@redhat.com>

It may help if you enable all the possible debug/trace logging and post the log here. This may give more info on what the issue is. See the docs on how to enable logging: https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/authentication/kerberos.html

Try to send the log from the point once you trigger the authentication request (or from the point when you hit your app URL).

Thanks,
Marek

On 24/06/16 20:22, Zhou, Limin (Ray) wrote:
>
> Hello everyone
>
> I am new to Keycloak and new to here
>
> Our web application is running on Jboss EAP 7. We have configured KeyCloak standalone server 1.9.7 running on a different port (same server box) to manage the user authentication and authorization; behind KeyCloak we have configured Kerberos in User Federation to talk to our company AD server. We are able to login by using our AD account, but not in a single sign on way: each time when we hit our app URL, the Keycloak login page will show up.
>
> It looks like the TGT or ST handshake was not successful, is there any document I can reference to debug the issue?
>
> Any comments or suggestion would be very welcome
>
> thanks in advance
>
> raymond
>
> ------------------------------------------------------------------------
> Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
> If you wish to unsubscribe from future updates from Moneris, please click here.
> Please see the Moneris Privacy Policy here.
>
> This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
> ------------------------------------------------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160627/3ab9f1ca/attachment.html

From haimv at perfectomobile.com Mon Jun 27 05:59:10 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Mon, 27 Jun 2016 09:59:10 +0000
Subject: [keycloak-user] Listing all realm users programmatically
Message-ID:

Hi,

Is there a way to list all realm users programmatically via the API? Also, is there a way to delete all of them?
I think I should use the below, however what should I insert in the search method for getting all the users?

keyCloakClient.realms().realm(realmName).users().search()

Thanks,
Haim.

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160627/d9083dec/attachment.html

From ygorcastor at gmail.com Mon Jun 27 07:09:13 2016
From: ygorcastor at gmail.com (Ygor Castor)
Date: Mon, 27 Jun 2016 11:09:13 +0000
Subject: [keycloak-user] Karaf Features problem
In-Reply-To: <5770F6AA.6020006@redhat.com>
References: <5770F6AA.6020006@redhat.com>
Message-ID:

Done! Issue KEYCLOAK-3194.

On Mon, 27 Jun 2016 at 06:49, Marek Posolda wrote:
> Hi,
>
> it looks like the fuse/karaf adapter might be broken in the latest 2.0.0.CR1 release. Could you please create a JIRA for it?
>
> Thanks,
> Marek
>
> On 26/06/16 03:08, Ygor Castor wrote:
> I'm trying to install the keycloak adapter at Karaf 4.0.5, but I'm running
> into some problems; this one I'm not able to solve:
>
> karaf at root()> feature:install keycloak-adapter-core
> Error executing command: Unable to resolve root: missing requirement
> [root] osgi.identity; osgi.identity=keycloak-adapter-core;
> type=karaf.feature; version="[2.0.0.CR1,2.0.0.CR1]";
> filter:="(&(osgi.identity=keycloak-adapter-core)(type=karaf.feature)(version>=2.0.0.CR1)(version<=2.0.0.CR1))"
> [caused by: Unable to resolve keycloak-adapter-core/2.0.0.CR1: missing
> requirement [keycloak-adapter-core/2.0.0.CR1] osgi.identity;
> osgi.identity=org.keycloak.keycloak-adapter-core; type=osgi.bundle;
> version="[2.0.0.CR1,2.0.0.CR1]"; resolution:=mandatory [caused by: Unable
> to resolve org.keycloak.keycloak-adapter-core/2.0.0.CR1: missing
> requirement [org.keycloak.keycloak-adapter-core/2.0.0.CR1]
> osgi.wiring.package;
> filter:="(&(osgi.wiring.package=org.keycloak.authorization.client)(version>=2.0.0.CR1))"]]
>
> It seems that the feature can't find the "org.keycloak.authorization"
> bundle. How can I fix this?
From mposolda at redhat.com Mon Jun 27 08:07:29 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 27 Jun 2016 14:07:29 +0200
Subject: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client
In-Reply-To: <77146ca6-9427-6b00-ba02-bf37daca0685@intrahouse.com>
References: <77146ca6-9427-6b00-ba02-bf37daca0685@intrahouse.com>
Message-ID: <57711701.6020207@redhat.com>

I think your possibilities are either:

- Use a different client for keycloak.js (public client) and a different client for your confidential servlet application

- Don't use keycloak.js at all, but instead do some HTTP filter to deal with "autologin". You will manually try to redirect to Keycloak with "prompt=none". If the user is not logged in, Keycloak will redirect back to the callback redirect_uri, where you recognize if there is a "code" or "error" parameter, and based on that you know if the user is logged in or not. If the user is logged in, you can redirect to the secured URL to properly trigger the authentication process (maybe you can optimize this step by reusing the "code" which you already have and directly opening the secured URI with it, but I am not 100% sure if it works, considering that you also need the correct "state" etc.). Otherwise, you can set some state or something to recognize that autologin has already been tried unsuccessfully.

Maybe you can create a JIRA to request "autologin" support for other types of clients than public keycloak.js clients.

Marek

On 25/06/16 11:44, Tomás García wrote:
>
> Hi,
>
> I wonder if it's possible to just check the SSO state with a
> confidential client. My use case is the following one:
>
> - I have a website which uses a confidential client to login with
> Keycloak.
>
> - I want to add autologin to this website.
>
> - So I use the javascript adapter with the following option object for
> the init method: { onLoad: 'check-sso' }. The javascript adapter is
> built without the secret key in its constructor (obviously if I put
> the secret key in there, there's no point in using a confidential client
> at all).
>
> But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR,
> error=invalid_client_credentials" error.
>
> So I don't know how feasible or secure it is to just check that the
> Keycloak session inside the cookie of the user's browser is still
> valid. In my case, the browser doesn't need to get the user info,
> access token, etc., because what I'll do is redirect the user to the
> Keycloak login page with the confidential client afterwards if the
> operation is successful. Since the Keycloak session is valid, Keycloak
> should redirect back with the authentication code without asking the
> user for credentials.
>
> Additional note: the CORS header isn't added to 400 responses in
> Keycloak, so it was a bit confusing looking at the JS console in the
> browser, because it complained about CORS but it was just Keycloak
> giving the 400 response without the allow-origin header.
>
> Thanks.
>
> --
> Tomás García Pérez
> Software Developer
> IntraHouse

From thomas.darimont at googlemail.com Mon Jun 27 08:49:29 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 27 Jun 2016 14:49:29 +0200
Subject: [keycloak-user] Listing all realm users programmatically

Hello Haim,

I think the following does what you are looking for.
    int pageIndex = 0;
    int pageSize = 1000;
    String realmName = "master";
    List<UserRepresentation> results = keycloak.realm(realmName).users()
            .search(null, null, null, null, pageIndex * pageSize, pageSize);

where keycloak is an org.keycloak.admin.client.Keycloak.

Cheers,
Thomas

2016-06-27 11:59 GMT+02:00 Haim Vana:
> Hi,
>
> Is there a way to list all realm users programmatically via the API? Also,
> is there a way to delete all of them?
>
> I think I should use the below, however what should I insert in the search
> method for getting all the users?
>
> keyCloakClient.realms().realm(realmName).users().search()
>
> Thanks,
> Haim.

From haimv at perfectomobile.com Mon Jun 27 08:51:37 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Mon, 27 Jun 2016 12:51:37 +0000
Subject: [keycloak-user] Listing all realm users programmatically

Thanks, it will work.

I wonder if they have bulk operations in the API, for example for deleting all users; now I have to get all of them and delete them one by one.
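To tie Thomas's paging call to Haim's follow-up about deleting everyone, here is an added example (not code from this thread or from the Keycloak project) that walks every page of users().search(...) and then removes the users one by one through the same admin client. The server URL, realm name, admin credentials and the "keep" rule are placeholders and assumptions; the "service-account-" username prefix is the convention Keycloak uses for client service-account users.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Added example for this thread, not Keycloak's own code. Lists every user of a
 * realm by paging through users().search(...) and, because the admin REST API
 * has no bulk delete, removes them one at a time. Needs keycloak-admin-client
 * (and its RESTEasy dependencies) on the classpath.
 */
public class RealmUserSweep {

    /** Same page size as in Thomas's snippet. */
    private static final int PAGE_SIZE = 1000;

    /** Returns all users of the realm by advancing the firstResult offset page by page. */
    public static List<UserRepresentation> listAllUsers(UsersResource users) {
        List<UserRepresentation> all = new ArrayList<>();
        int offset = 0;
        while (true) {
            // username, firstName, lastName, email == null: no filter, i.e. every user
            List<UserRepresentation> page =
                    users.search(null, null, null, null, offset, PAGE_SIZE);
            all.addAll(page);
            if (page.size() < PAGE_SIZE) {
                return all;          // short page: nothing more to fetch
            }
            offset += PAGE_SIZE;
        }
    }

    /**
     * Deletes every user for which keep.test(user) is false and returns how many
     * were (or, in a dry run, would be) deleted.
     *
     * Unlike listing, the offset is advanced only past users that stay: each
     * DELETE shifts the remaining users down, so re-using the plain listing
     * loop here would silently skip every other page.
     */
    public static int deleteAllUsers(UsersResource users,
                                     Predicate<UserRepresentation> keep,
                                     boolean dryRun) {
        int deleted = 0;
        int offset = 0;
        while (true) {
            List<UserRepresentation> page =
                    users.search(null, null, null, null, offset, PAGE_SIZE);
            if (page.isEmpty()) {
                return deleted;
            }
            for (UserRepresentation u : page) {
                if (keep.test(u)) {
                    offset++;        // stays in the realm, step over it next round
                    continue;
                }
                if (dryRun) {
                    offset++;        // nothing removed, so the list does not shift
                } else {
                    users.get(u.getId()).remove();   // DELETE /admin/realms/{realm}/users/{id}
                }
                deleted++;
            }
        }
    }

    public static void main(String[] args) {
        // Placeholders: your own server and an admin with manage-users on the target realm.
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth", "master", "admin", "ADMIN-PASSWORD", "admin-cli");
        String realmName = "demo";   // placeholder realm
        UsersResource users = keycloak.realm(realmName).users();

        System.out.println(realmName + " has " + listAllUsers(users).size() + " users");

        // Guard rails: never remove the account the client authenticates as
        // (relevant when realmName is "master"), and leave Keycloak's client
        // service-account users (username prefix "service-account-") alone.
        Predicate<UserRepresentation> keep = u ->
                "admin".equals(u.getUsername())
                || u.getUsername().startsWith("service-account-");

        int n = deleteAllUsers(users, keep, true);   // dry run first
        System.out.println("dry run: would delete " + n + " users in " + realmName);
        // Re-run with dryRun = false once the count looks right.
    }
}
```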
From lholmqui at redhat.com Mon Jun 27 08:51:41 2016
From: lholmqui at redhat.com (Luke Holmquist)
Date: Mon, 27 Jun 2016 08:51:41 -0400
Subject: [keycloak-user] Listing all realm users programmatically

If you are open to using JavaScript, you could also use some of the methods here: https://github.com/bucharest-gold/keycloak-admin-client

On Mon, Jun 27, 2016 at 5:59 AM, Haim Vana wrote:
> Hi,
>
> Is there a way to list all realm users programmatically via the API? Also
> is there a way to delete all of them?
>
> I think I should use the below, however what should I insert in the search
> method for getting all the users?
>
> keyCloakClient.realms().realm(realmName).users().search()
>
> Thanks,
> Haim.
From leo.nunes at gjccorp.com.br Mon Jun 27 09:38:08 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Mon, 27 Jun 2016 13:38:08 +0000
Subject: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client
In-Reply-To: <57711701.6020207@redhat.com>

Marek,

I tried to manually call the Keycloak login URL with prompt=none, but it didn't redirect back to my redirect_uri; instead it stayed at the login page.

Below is an example of the login URL I'm calling:

http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&response_mode=fragment&response_type=code&client_id=app-web&prompt=none

I need a URL to call to know if the user is logged in or not without being redirected to the login page. I need this because KeycloakSecurityContext is not available at unrestricted URLs.

--
Leonardo Nunes

From: Marek Posolda
Date: Monday, 27 June 2016 09:07
To: Tomás García, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client

I think your possibilities are either:

- Use a different client for keycloak.js (public client) and a different client for your confidential servlet application

- Don't use keycloak.js at all, but instead do some HTTP filter to deal with "autologin". You will manually try to redirect to Keycloak with "prompt=none". If the user is not logged in, Keycloak will redirect back to the callback redirect_uri, where you recognize if there is a "code" or "error" parameter, and based on that you know if the user is logged in or not. If the user is logged in, you can redirect to the secured URL to properly trigger the authentication process (maybe you can optimize this step by reusing the "code" which you already have and directly opening the secured URI with it, but I am not 100% sure if it works, considering that you also need the correct "state" etc.). Otherwise, you can set some state or something to recognize that autologin has already been tried unsuccessfully.

Maybe you can create a JIRA to request "autologin" support for other types of clients than public keycloak.js clients.

Marek

[...]

________________________________
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

From aikeaguinea at xsmail.com Mon Jun 27 10:44:17 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Mon, 27 Jun 2016 10:44:17 -0400
Subject: [keycloak-user] [keycloak-dev] Productized Keycloak now available from Red Hat
References: <8229327E-240A-44C9-B00C-847A6214BF76@smartling.com> <576EAD77.10903@redhat.com>
Message-ID: <1467038657.421478.649728969.64CF544D@webmail.messagingengine.com>

Great news! Thanks for all the work you've done.
I'm noticing on the "Component Details" page that Twitter4j and Zebra Crossing are listed as integrated into Red Hat SSO. I would be interested in knowing the role these components play.

On Mon, Jun 27, 2016, at 02:12 AM, Stian Thorgersen wrote:
> Yes, it's 1.9.8.Final
>
> On 25 June 2016 at 18:12, James Falkner wrote:
>> Looks like 1.9.8[1].
>>
>> -James
>>
>>> Scott Rossillo[2]
>>> June 24, 2016 at 3:01 PM
>>> Well done, guys! Great work and congratulations. Looking forward to
>>> continuing to work with the entire team.
>>>
>>> PS - what Keycloak version is RH SSO based on?
>>>
>>> Best,
>>> Scott
>>>
>>> Scott Rossillo
>>> Smartling | Senior Software Engineer
>>> srossillo at smartling.com
>>>
>>> Thomas Darimont[3]
>>> June 24, 2016 at 4:17 AM
>>>
>>> Congratulations to everyone involved! Well done!
>>>
>>> Cheers,
>>> Thomas
>>>
>>> Thomas Raehalme[4]
>>> June 24, 2016 at 4:14 AM
>>>
>>> Congrats to both of you for creating such a great open source
>>> product!
>>> Best regards, Thomas
>>>
>>> Stian Thorgersen[5]
>>> June 23, 2016 at 3:58 PM
>>>
>>> Nearly 4 years ago Bill Burke and I started two individual
>>> proofs of concept, both focusing on making it easier for developers
>>> to secure applications and services. Keycloak was born out of
>>> combining these two proofs of concept. There was barely any overlap
>>> and the two perfectly complemented each other.
>>>
>>> Fast forward to today and we now have a huge community with over 100
>>> contributors and over 400 forks of our GitHub repository. It's no
>>> longer just myself and Bill working on Keycloak; we now have a
>>> strong team working on it and I'm very excited about the future of
>>> the project.
>>>
>>> You may have noticed that lately we've stopped adding new features
>>> and focused on improvements and testing. There's a good reason
>>> behind that! We've been working on creating a productized and
>>> supported version of Keycloak.
>>>
>>> I'm extremely pleased to announce that Red Hat now offers a
>>> productized and supported version of Keycloak!
>>>
>>> For more details on how to get support for Keycloak check out the
>>> product pages at:
>>> https://access.redhat.com/products/red-hat-single-sign-on
>>>
>>> Finally, I'd like to thank everyone that's been involved. All the
>>> core developers, quality engineers, others at Red Hat and last but
>>> not least our community!

--
Aikeaguinea
aikeaguinea at xsmail.com

Links:
1. https://access.redhat.com/articles/2342881
2. mailto:srossillo at smartling.com
3. mailto:thomas.darimont at googlemail.com
4. mailto:thomas.raehalme at aitiofinland.com
5. mailto:sthorger at redhat.com
From chairfield at gmail.com Mon Jun 27 11:45:00 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Mon, 27 Jun 2016 15:45:00 +0000
Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users

Stian,

I've noticed some interesting things:

- When the user cache is enabled, creating a user allocates a block of memory that cannot be GC'd
- When I restart Keycloak after creating those users, that memory is not re-allocated

This begs the question: what is the purpose of the memory allocation on user creation if it doesn't need to stick around upon restart?

It seems to me that the user cache is keeping more than 10k users on user creation. Does this hypothesis agree with your understanding of Keycloak's design?

Thanks,
Chris

P.S. I have yet to test authentication load.

On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield wrote:
> There seems to be a leak when enabling the user cache, even when providing
> Keycloak with all the memory it needs to perform admirably (initially). My
> heap drops to 3.4 GB when I perform a manual GC.
>
> I'm now seeing a number of PessimisticLockExceptions as it fails to lock
> the USER_ENTITY table. I expect Keycloak to have ground to a halt by the
> morning.
>
> [image: test8-graph.png]
>
> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield wrote:
>> I am only testing creating users. With the user cache disabled, I see no
>> evidence of a memory leak at many JVM heap-size settings.
>>
>> Things get interesting when re-enabling the user cache. Performance seems
>> to take a major hit in lower-memory scenarios, with some very worrisome
>> scenarios where the rate at which I ingest continuously decreases.
>>
>> I am able to create users at a high rate of speed with a max heap size of
>> 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower than
>> the Xmx setting, which goes against official JBoss GC performance tuning
>> documentation.
>>
>> Though speeds are high with a large heap, I *do* see the possibility of
>> a memory leak with the user cache enabled and no authentication happening.
>> I will be running a test overnight to attempt to confirm or deny.
>>
>> Thanks for your help so far, Stian. I will be on vacation tomorrow
>> through Sunday, so I will pick this back up on Monday.
>>
>> P.S. I will be thinking of ways to better the documentation around
>> performance tuning, as my tests indicate that standard JVM options cause
>> Keycloak to run in a very sub-optimal state.
>>
>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen wrote:
>>> Are you only creating users or are you also authenticating users? User
>>> sessions are kept purely in memory so obviously the more you create the
>>> more memory is used. Only creating users should not continue to increase,
>>> but will do so for a while at least due to the way Java garbage collection
>>> works.
>>>
>>> I would only have the user cache disabled for testing the memory leak.
>>> Re-enable it and retest with it before you eventually go into production as
>>> it will have a significant impact on performance.
>>>
>>> On 23 June 2016 at 01:10, Chris Hairfield wrote:
>>>> Scratch the results of the graph I posted. I was running the test
>>>> incorrectly. I'll post back with the results of the test run properly.
>>>>
>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield wrote:
>>>>> Thomas, this test is run with whatever local database Keycloak
>>>>> defaults to. We're using Postgres generally, and we will have more
>>>>> information pertaining to tests against Postgres soon.
>>>>>
>>>>> Stian, thanks for the tips. I am currently running a test to ingest
>>>>> about 50m users into the default database with the user cache disabled, 8gb
>>>>> mem (Xmx and Xms), and parallel GC threads == processor count.
>>>>>
>>>>> Though my test is young (430k users ingested), I'm noticing memory
>>>>> allocation increasing in lockstep with the number of ingested users. Is it
>>>>> expected to continue in this fashion, or is Keycloak designed to level off
>>>>> in its memory usage?
>>>>>
>>>>> [image: increasing-heap.png]
>>>>>
>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen wrote:
>>>>>> Keycloak by default caches users in-memory; by default it will keep
>>>>>> up to 10000 entries cached. You can verify that there's no leak by
>>>>>> disabling the user cache provider. See
>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cache.html#d4e3187
>>>>>>
>>>>>> If you're planning on having millions of users I suggest you increase
>>>>>> the allocated memory for the JVM (512MB, which it seems you have, is not
>>>>>> sufficient).
>>>>>>
>>>>>> On 22 June 2016 at 00:29, Chris Hairfield wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> When testing Keycloak 1.9.8 by ingesting a few million users, we
>>>>>>> find that Keycloak leaks memory until it is rendered unresponsive (see
>>>>>>> graph). Increasing JVM memory only increases the time it takes to encounter
>>>>>>> this issue.
>>>>>>>
>>>>>>> We have put together a test project here and opened an issue
>>>>>>> here as we continue to investigate. As we are relying on Keycloak as a
>>>>>>> central infrastructural component, any help would be greatly appreciated.
>>>>>>>
>>>>>>> We'll update with more information as we find it.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Chris
>>>>>>>
>>>>>>> [image: mem-cpu.png]

From chairfield at gmail.com Mon Jun 27 12:03:36 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Mon, 27 Jun 2016 16:03:36 +0000
Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users

One more important note: that memory cannot be GC'd even *after* I manually clear the user and realm caches.

To be specific, upon adding 71k users, I noticed an extra 50mb was allocated. Clearing the user and realm caches allowed me to GC 3mb of that. The only way I know how to clear the remaining 47mb is by restarting Keycloak.
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160627/0421952a/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: mem-cpu.png Type: image/png Size: 100050 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160627/0421952a/attachment-0003.png -------------- next part -------------- A non-text attachment was scrubbed... Name: increasing-heap.png Type: image/png Size: 11436 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160627/0421952a/attachment-0004.png -------------- next part -------------- A non-text attachment was scrubbed... Name: test8-graph.png Type: image/png Size: 46063 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160627/0421952a/attachment-0005.png From guydavis.ca at gmail.com Mon Jun 27 15:19:03 2016 From: guydavis.ca at gmail.com (Guy Davis) Date: Mon, 27 Jun 2016 13:19:03 -0600 Subject: [keycloak-user] Does Keycloak's SPNEGO support include fall-back to NTLM in absence of Kerberos? Message-ID: Good day, For sake of argument, assume that someone has set up a MS Active Directory domain with Kerberos disabled, but NTLM still enabled. In that situation, would a user browsing to a Keycloak-protected application, with LDAP+SPNEGO enabled (against that MS AD system) still allow for Integrated Windows Authentication (auto-login without prompt) to web application? Thanks much, Guy -------------- next part -------------- An HTML attachment was scrubbed... 
From tomas at intrahouse.com Mon Jun 27 18:20:12 2016
From: tomas at intrahouse.com (Tomás García)
Date: Mon, 27 Jun 2016 23:20:12 +0100
Subject: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client
In-Reply-To: <57711701.6020207@redhat.com>
References: <77146ca6-9427-6b00-ba02-bf37daca0685@intrahouse.com> <57711701.6020207@redhat.com>
Message-ID: <30d2a697-e2a4-cc71-dfac-d8309599f16d@intrahouse.com>

On 06/27/2016 01:07 PM, Marek Posolda wrote:
> I think your possibilities are either:
> - Use different client for keycloak.js (public client) and different client for your confidential servlet application

I thought about it, but at the moment I thought about what is the point of having the confidential client if the public one is needed, I discarded that option. Since the autologin affects the same website, there's no point to have two clients attacking the same resource. The public client is the weakest link of the chain, so having a secret key doesn't add anything to security; only for accountability, maybe.

> - Don't use keycloak.js at all, but instead do some HTTP Filter to deal with "autologin". You will manually try to redirect to keycloak with "prompt=none". If user is not logged, keycloak will redirect back to the callback redirect_uri, where you recognize if there is "code" or "error" parameter and based on that, you know if user is logged or not. If user is logged, you can redirect to secured URL to properly trigger authentication process (maybe you can optimize this step by reuse the "code", which you already have and directly open the secured URI with it, but I am not 100% sure if it works with considering that you also need correct "state" etc.) Otherwise, you can set some state or something, to recognize that autologin has been already unsuccessfully tried.
Oh well, it's a website made in PHP, not a servlet, but the same idea can be applied. But I had to discard that option too due to technical reasons: I'm not exactly in control of the whole website, since I'm adding the autologin to a project I didn't work on in the past, which isn't as well engineered for extensibility as Keycloak :).

> Maybe you can create JIRA to request support "autologin" for other types of clients than public keycloak.js clients.

Thanks, Marek. I'll think about it. It's very likely that I'll open a JIRA issue to discuss this further.

> Marek
>
> On 25/06/16 11:44, Tomás García wrote:
>> Hi,
>>
>> I wonder if it's possible to just check the SSO state with a confidential client. My use case is the following one:
>>
>> - I have a website which uses a confidential client to login with Keycloak.
>>
>> - I want to add autologin to this website.
>>
>> - So I use the javascript adapter with the following option object for the init method: { onLoad: 'check-sso' }. The javascript adapter is built without the secret key in its constructor (obviously if I put the secret key in there, there's no point to use a confidential client at all).
>>
>> But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR, error=invalid_client_credentials" error.
>>
>> So I don't know how feasible or secure it is to just check that the Keycloak session inside the cookie of the user's browser is still valid. In my case, the browser doesn't need to get the user info, access token, etc, because what I'll do is redirect the user to the Keycloak login page with the confidential client afterwards if the operation is successful. Since the Keycloak session is valid, Keycloak should redirect back with the authentication code without asking credentials to the user.
>> Additional note: the CORS header isn't added to 400 responses in Keycloak, so it was a bit confusing looking at the JS console in the browser, because it complained about CORS but it was just Keycloak giving the 400 response without the allow-origin header.
>>
>> Thanks.
>>
>> --
>> Tomás García Pérez
>> Software Developer
>> IntraHouse
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Tomás García Pérez
Software Developer
IntraHouse

From mposolda at redhat.com Tue Jun 28 02:00:56 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 28 Jun 2016 08:00:56 +0200
Subject: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client
Message-ID: <57721298.50909@redhat.com>

Not sure why prompt=none doesn't work as expected... Are you manually opening this URL? Maybe it will help if you url-encode the value of redirect_uri parameter (in your example it's not encoded).

Marek

On 27/06/16 15:38, LEONARDO NUNES wrote:
> Marek, I tried to manually call keycloak login url with prompt=none but it didn't redirect back to my redirect_uri, instead it stayed at the login page.
> Below is an example of the login url i'm calling.
>
> http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&response_mode=fragment&response_type=code&client_id=app-web&prompt=none
>
> I need a URL to call to know if the user is logged in or not without being redirected to the login page.
> I need this because KeycloakSecurityContext is not available at not restricted URLs.
>
> --
> Leonardo Nunes
>
> From: Marek Posolda
> Date: Monday, 27 June 2016 09:07
> To: Tomás García, keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client
>
> I think your possibilities are either:
> - Use different client for keycloak.js (public client) and different client for your confidential servlet application
> - Don't use keycloak.js at all, but instead do some HTTP Filter to deal with "autologin". You will manually try to redirect to keycloak with "prompt=none". If user is not logged, keycloak will redirect back to the callback redirect_uri, where you recognize if there is "code" or "error" parameter and based on that, you know if user is logged or not. If user is logged, you can redirect to secured URL to properly trigger authentication process (maybe you can optimize this step by reuse the "code", which you already have and directly open the secured URI with it, but I am not 100% sure if it works with considering that you also need correct "state" etc.) Otherwise, you can set some state or something, to recognize that autologin has been already unsuccessfully tried.
>
> Maybe you can create JIRA to request support "autologin" for other types of clients than public keycloak.js clients.
>
> Marek
>
> On 25/06/16 11:44, Tomás García wrote:
>> Hi,
>>
>> I wonder if it's possible to just check the SSO state with a confidential client. My use case is the following one:
>>
>> - I have a website which uses a confidential client to login with Keycloak.
>>
>> - I want to add autologin to this website.
>>
>> - So I use the javascript adapter with the following option object for the init method: { onLoad: 'check-sso' }.
>> The javascript adapter is built without the secret key in its constructor (obviously if I put the secret key in there, there's no point to use a confidential client at all).
>>
>> But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR, error=invalid_client_credentials" error.
>>
>> So I don't know how feasible or secure it is to just check that the Keycloak session inside the cookie of the user's browser is still valid. In my case, the browser doesn't need to get the user info, access token, etc, because what I'll do is redirect the user to the Keycloak login page with the confidential client afterwards if the operation is successful. Since the Keycloak session is valid, Keycloak should redirect back with the authentication code without asking credentials to the user.
>>
>> Additional note: the CORS header isn't added to 400 responses in Keycloak, so it was a bit confusing looking at the JS console in the browser, because it complained about CORS but it was just Keycloak giving the 400 response without the allow-origin header.
>>
>> Thanks.
>>
>> --
>> Tomás García Pérez
>> Software Developer
>> IntraHouse
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> ------------------------------------------------------------------------
> Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você não for o destinatário ou a pessoa autorizada a receber esta mensagem, não poderá usar, copiar ou divulgar as informações nela contidas ou tomar qualquer ação baseada nessas informações. Se você recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua cooperação.
>
> This message may contain confidential and/or privileged information.
> If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

From mposolda at redhat.com Tue Jun 28 02:03:40 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 28 Jun 2016 08:03:40 +0200
Subject: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client
In-Reply-To: <30d2a697-e2a4-cc71-dfac-d8309599f16d@intrahouse.com>
References: <77146ca6-9427-6b00-ba02-bf37daca0685@intrahouse.com> <57711701.6020207@redhat.com> <30d2a697-e2a4-cc71-dfac-d8309599f16d@intrahouse.com>
Message-ID: <5772133C.9060501@redhat.com>

On 28/06/16 00:20, Tomás García wrote:
> On 06/27/2016 01:07 PM, Marek Posolda wrote:
>> I think your possibilities are either:
>> - Use different client for keycloak.js (public client) and different client for your confidential servlet application
>
> I thought about it, but at the moment I thought about what is the point of having the confidential client if the public one is needed, I discarded that option. Since the autologin affects the same website, there's no point to have two clients attacking the same resource. The public client is the weakest link of the chain, so having a secret key doesn't add anything to security; only for accountability, maybe.
>
>> - Don't use keycloak.js at all, but instead do some HTTP Filter to deal with "autologin". You will manually try to redirect to keycloak with "prompt=none".
>> If user is not logged, keycloak will redirect back to the callback redirect_uri, where you recognize if there is "code" or "error" parameter and based on that, you know if user is logged or not. If user is logged, you can redirect to secured URL to properly trigger authentication process (maybe you can optimize this step by reuse the "code", which you already have and directly open the secured URI with it, but I am not 100% sure if it works with considering that you also need correct "state" etc.) Otherwise, you can set some state or something, to recognize that autologin has been already unsuccessfully tried.
>
> Oh well, it's a website made in PHP, not a servlet, but the same idea can be applied. But I had to discard that option too due to technical reasons: I'm not exactly in control of the whole website, since I'm adding the autologin to a project I didn't work on in the past, which isn't as well engineered for extensibility as Keycloak :).

If you don't have control over the web-app, then I am not seeing many other possibilities than using some other "helper" client. Doesn't matter if it's public or not. The only purpose of the helper client will be to check "prompt=none" and then either redirect to the secured URI of the real client (if logged) or the public URI of the real client (if not logged). Sorry, no better ideas atm :/

Marek

>> Maybe you can create JIRA to request support "autologin" for other types of clients than public keycloak.js clients.
>
> Thanks, Marek. I'll think about it. It's very likely that I'll open a JIRA issue to discuss this further.
>
>> Marek
>>
>> On 25/06/16 11:44, Tomás García wrote:
>>> Hi,
>>>
>>> I wonder if it's possible to just check the SSO state with a confidential client. My use case is the following one:
>>>
>>> - I have a website which uses a confidential client to login with Keycloak.
>>>
>>> - I want to add autologin to this website.
>>>
>>> - So I use the javascript adapter with the following option object for the init method: { onLoad: 'check-sso' }. The javascript adapter is built without the secret key in its constructor (obviously if I put the secret key in there, there's no point to use a confidential client at all).
>>>
>>> But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR, error=invalid_client_credentials" error.
>>>
>>> So I don't know how feasible or secure it is to just check that the Keycloak session inside the cookie of the user's browser is still valid. In my case, the browser doesn't need to get the user info, access token, etc, because what I'll do is redirect the user to the Keycloak login page with the confidential client afterwards if the operation is successful. Since the Keycloak session is valid, Keycloak should redirect back with the authentication code without asking credentials to the user.
>>>
>>> Additional note: the CORS header isn't added to 400 responses in Keycloak, so it was a bit confusing looking at the JS console in the browser, because it complained about CORS but it was just Keycloak giving the 400 response without the allow-origin header.
>>>
>>> Thanks.
>>>
>>> --
>>> Tomás García Pérez
>>> Software Developer
>>> IntraHouse
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Tomás García Pérez
> Software Developer
> IntraHouse

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160628/03f6aaa2/attachment.html From sthorger at redhat.com Tue Jun 28 02:29:22 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 28 Jun 2016 08:29:22 +0200 Subject: [keycloak-user] [keycloak-dev] Productized Keycloak now available from Red Hat In-Reply-To: <1467038657.421478.649728969.64CF544D@webmail.messagingengine.com> References: <8229327E-240A-44C9-B00C-847A6214BF76@smartling.com> <576EAD77.10903@redhat.com> <1467038657.421478.649728969.64CF544D@webmail.messagingengine.com> Message-ID: Twitter4j is used for social login with Twitter. ZXing is used to create QR-codes to let users easily setup FreeOTP / Google Authenticator for OTP. On 27 June 2016 at 16:44, Aikeaguinea wrote: > Great news! Thanks for all the work you've done. > > I'm noticing on the "Component Details" page that Twitter4j and Zebra > Crossing are listed as integrated into Red Hat SSO. I would be interested > in knowing the role these components play. > > > On Mon, Jun 27, 2016, at 02:12 AM, Stian Thorgersen wrote: > > Yes, it's 1.9.8.Final > > On 25 June 2016 at 18:12, James Falkner wrote: > > Looks like 1.9.8 . > > -James > > > > Scott Rossillo > June 24, 2016 at 3:01 PM > Well done, guys! Great work and congratulations. Looking forward to > continuing to work with the entire team. > > PS - what Keycloak version is RH SSO based? > > Best, > Scott > > Scott Rossillo > Smartling | Senior Software Engineer > srossillo at smartling.com > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > Thomas Darimont > June 24, 2016 at 4:17 AM > > Congratulations to everyone involved! Well done! 
> > Cheers, > Thomas > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > Thomas Raehalme > June 24, 2016 at 4:14 AM > > > Congrats to both of you for creating such a great open source product! > > Best regards, > Thomas > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > Stian Thorgersen > June 23, 2016 at 3:58 PM > > > For nearly 4 years ago Bill Burke and myself started two individual proof > of concepts, both focusing on making it easier for developers to securing > applications and services. Keycloak was born out of combining these two > proof of concepts. There was barely any overlap and the two perfectly > complemented each other. > > Fast forward to today and we now have a huge community with over 100 > contributors and over 400 forks of our Github repository. It's no longer > just myself and Bill working on Keycloak, we now have a strong team working > on it and I'm very exited about the future of the project. > > You may have noticed that lately we've stopped adding new features and > focused on improvements and testing. There's a good reason behind that! > We've been working on creating a productized and supported version of > Keycloak. > > I'm extremely pleased to announce that Red Hat now offers a productized > and supported version of Keycloak! > > For more details on how to get support for Keycloak check out the product > pages at: > https://access.redhat.com/products/red-hat-single-sign-on > > Finally, I'd like to thank everyone that's been involved. All the core > developers, quality engineers, others at Red Hat and last but not least our > community! 
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > *_______________________________________________* > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Aikeaguinea > aikeaguinea at xsmail.com > > > > -- http://www.fastmail.com - Or how I learned to stop worrying and > love email again > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160628/3fe6f07c/attachment-0001.html From sthorger at redhat.com Tue Jun 28 02:47:48 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 28 Jun 2016 08:47:48 +0200 Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users In-Reply-To: References: Message-ID: We have had our QE guys confirm this issue and it looks like something ominous is going on. On 27 June 2016 at 17:45, Chris Hairfield wrote: > Stian, > > I've noticed some interesting things: > > - When the user cache in enabled, creating a user allocates a block on > memory that cannot be GC'd > - When I restart Keycloak after creating those users, that memory is > not re-allocated > > This begs the question: what is the purpose of the memory allocation on > user creation if it doesn't need to stick around upon restart? > Creating a new user is expected to consume memory that can't be GC'd due to the caching. 
Upon restart the users are loaded on demand into the cache (user logs in or through admin console/endpoints). > > It seems to me that the user cache is keeping more than 10k users on user > creation. Does this hypothesis agree with your understanding of Keycloak's > design? > By default it should only keep 10K users in memory. Once it hits 10K the least recently used should entries should be evicted from the cache. However, it seems this is not working properly. > > Thanks, > Chris > > P.S. I have yet to test authentication load. > > On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield > wrote: > >> There seems to be a leak when enabling the user cache, even when >> providing Keycloak with all the memory it needs to perform admirably >> (initially). My heap drops to 3.4 GB when I perform a manual GC. >> >> I'm now seeing a number of PessimisticLockExceptions as it fails to lock >> the USER_ENTITY table. I expect Keycloak to have ground to a halt by the >> morning.[image: test8-graph.png] >> >> >> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield >> wrote: >> >>> I am only testing creating users. With the user cache disabled, I see no >>> evidence of a memory leak at many JVM heap-size settings. >>> >>> Things get interesting when re-enabling the user cache. Performance >>> seems to take a major hit in lower-memory scenarios, with some very >>> worrisome scenarios where the rate at which I ingest continuously decreases. >>> >>> I am able to create users at a high rate of speed with a max heap size >>> of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower >>> than the Xmx setting, which goes against official JBoss GC performance >>> tuning documentation >>> >>> . >>> >>> Though speeds are high with a large heap, I *do* see the possibility of >>> a memory leak with the user cache enabled and no authentication happening. >>> I will be running a test overnight to attempt to confirm or deny. >>> >>> Thanks for your help so far, Stian. 
I will be on vacation tomorrow >>> through Sunday, so I will pick this back up on Monday. >>> >>> P.S. I will be thinking of ways to better the documentation around >>> performance tuning, as my tests indicate that standard JVM options cause >>> Keycloak to run in a very sub-optimal state. >>> >>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen >>> wrote: >>> >>>> Are you only creating users or are you also authenticating users? User >>>> sessions are kept purely in memory so obviously the more you create the >>>> more memory is used. Only creating users should not continue to increase, >>>> but will do so for a while at least due to the way Java garbage collection >>>> works. >>>> >>>> I would only have the user cache disabled for testing memory leak. >>>> Re-enable it and retest with it before you eventually go into production as >>>> it will have a significant impact on performance. >>>> >>>> On 23 June 2016 at 01:10, Chris Hairfield wrote: >>>> >>>>> Scratch the results of the graph I posted. I was running the test >>>>> incorrectly. I'll post back with the results of the test run properly. >>>>> >>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield >>>>> wrote: >>>>> >>>>>> Thomas, this test is run with whatever local database Keycloak >>>>>> defaults to. We're using Postgres generally, and we will have more >>>>>> information pertaining to tests against Postgres soon. >>>>>> >>>>>> Stian, thanks for the tips. I am currently running a test to ingest >>>>>> about 50m users into the default database with the user cache disabled, 8gb >>>>>> mem (Xmx and Xms), and parallel GC threads == processor count. >>>>>> >>>>>> Though my test is young (430k users ingested), I'm noticing memory >>>>>> allocation increasing in lockstep with the number of ingested users. Is it >>>>>> expected to continue in this fashion, or is Keycloak designed to level off >>>>>> in its memory usage? 
>>>>>> >>>>>> [image: increasing-heap.png] >>>>>> >>>>>> >>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen >>>>>> wrote: >>>>>> >>>>>>> Keycloak by default caches users in-memory, by default it will keep >>>>>>> up to 10000 entries cached. You can verify that there's no leak by >>>>>>> disabling the user cache provider. See >>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cache.html#d4e3187 >>>>>>> >>>>>>> If you're planning on having millions of users I suggest you >>>>>>> increase the allocated memory for the JVM (512MB which it seems you have is >>>>>>> not sufficient). >>>>>>> >>>>>>> On 22 June 2016 at 00:29, Chris Hairfield >>>>>>> wrote: >>>>>>> >>>>>>>> Hello, >>>>>>>> >>>>>>>> When testing Keycloak 1.9.8 by ingesting a few million users, we >>>>>>>> find that Keycloak leaks memory until it is rendered unresponsive (see >>>>>>>> graph). Increasing JVM memory only increases the time it takes to encounter >>>>>>>> this issue. >>>>>>>> >>>>>>>> We have put together a test project here >>>>>>>> and opened an >>>>>>>> issue here as we >>>>>>>> continue to investigate. As we are relying on Keycloak as a central >>>>>>>> infrastructural component, any help would be greatly appreciated. >>>>>>>> >>>>>>>> We'll update with more information as we find it. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Chris >>>>>>>> >>>>>>>> [image: mem-cpu.png] >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160628/60eef221/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... 
Name: test8-graph.png Type: image/png Size: 46063 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160628/60eef221/attachment-0003.png -------------- next part -------------- A non-text attachment was scrubbed... Name: mem-cpu.png Type: image/png Size: 100050 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160628/60eef221/attachment-0004.png -------------- next part -------------- A non-text attachment was scrubbed... Name: increasing-heap.png Type: image/png Size: 11436 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160628/60eef221/attachment-0005.png From sthorger at redhat.com Tue Jun 28 04:13:14 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 28 Jun 2016 10:13:14 +0200 Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users In-Reply-To: References: Message-ID: I've confirmed the issue now and found the cause: https://issues.jboss.org/browse/KEYCLOAK-3202 The leak is in realmVersion cache. A workaround is to set a eviction policy on this cache, for example LRU 10000. On 28 June 2016 at 08:47, Stian Thorgersen wrote: > We have had our QE guys confirm this issue and it looks like > something ominous is going on. > > On 27 June 2016 at 17:45, Chris Hairfield wrote: > >> Stian, >> >> I've noticed some interesting things: >> >> - When the user cache in enabled, creating a user allocates a block >> on memory that cannot be GC'd >> - When I restart Keycloak after creating those users, that memory is >> not re-allocated >> >> This begs the question: what is the purpose of the memory allocation on >> user creation if it doesn't need to stick around upon restart? >> > > Creating a new user is expected to consume memory that can't be GC'd due > to the caching. Upon restart the users are loaded on demand into the cache > (user logs in or through admin console/endpoints). 
>> It seems to me that the user cache is keeping more than 10k users on user
>> creation. Does this hypothesis agree with your understanding of Keycloak's
>> design?
>
> By default it should only keep 10K users in memory. Once it hits 10K the
> least recently used entries should be evicted from the cache.
> However, it seems this is not working properly.
>
>> Thanks,
>> Chris
>>
>> P.S. I have yet to test authentication load.
>>
>> On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield wrote:
>>
>>> There seems to be a leak when enabling the user cache, even when
>>> providing Keycloak with all the memory it needs to perform admirably
>>> (initially). My heap drops to 3.4 GB when I perform a manual GC.
>>>
>>> I'm now seeing a number of PessimisticLockExceptions as it fails to lock
>>> the USER_ENTITY table. I expect Keycloak to have ground to a halt by the
>>> morning. [image: test8-graph.png]
>>>
>>> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield wrote:
>>>
>>>> I am only testing creating users. With the user cache disabled, I see
>>>> no evidence of a memory leak at many JVM heap-size settings.
>>>>
>>>> Things get interesting when re-enabling the user cache. Performance
>>>> seems to take a major hit in lower-memory scenarios, with some very
>>>> worrisome scenarios where the rate at which I ingest continuously decreases.
>>>>
>>>> I am able to create users at a high rate of speed with a max heap size
>>>> of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower
>>>> than the Xmx setting, which goes against official JBoss GC performance
>>>> tuning documentation.
>>>>
>>>> Though speeds are high with a large heap, I *do* see the possibility
>>>> of a memory leak with the user cache enabled and no authentication
>>>> happening. I will be running a test overnight to attempt to confirm or deny.
>>>>
>>>> Thanks for your help so far, Stian. I will be on vacation tomorrow
>>>> through Sunday, so I will pick this back up on Monday.
>>>>
>>>> P.S. I will be thinking of ways to better the documentation around
>>>> performance tuning, as my tests indicate that standard JVM options cause
>>>> Keycloak to run in a very sub-optimal state.
>>>>
>>>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen wrote:
>>>>
>>>>> Are you only creating users or are you also authenticating users? User
>>>>> sessions are kept purely in memory so obviously the more you create the
>>>>> more memory is used. Only creating users should not continue to increase,
>>>>> but will do so for a while at least due to the way Java garbage collection
>>>>> works.
>>>>>
>>>>> I would only have the user cache disabled for testing memory leak.
>>>>> Re-enable it and retest with it before you eventually go into production as
>>>>> it will have a significant impact on performance.
>>>>>
>>>>> On 23 June 2016 at 01:10, Chris Hairfield wrote:
>>>>>
>>>>>> Scratch the results of the graph I posted. I was running the test
>>>>>> incorrectly. I'll post back with the results of the test run properly.
>>>>>>
>>>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield <chairfield at gmail.com> wrote:
>>>>>>
>>>>>>> Thomas, this test is run with whatever local database Keycloak
>>>>>>> defaults to. We're using Postgres generally, and we will have more
>>>>>>> information pertaining to tests against Postgres soon.
>>>>>>>
>>>>>>> Stian, thanks for the tips. I am currently running a test to ingest
>>>>>>> about 50m users into the default database with the user cache disabled, 8gb
>>>>>>> mem (Xmx and Xms), and parallel GC threads == processor count.
>>>>>>>
>>>>>>> Though my test is young (430k users ingested), I'm noticing memory
>>>>>>> allocation increasing in lockstep with the number of ingested users. Is it
>>>>>>> expected to continue in this fashion, or is Keycloak designed to level off
>>>>>>> in its memory usage?
>>>>>>>
>>>>>>> [image: increasing-heap.png]
>>>>>>>
>>>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>
>>>>>>>> Keycloak by default caches users in-memory, by default it will keep
>>>>>>>> up to 10000 entries cached. You can verify that there's no leak by
>>>>>>>> disabling the user cache provider. See
>>>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cache.html#d4e3187
>>>>>>>>
>>>>>>>> If you're planning on having millions of users I suggest you
>>>>>>>> increase the allocated memory for the JVM (512MB which it seems you have is
>>>>>>>> not sufficient).
>>>>>>>>
>>>>>>>> On 22 June 2016 at 00:29, Chris Hairfield wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> When testing Keycloak 1.9.8 by ingesting a few million users, we
>>>>>>>>> find that Keycloak leaks memory until it is rendered unresponsive (see
>>>>>>>>> graph). Increasing JVM memory only increases the time it takes to encounter
>>>>>>>>> this issue.
>>>>>>>>>
>>>>>>>>> We have put together a test project here
>>>>>>>>> and opened an
>>>>>>>>> issue here as we
>>>>>>>>> continue to investigate. As we are relying on Keycloak as a central
>>>>>>>>> infrastructural component, any help would be greatly appreciated.
>>>>>>>>>
>>>>>>>>> We'll update with more information as we find it.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Chris
>>>>>>>>>
>>>>>>>>> [image: mem-cpu.png]
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
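The 10000-entry LRU bound Stian refers to is the eviction setting on the users cache in the server's Infinispan subsystem; the fragment below is an added illustration, not from this thread, reconstructed from memory of the Keycloak 1.9.x default standalone.xml. The namespace version, cache names and attribute names are assumptions to verify against your own standalone.xml.

```xml
<!-- Added illustration (not from the thread): the users cache and its eviction
     bound as in the Keycloak 1.9.x default standalone.xml, from memory; verify
     against your own file. Other caches in the container are omitted. -->
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
    <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
        <local-cache name="realms"/>
        <!-- Bounded user cache: at most 10000 entries are kept and the least
             recently used entry is evicted first, which is the behaviour the
             thread expects. If the heap keeps growing in step with ingested
             users while this bound is in place, the growth is not explained by
             this cache and needs a heap dump to attribute. -->
        <local-cache name="users">
            <eviction max-entries="10000" strategy="LRU"/>
        </local-cache>
        <!-- User sessions are held purely in memory and are not bounded by the
             users cache setting above. -->
        <local-cache name="sessions"/>
    </cache-container>
</subsystem>
```

For the leak test Stian suggests, the user cache provider itself is switched off in keycloak-server.json (the server_cache page he links), by setting the provider's "enabled" flag to false under "userCache"; the provider is named "default" in 1.9.x as I recall it, so check the key in your own file.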
From gyalai at mail.thot-soft.com Tue Jun 28 04:39:32 2016
From: gyalai at mail.thot-soft.com (Gyalai Milán)
Date: Tue, 28 Jun 2016 10:39:32 +0200
Subject: [keycloak-user] Help problem with Bad request
Message-ID: <577237C4.2010400@mail.thot-soft.com>

Hello,

I have a problem with the Bad request when the user logs in. I have a simple War with JSP-s, with the following keycloak.json:

{
    "realm": "test",
    "realm-public-key": "...",
    "auth-server-url": "keycloak-url",
    "ssl-required": "none",
    "resource": "dashboard-app",
    "public-client": true,
    "use-resource-role-mappings": false,
    "principal-attribute": "preferred_username"
}

The wildfly redirects to the keycloak perfectly and adds a status parameter to the URL. After the login we get a 400 Bad request error. In the wildfly log I found these lines.

WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-111) state parameter invalid
WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-111) cookie: 151/af93b54d-6b04-4d82-9a8b-1fe7203b279e
WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-111) queryParam: 150/e946fb78-9902-4449-8c33-687fcaf98d3d

What did I configure wrong? The Keycloak version is 1.9.8.Final. Any ideas?
Regards

From sthorger at redhat.com Tue Jun 28 04:49:47 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 10:49:47 +0200
Subject: [keycloak-user] how get info from adapterConfig
In-Reply-To: <5E0EBD68B410924EADA89C5CBD233CD064720790@XMB-DCFR-35.europe.corp.altran.com>
References: <5E0EBD68B410924EADA89C5CBD233CD064720790@XMB-DCFR-35.europe.corp.altran.com>
Message-ID:

By adapterConfig I assume you mean the information from keycloak.json. As that contains the credentials for the service you should not expose this publicly. What is the use-case? I would rather suggest you load keycloak.json yourself and carefully expose selected details from it.

On 15 June 2016 at 16:03, LIEVRE Olivier wrote:
> Hello,
>
> I've secured a REST server with keycloak 1.9.7, and I would like to
> implement a public REST GET method for a non-authenticated user to get the
> adapterConfig info linked to my war.
>
> My war adapter is configured in my standalone.xml.
>
> Is there an easy way to read the adapterConfig info from standalone in
> that case?
>
> When a user makes an authenticated request, I can get that info with
> getting RefreshableKeycloakSecurityContext from httprequest.
>
> KR,
> Olivier
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Tue Jun 28 07:03:11 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 13:03:11 +0200
Subject: [keycloak-user] Email timeout error
In-Reply-To:
References:
Message-ID:

What version?
Could be related to https://issues.jboss.org/browse/KEYCLOAK-2770

On 25 June 2016 at 00:45, Bruno Oliveira wrote:
> This line looks suspicious for me:
>
> Exception reading response;
> nested exception is:
> java.net.SocketTimeoutException: Read timed out
>
> It looks like a connectivity issue with your SMTP server.
>
> On Fri, Jun 24, 2016, 4:26 PM LEONARDO NUNES wrote:
>
>> Hi, I'm getting the error below when sending the verification email. An
>> error page is shown, but I always receive the email.
>> Most of the times it works fine, but sometimes it returns the error.
>> Around 7 out of 10 times it works.
>> I use the same SMTP host for other applications and I don't have this
>> problem.
>>
>> For the Email configuration I only have Host and From configured.
>>
>> Is there a way to configure the timeout?
>>
>> 15:51:47,736 ERROR [org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default task-4) Failed to send verification email: org.keycloak.email.EmailException: Failed to template email
>> at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
>> at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
>> at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146)
>> at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156)
>> at org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73)
>> at org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:573)
>> at org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:504)
>> at org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:426)
>> at org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:302)
>> at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:856)
>> at org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:849)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:497)
>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: org.keycloak.email.EmailException: javax.mail.MessagingException: Exception reading response;
>> nested exception is:
>> java.net.SocketTimeoutException: Read timed out
>> at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:128)
>> at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
>> at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
>> ... 57 more
>> Caused by: javax.mail.MessagingException: Exception reading response;
>> nested exception is:
>> java.net.SocketTimeoutException: Read timed out
>> at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:2351)
>> at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:2228)
>> at com.sun.mail.smtp.SMTPTransport.finishData(SMTPTransport.java:2027)
>> at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1242)
>> at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:125)
>> ... 59 more
>> Caused by: java.net.SocketTimeoutException: Read timed out
>> at java.net.SocketInputStream.socketRead0(Native Method)
>> at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
>> at java.net.SocketInputStream.read(SocketInputStream.java:170)
>> at java.net.SocketInputStream.read(SocketInputStream.java:141)
>> at com.sun.mail.util.TraceInputStream.read(TraceInputStream.java:124)
>> at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
>> at java.io.BufferedInputStream.read(BufferedInputStream.java:265)
>> at com.sun.mail.util.LineInputStream.readLine(LineInputStream.java:92)
>> at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:2331)
>> ... 63 more
>>
>> --
>>
>> Regards,
>> *Leonardo Nunes*
>> Systems Analyst
>> leo.nunes at gjccorp.com.br
>> Skype: leonardo.puc
>> +55 (62) 3250-1462
>>
>> *Grupo Jaime Câmara*
>> www.gjccorp.com.br
>> ------------------------------
>>
>> *This message may contain confidential and/or privileged information. If you
>> are not the addressee or authorized to receive this for the addressee, you
>> must not use, copy, disclose or take any action based on this message or any
>> information herein. If you have received this message in error, please advise
>> the sender immediately by reply e-mail and delete this message. Thank you for
>> your cooperation*
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Tue Jun 28 07:23:04 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 13:23:04 +0200
Subject: [keycloak-user] Typo in Client Registration documentation
In-Reply-To:
References:
Message-ID:

Fixed in new docs (https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/master/topics/client-registration.html).
On 22 June 2016 at 13:23, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
> All, it seems there is a typo in the Client Registration documentation
> lying at:
>
> http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html#d4e1563
>
> Existing snippet:
>
> String initialAccessToken = "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmMjJmNzQyYy04ZjNlLTQ2M....";
>
> ClientRepresentation client = new ClientRepresentation();
> client.setClientId(CLIENT_ID);
>
> ClientRegistration reg = ClientRegistration.create().url("http://keycloak/auth/realms/myrealm/clients").build();
> reg.auth(Auth.token(initialAccessToken));
>
> client = reg.create(client);
>
> String registrationAccessToken = client.getRegistrationAccessToken();
>
> Corrected snippet:
>
> String initialAccessToken = "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmMjJmNzQyYy04ZjNlLTQ2M....";
>
> ClientRepresentation client = new ClientRepresentation();
> client.setClientId(CLIENT_ID);
>
> ClientRegistration reg = ClientRegistration.create().url("http://keycloak/auth/realms/myrealm/*clients-registrations*").build();
> reg.auth(Auth.token(initialAccessToken));
>
> client = reg.create(client);
>
> String registrationAccessToken = client.getRegistrationAccessToken();
>
> Please confirm and if valid, take care with that.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From leo.nunes at gjccorp.com.br Tue Jun 28 07:57:17 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Tue, 28 Jun 2016 11:57:17 +0000
Subject: [keycloak-user] Email timeout error
In-Reply-To:
Message-ID:

I was having this problem with version 1.9.1.Final and I recently updated to version 1.9.8.Final and still have the problem.
In my case I don't need to kill the keycloak server.
The e-mail is sent a few seconds after the error page.
I've seen the problem with email verification and reset credential email, I think it's with all types of emails.

For how long does it wait for a response before throwing the read timed out exception?

--

Regards,
Leonardo Nunes
Systems Analyst
leo.nunes at gjccorp.com.br
Skype: leonardo.puc
+55 (62) 3250-1462

Grupo Jaime Câmara
www.gjccorp.com.br

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Tuesday, 28 June 2016 08:03
To: Bruno Oliveira
Cc: Leonardo Nunes, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Email timeout error

What version? Could be related to https://issues.jboss.org/browse/KEYCLOAK-2770

On 25 June 2016 at 00:45, Bruno Oliveira wrote:

This line looks suspicious for me:

Exception reading response;
nested exception is:
java.net.SocketTimeoutException: Read timed out

It looks like a connectivity issue with your SMTP server.

On Fri, Jun 24, 2016, 4:26 PM LEONARDO NUNES wrote:

Hi, I'm getting the error below when sending the verification email. An error page is shown, but I always receive the email.
Most of the times it works fine, but sometimes it returns the error.
Around 7 out of 10 times it works.
I use the same SMTP host for other applications and I don't have this problem.

For the Email configuration I only have Host and From configured.

Is there a way to configure the timeout?
From sthorger at redhat.com Tue Jun 28 08:50:45 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 14:50:45 +0200
Subject: [keycloak-user] Email timeout error
In-Reply-To:
References:
Message-ID:

It waits for 10 seconds [1]

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/email/DefaultEmailSenderProvider.java#L89

On 28 June 2016 at 13:57, LEONARDO NUNES wrote:
> I was having this problem with version 1.9.1.Final and I recently updated
> to version 1.9.8.Final and still have the problem.
> In my case I don't need to kill the keycloak server.
> The e-mail is sent a few seconds after the error page.
> I've seen the problem with email verification and reset credential email,
> I think it's with all types of emails.
>
> For how long does it wait for a response before throwing the read timed
> out exception?
>
> --
>
> Regards,
> *Leonardo Nunes*
> Systems Analyst
> leo.nunes at gjccorp.com.br
> Skype: leonardo.puc
> +55 (62) 3250-1462
>
> *Grupo Jaime Câmara*
> www.gjccorp.com.br
>
> From: Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Tuesday, 28 June 2016 08:03
> To: Bruno Oliveira
> Cc: Leonardo Nunes, "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Email timeout error
>
> What version? Could be related to
> https://issues.jboss.org/browse/KEYCLOAK-2770
>
> On 25 June 2016 at 00:45, Bruno Oliveira wrote:
>
>> This line looks suspicious for me:
>>
>> Exception reading response;
>> nested exception is:
>> java.net.SocketTimeoutException: Read timed out
>>
>> It looks like a connectivity issue with your SMTP server.
>>
>> On Fri, Jun 24, 2016, 4:26 PM LEONARDO NUNES wrote:
>>
>>> Hi, I'm getting the error below when sending the verification email. An
>>> error page is shown, but I always receive the email.
>>> Most of the times it works fine, but sometimes it returns the error. >>> Around 7 out of 10 times it works. >>> I use the same SMTP host for other applications and I don't have this >>> problem. >>> >>> For the Email configuration I only have Host and From configured. >>> >>> Is there a way to configure the timeout? >>> >>> >>> 15:51:47,736 ERROR >>> [org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default >>> task-4) Failed to send verification email: >>> org.keycloak.email.EmailException: Failed to template email >>> at >>> org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179) >>> at >>> org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150) >>> at >>> org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146) >>> at >>> org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156) >>> at >>> org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73) >>> at >>> org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:573) >>> at >>> org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:504) >>> at >>> org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:426) >>> at >>> org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:302) >>> at >>> org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:856) >>> at >>> org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:849) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at >>> 
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:497)
>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>> at
>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:745)
>>> Caused by: org.keycloak.email.EmailException: javax.mail.MessagingException: Exception reading response;
>>> nested exception is:
>>> java.net.SocketTimeoutException: Read timed out
>>> at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:128)
>>> at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
>>> at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
>>> ...
>>> 57 more
>>> Caused by: javax.mail.MessagingException: Exception reading response;
>>> nested exception is:
>>> java.net.SocketTimeoutException: Read timed out
>>> at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:2351)
>>> at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:2228)
>>> at com.sun.mail.smtp.SMTPTransport.finishData(SMTPTransport.java:2027)
>>> at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1242)
>>> at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:125)
>>> ... 59 more
>>> Caused by: java.net.SocketTimeoutException: Read timed out
>>> at java.net.SocketInputStream.socketRead0(Native Method)
>>> at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
>>> at java.net.SocketInputStream.read(SocketInputStream.java:170)
>>> at java.net.SocketInputStream.read(SocketInputStream.java:141)
>>> at com.sun.mail.util.TraceInputStream.read(TraceInputStream.java:124)
>>> at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
>>> at java.io.BufferedInputStream.read(BufferedInputStream.java:265)
>>> at com.sun.mail.util.LineInputStream.readLine(LineInputStream.java:92)
>>> at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:2331)
>>> ... 63 more
>>>
>>> --
>>> Att,
>>> Leonardo Nunes
>>> Systems Analyst
>>> leo.nunes at gjccorp.com.br
>>> Skype: leonardo.puc
>>> +55 (62) 3250-1462
>>>
>>> Grupo Jaime Câmara
>>> www.gjccorp.com.br
>>> ------------------------------
>>>
>>> This message may contain confidential and/or privileged information. If you are not the addressee or
>>> authorized to receive this for the addressee, you must not use, copy,
>>> disclose or take any action based on this message or any information
>>> herein. If you have received this message in error, please advise the
>>> sender immediately by reply e-mail and delete this message. Thank you for
>>> your cooperation
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Tue Jun 28 09:00:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 15:00:46 +0200
Subject: [keycloak-user] reverse proxy support of Keycloak saml filter adapter

The answer depends on what application server you are using, but in summary you need to make sure the reverse proxy is configured to include the correct headers and the application server is configured to use those headers. This is required so that HttpServletRequest.getRequestURL returns the URL used by the user and not the internal URL used by the proxy.

On 16 June 2016 at 08:19, ROMELOT Didier wrote:
> Hi, we deploy applications that use the keycloak SAML filter to handle SAML
> authentication.
>
> We face some trouble when configuring the app acting behind a reverse
> proxy.
> In that situation the keycloak library raises an exception:
>
> WebBrowserSsoAuthenticationHandler ERROR Request URI does not match SAML
> request destination
>
> We tried to fix it with configuration on the reverse proxy but without success.
>
> Has anyone faced such a problem?
>
> regards
>
> Didier ROMELOT
> DIA-AT - Technical Architecture
> API : FR EQV NOV 3 39
> 13, avenue Paul Langevin
> 92359 Le Plessis Robinson Cedex - FRANCE
> Tél. : +33 1 76 84 95 28
>
> -- Disclaimer ------------------------------------
> *** This e-mail and any attachments is a confidential correspondence
> intended only for use of the individual or entity named above. If you are
> not the intended recipient or the agent responsible for delivering the
> message to the intended recipient, you are hereby notified that any
> disclosure, distribution or copying of this communication is strictly
> prohibited. If you have received this communication in error, please notify
> the sender by phone or by replying this message, and then delete this
> message from your system.
>

From sthorger at redhat.com Tue Jun 28 09:19:26 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 15:19:26 +0200
Subject: [keycloak-user] How to restore session for UI to REST API
In-Reply-To: <24963419.1672749.1466643892158.JavaMail.zimbra@redhat.com>
References: <2050154768.584737.1466460786043.JavaMail.zimbra@redhat.com> <5768DD06.2070600@redhat.com> <699662277.1174065.1466577851220.JavaMail.zimbra@redhat.com> <24963419.1672749.1466643892158.JavaMail.zimbra@redhat.com>

I suspect the issue is down to the HTTP sessions of the Keycloak Proxy timing out. The default timeout is 30 minutes and we don't currently have a way of configuring that in the Keycloak Proxy. Can you create a JIRA for it?

On 23 June 2016 at 03:04, Chris Pitman wrote:
>
> ----- Original Message -----
>
> > Quite likely it's the session that is no longer valid, not just the token.
> > If the access token is not valid (this is 5min by default) it will be
> > refreshed by the proxy (valid as long as the user session is valid).
> >
> > Once the user session is no longer valid the user is required to
> > re-authenticate to Keycloak which causes the redirect to Google. This
> > happens by default after the session has been idle 30 min (no token
> > refreshes) or after 10 hours. You can change the timeouts through the admin
> > console.
> >
>
> I've tried setting both "SSO Session Idle" and "SSO Session Max" to 1 Day,
> but see this issue where the proxy redirects to keycloak which redirects to
> google after about 1 hour. Is there another setting I need to change?

From leo.nunes at gjccorp.com.br Tue Jun 28 09:35:50 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Tue, 28 Jun 2016 13:35:50 +0000
Subject: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client
In-Reply-To: <57721298.50909@redhat.com>

Marek, after I encoded the redirect_uri parameter it worked.

When I try to access a restricted page and I'm not logged in I saw that an AuthChallenge with a redirect uri is returned. Is there a way to configure prompt=none to be added to this redirect uri? In my case I wouldn't like to be automatically redirected to the login page when I'm not logged in. Instead I would like to be redirected back to my page when the user is not logged in.

--
Leonardo Nunes

From: Marek Posolda
Date: Tuesday, 28 June 2016 03:00
To: Leonardo Nunes, Tomás García, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client

Not sure why prompt=none doesn't work as expected... Are you manually opening this URL? Maybe it will help if you url-encode the value of the redirect_uri parameter (in your example it's not encoded).

Marek

On 27/06/16 15:38, LEONARDO NUNES wrote:
Marek, I tried to manually call the keycloak login url with prompt=none but it didn't redirect back to my redirect_uri, instead it stayed at the login page. Below is an example of the login url I'm calling.
http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&response_mode=fragment&response_type=code&client_id=app-web&prompt=none

I need a URL to call to know if the user is logged in or not without being redirected to the login page. I need this because KeycloakSecurityContext is not available at non-restricted URLs.

--
Leonardo Nunes

From: Marek Posolda
Date: Monday, 27 June 2016 09:07
To: Tomás García <tomas at intrahouse.com>, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client

I think your possibilities are either:
- Use a different client for keycloak.js (public client) and a different client for your confidential servlet application
- Don't use keycloak.js at all, but instead do some HTTP Filter to deal with "autologin". You will manually try to redirect to keycloak with "prompt=none". If the user is not logged in, keycloak will redirect back to the callback redirect_uri, where you recognize if there is a "code" or "error" parameter and based on that you know if the user is logged in or not. If the user is logged in, you can redirect to the secured URL to properly trigger the authentication process (maybe you can optimize this step by reusing the "code" which you already have and directly open the secured URI with it, but I am not 100% sure if it works, considering that you also need a correct "state" etc.). Otherwise, you can set some state or something to recognize that autologin has already been tried unsuccessfully.

Maybe you can create a JIRA to request support for "autologin" for other types of clients than public keycloak.js clients.

Marek

On 25/06/16 11:44, Tomás García wrote:
Hi,

I wonder if it's possible to just check the SSO state with a confidential client. My use case is the following one:
- I have a website which uses a confidential client to login with Keycloak.
- I want to add autologin to this website.
- So I use the javascript adapter with the following option object for the init method: { onLoad: 'check-sso' }.

The javascript adapter is built without the secret key in its constructor (obviously if I put the secret key in there, there's no point in using a confidential client at all). But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR, error=invalid_client_credentials" error.

So I don't know how feasible or secure it is to just check that the Keycloak session inside the cookie of the user's browser is still valid. In my case, the browser doesn't need to get the user info, access token, etc., because what I'll do is redirect the user to the Keycloak login page with the confidential client afterwards if the operation is successful. Since the Keycloak session is valid, Keycloak should redirect back with the authentication code without asking the user for credentials.

Additional note: the CORS header isn't added to 400 responses in Keycloak, so it was a bit confusing looking at the JS console in the browser, because it complained about CORS but it was just Keycloak giving the 400 response without the allow-origin header.

Thanks.

--
Tomás García Pérez
Software Developer
IntraHouse
From sthorger at redhat.com Tue Jun 28 09:38:19 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 15:38:19 +0200
Subject: [keycloak-user] Listing all realm users programmatically

There are no bulk operations available yet, I'm afraid.

On 27 June 2016 at 14:51, Haim Vana wrote:
> Thanks - it will work.
>
> I wonder if they have bulk operations in the API, for example for deleting
> all users; now I have to get all of them and delete them one by one.
>
> From: Thomas Darimont [mailto:thomas.darimont at googlemail.com]
> Sent: Monday, June 27, 2016 3:49 PM
> To: Haim Vana
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Listing all realm users programmatically
>
> Hello Haim,
>
> I think the following does what you are looking for.
>
> int pageIndex = 0;
> int pageSize = 1000;
> String realmName = "master";
>
> List<UserRepresentation> results =
>     keycloak.realm(realmName).users().search(null, null, null, null, pageIndex * pageSize, pageSize);
>
> where keycloak is an org.keycloak.admin.client.Keycloak.
>
> Cheers,
> Thomas
>
> 2016-06-27 11:59 GMT+02:00 Haim Vana:
>
> Hi,
>
> Is there a way to list all realm users programmatically via the API? Also,
> is there a way to delete all of them?
>
> I think I should use the below, however what should I insert in the search
> method for getting all the users?
> keyCloakClient.realms().realm(realmName).users().search()
>
> Thanks,
> Haim.
>
> The information contained in this message is proprietary to the sender,
> protected from disclosure, and may be privileged. The information is
> intended to be conveyed only to the designated recipient(s) of the message.
> If the reader of this message is not the intended recipient, you are hereby
> notified that any dissemination, use, distribution or copying of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please notify us immediately by
> replying to the message and deleting it from your computer. Thank you.
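An added example, not code from this thread or from Keycloak itself, that carries Thomas's paging call through to a complete loop: it fetches every user of a realm in pages of 1000 with org.keycloak.admin.client.Keycloak and, since Stian confirms the admin API has no bulk delete, removes them one at a time. The class name RealmUserPager is my own, and the server URL, admin credentials, client id and realm name in main() are placeholders, not values from the thread.

```java
import java.util.ArrayList;
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Added example (hypothetical helper, not part of Keycloak): page through a
 * realm's users with the admin client and delete them one at a time.
 */
public class RealmUserPager {

    // Page size is a choice for this example; Thomas used 1000 in the thread.
    private static final int PAGE_SIZE = 1000;

    /** Fetches every user of the realm in pages, so no single call has to hold the whole realm. */
    public static List<UserRepresentation> listAllUsers(Keycloak keycloak, String realmName) {
        UsersResource users = keycloak.realm(realmName).users();
        List<UserRepresentation> all = new ArrayList<>();
        int first = 0;
        while (true) {
            // All-null filters match every user; first/max select the page.
            List<UserRepresentation> page = users.search(null, null, null, null, first, PAGE_SIZE);
            all.addAll(page);
            if (page.size() < PAGE_SIZE) {
                break;            // short page: nothing left after this one
            }
            first += PAGE_SIZE;
        }
        return all;
    }

    /**
     * Deletes every user of the realm one by one (there is no bulk delete in
     * the admin API). Returns the number of users removed.
     */
    public static int deleteAllUsers(Keycloak keycloak, String realmName) {
        UsersResource users = keycloak.realm(realmName).users();
        int deleted = 0;
        while (true) {
            // Always read from offset 0: deleting a page shifts the remaining
            // users down, so advancing the offset would skip every other page.
            List<UserRepresentation> page = users.search(null, null, null, null, 0, PAGE_SIZE);
            if (page.isEmpty()) {
                break;
            }
            for (UserRepresentation user : page) {
                users.get(user.getId()).remove();   // one DELETE per user
                deleted++;
            }
        }
        return deleted;
    }

    public static void main(String[] args) {
        // Placeholder values: server URL, admin credentials, client id and realm
        // are assumptions for the example, not values from the thread.
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth", "master", "admin", "ADMIN_PASSWORD", "admin-cli");
        String realmName = "demo";
        System.out.println("users in " + realmName + ": " + listAllUsers(keycloak, realmName).size());
    }
}
```

Two details matter in practice. An explicit page size is what makes the listing complete: a search with no maxResults is capped by the server at its own default page size, so a single unbounded call never returns a large realm. And the delete loop deliberately keeps reading from offset 0 rather than advancing through pages, because each removal shifts the remaining users down and a moving offset would leave half of them behind.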
From sthorger at redhat.com Tue Jun 28 09:41:18 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 15:41:18 +0200
Subject: [keycloak-user] Help - two issues

On 23 June 2016 at 21:05, wrote:
> Good Day,
>
> Today I was trying to front-end KeyCloak with Apache.
> Background
> Keycloak 1.9.5 is installed successfully on linux, I can tunnel to it and
> log in using the admin creds I set up.
>
> I installed a webserver and configured SSL for the webserver and Keycloak
> as outlined in 3.2.6. SSL/HTTPS Requirement/Modes through 3.2.8.2. Configure
> Wildfly undertow subsystem
> I restarted the webserver and the keycloak server.
> The webserver shows the credential pop up stating the site is "strictly
> private". Creds do not allow me to log in through the webserver, only if I
> use the SSH tunnel.
> Not sure where to go - the instructions are pretty simple, I suspect a
> config issue - not sure where though.

If you have a reverse proxy configured in front of Keycloak you need to configure it correctly. Please refer to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html, specifically "Enable HTTPS/SSL with a Reverse Proxy".

> Second issue, using the SSH tunnel, I enabled require "ALL SSL" as a test
> knowing full well I could get locked out completely. How can I reset the
> require ALL SSL without using the console?

You'll have to change it directly in the database.

> Thanks in advance.
>
> James Saxton
> Software Infrastructure Division
> Administrative Office of the U.S. Courts
> One Columbus Circle, N.E.
> Washington, DC 20544
> (C) 908-910-5566
> Teamwork makes the dream work!

From sthorger at redhat.com Tue Jun 28 09:45:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 15:45:31 +0200
Subject: [keycloak-user] Keycloak Adapter Set/Remove Cookies Depending on Path

Sounds like you have two separate applications? If so they'll have separate cookies, sessions, etc., and would have to be logged out separately. Not quite sure where you're getting '/logout' from either. To log out you should use HttpServletRequest.logout, which will redirect to Keycloak to properly do the logout. This will log out the application that the user initiated the logout from, as well as send a backchannel request to other applications to log them out.

On 23 June 2016 at 04:06, Sarp Kaya wrote:
> According to this code:
>
> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java#L100
>
> The cookie is only reset at the place where the logout path is. For
> instance:
>
> Applications serve at /foo/app and /bar/app
> And the logout path is just /logout
>
> In that case that won't work because cookiePath for removeCookie would be
> /logout.
>
> The problem is the user is still logged in within the period of Access
> Token Lifespan.
>
> It doesn't make sense to have a different logout URL for each application, such
> as /bar/logout and /foo/logout.
>
> Is there a way to just keep a single logout which logs out the user for each
> application?
>
> Thanks,
> Sarp Kaya

From sthorger at redhat.com Tue Jun 28 09:49:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 15:49:46 +0200
Subject: [keycloak-user] keycloak access token caching?
In-Reply-To: <6E53A5D1-C422-4A13-9191-7E8FCF3F0D88@googlemail.com>
References: <6E53A5D1-C422-4A13-9191-7E8FCF3F0D88@googlemail.com>

Direct grant (tokens obtained directly from /auth/realms/{realm}/protocol/openid-connect/token) results in a new user session being created. This session is not tied to the browser session in any way. To do that you should use the proper redirect based login.

The token introspection endpoint returns that the token is still valid after you've logged out from the admin console because you have two separate user sessions. To invalidate the token obtained directly from the 'token' endpoint you'd have to call logout on that separately.

On 24 June 2016 at 10:08, Jannik H?ls wrote:
> Hi,
>
> I use the /auth/realms/{realm}/protocol/openid-connect/token endpoint
> to create a User Session. The Session is shown inside keycloak and I get
> the access_token, refresh_token and id_token.
> When I now call /auth/realms/{realm}/protocol/openid-connect/token/introspect
> I get a valid response containing "active":"true" amongst others. I
> call it using the POST method and providing the client_id, client_secret and
> token parameters as data. The token parameter contains the
> access_token value.
>
> I now log in to the keycloak administrator and log out the User. Now I again
> call the introspection endpoint but still get a response containing
> "active":"true".
> It seems that keycloak is caching the User Session and
> after some time I get "active":"false". Would I be able to disable
> caching and immediately get an introspection response that indicates that
> the User Session no longer exists?
>
> Btw.: The same happens when I call the /auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri=
> endpoint. I provided the access_token in the header. POST parameters
> are client_id, client_secret and refresh_token in this case.
>
> I use the introspection endpoint in the different RPs I use to validate
> whether the access_token is revoked in order to introduce single logout.
> Hence it would be nice to disable the caching to have less inconsistency.
>
> Bests
> Jannik

From sthorger at redhat.com Tue Jun 28 09:50:58 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 28 Jun 2016 15:50:58 +0200
Subject: [keycloak-user] Getting 401 if trying to access app via loadbalancer

Firstly, please upgrade to a more recent Keycloak version. Then refer to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html for details on how to set up a reverse proxy / load balancer in front of Keycloak.

On 27 June 2016 at 09:18, KASALA Štefan wrote:
> Hello,
>
> we have installed JBoss Overlord Rtgov 2.1.0 which is using
> Keycloak 1.2.0.Beta1. It is running on JBoss EAP 6.3, I will name it with
> hostname app01. We have a load balancer under another hostname lbapp in
> front of the deployed app.
> I am able to call the rest interface of RtGov
> directly on machine app01 but not using lbapp; I get 401 - Unauthorized
> from Keycloak. My guess is there is some check against the hostname in the http
> request. Is there some possibility to register aliases with keycloak to
> enable calls via the load balancer? Thanks.
>
> Stefan Kasala
>
> ------------------------------
>
> This message is for the designated recipient only and may contain
> confidential or internal information. If you have received it in error,
> please notify the sender immediately and delete the original. Any other use
> of the e-mail by you is prohibited.

From guydavis.ca at gmail.com Tue Jun 28 11:47:56 2016
From: guydavis.ca at gmail.com (Guy Davis)
Date: Tue, 28 Jun 2016 17:47:56 +0200
Subject: [keycloak-user] Does Keycloak's SPNEGO support include fall-back to NTLM in absence of Kerberos?

Good day,

For the sake of argument, assume that someone has set up an MS Active Directory domain with Kerberos disabled, but NTLM still enabled. In that situation, would a user browsing to a Keycloak-protected application, with LDAP+SPNEGO enabled (against that MS AD system), still get Integrated Windows Authentication (auto-login without prompt) to the web application?

Thanks much,
Guy
From chairfield at gmail.com Tue Jun 28 12:40:04 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Tue, 28 Jun 2016 16:40:04 +0000
Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users

I can confirm that adding the eviction policy clears the issue. Thank you so much for your assistance, Stian. This clears the major hurdle in our path to using Keycloak as our sole identity management store :)

On Tue, Jun 28, 2016 at 2:13 AM Stian Thorgersen wrote:
> I've confirmed the issue now and found the cause:
> https://issues.jboss.org/browse/KEYCLOAK-3202
>
> The leak is in the realmVersion cache. A workaround is to set an eviction
> policy on this cache, for example LRU 10000.
>
> On 28 June 2016 at 08:47, Stian Thorgersen wrote:
>
>> We have had our QE guys confirm this issue and it looks like
>> something ominous is going on.
>>
>> On 27 June 2016 at 17:45, Chris Hairfield wrote:
>>
>>> Stian,
>>>
>>> I've noticed some interesting things:
>>>
>>> - When the user cache is enabled, creating a user allocates a block
>>> of memory that cannot be GC'd
>>> - When I restart Keycloak after creating those users, that memory is
>>> not re-allocated
>>>
>>> This begs the question: what is the purpose of the memory allocation on
>>> user creation if it doesn't need to stick around upon restart?
>>
>> Creating a new user is expected to consume memory that can't be GC'd due
>> to the caching. Upon restart the users are loaded on demand into the cache
>> (user logs in or through admin console/endpoints).
>>
>>> It seems to me that the user cache is keeping more than 10k users on
>>> user creation. Does this hypothesis agree with your understanding of
>>> Keycloak's design?
>>
>> By default it should only keep 10K users in memory.
Once it hits 10K the >> least recently used should entries should be evicted from the cache. >> However, it seems this is not working properly. >> >> >>> >>> Thanks, >>> Chris >>> >>> P.S. I have yet to test authentication load. >>> >>> On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield >>> wrote: >>> >>>> There seems to be a leak when enabling the user cache, even when >>>> providing Keycloak with all the memory it needs to perform admirably >>>> (initially). My heap drops to 3.4 GB when I perform a manual GC. >>>> >>>> I'm now seeing a number of PessimisticLockExceptions as it fails to >>>> lock the USER_ENTITY table. I expect Keycloak to have ground to a halt by >>>> the morning.[image: test8-graph.png] >>>> >>>> >>>> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield >>>> wrote: >>>> >>>>> I am only testing creating users. With the user cache disabled, I see >>>>> no evidence of a memory leak at many JVM heap-size settings. >>>>> >>>>> Things get interesting when re-enabling the user cache. Performance >>>>> seems to take a major hit in lower-memory scenarios, with some very >>>>> worrisome scenarios where the rate at which I ingest continuously decreases. >>>>> >>>>> I am able to create users at a high rate of speed with a max heap size >>>>> of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting lower >>>>> than the Xmx setting, which goes against official JBoss GC performance >>>>> tuning documentation >>>>> >>>>> . >>>>> >>>>> Though speeds are high with a large heap, I *do* see the possibility >>>>> of a memory leak with the user cache enabled and no authentication >>>>> happening. I will be running a test overnight to attempt to confirm or deny. >>>>> >>>>> Thanks for your help so far, Stian. I will be on vacation tomorrow >>>>> through Sunday, so I will pick this back up on Monday. >>>>> >>>>> P.S. 
I will be thinking of ways to better the documentation around >>>>> performance tuning, as my tests indicate that standard JVM options cause >>>>> Keycloak to run in a very sub-optimal state. >>>>> >>>>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen >>>>> wrote: >>>>> >>>>>> Are you only creating users or are you also authenticating users? >>>>>> User sessions are kept purely in memory so obviously the more you create >>>>>> the more memory is used. Only creating users should not continue to >>>>>> increase, but will do so for a while at least due to the way Java garbage >>>>>> collection works. >>>>>> >>>>>> I would only have the user cache disabled for testing memory leak. >>>>>> Re-enable it and retest with it before you eventually go into production as >>>>>> it will have a significant impact on performance. >>>>>> >>>>>> On 23 June 2016 at 01:10, Chris Hairfield >>>>>> wrote: >>>>>> >>>>>>> Scratch the results of the graph I posted. I was running the test >>>>>>> incorrectly. I'll post back with the results of the test run properly. >>>>>>> >>>>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield < >>>>>>> chairfield at gmail.com> wrote: >>>>>>> >>>>>>>> Thomas, this test is run with whatever local database Keycloak >>>>>>>> defaults to. We're using Postgres generally, and we will have more >>>>>>>> information pertaining to tests against Postgres soon. >>>>>>>> >>>>>>>> Stian, thanks for the tips. I am currently running a test to ingest >>>>>>>> about 50m users into the default database with the user cache disabled, 8gb >>>>>>>> mem (Xmx and Xms), and parallel GC threads == processor count. >>>>>>>> >>>>>>>> Though my test is young (430k users ingested), I'm noticing memory >>>>>>>> allocation increasing in lockstep with the number of ingested users. Is it >>>>>>>> expected to continue in this fashion, or is Keycloak designed to level off >>>>>>>> in its memory usage? 
>>>>>>>> >>>>>>>> [image: increasing-heap.png] >>>>>>>> >>>>>>>> >>>>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen < >>>>>>>> sthorger at redhat.com> wrote: >>>>>>>> >>>>>>>>> Keycloak by default caches users in-memory, by default it will >>>>>>>>> keep up to 10000 entries cached. You can verify that there's no leak by >>>>>>>>> disabling the user cache provider. See >>>>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cache.html#d4e3187 >>>>>>>>> >>>>>>>>> If you're planning on having millions of users I suggest you >>>>>>>>> increase the allocated memory for the JVM (512MB which it seems you have is >>>>>>>>> not sufficient). >>>>>>>>> >>>>>>>>> On 22 June 2016 at 00:29, Chris Hairfield >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> When testing Keycloak 1.9.8 by ingesting a few million users, we >>>>>>>>>> find that Keycloak leaks memory until it is rendered unresponsive (see >>>>>>>>>> graph). Increasing JVM memory only increases the time it takes to encounter >>>>>>>>>> this issue. >>>>>>>>>> >>>>>>>>>> We have put together a test project here >>>>>>>>>> and opened an >>>>>>>>>> issue here as we >>>>>>>>>> continue to investigate. As we are relying on Keycloak as a central >>>>>>>>>> infrastructural component, any help would be greatly appreciated. >>>>>>>>>> >>>>>>>>>> We'll update with more information as we find it. >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> Chris >>>>>>>>>> >>>>>>>>>> [image: mem-cpu.png] >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> keycloak-user mailing list >>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>> >>>>>>>>> >>>>>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160628/4d0cfd8a/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... 
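The workaround quoted above (an LRU eviction policy on the realmVersion cache, "for example LRU 10000") is applied in the Infinispan subsystem of the Keycloak server's standalone.xml. The fragment below is an added example, not taken from the thread or from the Keycloak distribution. It assumes the WildFly 10-era Infinispan subsystem syntax that Keycloak 1.9/2.0 servers shipped with, that the Keycloak cache container is named `keycloak`, and that the cache in your configuration is declared as `realmVersions` (the spelling Chris uses later in the thread; Stian writes `realmVersion`): keep whatever name and child elements your own standalone.xml already has and only add the `eviction` element.

```xml
<!-- Added example, not from the thread or the Keycloak distribution.
     Assumed location: standalone/configuration/standalone.xml,
     inside <subsystem xmlns="urn:jboss:domain:infinispan:..."> -->

<!-- Before: the cache has no bound, so every entry written during user
     creation stays resident until the heap is exhausted (the leak the
     thread tracks as KEYCLOAK-3202). -->
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <local-cache name="realmVersions"/>
</cache-container>

<!-- After: the workaround from the thread. The LRU policy caps the cache
     at 10000 entries and evicts the least recently used ones, so memory
     use levels off instead of growing with the number of users created.
     Any child elements already present on your realmVersions cache stay
     as they are; only the eviction element is new. -->
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <local-cache name="realmVersions">
        <eviction max-entries="10000" strategy="LRU"/>
    </local-cache>
</cache-container>
```

Restart the server after editing standalone.xml and repeat the ingest test with a heap monitor attached, comparing against the unbounded run: the thread later reports that this workaround roughly halved user-creation throughput, so measure both memory and rate before relying on it in production rather than waiting for the upstream fix.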
Name: mem-cpu.png Type: image/png Size: 100050 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160628/4d0cfd8a/attachment-0003.png -------------- next part -------------- A non-text attachment was scrubbed... Name: increasing-heap.png Type: image/png Size: 11436 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160628/4d0cfd8a/attachment-0004.png -------------- next part -------------- A non-text attachment was scrubbed... Name: test8-graph.png Type: image/png Size: 46063 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160628/4d0cfd8a/attachment-0005.png From charlee.ch at gmail.com Tue Jun 28 22:53:11 2016 From: charlee.ch at gmail.com (Charlee Chitsuk) Date: Wed, 29 Jun 2016 09:53:11 +0700 Subject: [keycloak-user] Keycloak minimal for integration test Message-ID: Hi, I would like to test my application via the Arquillian. Does keycloak provide the minimal server for integration test? -- Best Regards, Charlee Ch Virus-free. www.avast.com <#DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/4d2048ac/attachment.html From thomas.darimont at googlemail.com Wed Jun 29 01:26:00 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Wed, 29 Jun 2016 07:26:00 +0200 Subject: [keycloak-user] Keycloak minimal for integration test In-Reply-To: References: Message-ID: Hello Charlee, just try: mvn -f testsuite/integration/pom.xml exec:java -Pkeycloak-server Or search for the "KeycloakServer" class in the Integration Test Module. Cheers, Thomas Am 29.06.2016 4:54 vorm. schrieb "Charlee Chitsuk" : > Hi, > > I would like to test my application via the Arquillian. Does keycloak > provide the minimal server for integration test? > > -- > Best Regards, > > Charlee Ch > > > Virus-free. 
> www.avast.com > > <#m_-2937710803025272973_DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/cc2221fd/attachment.html From sthorger at redhat.com Wed Jun 29 02:13:26 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 29 Jun 2016 08:13:26 +0200 Subject: [keycloak-user] Keycloak minimal for integration test In-Reply-To: References: Message-ID: Not sure what you mean about minimal server, but Keycloak can be used with Arquillian. We use it ourselves in the new testsuite. On 29 June 2016 at 04:53, Charlee Chitsuk wrote: > Hi, > > I would like to test my application via the Arquillian. Does keycloak > provide the minimal server for integration test? > > -- > Best Regards, > > Charlee Ch > > > Virus-free. > www.avast.com > > <#m_-8974110243762289522_DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/2d097dc6/attachment.html From lanabe.lanabe at gmail.com Wed Jun 29 02:28:59 2016 From: lanabe.lanabe at gmail.com (lanabe) Date: Wed, 29 Jun 2016 06:28:59 +0000 Subject: [keycloak-user] Keycloak minimal for integration test In-Reply-To: References: Message-ID: How about using Docker(docker-maven-plugin)? you can run keycloak container pre-integration phase. 
https://github.com/emag/wildfly-swarm-tour/blob/master/code/keycloak/complete/pom.xml#L178-L202 On Wed, Jun 29, 2016 at 3:14 PM Stian Thorgersen wrote: > Not sure what you mean about minimal server, but Keycloak can be used with > Arquillian. We use it ourselves in the new testsuite. > > On 29 June 2016 at 04:53, Charlee Chitsuk wrote: > >> Hi, >> >> I would like to test my application via the Arquillian. Does keycloak >> provide the minimal server for integration test? >> >> -- >> Best Regards, >> >> Charlee Ch >> >> >> Virus-free. >> www.avast.com >> >> <#m_-7331798523122190945_m_-8974110243762289522_DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/71edc2ad/attachment.html From charlee.ch at gmail.com Wed Jun 29 02:29:57 2016 From: charlee.ch at gmail.com (Charlee Chitsuk) Date: Wed, 29 Jun 2016 13:29:57 +0700 Subject: [keycloak-user] Keycloak minimal for integration test In-Reply-To: References: Message-ID: Hi Thomas and Stain, Thank you for your response. I would like to start the keycloak when I start testing my application via Arquillian. I hope it may be something like KeyCloak keyCloak = new KeyCloak(); keyCloak.start(); //do some tests keyCloak.stop(); note: The start and stop may be called by @BeforeClass and @AfterClass At the moment I've tried to read the "/testsuite/integration" [1] and "/testsuite/integration-arquillian" [2]. I'm still confused how to apply them to my project. Could you please help to advise further? Thank you very much for your help in advance. 
I'm looking forward to hearing from you soon. [1] https://github.com/keycloak/keycloak/tree/master/testsuite/integration [2] https://github.com/keycloak/keycloak/tree/master/testsuite/integration-arquillian -- Best Regards, Charlee Ch. 2016-06-29 13:13 GMT+07:00 Stian Thorgersen : > Not sure what you mean about minimal server, but Keycloak can be used with > Arquillian. We use it ourselves in the new testsuite. > > On 29 June 2016 at 04:53, Charlee Chitsuk wrote: > >> Hi, >> >> I would like to test my application via the Arquillian. Does keycloak >> provide the minimal server for integration test? >> >> -- >> Best Regards, >> >> Charlee Ch >> >> >> Virus-free. >> www.avast.com >> >> <#m_8856438731553818385_m_-8974110243762289522_DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/a025379a/attachment-0001.html From jannik.huels at googlemail.com Wed Jun 29 02:35:01 2016 From: jannik.huels at googlemail.com (=?utf-8?Q?Jannik_H=C3=BCls?=) Date: Wed, 29 Jun 2016 08:35:01 +0200 Subject: [keycloak-user] keycloak access token caching? In-Reply-To: References: <6E53A5D1-C422-4A13-9191-7E8FCF3F0D88@googlemail.com> Message-ID: <94090C5C-E07B-407F-8E08-8AAB8D7841DB@googlemail.com> What logout url do I have to call? After call I the /auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= endpoint still the session is valid. (But removed in the admin console) > On 28 Jun 2016, at 15:49, Stian Thorgersen wrote: > > Direct grant (tokens obtained directly from /auth/realms/{realm}/protocol/openid-connect/token) results in a new user session being created. This session is not tied to the browser session in any way. 
> To do that you should use the proper redirect-based login.
>
> The token introspection endpoint returns that the token is still valid after you've logged out from the admin console because you have two separate user sessions. To invalidate the token obtained directly from the 'token' endpoint you'd have to call logout on that separately.
>
> On 24 June 2016 at 10:08, Jannik Hüls wrote:
> Hi,
>
> I use the /auth/realms/{realm}/protocol/openid-connect/token endpoint to create a User Session. The Session is shown inside keycloak and I get the access_token, refresh_token and id_token.
> When I now call the /auth/realms/{realm}/protocol/openid-connect/token/introspect I get a valid response containing "active":"true" amongst others. I call it using POST method and providing client_id, client_secret and token parameter as data. The token parameter contains the access_token value.
>
> I now log in to keycloak administrator and logout the User. Now I again call the introspection endpoint but still get a response containing "active":"true". It seems that keycloak is caching the User Session and after some time I get "active":"false". May I be able to disable caching and to immediately get an introspection response that indicates that the User Session no longer exists?
>
> Btw.: The same happens when I call the /auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= endpoint. I provided the access_token in the header. POST parameters are client_id, client_secret and refresh_token in this case.
>
> I use the introspection endpoint in the different RPs I use to validate whether the access_token is revoked in order to introduce single logout. Hence it would be nice to disable the caching to have less inconsistency.
> > Bests > Jannik > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/c9008a51/attachment.html From sthorger at redhat.com Wed Jun 29 02:52:47 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 29 Jun 2016 08:52:47 +0200 Subject: [keycloak-user] Keycloak minimal for integration test In-Reply-To: References: Message-ID: KeycloakServer is just start/stop. I would recommend using Arquillian instead though as you are then testing with a proper Keycloak server. Arquilian can start/stop multiple containers and you'd just have Keycloak standalone server as one of the managed containers. On 29 June 2016 at 08:29, Charlee Chitsuk wrote: > Hi Thomas and Stain, > > Thank you for your response. I would like to start the keycloak when I > start testing my application via Arquillian. > > I hope it may be something like > > KeyCloak keyCloak = new KeyCloak(); > keyCloak.start(); > //do some tests > keyCloak.stop(); > > note: The start and stop may be called by @BeforeClass and @AfterClass > > At the moment I've tried to read the "/testsuite/integration" [1] and > "/testsuite/integration-arquillian" [2]. I'm still confused how to apply > them to my project. Could you please help to advise further? Thank you very > much for your help in advance. I'm looking forward to hearing from you soon. > > [1] https://github.com/keycloak/keycloak/tree/master/testsuite/integration > [2] > https://github.com/keycloak/keycloak/tree/master/testsuite/integration-arquillian > > -- > Best Regards, > > Charlee Ch. > > 2016-06-29 13:13 GMT+07:00 Stian Thorgersen : > >> Not sure what you mean about minimal server, but Keycloak can be used >> with Arquillian. We use it ourselves in the new testsuite. 
>> >> On 29 June 2016 at 04:53, Charlee Chitsuk wrote: >> >>> Hi, >>> >>> I would like to test my application via the Arquillian. Does keycloak >>> provide the minimal server for integration test? >>> >>> -- >>> Best Regards, >>> >>> Charlee Ch >>> >>> >>> Virus-free. >>> www.avast.com >>> >>> <#m_8214467387200622157_m_8856438731553818385_m_-8974110243762289522_DDB4FAA8-2DD7-40BB-A1B8-4E2AA1F9FDF2> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/0030ce1b/attachment.html From chairfield at gmail.com Tue Jun 28 23:31:37 2016 From: chairfield at gmail.com (Chris Hairfield) Date: Wed, 29 Jun 2016 03:31:37 +0000 Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users In-Reply-To: References: Message-ID: Stian, We don't seem to be out of the woods yet. The leak is resolved with your workaround, but performance suffers mightily when an eviction policy is set. Perhaps you have suggestions on how to get similar performance while employing this workaround? 
Details of test run: - Eviction policy set at 1 million entries with LRU strategy for realmVersions cache (no eviction policy on other caches) - No statistics enabled (to simplify test) - 1g Xms, 4g Xmx, parallel GC at 4 cores - No authentication, only user creation Observations: - Account creation speeds start out at about half of what I am able to get without the workaround (~170/s rather than ~350/s) - I have only been able to create 132k users over a span of ~6 hours - Memory seems to thrash at a much higher rate than I've seen in previous tests Thoughts? [image: test15-term2.png] On Tue, Jun 28, 2016 at 10:40 AM Chris Hairfield wrote: > I can confirm that adding the eviction policy clears the issue. Thank you > so much for your assistance, Stian. This clears the major hurdle in our > path to using Keycloak as our sole identity management store :) > > On Tue, Jun 28, 2016 at 2:13 AM Stian Thorgersen > wrote: > >> I've confirmed the issue now and found the cause: >> https://issues.jboss.org/browse/KEYCLOAK-3202 >> >> The leak is in realmVersion cache. A workaround is to set a eviction >> policy on this cache, for example LRU 10000. >> >> On 28 June 216 at 08:47, Stian Thorgersen wrote: >> >>> We have had our QE guys confirm this issue and it looks like >>> something ominous is going on. >>> >>> On 27 June 2016 at 17:45, Chris Hairfield wrote: >>> >>>> Stian, >>>> >>>> I've noticed some interesting things: >>>> >>>> - When the user cache in enabled, creating a user allocates a block >>>> on memory that cannot be GC'd >>>> - When I restart Keycloak after creating those users, that memory >>>> is not re-allocated >>>> >>>> This begs the question: what is the purpose of the memory allocation on >>>> user creation if it doesn't need to stick around upon restart? >>>> >>> >>> Creating a new user is expected to consume memory that can't be GC'd due >>> to the caching. 
Upon restart the users are loaded on demand into the cache >>> (user logs in or through admin console/endpoints). >>> >>> >>>> >>>> It seems to me that the user cache is keeping more than 10k users on >>>> user creation. Does this hypothesis agree with your understanding of >>>> Keycloak's design? >>>> >>> >>> By default it should only keep 10K users in memory. Once it hits 10K the >>> least recently used should entries should be evicted from the cache. >>> However, it seems this is not working properly. >>> >>> >>>> >>>> Thanks, >>>> Chris >>>> >>>> P.S. I have yet to test authentication load. >>>> >>>> On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield >>>> wrote: >>>> >>>>> There seems to be a leak when enabling the user cache, even when >>>>> providing Keycloak with all the memory it needs to perform admirably >>>>> (initially). My heap drops to 3.4 GB when I perform a manual GC. >>>>> >>>>> I'm now seeing a number of PessimisticLockExceptions as it fails to >>>>> lock the USER_ENTITY table. I expect Keycloak to have ground to a halt by >>>>> the morning.[image: test8-graph.png] >>>>> >>>>> >>>>> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield >>>>> wrote: >>>>> >>>>>> I am only testing creating users. With the user cache disabled, I see >>>>>> no evidence of a memory leak at many JVM heap-size settings. >>>>>> >>>>>> Things get interesting when re-enabling the user cache. Performance >>>>>> seems to take a major hit in lower-memory scenarios, with some very >>>>>> worrisome scenarios where the rate at which I ingest continuously decreases. >>>>>> >>>>>> I am able to create users at a high rate of speed with a max heap >>>>>> size of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting >>>>>> lower than the Xmx setting, which goes against official JBoss GC >>>>>> performance tuning documentation >>>>>> >>>>>> . 
>>>>>> >>>>>> Though speeds are high with a large heap, I *do* see the possibility >>>>>> of a memory leak with the user cache enabled and no authentication >>>>>> happening. I will be running a test overnight to attempt to confirm or deny. >>>>>> >>>>>> Thanks for your help so far, Stian. I will be on vacation tomorrow >>>>>> through Sunday, so I will pick this back up on Monday. >>>>>> >>>>>> P.S. I will be thinking of ways to better the documentation around >>>>>> performance tuning, as my tests indicate that standard JVM options cause >>>>>> Keycloak to run in a very sub-optimal state. >>>>>> >>>>>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen < >>>>>> sthorger at redhat.com> wrote: >>>>>> >>>>>>> Are you only creating users or are you also authenticating users? >>>>>>> User sessions are kept purely in memory so obviously the more you create >>>>>>> the more memory is used. Only creating users should not continue to >>>>>>> increase, but will do so for a while at least due to the way Java garbage >>>>>>> collection works. >>>>>>> >>>>>>> I would only have the user cache disabled for testing memory leak. >>>>>>> Re-enable it and retest with it before you eventually go into production as >>>>>>> it will have a significant impact on performance. >>>>>>> >>>>>>> On 23 June 2016 at 01:10, Chris Hairfield >>>>>>> wrote: >>>>>>> >>>>>>>> Scratch the results of the graph I posted. I was running the test >>>>>>>> incorrectly. I'll post back with the results of the test run properly. >>>>>>>> >>>>>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield < >>>>>>>> chairfield at gmail.com> wrote: >>>>>>>> >>>>>>>>> Thomas, this test is run with whatever local database Keycloak >>>>>>>>> defaults to. We're using Postgres generally, and we will have more >>>>>>>>> information pertaining to tests against Postgres soon. >>>>>>>>> >>>>>>>>> Stian, thanks for the tips. 
I am currently running a test to >>>>>>>>> ingest about 50m users into the default database with the user cache >>>>>>>>> disabled, 8gb mem (Xmx and Xms), and parallel GC threads == processor count. >>>>>>>>> >>>>>>>>> Though my test is young (430k users ingested), I'm noticing memory >>>>>>>>> allocation increasing in lockstep with the number of ingested users. Is it >>>>>>>>> expected to continue in this fashion, or is Keycloak designed to level off >>>>>>>>> in its memory usage? >>>>>>>>> >>>>>>>>> [image: increasing-heap.png] >>>>>>>>> >>>>>>>>> >>>>>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen < >>>>>>>>> sthorger at redhat.com> wrote: >>>>>>>>> >>>>>>>>>> Keycloak by default caches users in-memory, by default it will >>>>>>>>>> keep up to 10000 entries cached. You can verify that there's no leak by >>>>>>>>>> disabling the user cache provider. See >>>>>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cache.html#d4e3187 >>>>>>>>>> >>>>>>>>>> If you're planning on having millions of users I suggest you >>>>>>>>>> increase the allocated memory for the JVM (512MB which it seems you have is >>>>>>>>>> not sufficient). >>>>>>>>>> >>>>>>>>>> On 22 June 2016 at 00:29, Chris Hairfield >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> Hello, >>>>>>>>>>> >>>>>>>>>>> When testing Keycloak 1.9.8 by ingesting a few million users, we >>>>>>>>>>> find that Keycloak leaks memory until it is rendered unresponsive (see >>>>>>>>>>> graph). Increasing JVM memory only increases the time it takes to encounter >>>>>>>>>>> this issue. >>>>>>>>>>> >>>>>>>>>>> We have put together a test project here >>>>>>>>>>> and opened an >>>>>>>>>>> issue here as >>>>>>>>>>> we continue to investigate. As we are relying on Keycloak as a central >>>>>>>>>>> infrastructural component, any help would be greatly appreciated. >>>>>>>>>>> >>>>>>>>>>> We'll update with more information as we find it. 
>>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> Chris >>>>>>>>>>> >>>>>>>>>>> [image: mem-cpu.png] >>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>> >>>>>>>>>> >>>>>>> >>> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/162e2fc5/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: mem-cpu.png Type: image/png Size: 100050 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/162e2fc5/attachment-0004.png -------------- next part -------------- A non-text attachment was scrubbed... Name: increasing-heap.png Type: image/png Size: 11436 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/162e2fc5/attachment-0005.png -------------- next part -------------- A non-text attachment was scrubbed... Name: test8-graph.png Type: image/png Size: 46063 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/162e2fc5/attachment-0006.png -------------- next part -------------- A non-text attachment was scrubbed... Name: test15-term2.png Type: image/png Size: 25646 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/162e2fc5/attachment-0007.png From sthorger at redhat.com Wed Jun 29 02:18:01 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 29 Jun 2016 08:18:01 +0200 Subject: [keycloak-user] Major Memory Leak/Consumption When Creating Many Users In-Reply-To: References: Message-ID: I was worried that the workaround would have some impact on performance, but would never have thought it would be anywhere near this bad. 
We're still investigating a proper solution. Afraid it's not going to be resolved for 2.0.0.Final, but most likely will be in 2.1.0.CR1. On 29 June 2016 at 05:31, Chris Hairfield wrote: > Stian, > > We don't seem to be out of the woods yet. The leak is resolved with your > workaround, but performance suffers mightily when an eviction policy is > set. Perhaps you have suggestions on how to get similar performance while > employing this workaround? > > Details of test run: > > - Eviction policy set at 1 million entries with LRU strategy for > realmVersions cache (no eviction policy on other caches) > - No statistics enabled (to simplify test) > - 1g Xms, 4g Xmx, parallel GC at 4 cores > - No authentication, only user creation > > Observations: > > - Account creation speeds start out at about half of what I am able to > get without the workaround (~170/s rather than ~350/s) > - I have only been able to create 132k users over a span of ~6 hours > - Memory seems to thrash at a much higher rate than I've seen in > previous tests > > Thoughts? > > [image: test15-term2.png] > > On Tue, Jun 28, 2016 at 10:40 AM Chris Hairfield > wrote: > >> I can confirm that adding the eviction policy clears the issue. Thank you >> so much for your assistance, Stian. This clears the major hurdle in our >> path to using Keycloak as our sole identity management store :) >> >> On Tue, Jun 28, 2016 at 2:13 AM Stian Thorgersen >> wrote: >> >>> I've confirmed the issue now and found the cause: >>> https://issues.jboss.org/browse/KEYCLOAK-3202 >>> >>> The leak is in realmVersion cache. A workaround is to set a eviction >>> policy on this cache, for example LRU 10000. >>> >>> On 28 June 216 at 08:47, Stian Thorgersen wrote: >>> >>>> We have had our QE guys confirm this issue and it looks like >>>> something ominous is going on. 
>>>> >>>> On 27 June 2016 at 17:45, Chris Hairfield wrote: >>>> >>>>> Stian, >>>>> >>>>> I've noticed some interesting things: >>>>> >>>>> - When the user cache in enabled, creating a user allocates a >>>>> block on memory that cannot be GC'd >>>>> - When I restart Keycloak after creating those users, that memory >>>>> is not re-allocated >>>>> >>>>> This begs the question: what is the purpose of the memory allocation >>>>> on user creation if it doesn't need to stick around upon restart? >>>>> >>>> >>>> Creating a new user is expected to consume memory that can't be GC'd >>>> due to the caching. Upon restart the users are loaded on demand into the >>>> cache (user logs in or through admin console/endpoints). >>>> >>>> >>>>> >>>>> It seems to me that the user cache is keeping more than 10k users on >>>>> user creation. Does this hypothesis agree with your understanding of >>>>> Keycloak's design? >>>>> >>>> >>>> By default it should only keep 10K users in memory. Once it hits 10K >>>> the least recently used should entries should be evicted from the cache. >>>> However, it seems this is not working properly. >>>> >>>> >>>>> >>>>> Thanks, >>>>> Chris >>>>> >>>>> P.S. I have yet to test authentication load. >>>>> >>>>> On Thu, Jun 23, 2016 at 10:52 PM Chris Hairfield >>>>> wrote: >>>>> >>>>>> There seems to be a leak when enabling the user cache, even when >>>>>> providing Keycloak with all the memory it needs to perform admirably >>>>>> (initially). My heap drops to 3.4 GB when I perform a manual GC. >>>>>> >>>>>> I'm now seeing a number of PessimisticLockExceptions as it fails to >>>>>> lock the USER_ENTITY table. I expect Keycloak to have ground to a halt by >>>>>> the morning.[image: test8-graph.png] >>>>>> >>>>>> >>>>>> On Thu, Jun 23, 2016 at 4:52 PM Chris Hairfield >>>>>> wrote: >>>>>> >>>>>>> I am only testing creating users. With the user cache disabled, I >>>>>>> see no evidence of a memory leak at many JVM heap-size settings. 
>>>>>>> >>>>>>> Things get interesting when re-enabling the user cache. Performance >>>>>>> seems to take a major hit in lower-memory scenarios, with some very >>>>>>> worrisome scenarios where the rate at which I ingest continuously decreases. >>>>>>> >>>>>>> I am able to create users at a high rate of speed with a max heap >>>>>>> size of 4g or 8g. Interestingly, Keycloak seems to prefer an Xms setting >>>>>>> lower than the Xmx setting, which goes against official JBoss GC >>>>>>> performance tuning documentation >>>>>>> >>>>>>> . >>>>>>> >>>>>>> Though speeds are high with a large heap, I *do* see the >>>>>>> possibility of a memory leak with the user cache enabled and no >>>>>>> authentication happening. I will be running a test overnight to attempt to >>>>>>> confirm or deny. >>>>>>> >>>>>>> Thanks for your help so far, Stian. I will be on vacation tomorrow >>>>>>> through Sunday, so I will pick this back up on Monday. >>>>>>> >>>>>>> P.S. I will be thinking of ways to better the documentation around >>>>>>> performance tuning, as my tests indicate that standard JVM options cause >>>>>>> Keycloak to run in a very sub-optimal state. >>>>>>> >>>>>>> On Wed, Jun 22, 2016 at 11:59 PM Stian Thorgersen < >>>>>>> sthorger at redhat.com> wrote: >>>>>>> >>>>>>>> Are you only creating users or are you also authenticating users? >>>>>>>> User sessions are kept purely in memory so obviously the more you create >>>>>>>> the more memory is used. Only creating users should not continue to >>>>>>>> increase, but will do so for a while at least due to the way Java garbage >>>>>>>> collection works. >>>>>>>> >>>>>>>> I would only have the user cache disabled for testing memory leak. >>>>>>>> Re-enable it and retest with it before you eventually go into production as >>>>>>>> it will have a significant impact on performance. >>>>>>>> >>>>>>>> On 23 June 2016 at 01:10, Chris Hairfield >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Scratch the results of the graph I posted. 
I was running the test >>>>>>>>> incorrectly. I'll post back with the results of the test run properly. >>>>>>>>> >>>>>>>>> On Wed, Jun 22, 2016 at 12:38 PM Chris Hairfield < >>>>>>>>> chairfield at gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Thomas, this test is run with whatever local database Keycloak >>>>>>>>>> defaults to. We're using Postgres generally, and we will have more >>>>>>>>>> information pertaining to tests against Postgres soon. >>>>>>>>>> >>>>>>>>>> Stian, thanks for the tips. I am currently running a test to >>>>>>>>>> ingest about 50m users into the default database with the user cache >>>>>>>>>> disabled, 8gb mem (Xmx and Xms), and parallel GC threads == processor count. >>>>>>>>>> >>>>>>>>>> Though my test is young (430k users ingested), I'm noticing >>>>>>>>>> memory allocation increasing in lockstep with the number of ingested users. >>>>>>>>>> Is it expected to continue in this fashion, or is Keycloak designed to >>>>>>>>>> level off in its memory usage? >>>>>>>>>> >>>>>>>>>> [image: increasing-heap.png] >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Tue, Jun 21, 2016 at 4:29 PM Stian Thorgersen < >>>>>>>>>> sthorger at redhat.com> wrote: >>>>>>>>>> >>>>>>>>>>> Keycloak by default caches users in-memory, by default it will >>>>>>>>>>> keep up to 10000 entries cached. You can verify that there's no leak by >>>>>>>>>>> disabling the user cache provider. See >>>>>>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server_cache.html#d4e3187 >>>>>>>>>>> >>>>>>>>>>> If you're planning on having millions of users I suggest you >>>>>>>>>>> increase the allocated memory for the JVM (512MB which it seems you have is >>>>>>>>>>> not sufficient). 
>>>>>>>>>>> >>>>>>>>>>> On 22 June 2016 at 00:29, Chris Hairfield >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hello, >>>>>>>>>>>> >>>>>>>>>>>> When testing Keycloak 1.9.8 by ingesting a few million users, >>>>>>>>>>>> we find that Keycloak leaks memory until it is rendered unresponsive (see >>>>>>>>>>>> graph). Increasing JVM memory only increases the time it takes to encounter >>>>>>>>>>>> this issue. >>>>>>>>>>>> >>>>>>>>>>>> We have put together a test project here >>>>>>>>>>>> and opened an >>>>>>>>>>>> issue here as >>>>>>>>>>>> we continue to investigate. As we are relying on Keycloak as a central >>>>>>>>>>>> infrastructural component, any help would be greatly appreciated. >>>>>>>>>>>> >>>>>>>>>>>> We'll update with more information as we find it. >>>>>>>>>>>> >>>>>>>>>>>> Thanks, >>>>>>>>>>>> Chris >>>>>>>>>>>> >>>>>>>>>>>> [image: mem-cpu.png] >>>>>>>>>>>> >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>> >>>> >>> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/9fcf5df6/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: increasing-heap.png Type: image/png Size: 11436 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/9fcf5df6/attachment-0004.png -------------- next part -------------- A non-text attachment was scrubbed... Name: test8-graph.png Type: image/png Size: 46063 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/9fcf5df6/attachment-0005.png -------------- next part -------------- A non-text attachment was scrubbed... 
Name: mem-cpu.png Type: image/png Size: 100050 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/9fcf5df6/attachment-0006.png -------------- next part -------------- A non-text attachment was scrubbed... Name: test15-term2.png Type: image/png Size: 25646 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/9fcf5df6/attachment-0007.png From sthorger at redhat.com Wed Jun 29 02:56:16 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 29 Jun 2016 08:56:16 +0200 Subject: [keycloak-user] keycloak access token caching? In-Reply-To: <94090C5C-E07B-407F-8E08-8AAB8D7841DB@googlemail.com> References: <6E53A5D1-C422-4A13-9191-7E8FCF3F0D88@googlemail.com> <94090C5C-E07B-407F-8E08-8AAB8D7841DB@googlemail.com> Message-ID: You need to do a POST to that URL rather than a redirect/GET. It should include the param refresh_token with the value of the refresh token you retrieved from "../token". On 29 June 2016 at 08:35, Jannik Höls wrote: > What logout url do I have to call? After I call the > */auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= *endpoint > the session is still valid. (But removed in the admin console) > > On 28 Jun 2016, at 15:49, Stian Thorgersen wrote: > > Direct grant (tokens obtained directly > from /auth/realms/{realm}/protocol/openid-connect/token) results in a new > user session being created. This session is not tied to the browser session > in any way. To do that you should use the proper redirect based login. > > The token introspection endpoint returns that the token is still valid > after you've logged out from the admin console because you have two separate > user sessions. To invalidate the token obtained directly from the 'token' > endpoint you'd have to call logout on that separately. 
> > On 24 June 2016 at 10:08, Jannik Höls wrote: > >> Hi, >> >> I use the */auth/realms/{realm}/protocol/openid-connect/token* endpoint >> to create a User Session. The Session is shown inside keycloak and I get >> the access_token, refresh_token and id_token. >> When I now call the */auth/realms/{realm}/protocol/openid-connect/token/introspect >> *I get a valid response containing *"active":"true" *amongst others. I >> call it using the POST method and providing *client_id*, *client_secret* and >> *token* parameters as data. The *token* parameter contains the >> *access_token* value. >> >> I now log in to the keycloak administrator and log out the User. Now I again >> call the introspection endpoint but still get a response containing >> *"active":"true"*. It seems that keycloak is caching the User Session >> and after some time I get *"active":"false"*. *May I be able to disable >> caching and immediately get an introspection response that indicates that >> the User Session no longer exists? >> >> Btw.: The same happens when I call the */auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= >> *endpoint. I provided the *access_token* in the header. POST parameters >> are *client_id*, *client_secret* and *refresh_token* in this case. >> >> I use the introspection endpoint in the different RPs I use to validate >> whether the access_token is revoked in order to introduce single logout. >> Hence it would be nice to disable the caching to have less inconsistency. >> >> Bests >> Jannik >> >> >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/b29a95e1/attachment.html From sthorger at redhat.com Wed Jun 29 02:56:58 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 29 Jun 2016 08:56:58 +0200 Subject: [keycloak-user] keycloak access token caching? In-Reply-To: References: <6E53A5D1-C422-4A13-9191-7E8FCF3F0D88@googlemail.com> <94090C5C-E07B-407F-8E08-8AAB8D7841DB@googlemail.com> Message-ID: I would recommend that you use the redirect based login though. On 29 June 2016 at 08:56, Stian Thorgersen wrote: > You need to do a POST to that URL rather than a redirect/GET. It should > include the param refresh_token with the value of the refresh token you > retrieved from "../token". > > On 29 June 2016 at 08:35, Jannik Höls wrote: > >> What logout url do I have to call? After I call the >> */auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= *endpoint >> the session is still valid. (But removed in the admin console) >> >> On 28 Jun 2016, at 15:49, Stian Thorgersen wrote: >> >> Direct grant (tokens obtained directly >> from /auth/realms/{realm}/protocol/openid-connect/token) results in a new >> user session being created. This session is not tied to the browser session >> in any way. To do that you should use the proper redirect based login. >> >> The token introspection endpoint returns that the token is still valid >> after you've logged out from the admin console because you have two separate >> user sessions. To invalidate the token obtained directly from the 'token' >> endpoint you'd have to call logout on that separately. >> >> On 24 June 2016 at 10:08, Jannik Höls >> wrote: >> >>> Hi, >>> >>> I use the */auth/realms/{realm}/protocol/openid-connect/token* >>> endpoint to create a User Session. The Session is shown inside keycloak and >>> I get the access_token, refresh_token and id_token. 
>>> When I now call the */auth/realms/{realm}/protocol/openid-connect/token/introspect >>> *I get a valid response containing *"active":"true" *amongst others. I >>> call it using the POST method and providing *client_id*, *client_secret* and >>> *token* parameters as data. The *token* parameter contains the >>> *access_token* value. >>> >>> I now log in to the keycloak administrator and log out the User. Now I again >>> call the introspection endpoint but still get a response containing >>> *"active":"true"*. It seems that keycloak is caching the User Session >>> and after some time I get *"active":"false"*. *May I be able to disable >>> caching and immediately get an introspection response that indicates that >>> the User Session no longer exists? >>> >>> Btw.: The same happens when I call the */auth/realms/{realm}/protocol/openid-connect/logout?redirect_uri= >>> *endpoint. I provided the *access_token* in the header. POST parameters >>> are *client_id*, *client_secret* and *refresh_token* in this case. >>> >>> I use the introspection endpoint in the different RPs I use to validate >>> whether the access_token is revoked in order to introduce single logout. >>> Hence it would be nice to disable the caching to have less inconsistency. >>> >>> Bests >>> Jannik >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
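The session lifecycle Stian describes in this thread (a direct grant creates its own user session, introspection stays active until that session is ended, logout is a POST carrying refresh_token rather than a GET redirect, and ending one session leaves other sessions untouched), as an added example that is not part of the original thread and is not Keycloak code. The base URL, realm name, client credentials and user are hypothetical assumptions; the endpoint paths are the ones named in the messages above. FakeKeycloak is a constructed in-memory stand-in for those three endpoints so the exchange can be run offline; the default urllib transport talks to a real server instead.

```python
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical deployment values (assumptions, not taken from the thread).
BASE = "http://localhost:8080/auth"
REALM = "demo"
CLIENT_ID = "my-rp"
CLIENT_SECRET = "s3cr3t"


def endpoint(name):
    # The endpoint paths named in the thread: token, token/introspect, logout.
    return f"{BASE}/realms/{REALM}/protocol/openid-connect/{name}"


def urllib_post(url, form):
    """Default transport: form-encoded POST, returns (status, body). Pass
    FakeKeycloak().post instead to run the same exchange offline."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def direct_grant(username, password, post=urllib_post):
    """Resource Owner Password grant. Every call creates a separate user session."""
    status, body = post(endpoint("token"), {
        "grant_type": "password", "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "username": username, "password": password})
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body}")
    return json.loads(body)  # access_token, refresh_token, ...


def introspect(access_token, post=urllib_post):
    """RFC 7662 introspection: 'active' is true while the session behind the token lives."""
    status, body = post(endpoint("token/introspect"), {
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "token": access_token})
    if status != 200:
        raise RuntimeError(f"introspection returned {status}: {body}")
    return bool(json.loads(body)["active"])


def logout(refresh_token, post=urllib_post):
    """Ends the session a direct grant created: a POST carrying refresh_token, as Stian
    says above; a GET/redirect to logout?redirect_uri=... does not end this session."""
    status, _ = post(endpoint("logout"), {
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "refresh_token": refresh_token})
    return status in (200, 204)


def session_lifecycle(username, password, post=urllib_post):
    """Login, introspect, logout, introspect again -> (active_before, active_after)."""
    tokens = direct_grant(username, password, post)
    before = introspect(tokens["access_token"], post)
    if not logout(tokens["refresh_token"], post):
        raise RuntimeError("logout failed")
    return before, introspect(tokens["access_token"], post)


class FakeKeycloak:
    """Constructed in-memory stand-in for the three endpoints (not Keycloak code). It models
    only what the thread discusses: each token call opens its own session, introspection
    reports active until that session is logged out via its refresh_token, and ending one
    session leaves the others alone."""

    def __init__(self):
        self.sessions = {}    # session id -> still active?
        self.by_access = {}   # access token -> session id
        self.by_refresh = {}  # refresh token -> session id

    def post(self, url, form):
        if (form.get("client_id"), form.get("client_secret")) != (CLIENT_ID, CLIENT_SECRET):
            return 401, json.dumps({"error": "invalid_client"})
        path = url.rsplit("/openid-connect/", 1)[1]
        if path == "token":
            sid, at, rt = (secrets.token_hex(8) for _ in range(3))
            self.sessions[sid] = True
            self.by_access[at] = self.by_refresh[rt] = sid
            return 200, json.dumps({"access_token": at, "refresh_token": rt, "token_type": "Bearer"})
        if path == "token/introspect":
            sid = self.by_access.get(form.get("token"))
            return 200, json.dumps({"active": sid is not None and self.sessions[sid]})
        if path == "logout":
            sid = self.by_refresh.get(form.get("refresh_token"))
            if sid is None or not self.sessions[sid]:
                return 400, json.dumps({"error": "invalid_grant"})
            self.sessions[sid] = False
            return 204, ""
        return 404, ""


if __name__ == "__main__":
    print(session_lifecycle("alice", "password", post=FakeKeycloak().post))  # (True, False)
```

The transport is injected so the same four client functions run unchanged against the fake and against a real realm. Note that the client secret travels in the form body here; a confidential client can equally send it as HTTP Basic credentials, and a public client (as in the keycloak.json later in this section) sends no secret at all.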
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/b9a76331/attachment.html From mposolda at redhat.com Wed Jun 29 03:01:09 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 29 Jun 2016 09:01:09 +0200 Subject: [keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client In-Reply-To: References: Message-ID: <57737235.4030300@redhat.com> On 28/06/16 15:35, LEONARDO NUNES wrote: > Marek, after I encoded the redirect_uri parameter it worked. > > When I try to access a restricted page and I'm not logged in I saw > that an AuthChallenge with a redirect uri is returned. > Is there a way to configure prompt=none to be added to this redirect uri? I don't think it's possible ATM. What we can possibly do is add a "prompt" parameter to the list of parameters, which adapters are able to attach to the authorizationEndpoint sent to Keycloak (this is done in OAuthRequestAuthenticator.getRedirectUri ). Then a request to Keycloak with "prompt=none" will be sent and if you are not logged in, Keycloak will redirect back with status 400 and some "error" parameter. You will be able to configure the error page in your web.xml where you will be able to deal with the error and do what you want (for example, redirect to your anonymous page). Could you please create a JIRA for adding "prompt" to the parameters? Marek > > In my case I wouldn't like to be automatically redirected to the > login page when I'm not logged in. > Instead I would like to be redirected back to my page when the user is > not logged in. > > > -- > Leonardo Nunes > > > From: Marek Posolda > > Date: Tuesday, 28 June 2016 03:00 > To: Leonardo Nunes >, Tomás García >, "keycloak-user at lists.jboss.org > " > > Subject: Re: [keycloak-user] Question about the javascript-adapter and > the check-sso option with a confidential client > > Not sure why prompt=none doesn't work as expected... > > Are you manually opening this URL? 
Maybe it will help if you > url-encode the value of the redirect_uri parameter (in your example it's > not encoded). > > Marek > > On 27/06/16 15:38, LEONARDO NUNES wrote: >> Marek, I tried to manually call the keycloak login url with prompt=none >> but it didn't redirect back to my redirect_uri, instead it stayed at >> the login page. >> Below is an example of the login url I'm calling. >> >> http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&response_mode=fragment&response_type=code&client_id=app-web&*prompt=none* >> >> I need a URL to call to know if the user is logged in or not without >> being redirected to the login page. >> I need this because KeycloakSecurityContext is not available at >> non-restricted URLs. >> >> >> -- >> Leonardo Nunes >> >> >> From: Marek Posolda > >> Date: Monday, 27 June 2016 09:07 >> To: Tomás García , >> "keycloak-user at lists.jboss.org >> " >> > >> Subject: Re: [keycloak-user] Question about the javascript-adapter >> and the check-sso option with a confidential client >> >> I think your possibilities are either: >> - Use a different client for keycloak.js (public client) and a different >> client for your confidential servlet application >> - Don't use keycloak.js at all, but instead do some HTTP Filter to >> deal with "autologin" . You will manually try to redirect to keycloak >> with "prompt=none" . If the user is not logged in, keycloak will redirect >> back to the callback redirect_uri, where you recognize if there is a >> "code" or "error" parameter and based on that, you know if the user is >> logged in or not. If the user is logged in, you can redirect to the secured URL to >> properly trigger the authentication process (maybe you can optimize this >> step by reusing the "code", which you already have, and directly open >> the secured URI with it, but I am not 100% sure if it works >> considering that you also need the correct "state" etc.) 
Otherwise, you >> can set some state or something, to recognize that autologin has >> already been unsuccessfully tried. >> >> Maybe you can create a JIRA to request "autologin" support for other >> types of clients than public keycloak.js clients. >> >> Marek >> >> On 25/06/16 11:44, Tomás García wrote: >>> >>> Hi, >>> >>> I wonder if it's possible to just check the SSO state with a >>> confidential client. My use case is the following one: >>> >>> - I have a website which uses a confidential client to login with >>> Keycloak. >>> >>> - I want to add autologin to this website. >>> >>> - So I use the javascript adapter with the following option object >>> for the init method: { onLoad: 'check-sso' }. The javascript adapter >>> is built without the secret key in its constructor (obviously if I >>> put the secret key in there, there's no point to use a confidential >>> client at all). >>> >>> But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR, >>> error=invalid_client_credentials" error. >>> >>> So I don't know how feasible or secure it is to just check that the >>> Keycloak session inside the cookie of the user's browser is still >>> valid. In my case, the browser doesn't need to get the user info, >>> access token, etc, because what I'll do is redirect the user to the >>> Keycloak login page with the confidential client afterwards if the >>> operation is successful. Since the Keycloak session is valid, >>> Keycloak should redirect back with the authentication code without >>> asking credentials from the user. >>> >>> Additional note: the CORS header isn't added to 400 responses in >>> Keycloak, so it was a bit confusing looking at the JS console in the >>> browser, because it complained about CORS but it was just Keycloak >>> giving the 400 response without the allow-origin header. >>> >>> Thanks. 
>>> >>> -- >>> >>> *Tomás García Pérez >>> * >>> >>> *Software Developer* >>> >>> *Intra**House*** >>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> ------------------------------------------------------------------------ >> /This message may contain confidential and/or privileged information. >> If you are not the addressee or authorized to receive this for the >> addressee, you must not use, copy, disclose or take any action based >> on this message or any information herein. If you have received this >> message in error, please advise the sender immediately by reply >> e-mail and delete this message. Thank you for your cooperation/ > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/b3a5f457/attachment-0001.html From mposolda at redhat.com Wed Jun 29 03:05:51 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 29 Jun 2016 09:05:51 +0200 Subject: [keycloak-user] Does Keycloak's SPNEGO support include fall-back to NTLM in absence of Kerberos? In-Reply-To: References: Message-ID: <5773734F.8020302@redhat.com> I'm afraid that it won't work ATM. You can create a JIRA for this though. However I am not sure if it's a priority for us to do that. Alternatively you can try to contribute this yourself. 
Maybe the only required thing will be to add the NTLM OID ( 1.3.6.1.4.1.311.2.2.10 ) to the list here https://github.com/keycloak/keycloak/blob/master/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/SPNEGOAuthenticator.java#L169 . However I'm afraid it likely won't be that easy... Marek On 28/06/16 17:47, Guy Davis wrote: > Good day, > > For the sake of argument, assume that someone has set up an MS Active > Directory domain with Kerberos disabled, but NTLM still enabled. In > that situation, would a user browsing to a Keycloak-protected > application, with LDAP+SPNEGO enabled (against that MS AD system) > still allow for Integrated Windows Authentication (auto-login without > prompt) to the web application? > > Thanks much, > Guy > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/d44ad489/attachment.html From mposolda at redhat.com Wed Jun 29 03:32:56 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 29 Jun 2016 09:32:56 +0200 Subject: [keycloak-user] Help problem with Bad request In-Reply-To: <577237C4.2010400@mail.thot-soft.com> References: <577237C4.2010400@mail.thot-soft.com> Message-ID: <577379A8.9080205@redhat.com> Interesting issue. What is happening is that the state cookie with value "150/..." is set and then your application redirects to the keycloak login screen. However it looks like "something" else set a new value of the state cookie (in your case "151/..."), so after keycloak login is finished, the adapter can see the cookie value "151/...", but it still expects the old value "150/..." . I can see 2 possibilities how it can happen: 1) your application is opening more HTTP requests for secured URLs at the same time. 
For example you have HTML publicly available, which opens some XHR requests (or images) under a secured URL. When securedPage1 ( image1 ) is opened, it redirects to keycloak, however the browser already also sent a request to securedPage2 ( image2 ), which rewrites the cookie set by securedPage1. 2) The new cookie value is set after successful keycloak login and redirect to your application. I suspect it's likely case 1. You can confirm it by doing this: - Open the secured URL - Be redirected to the keycloak login screen - At this point, check if the value of the "state" parameter in the browser address line is the same as the value of the "OAUTH_TOKEN_REQUEST_STATE" cookie in your application (you will need to check browser cookies). If it's different then the issue is case 1. If it's the same then it's rather case 2. Marek On 28/06/16 10:39, Gyalai Milán wrote: > Hello, > > I have a problem with a Bad request when the user logs in. > > I have a simple War with JSP-s. With the following keycloak.json > > { > "realm": "test", > "realm-public-key": "...", > "auth-server-url": "keycloak-url", > "ssl-required": "none", > "resource": "dashboard-app", > "public-client": true, > "use-resource-role-mappings": false, > "principal-attribute": "preferred_username" > } > > The wildfly redirects to the keycloak perfectly and adds a state > parameter to the URL. After the login we get a 400 Bad request error. > In the wildfly log I found these lines. > > WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default > task-111) state parameter invalid > WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default > task-111) cookie: 151/af93b54d-6b04-4d82-9a8b-1fe7203b279e > WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default > task-111) queryParam: 150/e946fb78-9902-4449-8c33-687fcaf98d3d > > What did I configure wrong? > > The Keycloak version is 1.9.8.Final . > > Any ideas? 
> > Regards > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160629/51c11ea3/attachment.html From mposolda at redhat.com Wed Jun 29 04:00:52 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 29 Jun 2016 10:00:52 +0200 Subject: [keycloak-user] Keycloak single sign on with Keberos(AD) In-Reply-To: <0ABE2BE06E188B4FA117BC5D9D11ECCF5051E202@sq9bmexpr03.MONAD.MONERIS.COM> References: <0ABE2BE06E188B4FA117BC5D9D11ECCF5051DCDD@sq9bmexpr03.MONAD.MONERIS.COM> <5770F7ED.3070901@redhat.com> <0ABE2BE06E188B4FA117BC5D9D11ECCF5051DFCA@sq9bmexpr03.MONAD.MONERIS.COM> <57720E66.50307@redhat.com> <0ABE2BE06E188B4FA117BC5D9D11ECCF5051E202@sq9bmexpr03.MONAD.MONERIS.COM> Message-ID: <57738034.2090108@redhat.com> Hi Raymond, returning the keycloak-user list back for tracking purposes. What I can see in the server.log is happening is that: - Keycloak asks the browser to send a SPNEGO token (by sending 401 with a "WWW-Authenticate: Negotiate" header). So far everything as expected - The browser replies with a SPNEGO token, however it uses NTLM as the preferred choice ( the first OID is 1.3.6.1.4.1.311.2.2.10 ) together with an NTLM token. The KRB5 OID ( 1.2.840.113554.1.2.2 ) is in the supported mechanisms too. - Keycloak replies with a NegTokenTarg token when it's asking for a SPNEGO token backed by KRB5 instead of NTLM (as Keycloak doesn't understand NTLM atm. There is a related discussion on keycloak-user http://lists.jboss.org/pipermail/keycloak-user/2016-June/006758.html ) - The browser doesn't respond to the NegTokenTarg with a SPNEGO+KRB5 token anymore Not sure what your possibilities are TBH. Either somehow set up the browser to reply to the second request with NegTokenTarg and send a SPNEGO+KRB5 token. 
Or re-configure your Windows domain (or client machines + browser) to skip using NTLM. Right now, I don't have any clue how to do that TBH. Marek On 28/06/16 21:58, Zhou, Limin (Ray) wrote: > > Hi Marek > > If you haven't looked at my previous server.log, then use this one > instead, in this log we were getting an exception > > *GSSException: Defective token detected (Mechanism level: GSSHeader > did not find the right tag)*** > > When we hit the url, maybe this will make things easier > > Please let me know if you need anything more > > Thanks a lot > > Raymond > > *From:*Zhou, Limin (Ray) > *Sent:* Tuesday, June 28, 2016 10:00 AM > *To:* 'Marek Posolda' > *Subject:* RE: [keycloak-user] Keycloak single sign on with Keberos(AD) > > Hi Marek > > I have attached my keycloak server log to you, after adding the two > properties, we can see an exception show up when I hit my url, > after the exception, I think the default keycloak login page shows up, > and the rest of the log was generated by my manual login > > Hope this can give us some clue > > Thanks a lot > > Raymond > > *From:*Marek Posolda [mailto:mposolda at redhat.com] > *Sent:* Tuesday, June 28, 2016 1:43 AM > *To:* Zhou, Limin (Ray) > *Subject:* Re: [keycloak-user] Keycloak single sign on with Keberos(AD) > > Thanks Raymond, > > is it possible to also enable the system properties > |-Dsun.security.krb5.debug=true| and |-Dsun.security.spnego.debug=true > and see if there are some more details in the log? You can add system > properties either directly to the standalone/configuration/standalone.xml > file or by adding them to the java opts in bin/standalone.conf| > > |Thanks,| > |Marek| > > On 27/06/16 23:18, Zhou, Limin (Ray) wrote: > > Hello Marek > > Thanks for answering my post, the following is the log piece after > hitting the first page, hope this helps. 
> > Please let me know if you need anything more > > Thank you so much > > Raymond > > 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Debug is > true storeKey true useTicketCache false useKeyTab true doNotPrompt > true ticketCache is null isInitiator false KeyTab is > C:\FIRMS-domain\kcsso.keytab refreshKrb5Config is false principal > is HTTP/t430-pbdc41e.monad.moneris.com at MONAD.MONERIS.COM > > tryFirstPass is false useFirstPass is false storePass is false > clearPass is false > > 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) principal > is HTTP/t430-pbdc41e.monad.moneris.com at MONAD.MONERIS.COM > > > 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Will use > keytab > > 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Commit > Succeeded > > 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) > > 2016-06-27 17:11:13,454 INFO [stdout] (default task-24) > [Krb5LoginModule]: Entering logout > > 2016-06-27 17:11:13,454 INFO [stdout] (default task-24) > [Krb5LoginModule]: logged out Subject > > *From:*Marek Posolda [mailto:mposolda at redhat.com] > *Sent:* Monday, June 27, 2016 5:55 AM > *To:* Zhou, Limin (Ray); keycloak-user at lists.jboss.org > > *Subject:* Re: [keycloak-user] Keycloak single sign on with > Keberos(AD) > > It may help if you enable all the possible debug/trace logging and > post the log here. This may give more info what is the issue. 
See > docs how to enable logging : > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/authentication/kerberos.html > > Try to send the log from the point once you trigger the > authentication request (or from the point when you hit your app URL) > > Thanks, > Marek > > On 24/06/16 20:22, Zhou, Limin (Ray) wrote: > > Hello everyone > > I am new to Keycloak and new to here > > Our web application is running on Jboss EAP 7, We have > configured KeyCloak standalone server 1.9.7 running on > different port(same server box) to manage the user > authentication and authorization, behind KeyCloak we have > configured Keberos in User Federation to talk our company AD > server, we are able to login by using our AD account, but not > in single sign on way, each time when we hitting the our app > URL, the Keycloak login page will show up. > > It looks like the TGT or ST hand shake was not successful, is > there any document I can reference it to debug the issue? > > Any comments or suggestion would be very welcome > > thanks in advance > > raymond > > ------------------------------------------------------------------------ > > Moneris Solutions Corporation | 3300 Bloor Street West | > Toronto | Ontario | M8X 2X2 | Canada www.moneris.com > 1-866-319-7450 > If you wish to unsubscribe from future updates from Moneris, > please click here > . > Please see the Moneris Privacy Policy here > . > > > This e-mail may be privileged and/or confidential, and the > sender does not waive any related rights and obligations. Any > distribution, use or copying of this e-mail or the information > it contains by other than an intended recipient is > unauthorized. If you received this e-mail in error, please > advise me (by return e-mail or otherwise) immediately. 
> > ------------------------------------------------------------------------ > > Corporation Solutions Moneris | 3300, rue Bloor Ouest | > Toronto | Ontario | M8X 2X2 | Canada www.moneris.com > 1-866-319-7450 > Si vous d?sirez enlever votre nom de la liste d?envoi de > Moneris, veuillez cliquer ici > . > Veuillez consulter la Politique de confidentialit? de Moneris > ici > . > > > Ce courriel peut contenir des renseignements confidentiels ou > privil?gi?s, et son exp?diteur ne renonce ? aucun droit ni ? > aucune obligation connexe. La distribution, l?utilisation ou > la reproduction du pr?sent courriel ou des renseignements > qu?il contient par une personne autre que son destinataire > pr?vu sont interdites. Si vous avez re?u ce courriel par > erreur, veuillez m?en aviser imm?diatement (par retour de > courriel ou autrement). > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > ------------------------------------------------------------------------ > > Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | > Ontario | M8X 2X2 | Canada www.moneris.com > 1-866-319-7450 > If you wish to unsubscribe from future updates from Moneris, > please click here > . > Please see the Moneris Privacy Policy here > . > > > This e-mail may be privileged and/or confidential, and the sender > does not waive any related rights and obligations. Any > distribution, use or copying of this e-mail or the information it > contains by other than an intended recipient is unauthorized. If > you received this e-mail in error, please advise me (by return > e-mail or otherwise) immediately. 
> > ------------------------------------------------------------------------ > > Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | > Ontario | M8X 2X2 | Canada www.moneris.com > 1-866-319-7450 > Si vous d?sirez enlever votre nom de la liste d?envoi de Moneris, > veuillez cliquer ici > . > Veuillez consulter la Politique de confidentialit? de Moneris ici > . > > > Ce courriel peut contenir des renseignements confidentiels ou > privil?gi?s, et son exp?diteur ne renonce ? aucun droit ni ? > aucune obligation connexe. La distribution, l?utilisation ou la > reproduction du pr?sent courriel ou des renseignements qu?il > contient par une personne autre que son destinataire pr?vu sont > interdites. Si vous avez re?u ce courriel par erreur, veuillez > m?en aviser imm?diatement (par retour de courriel ou autrement). > > ------------------------------------------------------------------------ > Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | > Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450 > If you wish to unsubscribe from future updates from Moneris, please > click here > . > Please see the Moneris Privacy Policy here > . > > This e-mail may be privileged and/or confidential, and the sender does > not waive any related rights and obligations. Any distribution, use or > copying of this e-mail or the information it contains by other than an > intended recipient is unauthorized. If you received this e-mail in > error, please advise me (by return e-mail or otherwise) immediately. > ------------------------------------------------------------------------ > Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | > Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450 > Si vous d?sirez enlever votre nom de la liste d?envoi de Moneris, > veuillez cliquer ici > . > Veuillez consulter la Politique de confidentialit? de Moneris ici > . 
From us3r at mailbox.org Wed Jun 29 05:43:53 2016
From: us3r at mailbox.org (us3r at mailbox.org)
Date: Wed, 29 Jun 2016 11:43:53 +0200 (CEST)
Subject: [keycloak-user] Karaf Features problem
In-Reply-To:
References: <5770F6AA.6020006@redhat.com>
Message-ID: <546128335.2813.1467193433328@office.mailbox.org>

We had the same (or a similar) problem that the versions were 4.0.0 and 4.0.5 and not considered compatible. As a hack you can patch the version in MANIFEST.MF.

The documentation about the OSGi adapter is rather short compared to other integrations. It basically says look in the code. I consider it as undocumented even though there is a section in the ref guide because it tells you nothing.

The OSGi adapter would need more love. A major demotivator is that this little plugin has CXF as a dependency (and we don't use CXF in our application) and thus drags in dozens or hundreds of other bundles that we don't really want to care about but need some kind of setup which we couldn't get to work. I understand that we are here in Red Hat land and CXF is one of their favourites but not mine.

We gave up on this and use the standalone security proxy. The 4.0.x version problem and the huge dependencies (CXF) show how fragile this setup is. Even if you get it to work I'd guarantee that it breaks quickly when you update some other bundles. Version hell.

us3r

> Ygor Castor wrote on 27 June 2016 at 13:09:
>
> Done! Issue KEYCLOAK-3194.
>
> On Mon, 27 Jun 2016 at 06:49, Marek Posolda wrote:
>
> > Hi,
> >
> > it looks the fuse/karaf adapter might be broken in latest 2.0.0.CR1 release. Could you please create JIRA for it?
> >
> > Thanks,
> > Marek
> >
> > On 26/06/16 03:08, Ygor Castor wrote:
> >
> > > I'm trying to install the keycloak adapter at Karaf 4.0.5, but I'm running into some problems, this one I'm not being able to solve:
> > >
> > > karaf at root()> feature:install keycloak-adapter-core
> > > Error executing command: Unable to resolve root: missing requirement [root] osgi.identity; osgi.identity=keycloak-adapter-core; type=karaf.feature; version="[2.0.0.CR1,2.0.0.CR1]"; filter:="(&(osgi.identity=keycloak-adapter-core)(type=karaf.feature)(version>=2.0.0.CR1)(version<=2.0.0.CR1))" [caused by: Unable to resolve keycloak-adapter-core/2.0.0.CR1: missing requirement [keycloak-adapter-core/2.0.0.CR1] osgi.identity; osgi.identity=org.keycloak.keycloak-adapter-core; type=osgi.bundle; version="[2.0.0.CR1,2.0.0.CR1]"; resolution:=mandatory [caused by: Unable to resolve org.keycloak.keycloak-adapter-core/2.0.0.CR1: missing requirement [org.keycloak.keycloak-adapter-core/2.0.0.CR1] osgi.wiring.package; filter:="(&(osgi.wiring.package=org.keycloak.authorization.client)(version>=2.0.0.CR1))"]]
> > >
> > > It seems that the feature can't find the "org.keycloak.authorization" bundle, how can I fix this?
From thomas.darimont at googlemail.com Wed Jun 29 05:51:45 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 29 Jun 2016 11:51:45 +0200
Subject: [keycloak-user] Searching on Keycloak mailing list archive
In-Reply-To:
References: <57557345.2060409@redhat.com>
Message-ID:

Hello,

any updates here?

Keycloak Mailing-list is still not searchable via http://search.jboss.org/

Cheers,
Thomas

2016-06-07 14:59 GMT+02:00 Stian Thorgersen:

> I sent an email to the JBoss.org guys to ask them to add our mailing lists to search.jboss.org.
>
> On 7 June 2016 at 14:03, Thomas Darimont wrote:
>
> > I asked for it here:
> > https://developer.jboss.org/wiki/JBossCommunitySearchHelp
> >
> > Would be really useful to have - I downloaded the news archives locally and search through with thunderbird.
> >
> > 2016-06-06 14:57 GMT+02:00 Rafael T. C. Soares:
> >
> > > How can I search for something on keycloak mailing lists archive?
> > > It appears keycloak lists are not indexed by JBoss Community Search engine [1][2]
> > >
> > > [1] http://search.jboss.org
> > > [2] https://developer.jboss.org/wiki/JBossCommunitySearchFAQ
> > >
> > > --
> > > Rafael T. C. Soares | Solution Architect
> > > JBoss Enterprise Middleware | Red Hat Brazil
> > > Mobile: +55 71 98181-3636
> > > Phone: +55 11 3529-6096

From sthorger at redhat.com Wed Jun 29 06:39:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 29 Jun 2016 12:39:56 +0200
Subject: [keycloak-user] Searching on Keycloak mailing list archive
In-Reply-To:
References: <57557345.2060409@redhat.com>
Message-ID:

Waiting for response on the ticket.. Might be a bit delayed due to DevNation/Summit.

On 29 June 2016 at 11:51, Thomas Darimont wrote:

> Hello,
>
> any updates here?
>
> Keycloak Mailing-list is still not searchable via http://search.jboss.org/
>
> Cheers,
> Thomas

From sthorger at redhat.com Wed Jun 29 07:17:05 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 29 Jun 2016 13:17:05 +0200
Subject: [keycloak-user] Encrypted SAML response
In-Reply-To:
References: <45eb6a33-43be-1740-74f9-be9cc638b6f2@redhat.com>
Message-ID:

I'm pretty sure this isn't possible at the moment, so please create a JIRA feature request.

On 24 June 2016 at 08:50, Pål Oliver Kristiansen wrote:

> We figured out what was happening with some help from F5 (BigIP) technicians.
> Keycloak uses RSA v1.5 for key transport algorithm but this is not supported in BigIP APM.
>
> It also seems like v1.5 is largely deprecated and BigIP requires RSA-OAEP for this.
>
> This seems to be set in XMLEncryptionUtil.getXMLEncryptionURLForKeyUnwrap(...) returning XMLCipher.RSA_v1dot5 if the public SP key was a RSA key.
>
> Is there any way to easily change from RSAv1.5 to RSA-OAEP?
>
> References:
>
> https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-hotfix-bigip-12-0-0.html#A534555-1
>
> https://tools.ietf.org/html/rfc3560
>
> Thanks!
>
> On Wed, 22 Jun 2016 at 15:34, Pål Oliver Kristiansen <paal.oliver at gmail.com> wrote:
>
> > Thanks Bill!
> >
> > What we did was to create the client in Keycloak by importing the SP metadata file. So the "Encryption Key" and "Signing Key" have the values from the SP's metadata file already.
> > From what I can gather, the values in this part of the client definition in Keycloak match the values in the meta data file when looking at the elements:
> >
> > ---[Key found in certificate]---
> >
> > Would this work or am I missing something?
> >
> > I can double check that the private key on the SP side actually is correlated with the public one in the meta data file.
> >
> > On Wed, 22 Jun 2016 at 15:03, Bill Burke wrote:
> >
> > > Once you've enabled encryption, you have to go to the 'SAML Keys' tab. There is an Encryption Key at the bottom of that screen. You can have Keycloak generate the private key and cert for the SP, or you can import the SP's certificate that is stored in a PEM file, JKS, or PKCS12 file.
> > >
> > > On 6/22/16 3:47 AM, Pål Oliver Kristiansen wrote:
> > >
> > > > Hi!
> > > >
> > > > We have set up Keycloak as an IDP with a F5 BigIP APM as a SAML SP. Everything works well out of the box, but when we activate encryption of assertions, we get an error on the BigIP side.
> > > >
> > > > So in order to investigate the situation, I'm trying to understand the process of SAML assertion response encryption. And I am a bit confused when reading the Keycloak documentation and comparing that to what I see in the Keycloak admin console.
> > > > Here is what I mean; in the documentation (https://keycloak.github.io/docs/userguide/keycloak-server/html/saml.html), activating assertion response encryption is described like this:
> > > >
> > > > "Encrypt Assertions
> > > > Encrypt assertions in SAML documents with the realm's private key. The AES algorithm is used with a key size of 128 bits."
> > > >
> > > > But in the admin console (under clients) it is described like this in the tooltip:
> > > >
> > > > "Encrypt Assertions
> > > > Should SAML assertions be encrypted with client's public key using AES?"
> > > >
> > > > So basically, which key is used for encrypting the assertion response?
> > > >
> > > > I have inspected the actual HTTP post and it looks something like this:
> > > >
> > > > ...
> > > > Type="http://www.w3.org/2001/04/xmlenc#Element">
> > > > Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
> > > > Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> > > > ---[block of cipher text]---
> > > > ---[block of cipher text]---
> > > >
> > > > So it at least looks like the key to decrypt the encrypted response is included. It is encrypted using RSA, but with which key?
> > > > My understanding was something like this:
> > > >
> > > > 1. The encryption of a SAML assertion response is done using AES-128, with some key.
> > > > 2. The key is added alongside the encrypted assertion response and encrypted using the SP's public key.
> > > > 3. The SP receives the encrypted assertion response and the encrypted key, decrypts the key using its private key and uses this decrypted key to decrypt the actual assertion response.
> > > >
> > > > Is this generally correct?
> > > >
> > > > The error we get from BigIP is this: "failed to process encrypted assertion, error: RSA decrypt"
> > > > Which leads me to think that maybe the decryption of the included key did not work out.
> > > > Any ideas or tips to how to approach this?
> > > >
> > > > Thanks!

From afroufeq at grancanaria.com Wed Jun 29 08:35:05 2016
From: afroufeq at grancanaria.com (afroufeq)
Date: Wed, 29 Jun 2016 13:35:05 +0100
Subject: [keycloak-user] Keycloak dies every few days for high memory usage
Message-ID: <98b45a71-69b8-9936-e89e-595cc59659af@grancanaria.com>

Victor has posted this question on StackOverflow.

http://serverfault.com/questions/786895/keycloak-dies-every-few-days-for-high-memory-usage

Does anyone know the answer?
Cheers,

From sthorger at redhat.com Wed Jun 29 09:29:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 29 Jun 2016 15:29:46 +0200
Subject: [keycloak-user] Keycloak dies every few days for high memory usage
In-Reply-To: <98b45a71-69b8-9936-e89e-595cc59659af@grancanaria.com>
References: <98b45a71-69b8-9936-e89e-595cc59659af@grancanaria.com>
Message-ID:

The only memory leak we are aware of is the one that is being discussed in "Major Memory Leak/Consumption When Creating Many Users" / https://issues.jboss.org/browse/KEYCLOAK-3202. There are two things you can try: first is to disable caches (performance will suffer), the other is to add an eviction policy on realmVersion cache.

On 29 June 2016 at 14:35, afroufeq wrote:

> Victor has posted this question on StackOverflow.
>
> http://serverfault.com/questions/786895/keycloak-dies-every-few-days-for-high-memory-usage
>
> Does anyone know the answer?
>
> Cheers,

From jayblanc at gmail.com Wed Jun 29 09:35:35 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Wed, 29 Jun 2016 13:35:35 +0000
Subject: [keycloak-user] Hardcoded Role Mapper Problem
Message-ID:

Hi,

I use a Role Mapper on an Identity Provider but it's not working as expected:

- If the account does not exist and Identity Provider Auth is used to create a new account, the Role is applied to the newly created keycloak account.
- But if an account already exists and I use the Identity Provider Association, the Role is not applied to the already existing keycloak account and the mapper has no effect, leaving the account in an inconsistent state for me...

Is it a normal behaviour, is it fixed in latest releases (I use 1.7.0)?

Thanks,
Jérôme.

From srossillo at smartling.com Wed Jun 29 11:04:00 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 29 Jun 2016 11:04:00 -0400
Subject: [keycloak-user] keycloak-nodejs-connect with Express routes
Message-ID: <16084981-BA6A-41A9-9D70-73C5B9D1B427@smartling.com>

Hey,

I'm trying to register the NodeJS Keycloak Connect (0.22) with Express routes, such as:

var foo = require('./routes/foo');
app.use('/foo', foo);

The problems are:

1. Adding the Keycloak protect middleware with "app.use('foo', keycloak.protect(), foo)" causes infinite redirects
2. It can't be registered in the route javascript file because keycloak.protect() expects the already initialized keycloak function.

When dealing with large applications, it's not feasible to register all routes in the main Express file.

Any pointers or am I missing something?

Thanks in advance,
Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

From lholmqui at redhat.com Wed Jun 29 11:06:47 2016
From: lholmqui at redhat.com (Luke Holmquist)
Date: Wed, 29 Jun 2016 11:06:47 -0400
Subject: [keycloak-user] keycloak-nodejs-connect with Express routes
In-Reply-To: <16084981-BA6A-41A9-9D70-73C5B9D1B427@smartling.com>
References: <16084981-BA6A-41A9-9D70-73C5B9D1B427@smartling.com>
Message-ID:

On Wed, Jun 29, 2016 at 11:04 AM, Scott Rossillo wrote:

> Hey,
>
> I'm trying to register the NodeJS Keycloak Connect (0.22) with Express routes, such as:
>
> var foo = require('./routes/foo');
> app.use('/foo', foo);
>
> The problems are:
>
> 1. Adding the Keycloak protect middleware with "app.use('foo', keycloak.protect(), foo)" causes infinite redirects

https://issues.jboss.org/browse/KEYCLOAK-3199

almost fixed: https://github.com/keycloak/keycloak-nodejs-connect/pull/43

> 2. It can't be registered in the route javascript file because keycloak.protect() expects the already initialized keycloak function.
>
> When dealing with large applications, it's not feasible to register all routes in the main Express file.
>
> Any pointers or am I missing something?

From lholmqui at redhat.com Wed Jun 29 11:51:30 2016
From: lholmqui at redhat.com (Luke Holmquist)
Date: Wed, 29 Jun 2016 11:51:30 -0400
Subject: [keycloak-user] keycloak-nodejs-connect with Express routes
In-Reply-To:
References: <16084981-BA6A-41A9-9D70-73C5B9D1B427@smartling.com>
Message-ID:

On Wed, Jun 29, 2016 at 11:06 AM, Luke Holmquist wrote:

> On Wed, Jun 29, 2016 at 11:04 AM, Scott Rossillo wrote:
>
> > 1. Adding the Keycloak protect middleware with "app.use('foo', keycloak.protect(), foo)" causes infinite redirects
>
> https://issues.jboss.org/browse/KEYCLOAK-3199
>
> almost fixed: https://github.com/keycloak/keycloak-nodejs-connect/pull/43

a 0.2.1 version was just released on npm that should fix that infinite redirect issue

From chairfield at gmail.com Wed Jun 29 11:51:24 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Wed, 29 Jun 2016 15:51:24 +0000
Subject: [keycloak-user] Stian: Continuation of Memory Leak Investigation
Message-ID:

*My replies started bouncing; guess I sent too many pictures ;)*

I'd be perfectly happy with that throughput. What other parameters did you run it under?

JAVA_OPTS: "-server -Xms1g -Xmx4g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -XX:+UseParallelGC -XX:ParallelGCThreads=4"

Run command: bin/standalone.sh -c standalone.xml

My standalone.xml:

You can see memory starting to thrash at a higher rate (up to 1.4 GB). I only created 22k users in this test.

Attachments: test16-graph.png (image/png, 41624 bytes), test16-term.png (image/png, 6319 bytes)
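The eviction policy on the realmVersions cache that Stian suggests in this memory-leak thread, written out as an added example of the cache definition with and without that policy; this is not the standalone.xml from the original post, which the archive stripped. It assumes the infinispan subsystem of the WildFly 10 build that Keycloak 2.0.0.CR1 runs on (schema version, container jndi-name and the transaction element are assumed from that version's defaults); the max-entries value is a constructed choice.

```xml
<!-- Added example, not the poster's configuration. The "keycloak" cache
     container of Keycloak 2.0.0.CR1 on WildFly 10 (infinispan subsystem 4.0
     assumed). The other caches are shown without their own settings. -->
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
    <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
        <local-cache name="realms"/>
        <local-cache name="users"/>
        <local-cache name="sessions"/>
        <local-cache name="offlineSessions"/>
        <local-cache name="loginFailures"/>
        <local-cache name="work"/>

        <!-- Without eviction (the setting the thread ties to the memory growth
             tracked in KEYCLOAK-3202): nothing bounds the number of entries this
             cache keeps, so it can only grow until the heap is exhausted. -->
        <!--
        <local-cache name="realmVersions">
            <transaction mode="BATCH" locking="PESSIMISTIC"/>
        </local-cache>
        -->

        <!-- With eviction: an LRU policy caps the cache at a fixed entry count,
             so the least recently used versions are dropped instead of retained.
             10000 is a constructed value; size it for your deployment. -->
        <local-cache name="realmVersions">
            <transaction mode="BATCH" locking="PESSIMISTIC"/>
            <eviction strategy="LRU" max-entries="10000"/>
        </local-cache>
    </cache-container>
</subsystem>
```

Stian's alternative, disabling the caches entirely, removes the growth too but at the throughput cost he notes; the eviction element keeps caching while bounding it.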
From srossillo at smartling.com Wed Jun 29 11:57:22 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 29 Jun 2016 11:57:22 -0400
Subject: [keycloak-user] keycloak-nodejs-connect with Express routes
In-Reply-To:
References: <16084981-BA6A-41A9-9D70-73C5B9D1B427@smartling.com>
Message-ID: <9D964D47-EC2D-4A92-9C7E-E2F065AC4EC2@smartling.com>

You're the best. 0.2.1 fixed both issues!

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Jun 29, 2016, at 11:51 AM, Luke Holmquist wrote:
>
> a 0.2.1 version was just released on npm that should fix that infinite redirect issue

From chairfield at gmail.com Wed Jun 29 12:08:08 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Wed, 29 Jun 2016 16:08:08 +0000
Subject: [keycloak-user] Disallow Join via OAuth?
Message-ID:

I don't expect this is possible, but does anyone know whether one can prevent new account creation when Identity Brokering with Facebook and Google while still allowing sign-in?

We are attempting to migrate our legacy IDM solution to Keycloak slowly and wish, for the time being, for all new account creation to still go through the legacy app. We have HAProxy in front of Keycloak. Is there a way to redirect users attempting to join via Facebook or Google to our legacy join page?

From bburke at redhat.com Wed Jun 29 12:33:32 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 29 Jun 2016 12:33:32 -0400
Subject: [keycloak-user] Disallow Join via OAuth?
In-Reply-To:
References:
Message-ID: <48e7e8e7-b9a1-13b5-f0b3-e89375771239@redhat.com>

Our social identity providers require an import of the user right now. You can hook into this flow and interact with the legacy system in the background if you want.

On 6/29/16 12:08 PM, Chris Hairfield wrote:

> I don't expect this is possible, but does anyone know whether one can prevent new account creation when Identity Brokering with Facebook and Google while still allowing sign-in?
>
> We are attempting to migrate our legacy IDM solution to Keycloak slowly and wish, for the time being, for all new account creation to still go through the legacy app. We have HAProxy in front of Keycloak. Is there a way to redirect users attempting to join via Facebook or Google to our legacy join page?

From chairfield at gmail.com Wed Jun 29 12:48:35 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Wed, 29 Jun 2016 16:48:35 +0000
Subject: [keycloak-user] Disallow Join via OAuth?
In-Reply-To: <48e7e8e7-b9a1-13b5-f0b3-e89375771239@redhat.com>
References: <48e7e8e7-b9a1-13b5-f0b3-e89375771239@redhat.com>
Message-ID:

Interesting possibility. Which SPI would we modify to make this change?

On Wed, Jun 29, 2016, 10:34 AM Bill Burke wrote:

> Our social identity providers require an import of the user right now. You can hook into this flow and interact with the legacy system in the background if you want.

From mposolda at redhat.com Wed Jun 29 12:49:21 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 29 Jun 2016 18:49:21 +0200
Subject: [keycloak-user] Karaf Features problem
In-Reply-To: <546128335.2813.1467193433328@office.mailbox.org>
References: <5770F6AA.6020006@redhat.com> <546128335.2813.1467193433328@office.mailbox.org>
Message-ID: <5773FC11.6080506@redhat.com>

On 29/06/16 11:43, us3r at mailbox.org wrote:

> We had the same (or a similar) problem that the versions were 4.0.0 and 4.0.5 and not considered compatible. As a hack you can patch the version in MANIFEST.MF.
>
> The documentation about the OSGi adapter is rather short compared to other integrations. It basically says look in the code. I consider it as undocumented even though there is a section in the ref guide because it tells you nothing.

The more detailed docs were added in latest release. See https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/fuse-adapter.html . But note that even in old release, there is a bigger example with extensive README (it's referenced from the official docs).

> The OSGi adapter would need more love. A major demotivator is that this little plugin has CXF as a dependency (and we don't use CXF in our application) and thus drags in dozens or hundreds of other bundles that we don't really want to care about but need some kind of setup which we couldn't get to work.
I understand that were are here in > RedHat land and CXF is one of their favourites but not mine. > > We gave up on this and use the standalone security proxy. The 4.0.x > version problem and the huge dependencies (CXF) show how fragile this > setup is. Even if you get it to work I'd guarantee that it breaks > quickly when you update some other bundles. Version hell. > You can create JIRA for this issue and then we can possibly improve. On the other hand, we focus mostly on JBoss Fuse rather than standalone Apache Karaf (we just don't have possibility to test all versions as each supported version adds some overhead etc) . And in JBoss Fuse is Apache CXF already included, so it's not so big issue in comparison to standalone karaf. Thanks, Marek > > us3r > >> Ygor Castor hat am 27. Juni 2016 um 13:09 >> geschrieben: >> >> Done! Issue KEYCLOAK-3194. >> >> Em seg, 27 de jun de 2016 ?s 06:49, Marek Posolda >> > escreveu: >> >> Hi, >> >> it looks the fuse/karaf adapter might be broken in latest >> 2.0.0.CR1 release. Could you please create JIRA for it? 
>> >> Thanks, >> Marek >> >> >> On 26/06/16 03:08, Ygor Castor wrote: >>> I'm trying to install the keycloak adapter at Karaf 4.0.5, but >>> i'm running in some problems, this one i'm not being able to solve: >>> >>> karaf at root()> feature:install keycloak-adapter-core >>> Error executing command: Unable to resolve root: missing >>> requirement [root] osgi.identity; >>> osgi.identity=keycloak-adapter-core; type=karaf.feature; >>> version="[2.0.0.CR1,2.0.0.CR1]"; >>> filter:="(&(osgi.identity=keycloak-adapter-core)(type=karaf.feature)(version>=2.0.0.CR1)(version<=2.0.0.CR1))" >>> [caused by: Unable to resolve keycloak-adapter-core/2.0.0.CR1: >>> missing requirement [keycloak-adapter-core/2.0.0.CR1] >>> osgi.identity; osgi.identity=org.keycloak.keycloak-adapter-core; >>> type=osgi.bundle; version="[2.0.0.CR1,2.0.0.CR1]"; >>> resolution:=mandatory [caused by: Unable to resolve >>> org.keycloak.keycloak-adapter-core/2.0.0.CR1: missing >>> requirement [org.keycloak.keycloak-adapter-core/2.0.0.CR1] >>> osgi.wiring.package; >>> filter:="(&(osgi.wiring.package=org.keycloak.authorization.client)(version>=2.0.0.CR1))"]] >>> >>> It seems that the feature can't find the >>> "org.keycloak.authorization" bundle, how can i fix this? >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
From petervn1 at yahoo.com Wed Jun 29 20:29:40 2016
From: petervn1 at yahoo.com (Peter Nalyvayko)
Date: Thu, 30 Jun 2016 00:29:40 +0000 (UTC)
Subject: [keycloak-user] Keycloak and Salesforce IdP identity brokering
References: <206335081.4376505.1467246580929.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <206335081.4376505.1467246580929.JavaMail.yahoo@mail.yahoo.com>

Hello,

I am trying to integrate keycloak and Salesforce using Salesforce as an identity provider. It seems some of the information required to properly set up Salesforce as a SAML IdP is missing in keycloak's SAML identity provider configuration. For example, "Entity Id", according to the Salesforce documentation, is "This value comes from the service provider. Each entity ID in an organization must be unique. If you're accessing multiple apps from your service provider, you only need to define the service provider once, and then use the RelayState parameter to append the URL values to direct the user to the correct app after signing in." (https://help.salesforce.com/HTViewHelpDoc?id=service_provider_define.htm&language=en_US). The SAML identity provider configuration in keycloak does not have a setting to specify "Entity Id". Another missing attribute is "ACS URL" (The ACS, or assertion consumer service, URL comes from the SAML service provider.). Has anyone been able to set up Salesforce as IdP and keycloak as SP using keycloak's SAML identity provider? Is this even possible given that some required parameters are missing?

Thx
Peter
From sthorger at redhat.com Thu Jun 30 00:19:28 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 30 Jun 2016 06:19:28 +0200
Subject: [keycloak-user] Stian: Continuation of Memory Leak Investigation
In-Reply-To:
References:
Message-ID:

I've run with a standard 2.0.0.CR1 server and the only changes are adding "" to the realmVersions cache.

I've now created 10 million users over night and still have a steady throughput of 200 users/sec and memory around 150. What db are you using? I'm just using the default H2 db at the moment.

On 29 June 2016 at 17:51, Chris Hairfield wrote:

> *My replies started bouncing; guess I sent too many pictures ;)*
>
> I'd be perfectly happy with that throughput. What other parameters did you
> run it under?
>
> JAVA_OPTS: "-server -Xms1g -Xmx4g -XX:MetaspaceSize=96M
> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
> -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
> -XX:+UseParallelGC -XX:ParallelGCThreads=4"
>
> Run command: bin/standalone.sh -c standalone.xml
>
> My standalone.xml:
> jndi-name="infinispan/Keycloak">
>
> You can see memory starting to thrash at a higher rate (up to 1.4 GB). I
> only created 22k users in this test.

From sthorger at redhat.com Thu Jun 30 00:31:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 30 Jun 2016 06:31:46 +0200
Subject: [keycloak-user] Stian: Continuation of Memory Leak Investigation
In-Reply-To:
References:
Message-ID:

I'm just adding basic users though.
Are you adding more attributes, credentials and role mappings at the same time? Also, are you running clustered or just standalone?

On 30 June 2016 at 06:19, Stian Thorgersen wrote:

> I've run with a standard 2.0.0.CR1 server and the only changes are adding
> "" to the realmVersions cache.
>
> I've now created 10 million users over night and still have a steady
> throughput of 200 users/sec and memory around 150. What db are you using?
> I'm just using the default H2 db at the moment.
>
> On 29 June 2016 at 17:51, Chris Hairfield wrote:
>
>> *My replies started bouncing; guess I sent too many pictures ;)*
>>
>> I'd be perfectly happy with that throughput. What other parameters did
>> you run it under?
>>
>> JAVA_OPTS: "-server -Xms1g -Xmx4g -XX:MetaspaceSize=96M
>> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
>> -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>> -XX:+UseParallelGC -XX:ParallelGCThreads=4"
>>
>> Run command: bin/standalone.sh -c standalone.xml
>>
>> My standalone.xml:
>> jndi-name="infinispan/Keycloak">
>>
>> You can see memory starting to thrash at a higher rate (up to 1.4 GB). I
>> only created 22k users in this test.

From bruno at abstractj.org Thu Jun 30 00:51:31 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 30 Jun 2016 04:51:31 +0000
Subject: [keycloak-user] Searching on Keycloak mailing list archive
In-Reply-To:
References: <57557345.2060409@redhat.com>
Message-ID:

In the worst case scenario, give http://markmail.org/ or http://www.nabble.com/ a try.
On Wed, Jun 29, 2016 at 3:40 AM Stian Thorgersen wrote:

> Waiting for response on the ticket.. Might be a bit delayed due to
> DevNation/Summit.
>
> On 29 June 2016 at 11:51, Thomas Darimont wrote:
>
>> Hello,
>>
>> any updates here?
>>
>> Keycloak Mailing-list is still not searchable via
>> http://search.jboss.org/
>>
>> Cheers,
>> Thomas
>>
>> 2016-06-07 14:59 GMT+02:00 Stian Thorgersen:
>>
>>> I sent an email to the JBoss.org guys to ask them to add our mailing
>>> lists to search.jboss.org.
>>>
>>> On 7 June 2016 at 14:03, Thomas Darimont wrote:
>>>
>>>> I asked for it here:
>>>> https://developer.jboss.org/wiki/JBossCommunitySearchHelp
>>>>
>>>> Would be really useful to have - I downloaded the news archives locally
>>>> and search through with thunderbird.
>>>>
>>>> 2016-06-06 14:57 GMT+02:00 Rafael T. C. Soares:
>>>>
>>>>> How can I search for something on keycloak mailing lists archive?
>>>>> It appears keycloak lists are not indexed by JBoss Community Search
>>>>> engine [1][2]
>>>>>
>>>>> [1] http://search.jboss.org
>>>>> [2] https://developer.jboss.org/wiki/JBossCommunitySearchFAQ
>>>>>
>>>>> --
>>>>> ___
>>>>> Rafael T. C. Soares | Solution Architect
>>>>> JBoss Enterprise Middleware | Red Hat Brazil
>>>>> Mobile: +55 71 98181-3636
>>>>> Phone: +55 11 3529-6096
From bruno at abstractj.org Thu Jun 30 01:28:08 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 29 Jun 2016 22:28:08 -0700
Subject: [keycloak-user] Hardcoded Role Mapper Problem
In-Reply-To:
References:
Message-ID: <20160630052808.GB29127@abstractj.org>

Hi Jérôme, it is strongly encouraged to upgrade if you can. For example, I tested what you said against 2.0.0.CR1 and it worked here.

On 2016-06-29, Jérôme Blanchard wrote:
> Hi,
>
> I use a Role Mapper on an Identity Provider but it's not working as
> expected:
> - If the account does not exist and Identity Provider Auth is used to
> create a new account, the Role is applied to the newly created keycloak account.
> - But if an account already exists and I use the Identity Provider
> Association, the Role is not applied to the already existing keycloak
> account and the mapper has no effect, leaving the account in an inconsistent
> state for me...
>
> Is it a normal behaviour, is it fixed in latest releases (I use 1.7.0)?
>
> Thanks, Jérôme.

--
abstractj
PGP: 0x84DC9914

From sthorger at redhat.com Thu Jun 30 02:10:37 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 30 Jun 2016 08:10:37 +0200
Subject: [keycloak-user] Searching on Keycloak mailing list archive
In-Reply-To:
References: <57557345.2060409@redhat.com>
Message-ID:

MarkMail seems to limit what lists they index. I've sent an email asking if they can add Keycloak lists.

Nabble is a forum and we don't want to add a forum. The issue is that we'd end up with people asking questions there as well and we can't handle both locations.

On 30 June 2016 at 06:51, Bruno Oliveira wrote:

> In the worst case scenario, give http://markmail.org/ or
> http://www.nabble.com/ a try.
>
> On Wed, Jun 29, 2016 at 3:40 AM Stian Thorgersen wrote:
>
>> Waiting for response on the ticket.. Might be a bit delayed due to
>> DevNation/Summit.
>>
>> On 29 June 2016 at 11:51, Thomas Darimont wrote:
>>
>>> Hello,
>>>
>>> any updates here?
>>>
>>> Keycloak Mailing-list is still not searchable via
>>> http://search.jboss.org/
>>>
>>> Cheers,
>>> Thomas
>>>
>>> 2016-06-07 14:59 GMT+02:00 Stian Thorgersen:
>>>
>>>> I sent an email to the JBoss.org guys to ask them to add our mailing
>>>> lists to search.jboss.org.
>>>>
>>>> On 7 June 2016 at 14:03, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>>>>
>>>>> I asked for it here:
>>>>> https://developer.jboss.org/wiki/JBossCommunitySearchHelp
>>>>>
>>>>> Would be really useful to have - I downloaded the news archives
>>>>> locally and search through with thunderbird.
>>>>>
>>>>> 2016-06-06 14:57 GMT+02:00 Rafael T. C. Soares:
>>>>>
>>>>>> How can I search for something on keycloak mailing lists archive?
>>>>>> It appears keycloak lists are not indexed by JBoss Community Search
>>>>>> engine [1][2]
>>>>>>
>>>>>> [1] http://search.jboss.org
>>>>>> [2] https://developer.jboss.org/wiki/JBossCommunitySearchFAQ
>>>>>>
>>>>>> --
>>>>>> ___
>>>>>> Rafael T. C. Soares | Solution Architect
>>>>>> JBoss Enterprise Middleware | Red Hat Brazil
>>>>>> Mobile: +55 71 98181-3636
>>>>>> Phone: +55 11 3529-6096

From mposolda at redhat.com Thu Jun 30 05:14:15 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 30 Jun 2016 11:14:15 +0200
Subject: [keycloak-user] Keycloak single sign on with Keberos(AD)
In-Reply-To: <0ABE2BE06E188B4FA117BC5D9D11ECCF5051E30E@sq9bmexpr03.MONAD.MONERIS.COM>
References: <0ABE2BE06E188B4FA117BC5D9D11ECCF5051DCDD@sq9bmexpr03.MONAD.MONERIS.COM> <5770F7ED.3070901@redhat.com> <0ABE2BE06E188B4FA117BC5D9D11ECCF5051DFCA@sq9bmexpr03.MONAD.MONERIS.COM> <57720E66.50307@redhat.com> <0ABE2BE06E188B4FA117BC5D9D11ECCF5051E202@sq9bmexpr03.MONAD.MONERIS.COM> <57738034.2090108@redhat.com> <0ABE2BE06E188B4FA117BC5D9D11ECCF5051E30E@sq9bmexpr03.MONAD.MONERIS.COM>
Message-ID: <5774E2E7.3060204@redhat.com>

Adding the list back again for tracking (Ray, please use "Reply all" when replying to the mails).

From my googling, it seems that DefectiveTokenDetected can happen for NTLM requests as well. Btw.
I found some tips on StackOverflow on how to prevent the use of NTLM instead of Kerberos5: http://stackoverflow.com/questions/2973355/defective-token-deteced-error-ntlm-not-kerberos-with-kerberos-spring-securit . Maybe something from those will help:

- Use different machines for client (browser) and keycloak server
- Ensure both machines are in the windows domain
- Use some different encryptions in the kerberos client file (krb5.ini). The post mentions "arcfour-hmac-md5", however the post is 6 years old :) Still it might help to add/remove some encryptions from the krb5.ini file and check if the client machine and IE will use a krb5 ticket instead of NTLM
- Fix DNS records or "SPN records" (I don't have a clue what it is :) So see the post for more details)

Marek

On 29/06/16 16:41, Zhou, Limin (Ray) wrote:
>
> Marek
>
> I sent you two log files yesterday via two emails, I am able to see
> your analysis (such as OID etc.) from the first log, but not the second
> log, in the second log we were getting GSSException instead of the
> handshake message, I am wondering why it is like this, and are they
> the same thing regarding my issues?
>
> Sorry to disturb you again
>
> Raymond
>
> P.S. I have attached the two logs again for you to reference
>
> *From:* Zhou, Limin (Ray)
> *Sent:* Wednesday, June 29, 2016 10:18 AM
> *To:* 'Marek Posolda'
> *Subject:* RE: [keycloak-user] Keycloak single sign on with Keberos(AD)
>
> Marek
>
> Thank you so much for your analysis, I am wondering whether you can
> tell me how you mapped your diagnosis to the server.log line#? I
> think this will help us more when we tune either our browser or
> domain settings, because I cannot see any 401 heading, the first OID, or the
> KRB5 OID in the log file
>
> Really appreciate your help
>
> Raymond
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Wednesday, June 29, 2016 4:01 AM
> *To:* Zhou, Limin (Ray)
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
>
> Hi Raymond,
>
> returning the keycloak-user list back for tracking purposes.
>
> What I can see in the server.log is happening is that:
> - Keycloak asks the browser to send a SPNEGO token (by sending 401 with
>   a "WWW-Authenticate: Negotiate" header). So far everything as expected
> - Browser replies with a SPNEGO token, however it uses NTLM as the
>   preferred choice (First OID is 1.3.6.1.4.1.311.2.2.10) together with
>   the NTLM token. The KRB5 OID (1.2.840.113554.1.2.2) is in the supported
>   mechanisms too.
> - Keycloak replies with a NegTokenTarg token when it's asking for
>   a SPNEGO token backed by KRB5 instead of NTLM (as Keycloak
>   doesn't understand NTLM atm. There is a related discussion on
>   keycloak-user:
>   http://lists.jboss.org/pipermail/keycloak-user/2016-June/006758.html )
> - Browser doesn't respond to the NegTokenTarg with a SPNEGO+KRB5 token anymore
>
> Not sure what your possibilities are TBH. Either somehow set up the browser
> to reply to the second request with NegTokenTarg and send a SPNEGO+KRB5
> token. Or re-configure your Windows domain (or client machines +
> browser) to skip using NTLM. Right now, I don't have any clue how to
> do that TBH.
>
> Marek
>
> On 28/06/16 21:58, Zhou, Limin (Ray) wrote:
>
> Hi Marek
>
> If you haven't looked at my previous server.log, then use this one
> instead, in this log we were getting an exception
>
> *GSSException: Defective token detected (Mechanism level:
> GSSHeader did not find the right tag)*
>
> when we hit the url, maybe this will make things easier
>
> Please let me know if you need anything more
>
> Thanks a lot
>
> Raymond
>
> *From:* Zhou, Limin (Ray)
> *Sent:* Tuesday, June 28, 2016 10:00 AM
> *To:* 'Marek Posolda'
> *Subject:* RE: [keycloak-user] Keycloak single sign on with Keberos(AD)
>
> Hi Marek
>
> I have attached my keycloak server log for you, after adding the
> two properties, we can see an exception show up when I hit
> my url, after the exception, I think the default keycloak login
> page shows up, and the rest of the log was generated by my manual login
>
> Hope this can give us some clue
>
> Thanks a lot
>
> Raymond
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Tuesday, June 28, 2016 1:43 AM
> *To:* Zhou, Limin (Ray)
> *Subject:* Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
>
> Thanks Raymond,
>
> is it possible to also enable the system properties
> -Dsun.security.krb5.debug=true and
> -Dsun.security.spnego.debug=true and see if there are some more
> details in the log? You can add system properties either directly
> to the standalone/configuration/standalone.xml file or by adding them
> to the java opts in bin/standalone.conf
>
> Thanks,
> Marek
>
> On 27/06/16 23:18, Zhou, Limin (Ray) wrote:
>
> Hello Marek
>
> Thanks for answering my post, following is the log piece
> after hitting the first page, hope this helps.
>
> Please let me know if you need anything more
>
> Thank you so much
>
> Raymond
>
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\FIRMS-domain\kcsso.keytab refreshKrb5Config is false principal is HTTP/t430-pbdc41e.monad.moneris.com@MONAD.MONERIS.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) principal is HTTP/t430-pbdc41e.monad.moneris.com@MONAD.MONERIS.COM
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Will use keytab
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Commit Succeeded
> 2016-06-27 17:11:13,453 INFO [stdout] (default task-24)
> 2016-06-27 17:11:13,454 INFO [stdout] (default task-24) [Krb5LoginModule]: Entering logout
> 2016-06-27 17:11:13,454 INFO [stdout] (default task-24) [Krb5LoginModule]: logged out Subject
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Monday, June 27, 2016 5:55 AM
> *To:* Zhou, Limin (Ray); keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
>
> It may help if you enable all the possible debug/trace logging
> and post the log here. This may give more info on what the
> issue is. See the docs on how to enable logging:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/authentication/kerberos.html
>
> Try to send the log from the point once you trigger the
> authentication request (or from the point when you hit your
> app URL)
>
> Thanks,
> Marek
>
> On 24/06/16 20:22, Zhou, Limin (Ray) wrote:
>
> Hello everyone
>
> I am new to Keycloak and new to here
>
> Our web application is running on JBoss EAP 7. We have
> configured a KeyCloak standalone server 1.9.7 running on a
> different port (same server box) to manage the user
> authentication and authorization; behind KeyCloak we have
> configured Kerberos in User Federation to talk to our company
> AD server. We are able to login by using our AD account,
> but not in a single sign on way: each time we hit
> our app URL, the Keycloak login page shows up.
>
> It looks like the TGT or ST handshake was not successful,
> is there any document I can reference to debug the issue?
>
> Any comments or suggestions would be very welcome
>
> thanks in advance
>
> raymond
>
> ------------------------------------------------------------------------
>
> Moneris Solutions Corporation | 3300 Bloor Street West |
> Toronto | Ontario | M8X 2X2 | Canada www.moneris.com
> 1-866-319-7450
> If you wish to unsubscribe from future updates from
> Moneris, please click here.
> Please see the Moneris Privacy Policy here.
>
> This e-mail may be privileged and/or confidential, and the
> sender does not waive any related rights and obligations.
> Any distribution, use or copying of this e-mail or the
> information it contains by other than an intended
> recipient is unauthorized. If you received this e-mail in
> error, please advise me (by return e-mail or otherwise)
> immediately.
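Marek's reading of the exchange above (NTLM OID listed first, KRB5 merely present in the supported mechanisms) and Ray's "GSSHeader did not find the right tag" error can both be checked directly from the base64 value of the browser's `Authorization: Negotiate` header. The following is an added diagnostic written for this thread, not code from Keycloak or Java GSS; it assumes a NegTokenInit laid out as in RFC 4178 and uses constructed sample tokens that carry no real credentials.

```python
import base64

# OIDs from Marek's server.log analysis (lookup table constructed for this example)
SPNEGO_OID = "1.3.6.1.5.5.2"
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "KRB5",
               "1.2.840.48018.1.2.2": "MS-KRB5",   # Microsoft's legacy Kerberos OID
               "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Dotted string for DER OID content octets (first octet packs two arcs)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def spnego_mech_types(negotiate_b64):
    """mechTypes of a NegTokenInit (RFC 4178) in the client's preference order.

    A bare NTLM message ("NTLMSSP\\0...") has no GSS-API [APPLICATION 0] header,
    which is what makes Java GSS report "GSSHeader did not find the right tag".
    """
    token = base64.b64decode(negotiate_b64)
    if token.startswith(b"NTLMSSP\x00"):
        return ["raw NTLMSSP"]
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken (tag 0x%02x)" % tag)
    tag, oid, pos = _read_tlv(body, 0)           # thisMech must be SPNEGO
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is not SPNEGO")
    tag, neg, _ = _read_tlv(body, pos)           # [0] negTokenInit (0xA1 = negTokenResp)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    _, init_seq, _ = _read_tlv(neg, 0)           # NegTokenInit ::= SEQUENCE { ... }
    tag, mech_types, _ = _read_tlv(init_seq, 0)  # [0] mechTypes is the first element
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, oid_list, _ = _read_tlv(mech_types, 0)    # SEQUENCE OF MechType
    oids, pos = [], 0
    while pos < len(oid_list):
        _, oid, pos = _read_tlv(oid_list, pos)
        oids.append(_decode_oid(oid))
    return oids


def diagnose(negotiate_b64):
    """One-line verdict: what the browser put first and whether Kerberos was offered."""
    mechs = spnego_mech_types(negotiate_b64)
    if mechs == ["raw NTLMSSP"]:
        return "raw NTLMSSP message, no SPNEGO wrapper: Kerberos not attempted"
    names = [KNOWN_MECHS.get(o, o) for o in mechs]
    kerberos = any(o in KERBEROS_OIDS for o in mechs)
    return "preferred=%s offered=%s kerberos_offered=%s" % (names[0], ",".join(names), kerberos)


# Minimal DER encoder, used only to construct the sample tokens below.
def _tlv(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    ln = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # earlier 7-bit groups carry the continuation bit
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_neg_token_init(mech_oids, mech_token=b"\x00"):
    """Base64 NegTokenInit offering mech_oids in that order (constructed sample)."""
    mech_list = _tlv(0xA0, _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    init = _tlv(0x30, mech_list + _tlv(0xA2, _tlv(0x04, mech_token)))
    return base64.b64encode(_tlv(0x60, _encode_oid(SPNEGO_OID) + _tlv(0xA0, init))).decode()


# The shape Marek read from the log: NTLM first, Kerberos merely listed.
SAMPLE_NTLM_FIRST = build_neg_token_init(
    ["1.3.6.1.4.1.311.2.2.10", "1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2"])
# What a correctly configured domain-joined client sends: Kerberos first.
SAMPLE_KRB5_FIRST = build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])
# A bare NTLM type-1 message with no GSS header at all (constructed).
SAMPLE_RAW_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Running `diagnose()` over the header values captured from a failing client shows whether the fix belongs on the client side (mechanism order or a missing Kerberos ticket) before any krb5.ini or SPN change is attempted.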
From sthorger at redhat.com Thu Jun 30 05:36:43 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 30 Jun 2016 11:36:43 +0200
Subject: [keycloak-user] Keycloak 2.0.0.Final released
Message-ID:

Keycloak 2.0.0.Final has just been released. This release only contains some minor fixes since 2.0.0.CR1. For the full list of resolved issues check out JIRA and to download the release go to the Keycloak homepage. Before you upgrade refer to the migration guide.

From watson409 at gmail.com Thu Jun 30 10:41:08 2016
From: watson409 at gmail.com (Brian Watson)
Date: Thu, 30 Jun 2016 10:41:08 -0400
Subject: [keycloak-user] Obtaining full profile from "userinfo" endpoint
Message-ID:

Hi all,

Keycloak version: 1.9.8

Here is my use case: I want to keep the access token JWS as lean as possible, only containing user roles and a few custom claims I have added. I want no PII in the access token. However, I would like my internal services to obtain the full user profile (name, email, etc...) from the OIDC "/userinfo" endpoint. Unfortunately, I can only seem to obtain the "sub" claim and the few custom claims that already exist in the access token. I don't see any support for adding scope values to the request.

Is there any way to accomplish what I would like, or any other ways of obtaining this info that I may be missing?

Thanks in advance
From bruno at abstractj.org Thu Jun 30 13:54:10 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 30 Jun 2016 17:54:10 +0000
Subject: [keycloak-user] Searching on Keycloak mailing list archive
In-Reply-To:
References: <57557345.2060409@redhat.com>
Message-ID:

Not only for forums, aerogear is indexed with Nabble[1]. That's just an alternative.

[1] - http://aerogear-dev.1069024.n5.nabble.com

On Wed, Jun 29, 2016, 11:10 PM Stian Thorgersen wrote:

> MarkMail seems to limit what lists they index. I've sent an email asking
> if they can add Keycloak lists.
>
> Nabble is a forum and we don't want to add a forum. The issue is that we'd
> end up with people asking questions there as well and we can't handle both
> locations.
>
> On 30 June 2016 at 06:51, Bruno Oliveira wrote:
>
>> In the worst case scenario, give http://markmail.org/ or
>> http://www.nabble.com/ a try.
>>
>> On Wed, Jun 29, 2016 at 3:40 AM Stian Thorgersen wrote:
>>
>>> Waiting for response on the ticket.. Might be a bit delayed due to
>>> DevNation/Summit.
>>>
>>> On 29 June 2016 at 11:51, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> any updates here?
>>>>
>>>> Keycloak Mailing-list is still not searchable via
>>>> http://search.jboss.org/
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> 2016-06-07 14:59 GMT+02:00 Stian Thorgersen:
>>>>
>>>>> I sent an email to the JBoss.org guys to ask them to add our mailing
>>>>> lists to search.jboss.org.
>>>>>
>>>>> On 7 June 2016 at 14:03, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>>>>>
>>>>>> I asked for it here:
>>>>>> https://developer.jboss.org/wiki/JBossCommunitySearchHelp
>>>>>>
>>>>>> Would be really useful to have - I downloaded the news archives
>>>>>> locally and search through with thunderbird.
>>>>>>
>>>>>> 2016-06-06 14:57 GMT+02:00 Rafael T. C. Soares:
>>>>>>
>>>>>>> How can I search for something on keycloak mailing lists archive?
>>>>>>> It appears keycloak lists are not indexed by JBoss Community Search
>>>>>>> engine [1][2]
>>>>>>>
>>>>>>> [1] http://search.jboss.org
>>>>>>> [2] https://developer.jboss.org/wiki/JBossCommunitySearchFAQ
>>>>>>>
>>>>>>> --
>>>>>>> ___
>>>>>>> Rafael T. C. Soares | Solution Architect
>>>>>>> JBoss Enterprise Middleware | Red Hat Brazil
>>>>>>> Mobile: +55 71 98181-3636
>>>>>>> Phone: +55 11 3529-6096

From jayblanc at gmail.com Thu Jun 30 16:07:15 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Thu, 30 Jun 2016 20:07:15 +0000
Subject: [keycloak-user] Hardcoded Role Mapper Problem
In-Reply-To: <20160630052808.GB29127@abstractj.org>
References: <20160630052808.GB29127@abstractj.org>
Message-ID:

Hi Bruno,

I have a patched version of keycloak 1.7.0 and I don't know if the patch is portable to 2.0.0... By the way, thanks a lot for this answer, I will test 2.0.0 ASAP to see if it solves it.

Best regards, Jérôme.

On Thu, 30 Jun 2016 at 07:28, Bruno Oliveira wrote:

> Hi Jérôme, it is strongly encouraged to upgrade if you can. For example, I
> tested what you said against 2.0.0.CR1 and it worked here.
>
> On 2016-06-29, Jérôme Blanchard wrote:
> > Hi,
> >
> > I use a Role Mapper on an Identity Provider but it's not working as
> > expected:
> > - If the account does not exist and Identity Provider Auth is used to
> > create a new account, the Role is applied to the newly created keycloak
> > account.
> > - But if an account already exists and I use the Identity Provider
> > Association, the Role is not applied to the already existing keycloak
> > account and the mapper has no effect, leaving the account in an
> > inconsistent state for me...
> >
> > Is it a normal behaviour, is it fixed in latest releases (I use 1.7.0)?
> >
> > Thanks, Jérôme.
>
> --
> abstractj
> PGP: 0x84DC9914

From john.bartko at drillinginfo.com Thu Jun 30 18:16:35 2016
From: john.bartko at drillinginfo.com (John Bartko)
Date: Thu, 30 Jun 2016 17:16:35 -0500
Subject: [keycloak-user] Mongo and 2.0.0.Final
Message-ID:

Hello all,

I get the following stack trace attempting to use 2.0.0.Final against a MongoDB backend. Following the keycloak-mongo readme should reproduce the behavior.
21:58:31,802 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 47) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.RuntimeException: Property 'databaseSchema' needs to be specified in the configuration
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:131)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:60)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:48)
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
    at org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.getEntityManager(JPAAuthorizationStoreFactory.java:54)
    at org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.create(JPAAuthorizationStoreFactory.java:35)
    at org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.create(JPAAuthorizationStoreFactory.java:32)
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
    at org.keycloak.models.authorization.infinispan.CachedPolicyStore.getStoreFactory(CachedPolicyStore.java:193)
    at org.keycloak.models.authorization.infinispan.CachedPolicyStore.getDelegate(CachedPolicyStore.java:201)
    at org.keycloak.models.authorization.infinispan.CachedPolicyStore.findByType(CachedPolicyStore.java:179)
    at org.keycloak.authorization.policy.provider.drools.DroolsPolicyProviderFactory$1.onEvent(DroolsPolicyProviderFactory.java:75)
    at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:64)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:130)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 19 more

21:58:31,809 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: Property 'databaseSchema' needs to be specified in the configuration"}}

Any thoughts?

Thanks,
-John Bartko
From psilva at redhat.com Thu Jun 30 19:19:48 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 30 Jun 2016 19:19:48 -0400 (EDT)
Subject: [keycloak-user] Mongo and 2.0.0.Final
In-Reply-To:
References:
Message-ID: <25333792.5332896.1467328788071.JavaMail.zimbra@redhat.com>

There is an issue with keycloak-mongo image. It is missing the configuration for 'authorizationPersister.provider' [2].

[2] https://issues.jboss.org/browse/KEYCLOAK-3230

----- Original Message -----
From: "John Bartko"
To: keycloak-user at lists.jboss.org
Sent: Thursday, June 30, 2016 7:16:35 PM
Subject: [keycloak-user] Mongo and 2.0.0.Final

Hello all,

I get the following stack trace attempting to use 2.0.0.Final against a MongoDB backend. Following the keycloak-mongo readme should reproduce the behavior.

[...]

Any thoughts?

Thanks,
-John Bartko

From bruno at abstractj.org Thu Jun 30 20:20:12 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 30 Jun 2016 17:20:12 -0700
Subject: [keycloak-user] how get info from adapterConfig
In-Reply-To:
References: <5E0EBD68B410924EADA89C5CBD233CD064720790@XMB-DCFR-35.europe.corp.altran.com>
Message-ID: <20160701002012.GB3081@abstractj.org>

Do you mean something like this: https://github.com/aerogear/aerogear-unifiedpush-server/blob/462c722b3dba72e5becfe3bf93f8623fa27a38f5/jaxrs/src/main/java/org/jboss/aerogear/unifiedpush/rest/config/KeycloakConfigurationEndpoint.java#L33-L40 ? Not sure what your use case is.

On 2016-06-28, Stian Thorgersen wrote:
> By adapterConfig I assume you mean the information from keycloak.json.
> As that contains the credentials for the service you should not expose this
> publicly.
>
> What is the use-case? I would rather suggest you load keycloak.json
> yourself and carefully expose selected details from it.
>
> On 15 June 2016 at 16:03, LIEVRE Olivier wrote:
>
> > Hello,
> >
> > I've secured a REST server with keycloak 1.9.7, and I would like to
> > implement a public REST GET method for a non-authenticated user to get the
> > adapterConfig info linked to my war.
> >
> > My war adapter is configured in my standalone.xml.
> >
> > Is there an easy way to read the adapterConfig info from standalone in
> > that case?
> >
> > When a user makes an authenticated request, I can get that info with
> > getting RefreshableKeycloakSecurityContext from httprequest.
> >
> > KR,
> >
> > Olivier

--
abstractj
PGP: 0x84DC9914

From john.bartko at drillinginfo.com Thu Jun 30 20:24:38 2016
From: john.bartko at drillinginfo.com (John Bartko)
Date: Thu, 30 Jun 2016 19:24:38 -0500
Subject: [keycloak-user] Mongo and 2.0.0.Final
In-Reply-To: <25333792.5332896.1467328788071.JavaMail.zimbra@redhat.com>
References: <25333792.5332896.1467328788071.JavaMail.zimbra@redhat.com>
Message-ID:

Thanks! Here's an example workaround for running Keycloak 2.0.0.Final+MongoDB in the meantime:
https://github.com/jbartko/keycloak/blob/feature/mongo-authpersister/server-mongo/changeDatabase.jq#L2

On Thu, Jun 30, 2016 at 6:19 PM, Pedro Igor Silva wrote:

> There is an issue with keycloak-mongo image. It is missing the
> configuration for 'authorizationPersister.provider' [2].
>
> [2] https://issues.jboss.org/browse/KEYCLOAK-3230
>
> ----- Original Message -----
> From: "John Bartko"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, June 30, 2016 7:16:35 PM
> Subject: [keycloak-user] Mongo and 2.0.0.Final
>
> Hello all,
>
> I get the following stack trace attempting to use 2.0.0.Final against a
> MongoDB backend. Following the keycloak-mongo readme should reproduce the
> behavior.
>
> [...]
>
> Any thoughts?
>
> Thanks,
> -John Bartko
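An added example for the "how get info from adapterConfig" thread above, following Stian's suggestion to load keycloak.json yourself and expose only selected details; this is not code from the thread, from Keycloak, or from the aerogear endpoint Bruno links. It assumes Jackson and JAX-RS on the classpath; the class name, the /config path and the allow-listed field names are hypothetical.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.List;

/**
 * Public, unauthenticated endpoint that returns the non-secret part of the
 * adapter configuration. Hypothetical class written for this example.
 */
@Path("/config")
public class PublicAdapterConfigResource {

    // Allow-list: what a browser client needs to bootstrap the adapter.
    // Anything not listed here (notably "credentials") never leaves the server.
    private static final List<String> PUBLIC_FIELDS = Arrays.asList(
            "realm", "auth-server-url", "resource", "ssl-required", "public-client");

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Builds a new JSON object holding only the allow-listed keys of keycloak.json. */
    static ObjectNode publicView(JsonNode fullConfig) {
        ObjectNode view = MAPPER.createObjectNode();
        for (String key : PUBLIC_FIELDS) {
            // Defence in depth: even a misedited allow-list must not ship the secret.
            if ("credentials".equals(key)) {
                continue;
            }
            JsonNode value = fullConfig.get(key);
            if (value != null && !value.isNull()) {
                view.set(key, value);
            }
        }
        return view;
    }

    /** Reads keycloak.json from the war's classpath (assumed location). */
    static JsonNode loadAdapterConfig() throws IOException {
        try (InputStream in = PublicAdapterConfigResource.class
                .getResourceAsStream("/keycloak.json")) {
            if (in == null) {
                throw new IOException("keycloak.json not found on classpath");
            }
            return MAPPER.readTree(in);
        }
    }

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response get() {
        try {
            // A JSON provider (e.g. resteasy-jackson2-provider) serialises the ObjectNode.
            return Response.ok(publicView(loadAdapterConfig())).build();
        } catch (IOException e) {
            // Keep the exception text server-side; it may reveal file system paths.
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        }
    }

    // Stand-alone check against a constructed keycloak.json (sample values only).
    public static void main(String[] args) throws IOException {
        String sample = "{\"realm\":\"demo\",\"auth-server-url\":\"http://localhost:8080/auth\","
                + "\"resource\":\"my-war\",\"ssl-required\":\"external\","
                + "\"credentials\":{\"secret\":\"PLACEHOLDER-NOT-A-REAL-SECRET\"}}";
        ObjectNode view = publicView(MAPPER.readTree(sample));
        if (view.has("credentials")) {
            throw new IllegalStateException("client secret leaked into public view");
        }
        System.out.println(view);
    }
}
```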