From bruno at abstractj.org Tue Mar 1 00:28:52 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 01 Mar 2016 05:28:52 +0000
Subject: [keycloak-user] Multiple security Q&As for a user
In-Reply-To: <3B545404-0DBB-4495-8F36-F434FA4A4513@carboniteinc.com>
References: <3B545404-0DBB-4495-8F36-F434FA4A4513@carboniteinc.com>
Message-ID: 

Hi, I think Marko answered it last month http://lists.jboss.org/pipermail/keycloak-user/2016-February/004801.html. Not sure if it helps to your case.

On Tue, Mar 1, 2016 at 1:14 AM Riddhi Rathod wrote:
> Hi all,
>
> If security question option is enabled in the login flow, then the user has to save answer to it (Default question: "What is your mother's name?"). This question is asked to user in the event of "forget password" for additional level of security. However, in the current system, there is provision of storing only one security Q&A. I am looking to modify this to include the following:
>
> Could this functionality be extended to include 3 security Q&As which is popular practice. I modified the keycloak secret-question.ftl to include 2 more questions. But there is no way to store the additional questions and answers extracted from the ui form in the UserCredentialValueModel (SecretQuestionRequiredAction.java).
> The security questions are not fixed i.e. a dropdown menu of questions will be displayed to users and they will be able to select whichever questions they want to.
>
> Does keycloak support storing of multiple security Q&As for a user? Has anyone tried this before?
>
>
> Thank you,
> Riddhi Rathod
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From sthorger at redhat.com Tue Mar 1 02:44:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Mar 2016 08:44:34 +0100
Subject: [keycloak-user] Keycloak on Openshift with custom domain and SSL certificate
In-Reply-To: <56D4403D.2000002@first8.nl>
References: <56D4403D.2000002@first8.nl>
Message-ID: 

You need to configure a truststore for the adapter. See http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config .

On 29 February 2016 at 13:57, Mark Hayen wrote:
> Hi,
>
> We're running our application on Openshift Online.
> Of course it is secured by keycloak running in the same gear.
>
> The openshift webconsole offers the possibility to import the certificate etc.
> but when trying to access the application it throws the following error.
>
> ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-48) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> What do I have to do to enable keycloak to find the stuff it needs?
>
> Thank you
> Mark Hayen
> first8.nl
>
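The truststore setup Stian refers to, written out as an added example that is not part of this thread and not code from the Keycloak project: it imports the CA certificate behind the Keycloak server's HTTPS certificate into a JKS truststore with the JDK's keytool, and prints the keycloak.json fragment that makes the adapter trust that store instead of the JVM's default cacerts. The file paths, the alias `keycloak-server-ca` and the password are placeholders; `truststore`, `truststore-password` and `disable-trust-manager` are the adapter's documented keys.

```shell
# Added example, not from the thread: give the Keycloak Java adapter a
# truststore that contains the CA behind the server's HTTPS certificate,
# which is what "PKIX path building failed ... unable to find valid
# certification path" is complaining about.
# Every path, the alias and the password below are placeholders.

# Import a PEM-encoded CA certificate into a JKS truststore (created if absent).
# keytool ships with the JDK the adapter already runs on.
import_ca() {
  ca_pem="$1"; store="$2"; storepass="$3"
  keytool -importcert -noprompt -trustcacerts \
    -alias keycloak-server-ca -file "$ca_pem" \
    -keystore "$store" -storepass "$storepass"
}

# Print the keycloak.json fragment that points the adapter at that truststore.
# Without these keys the adapter validates the server certificate against the
# JVM's default cacerts, which does not contain a private or hosting-provider CA.
adapter_truststore_json() {
  store="$1"; storepass="$2"
  printf '{\n  "truststore": "%s",\n  "truststore-password": "%s"\n}\n' \
    "$store" "$storepass"
}

# The tempting workaround, shown only so it can be rejected below: it switches
# server certificate validation off in the adapter entirely.
weak_workaround_json() {
  printf '{\n  "disable-trust-manager": true\n}\n'
}

# Return 0 only for the hardened form: a truststore is named and validation
# has not been disabled.
fragment_is_hardened() {
  fragment="$1"
  printf '%s' "$fragment" | grep -q '"truststore"' || return 1
  printf '%s' "$fragment" | grep -q '"disable-trust-manager": *true' && return 1
  return 0
}

# Usage with placeholder paths: build the store, then merge the printed keys
# into WEB-INF/keycloak.json next to "realm", "resource" and "auth-server-url".
#   import_ca /path/to/ca.pem /opt/app/keycloak-truststore.jks changeit
#   adapter_truststore_json /opt/app/keycloak-truststore.jks changeit
```

The same two settings exist as `<truststore>` and `<truststore-password>` elements of the Keycloak subsystem when the adapter is configured in standalone.xml instead of keycloak.json; in either place, `disable-trust-manager` removes the check that produced the error rather than satisfying it.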
From adrianmatei at gmail.com Tue Mar 1 02:48:44 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Tue, 1 Mar 2016 08:48:44 +0100
Subject: [keycloak-user] LDAP Query Failed - AD connection reset
In-Reply-To: 
References: 
Message-ID: 

Thanks Edgar, I had also found that resource (atlassian) - I am glad it is working by you... I will try the same and see what happens....

Best regards
Adrian

On Mon, Feb 29, 2016 at 3:17 PM, Edgar Vonk - Info.nl wrote:
> Yes, we had the same issue. For us the solution was:
> http://lists.jboss.org/pipermail/keycloak-user/2016-February/004961.html
>
> cheers
>
> Edgar
>
> > On 29 Feb 2016, at 10:58, Adrian Matei wrote:
> >
> > Hi everyone,
> >
> > From time to time we are experiencing the following error :
> > "LDAP Query Failed" (connection resets) for example by user registration, but by the second try it usually works....
> >
> > Connection to AD takes place via ldaps and keycloak (1.7.0.Final) running on a JBoss EAP 6.4 with Java 8 installed.
> > > > The complete stacktrace from server.log: > > 08:47:05,029 ERROR > [org.keycloak.services.resources.ModelExceptionMapper] > (http-/159.232.186.74:8443-7) LDAP Query failed: > org.keycloak.models.ModelException: LDAP Query failed > > at > org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:153) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:160) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:440) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:230) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:89) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:130) > [keycloak-model-api-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:163) > [keycloak-model-api-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.models.sessions.infinispan.compat.UserSessionAdapter.getUser(UserSessionAdapter.java:62) > [keycloak-model-sessions-infinispan-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.services.resources.LoginActionsService.initEvent(LoginActionsService.java:732) > [keycloak-services-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:798) > [keycloak-services-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.services.resources.LoginActionsService.requiredActionPOST(LoginActionsService.java:750) > 
[keycloak-services-1.7.0.Final.jar:1.7.0.Final] > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > [rt.jar:1.8.0_66] > > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > [rt.jar:1.8.0_66] > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > [rt.jar:1.8.0_66] > > at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_66] > > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168) > [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at > org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) > [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at > org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) > [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158) > [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) > [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at > org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:561) > [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:543) > [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:128) > [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) > [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) > [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) > 
[resteasy-jaxrs-2.3.12.Final-redhat-1.jar:] > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2] > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > [keycloak-services-1.7.0.Final.jar:1.7.0.Final] > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) > [jboss-as-web-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3] > > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) > [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1] > > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_66] > > Caused by: org.keycloak.models.ModelException: Querying of LDAP failed > org.keycloak.federation.ldap.idm.query.internal.LDAPQuery at 7434dc3b > > at > org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:158) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:149) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > ... 
42 more > > Caused by: javax.naming.CommunicationException: simple bind failed: > ldaps.AD_hostname:636 [Root exception is java.net.SocketException: > Connection reset] > > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) > [rt.jar:1.8.0_66] > > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) > [rt.jar:1.8.0_66] > > at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319) [rt.jar:1.8.0_66] > > at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) > [rt.jar:1.8.0_66] > > at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) > [rt.jar:1.8.0_66] > > at > com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) > [rt.jar:1.8.0_66] > > at > com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) > [rt.jar:1.8.0_66] > > at > org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:122) > > at org.jboss.as.naming.InitialContext.init(InitialContext.java:107) > > at > javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:154) > [rt.jar:1.8.0_66] > > at org.jboss.as.naming.InitialContext.(InitialContext.java:98) > > at > org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:44) > > at > javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) > [rt.jar:1.8.0_66] > > at > javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) > [rt.jar:1.8.0_66] > > at javax.naming.InitialContext.init(InitialContext.java:244) > [rt.jar:1.8.0_66] > > at > javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:154) > [rt.jar:1.8.0_66] > > at > org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:453) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:518) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > at > 
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:148) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > at > org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:149) > [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final] > > ... 43 more > > Caused by: java.net.SocketException: Connection reset > > at java.net.SocketInputStream.read(SocketInputStream.java:209) > [rt.jar:1.8.0_66] > > at java.net.SocketInputStream.read(SocketInputStream.java:141) > [rt.jar:1.8.0_66] > > at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) > [jsse.jar:1.8.0_66] > > at sun.security.ssl.InputRecord.read(InputRecord.java:503) > [jsse.jar:1.8.0_66] > > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) > [jsse.jar:1.8.0_66] > > at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > [jsse.jar:1.8.0_66] > > at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) > [jsse.jar:1.8.0_66] > > at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) > [jsse.jar:1.8.0_66] > > at > java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) > [rt.jar:1.8.0_66] > > at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) > [rt.jar:1.8.0_66] > > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) > [rt.jar:1.8.0_66] > > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) > [rt.jar:1.8.0_66] > > at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) > [rt.jar:1.8.0_66] > > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) > [rt.jar:1.8.0_66] > > ... 62 more > > > > Anybody else experienced and fixed this? 
> >
> > Thanks,
> > Adrian
>

From Edgar at info.nl Tue Mar 1 03:39:47 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Tue, 1 Mar 2016 08:39:47 +0000
Subject: [keycloak-user] Typical memory usage Keycloak in production?
Message-ID: <5AFDE9A3-563F-4266-8AEA-30F7AD6EEEB1@info.nl>

Hi,

I was wondering what would be typical (max) memory usage for a Keycloak instance running in production for a customer portal with average (whatever that means..) usage and thousands of users in Keycloak (with maybe a few dozen active at any one time)? We are running Keycloak in a Docker container on Mesos/Marathon with Oracle as database and Active Directory as user store.

We are wondering whether to configure this Docker container to have say 512MB of memory or maybe even 1024MB. Any advice?

cheers

From Edgar at info.nl Tue Mar 1 04:14:52 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Tue, 1 Mar 2016 09:14:52 +0000
Subject: [keycloak-user] Database errors since Keycloak 1.9.0.Final (?)
Message-ID: 

Hi,

Since upgrading to Keycloak 1.9.0 Final (I think) we get a lot of database related errors.
E.g.:

09:03:25,648 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) SQL Error: 942, SQLState: 42000
09:03:25,649 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) ORA-00942: table or view does not exist

09:03:25,656 INFO  [org.hibernate.event.internal.DefaultLoadEventListener] (Timer-2) HHH000327: Error performing load command : org.hibernate.exception.SQLGrammarException: could not extract ResultSet
09:03:25,666 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0062: Error occurred during sync of changed users: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.SQLGrammarException: could not extract ResultSet
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
    at com.sun.proxy.$Proxy64.find(Unknown Source)
    at org.keycloak.models.jpa.JpaRealmProvider.getRealm(JpaRealmProvider.java:86)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getDelegateForUpdate(RealmAdapter.java:56)
    at org.keycloak.models.cache.infinispan.RealmAdapter.updateUserFederationProvider(RealmAdapter.java:734)
    at org.keycloak.services.managers.UsersSyncManager$6.run(UsersSyncManager.java:248)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280)
    at org.keycloak.services.managers.UsersSyncManager.updateLastSyncInterval(UsersSyncManager.java:237)
    at org.keycloak.services.managers.UsersSyncManager.access$100(UsersSyncManager.java:44)
    at org.keycloak.services.managers.UsersSyncManager$3$1.call(UsersSyncManager.java:138)
    at org.keycloak.services.managers.UsersSyncManager$3$1.call(UsersSyncManager.java:130)
    at org.keycloak.cluster.infinispan.InfinispanClusterProvider.executeIfNotExecuted(InfinispanClusterProvider.java:90)
    at org.keycloak.services.managers.UsersSyncManager$3.run(UsersSyncManager.java:130)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280)
    at org.keycloak.services.managers.UsersSyncManager.syncChangedUsers(UsersSyncManager.java:120)
    at org.keycloak.services.managers.UsersSyncManager$5.run(UsersSyncManager.java:200)
    at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:46)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)

Any ideas on what could cause this?

cheers

From Edgar at info.nl Tue Mar 1 07:26:24 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Tue, 1 Mar 2016 12:26:24 +0000
Subject: [keycloak-user] Database errors since Keycloak 1.9.0.Final (?)
In-Reply-To: 
References: 
Message-ID: <11EAB81C-C4BF-4135-B0CB-68AFCB6CABFE@info.nl>

Hi,

Never mind about this. It was our fault. Nothing to do with Keycloak. :-)

> On 01 Mar 2016, at 10:14, Edgar Vonk - Info.nl wrote:
>
> Hi,
>
> Since upgrading to Keycloak 1.9.0 Final (I think) we get a lot of database related errors.
E.g.: > > [0m09:03:25,648 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) SQL Error: 942, SQLState: 42000 > 09:03:25,649 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) ORA-00942: table or view does not exist > > 09:03:25,656 INFO [org.hibernate.event.internal.DefaultLoadEventListener] (Timer-2) HHH000327: Error performing load command : org.hibernate.exception.SQLGrammarException: could not extract ResultSet > 09:03:25,666 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0062: Error occurred during sync of changed users: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.SQLGrammarException: could not extract ResultSet > at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) > at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51) > at com.sun.proxy.$Proxy64.find(Unknown Source) > at org.keycloak.models.jpa.JpaRealmProvider.getRealm(JpaRealmProvider.java:86) > at org.keycloak.models.cache.infinispan.RealmAdapter.getDelegateForUpdate(RealmAdapter.java:56) > at org.keycloak.models.cache.infinispan.RealmAdapter.updateUserFederationProvider(RealmAdapter.java:734) > at org.keycloak.services.managers.UsersSyncManager$6.run(UsersSyncManager.java:248) > at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280) > at org.keycloak.services.managers.UsersSyncManager.updateLastSyncInterval(UsersSyncManager.java:237) > at org.keycloak.services.managers.UsersSyncManager.access$100(UsersSyncManager.java:44) > at org.keycloak.services.managers.UsersSyncManager$3$1.call(UsersSyncManager.java:138) > at org.keycloak.services.managers.UsersSyncManager$3$1.call(UsersSyncManager.java:130) > at org.keycloak.cluster.infinispan.InfinispanClusterProvider.executeIfNotExecuted(InfinispanClusterProvider.java:90) > at 
org.keycloak.services.managers.UsersSyncManager$3.run(UsersSyncManager.java:130)
> at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280)
> at org.keycloak.services.managers.UsersSyncManager.syncChangedUsers(UsersSyncManager.java:120)
> at org.keycloak.services.managers.UsersSyncManager$5.run(UsersSyncManager.java:200)
> at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:46)
> at java.util.TimerThread.mainLoop(Timer.java:555)
> at java.util.TimerThread.run(Timer.java:505)
>
> Any ideas on what could cause this?
>
> cheers

From bburke at redhat.com Tue Mar 1 08:27:30 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 1 Mar 2016 08:27:30 -0500
Subject: [keycloak-user] Typical memory usage Keycloak in production?
In-Reply-To: <5AFDE9A3-563F-4266-8AEA-30F7AD6EEEB1@info.nl>
References: <5AFDE9A3-563F-4266-8AEA-30F7AD6EEEB1@info.nl>
Message-ID: <56D598C2.6030404@redhat.com>

Depends how much you want to cache. Given how cheap memory is nowadays, I'd shoot for having enough memory that can cache the entire DB. Minimally enough memory to house all the realm metadata (realm attribute, clients, roles, groups, etc...) I actually have no idea how much memory a single user would grab. 10k? 10K * 10K is 100 Meg?

On 3/1/2016 3:39 AM, Edgar Vonk - Info.nl wrote:
> Hi,
>
> I was wondering what would be typical (max) memory usage for a Keycloak instance running in production for a customer portal with average (whatever that means..) usage and thousands of users in Keycloak (with maybe a few dozen active at any one time)? We are running Keycloak in a Docker container on Mesos/Marathon with Oracle as database and Active Directory as user store.
> We are wondering whether to configure this Docker container to have say 512MB of memory or maybe even 1024MB. Any advice?
>
> cheers

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Tue Mar 1 09:17:38 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 1 Mar 2016 15:17:38 +0100
Subject: [keycloak-user] Upgrade error - 1.8.0 to 1.8.1
In-Reply-To: 
References: <56D3FE76.40809@redhat.com>
Message-ID: <56D5A482.9040000@redhat.com>

Thanks. Strange as I couldn't see it.

Few questions:
- Do you see it during startup of 1.9.0 against clean DB too? Or just during migration from 1.8.0 ?
- Could you try with datasource settings like this? [1]
- Could you try with JDBC driver 5.1.29 ?

[1]
jdbc:mysql://localhost/keycloak
mysql
keycloak
keycloak
org.h2.jdbcx.JdbcDataSource
com.mysql.jdbc.jdbc2.optional.MysqlXADataSource

Marek

On 29/02/16 14:57, Darcy Welsh wrote:
> Hey Marek,
>
> I am using MySQL 5.6.23 with JDBC driver version 5.1.33.
>
> Darcy
>
>
>> On Feb 29, 2016, at 2:16 AM, Marek Posolda wrote:
>>
>> Which JDBC driver and DB version are you using? Just found this thread during googling: http://liquibase-user.narkive.com/njIDqyEC/incorrect-database-name-on-generatechangelog . Wonder if it can be related to your issue...
>>
>> I am testing MySQL with JDBC driver version 5.1.29 and never saw the issue like this.
>> >> Marek >> >> On 28/02/16 06:00, Darcy Welsh wrote: >>> Hi, >>> >>> I successfully upgraded from 1.7.0 to 1.8.0, however, seeing the >>> following error when attempting to upgrade from 1.8.0 to either >>> 1.8.1 or 1.9.0: >>> >>> 22:45:48,803 ERROR >>> [org.keycloak.services.resources.KeycloakApplication] (ServerService >>> Thread Pool -- 51) Failed to migrate datamodel: >>> java.lang.RuntimeException: Failed to update database >>> at >>> org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:87) >>> at >>> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:153) >>> at >>> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:42) >>> at >>> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30) >>> at >>> org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) >>> at >>> org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:34) >>> at >>> org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:16) >>> at >>> org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) >>> at >>> org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getDelegate(DefaultCacheRealmProvider.java:61) >>> at >>> org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getMigrationModel(DefaultCacheRealmProvider.java:43) >>> at >>> org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:21) >>> at >>> org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:139) >>> at >>> org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:82) >>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >>> at >>> 
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>> at >>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>> at java.lang.reflect.Constructor.newInstance(Constructor.java:408) >>> at >>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >>> at >>> org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) >>> at >>> org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) >>> at >>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) >>> at >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >>> at >>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >>> at >>> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) >>> at >>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >>> at >>> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) >>> at >>> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) >>> at >>> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) >>> at >>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>> at >>> 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>> at java.lang.Thread.run(Thread.java:745) >>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>> Caused by: liquibase.exception.DatabaseException: Incorrect database >>> name '' [Failed SQL: CREATE TABLE ``.DATABASECHANGELOG (ID >>> VARCHAR(255) NOT NULL, AUTHOR VARCHAR(255) NOT NULL, FILENAME >>> VARCHAR(255) NOT NULL, DATEEXECUTED datetime NOT NULL, ORDEREXECUTED >>> INT NOT NULL, EXECTYPE VARCHAR(10) NOT NULL, MD5SUM VARCHAR(35) >>> NULL, DESCRIPTION VARCHAR(255) NULL, COMMENTS VARCHAR(255) NULL, TAG >>> VARCHAR(255) NULL, LIQUIBASE VARCHAR(20) NULL, CONTEXTS VARCHAR(255) >>> NULL, LABELS VARCHAR(255) NULL)] >>> at >>> liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:316) >>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55) >>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122) >>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:112) >>> at >>> liquibase.changelog.StandardChangeLogHistoryService.init(StandardChangeLogHistoryService.java:214) >>> at liquibase.Liquibase.checkLiquibaseTables(Liquibase.java:1074) >>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1136) >>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1126) >>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1122) >>> at >>> org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:63) >>> ... 
36 more >>> Caused by: >>> com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Incorrect >>> database name '' >>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >>> at >>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>> at >>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>> at java.lang.reflect.Constructor.newInstance(Constructor.java:408) >>> at com.mysql.jdbc.Util.handleNewInstance(Util.java:377) >>> at com.mysql.jdbc.Util.getInstance(Util.java:360) >>> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:978) >>> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3887) >>> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3823) >>> at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2435) >>> at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2582) >>> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2526) >>> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2484) >>> at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:848) >>> at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:742) >>> at >>> org.jboss.jca.adapters.jdbc.WrappedStatement.execute(WrappedStatement.java:198) >>> at >>> liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:314) >>> ... 45 more >>> >>> Any ideas as to the potential cause/resolution? >>> >>> The MySQL datasource is configured as follows: >>> >>> >> jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" >>> enabled="true" use-java-context="true"> >>> jdbc:mysql://localhost:3306/keycloak >>> >>> 1000 >>> >>> mysql >>> >>> 20 >>> >>> >>> keycloak >>> keycloakrocks! >>> >>> >>> true >>> >>> >>> 100 >>> true >>> >>> >>> >>> >>> com.mysql.jdbc.jdbc2.optional.MysqlXADataSource >>> com.mysql.jdbc.jdbc2.optional.MysqlDataSource >>> >>> . >>> . >>> . 
>>> >>> >>> >>> >>> Any help would be much appreciated. >>> >>> Thank-you in advance, >>> Darcy Welsh >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >

From aikeaguinea at xsmail.com Tue Mar 1 09:53:47 2016 From: aikeaguinea at xsmail.com (Aikeaguinea) Date: Tue, 01 Mar 2016 09:53:47 -0500 Subject: [keycloak-user] Multiple security Q&As for a user In-Reply-To: References: <3B545404-0DBB-4495-8F36-F434FA4A4513@carboniteinc.com> Message-ID: <1456844027.1391486.536250226.09782629@webmail.messagingengine.com>

This would be of interest to me too. Riddhi, if you do a custom implementation for this purpose, might you be willing to blog about it? On Tue, Mar 1, 2016, at 12:28 AM, Bruno Oliveira wrote: > Hi, I think Marko answered it last month > http://lists.jboss.org/pipermail/keycloak-user/2016-February/004801.html. > Not sure if it helps to your case. > > > On Tue, Mar 1, 2016 at 1:14 AM Riddhi Rathod > wrote: >> Hi all, >> >> If the security question option is enabled in the login flow, then the >> user has to save an answer to it (Default question: "What is your >> mother's name?"). This question is asked to the user in the event of >> "forget password" for an additional level of security. However, in the current system, there is provision for storing only one security Q&A. I am looking to modify this to include the following: >> >> Could this functionality be extended to include 3 security Q&As, which >> is popular practice? I modified the keycloak secret-question.ftl to >> include 2 more questions. But there is no way to store the additional >> questions and answers extracted from the UI form in the UserCredentialValueModel (SecretQuestionRequiredAction.java). 
>> The security questions are not fixed, i.e. a dropdown menu of >> questions will be displayed to users and they will be able to select >> whichever questions they want to. >> >> Does keycloak support storing of multiple security Q&As for a user? >> Has anyone tried this before? >> >> >> Thank you, Riddhi Rathod >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _________________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Aikeaguinea aikeaguinea at xsmail.com -- http://www.fastmail.com - Same, same, but different...

From darcy_welsh at yahoo.com Tue Mar 1 11:32:08 2016 From: darcy_welsh at yahoo.com (Darcy Welsh) Date: Tue, 1 Mar 2016 10:32:08 -0600 Subject: [keycloak-user] Upgrade error - 1.8.0 to 1.8.1 In-Reply-To: <56D5A482.9040000@redhat.com> References: <56D3FE76.40809@redhat.com> <56D5A482.9040000@redhat.com> Message-ID: <1D0F022B-C90C-425D-A1E7-601ADA411073@yahoo.com>

Hi Marek, Thank-you for the response and suggestions, much appreciated. Unfortunately, I tried all of them (clean db, datasource settings and JDBC driver 5.1.29) and still see the issue. It's very strange indeed - I have no issue with Keycloak 1.5.x, 1.6.x, 1.7.x, 1.8.0 - I suspect it may have something to do with the change to Wildfly 10 starting in Keycloak 1.8.1. I am using JRE 1.8.0_25, not sure if that is relevant. Darcy > On Mar 1, 2016, at 8:17 AM, Marek Posolda wrote: > > Thanks. Strange as I couldn't see it. > > Few questions: > > - Do you see it during startup of 1.9.0 against clean DB too? Or just during migration from 1.8.0 ? 
> > - Could you try with datasource settings like this? [1] > > - Could you try with JDBC driver 5.1.29 ? > > [1] > > jndi-name="java:jboss/datasources/KeycloakDS" > pool-name="KeycloakDS" > enabled="true" > use-java-context="true"> > jdbc:mysql://localhost/keycloak > mysql > > keycloak > keycloak > > > > > org.h2.jdbcx.JdbcDataSource > > > com.mysql.jdbc.jdbc2.optional.MysqlXADataSource > > > > > > Marek > > On 29/02/16 14:57, Darcy Welsh wrote: >> Hey Marek, >> >> I am using MySQL 5.6.23 with JDBC driver version 5.1.33. >> >> Darcy >> >> >>> On Feb 29, 2016, at 2:16 AM, Marek Posolda < mposolda at redhat.com > wrote: >>> >>> Which JDBC driver and DB version are you using? Just found this thread during googling: http://liquibase-user.narkive.com/njIDqyEC/incorrect-database-name-on-generatechangelog . Wonder if it can be related to your issue... >>> >>> I am testing MySQL with JDBC driver version 5.1.29 and never saw the issue like this. >>> >>> Marek >>> >>> On 28/02/16 06:00, Darcy Welsh wrote: >>>> Hi, >>>> >>>> I successfully upgraded from 1.7.0 to 1.8.0, however, seeing the following error when attempting to upgrade from 1.8.0 to either 1.8.1 or 1.9.0: >>>> >>>> 22:45:48,803 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 51) Failed to migrate datamodel: java.lang.RuntimeException: Failed to update database >>>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:87) >>>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:153) >>>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:42) >>>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30) >>>> at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) >>>> at 
org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:34) >>>> at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:16) >>>> at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) >>>> at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getDelegate(DefaultCacheRealmProvider.java:61) >>>> at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getMigrationModel(DefaultCacheRealmProvider.java:43) >>>> at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:21) >>>> at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:139) >>>> at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:82) >>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:408) >>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >>>> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) >>>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) >>>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) >>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) >>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >>>> at 
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) >>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >>>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) >>>> at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) >>>> at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) >>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) >>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) >>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>>> at java.lang.Thread.run(Thread.java:745) >>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>>> Caused by: liquibase.exception.DatabaseException: Incorrect database name '' [Failed SQL: CREATE TABLE ``.DATABASECHANGELOG (ID VARCHAR(255) NOT NULL, AUTHOR VARCHAR(255) NOT NULL, FILENAME VARCHAR(255) NOT NULL, DATEEXECUTED datetime NOT NULL, ORDEREXECUTED INT NOT NULL, EXECTYPE VARCHAR(10) NOT NULL, MD5SUM VARCHAR(35) NULL, DESCRIPTION VARCHAR(255) NULL, COMMENTS VARCHAR(255) NULL, TAG VARCHAR(255) NULL, LIQUIBASE VARCHAR(20) NULL, CONTEXTS VARCHAR(255) NULL, LABELS VARCHAR(255) NULL)] >>>> at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:316) >>>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55) >>>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122) >>>> at 
liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:112) >>>> at liquibase.changelog.StandardChangeLogHistoryService.init(StandardChangeLogHistoryService.java:214) >>>> at liquibase.Liquibase.checkLiquibaseTables(Liquibase.java:1074) >>>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1136) >>>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1126) >>>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1122) >>>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:63) >>>> ... 36 more >>>> Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Incorrect database name '' >>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:408) >>>> at com.mysql.jdbc.Util.handleNewInstance(Util.java:377) >>>> at com.mysql.jdbc.Util.getInstance(Util.java:360) >>>> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:978) >>>> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3887) >>>> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3823) >>>> at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2435) >>>> at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2582) >>>> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2526) >>>> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2484) >>>> at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:848) >>>> at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:742) >>>> at org.jboss.jca.adapters.jdbc.WrappedStatement.execute(WrappedStatement.java:198) >>>> at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:314) >>>> ... 
45 more >>>> >>>> Any ideas as to the potential cause/resolution? >>>> >>>> The MySQL datasource is configured as follows: >>>> >>>> >>>> jdbc:mysql://localhost:3306/keycloak >>>> >>>> 1000 >>>> >>>> mysql >>>> >>>> 20 >>>> >>>> >>>> keycloak >>>> keycloakrocks! >>>> >>>> >>>> true >>>> >>>> >>>> 100 >>>> true >>>> >>>> >>>> >>>> >>>> com.mysql.jdbc.jdbc2.optional.MysqlXADataSource >>>> com.mysql.jdbc.jdbc2.optional.MysqlDataSource >>>> >>>> . >>>> . >>>> . >>>> >>>> >>>> >>>> >>>> Any help would be much appreciated. >>>> >>>> Thank-you in advance, >>>> Darcy Welsh >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160301/84097af7/attachment-0001.html From bburke at redhat.com Tue Mar 1 12:36:21 2016 From: bburke at redhat.com (Bill Burke) Date: Tue, 1 Mar 2016 12:36:21 -0500 Subject: [keycloak-user] Database errors since Keycloak 1.9.0.Final (?) In-Reply-To: <11EAB81C-C4BF-4135-B0CB-68AFCB6CABFE@info.nl> References: <11EAB81C-C4BF-4135-B0CB-68AFCB6CABFE@info.nl> Message-ID: <56D5D315.4070901@redhat.com> My favorite kind of email :) On 3/1/2016 7:26 AM, Edgar Vonk - Info.nl wrote: > Hi, > > Never mind about this. It was our fault. Nothing to do with Keycloak. :-) > > > >> On 01 Mar 2016, at 10:14, Edgar Vonk - Info.nl wrote: >> >> Hi, >> >> Since upgrading to Keycloak 1.9.0 Final (I think) we get a lot of database related errors. 
E.g.: >> >> [0m09:03:25,648 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) SQL Error: 942, SQLState: 42000 >> 09:03:25,649 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) ORA-00942: table or view does not exist >> >> 09:03:25,656 INFO [org.hibernate.event.internal.DefaultLoadEventListener] (Timer-2) HHH000327: Error performing load command : org.hibernate.exception.SQLGrammarException: could not extract ResultSet >> 09:03:25,666 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0062: Error occurred during sync of changed users: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.SQLGrammarException: could not extract ResultSet >> at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) >> at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51) >> at com.sun.proxy.$Proxy64.find(Unknown Source) >> at org.keycloak.models.jpa.JpaRealmProvider.getRealm(JpaRealmProvider.java:86) >> at org.keycloak.models.cache.infinispan.RealmAdapter.getDelegateForUpdate(RealmAdapter.java:56) >> at org.keycloak.models.cache.infinispan.RealmAdapter.updateUserFederationProvider(RealmAdapter.java:734) >> at org.keycloak.services.managers.UsersSyncManager$6.run(UsersSyncManager.java:248) >> at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280) >> at org.keycloak.services.managers.UsersSyncManager.updateLastSyncInterval(UsersSyncManager.java:237) >> at org.keycloak.services.managers.UsersSyncManager.access$100(UsersSyncManager.java:44) >> at org.keycloak.services.managers.UsersSyncManager$3$1.call(UsersSyncManager.java:138) >> at org.keycloak.services.managers.UsersSyncManager$3$1.call(UsersSyncManager.java:130) >> at org.keycloak.cluster.infinispan.InfinispanClusterProvider.executeIfNotExecuted(InfinispanClusterProvider.java:90) >> at 
org.keycloak.services.managers.UsersSyncManager$3.run(UsersSyncManager.java:130) >> at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280) >> at org.keycloak.services.managers.UsersSyncManager.syncChangedUsers(UsersSyncManager.java:120) >> at org.keycloak.services.managers.UsersSyncManager$5.run(UsersSyncManager.java:200) >> at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:46) >> at java.util.TimerThread.mainLoop(Timer.java:555) >> at java.util.TimerThread.run(Timer.java:505) >> >> Any ideas on what could cause this? >> >> cheers >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From sthorger at redhat.com Tue Mar 1 14:20:05 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 1 Mar 2016 20:20:05 +0100 Subject: [keycloak-user] Database errors since Keycloak 1.9.0.Final (?) In-Reply-To: <56D5D315.4070901@redhat.com> References: <11EAB81C-C4BF-4135-B0CB-68AFCB6CABFE@info.nl> <56D5D315.4070901@redhat.com> Message-ID: +1 On 1 March 2016 at 18:36, Bill Burke wrote: > My favorite kind of email :) > > On 3/1/2016 7:26 AM, Edgar Vonk - Info.nl wrote: > > Hi, > > > > Never mind about this. It was our fault. Nothing to do with Keycloak. :-) > > > > > > > >> On 01 Mar 2016, at 10:14, Edgar Vonk - Info.nl wrote: > >> > >> Hi, > >> > >> Since upgrading to Keycloak 1.9.0 Final (I think) we get a lot of > database related errors. 
E.g.: > >> > >> [0m [33m09:03:25,648 WARN > [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) SQL Error: > 942, SQLState: 42000 > >> [0m [31m09:03:25,649 ERROR > [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) ORA-00942: > table or view does not exist > >> > >> [0m [0m09:03:25,656 INFO > [org.hibernate.event.internal.DefaultLoadEventListener] (Timer-2) > HHH000327: Error performing load command : > org.hibernate.exception.SQLGrammarException: could not extract ResultSet > >> [0m [31m09:03:25,666 ERROR [org.keycloak.services] (Timer-2) > KC-SERVICES0062: Error occurred during sync of changed users: > org.keycloak.models.ModelException: javax.persistence.PersistenceException: > org.hibernate.exception.SQLGrammarException: could not extract ResultSet > >> at > org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) > >> at > org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51) > >> at com.sun.proxy.$Proxy64.find(Unknown Source) > >> at > org.keycloak.models.jpa.JpaRealmProvider.getRealm(JpaRealmProvider.java:86) > >> at > org.keycloak.models.cache.infinispan.RealmAdapter.getDelegateForUpdate(RealmAdapter.java:56) > >> at > org.keycloak.models.cache.infinispan.RealmAdapter.updateUserFederationProvider(RealmAdapter.java:734) > >> at > org.keycloak.services.managers.UsersSyncManager$6.run(UsersSyncManager.java:248) > >> at > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280) > >> at > org.keycloak.services.managers.UsersSyncManager.updateLastSyncInterval(UsersSyncManager.java:237) > >> at > org.keycloak.services.managers.UsersSyncManager.access$100(UsersSyncManager.java:44) > >> at > org.keycloak.services.managers.UsersSyncManager$3$1.call(UsersSyncManager.java:138) > >> at > org.keycloak.services.managers.UsersSyncManager$3$1.call(UsersSyncManager.java:130) > >> at > 
org.keycloak.cluster.infinispan.InfinispanClusterProvider.executeIfNotExecuted(InfinispanClusterProvider.java:90) > >> at > org.keycloak.services.managers.UsersSyncManager$3.run(UsersSyncManager.java:130) > >> at > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280) > >> at > org.keycloak.services.managers.UsersSyncManager.syncChangedUsers(UsersSyncManager.java:120) > >> at > org.keycloak.services.managers.UsersSyncManager$5.run(UsersSyncManager.java:200) > >> at > org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:46) > >> at java.util.TimerThread.mainLoop(Timer.java:555) > >> at java.util.TimerThread.run(Timer.java:505) > >> > >> Any ideas on what could cause this? > >> > >> cheers > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160301/7abdcde1/attachment.html From Edgar at info.nl Tue Mar 1 14:56:23 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Tue, 1 Mar 2016 19:56:23 +0000 Subject: [keycloak-user] Update account - login action tokens - how to make them persistent In-Reply-To: <07136B17-275D-4949-8C94-28C62EED1FC5@info.nl> References: <07136B17-275D-4949-8C94-28C62EED1FC5@info.nl> Message-ID: Hi all, What would we need to do to make Keycloak user sessions persistent in the database? 
I think the information in: http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html is not relevant anymore with Keycloak 1.9.0? Specifically: "userSessions": { "provider": "jpa" } Does not seem to work ("Failed to find provider jpa for userSessions"). User sessions are now managed using Infinispan by default if I understand correctly: http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3292 ? Is there a way to make user sessions persistent? Our issue is that we send out a lot of activation ("update password") emails from our (single) Keycloak server to new users and since we have a continuous delivery pipeline Keycloak goes down and up quite a bit and every time it restarts all temporary login tokens used for these update password actions are lost (since they are stored in memory only). And if I understand correctly these tokens are actually a sort of user session. cheers Edgar > On 29 Feb 2016, at 17:52, Edgar Vonk - Info.nl wrote: > > Hi, > > See if I understand this correctly: in the default set up of Keycloak, sessions and temporary tokens are not persisted in the Keycloak database? So consider this scenario: > > 1/ login as admin to master realm > 2/ go to Users - Credentials and send an "Update Password" reset action email > 3/ user receives an email with a link with a unique token to update his/her password in Keycloak > 4/ Keycloak server is restarted for whatever reason > 5/ the temporary "login action token" no longer exists and the link from 3/ no longer works > > Is this correct and expected behaviour? > > And if so, can somebody maybe point us in the direction to solve this? I.e. by making sessions/tokens persistent I guess. > > cheers > > Edgar -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160301/1b8dbb9c/attachment.bin

From mposolda at redhat.com Wed Mar 2 02:11:09 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 2 Mar 2016 08:11:09 +0100 Subject: [keycloak-user] Upgrade error - 1.8.0 to 1.8.1 In-Reply-To: <1D0F022B-C90C-425D-A1E7-601ADA411073@yahoo.com> References: <56D3FE76.40809@redhat.com> <56D5A482.9040000@redhat.com> <1D0F022B-C90C-425D-A1E7-601ADA411073@yahoo.com> Message-ID: <56D6920D.1030200@redhat.com>

On 01/03/16 17:32, Darcy Welsh wrote: > Hi Marek, > > Thank-you for the response and suggestions, much appreciated. > Unfortunately, I tried all of them (clean db, datasource settings and > JDBC driver 5.1.29) and still see the issue. Ah, so just to clarify: even if you start Keycloak 1.9.0 with an empty MySQL DB, the startup will fail with this error? > > It's very strange indeed - I have no issue with Keycloak 1.5.x, 1.6.x, > 1.7.x, 1.8.0 - I suspect it may have something to do with the change > to Wildfly 10 starting in Keycloak 1.8.1. > > I am using JRE 1.8.0_25, not sure if that is relevant. Guess the WildFly version or JDK version is not too relevant here. Hard to say without being able to reproduce. Marek > > > Darcy > > > > > >> On Mar 1, 2016, at 8:17 AM, Marek Posolda > > wrote: >> >> Thanks. Strange as I couldn't see it. >> >> Few questions: >> >> - Do you see it during startup of 1.9.0 against clean DB too? Or just >> during migration from 1.8.0 ? >> >> - Could you try with datasource settings like this? [1] >> >> - Could you try with JDBC driver 5.1.29 ? 
>> >> [1] >> >> > jndi-name="java:jboss/datasources/KeycloakDS" >> pool-name="KeycloakDS" >> enabled="true" >> use-java-context="true"> >> jdbc:mysql://localhost/keycloak >> mysql >> >> keycloak >> keycloak >> >> >> >> >> org.h2.jdbcx.JdbcDataSource >> >> >> com.mysql.jdbc.jdbc2.optional.MysqlXADataSource >> >> >> >> >> >> Marek >> >> On 29/02/16 14:57, Darcy Welsh wrote: >>> Hey Marek, >>> >>> I am using MySQL 5.6.23 with JDBC driver version 5.1.33. >>> >>> Darcy >>> >>> >>>> On Feb 29, 2016, at 2:16 AM, Marek Posolda wrote: >>>> >>>> Which JDBC driver and DB version are you using? Just found this >>>> thread during googling: >>>> http://liquibase-user.narkive.com/njIDqyEC/incorrect-database-name-on-generatechangelog >>>> . Wonder if it can be related to your issue... >>>> >>>> I am testing MySQL with JDBC driver version 5.1.29 and never saw >>>> the issue like this. >>>> >>>> Marek >>>> >>>> On 28/02/16 06:00, Darcy Welsh wrote: >>>>> Hi, >>>>> >>>>> I successfully upgraded from 1.7.0 to 1.8.0, however, seeing the >>>>> following error when attempting to upgrade from 1.8.0 to either >>>>> 1.8.1 or 1.9.0: >>>>> >>>>> 22:45:48,803 ERROR >>>>> [org.keycloak.services.resources.KeycloakApplication] >>>>> (ServerService Thread Pool -- 51) Failed to migrate datamodel: >>>>> java.lang.RuntimeException: Failed to update database >>>>> at >>>>> org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:87) >>>>> at >>>>> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:153) >>>>> at >>>>> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:42) >>>>> at >>>>> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30) >>>>> at >>>>> org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) >>>>> at >>>>> 
org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:34) >>>>> at >>>>> org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:16) >>>>> at >>>>> org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) >>>>> at >>>>> org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getDelegate(DefaultCacheRealmProvider.java:61) >>>>> at >>>>> org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getMigrationModel(DefaultCacheRealmProvider.java:43) >>>>> at >>>>> org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:21) >>>>> at >>>>> org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:139) >>>>> at >>>>> org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:82) >>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>>>> Method) >>>>> at >>>>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>>>> at >>>>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:408) >>>>> at >>>>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >>>>> at >>>>> org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) >>>>> at >>>>> org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) >>>>> at >>>>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) >>>>> at >>>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) >>>>> at >>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >>>>> at >>>>> 
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >>>>> at >>>>> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) >>>>> at >>>>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >>>>> at >>>>> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) >>>>> at >>>>> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) >>>>> at >>>>> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) >>>>> at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) >>>>> at >>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) >>>>> at >>>>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>>> at >>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>>>> at >>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>>>> at java.lang.Thread.run(Thread.java:745) >>>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>>>> Caused by: liquibase.exception.DatabaseException: Incorrect >>>>> database name '' [Failed SQL: CREATE TABLE ``.DATABASECHANGELOG >>>>> (ID VARCHAR(255) NOT NULL, AUTHOR VARCHAR(255) NOT NULL, FILENAME >>>>> VARCHAR(255) NOT NULL, DATEEXECUTED datetime NOT NULL, >>>>> ORDEREXECUTED INT NOT NULL, EXECTYPE VARCHAR(10) NOT NULL, MD5SUM >>>>> VARCHAR(35) NULL, DESCRIPTION VARCHAR(255) NULL, COMMENTS >>>>> VARCHAR(255) NULL, TAG VARCHAR(255) NULL, LIQUIBASE VARCHAR(20) >>>>> NULL, CONTEXTS VARCHAR(255) NULL, LABELS VARCHAR(255) NULL)] >>>>> at >>>>> 
liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:316) >>>>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55) >>>>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122) >>>>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:112) >>>>> at >>>>> liquibase.changelog.StandardChangeLogHistoryService.init(StandardChangeLogHistoryService.java:214) >>>>> at liquibase.Liquibase.checkLiquibaseTables(Liquibase.java:1074) >>>>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1136) >>>>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1126) >>>>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1122) >>>>> at >>>>> org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:63) >>>>> ... 36 more >>>>> Caused by: >>>>> com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: >>>>> Incorrect database name '' >>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>>>> Method) >>>>> at >>>>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>>>> at >>>>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:408) >>>>> at com.mysql.jdbc.Util.handleNewInstance(Util.java:377) >>>>> at com.mysql.jdbc.Util.getInstance(Util.java:360) >>>>> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:978) >>>>> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3887) >>>>> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3823) >>>>> at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2435) >>>>> at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2582) >>>>> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2526) >>>>> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2484) >>>>> at 
com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:848)
>>>>> at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:742)
>>>>> at org.jboss.jca.adapters.jdbc.WrappedStatement.execute(WrappedStatement.java:198)
>>>>> at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:314)
>>>>> ... 45 more
>>>>>
>>>>> Any ideas as to the potential cause/resolution?
>>>>>
>>>>> The MySQL datasource is configured as follows:
>>>>>
>>>>> jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
>>>>> jdbc:mysql://localhost:3306/keycloak
>>>>> 1000
>>>>> mysql
>>>>> 20
>>>>> keycloak
>>>>> keycloakrocks!
>>>>> true
>>>>> 100
>>>>> true
>>>>> com.mysql.jdbc.jdbc2.optional.MysqlXADataSource
>>>>> com.mysql.jdbc.jdbc2.optional.MysqlDataSource
>>>>> .
>>>>> .
>>>>> .
>>>>>
>>>>> Any help would be much appreciated.
>>>>>
>>>>> Thank-you in advance,
>>>>> Darcy Welsh
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ado.boj.83 at gmail.com Wed Mar 2 04:13:19 2016
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Wed, 2 Mar 2016 10:13:19 +0100
Subject: [keycloak-user] How to add Admin User

Hi,

I would like to summarise the information about How to add Admin User - chapter 3.2.1.

My questions are:
1.) From which version (including) is the new concept that there is no built-in user?
2a.) What is the exact command via the add-user script (add-user.sh) to create an admin user?
2b.)
Same question as in 2a, but in keycloak-overlay (add-user-keycloak.sh)?

Thanks and Best Regards,
Andrej.

From bruno at abstractj.org Wed Mar 2 04:38:05 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 02 Mar 2016 09:38:05 +0000
Subject: [keycloak-user] How to add Admin User

Hi Andrej, answers inline

On Wed, Mar 2, 2016 at 6:13 AM Andrej Prievalsky wrote:
> Hi,
>
> I would like to summarise the information about How to add Admin User - chapter 3.2.1.
>
> My questions are:
> 1.) From which version (including) is the new concept that there is no built-in user?

1.8.0 See: http://keycloak.github.io/docs/userguide/keycloak-server/html/Migration_from_older_versions.html#d4e4031

> 2a.) What is the exact command via the add-user script (add-user.sh) to create an admin user?

See: http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116

> 2b.) Same question as in 2a, but in keycloak-overlay (add-user-keycloak.sh)?

You are correct. Maybe this is an inconsistency to be fixed.

> Thanks and Best Regards,
> Andrej.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ado.boj.83 at gmail.com Wed Mar 2 05:03:47 2016
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Wed, 2 Mar 2016 11:03:47 +0100
Subject: [keycloak-user] How to add Admin User

Hi Bruno,

thanks for the answer.
But from http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 and the section "*...you can use the add-user script from the command-line.*", my question is: how exactly should the command with the add-user script look?
Because in the past we used this command: add-user.sh --container -u admin -p admin

Andrej.

On Wed, Mar 2, 2016 at 10:38 AM, Bruno Oliveira wrote:
> Hi Andrej, answers inline
>
> On Wed, Mar 2, 2016 at 6:13 AM Andrej Prievalsky wrote:
>
>> Hi,
>>
>> I would like to summarise the information about How to add Admin User - chapter 3.2.1.
>>
>> My questions are:
>> 1.) From which version (including) is the new concept that there is no built-in user?
>
> 1.8.0 See:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/Migration_from_older_versions.html#d4e4031
>
>> 2a.) What is the exact command via the add-user script (add-user.sh) to create an admin user?
>
> See:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116
>
>> 2b.) Same question as in 2a, but in keycloak-overlay (add-user-keycloak.sh)?
>
> You are correct. Maybe this is an inconsistency to be fixed.
>
>> Thanks and Best Regards,
>> Andrej.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bruno at abstractj.org Wed Mar 2 05:10:28 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 02 Mar 2016 10:10:28 +0000
Subject: [keycloak-user] How to add Admin User

I'm not sure if I follow your question but './add-user.sh -u admin -p admin' or './add-user.sh -u admin' should work.
From yelata at blulogix.com Wed Mar 2 05:26:30 2016
From: yelata at blulogix.com (Yasser El-ata)
Date: Wed, 2 Mar 2016 12:26:30 +0200
Subject: [keycloak-user] CRUD Using KeyCloak

Hello, I want to create CRUD using KeyCloak. I have an angularJS application and it uses KeyCloak.

My case is: I have screens in my application that contain sub screens, and every sub screen contains CRUD roles (CREATE, READ, UPDATE, DELETE); it may contain multiple levels.

The screenshot may make the case more clear.

The normal client roles are not enough for me, or maybe I misunderstand something.

Could you please help me with how to create these roles in KeyCloak, or whether KeyCloak supports roles like this, or if there is any other way to create them?

Thanks

--
Yasser El-Ata
Java Developer
BluLogix
737 Walker Rd Ste 3, Great Falls, VA 22066
t: 443.333.4100 | f: 443.333.4101
*www.blulogix.com *

The information transmitted is intended only for the person(s) to whom it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
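For the screen/sub-screen CRUD layout asked about in this message, here is an added example (not code from the thread, from Keycloak or from keycloak.js) that checks permissions encoded as client roles named with a "/" delimiter, the convention Stian suggests in his reply further down the thread. The `resource_access` claim shape is the real one from a Keycloak access token; the client id `angular-app`, the role names and the `*` wildcard are constructed assumptions.

```javascript
// Added example, not code from the thread or from Keycloak: checking
// per-screen CRUD permissions that are encoded as Keycloak client roles
// named "<screen>[/<sub-screen>...]/<operation>". The "resource_access"
// claim shape is the real one from a Keycloak access token; the client id
// "angular-app", the role names and the "*" wildcard are constructed.

const CRUD_OPS = ['create', 'read', 'update', 'delete'];

// Constructed sample: what keycloak.js exposes as
// keycloak.tokenParsed.resource_access after login.
const sampleTokenParsed = {
  resource_access: {
    'angular-app': {
      roles: [
        'screen-a/read',          // top-level screen, one operation
        'screen-a/sub-b/read',    // nested sub screen
        'screen-a/sub-b/update',
        'screen-c/*',             // constructed convention: every CRUD op on screen-c
        'offline_access',         // unrelated role; must be ignored
      ],
    },
  },
};

// Parse one role name into { path, op } or null when it does not follow the
// convention (no delimiter, empty segment, or an operation outside CRUD/"*").
function parseScreenRole(role) {
  const parts = role.split('/');
  if (parts.length < 2) return null;
  const op = parts[parts.length - 1];
  const path = parts.slice(0, -1);
  if (op !== '*' && !CRUD_OPS.includes(op)) return null;
  if (path.some((segment) => segment.length === 0)) return null;
  return { path, op };
}

// Roles granted for clientId, or [] when the token carries no entry for that
// client (a user with no roles for this client is denied everywhere).
function clientRoles(tokenParsed, clientId) {
  const access = tokenParsed && tokenParsed.resource_access;
  const entry = access && access[clientId];
  return entry && Array.isArray(entry.roles) ? entry.roles : [];
}

// True when the token grants op on the screen identified by screenPath (an
// array such as ['screen-a', 'sub-b']). Only an exact path match counts: a
// role on a parent screen does not implicitly cover its sub screens, so every
// grant must be explicit, which keeps the check easy to audit.
function hasScreenAccess(tokenParsed, clientId, screenPath, op) {
  if (!CRUD_OPS.includes(op)) return false;
  const wanted = screenPath.join('/');
  return clientRoles(tokenParsed, clientId).some((role) => {
    const parsed = parseScreenRole(role);
    return parsed !== null
      && parsed.path.join('/') === wanted
      && (parsed.op === op || parsed.op === '*');
  });
}

// Map each screen path ("/"-joined) to the sorted list of CRUD operations the
// token grants there, e.g. to enable or disable buttons in the UI. Roles that
// do not follow the convention are skipped rather than treated as grants.
function screenPermissions(tokenParsed, clientId) {
  const result = {};
  for (const role of clientRoles(tokenParsed, clientId)) {
    const parsed = parseScreenRole(role);
    if (parsed === null) continue;
    const key = parsed.path.join('/');
    const ops = result[key] || (result[key] = new Set());
    (parsed.op === '*' ? CRUD_OPS : [parsed.op]).forEach((o) => ops.add(o));
  }
  const summary = {};
  for (const key of Object.keys(result)) summary[key] = [...result[key]].sort();
  return summary;
}

// Stand-alone demonstration on the constructed token.
console.log(screenPermissions(sampleTokenParsed, 'angular-app'));
console.log(hasScreenAccess(sampleTokenParsed, 'angular-app', ['screen-a', 'sub-b'], 'delete'));
```

In the AngularJS app the parsed token comes from the keycloak.js adapter (`keycloak.tokenParsed`); the check is only a UI convenience, and the REST backend must enforce the same roles on every request.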
From sthorger at redhat.com Wed Mar 2 07:00:03 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:00:03 +0100
Subject: [keycloak-user] Upgrade error - 1.8.0 to 1.8.1
In-Reply-To: <56D6920D.1030200@redhat.com>
References: <56D3FE76.40809@redhat.com> <56D5A482.9040000@redhat.com> <1D0F022B-C90C-425D-A1E7-601ADA411073@yahoo.com> <56D6920D.1030200@redhat.com>

Maybe it's down to MySQL config? For example storage engine.

On 2 March 2016 at 08:11, Marek Posolda wrote:
> On 01/03/16 17:32, Darcy Welsh wrote:
>
> Hi Marek,
>
> Thank-you for the response and suggestions, much appreciated. Unfortunately, I tried all of them (clean db, datasource settings and JDBC driver 5.1.29) and still see the issue.
>
> ah, so just to clarify. Even if you start Keycloak 1.9.0 with empty MySQL DB, the startup will fail with this error?
>
> It's very strange indeed - I have no issue with Keycloak 1.5.x, 1.6.x, 1.7.x, 1.8.0 - I suspect it may have something to do with the change to Wildfly 10 starting in Keycloak 1.8.1.
>
> I am using JRE 1.8.0_25, not sure if that is relevant.
>
> Guess wildfly version or JDK version is not too relevant here. Hard to say without being able to reproduce.
>
> Marek
>
> Darcy
>
> On Mar 1, 2016, at 8:17 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
> Thanks. Strange as I couldn't see it.
>
> Few questions:
>
> - Do you see it during startup of 1.9.0 against clean DB too? Or just during migration from 1.8.0 ?
>
> - Could you try with datasource settings like this? [1]
>
> - Could you try with JDBC driver 5.1.29 ?
> > [1] > > jndi-name="java:jboss/datasources/KeycloakDS" > pool-name="KeycloakDS" > enabled="true" > use-java-context="true"> > > jdbc:mysql://localhost/keycloak > mysql > > keycloak > keycloak > > > > > > org.h2.jdbcx.JdbcDataSource > > > > com.mysql.jdbc.jdbc2.optional.MysqlXADataSource > > > > > > Marek > > On 29/02/16 14:57, Darcy Welsh wrote: > > Hey Marek, > > I am using MySQL 5.6.23 with JDBC driver version 5.1.33. > > Darcy > > > On Feb 29, 2016, at 2:16 AM, Marek Posolda wrote: > > Which JDBC driver and DB version are you using? Just found this thread > during googling: > > http://liquibase-user.narkive.com/njIDqyEC/incorrect-database-name-on-generatechangelog > . Wonder if it can be related to your issue... > > I am testing MySQL with JDBC driver version 5.1.29 and never saw the issue > like this. > > Marek > > On 28/02/16 06:00, Darcy Welsh wrote: > > Hi, > > I successfully upgraded from 1.7.0 to 1.8.0, however, seeing the following > error when attempting to upgrade from 1.8.0 to either 1.8.1 or 1.9.0: > > 22:45:48,803 ERROR [org.keycloak.services.resources.KeycloakApplication] > (ServerService Thread Pool -- 51) Failed to migrate datamodel: > java.lang.RuntimeException: Failed to update database > at > org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:87) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:153) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:42) > at > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30) > at > org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) > at > org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:34) > at > 
org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:16) > at > org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) > at > org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getDelegate(DefaultCacheRealmProvider.java:61) > at > org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getMigrationModel(DefaultCacheRealmProvider.java:43) > at > org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:21) > at > org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:139) > at > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:82) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:408) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > at > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) > at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > at > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > at > 
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > at > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) > at > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) > at > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > Caused by: liquibase.exception.DatabaseException: Incorrect database name > '' [Failed SQL: CREATE TABLE ``.DATABASECHANGELOG (ID VARCHAR(255) NOT > NULL, AUTHOR VARCHAR(255) NOT NULL, FILENAME VARCHAR(255) NOT NULL, > DATEEXECUTED datetime NOT NULL, ORDEREXECUTED INT NOT NULL, EXECTYPE > VARCHAR(10) NOT NULL, MD5SUM VARCHAR(35) NULL, DESCRIPTION VARCHAR(255) > NULL, COMMENTS VARCHAR(255) NULL, TAG VARCHAR(255) NULL, LIQUIBASE > VARCHAR(20) NULL, CONTEXTS VARCHAR(255) NULL, LABELS VARCHAR(255) NULL)] > at > liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:316) > at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55) > at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122) > at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:112) > at > liquibase.changelog.StandardChangeLogHistoryService.init(StandardChangeLogHistoryService.java:214) > at 
liquibase.Liquibase.checkLiquibaseTables(Liquibase.java:1074) > at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1136) > at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1126) > at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1122) > at > org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:63) > ... 36 more > Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: > Incorrect database name '' > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:408) > at com.mysql.jdbc.Util.handleNewInstance(Util.java:377) > at com.mysql.jdbc.Util.getInstance(Util.java:360) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:978) > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3887) > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3823) > at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2435) > at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2582) > at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2526) > at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2484) > at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:848) > at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:742) > at > org.jboss.jca.adapters.jdbc.WrappedStatement.execute(WrappedStatement.java:198) > at > liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:314) > ... 45 more > > Any ideas as to the potential cause/resolution? 
>
> The MySQL datasource is configured as follows:
>
> jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
> jdbc:mysql://localhost:3306/keycloak
> 1000
> mysql
> 20
> keycloak
> keycloakrocks!
> true
> 100
> true
> com.mysql.jdbc.jdbc2.optional.MysqlXADataSource
> com.mysql.jdbc.jdbc2.optional.MysqlDataSource
> .
> .
> .
>
> Any help would be much appreciated.
>
> Thank-you in advance,
> Darcy Welsh
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Mar 2 07:02:37 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:02:37 +0100
Subject: [keycloak-user] How to add Admin User

In overlay the script should be add-user-keycloak. The overlay adds Keycloak server to an existing WildFly installation so we don't want to overwrite any existing files. I appreciate this may be confusing and inconsistent, but at the same time if we did overwrite people would probably complain about us overwriting the existing script. In the server dist this doesn't apply as the server is purely a Keycloak server, not a WildFly server.

On 2 March 2016 at 11:10, Bruno Oliveira wrote:
> I'm not sure if I follow your question but './add-user.sh -u admin -p admin' or './add-user.sh -u admin' should work.
>
> On Wed, Mar 2, 2016 at 7:03 AM Andrej Prievalsky wrote:
>
>> Hi Bruno,
>>
>> thanks for answer.
From siva.b at knowledgeflux.com Wed Mar 2 07:02:56 2016
From: siva.b at knowledgeflux.com (Siva)
Date: Wed, 2 Mar 2016 22:02:56 +1000
Subject: [keycloak-user] REST(MicroServices) authentication through SAML 2.0
In-Reply-To: <1943685689.31440514.1456747444352.JavaMail.zimbra@redhat.com>
References: <15a24101d17031$35c052c0$a140f840$@knowledgeflux.com> <330317876.30771350.1456494303748.JavaMail.zimbra@redhat.com> <834401d17118$7c6f5580$754e0080$@knowledgeflux.com> <1943685689.31440514.1456747444352.JavaMail.zimbra@redhat.com>
Message-ID: <14059e01d1747b$7c439ba0$74cad2e0$@knowledgeflux.com>

Thanks Pedro. Your input gives us a good lead to plan our project execution. :)

Regards,
Siva.

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: 29 February 2016 22:04
To: Siva
Cc: mposolda at redhat.com; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] REST(MicroServices) authentication through SAML 2.0

----- Original Message -----
> From: "Siva"
> To: "Pedro Igor Silva" , mposolda at redhat.com
> Cc: keycloak-user at lists.jboss.org
> Sent: Saturday, February 27, 2016 1:36:42 AM
> Subject: RE: [keycloak-user] REST(MicroServices) authentication through SAML 2.0
>
> Thanks Pedro & Marek for your valuable inputs.
>
> More questions:
>
> Based on your response for question 1 in the below mail chain, I'm 100% with you on the brokering scenario if we own the client layer. I think I've not explained my scenario and questions very well in the previous mail; let me try to rearticulate my challenges here.
>
> As I specified in the below mail, we completely own the business systems (server side) which will have a client UI.
> But the UI layer is loosely coupled through REST (microservice) for the server and client interaction to support dynamic client interaction (our own [primary] client UI or through business partners' [secondary] portal UI).
>
> Here there are 2 cases,
>
> Case 1:
> We bind our client UI in KC for the authentication process through SAML 2.0 (using IDP brokering). I'm clear on this process implementation (since I've tested this approach in KC for a simple web application).

+1, that makes sense. Now your clients can access your service layer using OAuth2.

> Case 2:
> My challenge here is encapsulating the REST endpoints of our server side services for the authentication & authorization process; irrespective of whether the request is coming from our own UI client or from a business partner client, it's going to bring the token for the authentication & authorization process (if we assume the client has received the SAML 2.0 tokens from their respective IDP [authorization server]). When the clients are sharing the SAML 2.0 tokens with the REST end points, how exactly does this request need to be handled, or how should this token be validated through the SAML 2.0 broker IDP configured in KC? This is where I'm puzzled and I'm looking for your support to crack this issue.
>
> As you have mentioned, even I'm not personally positive on using SAML 2.0 for REST security; but unfortunately the enterprises which we work with don't support any other protocols and we are left with no choice here.

The broker can't help you here. Case #2 is more about authorization, where you need to build a security context based on an existing token and use that to access your protected resources (business layer). Like I said, there is that SAML 2.0 profile, which would provide a better and standardized security design. In this case, your protected resources would be protected by a single bearer token format, e.g. access_token.
Another thing you can do is customize the KC adapter to support both types of bearer tokens: SAML assertion or OAuth2 access_token. In this case, you would need to implement the necessary validations around the SAML assertions that you trust and keep the contract with your application intact regarding how you obtain the necessary claims to perform authorization checks.

> Your comment in the below mail chain: "An interesting solution would be the Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants [1]." If this is the only solution for case 2, do we have any plan on when exactly this will be implemented in KC?

That I'll leave to Stian :) He is the best person to answer that.

> Regards,
> Siva.
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: 27 February 2016 06:37
> To: Pedro Igor Silva; Siva
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] REST(MicroServices) authentication through SAML 2.0
>
> On 26/02/16 14:45, Pedro Igor Silva wrote:
> >> > 2) Does keycloak support Apache karaf container? I couldn't find any adapter for this under SAML adapter category.
> > I don't think so, but someone can give you more input on that.
>
> We have Fuse/karaf adapters and also the examples for them, but that's all related to OIDC. It mostly leverages our OIDC Jetty adapter. See docs [1] and examples distribution (examples in "fuse" folder).
>
> We have SAML Jetty adapter, so there might be a possibility to inject the SAML adapter to jetty in similar ways like we're doing for OIDC...
>
> [1] http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#fuse-adapter
>
> Marek
> =================================================================================================
> -----Original Message-----
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: 26 February 2016 23:45
> To: Siva
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] REST(MicroServices) authentication through SAML 2.0
>
> Hi Siva,
>
> Some comments inline.
>
> ----- Original Message -----
> > From: "Siva"
> > To: keycloak-user at lists.jboss.org
> > Sent: Thursday, February 25, 2016 10:01:15 PM
> > Subject: [keycloak-user] REST(MicroServices) authentication through SAML 2.0
> >
> > Hi Experts,
> >
> > I've got a scenario, seeking your valuable inputs to take this in the right direction.
> >
> > My application is a complete server side solution which has 6 different modules and it exposes only the REST (Microservices) end points (5 modules are hosted in a tomcat 8 container and 1 is hosted in Apache Karaf [OSGI bundle]) to the external world; which will be accessed by different enterprises and they need to integrate their SAML 2.0 IDP for authentication.
> >
> > These Microservices end points could be integrated with their existing portals or could be integrated with their existing mobile app applications; in some scenarios it could be an exclusive client application built to consume our REST end points which could potentially be browser based and a Mobile app.
> >
> > The challenge here is, for now we could use only SAML 2.0 based authentication since not all the organizations support OIDC/OAuth2.0, and as well our application could be flexible enough to be integrated with the existing client portals which use SAML 2.0 authentication.
> >
> > We are planning to use keycloak as IDP broker to secure our endpoints.
> >
> > Questions:
> >
> > 1) Can this be achieved in keycloak? If yes, could you please provide some inputs on architectural directions in keycloak; like should all the modules need to be configured under 1 realm and need to have a separate brokering realm?
>
> I don't think that brokering is the best solution to address your requirements. If I understood your problem correctly, the clients trying to access your APIs belong to your partners and not you. Brokering is useful when you own the clients and want to create an indirection layer in order to integrate with external identity providers (pretty much the inverse of your use case). Or even during a migration plan when you already have some investments on SAML and want to gradually adopt OpenID Connect for new deployments.
>
> In your case, what you need is something that can utilize an existing trust relationship in order to give to your clients the proper security token to access your APIs.
>
> > 2) Does keycloak support Apache karaf container? I couldn't find any adapter for this under SAML adapter category.
>
> I don't think so, but someone can give you more input on that.
>
> > 3) For REST style endpoints, how should the user credential/Token details need to be shared? Any example links? kerberos is not a complete solution here, since it needs to work on all the devices (Desktop, Laptop & handheld).
>
> Well, there is no sharing of user credentials, but security tokens.
>
> > 4) For the REST based solution, can the application completely rely on keycloak for the session management, after the first time the user is authenticated?
> >
> > Any inputs on this will be highly valued.
>
> An interesting solution would be the Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants [1].
> Very useful when a client wishes to utilize an existing trust relationship, expressed through the semantics of the SAML Assertion, without a direct user approval step at the authorization server.
>
> But, IIRC, that spec is not yet supported in KC.
>
> I've also seen some people using SAML assertions to access RESTful resources. Personally, I don't think it is a good approach, since there is no SAML binding (standard) targeting RESTful resources.
>
> There is also the SAML ECP profile, which we added recently. However, it is targeted for specific use cases where you need to issue a SAML Assertion based on some user credentials (so you must own the users, not your case I think). It also provides some very basic support for the SP side of things, but I don't think it can help you either.
>
> [1] https://tools.ietf.org/html/rfc7522
>
> > Regards,
> >
> > Siva.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Mar 2 07:04:57 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:04:57 +0100
Subject: [keycloak-user] XACML support ?
In-Reply-To: <56D43051.80204@redhat.com>
References: <56D41E2D.9020603@redhat.com> <56D43051.80204@redhat.com>

We are planning on providing an early preview of this feature soon (within a month or two), so stay tuned. It will be announced on blog.keycloak.org when it's available. The aim of the prototype is to find out if this is something users are interested in or not.

On 29 February 2016 at 12:49, Charles Moulliard wrote:
> Is there a jira ticket opened in Keycloak for that ("adding authorization services to Keycloak")?
>
> On 29/02/16 11:56, Stian Thorgersen wrote:
>
> The functionality that was going to be merged from PicketLink was mainly SAML support, which has been merged.
> For XACML we are considering adding support for that in the future by adding authorization services to Keycloak. It'll be a while until that is ready though.
>
> On 29 February 2016 at 11:32, Charles Moulliard wrote:
> > Hi,
> >
> > The project picketlink provides a servlet that can read SOAP messages that contain an XACML query in saml payload
> >
> > https://github.com/picketlink/picketlink/blob/master/modules/federation/src/main/java/org/picketlink/identity/federation/web/servlets/saml/SOAPSAMLXACMLServlet.java#L56-L62
> >
> > https://developer.jboss.org/wiki/XACMLPDPSOAPService
> >
> > As the project picketlink is going to be merged with Keycloak, I'm wondering if XACML will be supported with Keycloak or not ?
> >
> > Regards,
> >
> > Charles

From sthorger at redhat.com Wed Mar 2 07:10:07 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:10:07 +0100
Subject: [keycloak-user] CRUD Using KeyCloak
In-Reply-To:
References:
Message-ID:

If you have a limited number of screens then it can be a good idea to create roles for these, and you can just create these as client roles using the admin console or admin endpoints. You can use a delimiter in the role name to specify the screen (for example 'screen-a/read'). However, if you have a large number of screens then the roles approach will quickly become unmanageable and you may be better off using an ACL or something in your application itself. What you are asking for is more often implemented as ACLs rather than RBAC.
RBAC is usually used for things like 'manager' has read/write access to a group of resources, rather than 'user-a' has read access to 'resource-a'.

On 2 March 2016 at 11:26, Yasser El-ata wrote:
> Hello, I want to create CRUD using KeyCloak, I have an angularJS application and it uses KeyCloak
>
> My case is: I have screens in my application that contain sub screens and every sub screen contains CRUD roles (CREATE, READ, UPDATE, DELETE), it may contain multi levels
>
> the screenshot may make the case more clear
>
> the normal client roles are not enough for me or maybe I misunderstand some thing
>
> could you please help me how to create these roles in KeyCloak, or if KeyCloak supports roles like this or if there is any other way to create them?
>
> Thanks
>
> --
> Yasser El-Ata
> Java Developer
> BluLogix
> 737 Walker Rd Ste 3, Great Falls, VA 22066
> t: 443.333.4100 | f: 443.333.4101
> www.blulogix.com

From sthorger at redhat.com Wed Mar 2 07:11:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:11:25 +0100
Subject: [keycloak-user] Client Mappers. Can I define mappers programmatically?
In-Reply-To: <56AE8D52-DEB6-4000-BF2B-600124C4AE3C@carbonite.com>
References: <2697F06A-E3A8-408E-B949-AC25194BFAD9@carbonite.com> <56AE8D52-DEB6-4000-BF2B-600124C4AE3C@carbonite.com>
Message-ID:

Take a look at http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html and also take a look at example providers in the examples download (there's no protocol mapper, but all providers are deployed in the same way).

On 26 February 2016 at 18:49, Reed Lewis wrote:
> Can someone provide (if there is one out there) an example of adding an additional OIDC mapper to Keycloak? I have tried to compile and load a module to add an additional mapper, and cannot seem to get it working. My new mapper does not appear as a choice for modifying the clJWT claim.
>
> Or do I need to add it to the main source tree and recompile the whole Keycloak project?
>
> Thanks,
>
> Reed
>
> From: Thomas Darimont
> Date: Wednesday, February 24, 2016 at 4:31 PM
> To: Reed Lewis
> Cc: "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Client Mappers. Can I define mappers programmatically?
>
> Hello Reed,
>
> yes you should be able to do that via the:
> org.keycloak.protocol.ProtocolMapperSpi
>
> You can provide your own org.keycloak.protocol.ProtocolMapper (org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper) to introduce computed attributes to the access tokens.
>
> You can find the predefined mappers in the package: org/keycloak/protocol/oidc/mappers within the keycloak-services project.
>
> Cheers,
> Thomas
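To make the SPI route Thomas describes concrete, here is an added example of a custom OIDC protocol mapper (written for this page; it is not Keycloak's code and not something any poster provided). It adds one computed claim, the domain part of the user's e-mail, rather than copying a stored attribute. The package name, provider id and claim name are assumptions, and the method signatures assume the Keycloak 1.9-era API (`transformAccessToken` taking a `ClientSessionModel`, `OIDCAttributeMapperHelper.mapClaim`, `ProviderConfigProperty`); check them against the built-in mappers in `org/keycloak/protocol/oidc/mappers` before building.

```java
// Added example: minimal Keycloak OIDC protocol mapper that emits a computed claim.
// Assumes the 1.9-era SPI signatures; the package and ids below are hypothetical.
package org.example.keycloak.mappers;

import java.util.ArrayList;
import java.util.List;

import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;

public class EmailDomainMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {

    // Provider id shown in the admin console's mapper list; hypothetical, must be unique.
    public static final String PROVIDER_ID = "oidc-email-domain-mapper";

    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();

    static {
        // One admin-editable setting: the claim name. Keying it with the helper's
        // TOKEN_CLAIM_NAME constant is what lets mapClaim() below find it.
        ProviderConfigProperty claimName = new ProviderConfigProperty();
        claimName.setName(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);
        claimName.setLabel("Token Claim Name");
        claimName.setType(ProviderConfigProperty.STRING_TYPE);
        claimName.setDefaultValue("email_domain");
        claimName.setHelpText("Claim that receives the domain part of the user's e-mail.");
        CONFIG_PROPERTIES.add(claimName);
    }

    @Override
    public String getId() { return PROVIDER_ID; }

    @Override
    public String getDisplayType() { return "Email domain"; }

    @Override
    public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }

    @Override
    public String getHelpText() { return "Adds the user's e-mail domain as a claim."; }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() { return CONFIG_PROPERTIES; }

    @Override
    public AccessToken transformAccessToken(AccessToken token, ProtocolMapperModel mappingModel,
                                            KeycloakSession session, UserSessionModel userSession,
                                            ClientSessionModel clientSession) {
        // The value is computed from the server-side user record only; nothing the
        // client sent in the token request influences it.
        String domain = emailDomain(userSession.getUser());
        if (domain != null) {
            OIDCAttributeMapperHelper.mapClaim(token, mappingModel, domain);
        }
        return token;
    }

    /** Lower-cased part after the last '@', or null when there is no usable e-mail. */
    static String emailDomain(UserModel user) {
        String email = (user == null) ? null : user.getEmail();
        if (email == null) return null;
        int at = email.lastIndexOf('@');
        if (at < 0 || at == email.length() - 1) return null;
        return email.substring(at + 1).toLowerCase();
    }
}
```

To be discoverable, the class must be listed by its fully qualified name in `META-INF/services/org.keycloak.protocol.ProtocolMapper` inside the deployed module (the same mechanism the built-in mappers use); after that it appears under a client's Mappers tab like any other mapper. Emitting a derived value instead of the raw attribute keeps the token free of data resource servers do not need, and because the claim is added before the token is signed, consumers can treat it as authoritative provided the mapper only reads from server-side models.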
From cmoulliard at redhat.com Wed Mar 2 07:12:11 2016
From: cmoulliard at redhat.com (Charles Moulliard)
Date: Wed, 2 Mar 2016 13:12:11 +0100
Subject: [keycloak-user] Where to report an issue - docker image ?
Message-ID: <56D6D89B.4070705@redhat.com>

Hi

The existing keycloak example docker image is no longer up to date as the repo containing the code has moved from sourceforge to downloads.jboss.org and maven version 3.0.5 is not supported since 1.9.0.Final
Where can I open a ticket to propose a new Dockerfile ?

Regards

Charles

From prabhalar at yahoo.com Wed Mar 2 07:13:18 2016
From: prabhalar at yahoo.com (Raghuram Prabhala)
Date: Wed, 2 Mar 2016 12:13:18 +0000 (UTC)
Subject: [keycloak-user] XACML support ?
In-Reply-To:
References:
Message-ID: <182101760.1730416.1456920798058.JavaMail.yahoo@mail.yahoo.com>

Yes, absolutely. We are interested :-). I am presuming you are also going to support the UMA standard.

From: Stian Thorgersen
To: Charles Moulliard
Cc: keycloak-user
Sent: Wednesday, March 2, 2016 7:04 AM
Subject: Re: [keycloak-user] XACML support ?

We are planning on providing an early preview of this feature soon (within a month or two), so stay tuned. It will be announced on blog.keycloak.org when it's available. The aim of the prototype is to find out if this is something users are interested in or not.

On 29 February 2016 at 12:49, Charles Moulliard wrote:
Is there a jira ticket opened in Keycloak for that ("adding authorization services to Keycloak") ?

On 29/02/16 11:56, Stian Thorgersen wrote:
The functionality that was going to be merged from PicketLink was mainly SAML support, which has been merged. For XACML we are considering adding support for that in the future by adding authorization services to Keycloak. It'll be a while until that is ready though.
On 29 February 2016 at 11:32, Charles Moulliard wrote:
Hi,

The project picketlink provides a servlet that can read SOAP messages that contain an XACML query in saml payload

https://github.com/picketlink/picketlink/blob/master/modules/federation/src/main/java/org/picketlink/identity/federation/web/servlets/saml/SOAPSAMLXACMLServlet.java#L56-L62

https://developer.jboss.org/wiki/XACMLPDPSOAPService

As the project picketlink is going to be merged with Keycloak, I'm wondering if XACML will be supported with Keycloak or not ?

Regards,

Charles

From Edgar at info.nl Wed Mar 2 07:15:59 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 2 Mar 2016 12:15:59 +0000
Subject: [keycloak-user] Exporting a realm as JSON file should not contain user groups?
Message-ID: <7466A876-5220-4DB7-A128-A068AB6A3F4F@info.nl>

Hi,

We notice that when we export our custom realm to a JSON file (to a directory) that this file also contains all User Groups. We do not want this as we synchronise these User Groups from AD/LDAP just like our users. We want to have realm configuration in the realm JSON file only and not any "run-time" managed data such as users and user groups.

Currently only users are exported to a different JSON file (http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html) but groups are not. Does it make sense to create a feature request to also export user groups separately?
We have hundreds of groups in AD/LDAP which we sync to Keycloak so we really do not want these in the realm JSON.

cheers

Edgar

From sthorger at redhat.com Wed Mar 2 07:17:52 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:17:52 +0100
Subject: [keycloak-user] Where to report an issue - docker image ?
In-Reply-To: <56D6D89B.4070705@redhat.com>
References: <56D6D89B.4070705@redhat.com>
Message-ID:

The Keycloak docker image (it's not an example) has never been hosted on sourceforge nor downloads.jboss.org. The Docker files are located here https://github.com/jboss-dockerfiles/keycloak and the images are released to Docker hub here https://hub.docker.com/r/jboss/keycloak/ (which is updated to 1.9.0.Final).

On 2 March 2016 at 13:12, Charles Moulliard wrote:
> Hi
>
> The existing keycloak example docker image is no longer up to date as the repo containing the code has moved from sourceforge to downloads.jboss.org and maven version 3.0.5 is not supported since 1.9.0.Final
> Where can I open a ticket to propose a new Dockerfile ?
>
> Regards
>
> Charles

From cmoulliard at redhat.com Wed Mar 2 07:20:11 2016
From: cmoulliard at redhat.com (Charles Moulliard)
Date: Wed, 2 Mar 2016 13:20:11 +0100
Subject: [keycloak-user] Where to report an issue - docker image ?
In-Reply-To:
References: <56D6D89B.4070705@redhat.com>
Message-ID: <56D6DA7B.9040909@redhat.com>

This dockerfile refers to sourceforge server to download the keycloak examples

https://github.com/jboss-dockerfiles/keycloak/blob/master/examples/Dockerfile

Moved : https://www.dropbox.com/s/3wu9j7prcck1tgw/Screenshot%202016-03-02%2013.19.53.png?dl=0

On 02/03/16 13:17, Stian Thorgersen wrote:
> The Keycloak docker image (it's not an example) has never been hosted on sourceforge nor downloads.jboss.org. The Docker files are located here https://github.com/jboss-dockerfiles/keycloak and the images are released to Docker hub here https://hub.docker.com/r/jboss/keycloak/ (which is updated to 1.9.0.Final).
>
> On 2 March 2016 at 13:12, Charles Moulliard wrote:
> > Hi
> >
> > The existing keycloak example docker image is no longer up to date as the repo containing the code has moved from sourceforge to downloads.jboss.org and maven version 3.0.5 is not supported since 1.9.0.Final
> > Where can I open a ticket to propose a new Dockerfile ?
> >
> > Regards
> >
> > Charles

From sthorger at redhat.com Wed Mar 2 07:23:44 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:23:44 +0100
Subject: [keycloak-user] Update account - login action tokens - how to make them persistent
In-Reply-To:
References: <07136B17-275D-4949-8C94-28C62EED1FC5@info.nl>
Message-ID:

The tokens themselves are not stored, but can be verified by Keycloak as long as the user session is active. So your question is how to make user sessions persisted. We do not support persisting user sessions at the moment. You have two choices:

1.
Add an additional node and configure set owners to 2 for the user session caches, or change it to a replicated cache. See the clustering section in the docs for more details.
2. Try to configure Infinispan to persist the sessions. See https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem for more details.

On 1 March 2016 at 20:56, Edgar Vonk - Info.nl wrote:
> Hi all,
>
> What would we need to do to make Keycloak user sessions persistent in the database?
>
> I think the information in: http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html is not relevant anymore with Keycloak 1.9.0? Specifically:
>
> "userSessions": {
>   "provider": "jpa"
> }
>
> Does not seem to work ("Failed to find provider jpa for userSessions"). User sessions are now managed using Infinispan by default if I understand correctly: http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3292 ?
>
> Is there a way to make user sessions persistent?
>
> Our issue is that we send out a lot of activation ("update password") emails from our (single) Keycloak server to new users and since we have a continuous delivery pipeline Keycloak goes down and up quite a bit and every time it restarts all temporary log in tokens used for these update password actions are lost (since they are stored in memory only). And if I understand correctly these tokens are actually a sort of user sessions.
>
> cheers
>
> Edgar
>
> On 29 Feb 2016, at 17:52, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:
>
> Hi,
>
> See if I understand this correctly: in the default set up of Keycloak sessions and temporary tokens are not persisted in the Keycloak database? So consider this scenario:
>
> 1/ login as admin to master realm
> 2/ go to Users - Credentials and send a "Update Password"
> reset action email
> 3/ user receives an email with a link with a unique token to update his/her password in Keycloak
> 4/ Keycloak server is restarted for whatever reason
> 5/ the temporary "login action token" no longer exists and the link from 3/ no longer works
>
> Is this correct and expected behaviour?
>
> And if so, can somebody maybe point us in the direction to solve this? I.e. by making sessions/tokens persistent I guess.
>
> cheers
>
> Edgar

From sthorger at redhat.com Wed Mar 2 07:25:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:25:15 +0100
Subject: [keycloak-user] Exporting a realm as JSON file should not contain user groups?
In-Reply-To: <7466A876-5220-4DB7-A128-A068AB6A3F4F@info.nl>
References: <7466A876-5220-4DB7-A128-A068AB6A3F4F@info.nl>
Message-ID:

Roles and groups should be exported to the realm export, while role mappings and group mappings should be exported to the user export.

On 2 March 2016 at 13:15, Edgar Vonk - Info.nl wrote:
> Hi,
>
> We notice that when we export our custom realm to a JSON file (to a directory) that this file also contains all User Groups. We do not want this as we synchronise these User Groups from AD/LDAP just like our users. We want to have realm configuration in the realm JSON file only and not any "run-time" managed data such as users and user groups.
>
> Currently only users are exported to a different JSON file (http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html) but groups are not. Does it make sense to create a feature request to also export user groups separately?
> We have hundreds of groups in AD/LDAP which we sync to Keycloak so we really do not want these in the realm JSON.
>
> cheers
>
> Edgar

From sthorger at redhat.com Wed Mar 2 07:26:23 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:26:23 +0100
Subject: [keycloak-user] Where to report an issue - docker image ?
In-Reply-To: <56D6DA7B.9040909@redhat.com>
References: <56D6D89B.4070705@redhat.com> <56D6DA7B.9040909@redhat.com>
Message-ID:

Ah, I completely misunderstood you. Sorry. Create a JIRA, https://issues.jboss.org/browse/KEYCLOAK. Even better submit a PR as well.

On 2 March 2016 at 13:20, Charles Moulliard wrote:
> This dockerfile refers to sourceforge server to download the keycloak examples
>
> https://github.com/jboss-dockerfiles/keycloak/blob/master/examples/Dockerfile
>
> Moved : https://www.dropbox.com/s/3wu9j7prcck1tgw/Screenshot%202016-03-02%2013.19.53.png?dl=0
>
> On 02/03/16 13:17, Stian Thorgersen wrote:
> The Keycloak docker image (it's not an example) has never been hosted on sourceforge nor downloads.jboss.org. The Docker files are located here https://github.com/jboss-dockerfiles/keycloak and the images are released to Docker hub here https://hub.docker.com/r/jboss/keycloak/ (which is updated to 1.9.0.Final).
>
> On 2 March 2016 at 13:12, Charles Moulliard wrote:
> > Hi
> >
> > The existing keycloak example docker image is no longer up to date as the repo containing the code has moved from sourceforge to downloads.jboss.org and maven version 3.0.5 is not supported since 1.9.0.Final
> > Where can I open a ticket to propose a new Dockerfile ?
> >
> > Regards
> >
> > Charles

From sthorger at redhat.com Wed Mar 2 07:29:17 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:29:17 +0100
Subject: [keycloak-user] Multiple security Q&As for a user
In-Reply-To: <3B545404-0DBB-4495-8F36-F434FA4A4513@carboniteinc.com>
References: <3B545404-0DBB-4495-8F36-F434FA4A4513@carboniteinc.com>
Message-ID:

The security questions option you are referring to is only an example on how you can implement your own. It's not a built-in feature of Keycloak, nor is it aimed for use as is. It's intended to be simple and focus on showing how to write a custom authenticator, so with that in mind 1 question makes more sense than 3.

On 1 March 2016 at 05:13, Riddhi Rathod wrote:
> Hi all,
>
> If security question option is enabled in the login flow, then the user has to save answer to it (Default question: "What is your mother's name?"). This question is asked to user in the event of "forget password" for additional level of security. However, in the current system, there is provision of storing only one security Q&A. I am looking to modify this to include the following:
>
> Could this functionality be extended to include 3 security Q&As which is popular practice. I modified the keycloak secret-question.ftl to include 2 more questions. But there is no way to store the additional questions and answers extracted from the ui form in the UserCredentialValueModel (SecretQuestionRequiredAction.java).
> The security questions are not fixed i.e.
> a dropdown menu of questions will be displayed to users and they will be able to select whichever questions they want to.
>
> Does keycloak support storing of multiple security Q&As for a user? Has anyone tried this before?
>
> Thank you,
> Riddhi Rathod

From Edgar at info.nl Wed Mar 2 07:33:14 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 2 Mar 2016 12:33:14 +0000
Subject: [keycloak-user] Exporting a realm as JSON file should not contain user groups?
In-Reply-To:
References: <7466A876-5220-4DB7-A128-A068AB6A3F4F@info.nl>
Message-ID:

Hi Stian,

I understand. And typically this would indeed be what you want. However in our specific case groups are not part of our realm data as such but belong to our run-time data and are managed in exactly the same way as our users, role mappings and group mappings. But I guess you cannot cater for all needs so it's ok.

Another, probably related thing, is that with the LDAP group synching (using the user federation group mapper) groups synched from LDAP to Keycloak are never removed from Keycloak. When a group is deleted from LDAP and the sync is done again the group remains in Keycloak. Not what you want but I guess the issue is that Keycloak cannot make the distinction between a group synched from LDAP versus a group created from Keycloak itself? The LDAP group mapping is set up quite different from the user synching of course.

cheers

On 02 Mar 2016, at 13:25, Stian Thorgersen wrote:

Roles and groups should be exported to the realm export, while role mappings and group mappings should be exported to the user export.
On 2 March 2016 at 13:15, Edgar Vonk - Info.nl wrote:

Hi,

We notice that when we export our custom realm to a JSON file (to a directory) that this file also contains all User Groups. We do not want this as we synchronise these User Groups from AD/LDAP just like our users. We want to have realm configuration in the realm JSON file only and not any "run-time" managed data such as users and user groups.

Currently only users are exported to a different JSON file (http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html) but groups are not. Does it make sense to create a feature request to also export user groups separately?

We have hundreds of groups in AD/LDAP which we sync to Keycloak so we really do not want these in the realm JSON.

cheers

Edgar

From Edgar at info.nl Wed Mar 2 07:39:22 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 2 Mar 2016 12:39:22 +0000
Subject: [keycloak-user] Update account - login action tokens - how to make them persistent
In-Reply-To:
References: <07136B17-275D-4949-8C94-28C62EED1FC5@info.nl>
Message-ID:

Thanks Stian!

We will have a look at both options.

Concerning clustering we have a different challenge which is that we currently re-import all Keycloak realm data on every start up of Keycloak (and because we do continuous delivery and are developing actively this is multiple times a day). This because we treat all (realm) configuration as source code for which our Git repo is leading.

Effectively this means that we recreate the Keycloak database for every new deployment and of course a cluster is not going to help us here when it comes to uptime.
Not sure how to deal with this as yet. Ideally we would want some sort of realm update/patch mechanism instead of a full import but that sounds rather complex to implement.

cheers

On 02 Mar 2016, at 13:23, Stian Thorgersen wrote:

The tokens themselves are not stored, but can be verified by Keycloak as long as the user session is active. So your question is how to make user sessions persisted. We do not support persisting user sessions at the moment. You have two choices:

1. Add an additional node and configure set owners to 2 for the user session caches, or change it to a replicated cache. See the clustering section in the docs for more details.
2. Try to configure Infinispan to persist the sessions. See https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem for more details.

On 1 March 2016 at 20:56, Edgar Vonk - Info.nl wrote:

Hi all,

What would we need to do to make Keycloak user sessions persistent in the database?

I think the information in: http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html is not relevant anymore with Keycloak 1.9.0? Specifically:

"userSessions": {
  "provider": "jpa"
}

Does not seem to work ("Failed to find provider jpa for userSessions"). User sessions are now managed using Infinispan by default if I understand correctly: http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3292 ?

Is there a way to make user sessions persistent?

Our issue is that we send out a lot of activation ("update password") emails from our (single) Keycloak server to new users and since we have a continuous delivery pipeline Keycloak goes down and up quite a bit and every time it restarts all temporary log in tokens used for these update password actions are lost (since they are stored in memory only). And if I understand correctly these tokens are actually a sort of user sessions.
cheers

Edgar

On 29 Feb 2016, at 17:52, Edgar Vonk - Info.nl wrote:

Hi,

See if I understand this correctly: in the default set up of Keycloak sessions and temporary tokens are not persisted in the Keycloak database? So consider this scenario:

1/ login as admin to master realm
2/ go to Users - Credentials and send a "Update Password" reset action email
3/ user receives an email with a link with a unique token to update his/her password in Keycloak
4/ Keycloak server is restarted for whatever reason
5/ the temporary "login action token" no longer exists and the link from 3/ no longer works

Is this correct and expected behaviour?

And if so, can somebody maybe point us in the direction to solve this? I.e. by making sessions/tokens persistent I guess.

cheers

Edgar

From sthorger at redhat.com Wed Mar 2 07:48:42 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 13:48:42 +0100
Subject: [keycloak-user] Exporting a realm as JSON file should not contain user groups?
In-Reply-To:
References: <7466A876-5220-4DB7-A128-A068AB6A3F4F@info.nl>
Message-ID:

As it stands Keycloak syncs this to its own database and as the export is a dump of the database it wouldn't work to remove it. In the future we are planning on providing an option to use LDAP without syncing to the Keycloak database. It'll be a while till we get to it though.

With regards to the deletion of groups synced from LDAP I'm not sure how we do that for roles either, I believe the roles remain as well. Maybe Marek can comment on this?

On 2 March 2016 at 13:33, Edgar Vonk - Info.nl wrote:
> Hi Stian,
>
> I understand.
And typically this would indeed by what you want. However in > our specific case groups are not part of our realm data as such but belong > to our run-time data and are managed in exactly the same way as our users, > role mappings and group mappings. But I guess you cannot cater for all > needs so it?s ok. > > Another, probably related thing, is that with the LDAP group synching > (using the user federation group mapper) groups synched from LDAP to > Keycloak are never removed from Keycloak. When a group is deleted from LDAP > and the sync is done again the group remains in Keycloak. Not what you want > but I guess the issue is that Keycloak cannot make the distinction between > a group synched from LDAP versus a group created from Keycloak itself? The > LDAP group mapping is set up quite different from the user synching of > course. > > cheers > > On 02 Mar 2016, at 13:25, Stian Thorgersen wrote: > > Roles and groups should be exported to the realm export, while role > mappings and group mappings should be exported to the user export. > > On 2 March 2016 at 13:15, Edgar Vonk - Info.nl < > Edgar at info.nl> wrote: > >> Hi, >> >> We notice that when we export our custom realm to a JSON file (to a >> directory) that this file also contains all User Groups. We do not want >> this as we synchronise these User Groups from AD/LDAP just like our users. >> We want to have realm configuration in the realm JSON file only and not any >> ?run-time? managed data such as users and user groups. >> >> Currently only users are exported to a different JSON file ( >> http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html) >> but groups are not. Does it make sense to create a feature request to also >> export user groups separately? >> >> We have hundreds of groups in AD/LDAP which we sync to Keycloak so we >> really do not want these in the realm JSON. 
> >
> > cheers
> >
> > Edgar

From sthorger at redhat.com Wed Mar 2 08:00:20 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 14:00:20 +0100
Subject: [keycloak-user] Update account - login action tokens - how to make them persistent
In-Reply-To:
References: <07136B17-275D-4949-8C94-28C62EED1FC5@info.nl>
Message-ID:

Re-importing everything on each startup is not really something we're supporting. Keycloak wasn't really designed for that and the focus is more on run-time configuration. Do you re-import users as well?

On 2 March 2016 at 13:39, Edgar Vonk - Info.nl wrote:
> Thanks Stian!
>
> We will have a look at both options.
>
> Concerning clustering we have a different challenge which is that we currently re-import all Keycloak realm data on every start up of Keycloak (and because we do continuous delivery and are developing actively this is multiple times a day). This because we treat all (realm) configuration as source code for which our Git repo is leading.
>
> Effectively this means that we recreate the Keycloak database for every new deployment and of course a cluster is not going to help us here when it comes to uptime. Not sure how to deal with this as yet. Ideally we would want some sort of realm update/patch mechanism instead of a full import but that sounds rather complex to implement.
>
> cheers
>
> On 02 Mar 2016, at 13:23, Stian Thorgersen wrote:
>
> The tokens themselves are not stored, but can be verified by Keycloak as long as the user session is active. So your question is how to make user sessions persisted.
We do not support persisting user sessions at the > moment. You have two choices: > > 1. Add an additional node and set owners to 2 for the user > session caches, or change it to a replicated cache. See the clustering > section in the docs for more details. > 2. Try to configure Infinispan to persist the sessions. See > https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem for > more details. > > On 1 March 2016 at 20:56, Edgar Vonk - Info.nl < > Edgar at info.nl> wrote: > >> Hi all, >> >> What would we need to do to make Keycloak user sessions persistent in the >> database? >> >> I think the information in: >> http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html is >> not relevant anymore with Keycloak 1.9.0? Specifically: >> >> "userSessions": { >> "provider": "jpa" >> } >> >> >> Does not seem to work ("Failed to find provider jpa for userSessions"). >> User sessions are now managed using Infinispan by default if I understand >> correctly: >> http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3292 >> ? >> >> Is there a way to make user sessions persistent? >> >> Our issue is that we send out a lot of activation ("update password") >> emails from our (single) Keycloak server to new users and since we have a >> continuous delivery pipeline Keycloak goes down and up quite a bit and >> every time it restarts all temporary log in tokens used for these update >> password actions are lost (since they are stored in memory only). And if I >> understand correctly these tokens are actually a sort of user sessions. >> >> cheers >> >> Edgar >> >> >> On 29 Feb 2016, at 17:52, Edgar Vonk - Info.nl < >> Edgar at info.nl> wrote: >> >> Hi, >> >> See if I understand this correctly: in the default set up of Keycloak >> sessions and temporary tokens are not persisted in the Keycloak database? 
>> So consider this scenario: >> >> 1/ login as admin to master realm >> 2/ go to Users - Credentials and send a "Update Password" reset action >> email >> 3/ user receives an email with a link with a unique token to update >> his/her password in Keycloak >> 4/ Keycloak server is restarted for whatever reason >> 5/ the temporary "login action token" no longer exists and the link from >> 3/ no longer works >> >> Is this correct and expected behaviour? >> >> And if so, can somebody maybe point us in the direction to solve this? >> I.e. by making sessions/tokens persistent I guess. >> >> cheers >> >> Edgar >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160302/2b628e68/attachment.html From ssilvert at redhat.com Wed Mar 2 08:12:39 2016 From: ssilvert at redhat.com (Stan Silvert) Date: Wed, 02 Mar 2016 08:12:39 -0500 Subject: [keycloak-user] How to add Admin User In-Reply-To: References: Message-ID: <56D6E6C7.4050609@redhat.com> On 3/2/2016 7:02 AM, Stian Thorgersen wrote: > In overlay the script should be add-user-keycloak. The overlay adds > Keycloak server to an existing WildFly installation so we don't want > to overwrite any existing files. I appreciate this may be confusing > and inconsistent, but at the same time if we did overwrite people > would probably complain about us overwriting the existing script. > > In the server dist this doesn't apply as the server is purely a > Keycloak server, not a WildFly server. I guess the solution would be to make server dist consistent with overlay, so both are add-user-keycloak. Not sure how I feel about that. 
> > On 2 March 2016 at 11:10, Bruno Oliveira > wrote: > > I'm not sure if I follow your question but './add-user.sh -u admin > -p admin' or './add-user.sh -u admin' should work. > > On Wed, Mar 2, 2016 at 7:03 AM Andrej Prievalsky > > wrote: > > Hi Bruno, > > thanks for the answer. > But from > http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 > and section: *...you can use the add-user script from the > command-line.* > my question is how exactly the command with the > add-user script should look? > Because in past we used this command: add-user.sh --container > -u admin -p admin > > Andrej. > > > On Wed, Mar 2, 2016 at 10:38 AM, Bruno Oliveira > > wrote: > > Hi Andrej, answers inline > > On Wed, Mar 2, 2016 at 6:13 AM Andrej Prievalsky > > wrote: > > Hi, > > I would like to summarise the information about How to add > Admin User - chapter 3.2.1. > > My questions are: > 1.) From which version (including) is the new concept, > that there is no built-in user? > > > 1.8.0 See: > http://keycloak.github.io/docs/userguide/keycloak-server/html/Migration_from_older_versions.html#d4e4031 > > 2a.) What is the exact command via the add-user script > (add-user.sh) to create an admin user? > > > See: > http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 > > 2b.) Same question as in 2a, but in keycloak-overlay > (add-user-keycloak.sh)? > > > You are correct. Maybe this is an inconsistency to be fixed. > > > Thanks and Best Regards, > Andrej. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160302/bb5b7e2f/attachment-0001.html From Edgar at info.nl Wed Mar 2 08:15:49 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Wed, 2 Mar 2016 13:15:49 +0000 Subject: [keycloak-user] Update account - login action tokens - how to make them persistent In-Reply-To: References: <07136B17-275D-4949-8C94-28C62EED1FC5@info.nl> Message-ID: <8238133B-CA90-4F80-ADBF-9BF59E5DA030@info.nl> Hi Stian, I realise that. However so far it is working ok for us. We do the re-importing because we really want a continuous delivery pipeline and doing run-time configuration is very different from that. We really only perform run-time configuration to develop and test stuff, immediately after which we export it so that we can update the resulting realm JSON in Git. We work in a similar fashion with other products like content management systems where we make a very clear distinction between configuration (=source code) and run-time managed content. Our CMS of choice (Magnolia) offers a nice upgrade mechanism that we use to re-import all our configuration on every upgrade. No, we do not re-import users. We see users (just like user groups, role mappings, group mappings and of course sessions) as run-time data ("content" to make the link to a CMS). 
In our set-up we store all this run-time data in Active Directory (well, except the sessions, which we do not store persistently yet) and therefore this re-importing in the Keycloak database works for us (to some degree). A question for you/the Keycloak team: how do you see Keycloak fit into a fully automated continuous delivery pipeline? Most configuration changes in Keycloak are so fundamental to the set-up that I cannot see that you would want to change these on the fly on a production environment at all. It would be very easy to break stuff in my opinion. cheers Edgar On 02 Mar 2016, at 14:00, Stian Thorgersen > wrote: Re-importing everything on each startup is not really something we're supporting. Keycloak wasn't really designed for that and the focus is more on run-time configuration. Do you re-import users as well? On 2 March 2016 at 13:39, Edgar Vonk - Info.nl > wrote: Thanks Stian! We will have a look at both options. Concerning clustering we have a different challenge which is that we currently re-import all Keycloak realm data on every start up of Keycloak (and because we do continuous delivery and are developing actively this is multiple times a day). This because we treat all (realm) configuration as source code for which our Git repo is leading. Effectively this means that we recreate the Keycloak database for every new deployment and of course a cluster is not going to help us here when it comes to uptime. Not sure how to deal with this as yet. Ideally we would want some sort of realm update/patch mechanism instead of a full import but that sounds rather complex to implement. cheers On 02 Mar 2016, at 13:23, Stian Thorgersen > wrote: The tokens themselves are not stored, but can be verified by Keycloak as long as the user session is active. So your question is how to make user sessions persisted. We do not support persisting user sessions at the moment. You have two choices: 1. 
Add an additional node and set owners to 2 for the user session caches, or change it to a replicated cache. See the clustering section in the docs for more details. 2. Try to configure Infinispan to persist the sessions. See https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem for more details. On 1 March 2016 at 20:56, Edgar Vonk - Info.nl > wrote: Hi all, What would we need to do to make Keycloak user sessions persistent in the database? I think the information in: http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html is not relevant anymore with Keycloak 1.9.0? Specifically: "userSessions": { "provider": "jpa" } Does not seem to work ("Failed to find provider jpa for userSessions"). User sessions are now managed using Infinispan by default if I understand correctly: http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3292 ? Is there a way to make user sessions persistent? Our issue is that we send out a lot of activation ("update password") emails from our (single) Keycloak server to new users and since we have a continuous delivery pipeline Keycloak goes down and up quite a bit and every time it restarts all temporary log in tokens used for these update password actions are lost (since they are stored in memory only). And if I understand correctly these tokens are actually a sort of user sessions. cheers Edgar On 29 Feb 2016, at 17:52, Edgar Vonk - Info.nl > wrote: Hi, See if I understand this correctly: in the default set up of Keycloak sessions and temporary tokens are not persisted in the Keycloak database? So consider this scenario: 1/ login as admin to master realm 2/ go to Users - Credentials and send a "Update Password" reset action email 3/ user receives an email with a link with a unique token to update his/her password in Keycloak 4/ Keycloak server is restarted for whatever reason 5/ the temporary "login action token" 
no longer exists and the link from 3/ no longer works Is this correct and expected behaviour? And if so, can somebody maybe point us in the direction to solve this? I.e. by making sessions/tokens persistent I guess. cheers Edgar _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160302/c316dbdd/attachment.html From yelata at blulogix.com Wed Mar 2 08:38:09 2016 From: yelata at blulogix.com (Yasser El-ata) Date: Wed, 2 Mar 2016 15:38:09 +0200 Subject: [keycloak-user] CRUD Using KeyCloak In-Reply-To: References: Message-ID: Thanks for your fast response. I have another question, please: is there any third-party application that may help me in this case (provide ACL CRUD) and can be easily integrated with Keycloak? On Wed, Mar 2, 2016 at 2:10 PM, Stian Thorgersen wrote: > If you have a limited number of screens then it can be a good idea to create > roles for these, and you can just create these as client roles using the > admin console or admin endpoints. You can use a delimiter in the role name > to specify the screen (for example 'screen-a/read'). However, if you have a > large number of screens then the roles approach will quickly become > unmanageable and you may be better off using an ACL or something in your > application itself. > > What you are asking for is more often implemented as ACLs rather than > RBAC. RBAC is usually used for things like 'manager' has read/write access > to a group of resources, rather than 'user-a' has read access to > 'resource-a'. 
> > On 2 March 2016 at 11:26, Yasser El-ata wrote: > >> Hello, I want to create CRUD using Keycloak. I have an AngularJS >> application and it uses Keycloak. >> >> My case is: I have screens in my application that contain sub-screens >> and every sub-screen contains CRUD roles (CREATE, READ, UPDATE, DELETE); >> it may contain multiple levels. >> >> The screenshot may make the case more clear. >> >> The normal client roles are not enough for me, or maybe I misunderstand >> something. >> >> Could you please help me with how to create these roles in Keycloak, or >> whether Keycloak supports roles like this, or if there is any other way to create >> them? >> >> Thanks >> >> -- >> Yasser El-Ata >> Java Developer >> BluLogix >> 737 Walker Rd Ste 3, Great Falls, VA 22066 >> t: 443.333.4100 | f: 443.333.4101 >> *www.blulogix.com * >> >> The information transmitted is intended only for the person(s) to whom it >> is addressed and may contain confidential and/or privileged material. Any >> review, retransmission, dissemination or other use of, or taking of any >> action in reliance upon, this information by persons or entities other than >> the intended recipient is prohibited. If you received this in error, please >> contact the sender and delete the material from any computer. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- Yasser El-Ata Java Developer BluLogix 737 Walker Rd Ste 3, Great Falls, VA 22066 t: 443.333.4100 | f: 443.333.4101 *www.blulogix.com * 
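The delimiter convention Stian describes above ("screen/action" in the client role name) is easy to evaluate on the consuming side, and it is also easy to see where it stops scaling. The following is an added example written for this page; it is not code from the thread or from Keycloak. It assumes a hypothetical client id "portal-ui", hypothetical screen paths such as "orders/invoices", and the resource_access claim layout of a Keycloak access token ({"resource_access": {"<client id>": {"roles": [...]}}}); the token fragment is constructed inline. The inheritance rule (a grant on a screen also covers its sub-screens) and the "*" wildcard are design choices of this example, not something Keycloak provides.

```python
"""
Added example: evaluate screen-level CRUD permissions from Keycloak client
roles named "<screen path>/<action>", and count how many such roles a screen
tree needs. Not Keycloak code; client id, screen paths and role names are
assumptions for the illustration.
"""

ACTIONS = ("create", "read", "update", "delete")

# Constructed stand-in for a decoded access token (only the claim we need).
SAMPLE_TOKEN = {
    "resource_access": {
        "portal-ui": {                          # hypothetical client id
            "roles": [
                "orders/read",                  # read the top-level "orders" screen
                "orders/invoices/*",            # every action on its "invoices" sub-screen
                "customers/read",
                "customers/addresses/update",
                "offline_access",               # a role that does not follow the convention
            ]
        }
    }
}


def client_roles(token, client_id):
    """Client roles granted for client_id; empty set if the client is absent."""
    return set(token.get("resource_access", {}).get(client_id, {}).get("roles", []))


def parse_role(role):
    """Split 'a/b/read' into (('a', 'b'), 'read'); reject names off the convention."""
    path, sep, action = role.rpartition("/")
    if not sep or not path or not action:
        raise ValueError(f"{role!r} is not '<screen path>/<action>'")
    if action != "*" and action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in {role!r}")
    return tuple(path.split("/")), action


def is_allowed(token, client_id, screen_path, action):
    """
    Decide whether `action` on `screen_path` is granted by the token.

    Multi-level rule used here: a grant on a screen is inherited by all of its
    sub-screens, and "*" stands for any action. Unknown actions and roles that
    do not follow the naming convention never grant anything (fail closed).
    """
    if action not in ACTIONS:
        return False
    wanted = tuple(part for part in screen_path.split("/") if part)
    for role in client_roles(token, client_id):
        try:
            granted_path, granted_action = parse_role(role)
        except ValueError:
            continue                            # e.g. "offline_access": ignored
        if granted_action in (action, "*") and wanted[:len(granted_path)] == granted_path:
            return True
    return False


def roles_needed(screen_tree):
    """
    Number of client roles needed to spell out every (screen, action) pair
    explicitly, i.e. without wildcards or inheritance. This is the growth that
    makes the role-per-screen approach unmanageable for a large screen tree.

    screen_tree is a nested dict of screen names, e.g. {"orders": {"invoices": {}}}.
    """
    def count_screens(tree):
        return sum(1 + count_screens(children) for children in tree.values())
    return count_screens(screen_tree) * len(ACTIONS)


if __name__ == "__main__":
    for screen, action in [("orders", "read"), ("orders", "delete"),
                           ("orders/invoices", "delete"), ("customers/addresses", "delete")]:
        print(f"{screen:22} {action:7} -> {is_allowed(SAMPLE_TOKEN, 'portal-ui', screen, action)}")
    tree = {"orders": {"invoices": {}, "shipments": {}}, "customers": {"addresses": {}}}
    print("explicit roles for this small tree:", roles_needed(tree))
```

Two practical points follow from it. First, a check like this in the AngularJS front end only decides what to render; the backend that serves each screen's data must repeat the check against the bearer token it receives, because the client-side decision is under the user's control. Second, roles_needed() shows the combinatorial cost of the role-per-screen model: five screens already need twenty roles without wildcards, which is the point at which Stian's advice to move to an ACL inside the application applies.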
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160302/97330048/attachment-0001.html From mposolda at redhat.com Wed Mar 2 09:02:11 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 2 Mar 2016 15:02:11 +0100 Subject: [keycloak-user] Exporting a realm as JSON file should not contain user groups? In-Reply-To: References: <7466A876-5220-4DB7-A128-A068AB6A3F4F@info.nl> Message-ID: <56D6F263.60509@redhat.com> On 02/03/16 13:48, Stian Thorgersen wrote: > As it stands Keycloak syncs this to its own database and as the export > is a dump of the database it wouldn't work to remove it. In the future > we are planning on providing an option to use LDAP without syncing to > the Keycloak database. It'll be a while till we get to it though. > > With regards to the deletion of groups synced from LDAP I'm not sure > how we do that for roles either, I believe the roles remain as well. > Maybe Marek can comment on this? Yeah, both groups and roles currently remain. You can create a JIRA to request removing them, however I am not sure when it will be done. Currently there are some limitations like: * We don't have any proper federation SPI for roles or groups. So we just create roles/groups from LDAP but we don't track which roles/groups belong to LDAP. This would require adding some attribute like "federationLink" to both roles and groups. Or at least some generic attribute (accessible via setAttribute/getAttribute - but this won't work for roles as RoleModel doesn't have attributes ATM) * There is no easy way to track roles/groups removed from LDAP. It may require querying all groups from the Keycloak DB and double-checking if a particular group still exists in LDAP. 
Similarly during sync of users, we don't currently remove users which were removed from LDAP in the meantime (the user is deleted later once it's queried by Keycloak). There is an easy and generic way to send a query to LDAP like "Return all users (groups, roles) created or modified since 2015-02-15 10:00:00" but there is no query to track removed objects. Some LDAP servers support changelogs though, but this is vendor specific AFAIK * Finally there are various other corner cases, so automatically deleting synced roles/groups is maybe not a good idea anyway. It will need to be configurable IMO Btw. If you quickly want to remove groups, you can create a subclass of GroupLDAPFederationMapper and override the method "syncDataFromFederationProviderToKeycloak()". You don't need to deal with corner cases as you can do it in the best way according to the requirements of your deployment. Marek > On 2 March 2016 at 13:33, Edgar Vonk - Info.nl > wrote: > > Hi Stian, > > I understand. And typically this would indeed be what you want. > However in our specific case groups are not part of our realm data > as such but belong to our run-time data and are managed in exactly > the same way as our users, role mappings and group mappings. But I > guess you cannot cater for all needs so it's ok. > > Another, probably related thing, is that with the LDAP group > synching (using the user federation group mapper) groups synched > from LDAP to Keycloak are never removed from Keycloak. When a > group is deleted from LDAP and the sync is done again the group > remains in Keycloak. Not what you want but I guess the issue is > that Keycloak cannot make the distinction between a group synched > from LDAP versus a group created from Keycloak itself? The LDAP > group mapping is set up quite different from the user synching of > course. 
> > cheers > >> On 02 Mar 2016, at 13:25, Stian Thorgersen > > wrote: >> >> Roles and groups should be exported to the realm export, while >> role mappings and group mappings should be exported to the user >> export. >> >> On 2 March 2016 at 13:15, Edgar Vonk - Info.nl >> > wrote: >> >> Hi, >> >> We notice that when we export our custom realm to a JSON file >> (to a directory) that this file also contains all User >> Groups. We do not want this as we synchronise these User >> Groups from AD/LDAP just like our users. We want to have >> realm configuration in the realm JSON file only and not any >> "run-time" managed data such as users and user groups. >> >> Currently only users are exported to a different JSON file >> (http://keycloak.github.io/docs/userguide/keycloak-server/html/export-import.html) >> but groups are not. Does it make sense to create a feature >> request to also export user groups separately? >> >> We have hundreds of groups in AD/LDAP which we sync to >> Keycloak so we really do not want these in the realm JSON. >> >> cheers >> >> Edgar >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160302/e07855d5/attachment.html From jpicklyk at gmail.com Wed Mar 2 09:10:15 2016 From: jpicklyk at gmail.com (Jeff Picklyk) Date: Wed, 2 Mar 2016 09:10:15 -0500 Subject: [keycloak-user] Migration issues from KC 1.5 to 1.9 Message-ID: Hi all, I have a Java EE 7 application using KC on WildFly and I'm porting it over to work on KC 1.9.0.Final and WildFly 10. 
The issue I'm running into has the following stack trace: 15:36:18,209 INFO [org.hibernate.orm.deprecation] (ServerService Thread Pool -- 78) HHH90000001: Found usage of deprecated setting for specifying Scanner [hibernate.ejb.resource_scanner]; use [hibernate.archive.scanner] instead 15:36:18,452 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service jboss.deployment.unit."portal.war".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."portal.war".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "portal.war" at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.RuntimeException: WFLYSRV0177: Error getting reflective information for class net.sbs.portal.business.registrar.control.UserAsyncManager with ClassLoader ModuleClassLoader for Module "deployment.portal.war:main" from Service Module Loader at org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex.getClassIndex(DeploymentReflectionIndex.java:70) at org.jboss.as.ee.metadata.MethodAnnotationAggregator.runtimeAnnotationInformation(MethodAnnotationAggregator.java:57) at org.jboss.as.ee.component.deployers.InterceptorAnnotationProcessor.handleAnnotations(InterceptorAnnotationProcessor.java:106) at org.jboss.as.ee.component.deployers.InterceptorAnnotationProcessor.processComponentConfig(InterceptorAnnotationProcessor.java:91) at org.jboss.as.ee.component.deployers.InterceptorAnnotationProcessor.deploy(InterceptorAnnotationProcessor.java:76) 
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) ... 5 more Caused by: java.lang.NoClassDefFoundError: org/keycloak/representations/idm/UserRepresentation at java.lang.Class.getDeclaredMethods0(Native Method) at java.lang.Class.privateGetDeclaredMethods(Class.java:2693) at java.lang.Class.getDeclaredMethods(Class.java:1967) at org.jboss.as.server.deployment.reflect.ClassReflectionIndex.(ClassReflectionIndex.java:80) at org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex.getClassIndex(DeploymentReflectionIndex.java:66) ... 10 more Caused by: java.lang.ClassNotFoundException: org.keycloak.representations.idm.UserRepresentation from [Module "deployment.portal.war:main" from Service Module Loader] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) ... 15 more My UserAsyncManager class is just a SLSB with an @Asynchronous method to take the KC UserRepresentation and save it to my application database for further usage. I am using the Keycloak-admin-client in my application to retrieve the user representation from the KC server. I've been struggling to find a solution to this problem for a few days and need some help from the community. The relevant POM dependency versions are the following: 2.5.4 3.0.14.Final 1.5.0 1.9.0.Final I can include the full POM if needed. Any thoughts? Thanks, Jeff -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160302/7e36585d/attachment-0001.html From cmoulliard at redhat.com Wed Mar 2 09:59:23 2016 From: cmoulliard at redhat.com (Charles Moulliard) Date: Wed, 2 Mar 2016 15:59:23 +0100 Subject: [keycloak-user] How to define the user/password about the Keycloak Admin console (docker container) Message-ID: <56D6FFCB.2080809@redhat.com> Hi, I'm testing a new Docker image to run the Keycloak Demo 1.9.0.Final. The docker container has been started as such docker run -dti -p 8080:8080 -p 9990:9990 --name keycloak-examples cmoulliard/keycloak-examples I can access from the host (= MacOs machine) the WildFly console at this address : http://127.0.0.1:9990/console (with the user/pwd added using the script add-user.sh added within the Dockerfile) like also the Keycloak Admin console : http://localhost:8080/auth/ Unfortunately, I can't encode the admin user and its password as we can do when we run on a standalone machine the keycloak demo server - https://www.dropbox.com/s/wrx6px48eoaoeeh/Screenshot%202016-03-02%2015.52.01.png?dl=0. No popup screen allows me to add a user + password Is there a workaround ? Regards Charles From cmoulliard at redhat.com Wed Mar 2 10:28:42 2016 From: cmoulliard at redhat.com (Charles Moulliard) Date: Wed, 2 Mar 2016 16:28:42 +0100 Subject: [keycloak-user] How to define the user/password about the Keycloak Admin console (docker container) In-Reply-To: <56D6FFCB.2080809@redhat.com> References: <56D6FFCB.2080809@redhat.com> Message-ID: <56D706AA.1090503@redhat.com> The keycloak demo distribution contains an additional ./add-user-keycloak.sh script. 
So I have solved my problem after adding 2 new lines to the dockerfile RUN /opt/jboss/keycloak-demo/keycloak/bin/add-user.sh -u admin -p xxxxxxx --silent RUN /opt/jboss/keycloak-demo/keycloak/bin/add-user-keycloak.sh -u admin -p xxxxxxx On 02/03/16 15:59, Charles Moulliard wrote: > Hi, > > I'm testing a new Docker image to run the Keycloak Demo 1.9.0.Final. > The docker container has been started as such > > docker run -dti -p 8080:8080 -p 9990:9990 --name keycloak-examples > cmoulliard/keycloak-examples > > I can access from the host (= MacOs machine) the WildFly console at > this address : http://127.0.0.1:9990/console (with the user/pwd > added using the script add-user.sh added within the Dockerfile) like > also the Keycloak Admin console : http://localhost:8080/auth/ > > Unfortunately, I can't encode the admin user and its password as we > can do when we run on a standalone machine the keycloak demo server - > https://www.dropbox.com/s/wrx6px48eoaoeeh/Screenshot%202016-03-02%2015.52.01.png?dl=0. > No popup screen allows me to add a user + password > > Is there a workaround ? > > Regards > > Charles From darcy_welsh at yahoo.com Wed Mar 2 10:30:34 2016 From: darcy_welsh at yahoo.com (Darcy Welsh) Date: Wed, 2 Mar 2016 09:30:34 -0600 Subject: [keycloak-user] Upgrade error - 1.8.0 to 1.8.1 In-Reply-To: References: <56D3FE76.40809@redhat.com> <56D5A482.9040000@redhat.com> <1D0F022B-C90C-425D-A1E7-601ADA411073@yahoo.com> <56D6920D.1030200@redhat.com> Message-ID: <8A9DB75B-2AA6-4B61-B091-05C215E50292@yahoo.com> Correct, still see the error when starting Keycloak 1.9.0 with empty MySQL DB. I'm confounded as Keycloak 1.5.x, 1.6.x, 1.7.x and 1.8.0 all work just fine with the same MySQL instance, only 1.8.1 and 1.9.0 have the issue. And I'm using the same version of the MySql JDBC driver in all cases (5.1.33). Will report back if I find anything. Thanks, Darcy > On Mar 2, 2016, at 6:00 AM, Stian Thorgersen wrote: > > Maybe it's down to MySQL config? 
For example storage engine. > > On 2 March 2016 at 08:11, Marek Posolda > wrote: > On 01/03/16 17:32, Darcy Welsh wrote: >> Hi Marek, >> >> Thank-you for the response and suggestions, much appreciated. Unfortunately, I tried all of them (clean db, datasource settings and JDBC driver 5.1.29) and still see the issue. > ah, so just to clarify. Even if you start Keycloak 1.9.0 with empty MySQL DB, the startup will fail with this error? >> >> It's very strange indeed - I have no issue with Keycloak 1.5.x, 1.6.x, 1.7.x, 1.8.0 - I suspect it may have something to do with the change to Wildfly 10 starting in Keycloak 1.8.1. >> >> I am using JRE 1.8.0_25, not sure if that is relevant. > Guess wildfly version or JDK version is not too relevant here. Hard to say without being able to reproduce. > > Marek > >> >> >> Darcy >> >> >> >> >> >>> On Mar 1, 2016, at 8:17 AM, Marek Posolda < mposolda at redhat.com > wrote: >>> >>> Thanks. Strange as I couldn't see it. >>> >>> Few questions: >>> >>> - Do you see it during startup of 1.9.0 against clean DB too? Or just during migration from 1.8.0 ? >>> >>> - Could you try with datasource settings like this? [1] >>> >>> - Could you try with JDBC driver 5.1.29 ? >>> >>> [1] >>> >>> >> jndi-name="java:jboss/datasources/KeycloakDS" >>> pool-name="KeycloakDS" >>> enabled="true" >>> use-java-context="true"> >>> jdbc:mysql://localhost/keycloak >>> mysql >>> >>> keycloak >>> keycloak >>> >>> >>> >>> >>> org.h2.jdbcx.JdbcDataSource >>> >>> >>> com.mysql.jdbc.jdbc2.optional.MysqlXADataSource >>> >>> >>> >>> >>> >>> Marek >>> >>> On 29/02/16 14:57, Darcy Welsh wrote: >>>> Hey Marek, >>>> >>>> I am using MySQL 5.6.23 with JDBC driver version 5.1.33. >>>> >>>> Darcy >>>> >>>> >>>>> On Feb 29, 2016, at 2:16 AM, Marek Posolda > wrote: >>>>> >>>>> Which JDBC driver and DB version are you using? Just found this thread during googling: http://liquibase-user.narkive.com/njIDqyEC/incorrect-database-name-on-generatechangelog . 
Wonder if it can be related to your issue...
>>>>>
>>>>> I am testing MySQL with JDBC driver version 5.1.29 and never saw the issue like this.
>>>>>
>>>>> Marek
>>>>>
>>>>> On 28/02/16 06:00, Darcy Welsh wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I successfully upgraded from 1.7.0 to 1.8.0, however, seeing the following error when attempting to upgrade from 1.8.0 to either 1.8.1 or 1.9.0:
>>>>>>
>>>>>> 22:45:48,803 ERROR [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 51) Failed to migrate datamodel: java.lang.RuntimeException: Failed to update database
>>>>>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:87)
>>>>>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:153)
>>>>>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:42)
>>>>>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30)
>>>>>> at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
>>>>>> at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:34)
>>>>>> at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:16)
>>>>>> at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
>>>>>> at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getDelegate(DefaultCacheRealmProvider.java:61)
>>>>>> at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getMigrationModel(DefaultCacheRealmProvider.java:43)
>>>>>> at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:21)
>>>>>> at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:139)
>>>>>> at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:82)
>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:408)
>>>>>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>>>>>> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
>>>>>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
>>>>>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
>>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
>>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>>>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>>>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>>>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
>>>>>> at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
>>>>>> at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
>>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>>>>>> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>>>>>> Caused by: liquibase.exception.DatabaseException: Incorrect database name '' [Failed SQL: CREATE TABLE ``.DATABASECHANGELOG (ID VARCHAR(255) NOT NULL, AUTHOR VARCHAR(255) NOT NULL, FILENAME VARCHAR(255) NOT NULL, DATEEXECUTED datetime NOT NULL, ORDEREXECUTED INT NOT NULL, EXECTYPE VARCHAR(10) NOT NULL, MD5SUM VARCHAR(35) NULL, DESCRIPTION VARCHAR(255) NULL, COMMENTS VARCHAR(255) NULL, TAG VARCHAR(255) NULL, LIQUIBASE VARCHAR(20) NULL, CONTEXTS VARCHAR(255) NULL, LABELS VARCHAR(255) NULL)]
>>>>>> at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:316)
>>>>>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55)
>>>>>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122)
>>>>>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:112)
>>>>>> at liquibase.changelog.StandardChangeLogHistoryService.init(StandardChangeLogHistoryService.java:214)
>>>>>> at liquibase.Liquibase.checkLiquibaseTables(Liquibase.java:1074)
>>>>>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1136)
>>>>>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1126)
>>>>>> at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1122)
>>>>>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:63)
>>>>>> ... 36 more
>>>>>> Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Incorrect database name ''
>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:408)
>>>>>> at com.mysql.jdbc.Util.handleNewInstance(Util.java:377)
>>>>>> at com.mysql.jdbc.Util.getInstance(Util.java:360)
>>>>>> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:978)
>>>>>> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3887)
>>>>>> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3823)
>>>>>> at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2435)
>>>>>> at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2582)
>>>>>> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2526)
>>>>>> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2484)
>>>>>> at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:848)
>>>>>> at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:742)
>>>>>> at org.jboss.jca.adapters.jdbc.WrappedStatement.execute(WrappedStatement.java:198)
>>>>>> at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:314)
>>>>>> ... 45 more
>>>>>>
>>>>>> Any ideas as to the potential cause/resolution?
>>>>>>
>>>>>> The MySQL datasource is configured as follows:
>>>>>>
>>>>>> jdbc:mysql://localhost:3306/keycloak
>>>>>> 1000
>>>>>> mysql
>>>>>> 20
>>>>>>
>>>>>> keycloak
>>>>>> keycloakrocks!
>>>>>>
>>>>>> true
>>>>>>
>>>>>> 100
>>>>>> true
>>>>>>
>>>>>> com.mysql.jdbc.jdbc2.optional.MysqlXADataSource
>>>>>> com.mysql.jdbc.jdbc2.optional.MysqlDataSource
>>>>>> .
>>>>>> .
>>>>>> .
>>>>>>
>>>>>> Any help would be much appreciated.
>>>>>>
>>>>>> Thank-you in advance,
>>>>>> Darcy Welsh
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160302/fd453189/attachment-0001.html

From cmoulliard at redhat.com Wed Mar 2 13:02:24 2016
From: cmoulliard at redhat.com (Charles Moulliard)
Date: Wed, 2 Mar 2016 19:02:24 +0100
Subject: [keycloak-user] Keycloak SAML end to end Demo
Message-ID: <56D72AB0.9010009@redhat.com>

Hi,

Within the keycloak examples saml project, we have some use cases covering SAML with authentication, encryption, ... but they don't allow us to have an end to end test/demo case:
post-with-encryption
post-with-signature
redirect-with-signature
servlet-filter

Do we have "somewhere" a more complex project covering end to end use case (SP to IDP) like Spring http://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-quick-start.html ?

Regards,
Charles

From sthorger at redhat.com Wed Mar 2 13:50:19 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 19:50:19 +0100
Subject: [keycloak-user] How to add Admin User
In-Reply-To: <56D6E6C7.4050609@redhat.com>
References: <56D6E6C7.4050609@redhat.com>
Message-ID:

Not a chance. In server dist we want to hide WildFly's add-user script.

On 2 March 2016 at 14:12, Stan Silvert wrote:

> On 3/2/2016 7:02 AM, Stian Thorgersen wrote:
>
> In overlay the script should be add-user-keycloak.
> The overlay adds Keycloak server to an existing WildFly installation so we don't want to overwrite any existing files. I appreciate this may be confusing and inconsistent, but at the same time if we did overwrite people would probably complain about us overwriting the existing script.
>
> In the server dist this doesn't apply as the server is purely a Keycloak server, not a WildFly server.
>
> I guess the solution would be to make server dist consistent with overlay, so both are add-user-keycloak. Not sure how I feel about that.
>
>
> On 2 March 2016 at 11:10, Bruno Oliveira wrote:
>
>> I'm not sure if I follow your question but './add-user.sh -u admin -p admin' or './add-user.sh -u admin' should work.
>>
>> On Wed, Mar 2, 2016 at 7:03 AM Andrej Prievalsky wrote:
>>
>>> Hi Bruno,
>>>
>>> thanks for the answer.
>>> But from http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 and section: *...you can use the add-user script from the command-line.* my question is how exactly the command with the add-user script should look?
>>> Because in past we used this command: add-user.sh --container -u admin -p admin
>>>
>>> Andrej.
>>>
>>>
>>> On Wed, Mar 2, 2016 at 10:38 AM, Bruno Oliveira wrote:
>>>
>>>> Hi Andrej, answers inline
>>>>
>>>> On Wed, Mar 2, 2016 at 6:13 AM Andrej Prievalsky wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I would like to summarize information about How to add Admin User - chapter 3.2.1.
>>>>>
>>>>> My questions are:
>>>>> 1.) From which version (including) is new concept, that there is no built in user?
>>>>
>>>> 1.8.0 See: http://keycloak.github.io/docs/userguide/keycloak-server/html/Migration_from_older_versions.html#d4e4031
>>>>
>>>>> 2a.) What is exact command via add-user script (add-user.sh) for create admin user ?
>>>>
>>>> See: http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116
>>>>
>>>>> 2b.) Same question like in 2a, but in keycloak-overlay (add-user-keycloak.sh)?
>>>>
>>>> You are correct. Maybe this is an inconsistency to be fixed.
>>>>
>>>>> Thanks and Best Regards,
>>>>> Andrej.
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160302/0252dc89/attachment.html

From ssilvert at redhat.com Wed Mar 2 14:00:31 2016
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 02 Mar 2016 14:00:31 -0500
Subject: [keycloak-user] How to add Admin User
In-Reply-To:
References: <56D6E6C7.4050609@redhat.com>
Message-ID: <56D7384F.8080709@redhat.com>

On 3/2/2016 1:50 PM, Stian Thorgersen wrote:
> Not a chance. In server dist we want to hide WildFly's add-user script.
I could guess, but I have to ask, why?
>
> On 2 March 2016 at 14:12, Stan Silvert wrote:
>
> On 3/2/2016 7:02 AM, Stian Thorgersen wrote:
>> In overlay the script should be add-user-keycloak. The overlay adds Keycloak server to an existing WildFly installation so we don't want to overwrite any existing files. I appreciate this may be confusing and inconsistent, but at the same time if we did overwrite people would probably complain about us overwriting the existing script.
>>
>> In the server dist this doesn't apply as the server is purely a Keycloak server, not a WildFly server.
> I guess the solution would be to make server dist consistent with overlay, so both are add-user-keycloak. Not sure how I feel about that.
>
>
>> On 2 March 2016 at 11:10, Bruno Oliveira wrote:
>>
>> I'm not sure if I follow your question but './add-user.sh -u admin -p admin' or './add-user.sh -u admin' should work.
>>
>> On Wed, Mar 2, 2016 at 7:03 AM Andrej Prievalsky wrote:
>>
>> Hi Bruno,
>>
>> thanks for the answer.
>> But from http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 and section: *...you can use the add-user script from the command-line.* my question is how exactly the command with the add-user script should look?
>> Because in past we used this command: add-user.sh --container -u admin -p admin
>>
>> Andrej.
>>
>>
>> On Wed, Mar 2, 2016 at 10:38 AM, Bruno Oliveira wrote:
>>
>> Hi Andrej, answers inline
>>
>> On Wed, Mar 2, 2016 at 6:13 AM Andrej Prievalsky wrote:
>>
>> Hi,
>>
>> I would like to summarize information about How to add Admin User - chapter 3.2.1.
>>
>> My questions are:
>> 1.) From which version (including) is new concept, that there is no built in user?
>>
>>
>> 1.8.0 See: http://keycloak.github.io/docs/userguide/keycloak-server/html/Migration_from_older_versions.html#d4e4031
>>
>> 2a.) What is exact command via add-user script (add-user.sh) for create admin user ?
>>
>>
>> See: http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116
>>
>> 2b.) Same question like in 2a, but in keycloak-overlay (add-user-keycloak.sh)?
>>
>>
>> You are correct. Maybe this is an inconsistency to be fixed.
>>
>>
>> Thanks and Best Regards,
>> Andrej.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160302/a0154a99/attachment-0001.html

From sthorger at redhat.com Wed Mar 2 14:02:19 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Mar 2016 20:02:19 +0100
Subject: [keycloak-user] Update account - login action tokens - how to make them persistent
In-Reply-To: <8238133B-CA90-4F80-ADBF-9BF59E5DA030@info.nl>
References: <07136B17-275D-4949-8C94-28C62EED1FC5@info.nl> <8238133B-CA90-4F80-ADBF-9BF59E5DA030@info.nl>
Message-ID:

You tell us ;)

I had in mind a while back that we'd support storing "configuration" such as realm settings in a config file. Then we'd store only clients, users, roles, etc.. in the database. How realistic it is that we'd implement it is unsure though.

On 2 March 2016 at 14:15, Edgar Vonk - Info.nl wrote:

> Hi Stian,
>
> I realise that. However so far it is working ok for us. We do the re-importing because we really want a continuous delivery pipeline and doing run-time configuration is very different from that. We really only perform run-time configuration to develop and test stuff, immediately after which we export it so that we can update the resulting realm JSON in Git. We work in a similar fashion with other products like content management systems where we make a very clear distinction between configuration (=source code) and run-time managed content. Our CMS of choice (Magnolia) offers a nice upgrade mechanism that we use to re-import all our configuration on every upgrade.
>
> No, we do not re-import users. We see users (just like user groups, role mappings, group mappings and of course sessions) as run-time data ('content' to make the link to a CMS).
>
> In our set-up we store all this run-time data in Active Directory (well, except the sessions, which we do not store persistently yet) and therefore this re-importing in the Keycloak database works for us (to some degree).
>
> A question for you/the Keycloak team: how do you see Keycloak fit into a fully automated continuous delivery pipeline? Most configuration changes in Keycloak are so fundamental to the set-up that I cannot see that you would want to change these on the fly on a production environment at all. It would be very easy to break stuff in my opinion.
>
> cheers
>
> Edgar
>
>
> On 02 Mar 2016, at 14:00, Stian Thorgersen wrote:
>
> Re-importing everything on each startup is not really something we're supporting. Keycloak wasn't really designed for that and the focus is more on run-time configuration. Do you re-import users as well?
>
> On 2 March 2016 at 13:39, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:
>
>> Thanks Stian!
>>
>> We will have a look at both options.
>>
>> Concerning clustering we have a different challenge which is that we currently re-import all Keycloak realm data on every start up of Keycloak (and because we do continuous delivery and are developing actively this is multiple times a day). This because we treat all (realm) configuration as source code for which our Git repo is leading.
>>
>> Effectively this means that we recreate the Keycloak database for every new deployment and of course a cluster is not going to help us here when it comes to uptime. Not sure how to deal with this as yet. Ideally we would want some sort of realm update/patch mechanism instead of a full import but that sounds rather complex to implement.
>>
>> cheers
>>
>> On 02 Mar 2016, at 13:23, Stian Thorgersen wrote:
>>
>> The tokens themselves are not stored, but can be verified by Keycloak as long as the user session is active. So your question is how to make user sessions persisted. We do not support persisting user sessions at the moment. You have two choices:
>>
>> 1. Add an additional node and configure set owners to 2 for the user session caches, or change it to a replicated cache. See the clustering section in the docs for more details.
>> 2. Try to configure Infinispan to persist the sessions. See https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem for more details.
>>
>> On 1 March 2016 at 20:56, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:
>>
>>> Hi all,
>>>
>>> What would we need to do to make Keycloak user sessions persistent in the database?
>>>
>>> I think the information in: http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html is not relevant anymore with Keycloak 1.9.0? Specifically:
>>>
>>> "userSessions": {
>>> "provider": "jpa"
>>> }
>>>
>>> Does not seem to work ('Failed to find provider jpa for userSessions'). User sessions are now managed using Infinispan by default if I understand correctly: http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html#d4e3292 ?
>>>
>>> Is there a way to make user sessions persistent?
>>>
>>> Our issue is that we send out a lot of activation ('update password') emails from our (single) Keycloak server to new users and since we have a continuous delivery pipeline Keycloak goes down and up quite a bit and every time it restarts all temporary log in tokens used for these update password actions are lost (since they are stored in memory only). And if I understand correctly these tokens are actually a sort of user sessions.
>>>
>>> cheers
>>>
>>> Edgar
>>>
>>>
>>> On 29 Feb 2016, at 17:52, Edgar Vonk - Info.nl <Edgar at info.nl> wrote:
>>>
>>> Hi,
>>>
>>> See if I understand this correctly: in the default set up of Keycloak sessions and temporary tokens are not persisted in the Keycloak database? So consider this scenario:
>>>
>>> 1/ login as admin to master realm
>>> 2/ go to Users - Credentials and send a 'Update Password' reset action email
>>> 3/ user receives an email with a link with a unique token to update his/her password in Keycloak
>>> 4/ Keycloak server is restarted for whatever reason
>>> 5/ the temporary 'login action token' no longer exists and the link from 3/ no longer works
>>>
>>> Is this correct and expected behaviour?
>>>
>>> And if so, can somebody maybe point us in the direction to solve this? I.e. by making sessions/tokens persistent I guess.
>>>
>>> cheers
>>>
>>> Edgar
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160302/4c7338e4/attachment.html

From dev at sgordon.totalise.co.uk Wed Mar 2 15:42:22 2016
From: dev at sgordon.totalise.co.uk (Simon Gordon)
Date: 02 Mar 2016 20:42:22 +0000
Subject: [keycloak-user] Remove username/password fields from login
Message-ID:

Hi there

(Thanks for the fast help on the Openshift Cartridge btw)

In our scenarios, there is no intention for users to have a username and password within KeyCloak - hence just use identities from Identity Providers.

Within the 'Authentication' settings, choose 'Browser' as flow type, I can see 'Username Password form', but it is always 'Required'.

I can see that some kind of login form is needed (we will not have a default) so users choose IdP, but really don't want the username/password fields. Do I resort to just removing them from the login template?

I ask because the setting is a bit odd to have if it is always 'Required', so I'm concerned that I'm missing a general issue which pushes me towards giving all of our users passwords for KC. Which I'm keen to avoid.

Maybe the console setting could do with a rename?

Regards,
Simon

From tech at psynd.net Wed Mar 2 16:29:31 2016
From: tech at psynd.net (Tech @ PSYND)
Date: Wed, 02 Mar 2016 22:29:31 +0100
Subject: [keycloak-user] SAML - Error processing request
Message-ID: <5f5681ef6ae811456d1e34096cc7f1f7@psynd.net>

Hello everybody,

I'm working with the KeyCloak (1.8.1.Final) examples and trying to publish "Customer-portal" using SAML.

We get stuck with a SAML error "Error processing request", and here down the error.

Could you please advise?

Thanks!

From bburke at redhat.com Wed Mar 2 16:35:52 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 2 Mar 2016 16:35:52 -0500
Subject: [keycloak-user] Remove username/password fields from login
In-Reply-To:
References:
Message-ID: <56D75CB8.8060806@redhat.com>

To be "clean", create a new flow, authenticator and form. But the simplest thing to do is to just create a new theme, copy the login.ftl and modify it to remove the html form (username/password fields). I know some people have created their own username page where a user enters in an email and based on the domain are routed to a specific IDP.

On 3/2/2016 3:42 PM, Simon Gordon wrote:
> Hi there
>
> (Thanks for the fast help on the Openshift Cartridge btw)
>
> In our scenarios, there is no intention for users to have a username and password within KeyCloak - hence just use identities from Identity Providers.
>
> Within the 'Authentication' settings, choose 'Browser' as flow type, I can see 'Username Password form', but it is always 'Required'.
>
> I can see that some kind of login form is needed (we will not have a default) so users choose IdP, but really don't want the username/password fields. Do I resort to just removing them from the login template?
>
> I ask because the setting is a bit odd to have if it is always 'Required', so I'm concerned that I'm missing a general issue which pushes me towards giving all of our users passwords for KC. Which I'm keen to avoid.
>
> Maybe the console setting could do with a rename?
>
> Regards,
> Simon
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sthorger at redhat.com Thu Mar 3 00:09:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Mar 2016 06:09:56 +0100
Subject: [keycloak-user] How to add Admin User
In-Reply-To: <56D7384F.8080709@redhat.com>
References: <56D6E6C7.4050609@redhat.com> <56D7384F.8080709@redhat.com>
Message-ID:

The standard add-user script adds WildFly users, we want the standard script to add Keycloak users. It's a Keycloak server after all.
On 2 March 2016 at 20:00, Stan Silvert wrote:

> On 3/2/2016 1:50 PM, Stian Thorgersen wrote:
>
> Not a chance. In server dist we want to hide WildFly's add-user script.
>
> I could guess, but I have to ask, why?
>
>
> On 2 March 2016 at 14:12, Stan Silvert wrote:
>
>> On 3/2/2016 7:02 AM, Stian Thorgersen wrote:
>>
>> In overlay the script should be add-user-keycloak. The overlay adds Keycloak server to an existing WildFly installation so we don't want to overwrite any existing files. I appreciate this may be confusing and inconsistent, but at the same time if we did overwrite people would probably complain about us overwriting the existing script.
>>
>> In the server dist this doesn't apply as the server is purely a Keycloak server, not a WildFly server.
>>
>> I guess the solution would be to make server dist consistent with overlay, so both are add-user-keycloak. Not sure how I feel about that.
>>
>>
>> On 2 March 2016 at 11:10, Bruno Oliveira wrote:
>>
>>> I'm not sure if I follow your question but './add-user.sh -u admin -p admin' or './add-user.sh -u admin' should work.
>>>
>>> On Wed, Mar 2, 2016 at 7:03 AM Andrej Prievalsky wrote:
>>>
>>>> Hi Bruno,
>>>>
>>>> thanks for the answer.
>>>> But from http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 and section: *...you can use the add-user script from the command-line.* my question is how exactly the command with the add-user script should look?
>>>> Because in past we used this command: add-user.sh --container -u admin -p admin
>>>>
>>>> Andrej.
>>>>
>>>>
>>>> On Wed, Mar 2, 2016 at 10:38 AM, Bruno Oliveira wrote:
>>>>
>>>>> Hi Andrej, answers inline
>>>>>
>>>>> On Wed, Mar 2, 2016 at 6:13 AM Andrej Prievalsky wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I would like to summarize information about How to add Admin User - chapter 3.2.1.
>>>>>>
>>>>>> My questions are:
>>>>>> 1.) From which version (including) is new concept, that there is no built in user?
>>>>>
>>>>> 1.8.0 See: http://keycloak.github.io/docs/userguide/keycloak-server/html/Migration_from_older_versions.html#d4e4031
>>>>>
>>>>>> 2a.) What is exact command via add-user script (add-user.sh) for create admin user ?
>>>>>
>>>>> See: http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116
>>>>>
>>>>>> 2b.) Same question like in 2a, but in keycloak-overlay (add-user-keycloak.sh)?
>>>>>
>>>>> You are correct. Maybe this is an inconsistency to be fixed.
>>>>>
>>>>>> Thanks and Best Regards,
>>>>>> Andrej.
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160303/3651e586/attachment-0001.html

From sthorger at redhat.com Thu Mar 3 01:26:20 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Mar 2016 07:26:20 +0100
Subject: [keycloak-user] Migration issues from KC 1.5 to 1.9
In-Reply-To:
References:
Message-ID:

Do you have the Keycloak adapter subsystem installed? Is your WAR secured by Keycloak?
If so it should have the required dependencies with the exception of the admin client. If no to those questions you need to add a dependency to keycloak-core.

On 2 March 2016 at 15:10, Jeff Picklyk wrote:

> Hi all,
>
> I have a Java EE7 application using KC on wildfly and I'm porting it over to work on KC 1.9.0.Final and Wildfly 10. The issue I'm running into has the following stack trace:
>
> 15:36:18,209 INFO [org.hibernate.orm.deprecation] (ServerService Thread Pool -- 78) HHH90000001: Found usage of deprecated setting for specifying Scanner [hibernate.ejb.resource_scanner]; use [hibernate.archive.scanner] instead
> 15:36:18,452 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service jboss.deployment.unit."portal.war".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."portal.war".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "portal.war"
> at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.RuntimeException: WFLYSRV0177: Error getting reflective information for class net.sbs.portal.business.registrar.control.UserAsyncManager with ClassLoader ModuleClassLoader for Module "deployment.portal.war:main" from Service Module Loader
> at org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex.getClassIndex(DeploymentReflectionIndex.java:70)
> at org.jboss.as.ee.metadata.MethodAnnotationAggregator.runtimeAnnotationInformation(MethodAnnotationAggregator.java:57)
> at org.jboss.as.ee.component.deployers.InterceptorAnnotationProcessor.handleAnnotations(InterceptorAnnotationProcessor.java:106)
> at org.jboss.as.ee.component.deployers.InterceptorAnnotationProcessor.processComponentConfig(InterceptorAnnotationProcessor.java:91)
> at org.jboss.as.ee.component.deployers.InterceptorAnnotationProcessor.deploy(InterceptorAnnotationProcessor.java:76)
> at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
> ... 5 more
> Caused by: java.lang.NoClassDefFoundError: org/keycloak/representations/idm/UserRepresentation
> at java.lang.Class.getDeclaredMethods0(Native Method)
> at java.lang.Class.privateGetDeclaredMethods(Class.java:2693)
> at java.lang.Class.getDeclaredMethods(Class.java:1967)
> at org.jboss.as.server.deployment.reflect.ClassReflectionIndex.(ClassReflectionIndex.java:80)
> at org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex.getClassIndex(DeploymentReflectionIndex.java:66)
> ... 10 more
> Caused by: java.lang.ClassNotFoundException: org.keycloak.representations.idm.UserRepresentation from [Module "deployment.portal.war:main" from Service Module Loader]
> at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
> at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
> at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
> at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
> ... 15 more
>
>
> My UserAsyncManager class is just a SLSB with an @Asynchronous method to take the KC UserRepresentation and save it to my application database for further usage. I am using the Keycloak-admin-client in my application to retrieve the user representation from the KC server.
>
> I've been struggling to find a solution to this problem for a few days and need some help from the community. The relevant POM dependency versions are the following:
>
> 2.5.4
> 3.0.14.Final
> 1.5.0
> 1.9.0.Final
>
> I can include the full POM if needed.
>
> Any thoughts?
>
> Thanks,
> Jeff
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160303/815e2c99/attachment.html

From tech at psynd.net Thu Mar 3 03:53:52 2016
From: tech at psynd.net (Tech @ PSYND)
Date: Thu, 03 Mar 2016 09:53:52 +0100
Subject: [keycloak-user] SAML - Error processing request
In-Reply-To: <5f5681ef6ae811456d1e34096cc7f1f7@psynd.net>
References: <5f5681ef6ae811456d1e34096cc7f1f7@psynd.net>
Message-ID: <25cbb3ec52dea261572070f25078bf13@psynd.net>

On 2016-03-02 22:29, Tech @ PSYND wrote:
> Hello everybody,
>
> I'm working with the KeyCloak (1.8.1.Final) examples and trying to publish "Customer-portal" using SAML.
>
> We get stuck with a SAML error "Error processing request", and here down the error.
>
> Could you please advise?
>
> Thanks!
Here is the stack trace:

Error processing request
Context Path: /customer-portal
Servlet Path: /customers/view.jsp
Path Info: null
Query String: null

Stack Trace
org.apache.jasper.JasperException: java.lang.NullPointerException
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:410)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

From ssilvert at redhat.com Thu Mar 3 07:48:21 2016
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 03 Mar 2016 07:48:21 -0500
Subject: [keycloak-user] How to add Admin User
References: <56D6E6C7.4050609@redhat.com> <56D7384F.8080709@redhat.com>
Message-ID: <56D83295.6090105@redhat.com>

On 3/3/2016 12:09 AM, Stian Thorgersen wrote:
> The standard add-user script adds WildFly users, we want the standard
> script to add Keycloak users. It's a Keycloak server after all.

You still need WildFly users if you want to use CLI (remotely) or web
console. As far as I know, we can't secure those things with Keycloak yet.

There are workarounds, but I'm just saying, WildFly add-user.sh is a
useful tool that we might want to still ship in some form until such time
that CLI and web console are fully integrated with Keycloak.

> On 2 March 2016 at 20:00, Stan Silvert wrote:
>
>> On 3/2/2016 1:50 PM, Stian Thorgersen wrote:
>>> Not a chance. In server dist we want to hide WildFly's add-user
>>> script.
>>
>> I could guess, but I have to ask, why?

From sthorger at redhat.com Thu Mar 3 07:50:17 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Mar 2016 13:50:17 +0100
Subject: [keycloak-user] How to add Admin User
In-Reply-To: <56D83295.6090105@redhat.com>
References: <56D6E6C7.4050609@redhat.com> <56D7384F.8080709@redhat.com> <56D83295.6090105@redhat.com>

On 3 March 2016 at 13:48, Stan Silvert wrote:
> On 3/3/2016 12:09 AM, Stian Thorgersen wrote:
>
>> The standard add-user script adds WildFly users, we want the standard
>> script to add Keycloak users. It's a Keycloak server after all.
>
> You still need WildFly users if you want to use CLI (remotely) or web
> console. As far as I know, we can't secure those things with Keycloak yet.

In the future we will secure it with Keycloak, in the meantime the
add-user has a '--container' option.
From jpicklyk at gmail.com Thu Mar 3 09:21:34 2016
From: jpicklyk at gmail.com (Jeff Picklyk)
Date: Thu, 3 Mar 2016 09:21:34 -0500
Subject: [keycloak-user] Migration issues from KC 1.5 to 1.9

Hi Stian, thank you for following up.

To keep things simple the application is working on the full KC
1.5.0.Final.zip distribution but not on the 1.9.0.Final.zip distribution.
My war file is secured by KC and has the keycloak.json file updated when I
attempt to use the 1.9 distribution.

I do use the admin client and the representation classes to retrieve data
from the server which all works fine in 1.5.0.

Here are further details from my POM file.

    2.5.4
    3.0.14.Final
    1.5.0
    1.9.0.Final

    org.keycloak                    keycloak-core                  provided  ${keycloak.version}
    org.keycloak                    keycloak-adapter-core          provided  ${keycloak.version}
    org.keycloak                    keycloak-admin-client                    ${keycloak.version}

    org.jboss.resteasy              resteasy-client                ${resteasy.version}  provided
    org.jboss.resteasy              resteasy-jackson2-provider     ${resteasy.version}  provided

    com.fasterxml.jackson.core      jackson-core                   ${jackson.version}   provided
    com.fasterxml.jackson.core      jackson-annotations            ${jackson.version}   provided
    com.fasterxml.jackson.core      jackson-databind               ${jackson.version}   provided
    com.fasterxml.jackson.jaxrs     jackson-jaxrs-json-provider    ${jackson.version}   provided
    com.fasterxml.jackson.datatype  jackson-datatype-hibernate4    ${jackson.version}
    com.fasterxml.jackson.datatype  jackson-datatype-jsr310        ${jackson.version}

On Thu, Mar 3, 2016 at 1:26 AM, Stian Thorgersen wrote:
> Do you have the Keycloak adapter subsystem installed? Is your WAR secured
> by Keycloak? If so it should have the required dependencies with the
> exception of the admin client. If no to those questions you need to add a
> dependency to keycloak-core.
From sthorger at redhat.com Thu Mar 3 09:32:22 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Mar 2016 15:32:22 +0100
Subject: [keycloak-user] Migration issues from KC 1.5 to 1.9

Are you trying to deploy the WAR to the Keycloak server itself? It should
be installed onto a separate WildFly server with the Keycloak adapter
subsystem installed. See documentation for that.

On 3 March 2016 at 15:21, Jeff Picklyk wrote:
> Hi Stian, thank you for following up.
>
> To keep things simple the application is working on the full KC
> 1.5.0.Final.zip distribution but not on the 1.9.0.Final.zip distribution.
> My war file is secured by KC and has the keycloak.json file updated when I
> attempt to use the 1.9 distribution.
>
> I do use the admin client and the representation classes to retrieve data
> from the server which all works fine in 1.5.0.
From thomas.darimont at googlemail.com Thu Mar 3 10:14:21 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 3 Mar 2016 16:14:21 +0100
Subject: [keycloak-user] Keycloak Health-Check

Hello group,

I'd like to implement a cheap health indicator for a Spring Boot App that
checks whether keycloak is currently up and running well.

What would be the best endpoint to check for an HTTP 200 OK via an
unauthenticated HTTP request that is cheap to call but still gives enough
information to report that Keycloak is ok?

Cheers,
Thomas

From ado.boj.83 at gmail.com Thu Mar 3 10:24:22 2016
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Thu, 3 Mar 2016 16:24:22 +0100
Subject: [keycloak-user] How to add Admin User
References: <56D6E6C7.4050609@redhat.com> <56D7384F.8080709@redhat.com> <56D83295.6090105@redhat.com>

Hi all,

1.)
In the meantime I tried to create the Admin user on keycloak-overlay-1.7.0.Final
via the add-user-keycloak.sh script in WildFly domain mode and I got:

[root at keycloakoverlay /opt/wildfly/bin]$ ./add-user-keycloak.sh -u admin -p admin
Added 'admin' to '/opt/wildfly/standalone/configuration/keycloak-add-user.json', restart server to load user

Is it correct that the user is created in the standalone path?

----------------------------------------------------------------------------

2.) Can I, in version 1.7.0.Final, create or replace the Admin user for the
Master realm with a permanent password, created automatically via the
command line, without needing to change the password manually after the
first login?

Thanks,
Andrej.

On Thu, Mar 3, 2016 at 1:50 PM, Stian Thorgersen wrote:
> On 3 March 2016 at 13:48, Stan Silvert wrote:
>
>> You still need WildFly users if you want to use CLI (remotely) or web
>> console. As far as I know, we can't secure those things with Keycloak yet.
>
> In the future we will secure it with Keycloak, in the meantime the
> add-user has a '--container' option.
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160303/12692b53/attachment-0001.html From sai-soma-kala.kalidindi at hpe.com Thu Mar 3 11:06:04 2016 From: sai-soma-kala.kalidindi at hpe.com (Kalidindi, Sai Soma Kala) Date: Thu, 3 Mar 2016 16:06:04 +0000 Subject: [keycloak-user] Proof Key For Code Exchange Message-ID: <7C7BD855C19D7B46BE7AE2B0E5D7794B34CDE70C@G9W0339.americas.hpqcorp.net> Hi, I am a beginner in keycloak. We are trying to implement Proof Key For Code Exchange in the keycloak, which is deployed as a container in our production right now. I would appreciate If I can get any helpful links or advice to implement PKCE. Thanks, Sai. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160303/af7f4134/attachment.html From cmoulliard at redhat.com Thu Mar 3 12:11:18 2016 From: cmoulliard at redhat.com (Charles Moulliard) Date: Thu, 3 Mar 2016 18:11:18 +0100 Subject: [keycloak-user] WS-Federation & Keycloak Message-ID: <56D87036.7040206@redhat.com> Hi, Do we have more fresh news about this request (WS-Federation with Keycloak) - http://lists.jboss.org/pipermail/keycloak-user/2015-March/001749.html posted last year ? Regards, Charles From sthorger at redhat.com Thu Mar 3 13:18:38 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 3 Mar 2016 19:18:38 +0100 Subject: [keycloak-user] How to add Admin User In-Reply-To: References: <56D6E6C7.4050609@redhat.com> <56D7384F.8080709@redhat.com> <56D83295.6090105@redhat.com> Message-ID: Please read the documentation it explains it all http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 On 3 March 2016 at 16:24, Andrej Prievalsky wrote: > Hi all, > > 1.) 
meantime I tried on keycloak-overlay-1.7.0.Final via > add-user-keycloak.sh script in wildfly domain mode create Admin user and I > got: > > [root at keycloakoverlay /opt/wildfly/bin]$ ./add-user-keycloak.sh -u admin > -p admin > Added 'admin' to ' > */opt/wildfly/standalone/configuration/keycloak-add-user.json*', restart > server to load user > > Is it correct, that user is created in standalone path? > > > ---------------------------------------------------------------------------- > > 2.) can I in version 1.7.0.Final create or replace Admin user for Master > realm with permanent password, which could be created automatically via > command line and not needed change password manually after first login? > > Thanks, > Andrej. > > > On Thu, Mar 3, 2016 at 1:50 PM, Stian Thorgersen > wrote: > >> >> >> On 3 March 2016 at 13:48, Stan Silvert wrote: >> >>> On 3/3/2016 12:09 AM, Stian Thorgersen wrote: >>> >>> The standard add-user script adds WildFly users, we want the standard >>> script to add Keycloak users. It's a Keycloak server after all. >>> >>> You still need WildFly users if you want to use CLI (remotely) or web >>> console. As far as I know, we can't secure those things with Keycloak yet. >>> >> >> In the future we will secure it with Keycloak, in the mean time the >> add-user has a '--container' option. >> >> >>> >>> There are workarounds, but I'm just saying, WildFly add-user.sh is a >>> useful tool that we might want to still ship in some form until such time >>> that CLI and web console is fully integrated with Keycloak. >>> >>> >>> On 2 March 2016 at 20:00, Stan Silvert wrote: >>> >>>> On 3/2/2016 1:50 PM, Stian Thorgersen wrote: >>>> >>>> Not a chance. In server dist we want to hide WildFly's add-user script. >>>> >>>> I could guess, but I have to ask, why? >>>> >>>> >>>> >>>> On 2 March 2016 at 14:12, Stan Silvert wrote: >>>> >>>>> On 3/2/2016 7:02 AM, Stian Thorgersen wrote: >>>>> >>>>> In overlay the script should be add-user-keycloak. 
The overlay adds >>>>> Keycloak server to an existing WildFly installation so we don't want to >>>>> overwrite any existing files. I appreciate this may be confusing and >>>>> inconsistent, but at the same time if we did overwrite people would >>>>> probably complain about us overwriting the existing script. >>>>> >>>>> In the server dist this doesn't apply as the server is purely a >>>>> Keycloak server, not a WildFly server. >>>>> >>>>> I guess the solution would be to make server dist consistent with >>>>> overlay, so both are add-user-keycloak. Not sure how I feel about that. >>>>> >>>>> >>>>> >>>>> >>>>> On 2 March 2016 at 11:10, Bruno Oliveira wrote: >>>>> >>>>>> I'm not sure if I follow your question but './add-user.sh -u admin -p >>>>>> admin' or './add-user.sh -u admin' should work. >>>>>> >>>>>> On Wed, Mar 2, 2016 at 7:03 AM Andrej Prievalsky < >>>>>> ado.boj.83 at gmail.com> wrote: >>>>>> >>>>>>> Hi Bruno, >>>>>>> >>>>>>> thanks for answer. >>>>>>> But from >>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 >>>>>>> and section: *...you can use the add-user script from the >>>>>>> command-line.* >>>>>>> is my question is how exactly should looks like command with >>>>>>> add-user script? >>>>>>> Because in past we used this command: add-user.sh ?container -u >>>>>>> admin -p admin >>>>>>> >>>>>>> Andrej. >>>>>>> >>>>>>> >>>>>>> On Wed, Mar 2, 2016 at 10:38 AM, Bruno Oliveira >>>>>> > wrote: >>>>>>> >>>>>>>> Hi Andrej, answers inline >>>>>>>> >>>>>>>> On Wed, Mar 2, 2016 at 6:13 AM Andrej Prievalsky < >>>>>>>> ado.boj.83 at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I would like to summary information about How to add Admin User - >>>>>>>>> chapter 3.2.1. >>>>>>>>> >>>>>>>>> My questions are: >>>>>>>>> 1.) From which version (including) is new concept, that there is >>>>>>>>> no built in user? 
>>>>>>>>> >>>>>>>> >>>>>>>> 1.8.0 See: >>>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/Migration_from_older_versions.html#d4e4031 >>>>>>>> >>>>>>>> >>>>>>>>> 2a.) What is the exact command via the add-user script (add-user.sh) to >>>>>>>>> create an admin user? >>>>>>>>> >>>>>>>> >>>>>>>> See: >>>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 >>>>>>>> >>>>>>>> >>>>>>>>> 2b.) Same question as in 2a, but in keycloak-overlay ( >>>>>>>>> add-user-keycloak.sh)? >>>>>>>>> >>>>>>>> >>>>>>>> You are correct. Maybe this is an inconsistency to be fixed. >>>>>>>> >>>>>>>>> >>>>>>>>> Thanks and Best Regards, >>>>>>>>> Andrej. >>>>>>>>> _______________________________________________ >>>>>>>>> keycloak-user mailing list >>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>>> >>>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>>> >>> >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160303/6dbbf391/attachment-0001.html From sthorger at redhat.com Thu Mar 3 14:11:09 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 3 Mar 2016 20:11:09 +0100 Subject: [keycloak-user] WS-Federation & Keycloak In-Reply-To: <56D87036.7040206@redhat.com> References: <56D87036.7040206@redhat.com> Message-ID: Afraid not, it's very low priority for us at the moment. There's not enough demand for it to justify the amount of work required. On 3 March 2016 at 18:11, Charles Moulliard wrote: > Hi, > > Do we have more fresh news about this request (WS-Federation with > Keycloak) - > http://lists.jboss.org/pipermail/keycloak-user/2015-March/001749.html > posted last year ? > > Regards, > > Charles > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160303/065441fa/attachment.html From sthorger at redhat.com Thu Mar 3 14:21:45 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 3 Mar 2016 20:21:45 +0100 Subject: [keycloak-user] Commercial support Message-ID: We're very pleased to announce that Red Hat is working on a commercially supported version of Keycloak. At the moment we can't give any details around product name, release date or subscription model. What we can tell you is that the supported version will be based on Keycloak 1.9.x. Rather than working on new features we're currently focusing on performance, bug fixes and general polishing. We will be releasing minor releases of 1.9.x every few weeks going forward. This means that we highly recommend you upgrade to 1.9.x now. It will get continuous fixes, including security fixes, until the commercially supported version is ready. 
Going forward we'll also be very unlikely to answer questions or help with problems unless you've upgraded to 1.9.x. We'd also appreciate all the review and feedback we can get on this release. We want to make it as good as possible. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160303/0209dc37/attachment.html From a.cserinko at gmail.com Thu Mar 3 14:28:16 2016 From: a.cserinko at gmail.com (Andreas Cserinko) Date: Thu, 3 Mar 2016 20:28:16 +0100 Subject: [keycloak-user] Obtain Google Token Message-ID: Hey guys! I've been trying for a few days to make a rest-call to '/realms/myrealm/broker/google/token' from my Java-code. But when I send the request, the response says that the token is invalid. I have no clue what token to use. Can anybody please describe the flow of how to obtain the right tokens, or post some examples of how to solve the problem. I looked at the example on GitHub ( https://github.com/keycloak/keycloak/tree/master/examples/broker/facebook-authentication) but this example doesn't fit my needs because it is client-side. Any help would be appreciated, thanks! Thank you, Andreas -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160303/8bab936c/attachment.html From orestis.tsakiridis at telestax.com Fri Mar 4 03:12:47 2016 From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis) Date: Fri, 4 Mar 2016 10:12:47 +0200 Subject: [keycloak-user] Design concerns on automated Keycloak Client addition to a realm Message-ID: Hello, I'm trying to design a keycloak-based system that will have the following characteristics: * A single realm R will exist with a big set of users. * Users will be able to install instances of software X that consists of four (4) applications protected by keycloak. 
* Each application in any instance of X will have a corresponding Keycloak Client entity containing a set of application-level roles. Thus, having the appropriate role, a user of R can selectively be granted access to any application of any instance of X. * The addition of a new instance of X to the keycloak realm (the creation of the Clients, client roles etc.) is called 'registration' and will be done using the Keycloak Admin REST API. What's the best practice to achieve automatic registration of a new instance to the realm? I've considered the following: a. Have the instance applications *directly* consume keycloak Admin REST API and create Clients and Client roles. As far as I investigated, users of the instance will need to have a R:realm-management:manage-clients role in order to do that (create-client didn't work). This seems a pretty permissive role to give to any user in R. b. Have a separate keycloak-protected application that won't be part of X to do the important work of 'registration'. It will work as a proxy. The application will act on behalf of an administrator user with a powerful role like R:realm-management:realm-admin. The application will define its own set of roles and HTTP API for instance registration. All users will have to go through it to register their instance. It will work as a proxy. But they won't need to be granted dangerous roles to do it. Any suggestion will be more than welcome. Thanks Orestis -------------- next part -------------- An HTML attachment was scrubbed... 
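One way to build option (b) above, the registration proxy that holds the powerful realm-management credentials while ordinary users of R only need a narrow role, as an added example that is not part of this thread and not Keycloak's own code. It assumes a hypothetical realm role `instance-registrar`, placeholder names for the four applications of X and their client roles, an assumed redirect URL scheme, and an injectable transport for the Admin REST calls (the paths are the Admin REST client endpoints `/admin/realms/{realm}/clients` and `.../clients/{id}/roles`; the `FakeAdminApi` stand-in lets it run offline). The caller's token claims are assumed to have been verified by the adapter in front of the proxy before they reach it.

```python
"""Registration proxy for adding one instance of X to realm R (option b).

Constructed example, not Keycloak code. The proxy alone holds the powerful
realm-management credentials; a user of R only needs the narrow realm role
REQUIRED_CALLER_ROLE (an assumed name) to register an instance.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Placeholder names for the four applications of X and their client roles
# (assumed; the thread does not name them).
INSTANCE_APPS: Dict[str, List[str]] = {
    "portal": ["user", "admin"],
    "api": ["reader", "writer"],
    "reports": ["viewer"],
    "console": ["operator"],
}
REQUIRED_CALLER_ROLE = "instance-registrar"  # assumed narrow realm role

# transport(method, path, json_body) -> (http_status, parsed_json_or_None)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, object]]


def caller_may_register(claims: dict) -> bool:
    """Authorization check on the caller's access-token claims. The claims are
    assumed to be already verified (signature, issuer, expiry) by the adapter
    in front of the proxy; realm roles are carried under realm_access.roles."""
    return REQUIRED_CALLER_ROLE in claims.get("realm_access", {}).get("roles", [])


def client_id_for(instance: str, app: str) -> str:
    return f"{instance}-{app}"


def register_instance(realm: str, instance: str, caller_claims: dict,
                      transport: Transport) -> List[str]:
    """Create one confidential client per application plus its client roles.

    Returns the clientIds created. Raises PermissionError when the caller lacks
    the registrar role and ValueError when the instance is already registered,
    so a retried request cannot silently duplicate or overwrite clients."""
    if not caller_may_register(caller_claims):
        raise PermissionError(f"caller lacks realm role {REQUIRED_CALLER_ROLE}")

    clients = f"/admin/realms/{realm}/clients"
    # Idempotency guard: refuse if any client of this instance already exists.
    for app in INSTANCE_APPS:
        status, found = transport("GET", f"{clients}?clientId={client_id_for(instance, app)}", None)
        if status == 200 and found:
            raise ValueError(f"instance {instance} is already registered")

    created: List[str] = []
    for app, roles in INSTANCE_APPS.items():
        cid = client_id_for(instance, app)
        representation = {
            "clientId": cid,
            "enabled": True,
            "publicClient": False,  # confidential: the secret stays server-side
            "standardFlowEnabled": True,
            "directAccessGrantsEnabled": False,
            # Assumed URL scheme for the instance's applications.
            "redirectUris": [f"https://{instance}.example.test/{app}/*"],
        }
        status, _ = transport("POST", clients, representation)
        if status != 201:
            raise RuntimeError(f"creating client {cid} failed with HTTP {status}")
        # The roles endpoint is keyed by Keycloak's internal id, not by clientId.
        _, [client] = transport("GET", f"{clients}?clientId={cid}", None)
        for role in roles:
            status, _ = transport("POST", f"{clients}/{client['id']}/roles", {"name": role})
            if status != 201:
                raise RuntimeError(f"creating role {role} on {cid} failed with HTTP {status}")
        created.append(cid)
    return created


class FakeAdminApi:
    """In-memory stand-in for the three Admin REST endpoints the proxy uses."""

    def __init__(self) -> None:
        self.clients: Dict[str, dict] = {}            # internal id -> representation
        self.client_roles: Dict[str, List[str]] = {}  # internal id -> role names

    def __call__(self, method: str, path: str, body: Optional[dict]) -> Tuple[int, object]:
        if method == "GET" and "?clientId=" in path:
            wanted = path.split("?clientId=", 1)[1]
            return 200, [dict(rep, id=iid) for iid, rep in self.clients.items()
                         if rep["clientId"] == wanted]
        if method == "POST" and path.endswith("/clients"):
            iid = f"internal-{len(self.clients) + 1}"
            self.clients[iid] = dict(body)
            self.client_roles[iid] = []
            return 201, None
        if method == "POST" and path.endswith("/roles"):
            iid = path.split("/clients/", 1)[1].split("/", 1)[0]
            if iid not in self.client_roles:
                return 404, None
            self.client_roles[iid].append(body["name"])
            return 201, None
        return 404, None
```

In a real deployment the transport would attach the proxy's own service-account or admin token to each request, so the realm-admin credential never leaves the proxy; the only thing a user of R is granted is the registrar role, and the proxy decides exactly which representations it is willing to create (confidential clients, no direct grants, a fixed redirect pattern).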
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/f14b465f/attachment.html From cmoulliard at redhat.com Fri Mar 4 04:12:05 2016 From: cmoulliard at redhat.com (Charles Moulliard) Date: Fri, 4 Mar 2016 10:12:05 +0100 Subject: [keycloak-user] Doc about keycloak.json syntax Message-ID: <56D95165.20107@redhat.com> Hi, Do we have a doc explaining how to configure the syntax (= fields + values) of the keycloak.json file used to configure the web/js applications integrated with Keycloak Server ? The only info that I have is the class parsing the file https://github.com/cmoulliard/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L30 Regards, Charles From Edgar at info.nl Fri Mar 4 04:20:15 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Fri, 4 Mar 2016 09:20:15 +0000 Subject: [keycloak-user] How to increase session/token timeout for reset action emails? Message-ID: <159CF628-4424-4A70-A80B-748EA5D71F9B@info.nl> Hi all, We use the "Users > Credentials > Reset Actions (Update Password) > Reset Actions Email" functionality to send out emails to our users so that they can set their password and log in to our application. This seems to result in an "Account Session" for each user. We notice that the timeout for these sessions is too low for our purposes. How can we increase it? Is this the "SSO Session Max" setting (default: 10 hours) or something else? We first thought it was the "Login action timeout" but apparently not. We want it to be in the order of several days. cheers -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/95f0111e/attachment.bin From mstrukel at redhat.com Fri Mar 4 04:31:27 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 4 Mar 2016 10:31:27 +0100 Subject: [keycloak-user] Doc about keycloak.json syntax In-Reply-To: <56D95165.20107@redhat.com> References: <56D95165.20107@redhat.com> Message-ID: Take a look at the docs: http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config On Fri, Mar 4, 2016 at 10:12 AM, Charles Moulliard wrote: > Hi, > > Do we have a doc explaining how to configure the syntax (= fields + > values) of the keycloak.json file be used to configure the web/js > applications integrated with Keycloak Server ? > The only info that I have is the class parsing the file > > https://github.com/cmoulliard/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L30 > > > Regards, > > Charles > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/ae956e5d/attachment-0001.html From cmoulliard at redhat.com Fri Mar 4 04:46:33 2016 From: cmoulliard at redhat.com (Charles Moulliard) Date: Fri, 4 Mar 2016 10:46:33 +0100 Subject: [keycloak-user] Doc about keycloak.json syntax In-Reply-To: References: <56D95165.20107@redhat.com> Message-ID: <56D95979.1060305@redhat.com> Thx for the info. We should certainly improve the introduction of the chapter 8 to also mention that the General Adapter Config will also be used to configure the keycloak Web/js/ ... 
client (https://github.com/keycloak/keycloak/blob/master/examples/basic-auth/src/main/webapp/WEB-INF/keycloak.json) connected to a keycloak server Remark : Is this sentence still relevant (chapter 8.1 --> Also, you can obtain a template for this config file from the admin console. Go to the realm and select the application you want a template for. Go to the Installation tab and this will provide you with a template that includes the public key of the realm.) as I don't see from the console (1.9.0.Final) how I can get a config template file for an application ... ? On 04/03/16 10:31, Marko Strukelj wrote: > Take a look at the docs: > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config > > On Fri, Mar 4, 2016 at 10:12 AM, Charles Moulliard > > wrote: > > Hi, > > Do we have a doc explaining how to configure the syntax (= fields + > values) of the keycloak.json file be used to configure the web/js > applications integrated with Keycloak Server ? > The only info that I have is the class parsing the file > https://github.com/cmoulliard/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L30 > > > Regards, > > Charles > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/aa009f6b/attachment.html From bruno at abstractj.org Fri Mar 4 05:02:18 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 04 Mar 2016 10:02:18 +0000 Subject: [keycloak-user] Doc about keycloak.json syntax In-Reply-To: <56D95979.1060305@redhat.com> References: <56D95165.20107@redhat.com> <56D95979.1060305@redhat.com> Message-ID: Please, file a Jira On Fri, Mar 4, 2016 at 6:46 AM Charles Moulliard wrote: > Thx for the info. 
> > We should certainly improve the introduction of the chapter 8 to also > mention that the General Adapter Config will also be used to configure the > keycloak Web/js/ ... client ( > https://github.com/keycloak/keycloak/blob/master/examples/basic-auth/src/main/webapp/WEB-INF/keycloak.json) > connected to a keycloak server > > Remark : > > Is this sentence still relevant (chapter 8.1 --> Also, you can obtain a > template for this config file from the admin console. Go to the realm and > select the application you want a template for. Go to the Installation tab > and this will provide you with a template that includes the public key of > the realm.) as I don't see from the console (1.9.0.Final) how I can get a > config template file for an application ... ? > > > > > On 04/03/16 10:31, Marko Strukelj wrote: > > Take a look at the docs: > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config > > On Fri, Mar 4, 2016 at 10:12 AM, Charles Moulliard > wrote: > >> Hi, >> >> Do we have a doc explaining how to configure the syntax (= fields + >> values) of the keycloak.json file be used to configure the web/js >> applications integrated with Keycloak Server ? >> The only info that I have is the class parsing the file >> >> https://github.com/cmoulliard/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L30 >> >> >> Regards, >> >> Charles >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/74267e65/attachment.html From sthorger at redhat.com Fri Mar 4 05:08:32 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 4 Mar 2016 11:08:32 +0100 Subject: [keycloak-user] Doc about keycloak.json syntax In-Reply-To: <56D95979.1060305@redhat.com> References: <56D95165.20107@redhat.com> <56D95979.1060305@redhat.com> Message-ID: On 4 March 2016 at 10:46, Charles Moulliard wrote: > Thx for the info. > > We should certainly improve the introduction of the chapter 8 to also > mention that the General Adapter Config will also be used to configure the > keycloak Web/js/ ... client ( > https://github.com/keycloak/keycloak/blob/master/examples/basic-auth/src/main/webapp/WEB-INF/keycloak.json) > connected to a keycloak server > General adapter config is not applicable to js adapter. It only uses realm, auth-server-url and resource. > > Remark : > > Is this sentence still relevant (chapter 8.1 --> Also, you can obtain a > template for this config file from the admin console. Go to the realm and > select the application you want a template for. Go to the Installation tab > and this will provide you with a template that includes the public key of > the realm.) as I don't see from the console (1.9.0.Final) how I can get a > config template file for an application ... ? > Yes, although it should be client, not application. > > > > > On 04/03/16 10:31, Marko Strukelj wrote: > > Take a look at the docs: > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config > > On Fri, Mar 4, 2016 at 10:12 AM, Charles Moulliard < > cmoulliard at redhat.com> wrote: > >> Hi, >> >> Do we have a doc explaining how to configure the syntax (= fields + >> values) of the keycloak.json file be used to configure the web/js >> applications integrated with Keycloak Server ? 
>> The only info that I have is the class parsing the file >> >> https://github.com/cmoulliard/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L30 >> >> >> Regards, >> >> Charles >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/694d6c50/attachment.html From sthorger at redhat.com Fri Mar 4 05:09:49 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 4 Mar 2016 11:09:49 +0100 Subject: [keycloak-user] Design concerns on automated Keycloak Client addition to a realm In-Reply-To: References: Message-ID: For dynamic registration of clients take a look at http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html On 4 March 2016 at 09:12, Orestis Tsakiridis < orestis.tsakiridis at telestax.com> wrote: > Hello, > > I'm trying to design a keycloak-based system that will have the following > characteristics: > > * A single realm R will exist with a big set of users. > * Users will be able to install instances of software X that consists of > four (4) applications protected by keycloak. > * Each application in any instance of X will have a corresponding Keycloak > Client entity containing a set of application-level roles. Thus, having the > appropriate role,m a user of R can selectively be granted access to any > application of any instance of X. > * The addition of a new instance of X to the keycloak realm (the creation > of the Clients, client roles etc.) 
is called 'registration' and will be > done using the Keycloak Admin REST API. > > What's the best practice to achieve automatic registration of a new > instance to the realm? > > I've considered the following: > > a. Have the instance applications *directly* consume keycloak Admin REST > API and create Clients and Client roles. As far as i investigated users of > the instance will need to have a R:realm-management:manage-clients role in > order to do that (create-client didn't work). This seems a pretty > permissive role to give to any user in R. > > b. Have a separate keycloak-protected application that won't be part of X > to do the important work of 'registration'. It will work as a proxy. The > application will act on behalf of an administrator user with a powerfull > role like R:realm-management:realm-admin. The application will define it's > own set of roles and HTTP API for instance registration. All users will > have to go through it to register their instance. It will work as a proxy. > But they won't need to be granted dangerous roles to do it. > > Any suggestion will be more than welcome. > > Thanks > > Orestis > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/47fdd57e/attachment-0001.html From sthorger at redhat.com Fri Mar 4 05:11:02 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 4 Mar 2016 11:11:02 +0100 Subject: [keycloak-user] Obtain Google Token In-Reply-To: References: Message-ID: To read the token the user has to have the broker.read-token permission. The client also needs a scope on it. Please take a look at http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#d4e2198 On 3 March 2016 at 20:28, Andreas Cserinko wrote: > Hey guys! 
> > I've been trying since a few days to make a rest-call to > '/realms/myrealm/broker/google/token' > from my Java-code. But when I send the request, the response says that the > token is invalid. I have no clue what token to use. > > Can anybody please describe the flow of how to obtain the right tokens, or > post some examples how to solve the problem. I looked at the example on > GitHub ( > https://github.com/keycloak/keycloak/tree/master/examples/broker/facebook-authentication) > but this example don't fit my needs because it is client-side. > > Any help would be appreciated, thanks! > > Thank you, > Andreas > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/0a4f67d6/attachment.html From mstrukel at redhat.com Fri Mar 4 05:24:03 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 4 Mar 2016 11:24:03 +0100 Subject: [keycloak-user] Doc about keycloak.json syntax In-Reply-To: References: <56D95165.20107@redhat.com> <56D95979.1060305@redhat.com> Message-ID: We have a file called keycloak.json (for JS) that has different syntax than another file called keycloak.json (for .war)? On Fri, Mar 4, 2016 at 11:08 AM, Stian Thorgersen wrote: > > > On 4 March 2016 at 10:46, Charles Moulliard wrote: > >> Thx for the info. >> >> We should certainly improve the introduction of the chapter 8 to also >> mention that the General Adapter Config will also be used to configure the >> keycloak Web/js/ ... client ( >> https://github.com/keycloak/keycloak/blob/master/examples/basic-auth/src/main/webapp/WEB-INF/keycloak.json) >> connected to a keycloak server >> > > General adapter config is not applicable to js adapter. It only uses > realm, auth-server-url and resource. 
> > >> >> Remark : >> >> Is this sentence still relevant (chapter 8.1 --> Also, you can obtain a >> template for this config file from the admin console. Go to the realm and >> select the application you want a template for. Go to the Installation tab >> and this will provide you with a template that includes the public key of >> the realm.) as I don't see from the console (1.9.0.Final) how I can get a >> config template file for an application ... ? >> > > Yes, although it should be client, not application. > > >> >> >> >> >> On 04/03/16 10:31, Marko Strukelj wrote: >> >> Take a look at the docs: >> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config >> >> On Fri, Mar 4, 2016 at 10:12 AM, Charles Moulliard < >> cmoulliard at redhat.com> wrote: >> >>> Hi, >>> >>> Do we have a doc explaining how to configure the syntax (= fields + >>> values) of the keycloak.json file be used to configure the web/js >>> applications integrated with Keycloak Server ? >>> The only info that I have is the class parsing the file >>> >>> https://github.com/cmoulliard/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L30 >>> >>> >>> Regards, >>> >>> Charles >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/998cd865/attachment.html From sthorger at redhat.com Fri Mar 4 05:31:45 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 4 Mar 2016 11:31:45 +0100 Subject: [keycloak-user] Doc about keycloak.json syntax In-Reply-To: References: <56D95165.20107@redhat.com> <56D95979.1060305@redhat.com> Message-ID: It doesn't have different syntax, it just only supports a subset of the fields. On 4 March 2016 at 11:24, Marko Strukelj wrote: > We have a file called keycloak.json (for JS) that has different syntax > than another file called keycloak.json (for .war)? > > On Fri, Mar 4, 2016 at 11:08 AM, Stian Thorgersen > wrote: > >> >> >> On 4 March 2016 at 10:46, Charles Moulliard >> wrote: >> >>> Thx for the info. >>> >>> We should certainly improve the introduction of the chapter 8 to also >>> mention that the General Adapter Config will also be used to configure the >>> keycloak Web/js/ ... client ( >>> https://github.com/keycloak/keycloak/blob/master/examples/basic-auth/src/main/webapp/WEB-INF/keycloak.json) >>> connected to a keycloak server >>> >> >> General adapter config is not applicable to js adapter. It only uses >> realm, auth-server-url and resource. >> >> >>> >>> Remark : >>> >>> Is this sentence still relevant (chapter 8.1 --> Also, you can obtain a >>> template for this config file from the admin console. Go to the realm and >>> select the application you want a template for. Go to the Installation tab >>> and this will provide you with a template that includes the public key of >>> the realm.) as I don't see from the console (1.9.0.Final) how I can get a >>> config template file for an application ... ? >>> >> >> Yes, although it should be client, not application. 
>> >> >>> >>> >>> >>> >>> On 04/03/16 10:31, Marko Strukelj wrote: >>> >>> Take a look at the docs: >>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config >>> >>> On Fri, Mar 4, 2016 at 10:12 AM, Charles Moulliard < >>> cmoulliard at redhat.com> wrote: >>> >>>> Hi, >>>> >>>> Do we have a doc explaining how to configure the syntax (= fields + >>>> values) of the keycloak.json file be used to configure the web/js >>>> applications integrated with Keycloak Server ? >>>> The only info that I have is the class parsing the file >>>> >>>> https://github.com/cmoulliard/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L30 >>>> >>>> >>>> Regards, >>>> >>>> Charles >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/b6d283eb/attachment.html From mstrukel at redhat.com Fri Mar 4 05:33:57 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 4 Mar 2016 11:33:57 +0100 Subject: [keycloak-user] Doc about keycloak.json syntax In-Reply-To: References: <56D95165.20107@redhat.com> <56D95979.1060305@redhat.com> Message-ID: Ah, I see. So I suppose we're just missing a sentence or two in the docs that would clarify that. On Fri, Mar 4, 2016 at 11:31 AM, Stian Thorgersen wrote: > It doesn't have different syntax, it just only supports a subset of the > fields. 
> > On 4 March 2016 at 11:24, Marko Strukelj wrote: > >> We have a file called keycloak.json (for JS) that has different syntax >> than another file called keycloak.json (for .war)? >> >> On Fri, Mar 4, 2016 at 11:08 AM, Stian Thorgersen >> wrote: >> >>> >>> >>> On 4 March 2016 at 10:46, Charles Moulliard >>> wrote: >>> >>>> Thx for the info. >>>> >>>> We should certainly improve the introduction of the chapter 8 to also >>>> mention that the General Adapter Config will also be used to configure the >>>> keycloak Web/js/ ... client ( >>>> https://github.com/keycloak/keycloak/blob/master/examples/basic-auth/src/main/webapp/WEB-INF/keycloak.json) >>>> connected to a keycloak server >>>> >>> >>> General adapter config is not applicable to js adapter. It only uses >>> realm, auth-server-url and resource. >>> >>> >>>> >>>> Remark : >>>> >>>> Is this sentence still relevant (chapter 8.1 --> Also, you can obtain a >>>> template for this config file from the admin console. Go to the realm and >>>> select the application you want a template for. Go to the Installation tab >>>> and this will provide you with a template that includes the public key of >>>> the realm.) as I don't see from the console (1.9.0.Final) how I can get a >>>> config template file for an application ... ? >>>> >>> >>> Yes, although it should be client, not application. >>> >>> >>>> >>>> >>>> >>>> >>>> On 04/03/16 10:31, Marko Strukelj wrote: >>>> >>>> Take a look at the docs: >>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config >>>> >>>> On Fri, Mar 4, 2016 at 10:12 AM, Charles Moulliard < >>>> cmoulliard at redhat.com> wrote: >>>> >>>>> Hi, >>>>> >>>>> Do we have a doc explaining how to configure the syntax (= fields + >>>>> values) of the keycloak.json file be used to configure the web/js >>>>> applications integrated with Keycloak Server ? 
>>>>> The only info that I have is the class parsing the file >>>>> >>>>> https://github.com/cmoulliard/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L30 >>>>> >>>>> >>>>> Regards, >>>>> >>>>> Charles >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/7f5cc236/attachment-0001.html From Edgar at info.nl Fri Mar 4 06:06:03 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Fri, 4 Mar 2016 11:06:03 +0000 Subject: [keycloak-user] How to increase session/token timeout for reset action emails? In-Reply-To: <159CF628-4424-4A70-A80B-748EA5D71F9B@info.nl> References: <159CF628-4424-4A70-A80B-748EA5D71F9B@info.nl> Message-ID: Some more info: currently we have the "Login action timeout" set to 2 days (48 hours). In the "reset action" emails that are sent to our user we see: "Your adminstrator has just requested that you update your Our Realm account. Click on the link below to start this process. https://gry-test.info.nl/auth/realms/our-realm/login-actions/execute-actions?key=zHyraAkcSzGO6HXXF9uVTrVx4r_b3a8Qk9JqWwF47gI.cf034bbd-2779-4aab-a444-0b86ffc9f948 This link will expire within 2880 minutes." So we assumed that these "Account Session" tokens would remain active for 2 days (=2880 minutes). However this does not seem to be the case. If I am not mistaken these sessions only live 30 minutes, the same as normal user sessions. Are we doing something wrong or is this an issue in Keycloak? 
PS: instead of 'normal' sessions we would really want to use offline tokens for the reset action emails so that the reset action tokens are persisted in the database and can survive a server restart. cheers Edgar > On 04 Mar 2016, at 10:20, Edgar Vonk - Info.nl wrote: > > Hi all, > > We use the "Users > Credentials > Reset Actions (Update Password) > Reset Actions Email" functionality to send out emails to our users so that they can set their password and log in to our application. This seems to result in an "Account Session" for each user. We notice that the timeout for these sessions is too low for our purposes. > > How can we increase it? Is this the "SSO Session Max" setting (default: 10 hours) or something else? We first thought it was the "Login action timeout" but apparently not. We want it to be in the order of several days. > > cheers > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/40378c17/attachment.bin From sthorger at redhat.com Fri Mar 4 06:06:26 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 4 Mar 2016 12:06:26 +0100 Subject: [keycloak-user] Proof Key For Code Exchange In-Reply-To: <7C7BD855C19D7B46BE7AE2B0E5D7794B34CDE70C@G9W0339.americas.hpqcorp.net> References: <7C7BD855C19D7B46BE7AE2B0E5D7794B34CDE70C@G9W0339.americas.hpqcorp.net> Message-ID: Assuming you mean RFC 7637 Proof Key for Code Exchange by OAuth Public Clients we are considering adding it and it's on our road-map. It will be a while until we get around to implementing it though. 
If you'd like to contribute this feature to Keycloak it would be more than welcome assuming it came with tests and documentation. On 3 March 2016 at 17:06, Kalidindi, Sai Soma Kala < sai-soma-kala.kalidindi at hpe.com> wrote: > Hi, > > > > I am a beginner in keycloak. We are trying to implement Proof Key For Code > Exchange in the keycloak, which is deployed as a container in our > production right now. I would appreciate If I can get any helpful links or > advice to implement PKCE. > > > > Thanks, > > Sai. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/bcc0b8b7/attachment.html From a.cserinko at gmail.com Fri Mar 4 06:15:03 2016 From: a.cserinko at gmail.com (Andreas Cserinko) Date: Fri, 4 Mar 2016 12:15:03 +0100 Subject: [keycloak-user] Obtain Google Token In-Reply-To: References: Message-ID: Thank you very much, it works! At least I have one question: How do I know which identity provider is used? Let's say I log in with facebook, how does my Java code know that it must send the rest-call to the facebook-endpoint? Thanks, Andreas 2016-03-04 11:11 GMT+01:00 Stian Thorgersen : > To read the token the user has to have the broker.read-token permission. > The client also needs a scope on it. Please take a look at > http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#d4e2198 > > On 3 March 2016 at 20:28, Andreas Cserinko wrote: > >> Hey guys! >> >> I've been trying since a few days to make a rest-call to >> '/realms/myrealm/broker/google/token' >> from my Java-code. But when I send the request, the response says that >> the token is invalid. I have no clue what token to use.
>> >> Can anybody please describe the flow of how to obtain the right tokens, >> or post some examples how to solve the problem. I looked at the example on >> GitHub ( >> https://github.com/keycloak/keycloak/tree/master/examples/broker/facebook-authentication) >> but this example doesn't fit my needs because it is client-side. >> >> Any help would be appreciated, thanks! >> >> Thank you, >> Andreas >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/0d1df5c7/attachment.html From sthorger at redhat.com Fri Mar 4 06:24:21 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 4 Mar 2016 12:24:21 +0100 Subject: [keycloak-user] Obtain Google Token In-Reply-To: References: Message-ID: Good question - I don't know the answer. Anyone else? On 4 March 2016 at 12:15, Andreas Cserinko wrote: > Thank you very much, it works! At least I have one question: How do I know > which identity provider is used? Let's say I log in with facebook, how does > my Java code know that it must send the rest-call to the facebook-endpoint? > > Thanks, > Andreas > > 2016-03-04 11:11 GMT+01:00 Stian Thorgersen : > >> To read the token the user has to have the broker.read-token permission. >> The client also needs a scope on it. Please take a look at >> http://keycloak.github.io/docs/userguide/keycloak-server/html/identity-broker.html#d4e2198 >> >> On 3 March 2016 at 20:28, Andreas Cserinko wrote: >> >>> Hey guys! >>> >>> I've been trying since a few days to make a rest-call to >>> '/realms/myrealm/broker/google/token' >>> from my Java-code. But when I send the request, the response says that >>> the token is invalid. I have no clue what token to use.
>>> >>> Can anybody please describe the flow of how to obtain the right tokens, >>> or post some examples how to solve the problem. I looked at the example on >>> GitHub ( >>> https://github.com/keycloak/keycloak/tree/master/examples/broker/facebook-authentication) >>> but this example doesn't fit my needs because it is client-side. >>> >>> Any help would be appreciated, thanks! >>> >>> Thank you, >>> Andreas >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/be84f1c1/attachment.html From sthorger at redhat.com Fri Mar 4 07:15:30 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 4 Mar 2016 13:15:30 +0100 Subject: [keycloak-user] Supporting sticky sessions Message-ID: Eventually it would be nice to support the ability for load balancers to send all requests for a particular user session to the same node (browser as well as client requests). More details here: https://issues.jboss.org/browse/KEYCLOAK-2352 Is this a high priority for 1.9 or should it be 2.x? We may be able to put it into 1.9.2 if required. I'd like feedback on how useful folks think it would be as well as feedback on the proposed implementation. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/45274791/attachment-0001.html From olivier.lievre at altran.com Fri Mar 4 07:16:43 2016 From: olivier.lievre at altran.com (LIEVRE Olivier) Date: Fri, 4 Mar 2016 12:16:43 +0000 Subject: [keycloak-user] How to increase session/token timeout for reset action emails?
In-Reply-To: References: <159CF628-4424-4A70-A80B-748EA5D71F9B@info.nl> Message-ID: <5E0EBD68B410924EADA89C5CBD233CD0646DEB30@XMB-DCFR-35.europe.corp.altran.com> Hello, We need exactly the same, so if there is a solution it will also help; a workaround could be to increase SSO Session Idle. @+ oli -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Edgar Vonk - Info.nl Sent: Friday 4 March 2016 12:06 To: keycloak-user Subject: Re: [keycloak-user] How to increase session/token timeout for reset action emails? Some more info: currently we have the "Login action timeout" set to 2 days (48 hours). In the "reset action" emails that are sent to our users we see: "Your administrator has just requested that you update your Our Realm account. Click on the link below to start this process. https://gry-test.info.nl/auth/realms/our-realm/login-actions/execute-actions?key=zHyraAkcSzGO6HXXF9uVTrVx4r_b3a8Qk9JqWwF47gI.cf034bbd-2779-4aab-a444-0b86ffc9f948 This link will expire within 2880 minutes." So we assumed that these "Account Session" tokens would remain active for 2 days (=2880 minutes). However this does not seem to be the case. If I am not mistaken these sessions only live 30 minutes, the same as normal user sessions. Are we doing something wrong or is this an issue in Keycloak? PS: instead of 'normal' sessions we would really want to use offline tokens for the reset action emails so that the reset action tokens are persisted in the database and can survive a server restart. cheers Edgar > On 04 Mar 2016, at 10:20, Edgar Vonk - Info.nl wrote: > > Hi all, > > We use the "Users > Credentials > Reset Actions (Update Password) > Reset Actions Email" functionality to send out emails to our users so that they can set their password and log in to our application. This seems to result in an "Account Session" for each user.
We notice that the timeout for these sessions is too low for our purposes. > > How can we increase it? Is this the "SSO Session Max" setting (default: 10 hours) or something else? We first thought it was the "Login action timeout" but apparently not. We want it to be in the order of several days. > > cheers > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Fri Mar 4 08:52:55 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 4 Mar 2016 08:52:55 -0500 Subject: [keycloak-user] Supporting sticky sessions In-Reply-To: References: Message-ID: <56D99337.2040906@redhat.com> I'm not sure how well keycloak would scale without this. On 3/4/2016 7:15 AM, Stian Thorgersen wrote: > Eventually it would be nice to support the ability for load balancers > to send all requests for a particular user session to the same node > (browser as well as client requests). > > More details here: https://issues.jboss.org/browse/KEYCLOAK-2352 > > Is this a high priority for 1.9 or should it be 2.x? We may be able to > put it into 1.9.2 if required. > > I'd like feedback on how useful folks think it would be as well as > feedback on the proposed implementation. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/a5ef3a6b/attachment.html From samuel.otter at gmail.com Fri Mar 4 09:18:55 2016 From: samuel.otter at gmail.com (Samuel Otter) Date: Fri, 04 Mar 2016 14:18:55 +0000 Subject: [keycloak-user] How to increase session/token timeout for reset action emails?
In-Reply-To: <5E0EBD68B410924EADA89C5CBD233CD0646DEB30@XMB-DCFR-35.europe.corp.altran.com> References: <159CF628-4424-4A70-A80B-748EA5D71F9B@info.nl> <5E0EBD68B410924EADA89C5CBD233CD0646DEB30@XMB-DCFR-35.europe.corp.altran.com> Message-ID: I reported this as a bug a while back: https://issues.jboss.org/browse/KEYCLOAK-2125 I also agree that persisting these tokens would be nice. /Samuel Otter On Fri 4 Mar 2016 13:17 LIEVRE Olivier wrote: > Hello, > > We need exactly the same, so if there is a solution it will also help; a > workaround could be to increase SSO Session Idle. > > @+ > oli > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto: > keycloak-user-bounces at lists.jboss.org] On behalf of Edgar Vonk - Info.nl > Sent: Friday 4 March 2016 12:06 > To: keycloak-user > Subject: Re: [keycloak-user] How to increase session/token timeout for > reset action emails? > > Some more info: currently we have the "Login action timeout" set to 2 days > (48 hours). In the "reset action" emails that are sent to our users we see: > > "Your administrator has just requested that you update your Our Realm > account. Click on the link below to start this process. > > > https://gry-test.info.nl/auth/realms/our-realm/login-actions/execute-actions?key=zHyraAkcSzGO6HXXF9uVTrVx4r_b3a8Qk9JqWwF47gI.cf034bbd-2779-4aab-a444-0b86ffc9f948 > > This link will expire within 2880 minutes." > > So we assumed that these "Account Session" tokens would remain active for > 2 days (=2880 minutes). However this does not seem to be the case. If I am > not mistaken these sessions only live 30 minutes, the same as normal user > sessions. > > Are we doing something wrong or is this an issue in Keycloak? > > PS: instead of 'normal' sessions we would really want to use offline > tokens for the reset action emails so that the reset action tokens are > persisted in the database and can survive a server restart.
> > cheers > > Edgar > > > > On 04 Mar 2016, at 10:20, Edgar Vonk - Info.nl wrote: > > > > Hi all, > > > > We use the "Users > Credentials > Reset Actions (Update Password) > > Reset Actions Email" functionality to send out emails to our users so that > they can set their password and log in to our application. This seems to > result in an "Account Session" for each user. We notice that the timeout > for these sessions is too low for our purposes. > > > > How can we increase it? Is this the "SSO Session Max" setting (default: > 10 hours) or something else? We first thought it was the "Login action > timeout" but apparently not. We want it to be in the order of several days. > > > > cheers > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/b51f9c92/attachment.html From cmoulliard at redhat.com Fri Mar 4 10:01:03 2016 From: cmoulliard at redhat.com (Charles Moulliard) Date: Fri, 4 Mar 2016 16:01:03 +0100 Subject: [keycloak-user] Doc about keycloak.json syntax In-Reply-To: References: <56D95165.20107@redhat.com> <56D95979.1060305@redhat.com> Message-ID: <56D9A32F.3060706@redhat.com> Jira ticket created : https://issues.jboss.org/browse/KEYCLOAK-2598 . On 04/03/16 11:33, Marko Strukelj wrote: > Ah, I see. So I suppose we're just missing a sentence or two in the > docs that would clarify that. > > On Fri, Mar 4, 2016 at 11:31 AM, Stian Thorgersen > wrote: > > It doesn't have different syntax, it just only supports a subset > of the fields.
> > On 4 March 2016 at 11:24, Marko Strukelj > wrote: > > We have a file called keycloak.json (for JS) that has > different syntax than another file called keycloak.json (for > .war)? > > On Fri, Mar 4, 2016 at 11:08 AM, Stian Thorgersen > > wrote: > > > > On 4 March 2016 at 10:46, Charles Moulliard > > wrote: > > Thx for the info. > > We should certainly improve the introduction of the > chapter 8 to also mention that the General Adapter > Config will also be used to configure the keycloak > Web/js/ ... client > (https://github.com/keycloak/keycloak/blob/master/examples/basic-auth/src/main/webapp/WEB-INF/keycloak.json) > connected to a keycloak server > > > General adapter config is not applicable to js adapter. It > only uses realm, auth-server-url and resource. > > > Remark : > > Is this sentence still relevant (chapter 8.1 --> Also, > you can obtain a template for this config file from > the admin console. Go to the realm and select the > application you want a template for. Go to the > Installation tab and this will provide you with a > template that includes the public key of the realm.) > as I don't see from the console (1.9.0.Final) how I > can get a config template file for an application ... ? > > > Yes, although it should be client, not application. > > > > > > On 04/03/16 10:31, Marko Strukelj wrote: >> Take a look at the docs: >> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config >> >> On Fri, Mar 4, 2016 at 10:12 AM, Charles Moulliard >> > > wrote: >> >> Hi, >> >> Do we have a doc explaining how to configure the >> syntax (= fields + >> values) of the keycloak.json file be used to >> configure the web/js >> applications integrated with Keycloak Server ? 
>> The only info that I have is the class parsing >> the file >> https://github.com/cmoulliard/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java#L30 >> >> >> Regards, >> >> Charles >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/8bc65889/attachment-0001.html From sthorger at redhat.com Fri Mar 4 10:18:45 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 4 Mar 2016 16:18:45 +0100 Subject: [keycloak-user] Supporting sticky sessions In-Reply-To: <56D99337.2040906@redhat.com> References: <56D99337.2040906@redhat.com> Message-ID: Users are cached so that helps + it's possible to load balance based on source address. Do you really think that a lot of people will run that many nodes in either case? On 4 March 2016 at 14:52, Bill Burke wrote: > I"m not sure how well keycloak would scale without this. > > > On 3/4/2016 7:15 AM, Stian Thorgersen wrote: > > Eventually it would be nice to support the ability for load balancers to > send all requests for a particular user session to the same node (browser > as well as client requests). > > More details here: https://issues.jboss.org/browse/KEYCLOAK-2352 > > Is this a high priority for 1.9 or should it be 2.x? We may be able to put > it into 1.9.2 if required. > > I'd like feedback on how useful folks think it would be as well as > feedback on the proposed implementation. 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/1806a08f/attachment.html From jorsol at gmail.com Fri Mar 4 10:31:33 2016 From: jorsol at gmail.com (Jorge Solórzano) Date: Fri, 4 Mar 2016 09:31:33 -0600 Subject: [keycloak-user] Supporting sticky sessions In-Reply-To: References: <56D99337.2040906@redhat.com> Message-ID: If the stable branch will be 1.9 which will be the base for the commercial product, then it should make it in 1.9.x. I believe an SSO should be a critical service, reliable, always available and a high performer; if for instance the SSO is not available it can lock out all systems that depend on it. *Ing. Jorge Solórzano* about.me/jorsol On Fri, Mar 4, 2016 at 9:18 AM, Stian Thorgersen wrote: > Users are cached so that helps + it's possible to load balance based on > source address. Do you really think that a lot of people will run that many > nodes in either case? > > On 4 March 2016 at 14:52, Bill Burke wrote: > >> I'm not sure how well keycloak would scale without this. >> >> >> On 3/4/2016 7:15 AM, Stian Thorgersen wrote: >> >> Eventually it would be nice to support the ability for load balancers to >> send all requests for a particular user session to the same node (browser >> as well as client requests). >> >> More details here: https://issues.jboss.org/browse/KEYCLOAK-2352 >> >> Is this a high priority for 1.9 or should it be 2.x? We may be able to >> put it into 1.9.2 if required.
>> >> I'd like feedback on how useful folks think it would be as well as >> feedback on the proposed implementation. >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/4185f597/attachment.html From bburke at redhat.com Fri Mar 4 10:34:04 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 4 Mar 2016 10:34:04 -0500 Subject: [keycloak-user] Supporting sticky sessions In-Reply-To: References: <56D99337.2040906@redhat.com> Message-ID: <56D9AAEC.1030500@redhat.com> There's a minimum of 4 Http Requests. There are about 6 SQL queries to load a user. So, if there are 2 nodes, you have minimum 12 queries for an uncached user. It really all depends how big the cache can be. Couldn't a million users be cached on a pretty inexpensive box? My laptop has 32 gig ram. 10K per user is 10 gigs for a million users. Then, depending on UserSession ownership setting, you have pulling/grabbing/replication of the client sessions as you hop between nodes. This is the one that can't be fixed. I don't know how much of a big deal it is. On 3/4/2016 10:18 AM, Stian Thorgersen wrote: > Users are cached so that helps + it's possible to load balance based > on source address. Do you really think that a lot of people will run > that many nodes in either case?
> > On 4 March 2016 at 14:52, Bill Burke > wrote: > > I'm not sure how well keycloak would scale without this. > > > On 3/4/2016 7:15 AM, Stian Thorgersen wrote: >> Eventually it would be nice to support the ability for load >> balancers to send all requests for a particular user session to >> the same node (browser as well as client requests). >> >> More details here: https://issues.jboss.org/browse/KEYCLOAK-2352 >> >> Is this a high priority for 1.9 or should it be 2.x? We may be >> able to put it into 1.9.2 if required. >> >> I'd like feedback on how useful folks think it would be as well >> as feedback on the proposed implementation. >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/85e07126/attachment.html From jaxley at expedia.com Fri Mar 4 11:21:27 2016 From: jaxley at expedia.com (Jason Axley) Date: Fri, 4 Mar 2016 16:21:27 +0000 Subject: [keycloak-user] Proof Key For Code Exchange In-Reply-To: References: <7C7BD855C19D7B46BE7AE2B0E5D7794B34CDE70C@G9W0339.americas.hpqcorp.net> Message-ID: <662DA202-2DB3-48F3-8BC4-CBD882FE3194@expedia.com> +1 OAuth bearer tokens considered harmful.
BTW, I think you mean RFC 7636: https://tools.ietf.org/html/rfc7636 There's also this draft that the OAuth WG is continuing to push forward regarding Proof of Possession for authentication of JWT: https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/ Not sure how they frame these two seemingly competing approaches. Offhand I don't see a JIRA about this? -Jason From: > on behalf of Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Friday, March 4, 2016 at 3:06 AM To: "Kalidindi, Sai Soma Kala" > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Proof Key For Code Exchange Assuming you mean RFC 7637 Proof Key for Code Exchange by OAuth Public Clients we are considering adding it and it's on our road-map. It will be a while until we get around to implementing it though. If you'd like to contribute this feature to Keycloak it would be more than welcome assuming it came with tests and documentation. On 3 March 2016 at 17:06, Kalidindi, Sai Soma Kala > wrote: Hi, I am a beginner in keycloak. We are trying to implement Proof Key For Code Exchange in the keycloak, which is deployed as a container in our production right now. I would appreciate If I can get any helpful links or advice to implement PKCE. Thanks, Sai. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/09d9ed94/attachment-0001.html From cmoulliard at redhat.com Fri Mar 4 11:26:00 2016 From: cmoulliard at redhat.com (Charles Moulliard) Date: Fri, 4 Mar 2016 17:26:00 +0100 Subject: [keycloak-user] keycloak javascript resources- how are they added Message-ID: <56D9B718.4020709@redhat.com> Hi, The console-js demo part of the keycloak examples contains a reference to the keycloak.js script "" but this resource isn't packaged within the code source of the project - https://www.dropbox.com/s/hg6tfi3samdskn9/Screenshot%202016-03-04%2017.20.22.png?dl=0 So, how is this js script (https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js) packaged and deployed on the keycloak demo server? The doc is not really explicit about that : http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#javascript-adapter Regards, Charles From sblanc at redhat.com Fri Mar 4 11:39:03 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 4 Mar 2016 17:39:03 +0100 Subject: [keycloak-user] keycloak javascript resources- how are they added In-Reply-To: <56D9B718.4020709@redhat.com> References: <56D9B718.4020709@redhat.com> Message-ID: If you want to package it with your js app, you can just add the file "manually" to your project or if you are using npm, there is a module for that https://www.npmjs.com/package/keycloak-js On Fri, Mar 4, 2016 at 5:26 PM, Charles Moulliard wrote: > Hi, > > The console-js demo part of the keycloak examples contains a reference > to the keycloak.js script > > "" > > but this resource isn't packaged within the code source of the project > - > > https://www.dropbox.com/s/hg6tfi3samdskn9/Screenshot%202016-03-04%2017.20.22.png?dl=0 > > So, how is this js script > ( > https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js > ) > packaged and deployed on the keycloak demo server?
The doc is not really > explicit about that : > > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#javascript-adapter > > Regards, > > Charles > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/1e8d40b2/attachment.html From cmoulliard at redhat.com Fri Mar 4 12:12:33 2016 From: cmoulliard at redhat.com (Charles Moulliard) Date: Fri, 4 Mar 2016 18:12:33 +0100 Subject: [keycloak-user] how keycloak.json file is loaded by the js ? Message-ID: <56D9C201.9050204@redhat.com> Hi, How is the keycloak.json file loaded by the keycloak.js script as I don't see any value like this "cors-allowed-methods" within the keycloak.js file ? Regards, Charles From sblanc at redhat.com Fri Mar 4 12:18:22 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 4 Mar 2016 18:18:22 +0100 Subject: [keycloak-user] how keycloak.json file is loaded by the js ? In-Reply-To: <56D9C201.9050204@redhat.com> References: <56D9C201.9050204@redhat.com> Message-ID: No CORS stuff needed as the keycloak.json will always be on the same domain as the app, it happens here https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js#L523 On Fri, Mar 4, 2016 at 6:12 PM, Charles Moulliard wrote: > Hi, > > How is the keycloak.json file loaded by the keycloak.js script as I > don't see any value like this "cors-allowed-methods" within the > keycloak.js file ? > > Regards, > > Charles > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/a53d1afa/attachment.html From cmoulliard at redhat.com Fri Mar 4 12:39:49 2016 From: cmoulliard at redhat.com (Charles Moulliard) Date: Fri, 4 Mar 2016 18:39:49 +0100 Subject: [keycloak-user] how keycloak.json file is loaded by the js ? In-Reply-To: References: <56D9C201.9050204@redhat.com> Message-ID: <56D9C865.40407@redhat.com> So only these fields are required for the keycloak.js client ? kc.authServerUrl = config['auth-server-url']; kc.realm = config['realm']; kc.clientId = config['resource']; kc.clientSecret = (config['credentials'] || {})['secret']; My confusion comes from that chapter which refers to the adapter config doc (http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config). As js is also an adapter, I was thinking that all these values were also used by js client ;-) On 04/03/16 18:18, Sebastien Blanc wrote: > No CORS stuff needed as the keycloak.json will always be on the same > domain as the app, it happens here > https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js#L523 > > On Fri, Mar 4, 2016 at 6:12 PM, Charles Moulliard > > wrote: > > Hi, > > How is the keycloak.json file loaded by the keycloak.js script as I > don't see any value like this "cors-allowed-methods" within the > keycloak.js file ? > > Regards, > > Charles > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/21c4e707/attachment.html From cmoulliard at redhat.com Fri Mar 4 12:49:27 2016 From: cmoulliard at redhat.com (Charles Moulliard) Date: Fri, 4 Mar 2016 18:49:27 +0100 Subject: [keycloak-user] how keycloak.json file is loaded by the js ? 
In-Reply-To: <56D9C865.40407@redhat.com> References: <56D9C201.9050204@redhat.com> <56D9C865.40407@redhat.com> Message-ID: <56D9CAA7.40905@redhat.com> And the java client adapter uses these values /** * Configuration for Java based adapters * * @author Bill Burke * @version $Revision: 1 $ */ @JsonPropertyOrder({"realm", "realm-public-key", "auth-server-url", "ssl-required", "resource", "public-client", "credentials", "use-resource-role-mappings", "enable-cors", "cors-max-age", "cors-allowed-methods", "expose-token", "bearer-only", "connection-pool-size", "allow-any-hostname", "disable-trust-manager", "truststore", "truststore-password", "client-keystore", "client-keystore-password", "client-key-password", "auth-server-url-for-backend-requests", "always-refresh-token", "register-node-at-startup", "register-node-period", "token-store", "principal-attribute" }) On 04/03/16 18:39, Charles Moulliard wrote: > So only these fields are required for the keycloak.js client ? > > kc.authServerUrl = config['auth-server-url']; > kc.realm = config['realm']; > kc.clientId = config['resource']; > kc.clientSecret = (config['credentials'] > || {})['secret']; > > My confusion comes from that chapter which refers to the adapter > config doc > (http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config). > As js is also an adapter, I was thinking that all these values were > also used by js client ;-) > > > On 04/03/16 18:18, Sebastien Blanc wrote: >> No CORS stuff needed as the keycloak.json will always be on the same >> domain as the app, it happens here >> https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js#L523 >> >> On Fri, Mar 4, 2016 at 6:12 PM, Charles Moulliard >> > wrote: >> >> Hi, >> >> How is the keycloak.json file loaded by the keycloak.js script as I >> don't see any value like this "cors-allowed-methods" within the >> keycloak.js file ? 
>> >> Regards, >> >> Charles >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/e951f48f/attachment-0001.html From thiagoleocosta at gmail.com Fri Mar 4 13:37:18 2016 From: thiagoleocosta at gmail.com (Thiago Leonardo) Date: Fri, 4 Mar 2016 15:37:18 -0300 Subject: [keycloak-user] Credentials on create a new user. Message-ID: Hi, I am trying to create a new user with the admin-client, but the credentials are not saved. The new user is saved normally. Can you help me? My code is:

import java.util.Arrays;

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

// Admin client logged in as a realm administrator through the admin-cli client
Keycloak kc = KeycloakBuilder.builder()
        .serverUrl("http://localhost:8080/auth")
        .realm("Realm")
        .username(username)
        .password(password)
        .clientId("admin-cli")
        .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
        .build();

// The new user: username and e-mail are both the e-mail address
UserRepresentation newUser = new UserRepresentation();
newUser.setUsername(user.getEmail());
newUser.setFirstName(user.getName());
newUser.setEmail(user.getEmail());
newUser.setEnabled(true);

// Temporary initial password (the user is forced to change it at first login)
CredentialRepresentation credential = new CredentialRepresentation();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue(user.getEmail());
credential.setTemporary(true);

// Credentials attached to the representation passed to create()
newUser.setCredentials(Arrays.asList(credential));
kc.realm("Realm").users().create(newUser);

Regards, Thiago -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/60cfb02d/attachment.html From sai-soma-kala.kalidindi at hpe.com Fri Mar 4 16:58:15 2016 From: sai-soma-kala.kalidindi at hpe.com (Kalidindi, Sai Soma Kala) Date: Fri, 4 Mar 2016 21:58:15 +0000 Subject: [keycloak-user] Proof Key For Code Exchange In-Reply-To: <662DA202-2DB3-48F3-8BC4-CBD882FE3194@expedia.com> References: <7C7BD855C19D7B46BE7AE2B0E5D7794B34CDE70C@G9W0339.americas.hpqcorp.net> <662DA202-2DB3-48F3-8BC4-CBD882FE3194@expedia.com> Message-ID: <7C7BD855C19D7B46BE7AE2B0E5D7794B34CDFFF9@G9W0339.americas.hpqcorp.net> Hi, I do mean RFC 7636: https://tools.ietf.org/html/rfc7636. I would like to contribute the PKCE feature to keycloak. I would appreciate it if you can provide some guidance to get me started. Thanks, Sai. From: > on behalf of Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Friday, March 4, 2016 at 3:06 AM To: "Kalidindi, Sai Soma Kala" > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Proof Key For Code Exchange Assuming you mean RFC 7637 Proof Key for Code Exchange by OAuth Public Clients we are considering adding it and it's on our road-map. It will be a while until we get around to implementing it though. If you'd like to contribute this feature to Keycloak it would be more than welcome assuming it came with tests and documentation. On 3 March 2016 at 17:06, Kalidindi, Sai Soma Kala > wrote: Hi, I am a beginner in keycloak. We are trying to implement Proof Key For Code Exchange in the keycloak, which is deployed as a container in our production right now. I would appreciate it if I can get any helpful links or advice to implement PKCE. Thanks, Sai. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160304/0b414c20/attachment.html From chairfield at gmail.com Fri Mar 4 21:22:33 2016 From: chairfield at gmail.com (Chris Hairfield) Date: Sat, 05 Mar 2016 02:22:33 +0000 Subject: [keycloak-user] Credentials on create a new user. In-Reply-To: References: Message-ID: I've been encountering the same issue with 1.4.0 and 1.6.1 and assume it's by design. I believe I've come across past threads confirming this. My solution is to first create the user, then hit the reset password API, and, as a final and optional step, update the user with an empty requiredActions array to clear the Update Password action inherent in the reset password flow. Hopefully someone that is more sure can step in to confirm. On Fri, Mar 4, 2016, 11:38 AM Thiago Leonardo wrote: > Hi, > > I'am trying create a new user in admin-client, but the credentials are not > saved. > The new user is saved normaly. Can you help me ? > > My code is: > > Keycloak kc = KeycloakBuilder.builder() > .serverUrl("http://localhost:8080/auth") > .realm("Realm") > .username(username) > .password(password) > .clientId("admin-cli") > .resteasyClient( new > ResteasyClientBuilder().connectionPoolSize(10).build() ) > .build(); > > UserRepresentation newUser = new UserRepresentation(); > newUser.setUsername(user.getEmail()); > newUser.setFirstName(user.getName()); > newUser.setEmail(usuario.getEmail()); > newUser.setEnabled(true); > > CredentialRepresentation credential = new CredentialRepresentation(); > credential.setType(CredentialRepresentation.PASSWORD); > credential.setValue(user.getEmail()); > credential.setTemporary(true); > > newUser.setCredentials(Arrays.asList(credential)); > kc.realm("Realm").users().create(newUser); > > > Regards, > > Thiago > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- 
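The two-request sequence described in this reply (create the user, then set the password through the reset-password endpoint, optionally clearing required actions), written out as an added example; it is not the Keycloak admin-client, and the fake server it runs against is constructed for the example. The endpoint paths are those of the Keycloak Admin REST API; `transport`, `makeFakeAdminServer` and the `user-N` ids are assumptions of the example.

```javascript
// Admin REST endpoints used:
//   POST {base}/admin/realms/{realm}/users                      -> 201, Location: .../users/{id}
//   PUT  {base}/admin/realms/{realm}/users/{id}/reset-password  body: CredentialRepresentation
//   PUT  {base}/admin/realms/{realm}/users/{id}                 body: UserRepresentation
// `transport` is an injected function ({method, url, headers, body}) -> {status, headers, body}
// so the same flow runs against a real server (wrap fetch/axios) or against the fake below.

function userIdFromLocation(location) {
  const segments = location.split('/').filter(Boolean);
  return segments[segments.length - 1];
}

function createUserWithPassword(transport, opts) {
  const { base, realm, token, user, password, temporary = false, clearRequiredActions = false } = opts;
  const headers = { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };
  const usersUrl = `${base}/admin/realms/${encodeURIComponent(realm)}/users`;

  // Request 1: create the user without credentials (the thread reports that
  // credentials sent with the create request are not stored).
  const created = transport({ method: 'POST', url: usersUrl, headers, body: JSON.stringify(user) });
  if (created.status !== 201) throw new Error(`create user failed: HTTP ${created.status}`);
  const userId = userIdFromLocation(created.headers.location);

  // Request 2: set the password. temporary=false avoids the UPDATE_PASSWORD
  // required action that a temporary reset adds.
  const credential = { type: 'password', value: password, temporary };
  const reset = transport({ method: 'PUT', url: `${usersUrl}/${userId}/reset-password`, headers, body: JSON.stringify(credential) });
  if (reset.status !== 204) throw new Error(`reset-password failed: HTTP ${reset.status}`);

  // Optional request 3: clear the required action left by a temporary reset.
  if (clearRequiredActions) {
    const update = transport({ method: 'PUT', url: `${usersUrl}/${userId}`, headers, body: JSON.stringify({ ...user, requiredActions: [] }) });
    if (update.status !== 204) throw new Error(`update user failed: HTTP ${update.status}`);
  }
  return userId;
}

// Constructed stand-in for the server so the flow runs offline: keeps users in a
// Map, logs the calls it receives and mimics the status codes listed above.
function makeFakeAdminServer(base) {
  const users = new Map();
  const log = [];
  function transport(req) {
    const path = req.url.slice(base.length);
    log.push(`${req.method} ${path}`);
    if (!/^Bearer \S+$/.test(req.headers.Authorization || '')) return { status: 401, headers: {}, body: '' };
    const m = path.match(/^\/admin\/realms\/[^\/]+\/users(?:\/([^\/]+)(\/reset-password)?)?$/);
    if (!m) return { status: 404, headers: {}, body: '' };
    const [, id, isReset] = m;
    const body = req.body ? JSON.parse(req.body) : {};
    if (req.method === 'POST' && !id) {
      const newId = `user-${users.size + 1}`;
      users.set(newId, { ...body, requiredActions: body.requiredActions || [], credentials: [] });
      return { status: 201, headers: { location: `${req.url}/${newId}` }, body: '' };
    }
    const stored = users.get(id);
    if (!stored) return { status: 404, headers: {}, body: '' };
    if (req.method === 'PUT' && isReset) {
      // A real server hashes the password; only the credential metadata is kept here.
      stored.credentials = [{ type: body.type, temporary: body.temporary }];
      if (body.temporary) stored.requiredActions = ['UPDATE_PASSWORD'];
      return { status: 204, headers: {}, body: '' };
    }
    if (req.method === 'PUT') {
      Object.assign(stored, body);
      return { status: 204, headers: {}, body: '' };
    }
    return { status: 405, headers: {}, body: '' };
  }
  return { transport, users, log };
}
```

Against a real server, `transport` would also have to obtain the admin token first; the example takes the token as an input so that step stays outside the user-creation logic.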
An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160305/2236c0cc/attachment-0001.html From chairfield at gmail.com Fri Mar 4 21:35:38 2016 From: chairfield at gmail.com (Chris Hairfield) Date: Sat, 05 Mar 2016 02:35:38 +0000 Subject: [keycloak-user] Encoding theme selection in realm? Message-ID: We've built some themes, login and email, and configured our Keycloak 1.6.1 such that the theme is available in both dropdowns on the first start of the server, but I'd like to optimize a bit more. Since we import our realms, is it possible to configure them such that our theme is selected without any manual input? On a related note, is it possible to configure the admin user such that we don't need to reset their password on first start of the server? We expect to upgrade to 1.7.x or higher soon, which may be relevant given how the admin account is removed. I'd be curious to know whether my ask is possible on either 1.6.1 or higher. Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160305/e9145984/attachment.html From bburke at redhat.com Sat Mar 5 07:18:21 2016 From: bburke at redhat.com (Bill Burke) Date: Sat, 5 Mar 2016 07:18:21 -0500 Subject: [keycloak-user] Credentials on create a new user. In-Reply-To: References: Message-ID: <56DACE8D.3020401@redhat.com> If you pass in temporary = false in the json rep, then it won't set up the required action. On 3/4/2016 9:22 PM, Chris Hairfield wrote: > > I've been encountering the same issue with 1.4.0 and 1.6.1 and assume > it's by design. I believe I've come across past threads confirming this. > > My solution is to first create the user, then hit the reset password > API, and, as a final and optional step, update the user with an empty > requiredActions array to clear the Update Password action inherent in > the reset password flow. 
> > Hopefully someone that is more sure can step in to confirm. > > > On Fri, Mar 4, 2016, 11:38 AM Thiago Leonardo > > wrote: > > Hi, > > I'am trying create a new user in admin-client, but the credentials > are not saved. > The new user is saved normaly. Can you help me ? > > My code is: > > Keycloak kc = KeycloakBuilder.builder() > .serverUrl("http://localhost:8080/auth") > .realm("Realm") > .username(username) > .password(password) > .clientId("admin-cli") > .resteasyClient( new > ResteasyClientBuilder().connectionPoolSize(10).build() ) > .build(); > > UserRepresentation newUser = new UserRepresentation(); > newUser.setUsername(user.getEmail()); > newUser.setFirstName(user.getName()); > newUser.setEmail(usuario.getEmail()); > newUser.setEnabled(true); > > CredentialRepresentation credential = new CredentialRepresentation(); > credential.setType(CredentialRepresentation.PASSWORD); > credential.setValue(user.getEmail()); > credential.setTemporary(true); > > newUser.setCredentials(Arrays.asList(credential)); > kc.realm("Realm").users().create(newUser); > > > Regards, > > Thiago > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160305/07a6bb0a/attachment.html From sthorger at redhat.com Mon Mar 7 01:07:32 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 7 Mar 2016 07:07:32 +0100 Subject: [keycloak-user] Credentials on create a new user. 
In-Reply-To: <56DACE8D.3020401@redhat.com> References: <56DACE8D.3020401@redhat.com> Message-ID: We'll fix this in the future so you can do a single post with new user, including credentials and role mappings. For now you'll have to do the two separate requests though. On 5 March 2016 at 13:18, Bill Burke wrote: > If you pass in temporary = false in the json rep, then it won't set up the > required action. > > > On 3/4/2016 9:22 PM, Chris Hairfield wrote: > > I've been encountering the same issue with 1.4.0 and 1.6.1 and assume it's > by design. I believe I've come across past threads confirming this. > > My solution is to first create the user, then hit the reset password API, > and, as a final and optional step, update the user with an empty > requiredActions array to clear the Update Password action inherent in the > reset password flow. > > Hopefully someone that is more sure can step in to confirm. > > On Fri, Mar 4, 2016, 11:38 AM Thiago Leonardo > wrote: > >> Hi, >> >> I'am trying create a new user in admin-client, but the credentials are >> not saved. >> The new user is saved normaly. Can you help me ? 
>> >> My code is: >> >> Keycloak kc = KeycloakBuilder.builder() >> .serverUrl(" http://localhost:8080/auth") >> .realm("Realm") >> .username(username) >> .password(password) >> .clientId("admin-cli") >> .resteasyClient( new >> ResteasyClientBuilder().connectionPoolSize(10).build() ) >> .build(); >> >> UserRepresentation newUser = new UserRepresentation(); >> newUser.setUsername(user.getEmail()); >> newUser.setFirstName(user.getName()); >> newUser.setEmail(usuario.getEmail()); >> newUser.setEnabled(true); >> >> CredentialRepresentation credential = new CredentialRepresentation(); >> credential.setType(CredentialRepresentation.PASSWORD); >> credential.setValue(user.getEmail()); >> credential.setTemporary(true); >> >> newUser.setCredentials(Arrays.asList(credential)); >> kc.realm("Realm").users().create(newUser); >> >> >> Regards, >> >> Thiago >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/b236c6a5/attachment.html From sthorger at redhat.com Mon Mar 7 01:12:16 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 7 Mar 2016 07:12:16 +0100 Subject: [keycloak-user] Encoding theme selection in realm? 
In-Reply-To: References: Message-ID: On 5 March 2016 at 03:35, Chris Hairfield wrote: > We've built some themes, login and email, and configured our Keycloak > 1.6.1 such that the theme is available in both dropdowns on the first start > of the server, but I'd like to optimize a bit more. Since we import our > realms, is it possible to configure them such that our theme is selected > without any manual input? If you are handcrafting the realms you are importing then just add loginTheme and emailTheme fields on the realm. If you are using export, then the themes should already be set. > > On a related note, is it possible to configure the admin user such that we > don't need to reset their password on first start of the server? We expect > to upgrade to 1.7.x or higher soon, which may be relevant given how the > admin account is removed. I'd be curious to know whether my ask is possible > on either 1.6.1 or higher. > Upgrade to 1.9.x! See http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 for more details on admin user > > Thanks! > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/77a3486f/attachment-0001.html From sthorger at redhat.com Mon Mar 7 01:19:38 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 7 Mar 2016 07:19:38 +0100 Subject: [keycloak-user] Proof Key For Code Exchange In-Reply-To: <7C7BD855C19D7B46BE7AE2B0E5D7794B34CDFFF9@G9W0339.americas.hpqcorp.net> References: <7C7BD855C19D7B46BE7AE2B0E5D7794B34CDE70C@G9W0339.americas.hpqcorp.net> <662DA202-2DB3-48F3-8BC4-CBD882FE3194@expedia.com> <7C7BD855C19D7B46BE7AE2B0E5D7794B34CDFFF9@G9W0339.americas.hpqcorp.net> Message-ID: Sai, Take a look at https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md. For implementation on the server side the flows are implemented in TokenEndpoint ( https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java). We'd also need this added to the JavaScript adapter https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js . For testing we're in process of moving our tests to Arquillian so new tests should be added to https://github.com/keycloak/keycloak/tree/master/testsuite/integration-arquillian, while currently most OpenID Connect/OAuth tests are in the old testsuite (embedded server). There's also a lack of documentation around OpenID Connect/OAuth, but we aim to add a chapter that includes details about what we implement, endpoints, etc.. A contribution around this would be great. One thing to clarify is that we will not accept any PRs without proper testing or documentation. If you have any further questions please ask, but you'll need to be a bit more specific than "provide some guidance" ;) On 4 March 2016 at 22:58, Kalidindi, Sai Soma Kala < sai-soma-kala.kalidindi at hpe.com> wrote: > > > > > Hi, > > > > I do mean RFC 7636: https://tools.ietf.org/html/rfc7636. I would like to > contribute PKCE feature to keycloak,. 
I would appreciate it if you can > provide some guidance to get me started. > > > > Thanks, > > Sai. > > > > *From: * on behalf of Stian > Thorgersen > *Reply-To: *"stian at redhat.com" > *Date: *Friday, March 4, 2016 at 3:06 AM > *To: *"Kalidindi, Sai Soma Kala" > *Cc: *"keycloak-user at lists.jboss.org" > *Subject: *Re: [keycloak-user] Proof Key For Code Exchange > > > > Assuming you mean RFC 7637 Proof Key for Code Exchange by OAuth Public > Clients we are considering adding it and it's on our road-map. It will be a > while until we get around to implementing it though. > > > > If you'd like to contribute this feature to Keycloak it would be more than > welcome assuming it came with tests and documentation. > > > > On 3 March 2016 at 17:06, Kalidindi, Sai Soma Kala < > sai-soma-kala.kalidindi at hpe.com> wrote: > > Hi, > > > > I am a beginner in keycloak. We are trying to implement Proof Key For Code > Exchange in the keycloak, which is deployed as a container in our > production right now. I would appreciate If I can get any helpful links or > advice to implement PKCE. > > > > Thanks, > > Sai. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/de25d5fa/attachment.html From sthorger at redhat.com Mon Mar 7 01:35:46 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 7 Mar 2016 07:35:46 +0100 Subject: [keycloak-user] how keycloak.json file is loaded by the js ? In-Reply-To: <56D9CAA7.40905@redhat.com> References: <56D9C201.9050204@redhat.com> <56D9C865.40407@redhat.com> <56D9CAA7.40905@redhat.com> Message-ID: It's not clear from the documentation, but the general adapter config only applies to server-side adapters (WildFly, Tomcat, etc.). 
The JavaScript adapter only reads a subset of the properties (auth-server-url, realm, resource). On 4 March 2016 at 18:49, Charles Moulliard wrote: > And the java client adapter uses these values > > /** > * Configuration for Java based adapters > * > * @author >Bill > Burke > * @version $Revision: 1 $ > */ > @JsonPropertyOrder({"realm", "realm-public-key", "auth-server-url", > "ssl-required", > "resource", "public-client", "credentials", > "use-resource-role-mappings", > "enable-cors", "cors-max-age", "cors-allowed-methods", > "expose-token", "bearer-only", > "connection-pool-size", > "allow-any-hostname", "disable-trust-manager", "truststore", > "truststore-password", > "client-keystore", "client-keystore-password", > "client-key-password", > "auth-server-url-for-backend-requests", "always-refresh-token", > "register-node-at-startup", "register-node-period", "token-store", > "principal-attribute" > }) > > > On 04/03/16 18:39, Charles Moulliard wrote: > > So only these fields are required for the keycloak.js client ? > > kc.authServerUrl = config['auth-server-url']; > kc.realm = config['realm']; > kc.clientId = config['resource']; > kc.clientSecret = (config['credentials'] || > {})['secret']; > > My confusion comes from that chapter which refers to the adapter config > doc ( > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config). > As js is also an adapter, I was thinking that all these values were also > used by js client ;-) > > > On 04/03/16 18:18, Sebastien Blanc wrote: > > No CORS stuff needed as the keycloak.json will always be on the same > domain as the app, it happens here > > https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js#L523 > > On Fri, Mar 4, 2016 at 6:12 PM, Charles Moulliard < > cmoulliard at redhat.com> wrote: > >> Hi, >> >> How is the keycloak.json file loaded by the keycloak.js script as I >> don't see any value like this "cors-allowed-methods" within the >> keycloak.js file ? 
>> >> Regards, >> >> Charles >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/0b3b4257/attachment.html From sthorger at redhat.com Mon Mar 7 01:37:23 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 7 Mar 2016 07:37:23 +0100 Subject: [keycloak-user] how keycloak.json file is loaded by the js ? In-Reply-To: References: <56D9C201.9050204@redhat.com> Message-ID: On 4 March 2016 at 18:18, Sebastien Blanc wrote: > No CORS stuff needed as the keycloak.json will always be on the same > domain as the app, it happens here > https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js#L523 > keycloak.json can be loaded from anywhere (see http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#javascript-adapter), but it'd be up to whatever serves it to make sure CORS headers are added. > > > On Fri, Mar 4, 2016 at 6:12 PM, Charles Moulliard > wrote: > >> Hi, >> >> How is the keycloak.json file loaded by the keycloak.js script as I >> don't see any value like this "cors-allowed-methods" within the >> keycloak.js file ? 
>> >> Regards, >> >> Charles >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/0fee8740/attachment-0001.html From sthorger at redhat.com Mon Mar 7 02:03:40 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 7 Mar 2016 08:03:40 +0100 Subject: [keycloak-user] keycloak javascript resources- how are they added In-Reply-To: <56D9B718.4020709@redhat.com> References: <56D9B718.4020709@redhat.com> Message-ID: ATM the examples assume they are using the demo distro and so are deployed to the same server. That's obviously not great and something we want to improve. For your own apps you have the choice of: * Load keycloak.js directly from KC server (/auth/js/keycloak.js) * Add to your app (copy from /auth/js/keycloak.js, use Bower or just download it from keycloak.org/downloads) On 4 March 2016 at 17:26, Charles Moulliard wrote: > Hi, > > The console-js demo part of the keycloak examples contains a reference > to the keycloak.js script > > "" > > but this resource isn't packaged within the code source of the project > - > > https://www.dropbox.com/s/hg6tfi3samdskn9/Screenshot%202016-03-04%2017.20.22.png?dl=0 > > So, how is this js script > ( > https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js > ) > packaged and deployed on the keycloak demo server? 
The doc is not really > explicit about that : > > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#javascript-adapter > > Regards, > > Charles > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/1461dd8e/attachment.html From sthorger at redhat.com Mon Mar 7 03:11:25 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 7 Mar 2016 09:11:25 +0100 Subject: [keycloak-user] Best practices for securing sign-in on mobile Message-ID: Our Cordova adapter uses a webview (via cordova-plugin-inappbrowser) to open the login page. This results in no SSO between applications and it also has some security implications. A better approach is to use in-app browser tabs when supported or fall back to the system browser. See https://www.youtube.com/watch?v=ppeU8yeI_ks for more details. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/0cbcdf89/attachment.html From mposolda at redhat.com Mon Mar 7 05:46:07 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 7 Mar 2016 11:46:07 +0100 Subject: [keycloak-user] Supporting sticky sessions In-Reply-To: <56D9AAEC.1030500@redhat.com> References: <56D99337.2040906@redhat.com> <56D9AAEC.1030500@redhat.com> Message-ID: <56DD5BEF.8050708@redhat.com> On 04/03/16 16:34, Bill Burke wrote: > There's a minimum of 4 Http Requests. There is about 6 SQL queries to > load a user. So, if there is 2 nodes, you have minimum 12 queries for > an uncached user. It really all depends how big the cache can be. > Couldn't a million users be cached on a pretty inexpensive box? My > laptop has 32 gig ram. 10K per user is 10 gigs for a million users. 
> > Then, depending on UserSession ownership setting, you have > pulling/grabbing/replication of the client sessions as you hop between > nodes. This is the one that can't be fixed. I don't know how much of > a big deal it is. Just one important thing about how distributed infinispan caches work by default. I think it's quite important and may not be obvious, so writing it here just in case. Feel free to ignore if you're already aware of it. If you have numOwners=1 in configuration and on node1 you call: cache.put("session-id1", userSession1); It doesn't mean that session is automatically saved on the local node (node1 in this case). Session can be saved internally on node2 and when you call on node1: cache.get("session-id1"); you may always have some remote cluster calls to look up the session from node2. It seems by default infinispan decides just based on the hash of key (sessionId in our case). Hopefully it's possible to change this behaviour by using some custom hash factory : http://infinispan.org/docs/8.2.x/user_guide/user_guide.html#_hashing_algorithms . IMO we should first investigate this, otherwise we may end up with a situation where we implement sticky sessions support, but there won't be any performance gain regarding userSessions lookup because of this infinispan behaviour. Marek > > On 3/4/2016 10:18 AM, Stian Thorgersen wrote: >> Users are cached so that helps + it's possible to load balance based >> on source address. Do you really think that a lot of people will run >> that many nodes in either case? >> >> On 4 March 2016 at 14:52, Bill Burke > > wrote: >> >> I'm not sure how well keycloak would scale without this. >> >> >> On 3/4/2016 7:15 AM, Stian Thorgersen wrote: >>> Eventually it would be nice to support the ability for load >>> balancers to send all requests for a particular user session to >>> the same node (browser as well as client requests). 
>>> >>> More details here: https://issues.jboss.org/browse/KEYCLOAK-2352 >>> >>> Is this a high priority for 1.9 or should it be 2.x? We may be >>> able to put it into 1.9.2 if required. >>> >>> I'd like feedback on how useful folks think it would be as well >>> as feedback on the proposed implementation. >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/263081b2/attachment.html From adrianmatei at gmail.com Mon Mar 7 07:19:58 2016 From: adrianmatei at gmail.com (Adrian Matei) Date: Mon, 7 Mar 2016 13:19:58 +0100 Subject: [keycloak-user] page not rendered in AngularJS app after "Terms and conditions" are declined... 
Message-ID: Hi everyone, Has any of you experienced the following behavior: we have an AngularJS app with some of its resources protected by Keycloak - setup: var auth = {}; angular.element(document).ready(function () { var env = 'keycloak'; var keycloakAuth = new Keycloak(env + '.json'); keycloakAuth.init({onLoad: 'check-sso'}) .success(function () { auth.authz = keycloakAuth; module.factory('Auth', function() { return auth; }); angular.bootstrap(document, ["client_id"]); }).error(function () { }); }); Everything works as expected, except that in the registration process if the user does NOT accept the "Terms and Conditions" the page where it came from, present in the redirect_fragment, is not rendered - but it is being rendered when I refresh the page as expected... Thanks, Adrian -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/8376fc61/attachment.html From m.fleur at topdesk.com Mon Mar 7 07:21:16 2016 From: m.fleur at topdesk.com (Michel Fleur) Date: Mon, 7 Mar 2016 13:21:16 +0100 Subject: [keycloak-user] Dynamic multi-realm authentication with Keycloak Message-ID: <56DD723C.50702@topdesk.com> Hello, We are building a system with multiple services that service a set of user communities. Each user belongs only to one community. Each service potentially services all communities. Both the set of services and the set of communities are dynamic. Each community can configure its own authentication scheme and UI theme. Login names - if used by the authentication scheme - are not necessarily unique across communities. The number of communities will be in the order of thousands. As far as I can see, separation of authentication and UI themes requires the mapping of communities on their own dedicated Keycloak realms. That's okay. Our services will know against what realm to authenticate a user. Naturally, I looked into your multi-tenant example (1). 
It does not seem trivial to let a service authenticate to just any realm. It doesn't feel right to script-or-service a lot of JSON around for each time a service (instance) starts or a community gets added or removed. Is there a way to make this more dynamic? (2) It can very well be that I bluntly overlook something! GreetZ (and thanks in advance), Michel. (1) Example multi-tenant service using Keycloak: https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant) In our case, tenant means community. (2) The best I can come up with is to have each service use the REST API to get the realm information before the user is actually authenticated against it. However, can a service that is not yet registered with a realm also access that realm? From Johannes.Langer at telekom.de Mon Mar 7 09:30:55 2016 From: Johannes.Langer at telekom.de (Johannes.Langer at telekom.de) Date: Mon, 7 Mar 2016 15:30:55 +0100 Subject: [keycloak-user] Keycloak as Identity provider wih OpenID Message-ID: <5CEBF9EC910A1E4C8DAA18A95E2B74491F9C7F76C8@HE113483.emea1.cds.t-internal.com> Hi, we are currently evaluating Keycloak. One of the questions I couldn't figure out yet is, As we are thinking about providing our own internal OpenId identity provider, is it possible to use Keycloak as a standalone OpenId Identity provider (without brokering)? As Keycloak has the OpenId endpoints for the brokering use case anyways... If yes is there an example how to configure this? In the documentation I could only see info on how to configure a broker... Thanks Johannes -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/534112f2/attachment.html From amaeztu at tesicnor.com Mon Mar 7 09:53:29 2016 From: amaeztu at tesicnor.com (Aritz Maeztu) Date: Mon, 7 Mar 2016 15:53:29 +0100 Subject: [keycloak-user] Grabbing Keycloak user roles from Android app Message-ID: <56DD95E9.20306@tesicnor.com> Hi all, I'm managing the keycloak authentication-authorization for my Android app. I do it manually since there's no adapter available yet as far as I know. Currently I am able to log in from a webview, retrieve the access token using the code, refresh the token when it's necessary and retrieve the user info using the openid-connect compliant endpoints. However, I would like to grab the roles available for the token too, in order to show/hide specific operations on the screen. How to achieve it? Thanks in advance. -- Aritz Maeztu Otaño Software Development Department Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Tel.: 948 21 40 40 Fax: 948 21 40 41 Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/9ec449a0/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: linkdin.gif Type: image/gif Size: 1295 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/9ec449a0/attachment.gif -------------- next part -------------- A non-text attachment was scrubbed... 
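One way to answer the question above, added here as an example rather than code from Keycloak or from the Android app: a Keycloak access token is a JWT whose payload carries realm roles in the `realm_access.roles` claim and client roles in `resource_access.<clientId>.roles`, so the app can decode the payload to decide what to show or hide. The token built by `makeUnsignedSampleToken` is constructed for the example and carries only a placeholder signature; `rolesFromToken`, `hasRole` and the client id `android-app` are the example's own names. Whatever the app decides locally can be changed by whoever controls the device, so the resource server still has to check roles against the signed token itself.

```javascript
// JWT parts are base64url without padding; Node's base64 decoder accepts the
// URL-safe alphabet once '-' and '_' are mapped back and tolerates missing padding.
function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Reads the payload only. The signature is not checked here: this is for UI
// decisions on the client, not for authorization.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Realm roles and the roles of one client, plus whether the token has expired
// (exp is seconds since the epoch).
function rolesFromToken(token, clientId) {
  const claims = decodeJwtPayload(token);
  const realmRoles = (claims.realm_access && claims.realm_access.roles) || [];
  const clientEntry = claims.resource_access && claims.resource_access[clientId];
  const clientRoles = (clientEntry && clientEntry.roles) || [];
  const expired = typeof claims.exp === 'number' && claims.exp * 1000 <= Date.now();
  return { realmRoles, clientRoles, expired };
}

// Show/hide helper: an expired token grants nothing, and only the roles of the
// named client count as client roles (other clients' roles are ignored).
function hasRole(token, role, clientId) {
  const r = rolesFromToken(token, clientId);
  if (r.expired) return false;
  return r.realmRoles.includes(role) || r.clientRoles.includes(role);
}

// Constructed sample: header and payload shaped like a Keycloak access token,
// with a placeholder in the signature position, so the example runs offline.
function makeUnsignedSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}
```

The same claims are what the Keycloak server-side adapters expose as realm and resource roles, which is why the decision on the backend can be made from the token without an extra call.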
From bburke at redhat.com Mon Mar 7 11:08:25 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 7 Mar 2016 11:08:25 -0500
Subject: [keycloak-user] Keycloak as Identity provider wih OpenID
In-Reply-To: <5CEBF9EC910A1E4C8DAA18A95E2B74491F9C7F76C8@HE113483.emea1.cds.t-internal.com>
References: <5CEBF9EC910A1E4C8DAA18A95E2B74491F9C7F76C8@HE113483.emea1.cds.t-internal.com>
Message-ID: <56DDA779.3000303@redhat.com>

I don't understand your question. Keycloak can be a standalone IDP and is configured to be used as one out of the box. It can use Open ID Connect or SAML 2.0 as the authentication protocols.

On 3/7/2016 9:30 AM, Johannes.Langer at telekom.de wrote:
> Hi,
> we are currently evaluating Keycloak. One of the questions I couldn't
> figure out yet is,
> As we are thinking about providing our own internal OpenId identity
> provider, is it possible to use Keycloak as a standalone OpenId
> Identity provider (without brokering)? As Keycloak has the OpenId
> endpoints for the brokering use case anyways...
> If yes is there an example how to configure this?
> In the documentation I could only see info on how to configure a broker...
> Thanks Johannes
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From bburke at redhat.com Mon Mar 7 11:11:39 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 7 Mar 2016 11:11:39 -0500
Subject: [keycloak-user] Dynamic multi-realm authentication with Keycloak
In-Reply-To: <56DD723C.50702@topdesk.com>
References: <56DD723C.50702@topdesk.com>
Message-ID: <56DDA83B.4080908@redhat.com>

If you don't like how we configure multi-tenant, you can provide your own implementation of AdapterDeploymentContext. This is used to resolve the configuration elements for the application adapter.

On 3/7/2016 7:21 AM, Michel Fleur wrote:
> Hello,
>
> We are building a system with multiple services that service a set of
> user communities. Each user belongs only to one community. Each service
> potentially services all communities. Both the set of services and set
> of communities is dynamic. Each community can configure its own
> authentication scheme and UI theme. Login names - if used by the
> authentication scheme - are not necessarily unique across communities.
> The number of communities will be in the order of thousands.
>
> As far as I can see, separation of authentication and UI themes requires
> the mapping of communities on their own dedicated Keycloak realms.
> That's okay. Our services will know against what realm to authenticate a
> user.
>
> Naturally, I looked into your multi-tenant example (1). It does not seem
> trivial to let a service authenticate to just any realm. It doesn't feel
> right to script-or-service a lot of JSON around for each time a service
> (instance) starts or a community gets added or removed.
>
> Is there a way to make this more dynamic? (2) It can very well be that
> I bluntly overlook something!
>
> GreetZ (and thanks in advance),
> Michel.
>
>
> (1)
> Example multi-tenant service using Keycloak:
> https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant)
> In our case, tenant means community.
>
> (2)
> The best I can come up with is to have each service use the REST API to
> get the realm information before the user is actually authenticated
> against it. However, can a service that is not yet registered with a
> realm also access that realm?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From thomas.darimont at googlemail.com Mon Mar 7 11:16:07 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 7 Mar 2016 17:16:07 +0100
Subject: [keycloak-user] Grabbing Keycloak user roles from Android app
In-Reply-To: <56DD95E9.20306@tesicnor.com>
References: <56DD95E9.20306@tesicnor.com>
Message-ID:

Hello Aritz,

couldn't you just use a JWT parser library to parse the AccessToken string? http://jwt.io/ lists quite a few usable ones.

I created a gist with a quick example for parsing a keycloak AccessToken with jjwt:
https://gist.github.com/thomasdarimont/23a80208c1ef529169be

To get the roles for a particular application (acme-petclinic in this case), you could do the following:

((Map)((Map)claimsJws.getBody().get("resource_access")).get("acme-petclinic")).get("roles")

Cheers,
Thomas

2016-03-07 15:53 GMT+01:00 Aritz Maeztu :
> Hi all,
>
> I'm managing the keycloak authentication-authorization for my Android app.
> I do it manually since there's no adapter still available as far as I know.
> Currently I am able to log in from a webview, retrieve the access token
> using the code and refresh the token when it's necessary and retrieve the
> user info using the openid-connect compliant endpoints.
> However, I would
> like to grab the roles available for the token too, in order to show/hide
> specific operations in the screen.
>
> How to achieve it?
>
> Thanks in advance.
> --
> Aritz Maeztu Otaño
> Software Development Department
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Tel.: 948 21 40 40
> Fax.: 948 21 40 41
> Before printing this e-mail, think carefully about whether it is necessary:
> the environment is everyone's concern.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jaxley at expedia.com Mon Mar 7 12:28:44 2016
From: jaxley at expedia.com (Jason Axley)
Date: Mon, 7 Mar 2016 17:28:44 +0000
Subject: [keycloak-user] Best practices for securing sign-in on mobile
In-Reply-To:
References:
Message-ID: <718327EA-EE14-41C1-80F4-44CD71B9CC36@expedia.com>

The Google Identity team just open sourced some Open ID Connect libraries that use In-app tabs on Android and SFSafariViewController on iOS for secure, streamlined web workflows in-app.
https://openid.github.io/AppAuth-Android
https://openid.github.io/AppAuth-iOS

-Jason

From: [address scrubbed] on behalf of Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Monday, March 7, 2016 at 12:11 AM
To: keycloak-dev, "keycloak-user at lists.jboss.org"
Subject: [keycloak-user] Best practices for securing sign-in on mobile

Our Cordova adapter uses a webview (via cordova-plugin-inappbrowser) to open the login page. This results in no SSO between applications and it also has some security implications. A better approach is to use in-app browser tabs when supported or fall back to the system browser. See https://www.youtube.com/watch?v=ppeU8yeI_ks for more details.

From aikeaguinea at xsmail.com Mon Mar 7 14:04:10 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Mon, 07 Mar 2016 14:04:10 -0500
Subject: [keycloak-user] Regenerating a realm public key through the API
Message-ID: <1457377450.2684173.542155106.4B07038F@webmail.messagingengine.com>

After doing a scripted import of a realm file I'm looking to call the Keycloak API to change the realm's public and private keys. The API docs aren't entirely clear on how to do this, but after looking at the "Generate New Keys" button in the Keycloak admin console I'm guessing it should be done as follows:

Update the top-level realm information by sending a PUT request to /admin/realms/ with a body of

{ realm: , publicKey : 'GENERATE' }

Is that correct?

-- 
http://www.fastmail.com - Email service worth paying for.
Try it for free

From alex_orl1079 at yahoo.it Mon Mar 7 16:32:40 2016
From: alex_orl1079 at yahoo.it (alex orl)
Date: Mon, 7 Mar 2016 21:32:40 +0000 (UTC)
Subject: [keycloak-user] db deadlock in concurrence environment
References: <205999427.8265000.1457386360384.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <205999427.8265000.1457386360384.JavaMail.yahoo@mail.yahoo.com>

Hi,
I wrote my custom federation provider.
All the synchronize operations (roles and user-roles) are done inside the getUserByUsername and the isValid method.
This way every time a user or a new user logs into my system, all the roles and role-mapping are kept up to date.
All seems to work well with one user, but now I'm experiencing a lot of exceptions in a concurrent environment.
These are the tests I'm launching:
1) 20 concurrent threads, each of which tries to login, to send a REST request (to backend) and finally to logout. All 20 threads login with the same test username.
2) 200 concurrent threads, doing the same as at the previous point, with 20 different usernames.

Every time each federation provider instance tries to synchronize all realm roles...adding or removing roles concurrently, I catch this error:

16:10:08,228 ERROR [io.undertow.request] (default task-96) UT005023: Exception handling request to /auth/realms/MyRealm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/MyRealm/protocol/openid-connect/token
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
        ... 29 more
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection
        at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
        at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)
        at org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:1771)
        at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:64)
        at org.keycloak.connections.jpa.JpaKeycloakTransaction.begin(JpaKeycloakTransaction.java:22)
        at org.keycloak.services.DefaultKeycloakTransactionManager.enlist(DefaultKeycloakTransactionManager.java:25)
        at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:46)
        at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30)
        at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
        at org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:34)
        at org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:16)
        at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
        at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getDelegate(DefaultCacheUserProvider.java:50)
        at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:147)
        at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:180)
        at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:246)
        at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:47)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:155)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:776)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:369)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:110)
        at sun.reflect.GeneratedMethodAccessor279.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
        ... 37 more
Caused by: org.hibernate.exception.GenericJDBCException: Could not open connection
        at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:54)
        at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:126)
        at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:112)
        at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:235)
        at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.getConnection(LogicalConnectionImpl.java:171)
        at org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.doBegin(JdbcTransaction.java:67)
        at org.hibernate.engine.transaction.spi.AbstractTransactionImpl.begin(AbstractTransactionImpl.java:162)
        at org.hibernate.internal.SessionImpl.beginTransaction(SessionImpl.java:1471)
        at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:61)
        ... 65 more
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakOracleDS
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
        at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:67)
        at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:139)
        at org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:380)
        at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:228)
        ... 70 more
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakOracleDS
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:646)
        at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:737)
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
        ... 74 more
Caused by: javax.resource.ResourceException: IJ000655: No managed connections available within configured blocking timeout (30000 [ms])
        at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:569)
        at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:627)
        at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:599)
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:579)
        ... 77 more

16:10:08,260 ERROR [stderr] (default task-41) javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection
16:10:08,333 ERROR [stderr] (default task-41)   at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
16:10:08,333 ERROR [stderr] (default task-41)   at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)

What's the solution to correctly handle a concurrent environment?
What am I doing wrong? Is there a way to make synchronized keycloak jpa transactions?
Thanks
From thomas.darimont at googlemail.com Mon Mar 7 16:37:44 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 7 Mar 2016 22:37:44 +0100
Subject: [keycloak-user] db deadlock in concurrence environment
In-Reply-To: <205999427.8265000.1457386360384.JavaMail.yahoo@mail.yahoo.com>
References: <205999427.8265000.1457386360384.JavaMail.yahoo.ref@mail.yahoo.com> <205999427.8265000.1457386360384.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

Hello Alex,

looks like your database connection pool is exhausted - how is your connection pool configured in wildfly?

Cheers,
Thomas

2016-03-07 22:32 GMT+01:00 alex orl :
> Hi,
> I wrote my custom federation provider.
> All the synchronize operations (roles and user-roles) are done inside the
> getUserByUsername and the isValid method.
> This way every time a user or a new user logs into my system, all the
> roles and role-mapping are kept up to date.
> All seems to work well with one user, but now I'm experiencing a lot of
> exceptions in a concurrent environment.
> These are the tests I'm launching:
> 1) 20 concurrent threads, each of which tries to login, to send a REST
> request (to backend) and finally to logout. All 20 threads login with the
> same test username.
> 2) 200 concurrent threads, doing the same as at the previous point, with
> 20 different usernames.
>
> Every time each federation provider instance tries to synchronize all realm
> roles...adding or removing roles concurrently, I catch this error:
>
>
> 16:10:08,228 ERROR [io.undertow.request] (default task-96) UT005023:
> Exception handling request to
> /auth/realms/MyRealm/protocol/openid-connect/token:
> java.lang.RuntimeException: request path: /auth/realms/MyRealm/protocol/openid-connect/token
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: org.jboss.resteasy.spi.UnhandledException:
> javax.persistence.PersistenceException:
> org.hibernate.exception.GenericJDBCException: Could not open connection
> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
> ...
> 29 more
> Caused by: javax.persistence.PersistenceException:
> org.hibernate.exception.GenericJDBCException: Could not open connection
> at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
> at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)
> at org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:1771)
> at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:64)
> at org.keycloak.connections.jpa.JpaKeycloakTransaction.begin(JpaKeycloakTransaction.java:22)
> at org.keycloak.services.DefaultKeycloakTransactionManager.enlist(DefaultKeycloakTransactionManager.java:25)
> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:46)
> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30)
> at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
> at org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:34)
> at org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:16)
> at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
> at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getDelegate(DefaultCacheUserProvider.java:50)
> at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:147)
> at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:180)
> at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:246)
> at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:47)
> at
> org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:155)
> at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:776)
> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:369)
> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:110)
> at sun.reflect.GeneratedMethodAccessor279.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> ...
37 more > Caused by: org.hibernate.exception.GenericJDBCException: Could not open > connection > at > org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:54) > at > org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:126) > at > org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:112) > at > org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:235) > at > org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.getConnection(LogicalConnectionImpl.java:171) > at > org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.doBegin(JdbcTransaction.java:67) > at > org.hibernate.engine.transaction.spi.AbstractTransactionImpl.begin(AbstractTransactionImpl.java:162) > at > org.hibernate.internal.SessionImpl.beginTransaction(SessionImpl.java:1471) > at > org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:61) > ... 65 more > Caused by: java.sql.SQLException: javax.resource.ResourceException: > IJ000453: Unable to get managed connection for > java:jboss/datasources/KeycloakOracleDS > at > org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) > at > org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:67) > at > org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:139) > at > org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:380) > at > org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:228) > ... 
70 more > Caused by: javax.resource.ResourceException: IJ000453: Unable to get > managed connection for java:jboss/datasources/KeycloakOracleDS > at > org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:646) > at > org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430) > at > org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:737) > at > org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) > ... 74 more > Caused by: javax.resource.ResourceException: IJ000655: No managed > connections available within configured blocking timeout (30000 [ms]) > at > org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:569) > at > org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:627) > at > org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:599) > at > org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:579) > ... 77 more > > 16:10:08,260 ERROR [stderr] (default task-41) > javax.persistence.PersistenceException: > org.hibernate.exception.GenericJDBCException: Could not open connection > 16:10:08,333 ERROR [stderr] (default task-41) at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763) > 16:10:08,333 ERROR [stderr] (default task-41) at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677) > > What's the solution to correctly handle a concurrent environment? > What am I doing wrong? Is there a way to make synchronized keycloak jpa > transactions?
> Thanks > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/84beaa5c/attachment-0001.html From RRathod at carbonite.com Mon Mar 7 17:48:11 2016 From: RRathod at carbonite.com (Riddhi Rathod) Date: Mon, 7 Mar 2016 22:48:11 +0000 Subject: [keycloak-user] Url for updating security Q&As tab in user account Message-ID: <85C2B959-F9B4-4311-B8DF-AFB2A51019CD@carboniteinc.com> Hi all, I edited the security Q&A plugin to include 3 questions. So now when the user registers for the first time, they have to answer 3 security questions which are saved in the database. Then, when the user clicks "Forgot Password": 1. A reset email url is sent to them. 2. On entering reset url, the user has to answer 3 security Q&As. 3. And then the user is able to reset password. So now, the only place where the user can save security Q&As is when they register for the first time. I want to be able to add an "Update security questions" tab in the left sidebar menu in the user's account page. I know the UI changes that need to be made. 1. However, I am not sure about the URL that should be called for making this tab available? 2. Currently, I think there is no url in keycloak that supports this. So can I go ahead and create a new custom one? If yes, would it be possible to integrate it with the existing keycloak code so that it can be discovered during url route resolution. Thanks, Riddhi Rathod -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160307/a511d2d8/attachment.html From eugene.chow.ct at gmail.com Mon Mar 7 21:45:32 2016 From: eugene.chow.ct at gmail.com (Eugene Chow) Date: Tue, 8 Mar 2016 10:45:32 +0800 Subject: [keycloak-user] Custom User Info URL for an OpenID Connect endpoint Message-ID: Hi guys, I need to make Keycloak authenticate against a custom-built OpenID endpoint that's not under my control. Keycloak authenticates flawlessly. The "but" here is that the endpoint doesn't implement a standard User Info endpoint, so Keycloak isn't able to grab the user's profile. Getting the user's profile is a 2-step process. 1) Get the UID of the user from the standard User Info endpoint: https://custom.openid.io/openid/connect/v1/userinfo 2) Use the UID from Step 1 to obtain the real User Info from here: https://custom.openid.io/realuserinfo/v1/users To make this happen, I have a feeling that I have to roll out my own identity provider and probably write a plugin using the Auth SPI. Could you please guide me in the right direction? Thanks in advance! From sthorger at redhat.com Tue Mar 8 01:24:46 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 8 Mar 2016 07:24:46 +0100 Subject: [keycloak-user] page not rendered in AngularJS app after "Terms and conditions" are declined... 
In-Reply-To: References: Message-ID: I'm not quite following, but I tried the following: # Open http://localhost:8080/auth/admin/master/console/#/realms/master/clients # Logout # Add terms and condition required action to user # Login # Decline terms and condition # Routed back to login page as admin console requires authenticated user # Login # I'm now on #/realms/master/clients, so the fragment doesn't seem to be lost as part of rejecting terms and conditions On 7 March 2016 at 13:19, Adrian Matei wrote: > Hi everyone, > > Has any of you experienced the following behavior: > we have an AngularJS app with some of its resources protected by Keycloak > - setup: > var auth = {}; > angular.element(document).ready(function () { > var env = 'keycloak'; > var keycloakAuth = new Keycloak(env + '.json'); > keycloakAuth.init({onLoad: 'check-sso'}) > .success(function () { > auth.authz = keycloakAuth; > module.factory('Auth', function() { > return auth; > }); > angular.bootstrap(document, ["client_id"]); > }).error(function () { > > }); > }); > > Everything works as expected, except that in the registration process if > the user does NOT accept the "Terms and Conditions" the page where it came > from, present in the redirect_fragment is not rendered - but it is being > rendered when I refresh the page as expected... > > Thanks, > Adrian > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/b8bb74f6/attachment.html From thomas.darimont at googlemail.com Tue Mar 8 01:27:12 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Tue, 8 Mar 2016 07:27:12 +0100 Subject: [keycloak-user] page not rendered in AngularJS app after "Terms and conditions" are declined... 
In-Reply-To: References: Message-ID: Adrian, which Keycloak version are you using? Cheers, Thomas On 08.03.2016 7:25 AM, "Stian Thorgersen" wrote: > I'm not quite following, but I tried the following: > > # Open > http://localhost:8080/auth/admin/master/console/#/realms/master/clients > # Logout > # Add terms and condition required action to user > # Login > # Decline terms and condition > # Routed back to login page as admin console requires authenticated user > # Login > # I'm now on #/realms/master/clients, so the fragment doesn't seem to be > lost as part of rejecting terms and conditions > > On 7 March 2016 at 13:19, Adrian Matei wrote: > >> Hi everyone, >> >> Has any of you experienced the following behavior: >> we have an AngularJS app with some of its resources protected by Keycloak >> - setup: >> var auth = {}; >> angular.element(document).ready(function () { >> var env = 'keycloak'; >> var keycloakAuth = new Keycloak(env + '.json'); >> keycloakAuth.init({onLoad: 'check-sso'}) >> .success(function () { >> auth.authz = keycloakAuth; >> module.factory('Auth', function() { >> return auth; >> }); >> angular.bootstrap(document, ["client_id"]); >> }).error(function () { >> >> }); >> }); >> >> Everything works as expected, except that in the registration process if >> the user does NOT accept the "Terms and Conditions" the page where it came >> from, present in the redirect_fragment is not rendered - but it is being >> rendered when I refresh the page as expected... >> >> Thanks, >> Adrian >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/3130efb4/attachment.html From sthorger at redhat.com Tue Mar 8 01:28:07 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 8 Mar 2016 07:28:07 +0100 Subject: [keycloak-user] Best practices for securing sign-in on mobile In-Reply-To: <718327EA-EE14-41C1-80F4-44CD71B9CC36@expedia.com> References: <718327EA-EE14-41C1-80F4-44CD71B9CC36@expedia.com> Message-ID: Have you tried AppAuth with Keycloak? If so I'd love to know how you got on with it. On 7 March 2016 at 18:28, Jason Axley wrote: > The Google Identity team just open-sourced some OpenID Connect libraries > that use in-app tabs on Android and SFSafariViewController on iOS for > secure, streamlined web workflows in-app. > > https://openid.github.io/AppAuth-Android > https://openid.github.io/AppAuth-iOS > > -Jason > > From: on behalf of Stian > Thorgersen > Reply-To: "stian at redhat.com" > Date: Monday, March 7, 2016 at 12:11 AM > To: keycloak-dev , " > keycloak-user at lists.jboss.org" > Subject: [keycloak-user] Best practices for securing sign-in on mobile > > Our Cordova adapter uses a webview (via cordova-plugin-inappbrowser) to > open the login page. This results in no SSO between applications and it > also has some security implications. A better approach is to use in-app > browser tabs when supported or fall back to the system browser. > > See https://www.youtube.com/watch?v=ppeU8yeI_ks for more details. > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/142d4ad9/attachment-0001.html From sthorger at redhat.com Tue Mar 8 01:28:30 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 8 Mar 2016 07:28:30 +0100 Subject: [keycloak-user] Regenerating a realm public key through the API In-Reply-To: <1457377450.2684173.542155106.4B07038F@webmail.messagingengine.com> References: <1457377450.2684173.542155106.4B07038F@webmail.messagingengine.com> Message-ID: Yup On 7 March 2016 at 20:04, Aikeaguinea wrote: > After doing a scripted import of a realm file I'm looking to call the > Keycloak API to change the realm's public and private keys. The API docs > aren't entirely clear on how to do this, but after looking at the > "Generate New Keys" button in the Keycloak admin console I'm guessing it > should be done as follows: > > Update the top-level realm information by sending a PUT request to > /admin/realms/ with a body of { realm: , > publicKey : 'GENERATE' } > > Is that correct? > > -- > http://www.fastmail.com - Email service worth paying for. Try it for free > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/09c654c2/attachment.html From sthorger at redhat.com Tue Mar 8 01:34:31 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 8 Mar 2016 07:34:31 +0100 Subject: [keycloak-user] db deadlock in concurrence environment In-Reply-To: References: <205999427.8265000.1457386360384.JavaMail.yahoo.ref@mail.yahoo.com> <205999427.8265000.1457386360384.JavaMail.yahoo@mail.yahoo.com> Message-ID: As it times out after 30 seconds to obtain a connection it looks more like connections/transactions are not being closed. Is your federation provider using the same datasource? 
Any chance it's not closing the connections properly? On 7 March 2016 at 22:37, Thomas Darimont wrote: > Hello Alex, > > looks like your database connection pool is exhausted - how is your > connection pool configured in WildFly? > > Cheers, > Thomas > > 2016-03-07 22:32 GMT+01:00 alex orl : > >> Hi, >> I wrote my custom federation provider. >> All the synchronization operations (roles and user-roles) are done inside the >> getUserByUsername and the isValid method. >> This way every time a user or a new user logs into my system, all the >> roles and role-mapping are kept up to date. >> All seems to work well with one user, but now I'm experiencing a lot of >> exceptions in a concurrent environment. >> These are the tests I'm launching: >> 1) 20 concurrent threads, each of which tries to login, to send a REST >> request (to backend) and finally to logout. All 20 threads login with the >> same test username. >> 2) 200 concurrent threads, doing the same as at the previous point, with >> 20 different usernames. 
>> >> Every time each federation provider instance tries to synchronize all >> realm roles, adding or removing roles concurrently, I catch this error: >> >> >> 16:10:08,228 ERROR [io.undertow.request] (default task-96) UT005023: >> Exception handling request to >> /auth/realms/MyRealm/protocol/openid-connect/token: >> java.lang.RuntimeException: reques >> t path: /auth/realms/MyRealm/protocol/openid-connect/token >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75) >> at >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) >> at >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) >> at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: org.jboss.resteasy.spi.UnhandledException: >> javax.persistence.PersistenceException: >> org.hibernate.exception.GenericJDBCException: Could not open connection >> at >> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) >> at >> 
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) >> ... 
29 more >> Caused by: javax.persistence.PersistenceException: >> org.hibernate.exception.GenericJDBCException: Could not open connection >> at >> org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763) >> at >> org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677) >> at >> org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:1771) >> at >> org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:64) >> at >> org.keycloak.connections.jpa.JpaKeycloakTransaction.begin(JpaKeycloakTransaction.java:22) >> at >> org.keycloak.services.DefaultKeycloakTransactionManager.enlist(DefaultKeycloakTransactionManager.java:25) >> at >> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:46) >> at >> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30) >> at >> org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) >> at >> org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:34) >> at >> org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:16) >> at >> org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) >> at >> org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getDelegate(DefaultCacheUserProvider.java:50) >> at >> org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:147) >> at >> org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:180) >> at >> org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:246) >> at >> org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:47) >> at >> 
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:155) >> at >> org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:776) >> at >> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:369) >> at >> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:110) >> at sun.reflect.GeneratedMethodAccessor279.invoke(Unknown Source) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:497) >> at >> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) >> ... 
37 more >> Caused by: org.hibernate.exception.GenericJDBCException: Could not open >> connection >> at >> org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:54) >> at >> org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:126) >> at >> org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:112) >> at >> org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:235) >> at >> org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.getConnection(LogicalConnectionImpl.java:171) >> at >> org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.doBegin(JdbcTransaction.java:67) >> at >> org.hibernate.engine.transaction.spi.AbstractTransactionImpl.begin(AbstractTransactionImpl.java:162) >> at >> org.hibernate.internal.SessionImpl.beginTransaction(SessionImpl.java:1471) >> at >> org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:61) >> ... 65 more >> Caused by: java.sql.SQLException: javax.resource.ResourceException: >> IJ000453: Unable to get managed connection for >> java:jboss/datasources/KeycloakOracleDS >> at >> org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) >> at >> org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:67) >> at >> org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:139) >> at >> org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:380) >> at >> org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:228) >> ... 
70 more >> Caused by: javax.resource.ResourceException: IJ000453: Unable to get >> managed connection for java:jboss/datasources/KeycloakOracleDS >> at >> org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:646) >> at >> org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430) >> at >> org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:737) >> at >> org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) >> ... 74 more >> Caused by: javax.resource.ResourceException: IJ000655: No managed >> connections available within configured blocking timeout (30000 [ms]) >> at >> org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:569) >> at >> org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:627) >> at >> org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:599) >> at >> org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:579) >> ... 77 more >> >> 16:10:08,260 ERROR [stderr] (default task-41) >> javax.persistence.PersistenceException: >> org.hibernate.exception.GenericJDBCException: Could not open connection >> 16:10:08,333 ERROR [stderr] (default task-41) at >> org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763) >> 16:10:08,333 ERROR [stderr] (default task-41) at >> org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677) >> >> What's the solution to correctly handle a concurrent environment? >> What am I doing wrong? Is there a way to make synchronized keycloak jpa >> transactions? 
>> Thanks >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/d5376ea7/attachment-0001.html From sthorger at redhat.com Tue Mar 8 01:36:33 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 8 Mar 2016 07:36:33 +0100 Subject: [keycloak-user] Url for updating security Q&As tab in user account In-Reply-To: <85C2B959-F9B4-4311-B8DF-AFB2A51019CD@carboniteinc.com> References: <85C2B959-F9B4-4311-B8DF-AFB2A51019CD@carboniteinc.com> Message-ID: We don't currently support adding additional tabs to the account management console. You'd have to do it as part of the profile page as that allows changing custom attributes. On 7 March 2016 at 23:48, Riddhi Rathod wrote: > Hi all, > > I edited the security Q&A plugin to include 3 questions. So now when the > user registers for the first time, they have to answer 3 security questions > which are saved in the database. Then, when the user clicks "Forgot > Password": > > 1. A reset email url is sent to them. > 2. On entering reset url, the user has to answer 3 security Q&As. > 3. And then the user is able to reset password. > > So now, the only place where the user can save security Q&As is when they > register for the first time. I want to be able to add an "Update security > questions" tab in the left sidebar menu in the user's account page. I know the > UI changes that need to be made. > > 1. However, I am not sure about the URL that should be called for making > this tab available? > > 2. Currently, I think there is no url in keycloak that supports this. 
So > can I go ahead and create a new custom one? If yes, would it be possible to > integrate it with the existing keycloak code so that it can be discovered > during url route resolution. > > > Thanks, > Riddhi Rathod > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/14fbc205/attachment.html From sthorger at redhat.com Tue Mar 8 01:41:26 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 8 Mar 2016 07:41:26 +0100 Subject: [keycloak-user] Custom User Info URL for an OpenID Connect endpoint In-Reply-To: References: Message-ID: Write a custom identity provider extending OIDCIdentityProvider and override getFederatedIdentity. See http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html on how to deploy to Keycloak. I would imagine you don't need 1 as the sub (UID) should be available in the access token. On 8 March 2016 at 03:45, Eugene Chow wrote: > Hi guys, > > I need to make Keycloak authenticate against a custom-built OpenID > endpoint that's not under my control. Keycloak authenticates flawlessly. > The "but" here is that the endpoint doesn't implement a standard User Info > endpoint, so Keycloak isn't able to grab the user's profile. Getting the > user's profile is a 2-step process. > > 1) Get the UID of the user from the standard User Info endpoint: > https://custom.openid.io/openid/connect/v1/userinfo > 2) Use the UID from Step 1 to obtain the real User Info from here: > https://custom.openid.io/realuserinfo/v1/users > > To make this happen, I have a feeling that I have to roll out my own > identity provider and probably write a plugin using the Auth SPI. Could you > please guide me in the right direction? > > Thanks in advance! 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/b3830e18/attachment.html From amaeztu at tesicnor.com Tue Mar 8 02:11:55 2016 From: amaeztu at tesicnor.com (Aritz Maeztu) Date: Tue, 8 Mar 2016 08:11:55 +0100 Subject: [keycloak-user] Grabbing Keycloak user roles from Android app In-Reply-To: References: <56DD95E9.20306@tesicnor.com> Message-ID: <56DE7B3B.4040803@tesicnor.com> Many thanks Thomas! I'll give it a try ;-) On 07/03/2016 17:16, Thomas Darimont wrote: > Hello Aritz, > > couldn't you just use a JWT parser library to parse the AccessToken > string? > http://jwt.io/ lists quite a few usable ones: > > I created a gist with a quick example for parsing a keycloak > AccessToken with jjwt: > https://gist.github.com/thomasdarimont/23a80208c1ef529169be > > To get the roles for a particular application (acme-petclinic) in this > case, you could do the following: > ((Map)((Map)claimsJws.getBody().get("resource_access")).get("acme-petclinic")).get("roles") > > Cheers, > Thomas > > 2016-03-07 15:53 GMT+01:00 Aritz Maeztu >: > > Hi all, > > I'm managing the keycloak authentication-authorization for my > Android app. I do it manually since there's no adapter available > yet as far as I know. Currently I am able to log in from a > webview, retrieve the access token using the code and refresh the > token when it's necessary and retrieve the user info using the > openid-connect compliant endpoints. However, I would like to grab > the roles available for the token too, in order to show/hide > specific operations on the screen. > > How can I achieve it? > > Thanks in advance. > -- > Aritz Maeztu Otaño > Software Development Department > > > > Pol. Ind. Mocholi. 
C/Rio Elorz, Nave 13E 31110 Noain (Navarra) > Telf.: 948 21 40 40 > Fax.: 948 21 40 41 > > Antes de imprimir este e-mail piense bien si es necesario hacerlo: > El medioambiente es cosa de todos. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Aritz Maeztu Ota?o Departamento Desarrollo de Software Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf.: 948 21 40 40 Fax.: 948 21 40 41 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/f36b3058/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 1295 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/f36b3058/attachment-0002.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 2983 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/f36b3058/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... Name: linkdin.gif Type: image/gif Size: 1295 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/f36b3058/attachment-0003.gif -------------- next part -------------- A non-text attachment was scrubbed... 
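An added example (not from the thread and not Thomas's gist) of the jjwt-based role extraction, with the signature and issuer checked before any claim is trusted; the realm key, issuer and token values are placeholders, and the `acme-petclinic` client id is the one from the thread.

```java
// Added example: verify a Keycloak access token with the realm's RSA public key
// using jjwt, then read realm roles and per-client roles from the verified claims.
// Plain Java 8; on Android replace java.util.Base64 with android.util.Base64.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;

import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class KeycloakRoles {

    private final PublicKey realmKey;
    private final String expectedIssuer;

    /**
     * @param realmPublicKeyBase64 realm public key as shown in the admin console
     *                             (base64 DER, without PEM header/footer)
     * @param expectedIssuer       the realm URL the token must have been issued by
     */
    public KeycloakRoles(String realmPublicKeyBase64, String expectedIssuer) throws Exception {
        byte[] der = Base64.getDecoder().decode(realmPublicKeyBase64);
        this.realmKey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        this.expectedIssuer = expectedIssuer;
    }

    /** Checks signature and expiry, and rejects tokens issued by another realm. */
    public Claims verify(String accessToken) {
        Jws<Claims> jws = Jwts.parser()
                .setSigningKey(realmKey)      // RS256 check against the realm key
                .parseClaimsJws(accessToken); // throws on bad signature or expired token
        Claims claims = jws.getBody();
        if (!expectedIssuer.equals(claims.getIssuer())) {
            throw new JwtException("unexpected issuer: " + claims.getIssuer());
        }
        return claims;
    }

    /** realm_access.roles, or an empty list when the claim is absent. */
    @SuppressWarnings("unchecked")
    public static List<String> realmRoles(Claims claims) {
        return rolesOf((Map<String, Object>) claims.get("realm_access"));
    }

    /** resource_access.<clientId>.roles, or an empty list when absent. */
    @SuppressWarnings("unchecked")
    public static List<String> clientRoles(Claims claims, String clientId) {
        Map<String, Object> resourceAccess = (Map<String, Object>) claims.get("resource_access");
        if (resourceAccess == null) {
            return Collections.emptyList();
        }
        return rolesOf((Map<String, Object>) resourceAccess.get(clientId));
    }

    @SuppressWarnings("unchecked")
    private static List<String> rolesOf(Map<String, Object> access) {
        if (access == null || !(access.get("roles") instanceof List)) {
            return Collections.emptyList();
        }
        return (List<String>) access.get("roles");
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: paste the realm key from the admin console and a real token.
        KeycloakRoles roles = new KeycloakRoles("<REALM_PUBLIC_KEY_BASE64>",
                "https://sso.example.com/auth/realms/myrealm");
        Claims claims = roles.verify("<ACCESS_TOKEN>");
        System.out.println("realm roles:  " + realmRoles(claims));
        System.out.println("client roles: " + clientRoles(claims, "acme-petclinic"));
    }
}
```

Roles read this way are only good for showing or hiding UI; the backend still has to decide from its own verified copy of the token, never from what the app claims to hold.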
From adrianmatei at gmail.com Tue Mar 8 02:43:57 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Tue, 8 Mar 2016 08:43:57 +0100
Subject: [keycloak-user] page not rendered in AngularJS app after "Terms and conditions" are declined...

Sorry sorry,

I've forgotten to mention it again - it is 1.7.0.Final.
If I try it with the admin console, master realm and account app I get a
page with the text "error" and url when declining:

http://localhost:8080/auth/realms/master/account/login-redirect?error=access_denied&state=0%2F677d62e0-9c89-4029-b40e-fe01eac5173b

The next trial to work around this, is to say on front end, if the user
clicks the "decline" button the user should be redirected to the login
page...

Cheers,
Adrian

On Tue, Mar 8, 2016 at 7:27 AM, Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Adrian, which Keycloak Version are you using?
>
> Cheers,
> Thomas
> On 08.03.2016 7:25 AM, "Stian Thorgersen" wrote:
>
>> I'm not quite following, but I tried the following:
>>
>> # Open
>> http://localhost:8080/auth/admin/master/console/#/realms/master/clients
>> # Logout
>> # Add terms and condition required action to user
>> # Login
>> # Decline terms and condition
>> # Routed back to login page as admin console requires authenticated user
>> # Login
>> # I'm now on #/realms/master/clients, so the fragment doesn't seem to be
>> lost as part of rejecting terms and conditions
>>
>> On 7 March 2016 at 13:19, Adrian Matei wrote:
>>
>>> Hi everyone,
>>>
>>> Has any of you experienced the following behavior:
>>> we have an AngularJS app with some of its resources protected by
>>> Keycloak - setup:
>>>
>>> var auth = {};
>>> angular.element(document).ready(function () {
>>>     var env = 'keycloak';
>>>     var keycloakAuth = new Keycloak(env + '.json');
>>>     keycloakAuth.init({onLoad: 'check-sso'})
>>>         .success(function () {
>>>             auth.authz = keycloakAuth;
>>>             module.factory('Auth', function() {
>>>                 return auth;
>>>             });
>>>             angular.bootstrap(document, ["client_id"]);
>>>         }).error(function () {
>>>
>>>         });
>>> });
>>>
>>> Everything works as expected, except that in the registration process if
>>> the user does NOT accept the "Terms and Conditions" the page where it came
>>> from, present in the redirect_fragment is not rendered - but it is being
>>> rendered when I refresh the page as expected...
>>>
>>> Thanks,
>>> Adrian
>>>
From sthorger at redhat.com Tue Mar 8 02:52:45 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 8 Mar 2016 08:52:45 +0100
Subject: [keycloak-user] page not rendered in AngularJS app after "Terms and conditions" are declined...

Please try with 1.9.0.Final and see if the issue is already resolved. If it's
not give me exact steps to reproduce.

On 8 March 2016 at 08:43, Adrian Matei wrote:

> Sorry sorry,
>
> I've forgotten to mention it again - it is 1.7.0.Final.
> If I try it with the admin console, master realm and account app I get a
> page with the text "error" and url when declining:
>
> http://localhost:8080/auth/realms/master/account/login-redirect?error=access_denied&state=0%2F677d62e0-9c89-4029-b40e-fe01eac5173b
>
> The next trial to work around this, is to say on front end, if the user
> clicks the "decline" button the user should be redirected to the login
> page...
>
> Cheers,
> Adrian
>
> On Tue, Mar 8, 2016 at 7:27 AM, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> Adrian, which Keycloak Version are you using?
>>
>> Cheers,
>> Thomas
>> On 08.03.2016 7:25 AM, "Stian Thorgersen" wrote:
>>
>>> I'm not quite following, but I tried the following:
>>>
>>> # Open
>>> http://localhost:8080/auth/admin/master/console/#/realms/master/clients
>>> # Logout
>>> # Add terms and condition required action to user
>>> # Login
>>> # Decline terms and condition
>>> # Routed back to login page as admin console requires authenticated user
>>> # Login
>>> # I'm now on #/realms/master/clients, so the fragment doesn't seem to be
>>> lost as part of rejecting terms and conditions
>>>
>>> On 7 March 2016 at 13:19, Adrian Matei wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> Has any of you experienced the following behavior:
>>>> we have an AngularJS app with some of its resources protected by
>>>> Keycloak - setup:
>>>>
>>>> var auth = {};
>>>> angular.element(document).ready(function () {
>>>>     var env = 'keycloak';
>>>>     var keycloakAuth = new Keycloak(env + '.json');
>>>>     keycloakAuth.init({onLoad: 'check-sso'})
>>>>         .success(function () {
>>>>             auth.authz = keycloakAuth;
>>>>             module.factory('Auth', function() {
>>>>                 return auth;
>>>>             });
>>>>             angular.bootstrap(document, ["client_id"]);
>>>>         }).error(function () {
>>>>
>>>>         });
>>>> });
>>>>
>>>> Everything works as expected, except that in the registration process
>>>> if the user does NOT accept the "Terms and Conditions" the page where it
>>>> came from, present in the redirect_fragment is not rendered - but it is
>>>> being rendered when I refresh the page as expected...
>>>>
>>>> Thanks,
>>>> Adrian
>>>>
From alex_orl1079 at yahoo.it Tue Mar 8 04:46:50 2016
From: alex_orl1079 at yahoo.it (alex orl)
Date: Tue, 8 Mar 2016 09:46:50 +0000 (UTC)
Subject: [keycloak-user] db deadlock in concurrence environment
Message-ID: <153020874.5410151.1457430410961.JavaMail.yahoo@mail.yahoo.com>

I will try to make my use case clearer:
Every time a user logs into my system, so when keycloak invokes the "getUserByUsername()" method or the "isValid()" method, I do the realm roles synchronization, i.e.

RoleModel keycloakRole;

public UserModel getUserByUsername(RealmModel realm, String username) {
    ...
    for (MyRole role : MyRoleList) {
        keycloakRole = realm.addRole(role.getName());
        keycloakRole.setDescription(role.getDescription());
    }
}

public boolean isValid(RealmModel realm, UserModel local) {
    ...
    for (MyRole role : MyRoleList) {
        keycloakRole = realm.addRole(role.getName());
        keycloakRole.setDescription(role.getDescription());
    }
}

This does work well just with a single thread user.
When the environment is configured with 20 concurrent threads/users trying to login, I get "deadlock exception".
I can say the one I printed in my first email is a direct consequence of the deadlock.
After the "OptimisticLock exception" I get also:

09:51:12,677 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-2) SQL Error: 1, SQLState: 23000
09:51:12,679 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-102) ORA-00001: unique constraint (KEYCLOAK17.UK_J3RWUVD56ONTGSUHOGM184WW2-2) violated
09:51:12,679 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-105) ORA-00001: unique constraint (KEYCLOAK17.UK_J3RWUVD56ONTGSUHOGM184WW2-2) violated

Now my question is:
- I never found a point inside the keycloak authentication flow from which to trigger the synchronization operations, so I guessed to make this operation inside the LOGIN phase. Is it right?
- Doing it like this, is it the best way, or is there a way to hook the login jpa transaction, so that all the sync operations are flushed after the whole login transaction is committed?
- Or am I totally wrong and there is a specific pattern to follow for all the roles and attributes synchronize operations?

thanks

On Tuesday 8 March 2016 7:34, Stian Thorgersen wrote:

As it times out after 30 seconds to obtain a connection it looks more like connections/transactions are not being closed. Is your federation provider using the same datasource? Any chance it's not closing the connections properly?

On 7 March 2016 at 22:37, Thomas Darimont wrote:

Hello Alex,

looks like your database connection pool is exhausted - how is your connection pool configured in wildfly?

Cheers,
Thomas

2016-03-07 22:32 GMT+01:00 alex orl:

Hi,
I wrote my custom federation provider.
All the synchronize operations (roles and user-roles) are done inside the getUserByUsername and the isValid method.
This way every time a user or a new user logs into my system, all the roles and role-mappings are kept up to date.
All seems to work well with one user, but now I'm experiencing a lot of exceptions in a concurrence environment.
These are the tests I'm launching:
1) 20 concurrent threads, each of which tries to login, to send a REST request (to backend) and finally to logout. All 20 threads login with the same test username.
2) 200 concurrent threads, doing the same as at the previous point, with 20 different usernames.

Every time each federation provider instance tries to synchronize all realm roles... adding or removing roles in concurrence, I catch this error:

16:10:08,228 ERROR [io.undertow.request] (default task-96) UT005023: Exception handling request to /auth/realms/MyRealm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/MyRealm/protocol/openid-connect/token
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        ...
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        ... 29 more
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection
        at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
        at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:64)
        at org.keycloak.connections.jpa.JpaKeycloakTransaction.begin(JpaKeycloakTransaction.java:22)
        at org.keycloak.services.DefaultKeycloakTransactionManager.enlist(DefaultKeycloakTransactionManager.java:25)
        at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:46)
        at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
        at org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:34)
        at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getDelegate(DefaultCacheUserProvider.java:50)
        at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:147)
        at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:180)
        at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:246)
        at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:47)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:155)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:776)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:369)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:110)
        ... 37 more
Caused by: org.hibernate.exception.GenericJDBCException: Could not open connection
        at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:235)
        ... 65 more
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakOracleDS
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
        ... 70 more
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakOracleDS
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:646)
        ... 74 more
Caused by: javax.resource.ResourceException: IJ000655: No managed connections available within configured blocking timeout (30000 [ms])
        at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:569)
        ... 77 more
16:10:08,260 ERROR [stderr] (default task-41) javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection
16:10:08,333 ERROR [stderr] (default task-41)   at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
16:10:08,333 ERROR [stderr] (default task-41)   at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)

What's the solution to correctly handle a concurrence environment?
What am I doing wrong? Is there a way to make synchronized keycloak jpa transactions?
Thanks
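An added example (not the poster's code) of how the role synchronization shown above can be made idempotent and moved out of the per-login transaction. `MyRole`, the package name and the call site are assumptions; the Keycloak calls are the 1.x SPI (`RealmModel.getRole`/`addRole`, `KeycloakModelUtils.runJobInTransaction`, `KeycloakSessionTask`) and should be checked against the deployed version.

```java
package com.example.federation; // hypothetical package

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.KeycloakSessionTask;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.KeycloakModelUtils;

import java.util.List;
import java.util.Objects;

public final class RoleSynchronizer {

    /** Minimal shape of a role coming from the external user store (hypothetical). */
    public static final class MyRole {
        public final String name;
        public final String description;
        public MyRole(String name, String description) {
            this.name = name;
            this.description = description;
        }
    }

    /**
     * Brings realm roles in line with the external list. Re-runnable: a role
     * is looked up before it is created, so the same name is never INSERTed a
     * second time (the ORA-00001 on the realm/name unique key in the thread).
     * It is still a writer, so it must not run from concurrent login threads;
     * see syncRolesInOwnTransaction().
     */
    public static int syncRoles(RealmModel realm, List<MyRole> external) {
        int changed = 0;
        for (MyRole ext : external) {
            RoleModel role = realm.getRole(ext.name);
            if (role == null) {
                role = realm.addRole(ext.name);
                changed++;
            }
            if (!Objects.equals(role.getDescription(), ext.description)) {
                role.setDescription(ext.description);
                changed++;
            }
        }
        return changed;
    }

    /**
     * Intended call site: the federation provider factory's scheduled sync
     * (syncAllUsers/syncChangedUsers in the 1.x SPI), which Keycloak runs as a
     * single periodic task, rather than getUserByUsername()/isValid(), which run
     * inside every concurrent login transaction and should only read realm
     * roles. The work gets its own transaction so a failure does not abort a
     * user's login.
     */
    public static int syncRolesInOwnTransaction(KeycloakSessionFactory sessionFactory,
                                                final String realmId,
                                                final List<MyRole> external) {
        final int[] changed = {0};
        KeycloakModelUtils.runJobInTransaction(sessionFactory, new KeycloakSessionTask() {
            @Override
            public void run(KeycloakSession session) {
                RealmModel realm = session.realms().getRealm(realmId);
                if (realm == null) {
                    throw new IllegalStateException("realm not found: " + realmId);
                }
                changed[0] = syncRoles(realm, external);
            }
        });
        return changed[0];
    }
}
```

This removes the duplicate INSERT behind ORA-00001, but Stian's point stands on its own: a pool that times out after 30 seconds still means connections or transactions are being held open somewhere in the provider.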
From alex_orl1079 at yahoo.it Tue Mar 8 07:01:17 2016
From: alex_orl1079 at yahoo.it (alex orl)
Date: Tue, 8 Mar 2016 12:01:17 +0000 (UTC)
Subject: [keycloak-user] db deadlock in concurrence environment
In-Reply-To: <153020874.5410151.1457430410961.JavaMail.yahoo@mail.yahoo.com>
References: <153020874.5410151.1457430410961.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <491091343.8775016.1457438477239.JavaMail.yahoo@mail.yahoo.com>

In addition to my previous email I attach the deadlock exception stacktrace:

12:53:20,188 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-118) SQL Error: 60, SQLState: 61000
12:53:20,189 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-118) ORA-00060: deadlock detected while waiting for resource
12:53:20,189 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-118) HHH000010: On release of batch it still contained JDBC statements
12:53:20,192 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-118) javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
        at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:44)
        at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34)
        at com.sun.proxy.$Proxy147.flush(Unknown Source)
        at org.keycloak.models.jpa.JpaUserProvider.removeUser(JpaUserProvider.java:117)
        at org.keycloak.models.jpa.JpaUserProvider.removeUser(JpaUserProvider.java:97)
        at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.removeUser(DefaultCacheUserProvider.java:283)
        at org.keycloak.models.UserFederationManager.deleteInvalidUser(UserFederationManager.java:113)
        at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:135)
        at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:182)
        at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:246)
        at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:47)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:155)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:776)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:369)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:110)
        ...
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
        ...
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
        at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
        at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1338)
        at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32)
        ... 61 more
Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement
        at org.hibernate.dialect.Oracle8iDialect$2.convert(Oracle8iDialect.java:473)
        at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:211)
        at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3400)
        at org.hibernate.action.internal.EntityDeleteAction.execute(EntityDeleteAction.java:114)
        at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:465)
        at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1258)
        at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1335)
        ... 65 more
Caused by: java.sql.SQLException: ORA-00060: deadlock detected while waiting for resource

On Tuesday 8 March 2016 10:46, alex orl wrote:

I will try to make my use case clearer:
Every time a user logs into my system, so when keycloak invokes the "getUserByUsername()" method or the "isValid()" method, I do the realm roles synchronization, i.e.

RoleModel keycloakRole;

public UserModel getUserByUsername(RealmModel realm, String username) {
    ...
    for (MyRole role : MyRoleList) {
        keycloakRole = realm.addRole(role.getName());
        keycloakRole.setDescription(role.getDescription());
    }
}

public boolean isValid(RealmModel realm, UserModel local) {
    ...
    for (MyRole role : MyRoleList) {
        keycloakRole = realm.addRole(role.getName());
        keycloakRole.setDescription(role.getDescription());
    }
}

This does work well just with a single thread user.
When the environment is configured with 20 concurrent threads/users trying to login, I get "deadlock exception".
I can say the one I printed in my first email is a direct consequence of the deadlock.
After the "OptimisticLock exception" I get also:

09:51:12,677 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-2) SQL Error: 1, SQLState: 23000
09:51:12,679 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-102) ORA-00001: unique constraint (KEYCLOAK17.UK_J3RWUVD56ONTGSUHOGM184WW2-2) violated
09:51:12,679 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-105) ORA-00001: unique constraint (KEYCLOAK17.UK_J3RWUVD56ONTGSUHOGM184WW2-2) violated

Now my question is:
- I never found a point inside the keycloak authentication flow from which to trigger the synchronization operations, so I guessed to make this operation inside the LOGIN phase. Is it right?
- Doing it like this, is it the best way, or is there a way to hook the login jpa transaction, so that all the sync operations are flushed after the whole login transaction is committed?
- Or am I totally wrong and there is a specific pattern to follow for all the roles and attributes synchronize operations?

thanks

On Tuesday 8 March 2016 7:34, Stian Thorgersen wrote:

As it times out after 30 seconds to obtain a connection it looks more like connections/transactions are not being closed. Is your federation provider using the same datasource? Any chance it's not closing the connections properly?

On 7 March 2016 at 22:37, Thomas Darimont wrote:

Hello Alex,

looks like your database connection pool is exhausted - how is your connection pool configured in wildfly?
Cheers,Thomas 2016-03-07 22:32 GMT+01:00 alex orl : Hi,i wrote my custom federation provider.All the synchronize operations (roles and user-roles) are done inside the getUserByUsername and the isValid method.This way every time a user or a new-user logins into my system, all the roles and role-mapping are kept up to date.All seems to work well with one user, but now i'm experiencing a lot of exceptions in a concurrence environment.These are the tests i'm launching:1) 20 concurrent threads, each of which tries to login, to send a REST request (to backend) and finally to logout. All 20 threads login with the same test username.2) 200 concurrent threads, doing the same as at the previous point, with 20 differents username. Everytime each federation provider instance tries to synchronize all realm roles...adding or removing roles in concurrence, i catch this error: 16:10:08,228 ERROR [io.undertow.request] (default task-96) UT005023: Exception handling request to /auth/realms/MyRealm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/MyRealm/protocol/openid-connect/token? ? ? ? at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)? ? ? ? at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)? ? ? ? at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)? ? ? ? at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)? ? ? ? at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)? ? ? ? at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)? ? ? ? at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)? ? ? ? at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)? ? ? ? 
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)? ? ? ? at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)? ? ? ? at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)? ? ? ? at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)? ? ? ? at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)? ? ? ? at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)? ? ? ? at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)? ? ? ? at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)? ? ? ? at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)? ? ? ? at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)? ? ? ? at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)? ? ? ? at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)? ? ? ? at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)? ? ? ? at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)? ? ? ? at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)? ? ? ? at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)? ? ? ? at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)? ? ? ? 
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)? ? ? ? at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)? ? ? ? at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)? ? ? ? at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)? ? ? ? at java.lang.Thread.run(Thread.java:745)Caused by: org.jboss.resteasy.spi.UnhandledException: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection? ? ? ? at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)? ? ? ? at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)? ? ? ? at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)? ? ? ? at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)? ? ? ? at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)? ? ? ? at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)? ? ? ? at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)? ? ? ? at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)? ? ? ? at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)? ? ? ? at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)? ? ? ? at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)? ? ? ? at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)? ? ? ? ... 29 moreCaused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection? ? ? ? 
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)? ? ? ? at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)? ? ? ? at org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:1771)? ? ? ? at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:64)? ? ? ? at org.keycloak.connections.jpa.JpaKeycloakTransaction.begin(JpaKeycloakTransaction.java:22)? ? ? ? at org.keycloak.services.DefaultKeycloakTransactionManager.enlist(DefaultKeycloakTransactionManager.java:25)? ? ? ? at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:46)? ? ? ? at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30)? ? ? ? at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)? ? ? ? at org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:34)? ? ? ? at org.keycloak.models.jpa.JpaUserProviderFactory.create(JpaUserProviderFactory.java:16)? ? ? ? at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)? ? ? ? at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getDelegate(DefaultCacheUserProvider.java:50)? ? ? ? at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getUserByUsername(DefaultCacheUserProvider.java:147)? ? ? ? at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:180)? ? ? ? at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:246)? ? ? ? at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:47)? ? ? ? at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:155)? ? ? ? 
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:776)? ? ? ? at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:369)? ? ? ? at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:110)? ? ? ? at sun.reflect.GeneratedMethodAccessor279.invoke(Unknown Source)? ? ? ? at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)? ? ? ? at java.lang.reflect.Method.invoke(Method.java:497)? ? ? ? at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)? ? ? ? at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)? ? ? ? at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)? ? ? ? at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)? ? ? ? at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)? ? ? ? at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)? ? ? ? at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)? ? ? ? at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)? ? ? ? ... 37 moreCaused by: org.hibernate.exception.GenericJDBCException: Could not open connection? ? ? ? at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:54)? ? ? ? at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:126)? ? ? ? at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:112)? ? ? ? at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:235)? ? ? ? at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.getConnection(LogicalConnectionImpl.java:171)? ? ? ? 
at org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.doBegin(JdbcTransaction.java:67)? ? ? ? at org.hibernate.engine.transaction.spi.AbstractTransactionImpl.begin(AbstractTransactionImpl.java:162)? ? ? ? at org.hibernate.internal.SessionImpl.beginTransaction(SessionImpl.java:1471)? ? ? ? at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:61)? ? ? ? ... 65 moreCaused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakOracleDS? ? ? ? at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)? ? ? ? at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:67)? ? ? ? at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:139)? ? ? ? at org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:380)? ? ? ? at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:228)? ? ? ? ... 70 moreCaused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakOracleDS? ? ? ? at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:646)? ? ? ? at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)? ? ? ? at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:737)? ? ? ? at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)? ? ? ? ... 74 moreCaused by: javax.resource.ResourceException: IJ000655: No managed connections available within configured blocking timeout (30000 [ms])? ? ? ? 
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:569)? ? ? ? at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:627)? ? ? ? at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:599)? ? ? ? at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:579)? ? ? ? ... 77 more 16:10:08,260 ERROR [stderr] (default task-41) javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection16:10:08,333 ERROR [stderr] (default task-41) ? at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)16:10:08,333 ERROR [stderr] (default task-41) ? at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677) What's the solution to correctly handle a concurrence environment?What am doing wrong? Is there a way to make synchronized keycloak jpa transactions?Thanks _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
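The sync code quoted in the thread calls realm.addRole() for every external role on every login, so two concurrent logins (the 20-thread test uses the same username) each try to INSERT the same role rows inside their own login transaction; that is the shape of the ORA-00001 unique-constraint violation and the ORA-00060 deadlock reported above. The following helper is an added example, not code from the thread or from Keycloak: it makes the synchronization idempotent by reading first and writing only what is missing or changed, so the steady-state login path issues no writes at all and holds no row locks. ExternalRole is a hypothetical stand-in for the poster's MyRole; RealmModel.getRole(), RealmModel.addRole() and RoleModel.setDescription() are the Keycloak 1.x model API the quoted code already uses.

```java
import java.util.List;
import java.util.Objects;

import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;

/**
 * Idempotent realm-role synchronization for a custom federation provider.
 * Added example; ExternalRole is a hypothetical stand-in for the poster's MyRole.
 */
public final class RoleSync {

    /** Minimal view of a role as delivered by the external system (assumed shape). */
    public static final class ExternalRole {
        private final String name;
        private final String description;

        public ExternalRole(String name, String description) {
            this.name = name;
            this.description = description;
        }

        public String getName() { return name; }
        public String getDescription() { return description; }
    }

    /**
     * Creates roles that do not exist yet and updates descriptions that changed.
     * Returns how many write operations were issued: in the common steady state
     * (everything already in sync) this is 0, so the login transaction takes no
     * row locks on the role table and cannot deadlock with a concurrent login.
     */
    public static int syncRealmRoles(RealmModel realm, List<ExternalRole> external) {
        int writes = 0;
        for (ExternalRole ext : external) {
            RoleModel role = realm.getRole(ext.getName());   // read before write
            if (role == null) {
                // INSERT only when the role is genuinely missing. Two first-time
                // logins can still race here; the unique constraint then rejects
                // one of them, which is why role creation belongs in a single
                // periodic sync job rather than in every login.
                role = realm.addRole(ext.getName());
                role.setDescription(ext.getDescription());
                writes++;
            } else if (!Objects.equals(role.getDescription(), ext.getDescription())) {
                role.setDescription(ext.getDescription());   // UPDATE only when changed
                writes++;
            }
        }
        return writes;
    }

    private RoleSync() { }
}
```

Called from getUserByUsername()/isValid() as in the quoted code, this removes the writes from the hot path but not the race between two first-time logins that both find a role missing. The robust placement is a single writer outside the login transaction, for example the periodic sync hooks the 1.x federation SPI exposes on UserFederationProviderFactory (syncAllUsers/syncChangedUsers; verify the signatures against the SPI of the version in use), which also answers the question above about hooking the login JPA transaction: the login path should only read roles, never create them.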
From alex_orl1079 at yahoo.it Tue Mar 8 08:42:36 2016
From: alex_orl1079 at yahoo.it (alex orl)
Date: Tue, 8 Mar 2016 13:42:36 +0000 (UTC)
Subject: [keycloak-user] db deadlock in concurrence environment
In-Reply-To: <491091343.8775016.1457438477239.JavaMail.yahoo@mail.yahoo.com>
References: <153020874.5410151.1457430410961.JavaMail.yahoo@mail.yahoo.com> <491091343.8775016.1457438477239.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1211295494.8905725.1457444556776.JavaMail.yahoo@mail.yahoo.com>

Sorry again... another important piece of information is that I'm working on Keycloak 1.7.0 Final. Any help? Is there any bug fixed in the next releases?

On Tuesday 8 March 2016 13:01, alex orl wrote:

In addition to my previous email I attach the deadlock exception stacktrace:

2:53:20,188 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-118) SQL Error: 60, SQLState: 61000
12:53:20,189 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-118) ORA-00060: deadlock detected while waiting for resource
12:53:20,189 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-118) HHH000010: On release of batch it still contained JDBC statements
12:53:20,192 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (default task-118) javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
        at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:44)
        at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34)
        at com.sun.proxy.$Proxy147.flush(Unknown Source)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:776)? ? ? ? at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:369)? ? ? ? at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:110)? ? ? ? at sun.reflect.GeneratedMethodAccessor279.invoke(Unknown Source)? ? ? ? at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)? ? ? ? at java.lang.reflect.Method.invoke(Method.java:497)? ? ? ? at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)? ? ? ? at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)? ? ? ? at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)? ? ? ? at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)? ? ? ? at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)? ? ? ? at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)? ? ? ? at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)? ? ? ? at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)? ? ? ? ... 37 moreCaused by: org.hibernate.exception.GenericJDBCException: Could not open connection? ? ? ? at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:54)? ? ? ? at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:126)? ? ? ? at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:112)? ? ? ? at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:235)? ? ? ? at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.getConnection(LogicalConnectionImpl.java:171)? ? ? ? 
at org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.doBegin(JdbcTransaction.java:67)? ? ? ? at org.hibernate.engine.transaction.spi.AbstractTransactionImpl.begin(AbstractTransactionImpl.java:162)? ? ? ? at org.hibernate.internal.SessionImpl.beginTransaction(SessionImpl.java:1471)? ? ? ? at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:61)? ? ? ? ... 65 moreCaused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakOracleDS? ? ? ? at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)? ? ? ? at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:67)? ? ? ? at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:139)? ? ? ? at org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:380)? ? ? ? at org.hibernate.engine.jdbc.internal.LogicalConnectionImpl.obtainConnection(LogicalConnectionImpl.java:228)? ? ? ? ... 70 moreCaused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakOracleDS? ? ? ? at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:646)? ? ? ? at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)? ? ? ? at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:737)? ? ? ? at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)? ? ? ? ... 74 moreCaused by: javax.resource.ResourceException: IJ000655: No managed connections available within configured blocking timeout (30000 [ms])? ? ? ? 
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:569)? ? ? ? at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:627)? ? ? ? at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:599)? ? ? ? at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:579)? ? ? ? ... 77 more 16:10:08,260 ERROR [stderr] (default task-41) javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Could not open connection16:10:08,333 ERROR [stderr] (default task-41) ? at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)16:10:08,333 ERROR [stderr] (default task-41) ? at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677) What's the solution to correctly handle a concurrence environment?What am doing wrong? Is there a way to make synchronized keycloak jpa transactions?Thanks _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
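The message above re-synchronises every realm role on every getUserByUsername/isValid call, so N concurrent logins become N concurrent batches of role writes, each holding a pooled connection until the batch finishes; the innermost "Caused by" (IJ000655, no managed connection within the 30 s blocking timeout) is the pool running dry under exactly that load. The following is an added example, not code from the post or from Keycloak: it contrasts that per-login pattern with a single-flight, rate-limited sync in which only one thread runs the synchronisation and later logins reuse it until it goes stale. The provider class names, the in-memory "directory" and "role store", and the sample users are all stand-ins for the real federation SPI and realm tables; the load (20 threads, 20 users, 200 logins) mirrors the poster's second test.

```python
"""Single-flight, rate-limited role sync on the login path (added example)."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class FakeRoleStore:
    """Stand-in for the realm role tables (assumption: not a real database).
    It counts sync operations and the peak number running at the same time,
    which is what decides how many pooled connections are held at once."""

    def __init__(self):
        self.roles = set()
        self.sync_calls = 0
        self.peak_in_flight = 0
        self._in_flight = 0
        self._lock = threading.Lock()

    def replace_roles(self, wanted):
        with self._lock:
            self.sync_calls += 1
            self._in_flight += 1
            self.peak_in_flight = max(self.peak_in_flight, self._in_flight)
        time.sleep(0.002)  # stands in for a batch of INSERT/DELETE statements
        with self._lock:
            self.roles = set(wanted)
            self._in_flight -= 1


class PerLoginSyncProvider:
    """The pattern from the post: every lookup re-synchronises all roles."""

    def __init__(self, directory, store):
        self.directory, self.store = directory, store

    def get_user_by_username(self, username):
        self.store.replace_roles(self.directory["roles"])
        return self.directory["users"].get(username)


class ThrottledSyncProvider:
    """Same lookup, but the sync is single-flight (one thread at a time) and
    rate limited (only when the last sync is older than min_interval seconds).
    Logins arriving while the sync is fresh never touch the role tables."""

    def __init__(self, directory, store, min_interval=60.0):
        self.directory, self.store = directory, store
        self.min_interval = min_interval
        self._lock = threading.Lock()
        self._last_sync = float("-inf")  # monotonic time of last completed sync

    def _sync_if_stale(self):
        if time.monotonic() - self._last_sync < self.min_interval:
            return
        with self._lock:
            # Double-checked: another thread may have synced while we waited.
            if time.monotonic() - self._last_sync < self.min_interval:
                return
            self.store.replace_roles(self.directory["roles"])
            self._last_sync = time.monotonic()

    def get_user_by_username(self, username):
        self._sync_if_stale()
        return self.directory["users"].get(username)


# Constructed sample directory: 20 users and three realm roles.
DIRECTORY = {
    "roles": {"admin", "user", "auditor"},
    "users": {f"user{i}": {"username": f"user{i}", "roles": ["user"]} for i in range(20)},
}


def run_logins(provider, logins=200, threads=20):
    """Fire `logins` lookups from `threads` workers, cycling through the 20
    sample users; return how many lookups found a user."""
    usernames = [f"user{i % 20}" for i in range(logins)]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        found = list(pool.map(provider.get_user_by_username, usernames))
    return sum(1 for user in found if user is not None)


def compare(logins=200, threads=20):
    """Run both providers under the same load and report the sync counts."""
    naive_store, throttled_store = FakeRoleStore(), FakeRoleStore()
    naive_found = run_logins(PerLoginSyncProvider(DIRECTORY, naive_store), logins, threads)
    throttled_found = run_logins(ThrottledSyncProvider(DIRECTORY, throttled_store), logins, threads)
    return {
        "naive_found": naive_found,
        "naive_syncs": naive_store.sync_calls,
        "throttled_found": throttled_found,
        "throttled_syncs": throttled_store.sync_calls,
        "throttled_peak_in_flight": throttled_store.peak_in_flight,
        "roles_after_sync": sorted(throttled_store.roles),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Under the 200-login run the naive provider performs 200 syncs, the throttled one performs a single sync with at most one in flight, and both resolve every user. The same idea taken one step further is to take synchronisation off the login path entirely and run it on a schedule, which is what the periodic full/changed-users sync settings of a Keycloak federation provider are for; the per-request code then only reads.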
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/d333ef41/attachment-0001.html From malmi.suh at gmail.com Tue Mar 8 08:57:59 2016 From: malmi.suh at gmail.com (Malmi Samarasinghe) Date: Tue, 8 Mar 2016 19:27:59 +0530 Subject: [keycloak-user] Assign Role Fails Just After Creating the Role In-Reply-To: References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com> <56B4A6CB.3020507@redhat.com> Message-ID: Hi All, We have upgraded the keycloak version to 1.9.0. I just carried out a load test on our identity server and it seems to have reduced the failures to a great extent. However, when I execute 50 threads per second, there are some intermittent failures (2-3 failures for 50 threads). I further noticed that the frequency is higher for realm roles than for client roles. Regards, Malmi On Sat, Feb 6, 2016 at 8:33 AM, Malmi Samarasinghe wrote: > Many Thanks to your assistance regarding the issue. > > On Fri, Feb 5, 2016 at 7:12 PM, Bill Burke wrote: > >> 1.9.0.Final will have it... >> >> >> On 2/5/2016 7:50 AM, Malmi Samarasinghe wrote: >> >> Hi Stian, >> >> Thank you very much for looking in to the issue. We tried with around 6 >> role creations per second, and I tried switching off realm cache and it had >> negative impact on the performance of other API s. >> >> Really appreciate if you could suggest us a rough timeline for a fix >> date. >> >> Regards, >> Malmi >> >> On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen >> wrote: >> >>> Either don't create roles concurrently or disable cache. >>> >>> How frequently are you creating roles? Just wondering because if you do >>> it will significantly impact the benefits of the cache as we invalidate a >>> large amount of the cache when roles are added/removed. >>> >>> The problem you are seeing is most likely down to a race condition when >>> the realm role list (or client role lists) are re-loaded after they are >>> invalidated. 
I haven't had much time to look at it yet, so I don't know the >>> exact cause or a solution. >>> >>> On 5 February 2016 at 09:57, Malmi Samarasinghe < >>> malmi.suh at gmail.com> wrote: >>> >>>> Hi Stian, >>>> >>>> We have this in production is there any intermediary fix that we can do >>>> or any workaround? >>>> >>>> Regards, >>>> Malmi >>>> >>>> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen >>>> wrote: >>>> >>>>> Confirmed this bug >>>>> https://issues.jboss.org/browse/KEYCLOAK-2458 >>>>> >>>>> On 5 February 2016 at 06:53, Malmi Samarasinghe < >>>>> malmi.suh at gmail.com> wrote: >>>>> >>>>>> Hi Stian/Bill, >>>>>> >>>>>> I just wanted to highlight that this issue only occurred when realm >>>>>> cache enabled option is ON. >>>>>> >>>>>> Regards, >>>>>> Malmi >>>>>> >>>>>> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe < >>>>>> malmi.suh at gmail.com> wrote: >>>>>> >>>>>>> Hi Stian >>>>>>> >>>>>>> I have multiple threads creating different roles. Basically one >>>>>>> thread will execute all three apis one after another. >>>>>>> >>>>>>> Regards, >>>>>>> Malmi >>>>>>> >>>>>>> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen < >>>>>>> sthorger at redhat.com> wrote: >>>>>>> >>>>>>>> When you say method1 is executed in multiple threads, do you mean >>>>>>>> one thread creates the role and another retrieves it? Or do you have >>>>>>>> multiple threads creating different roles? 
>>>>>>>> >>>>>>>> On 4 February 2016 at 12:31, Malmi Samarasinghe < >>>>>>>> malmi.suh at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hi Bill, >>>>>>>>> >>>>>>>>> Please find the workflow that we have implemented >>>>>>>>> create user : POST : admin/realms/{realm}/users >>>>>>>>> >>>>>>>>> *Method1* wraps the following API calls >>>>>>>>> Create Realm role : POST : admin/realms/{realm}/roles >>>>>>>>> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName} >>>>>>>>> Assign Role : POST : >>>>>>>>> admin/realms/leapset/users/{0}/role-mappings/realm >>>>>>>>> >>>>>>>>> Same for the client roles as well. >>>>>>>>> >>>>>>>>> *Method1 *is executed in multiple threads and assign realm role >>>>>>>>> API starts failing with 404 (keycloak log states role not found) >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> Malmi >>>>>>>>> >>>>>>>>> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke < >>>>>>>>> bburke at redhat.com> wrote: >>>>>>>>> >>>>>>>>>> Can you give me what REST invocations you are doing? How do you >>>>>>>>>> find the role? How do you create the role? etc... >>>>>>>>>> >>>>>>>>>> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote: >>>>>>>>>> >>>>>>>>>> Hi Bill, >>>>>>>>>> >>>>>>>>>> We tried the above fix on top of 1.7.0 by applying the changes >>>>>>>>>> from the commits attached to the >>>>>>>>>> >>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and >>>>>>>>>> it seems to have the same issue. If you have any further update on this >>>>>>>>>> please let us know. >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> Malmi >>>>>>>>>> >>>>>>>>>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen < >>>>>>>>>> sthorger at redhat.com> wrote: >>>>>>>>>> >>>>>>>>>>> This could be related to >>>>>>>>>>> >>>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327. >>>>>>>>>>> >>>>>>>>>>> It's already fixed in master, so if you can try it out that >>>>>>>>>>> would be great. We should also have a 1.8.1.Final release this week with >>>>>>>>>>> the fix in as well. 
>>>>>>>>>>> >>>>>>>>>>> On 30 January 2016 at 05:16, Malmi Samarasinghe < >>>>>>>>>>> malmi.suh at gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi Bill, >>>>>>>>>>>> >>>>>>>>>>>> We are using keycloak 1.7.0 and rdbms (mysql) >>>>>>>>>>>> >>>>>>>>>>>> Regards, >>>>>>>>>>>> Malmi Samarasinghe >>>>>>>>>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" < >>>>>>>>>>>> bburke at redhat.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Which version of keycloak? RDBMS or Mongo? >>>>>>>>>>>>> >>>>>>>>>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> Hi Everyone, >>>>>>>>>>>>> >>>>>>>>>>>>> In my application we create retrieve and assign role >>>>>>>>>>>>> subsequently and it seems that even for a small load (2-3 threads) with >>>>>>>>>>>>> realm cache enabled option, assign realm role call fails due to role not >>>>>>>>>>>>> exist error and 404 is returned from keycloak. >>>>>>>>>>>>> >>>>>>>>>>>>> With the realm cache disabled option the load works fine. >>>>>>>>>>>>> >>>>>>>>>>>>> Please get back to me if you have any information on any other >>>>>>>>>>>>> option we can follow to get this issue sorted or on what action the realm >>>>>>>>>>>>> cache will be persisted to DB. 
>>>>>>>>>>>>> >>>>>>>>>>>>> Regards, >>>>>>>>>>>>> Malmi >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Bill Burke >>>>>>>>>>>>> JBoss, a division of Red Hathttp://bill.burkecentral.com >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>>>> >>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>>> >>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Bill Burke >>>>>>>>>> JBoss, a division of Red Hathttp://bill.burkecentral.com >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hathttp://bill.burkecentral.com >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/deb6b1a9/attachment-0001.html From orestis.tsakiridis at telestax.com Tue Mar 8 10:03:18 2016 From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis) Date: Tue, 8 Mar 2016 17:03:18 +0200 Subject: [keycloak-user] Design concerns on automated Keycloak Client addition to a realm In-Reply-To: References: Message-ID: Thanks Stian! Client Registration service passed under my radar (still on 1.6.1). I was wondering, Initial Access Tokens seem to be only generated from the Administration Console. Is there a REST API for that ? 
On Fri, Mar 4, 2016 at 12:09 PM, Stian Thorgersen wrote: > For dynamic registration of clients take a look at > http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html > > On 4 March 2016 at 09:12, Orestis Tsakiridis < > orestis.tsakiridis at telestax.com> wrote: > >> Hello, >> >> I'm trying to design a keycloak-based system that will have the following >> characteristics: >> >> * A single realm R will exist with a big set of users. >> * Users will be able to install instances of software X that consists of >> four (4) applications protected by keycloak. >> * Each application in any instance of X will have a corresponding >> Keycloak Client entity containing a set of application-level roles. Thus, >> having the appropriate role, a user of R can selectively be granted access >> to any application of any instance of X. >> * The addition of a new instance of X to the keycloak realm (the creation >> of the Clients, client roles etc.) is called 'registration' and will be >> done using the Keycloak Admin REST API. >> >> What's the best practice to achieve automatic registration of a new >> instance to the realm? >> >> I've considered the following: >> >> a. Have the instance applications *directly* consume keycloak Admin REST >> API and create Clients and Client roles. As far as I investigated users of >> the instance will need to have a R:realm-management:manage-clients role in >> order to do that (create-client didn't work). This seems a pretty >> permissive role to give to any user in R. >> >> b. Have a separate keycloak-protected application that won't be part of X >> to do the important work of 'registration'. It will work as a proxy. The >> application will act on behalf of an administrator user with a powerful >> role like R:realm-management:realm-admin. The application will define its >> own set of roles and HTTP API for instance registration. All users will >> have to go through it to register their instance. 
It will work as a proxy. >> But they won't need to be granted dangerous roles to do it. >> >> Any suggestion will be more than welcome. >> >> Thanks >> >> Orestis >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/0a1fcec9/attachment.html From jaxley at expedia.com Tue Mar 8 11:33:55 2016 From: jaxley at expedia.com (Jason Axley) Date: Tue, 8 Mar 2016 16:33:55 +0000 Subject: [keycloak-user] JSESSIONID is not set with the Secure nor HttpOnly flag Message-ID:

Bringing this discussion from an open JIRA to the mailing list to have an open discussion about the issue. Stian can join in to make sure his viewpoint is represented here. I'll try to summarize the discussion.

The Keycloak admin and account client applications do not currently use the Keycloak adapters for authentication/authorization interception. They currently write their own set of Keycloak cookies to manage the user's security session. These applications do not have any dependency on the J2EE session.

However, if applications make use of the Keycloak adapters as authentication/authorization interceptors, those are currently written to not write separate Keycloak security session cookies; they just repurpose the J2EE session (JSESSIONID). However, the adapters don't do any security configuration or checking or warning that the underlying J2EE session has not been configured to be a Secure and HttpOnly cookie, meaning that Keycloak adapters are all insecure by default. A design decision was made to say that security of that cookie is out of scope for the adapters. There is a general concern about where the adapters should draw the line between Keycloak security checking responsibility and the application it is protecting.

I think there is a line that's easy to draw: if Keycloak is using something for its needs that it depends on being secure, then it has a responsibility to ensure that facility is configured securely. If Keycloak was to write its own session ID cookie and not enforce Secure and HttpOnly cookies, it would be clear that Keycloak would be negligent in not securing the application to basic web application standards. I don't think that a decision to use the J2EE session absolves Keycloak from its security responsibilities. There's a saying that you can outsource the technology but you can't outsource the risk.

I think especially as a security application, Keycloak has a duty to do the right thing from a web app security perspective and ensure it is implementing all of the typical OWASP top 10 and beyond security controls in the code it produces and depends on. Cookie security is a basic building block for a secure web application.

There was a proposal to try to rely on the Documentation to warn anyone using the adapters that they are essentially responsible for doing all of the web application security configuration of the J2EE session, HTTPS, etc. However, time and time again, it has shown that Documentation just doesn't make up for the lack of secure defaults when you measure the rate of compliance in the real world. Security is one of those orthogonal things where the system can "work" but be completely insecure and operators and developers can be completely unaware of this until a pen tester or attacker shows them they have not changed the insecure default settings.

My proposal is that Keycloak application (including adapters) should have a secure design philosophy of being secure-by-default and require explicit overrides to disable the secure defaults. This will ensure that the system will be robust unless someone makes conscious choices to degrade the security.

Thoughts?

-Jason

Jason Axley
Sr. 
Security Engineer, Expedia Worldwide Engineering Team 425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv) 333 108th Ave NE, 9S-282, Bellevue, WA 98004 EWE Security Wiki -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/931a58f7/attachment.html From sthorger at redhat.com Tue Mar 8 13:57:50 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 8 Mar 2016 19:57:50 +0100 Subject: [keycloak-user] Design concerns on automated Keycloak Client addition to a realm In-Reply-To: References: Message-ID: On 8 March 2016 at 16:03, Orestis Tsakiridis < orestis.tsakiridis at telestax.com> wrote: > Thanks Stian! > > Client Registration service passed under my radar (still on 1.6.1). > > I was wondering, Initial Access Tokens seem to be only generated from the > Administration Console. Is there a REST API for that ? > The admin console is just a HTML5 app calling REST APIs, so yes ;). See http://keycloak.github.io/docs/rest-api/index.html and you need a bearer token with the appropriate roles to invoke. > > > > > > On Fri, Mar 4, 2016 at 12:09 PM, Stian Thorgersen > wrote: > >> For dynamic registration of clients take a look at >> http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html >> >> On 4 March 2016 at 09:12, Orestis Tsakiridis < >> orestis.tsakiridis at telestax.com> wrote: >> >>> Hello, >>> >>> I'm trying to design a keycloak-based system that will have the >>> following characteristics: >>> >>> * A single realm R will exist with a big set of users. >>> * Users will be able to install instances of software X that consists of >>> four (4) applications protected by keycloak. >>> * Each application in any instance of X will have a corresponding >>> Keycloak Client entity containing a set of application-level roles. 
Thus, >>> having the appropriate role, a user of R can selectively be granted access >>> to any application of any instance of X. >>> * The addition of a new instance of X to the keycloak realm (the >>> creation of the Clients, client roles etc.) is called 'registration' and >>> will be done using the Keycloak Admin REST API. >>> >>> What's the best practice to achieve automatic registration of a new >>> instance to the realm? >>> >>> I've considered the following: >>> >>> a. Have the instance applications *directly* consume keycloak Admin REST >>> API and create Clients and Client roles. As far as I investigated users of >>> the instance will need to have a R:realm-management:manage-clients role in >>> order to do that (create-client didn't work). This seems a pretty >>> permissive role to give to any user in R. >>> >>> b. Have a separate keycloak-protected application that won't be part of >>> X to do the important work of 'registration'. It will work as a proxy. The >>> application will act on behalf of an administrator user with a powerful >>> role like R:realm-management:realm-admin. The application will define its >>> own set of roles and HTTP API for instance registration. All users will >>> have to go through it to register their instance. It will work as a proxy. >>> But they won't need to be granted dangerous roles to do it. >>> >>> Any suggestion will be more than welcome. >>> >>> Thanks >>> >>> Orestis >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/67502cf7/attachment-0001.html From sthorger at redhat.com Tue Mar 8 14:06:07 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 8 Mar 2016 20:06:07 +0100 Subject: [keycloak-user] JSESSIONID is not set with the Secure nor HttpOnly flag In-Reply-To: References: Message-ID:

Adding my point of view on this. Our JEE adapters are written to help users integrate with Keycloak to authenticate users; that's the scope of the adapters at the moment. We do not pretend to solve any OWASP top 10 or other general web security recommendations in users' applications. In fact, unless you enable SSL for your applications, token security is completely insecure. I'd love it to be the case that we could extend the adapters to cover general web security to make JEE applications secured in a simple way, but we don't have enough resources for that and we'd rather focus our effort on providing adapters/integration for other programming languages and frameworks.

Further, the adapters can be configured to be stateless or use the regular JEE HTTP session. It's the container's and the user's responsibility to secure the HTTP session. You can make exactly the same argument that you are making towards Keycloak towards the JEE containers as well. They provide the HTTP session in the first place, and as long as you don't enable SSL and secure the cookie it's not going to be secure. IMO it's better to try to educate than to try to magically fix it. Educating means that users will understand that they still need to review OWASP top 10 and other web security recommendations even if they are using Keycloak.

On 8 March 2016 at 17:33, Jason Axley wrote: > Bringing this discussion from an open JIRA to the mailing list to have an > open discussion about the issue. Stian can join in to make sure his > viewpoint is represented here. I'll try to summarize the discussion. > > The Keycloak admin and account client applications do not currently use > the Keycloak adapters for authentication/authorization interception. They > currently write their own set of Keycloak cookies to manage the user's > security session. These applications do not have any dependency on the > J2EE session. > > However, if applications make use of the Keycloak adapters as > authentication/authorization interceptors, those are currently written to > not write separate Keycloak security session cookies; they just > repurpose the J2EE session (JSESSIONID). However, the adapters don't do > any security configuration or checking or warning that the underlying J2EE > session has not been configured to be a Secure and HttpOnly cookie, meaning > that Keycloak adapters are all insecure by default. A design decision was > made to say that security of that cookie is out of scope for the adapters. > There is a general concern about where the adapters should draw the line > between Keycloak security checking responsibility and the application it is > protecting. > > I think there is a line that's easy to draw: if Keycloak is using > something for its needs that it depends on being secure, then it has a > responsibility to ensure that facility is configured securely. If Keycloak > was to write its own session ID cookie and not enforce Secure and HttpOnly > cookies, it would be clear that Keycloak would be negligent in not > securing the application to basic web application standards. I don't think > that a decision to use the J2EE session absolves Keycloak from its security > responsibilities. There's a saying that you can outsource the technology > but you can't outsource the risk. > > I think especially as a security application, Keycloak has a duty to do > the right thing from a web app security perspective and ensure it is > implementing all of the typical OWASP top 10 and beyond security controls in > the code it produces and depends on. Cookie security is a basic building > block for a secure web application. > > There was a proposal to try to rely on the Documentation to warn anyone > using the adapters that they are essentially responsible for doing all of > the web application security configuration of the J2EE session, HTTPS, > etc. However, time and time again, it has shown that Documentation just > doesn't make up for the lack of secure defaults when you measure the rate > of compliance in the real world. Security is one of those orthogonal > things where the system can "work" but be completely insecure and operators > and developers can be completely unaware of this until a pen tester or > attacker shows them they have not changed the insecure default settings. > > My proposal is that Keycloak application (including adapters) should have > a secure design philosophy of being secure-by-default and require explicit > overrides to disable the secure defaults. This will ensure that the system > will be robust unless someone makes conscious choices to degrade the > security. > > Thoughts? > > -Jason > > *Jason Axley* > > Sr. Security Engineer, Expedia Worldwide Engineering Team > > 425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv) > > 333 108th Ave NE, 9S-282, Bellevue, WA 98004 > > EWE Security Wiki > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160308/2bf5cbc9/attachment.html From bruno at abstractj.org Tue Mar 8 14:43:32 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 08 Mar 2016 19:43:32 +0000 Subject: [keycloak-user] JSESSIONID is not set with the Secure nor HttpOnly flag In-Reply-To: References: Message-ID: +1 on what Stian said. 
Plus, I don't see why the same could not be achieved/configured on WildFly for example. Security is a process, not a product. People willing to secure their systems must stick with a set of best practices for Web Applications, OS and etc.

If we start to think that everything should be secure by default, 100% of the servers outside should already come with Firewall enabled, Honeypots and SELinux policies enabled. But they won't do that. Why? Because it's up to the sysadmin to have the security awareness, to evaluate the network, decide whether their users should set strong or weak passwords.

On Tue, Mar 8, 2016 at 4:06 PM Stian Thorgersen wrote:

> Adding my point of view on this. Our JEE adapters are written to help users integrate with Keycloak to authenticate users, that's the scope of the adapters at the moment. We do not pretend to solve any OWASP top 10 or other general web security recommendations in users' applications. In fact unless you enable SSL for your applications token security is completely insecure. I'd love it to be the case that we could extend the adapters to cover general web security to make JEE applications secured in a simple way, but we don't have enough resources for that and we'd rather focus our effort on providing adapters/integration for other programming languages and frameworks.
>
> Further, the adapters can be configured to be stateless or use the regular JEE HTTP session. It's the container and the user's responsibility to secure the HTTP session. You can make exactly the same argument that you are making towards Keycloak towards the JEE containers as well. They provide the HTTP session in the first place and as long as you don't enable SSL and secure the cookie it's not going to be secure. IMO it's better to try to educate than to try to magically fix it. Educating means that users will understand that they still need to review OWASP top 10 and other web security recommendations even if they are using Keycloak.

From jaxley at expedia.com Tue Mar 8 14:59:44 2016
From: jaxley at expedia.com (Jason Axley)
Date: Tue, 8 Mar 2016 19:59:44 +0000
Subject: [keycloak-user] JSESSIONID is not set with the Secure nor HttpOnly flag
Message-ID: <72C053C9-E2D2-4C3B-A52A-BB9638954785@expedia.com>

If sysadmins should be responsible, then why not put the responsibility squarely in the lap of the ops/sysadmins then and make the app secure by default so they have to overtly and knowingly make it insecure rather than happily running an app they won't know is insecure unless they happen to stumble upon some dusty corner of the documentation?

This is 2016 - we should not be building apps that are not secure and punting to sysadmins to fix them - that is a failed model that results in insecure defaults in production deployments in practice.

Do you agree that if Keycloak was writing the cookies itself then Keycloak should ensure secure and HttpOnly cookies for the security session?

-Jason

> From: Bruno Oliveira
> Date: Tuesday, March 8, 2016 at 11:43 AM
> To: "stian at redhat.com", Jason Axley
> Cc: "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] JSESSIONID is not set with the Secure nor HttpOnly flag
>
> +1 on what Stian said.
> Plus, I don't see why the same could not be achieved/configured on WildFly for example. Security is a process, not a product. People willing to secure their systems must stick with a set of best practices for Web Applications, OS and etc.
>
> If we start to think that everything should be secure by default, 100% of the servers outside should already come with Firewall enabled, Honeypots and SELinux policies enabled. But they won't do that. Why? Because it's up to the sysadmin to have the security awareness, to evaluate the network, decide whether their users should set strong or weak passwords.
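The check a defender would actually run on the question Jason raises above, as an added example that is not code from the thread or from Keycloak: since the JEE adapters reuse the container's JSESSIONID, the Secure and HttpOnly flags come from the container, so the script audits the Set-Cookie headers an application emits and reads the Servlet 3.0+ web.xml cookie-config that sets them. The sample headers and both web.xml documents are constructed.

```python
"""Audit the flags on the container session cookie (JSESSIONID), the gap the
thread discusses: the JEE adapters reuse the container session, so Secure and
HttpOnly come from the container / web.xml, not from Keycloak.  Added example;
the Set-Cookie headers and web.xml documents below are constructed samples."""
import xml.etree.ElementTree as ET

# The container session cookie the adapters repurpose.  Extend the set if an
# application writes its own session cookies that deserve the same check.
SESSION_COOKIES = {"JSESSIONID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value_or_None}).
    Attribute names are lower-cased; flags such as Secure/HttpOnly map to None."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs


def audit_set_cookie_headers(headers, over_tls=True):
    """Return {cookie_name: [findings]} for session cookies missing flags.
    `headers` is a list of raw Set-Cookie values as a client receives them.
    Secure only makes sense when the app is reachable over TLS (the ssl-required
    point raised in the thread); pass over_tls=False to skip that check."""
    findings = {}
    for raw in headers:
        name, _, attrs = parse_set_cookie(raw)
        if name not in SESSION_COOKIES:
            continue
        problems = []
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: session id readable by page scripts")
        if over_tls and "secure" not in attrs:
            problems.append("missing Secure: session id may be sent over plain HTTP")
        if problems:
            findings[name] = problems
    return findings


def _local_child(elem, local_name):
    """First direct child whose tag matches local_name, ignoring the XML
    namespace (web.xml uses a versioned javaee namespace)."""
    for child in elem:
        if child.tag.split("}")[-1] == local_name:
            return child
    return None


def audit_web_xml(web_xml_text):
    """Read <session-config><cookie-config> from a Servlet 3.0+ web.xml.
    Returns {"secure": bool, "http-only": bool} as the container applies them;
    a missing element counts as False, which is the container default."""
    root = ET.fromstring(web_xml_text)
    result = {"secure": False, "http-only": False}
    session = _local_child(root, "session-config")
    cookie = _local_child(session, "cookie-config") if session is not None else None
    if cookie is not None:
        for flag in result:
            node = _local_child(cookie, flag)
            result[flag] = node is not None and (node.text or "").strip().lower() == "true"
    return result


# Constructed sample: a session cookie as a default container might emit it.
SAMPLE_HEADERS = [
    "JSESSIONID=8d1f9c2e4b1a; Path=/myapp",
    "theme=dark; Path=/",
]

# Constructed web.xml pair: the weak default beside the hardened cookie-config.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    for cookie_name, problems in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        print(cookie_name, "->", "; ".join(problems))
    print("weak web.xml:", audit_web_xml(WEAK_WEB_XML))
    print("hardened web.xml:", audit_web_xml(HARDENED_WEB_XML))
```

The same audit applies unchanged to any other cookie name added to SESSION_COOKIES, including ones an application writes itself.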
From eugene.chow.ct at gmail.com Tue Mar 8 21:21:07 2016
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Wed, 9 Mar 2016 10:21:07 +0800
Subject: [keycloak-user] Custom User Info URL for an OpenID Connect endpoint
Message-ID: <2576F7A4-DA9E-44CD-98C5-ABB85C43BB68@gmail.com>

It seems like when using the user info endpoint in Step 2, I have to add additional headers. Looks like I have to write the custom ID provider.

Can I also check if Keycloak supports regular updates of user accounts? Since user account details can change from time to time, it would be nice to make Keycloak pull user account updates on a daily basis.

> On 8 Mar 2016, at 14:41, Stian Thorgersen wrote:
>
> Write a custom identity provider extending OIDCIdentityProvider and override getFederatedIdentity. See http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html on how to deploy to Keycloak. I would imagine you don't need 1 as the sub (UID) should be available in the access token.
>
> On 8 March 2016 at 03:45, Eugene Chow wrote:
>
> Hi guys,
>
> I need to make Keycloak authenticate against a custom-built OpenID endpoint that's not under my control. Keycloak authenticates flawlessly. The "but" here is that the endpoint doesn't implement a standard User Info endpoint, so Keycloak isn't able to grab the user's profile. Getting the user's profile is a 2-step process.
>
> 1) Get the UID of the user from the standard User Info endpoint: https://custom.openid.io/openid/connect/v1/userinfo
> 2) Use the UID from Step 1 to obtain the real User Info from here: https://custom.openid.io/realuserinfo/v1/users
>
> To make this happen, I have a feeling that I have to roll out my own identity provider and probably write a plugin using the Auth SPI. Could you please guide me in the right direction?
>
> Thanks in advance!
From sthorger at redhat.com Wed Mar 9 00:25:35 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 9 Mar 2016 06:25:35 +0100
Subject: [keycloak-user] JSESSIONID is not set with the Secure nor HttpOnly flag
In-Reply-To: <72C053C9-E2D2-4C3B-A52A-BB9638954785@expedia.com>
References: <72C053C9-E2D2-4C3B-A52A-BB9638954785@expedia.com>

On 8 March 2016 at 20:59, Jason Axley wrote:

> If sysadmins should be responsible, then why not put the responsibility squarely in the lap of the ops/sysadmins then and make the app secure by default so they have to overtly and knowingly make it insecure rather than happily running an app they won't know is insecure unless they happen to stumble upon some dusty corner of the documentation?
>
> This is 2016 - we should not be building apps that are not secure and punting to sysadmins to fix them - that is a failed model that results in insecure defaults in production deployments in practice.

To some extent I agree. However, it's not as simple as improving default settings and you are somehow magically secure. Security settings are also very environment specific and some can't even be included by default (for example SSL).

> Do you agree that if Keycloak was writing the cookies itself then Keycloak should ensure secure and HttpOnly cookies for the security session?

Yes, if Keycloak was creating the cookie then we would set http only and set the secure field based on our ssl-required policy. It's created by the container so defaults come from there; I don't understand why http only isn't set by default though. What container are you using? Maybe you can send an issue their way?

> -Jason

From sthorger at redhat.com Wed Mar 9 00:26:57 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 9 Mar 2016 06:26:57 +0100
Subject: [keycloak-user] Custom User Info URL for an OpenID Connect endpoint
In-Reply-To: <2576F7A4-DA9E-44CD-98C5-ABB85C43BB68@gmail.com>
References: <2576F7A4-DA9E-44CD-98C5-ABB85C43BB68@gmail.com>

We don't support regular updates through identity brokers, but it's possible to write a custom user federation provider that does that.

On 9 March 2016 at 03:21, Eugene Chow wrote:

> It seems like when using the user info endpoint in Step 2, I have to add additional headers. Looks like I have to write the custom ID provider.
>
> Can I also check if Keycloak supports regular updates of user accounts? Since user account details can change from time to time, it would be nice to make Keycloak pull user account updates on a daily basis.

From sthorger at redhat.com Wed Mar 9 00:55:02 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 9 Mar 2016 06:55:02 +0100
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com> <56B4A6CB.3020507@redhat.com>

We have some further improvements coming in 1.9.1 which is due to be released today. Please test with that and let us know if you still have issues.

On 8 March 2016 at 14:57, Malmi Samarasinghe wrote:

> Hi All,
>
> We have upgraded the keycloak version to 1.9.0.
> I just carried out a load test on our identity server and it seems to have reduced the failures to a great extent.
> However, when I execute 50 threads per second, there are some intermittent failures (2-3 failures for 50 threads). I further noticed that the frequency is higher for realm roles than for client roles.
>
> Regards,
> Malmi
>
> On Sat, Feb 6, 2016 at 8:33 AM, Malmi Samarasinghe wrote:
>
>> Many thanks for your assistance regarding the issue.
>>
>> On Fri, Feb 5, 2016 at 7:12 PM, Bill Burke wrote:
>>
>>> 1.9.0.Final will have it...
>>>
>>> On 2/5/2016 7:50 AM, Malmi Samarasinghe wrote:
>>>
>>> Hi Stian,
>>>
>>> Thank you very much for looking into the issue. We tried with around 6 role creations per second, and I tried switching off realm cache and it had a negative impact on the performance of other APIs.
>>>
>>> Really appreciate if you could suggest us a rough timeline for a fix date.
>>>
>>> Regards,
>>> Malmi
>>>
>>> On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen wrote:
>>>
>>>> Either don't create roles concurrently or disable cache.
>>>>
>>>> How frequently are you creating roles? Just wondering because if you do it will significantly impact the benefits of the cache as we invalidate a large amount of the cache when roles are added/removed.
>>>>
>>>> The problem you are seeing is most likely down to a race condition when the realm role list (or client role lists) are re-loaded after they are invalidated. I haven't had much time to look at it yet, so I don't know the exact cause or a solution.
>>>>
>>>> On 5 February 2016 at 09:57, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:
>>>>
>>>>> Hi Stian,
>>>>>
>>>>> We have this in production. Is there any intermediary fix that we can do or any workaround?
>>>>>
>>>>> Regards,
>>>>> Malmi
>>>>>
>>>>> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen wrote:
>>>>>
>>>>>> Confirmed this bug https://issues.jboss.org/browse/KEYCLOAK-2458
>>>>>>
>>>>>> On 5 February 2016 at 06:53, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:
>>>>>>
>>>>>>> Hi Stian/Bill,
>>>>>>>
>>>>>>> I just wanted to highlight that this issue only occurred when the realm cache enabled option is ON.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Malmi
>>>>>>>
>>>>>>> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Stian
>>>>>>>>
>>>>>>>> I have multiple threads creating different roles. Basically one thread will execute all three APIs one after another.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Malmi
>>>>>>>>
>>>>>>>> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> When you say method1 is executed in multiple threads, do you mean one thread creates the role and another retrieves it? Or do you have multiple threads creating different roles?
>>>>>>>>>
>>>>>>>>> On 4 February 2016 at 12:31, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Bill,
>>>>>>>>>>
>>>>>>>>>> Please find the workflow that we have implemented
>>>>>>>>>> create user : POST : admin/realms/{realm}/users
>>>>>>>>>>
>>>>>>>>>> Method1 wraps the following API calls
>>>>>>>>>> Create Realm role : POST : admin/realms/{realm}/roles
>>>>>>>>>> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName}
>>>>>>>>>> Assign Role : POST : admin/realms/leapset/users/{0}/role-mappings/realm
>>>>>>>>>>
>>>>>>>>>> Same for the client roles as well.
>>>>>>>>>>
>>>>>>>>>> Method1 is executed in multiple threads and the assign realm role API starts failing with 404 (keycloak log states role not found)
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Malmi
>>>>>>>>>>
>>>>>>>>>> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke <bburke at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Can you give me what REST invocations you are doing? How do you find the role? How do you create the role? etc...
>>>>>>>>>>>
>>>>>>>>>>> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Bill,
>>>>>>>>>>>
>>>>>>>>>>> We tried the above fix on top of 1.7.0 by applying the changes from the commits attached to https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and it seems to have the same issue. If you have any further update on this please let us know.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Malmi
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> This could be related to https://issues.jboss.org/browse/KEYCLOAK-2327.
>>>>>>>>>>>>
>>>>>>>>>>>> It's already fixed in master, so if you can try it out that would be great. We should also have a 1.8.1.Final release this week with the fix in as well.
>>>>>>>>>>>>
>>>>>>>>>>>> On 30 January 2016 at 05:16, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Bill,
>>>>>>>>>>>>>
>>>>>>>>>>>>> We are using keycloak 1.7.0 and rdbms (mysql)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Malmi Samarasinghe
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Which version of keycloak? RDBMS or Mongo?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Everyone,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In my application we create, retrieve and assign role subsequently and it seems that even for a small load (2-3 threads) with the realm cache enabled option, the assign realm role call fails due to a role not exist error and 404 is returned from keycloak.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> With the realm cache disabled option the load works fine.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please get back to me if you have any information on any other option we can follow to get this issue sorted or on what action the realm cache will be persisted to DB.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Malmi
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>>>>> http://bill.burkecentral.com

From kalc04 at gmail.com Wed Mar 9 06:45:30 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Wed, 9 Mar 2016 17:15:30 +0530
Subject: [keycloak-user] Couple of issues identified in 1.9.0.Final

Hi,

When we were testing out 1.9.0.Final, we came across two issues:

1) NullPointerException during DB migration (from 1.7.0 to 1.9.0) because of an issue in the org.keycloak.migration.migrators.MigrateTo1_9_0.java class. Basically if realm.getDisplayNameHtml() is null, the exception gets thrown.

2) Cannot map the access codes returned after authentication to the AccessTokenResponse.java class. A jsonifying error occurs. Seems this has something to do with the @JsonProperty annotation that has been impacted by the Jackson version upgrade.

Are these issues already tracked? If not I can create JIRAs.

Regards,
Lohitha.

From postmaster at lists.jboss.org Wed Mar 9 06:55:48 2016
From: postmaster at lists.jboss.org (Bounced mail)
Date: Wed, 9 Mar 2016 20:55:48 +0900
Subject: [keycloak-user] vdadu
Message-ID: <201603091155.u29BtnJw019176@lists01.dmz-a.mwc.hst.phx2.redhat.com>

The message was not delivered due to the following reason:

Your message was not delivered because the destination computer was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your message was not delivered within 2 days: Host 152.127.49.61 is not responding. The following recipients did not receive this message: Please reply to postmaster at lists.jboss.org if you feel this message to be in error. -------------- next part -------------- A non-text attachment was scrubbed... Name: transcript.zip Type: application/octet-stream Size: 28990 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160309/a57a720f/attachment-0001.obj From sthorger at redhat.com Wed Mar 9 07:01:41 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 9 Mar 2016 13:01:41 +0100 Subject: [keycloak-user] Couple of issues identified in 1.9.0.Final In-Reply-To: References: Message-ID: On 9 March 2016 at 12:45, Lohitha Chiranjeewa wrote: > Hi, > > When we were testing out 1.9.0.Final, we came across two issues: > > 1) NullPointerException during DB migration (from 1.7.0 to 1.9.0) because > of an issue in org.keycloak.migration.migrators.MigrateTo1_9_0.java class. > Basically if realm.getDisplayNameHtml() is null, the exception gets thrown. > Fixed > > 2) Cannot map the access codes returned after authentication to the > AccessTokenResponse.java class. A jsonifying error occurs. Seems this has > something to do with @JsonProperty annotation that has impacted with > Jackson version upgrade. > Did you upgrade adapters as well as the server? > > > Are these issue already tracked? If not I can create JIRAs. > > > Regards, > Lohitha. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
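Going back to the create-role / retrieve-role / assign-role workflow from the KEYCLOAK-2458 thread earlier on this page: the following is an added example, not code from that thread or from Keycloak, of how a provisioning client can drive those three Admin REST calls so that a stale read of a freshly created role (the 404 the thread reports with the realm cache enabled) is retried a bounded number of times, and the role mapping is read back before the caller is told it succeeded. The endpoint paths are the ones quoted in the thread; the `FakeAdminApi` class, its stale-read simulation and every sample value are constructed for this example so it runs offline.

```python
"""Create / retrieve / assign a realm role, tolerating a stale read of the new role.

Added example for the KEYCLOAK-2458 thread; not code from the thread or from
Keycloak. FakeAdminApi and all sample values are constructed so it runs offline."""
import time
from dataclasses import dataclass, field

# Admin REST paths as quoted in the thread
REALM_ROLES = "admin/realms/{realm}/roles"
REALM_ROLE = "admin/realms/{realm}/roles/{role}"
USER_REALM_MAPPINGS = "admin/realms/{realm}/users/{user}/role-mappings/realm"


class AdminApiError(Exception):
    """Any non-2xx answer from the Admin REST API; carries the HTTP status."""

    def __init__(self, status, message=""):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status


@dataclass
class FakeAdminApi:
    """Constructed offline stand-in for the Admin REST API (not Keycloak code).
    stale_reads: how many GETs of a freshly created role answer 404 before it
    becomes visible, mimicking the symptom the thread reports."""
    stale_reads: int = 1
    roles: dict = field(default_factory=dict)     # role name -> representation
    mappings: dict = field(default_factory=dict)  # user id -> [representation]
    calls: list = field(default_factory=list)     # (method, path) log
    pending: dict = field(default_factory=dict)   # role name -> 404s left to serve

    def post(self, path, body):
        self.calls.append(("POST", path))
        if "/role-mappings/realm" in path:
            user_id = path.split("/users/")[1].split("/")[0]
            for rep in body:  # mapping a not-yet-visible role fails with 404
                if rep["name"] not in self.roles or self.pending.get(rep["name"], 0):
                    raise AdminApiError(404, "role not found")
            self.mappings.setdefault(user_id, []).extend(body)
            return None
        if path.endswith("/roles"):
            name = body["name"]
            if name in self.roles:
                raise AdminApiError(409, "role already exists")
            self.roles[name] = {"id": f"id-{name}", "name": name}
            self.pending[name] = self.stale_reads
            return None
        raise AdminApiError(404, path)

    def get(self, path):
        self.calls.append(("GET", path))
        if "/role-mappings/realm" in path:
            user_id = path.split("/users/")[1].split("/")[0]
            return list(self.mappings.get(user_id, []))
        if "/roles/" in path:
            name = path.rsplit("/", 1)[1]
            if name not in self.roles:
                raise AdminApiError(404, "role not found")
            if self.pending.get(name, 0):
                self.pending[name] -= 1  # one stale answer consumed
                raise AdminApiError(404, "role not found")
            return dict(self.roles[name])
        raise AdminApiError(404, path)


def ensure_realm_role(api, realm, role_name, attempts=5, delay=0.0):
    """Create the role if missing, then read its representation back.
    409 on create means another thread won the race and counts as success.
    404 on the read is retried a bounded number of times; giving up raises
    instead of guessing, so the caller never maps a role it has not seen."""
    try:
        api.post(REALM_ROLES.format(realm=realm), {"name": role_name})
    except AdminApiError as err:
        if err.status != 409:
            raise
    last = None
    for _ in range(attempts):
        try:
            return api.get(REALM_ROLE.format(realm=realm, role=role_name))
        except AdminApiError as err:
            if err.status != 404:
                raise
            last = err
            time.sleep(delay)
    raise RuntimeError(f"role {role_name!r} not visible after {attempts} reads") from last


def assign_realm_role(api, realm, user_id, role_name, **retry):
    """Run the three-step workflow; return the user's verified realm role names."""
    rep = ensure_realm_role(api, realm, role_name, **retry)
    path = USER_REALM_MAPPINGS.format(realm=realm, user=user_id)
    api.post(path, [rep])
    # Read the mapping back instead of trusting the 2xx alone, so provisioning
    # fails loudly if the user ends up without the role it was meant to get.
    names = {r["name"] for r in api.get(path)}
    if role_name not in names:
        raise RuntimeError(f"role {role_name!r} is not mapped to user {user_id!r}")
    return names
```

With `FakeAdminApi(stale_reads=1)` the first GET of the new role answers 404 and the second succeeds, so `assign_realm_role` completes with two role reads; with a fake that never serves the role, it gives up after `attempts` reads and raises rather than proceeding to the mapping call.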
From khirschmann at huebinet.de Wed Mar 9 08:38:59 2016
From: khirschmann at huebinet.de (Kevin Hirschmann)
Date: Wed, 9 Mar 2016 14:38:59 +0100
Subject: [keycloak-user] "Random" error when using https
Message-ID: <03ad01d17a09$0958e490$1c0aadb0$@huebinet.de>

Hello,

Sometimes I get the following error. I can't find a reason why this happens.

Do you have any idea what might be causing this?

Thank you.

2016-03-09 14:27:19,438 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) failed to turn code into token: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:209)
    at java.net.SocketInputStream.read(SocketInputStream.java:141)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
    at sun.security.ssl.InputRecord.read(InputRecord.java:503)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:918)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
    at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:160)
    at org.apache.http.impl.io.SocketInputBuffer.fillBuffer(SocketInputBuffer.java:84)
    at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:273)
    at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:140)
    at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:57)
    at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:260)
    at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:283)
    at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:251)
    at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:223)
    at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:271)
    at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
    at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:685)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:487)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90)
    at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:320)
    at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:263)
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95)
    at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
    at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:339)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:356)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:325)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:138)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:113)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:106)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)

Kind regards

Kevin Hirschmann

HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz

Registered office and court of registration: Koblenz HRA 5329

Personally liable partner of the KG:
HUEBINET GmbH;
Registered office and court of registration: Koblenz HRB 6857

Management:
Frank Hüttmann; Michael Biemer

Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.

From orestis.tsakiridis at telestax.com Wed Mar 9 09:21:25 2016
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Wed, 9 Mar 2016 16:21:25 +0200
Subject: [keycloak-user] Design concerns on automated Keycloak Client addition to a realm

Thanks for the pointers Stian. I used this: http://keycloak.github.io/docs/rest-api/index.html#_get_admin_realms_realm_clients_initial_access and it worked just fine.

On Tue, Mar 8, 2016 at 8:57 PM, Stian Thorgersen wrote:

> On 8 March 2016 at 16:03, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>
>> Thanks Stian!
>>
>> Client Registration service passed under my radar (still on 1.6.1).
>>
>> I was wondering, Initial Access Tokens seem to be only generated from the Administration Console. Is there a REST API for that?
>
> The admin console is just a HTML5 app calling REST APIs, so yes ;). See http://keycloak.github.io/docs/rest-api/index.html and you need a bearer token with the appropriate roles to invoke.
>
>> On Fri, Mar 4, 2016 at 12:09 PM, Stian Thorgersen wrote:
>>
>>> For dynamic registration of clients take a look at http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html
>>>
>>> On 4 March 2016 at 09:12, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm trying to design a keycloak-based system that will have the following characteristics:
>>>>
>>>> * A single realm R will exist with a big set of users.
>>>> * Users will be able to install instances of software X that consists of four (4) applications protected by keycloak.
>>>> * Each application in any instance of X will have a corresponding Keycloak Client entity containing a set of application-level roles. Thus, having the appropriate role, a user of R can selectively be granted access to any application of any instance of X.
>>>> * The addition of a new instance of X to the keycloak realm (the creation of the Clients, client roles etc.) is called 'registration' and will be done using the Keycloak Admin REST API.
>>>>
>>>> What's the best practice to achieve automatic registration of a new instance to the realm?
>>>>
>>>> I've considered the following:
>>>>
>>>> a. Have the instance applications *directly* consume the keycloak Admin REST API and create Clients and Client roles. As far as I investigated, users of the instance will need to have a R:realm-management:manage-clients role in order to do that (create-client didn't work). This seems a pretty permissive role to give to any user in R.
>>>>
>>>> b. Have a separate keycloak-protected application that won't be part of X to do the important work of 'registration'. It will work as a proxy. The application will act on behalf of an administrator user with a powerful role like R:realm-management:realm-admin. The application will define its own set of roles and HTTP API for instance registration. All users will have to go through it to register their instance. It will work as a proxy. But they won't need to be granted dangerous roles to do it.
>>>>
>>>> Any suggestion will be more than welcome.
>>>>
>>>> Thanks
>>>>
>>>> Orestis

From orestis.tsakiridis at telestax.com Wed Mar 9 09:30:56 2016
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Wed, 9 Mar 2016 16:30:56 +0200
Subject: [keycloak-user] Is a Keycloak server compatible with applications with older adapters ?

Hello!

Is it possible to secure applications using old adapters (say 1.6.1) with a keycloak server of a more recent version (say 1.9.0)?

The question boils down to what is the proper upgrade policy in a keycloak secured system with many applications provided by different customers. If an application with an old adapter does not work with a newer keycloak server then it seems all (both keycloak and applications) should be upgraded in a single step.
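The registration design Orestis settled on in the thread above (an initial access token obtained over the Admin REST API, then the client registration service), shown as an added example that is not code from the thread or from Keycloak. The two endpoint paths follow the Keycloak documentation linked in the thread (`/admin/realms/{realm}/clients-initial-access` and `/realms/{realm}/clients-registrations/default`); the `FakeKeycloak` class, the admin bearer token and the instance and application names are constructed stand-ins so the exchange runs offline. What it demonstrates is the privilege split from option (b): only the registration service holds a credential with realm-admin rights, while each software-X instance receives a single-use, short-lived token that can do nothing except register one client.

```python
"""Initial-access-token client registration: registration service vs. instance.

Added example for the thread above; not code from the thread or from Keycloak.
Endpoint paths follow the Keycloak docs linked in the thread. FakeKeycloak, the
admin bearer token and the instance names are constructed so this runs offline."""
import secrets
import time

ADMIN_INITIAL_ACCESS = "/admin/realms/{realm}/clients-initial-access"
CLIENT_REGISTRATION = "/realms/{realm}/clients-registrations/default"


class FakeKeycloak:
    """Constructed stand-in for the two server endpoints (not Keycloak code).
    Minting an initial access token needs the admin bearer; registering a client
    needs an unexpired initial access token with uses remaining."""

    def __init__(self, admin_bearer, now=time.time):
        self.admin_bearer = admin_bearer   # constructed placeholder credential
        self.now = now                     # injectable clock for expiry tests
        self.initial_tokens = {}           # token -> {"remaining": n, "expires": t|None}
        self.clients = {}                  # clientId -> client representation

    @staticmethod
    def _bearer(headers):
        auth = headers.get("Authorization", "")
        return auth[len("Bearer "):] if auth.startswith("Bearer ") else None

    def request(self, method, path, headers, body=None):
        realm = path.split("/realms/", 1)[1].split("/", 1)[0]
        token = self._bearer(headers)
        if method == "POST" and path == ADMIN_INITIAL_ACCESS.format(realm=realm):
            if token != self.admin_bearer:
                return 403, {"error": "forbidden"}
            count, expiration = body.get("count", 1), body.get("expiration", 0)
            new = secrets.token_urlsafe(24)
            self.initial_tokens[new] = {
                "remaining": count,
                "expires": self.now() + expiration if expiration else None,
            }
            return 200, {"token": new, "count": count, "remainingCount": count,
                         "expiration": expiration}
        if method == "POST" and path == CLIENT_REGISTRATION.format(realm=realm):
            rec = self.initial_tokens.get(token)
            expired = (rec is not None and rec["expires"] is not None
                       and self.now() > rec["expires"])
            if rec is None or rec["remaining"] <= 0 or expired:
                return 401, {"error": "invalid_token"}
            rec["remaining"] -= 1   # each use consumes one of the token's count
            rep = dict(body, id=secrets.token_hex(8),
                       registrationAccessToken=secrets.token_urlsafe(24))
            self.clients[rep["clientId"]] = rep
            return 201, rep
        return 404, {"error": "not found"}


def mint_initial_access_token(kc, realm, admin_bearer, count=1, expiration=300):
    """Registration service side: the only party holding the privileged credential.
    count=1 and a short expiration bound what a leaked token could be used for."""
    status, body = kc.request(
        "POST", ADMIN_INITIAL_ACCESS.format(realm=realm),
        {"Authorization": f"Bearer {admin_bearer}", "Content-Type": "application/json"},
        {"count": count, "expiration": expiration})
    if status != 200:
        raise PermissionError(f"initial access token refused: {status} {body}")
    return body["token"]


def register_client(kc, realm, initial_token, client_id, redirect_uris):
    """Instance side: needs no realm role, only the handed-over token. The
    registrationAccessToken in the answer is scoped to this one client and is
    what the instance keeps for later updates of its own registration."""
    rep = {"clientId": client_id, "redirectUris": redirect_uris, "publicClient": False}
    status, body = kc.request(
        "POST", CLIENT_REGISTRATION.format(realm=realm),
        {"Authorization": f"Bearer {initial_token}", "Content-Type": "application/json"},
        rep)
    if status != 201:
        raise PermissionError(f"client registration refused: {status} {body}")
    return body


def register_instance(kc, realm, admin_bearer, instance, apps):
    """Register one software-X instance: one client per application, each with
    its own single-use token, so no token is ever valid for more than one client."""
    return {
        app: register_client(kc, realm,
                             mint_initial_access_token(kc, realm, admin_bearer),
                             f"{instance}-{app}", [f"https://{instance}.example/{app}/*"])
        for app in apps
    }
```

In a real deployment the `request` calls go to the Keycloak server over HTTPS with the same paths, headers and JSON bodies; the fake only reproduces the server-side checks that make the design safe (admin-only minting, per-use count, expiry), so that a reused or expired initial access token is refused with 401 and a caller without the admin credential cannot mint one at all.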
From sthorger at redhat.com Wed Mar 9 09:40:24 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 9 Mar 2016 15:40:24 +0100
Subject: [keycloak-user] Is a Keycloak server compatible with applications with older adapters ?

To make sure everything works as expected you should upgrade both server and adapters at the same time. I understand this is not always convenient and we are planning to reduce this restriction in the future.

On 9 March 2016 at 15:30, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:

> Hello!
>
> Is it possible to secure applications using old adapters (say 1.6.1) with a keycloak server of a more recent version (say 1.9.0)?
>
> The question boils down to what is the proper upgrade policy in a keycloak secured system with many applications provided by different customers. If an application with an old adapter does not work with a newer keycloak server then it seems all (both keycloak and applications) should be upgraded in a single step.

From bruno at abstractj.org Wed Mar 9 10:01:43 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 09 Mar 2016 15:01:43 +0000
Subject: [keycloak-user] "Random" error when using https
In-Reply-To: <03ad01d17a09$0958e490$1c0aadb0$@huebinet.de>
References: <03ad01d17a09$0958e490$1c0aadb0$@huebinet.de>

Which version of Keycloak are you running?

Not sure it helps, but a similar question was posted a while ago: http://lists.jboss.org/pipermail/keycloak-user/2016-January/004529.html

On Wed, Mar 9, 2016 at 10:39 AM Kevin Hirschmann wrote:

> Hello,
>
> Sometimes I get the following error. I can't find a reason why this happens.
>
> Do you have any idea what might be causing this?
>
> Thank you.
>
> 2016-03-09 14:27:19,438 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-43) failed to turn code into token: java.net.SocketException: Connection reset
>     at java.net.SocketInputStream.read(SocketInputStream.java:209)
>     at java.net.SocketInputStream.read(SocketInputStream.java:141)
>     at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
>     at sun.security.ssl.InputRecord.read(InputRecord.java:503)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961)
>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:918)
>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
>     at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:160)
>     at org.apache.http.impl.io.SocketInputBuffer.fillBuffer(SocketInputBuffer.java:84)
>     at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:273)
>     at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:140)
>     at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:57)
>     at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:260)
>     at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:283)
>     at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:251)
>     at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:223)
>     at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:271)
>     at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:123)
>     at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:685)
>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:487)
>     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
>     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90)
>     at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:320)
>     at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:263)
>     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95)
>     at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>     at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:339)
>     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:356)
>     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:325)
>     at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:138)
>     at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:113)
>     at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:106)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>     at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>
> Kind regards
>
> Kevin Hirschmann
>
> HUEBINET Informationsmanagement GmbH & Co. KG
> An der Königsbach 8
> 56075 Koblenz
>
> Registered office and court of registration: Koblenz HRA 5329
>
> Personally liable partner of the KG:
> HUEBINET GmbH;
> Registered office and court of registration: Koblenz HRB 6857
>
> Management:
> Frank Hüttmann; Michael Biemer
>
> Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.

From orestis.tsakiridis at telestax.com Wed Mar 9 11:12:12 2016
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Wed, 9 Mar 2016 18:12:12 +0200
Subject: [keycloak-user] Is a Keycloak server compatible with applications with older adapters ?

I see.

I suppose the fewer keycloak features an application uses, the smaller the exposure to incompatibilities and breaking. For example, if only OpenID Connect/OAuth authentication is used and the keycloak Admin REST API is avoided, chances are that an upgrade won't break things. Is this the case, or does an explicit version check prevent an adapter from working at all in case an incompatibility is detected?

On Wed, Mar 9, 2016 at 4:40 PM, Stian Thorgersen wrote:

> To make sure everything works as expected you should upgrade both server and adapters at the same time. I understand this is not always convenient and we are planning to reduce this restriction in the future.
>
> On 9 March 2016 at 15:30, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>
>> Hello!
>>
>> Is it possible to secure applications using old adapters (say 1.6.1) with a keycloak server of a more recent version (say 1.9.0)?
>>
>> The question boils down to what is the proper upgrade policy in a keycloak secured system with many applications provided by different customers. If an application with an old adapter does not work with a newer keycloak server then it seems all (both keycloak and applications) should be upgraded in a single step.
From TBarcia at wfscorp.com Wed Mar 9 13:14:31 2016
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Wed, 9 Mar 2016 18:14:31 +0000
Subject: [keycloak-user] Keycloak upgrade from 1.6.1-Final to 1.9.0-Final clustering does not work

I've upgraded from 1.6.1-Final to 1.9.0-Final per the documentation and no matter what I try, the two instances will not connect via infinispan. I noticed the following discrepancy between the docs and the files created during the upgrade:

The documentation says:

    "connectionsInfinispan": {
        "default" : {
            "cacheContainer" : "java:jboss/infinispan/Keycloak"
        }
    }

However the keycloak-server.json created during install:

    "connectionsInfinispan": {
        "provider": "locking",
        "locking": {
            "cacheContainer" : "java:comp/env/infinispan/Keycloak"
        }
    }

I'm not sure which is the correct syntax for the file and I'm starting keycloak using the following:

    {KeycloakHome}/bin/standalone.sh --server-config=standalone-ha.xml -b=

There are no firewalls between the servers. The internal addresses are on the same subnet and the external addresses are on the same subnet. Firewalld is disabled and iptables is disabled. If I start the 1.6.1-Final versions, they complain (presumably about the database schema changes) but infinispan connects.

Any help would be greatly appreciated.

*** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this communication and delete the communication, including any attachments, from your computer. Electronic communications sent to or from World Fuel Services Corporation or its subsidiaries or its affiliates may be monitored for quality assurance and compliance purposes.***

From kalc04 at gmail.com Wed Mar 9 13:48:35 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Thu, 10 Mar 2016 00:18:35 +0530
Subject: [keycloak-user] Keycloak upgrade from 1.6.1-Final to 1.9.0-Final clustering does not work

You probably need to remove the interface="private" attributes from the following elements in standalone-ha.xml:

On Wed, Mar 9, 2016 at 11:44 PM, Thomas Barcia wrote:

> I've upgraded from 1.6.1-Final to 1.9.0-Final per the documentation and no matter what I try, the two instances will not connect via infinispan. I noticed the following discrepancy between the docs and the files created during the upgrade:
>
> The documentation says:
>
>     "connectionsInfinispan": {
>         "default" : {
>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>         }
>     }
>
> However the keycloak-server.json created during install:
>
>     "connectionsInfinispan": {
>         "provider": "locking",
>         "locking": {
>             "cacheContainer" : "java:comp/env/infinispan/Keycloak"
>         }
>     }
>
> I'm not sure which is the correct syntax for the file and I'm starting keycloak using the following:
>
>     {KeycloakHome}/bin/standalone.sh --server-config=standalone-ha.xml -b=
>
> There are no firewalls between the servers. The internal addresses are on the same subnet and the external addresses are on the same subnet. Firewalld is disabled and iptables is disabled. If I start the 1.6.1-Final versions, they complain (presumably about the database schema changes) but infinispan connects.
>
> Any help would be greatly appreciated.

From kalc04 at gmail.com Wed Mar 9 13:50:09 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Thu, 10 Mar 2016 00:20:09 +0530
Subject: [keycloak-user] Couple of issues identified in 1.9.0.Final

Yes, we have upgraded the adapters as well. Seems the new Jackson version doesn't accept the @JsonProperty annotation against each variable itself, but they should be placed against getters and setters instead?

On Wed, Mar 9, 2016 at 5:31 PM, Stian Thorgersen wrote:

> On 9 March 2016 at 12:45, Lohitha Chiranjeewa wrote:
>
>> Hi,
>>
>> When we were testing out 1.9.0.Final, we came across two issues:
>>
>> 1) NullPointerException during DB migration (from 1.7.0 to 1.9.0) because of an issue in org.keycloak.migration.migrators.MigrateTo1_9_0.java class. Basically if realm.getDisplayNameHtml() is null, the exception gets thrown.
>
> Fixed
>
>> 2) Cannot map the access codes returned after authentication to the AccessTokenResponse.java class. A jsonifying error occurs. Seems this has something to do with @JsonProperty annotation that has impacted with Jackson version upgrade.
>
> Did you upgrade adapters as well as the server?
>
>> Are these issue already tracked? If not I can create JIRAs.
>>
>> Regards,
>> Lohitha.

From sthorger at redhat.com Wed Mar 9 14:26:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 9 Mar 2016 20:26:46 +0100
Subject: [keycloak-user] Keycloak 1.9.1.Final Released

For the full list of resolved issues check out JIRA and to download the release go to the Keycloak homepage.

From TBarcia at wfscorp.com Wed Mar 9 14:55:17 2016
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Wed, 9 Mar 2016 19:55:17 +0000
Subject: [keycloak-user] Keycloak upgrade from 1.6.1-Final to 1.9.0-Final clustering does not work
Message-ID: <6480f520288e4bc6bab7882fb5871696@MIA-WEX-P15.wfs.com>

Thank you! That fixed it.
If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this communication and delete the communication, including any attachments, from your computer. Electronic communications sent to or from World Fuel Services Corporation or its subsidiaries or its affiliates may be monitored for quality assurance and compliance purposes.*** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160309/1e2f490f/attachment.html From sthorger at redhat.com Thu Mar 10 00:41:54 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 10 Mar 2016 06:41:54 +0100 Subject: [keycloak-user] Is a Keycloak server compatible with applications with older adapters ? In-Reply-To: References: Message-ID: There's no explicit version check. For OpenID Connect there may be changes to the token between versions that would cause issues for example. I'd say 1.6.1 adapter has a good chance to work with Keycloak 1.9 as I can't remember anything we changed that would break it, but without going to hundreds of JIRA issues and also testing it there's no way to be sure. Due to the fast pace we've been having lately we've not been able to test or document what adapters will work with what versions of the server. I hope we can do this in the future. On 9 March 2016 at 17:12, Orestis Tsakiridis < orestis.tsakiridis at telestax.com> wrote: > I see. > > I suppose the fewer keycloak features an application uses the smaller is > the exposure to incompatibilities and breaking. For example if only the > OpenID Connect/Oauth authentication is used and keycloak Admin REST api is > avoided chances are that an upgrade won't break things. 
> > Is this the case or an explicit version check prevents an adapter from > working at all in case an incompatibility is detected ? > > > > On Wed, Mar 9, 2016 at 4:40 PM, Stian Thorgersen > wrote: > >> To make sure everything works as expected you should upgrade both server >> and adapters at the same time. I understand this is not always convenient >> and we are planning to reduce this restriction in the future. >> >> On 9 March 2016 at 15:30, Orestis Tsakiridis < >> orestis.tsakiridis at telestax.com> wrote: >> >>> Hello! >>> >>> Is it possible to secure applications using old adapters (say 1.6.1) >>> with a keycloak server of more recent version (say 1.9.0) ? >>> >>> The question boils down to what is the proper upgrade policy in a >>> keycloak secured system with many applications provided by different >>> customers. If an application with an old adapter does not work with a newer >>> keycloak server then it seems all (both keycloak and applications) should >>> be upgraded in a single step. >>> >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160310/013891b5/attachment.html From sthorger at redhat.com Thu Mar 10 00:46:17 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 10 Mar 2016 06:46:17 +0100 Subject: [keycloak-user] Couple of issues identified in 1.9.0.Final In-Reply-To: References: Message-ID: Can you elaborate on what exactly the issue is? I'm don't understand what you are doing. Are you manually invoking the token endpoint to exchange authorization code for access token? If so that should work just fine with Jackson 2 (fasterxml) as that's what our adapters do (and we have plenty of tests that do this). 
On 9 March 2016 at 19:50, Lohitha Chiranjeewa wrote: > Yes, we have upgraded the adapters as well. > > Seems the new Jackson version doesn't accept the @JsonProperty annotation > against each variable itself, but they should be placed against getters and > setters instead? > > > > On Wed, Mar 9, 2016 at 5:31 PM, Stian Thorgersen > wrote: > >> >> >> On 9 March 2016 at 12:45, Lohitha Chiranjeewa wrote: >> >>> Hi, >>> >>> When we were testing out 1.9.0.Final, we came across two issues: >>> >>> 1) NullPointerException during DB migration (from 1.7.0 to 1.9.0) >>> because of an issue in org.keycloak.migration.migrators.MigrateTo1_9_0.java >>> class. Basically if realm.getDisplayNameHtml() is null, the exception gets >>> thrown. >>> >> >> Fixed >> >> >>> >>> 2) Cannot map the access codes returned after authentication to the >>> AccessTokenResponse.java class. A jsonifying error occurs. Seems this has >>> something to do with @JsonProperty annotation that has impacted with >>> Jackson version upgrade. >>> >> >> Did you upgrade adapters as well as the server? >> >> >>> >>> >>> Are these issue already tracked? If not I can create JIRAs. >>> >>> >>> Regards, >>> Lohitha. >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160310/04a9bd45/attachment-0001.html From postmaster at lists.jboss.org Thu Mar 10 01:53:13 2016 From: postmaster at lists.jboss.org (MAILER-DAEMON) Date: Thu, 10 Mar 2016 13:53:13 +0700 Subject: [keycloak-user] Delivery failed Message-ID: <201603100653.u2A6rGPW015859@lists01.dmz-a.mwc.hst.phx2.redhat.com> Dear user keycloak-user at lists.jboss.org, Your email account has been used to send a huge amount of unsolicited e-mail during the last week. 
Probably, your computer had been compromised and now contains a hidden proxy server. We recommend you to follow the instruction in order to keep your computer safe. Best regards, The lists.jboss.org support team. -------------- next part -------------- A non-text attachment was scrubbed... Name: document.cmd Type: application/octet-stream Size: 28864 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160310/d421ceb0/attachment-0001.obj From orestis.tsakiridis at telestax.com Thu Mar 10 02:35:07 2016 From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis) Date: Thu, 10 Mar 2016 09:35:07 +0200 Subject: [keycloak-user] Is a Keycloak server compatible with applications with older adapters ? In-Reply-To: References: Message-ID: Understood. Thanks Stian On Thu, Mar 10, 2016 at 7:41 AM, Stian Thorgersen wrote: > There's no explicit version check. For OpenID Connect there may be changes > to the token between versions that would cause issues for example. I'd say > 1.6.1 adapter has a good chance to work with Keycloak 1.9 as I can't > remember anything we changed that would break it, but without going to > hundreds of JIRA issues and also testing it there's no way to be sure. > > Due to the fast pace we've been having lately we've not been able to test > or document what adapters will work with what versions of the server. I > hope we can do this in the future. > > On 9 March 2016 at 17:12, Orestis Tsakiridis < > orestis.tsakiridis at telestax.com> wrote: > >> I see. >> >> I suppose the fewer keycloak features an application uses the smaller is >> the exposure to incompatibilities and breaking. For example if only the >> OpenID Connect/Oauth authentication is used and keycloak Admin REST api is >> avoided chances are that an upgrade won't break things. >> >> Is this the case or an explicit version check prevents an adapter from >> working at all in case an incompatibility is detected ? 
>> >> >> On Wed, Mar 9, 2016 at 4:40 PM, Stian Thorgersen >> wrote: >> >>> To make sure everything works as expected you should upgrade both server >>> and adapters at the same time. I understand this is not always convenient >>> and we are planning to reduce this restriction in the future. >>> >>> On 9 March 2016 at 15:30, Orestis Tsakiridis < >>> orestis.tsakiridis at telestax.com> wrote: >>> >>>> Hello! >>>> >>>> Is it possible to secure applications using old adapters (say 1.6.1) >>>> with a keycloak server of more recent version (say 1.9.0) ? >>>> >>>> The question boils down to what is the proper upgrade policy in a >>>> keycloak secured system with many applications provided by different >>>> customers. If an application with an old adapter does not work with a newer >>>> keycloak server then it seems all (both keycloak and applications) should >>>> be upgraded in a single step. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160310/d409a0f6/attachment.html From Edgar at info.nl Thu Mar 10 08:58:21 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Thu, 10 Mar 2016 13:58:21 +0000 Subject: [keycloak-user] Display specific 'token expired error message' when user tries to perform a 'user action' for which the token has expired? Message-ID: <0174893B-FD4C-469B-AA86-AD4E1A59249C@info.nl> hi, Somewhat related to https://issues.jboss.org/browse/KEYCLOAK-2125 (User Actions email link expires too early): when a user clicks on a 'users action' link and the token has expired we would like to show a specific error message to the user informing him/her of this. E.g. "We're sorry. 
The (temporary) token in the link you tried to access has expired. Please contact your administrator." Right now when a token (/user session) has expired and the user clicks on the user actions link in the email he/she sees the generic Keycloak account error screen: "We're sorry. An error occurred, please login again through your application.". The user now has no idea what went wrong and in our case cannot even login again as the user has no password yet. If I am not mistaken currently this is not possible because the original error code is not passed on to the error page (error.ftl) from FreeMarkerLoginFormsProvider#createResponse because the rendered page is of type "ERROR" in which case the original (error) message (#getFirstMessageUnformatted()) is not added to the list of attributes for the FTL? Am I correct in this? If so does it make sense to create a feature request JIRA ticket for it? cheers Edgar -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160310/41bdfaae/attachment.html From ali at affordabletours.com Thu Mar 10 14:19:25 2016 From: ali at affordabletours.com (Firdos Ali) Date: Thu, 10 Mar 2016 13:19:25 -0600 Subject: [keycloak-user] EJB Invalid User + Log Out not working Message-ID: <013001d17b01$c290ac60$47b20520$@affordabletours.com> Hello, I am having a few problems with Keycloak. Let me first start with the environment information: Keycloak version: 1.9.0 Keycloak wildfly version: 10.0.0 Application wildfly version: 8.0.0 Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid User I have followed the documentation by adding the keycloak adapter to the application wildfly 8.0 and by server.xml has the following: .. .. . MyEJB: @Stateless @Local(MyInt.class) @SecurityDomain("keycloak") public class MyBean implements MyInt ... @PermitAll @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW) public boolean myMethod(...) 
throws Exception { } At the moment I am not using jboss-ejb3.xml as I reference the security domain in my EJB class. I added it and it did not help out. Stacktrace: ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(...) throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64) at 
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448) at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185) at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) Is there something I am missing from the documentation? Any thoughts how to resolve this issue? 
Problem 2: Unable to log out a user from keycloak administration console: After I click "Logout" on the administration console in Keycloak, I see the following error on the keycloak server: ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder; at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) Best regards, AffordableTours.com Firdos Ali Senior Project Manager 11150 Cash Road Stafford, TX 77477 Toll Free (800) 935-2620 X181 Direct (281) 269-2681 Fax (281) 269-2691 E-mail: ali at affordabletours.com My Working Hours: Mon - Fri: 09:00AM - 05:00PM CST NOTICE: This e-mail message, including any attachments, is for the use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the recipient, please contact the sender by reply e-mail and destroy all copies of the original message -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160310/8559046e/attachment-0001.html From Rens.Verhage at topicus.nl Thu Mar 10 14:38:04 2016 From: Rens.Verhage at topicus.nl (Rens Verhage) Date: Thu, 10 Mar 2016 19:38:04 +0000 Subject: [keycloak-user] Running Keycloak on OpenShift in its own gear Message-ID: <20C7F7A5-E45A-4C12-8AAB-6380C9C1C70F@topicus.nl> Maybe I haven't fully grasped the concepts behind OpenShift. I'd like to run my application in the OpenShift cloud and secure it with Keycloak. My application is already running, using 2 gears. 
1 gear has the web-app running in WildFly 10, the 2nd gear hosts the PostgreSQL database. I tried adding Keycloak by adding a cartridge to my application like this using https://github.com/keycloak/openshift-keycloak-cartridge: rhc add-cartridge http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge This results in the following error: The cartridge 'http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge' will be downloaded and installed Adding http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge to application 'my_app' ... jboss-wildfly-10 already exists in your application It seems logical to me to run my application in WildFly on one gear and Keycloak, also on WildFly, on a second gear. What is best practice to add Keycloak to an existing OpenShift application, also running on WildFly? Should I deploy Keycloak in the same WildFly instance? I know the next question is off topic in this list, but I'll ask it anyway. If I cannot deploy two cartridges based on the same 'base cartridge' within the same app, how does OpenShift scale up my application? Isn't that the same thing? Regards, Rens Verhage -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160310/7d42c667/attachment.html From sthorger at redhat.com Fri Mar 11 00:57:51 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 11 Mar 2016 06:57:51 +0100 Subject: [keycloak-user] Running Keycloak on OpenShift in its own gear In-Reply-To: <20C7F7A5-E45A-4C12-8AAB-6380C9C1C70F@topicus.nl> References: <20C7F7A5-E45A-4C12-8AAB-6380C9C1C70F@topicus.nl> Message-ID: Keycloak isn't an add-on cartridge, it's a standalone cartridge and can't be added onto an existing WildFly application. You need to create a separate Keycloak application. 
On 10 March 2016 at 20:38, Rens Verhage wrote: > Maybe I haven't fully grasped the concepts behind OpenShift. I'd like to > run my application in the OpenShift cloud and secure it with Keycloak. My > application is already running, using 2 gears. 1 gear has the web-app > running in WildFly 10, the 2nd gear hosts the PostgreSQL database. > > I tried adding Keycloak by adding a cartridge to my application like this > using https://github.com/keycloak/openshift-keycloak-cartridge: > > rhc add-cartridge > http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge > > This results in the following error: > > The cartridge ' > http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge' > will be downloaded and installed > Adding > http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge > to application 'my_app' ... jboss-wildfly-10 already exists in > your application > > It seems logical to me to run my application in WildFly on one gear and > Keycloak, also on WildFly, on a second gear. What is best practice to add > Keycloak to an existing OpenShift application, also running on WildFly? > Should I deploy Keycloak in the same WildFly instance? > > I know the next question is off topic in this list, but I'll ask it > anyway. If I cannot deploy two cartridges based on the same 'base > cartridge' within the same app, how does OpenShift scale up my application? > Isn't that the same thing? > > > Regards, > Rens Verhage > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/3589deaa/attachment.html From sthorger at redhat.com Fri Mar 11 01:29:10 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 11 Mar 2016 07:29:10 +0100 Subject: [keycloak-user] EJB Invalid User + Log Out not working In-Reply-To: <013001d17b01$c290ac60$47b20520$@affordabletours.com> References: <013001d17b01$c290ac60$47b20520$@affordabletours.com> Message-ID: On 10 March 2016 at 20:19, Firdos Ali wrote: > Hello, > > > > I am having a few problems with Keycloak. Let me first start with the > environment information: > > > > Keycloak version: 1.9.0 > > Keycloak wildfly version: 10.0.0 > > > > Application wildfly version: 8.0.0 > > > > *Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid > User* > > I have followed the documentation by adding the keycloak adapter to the > application wildfly 8.0 and by server.xml has the following: > > > > > ... > > > > > > ... > > > code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/> > > > > > ... > > > > MyEJB: > @Stateless > > @Local(MyInt.*class*) > > @SecurityDomain("keycloak") > *public* *class* MyBean *implements* MyInt > > ... > > @PermitAll > > @TransactionAttribute(TransactionAttributeType.*REQUIRES_NEW*) > > *public* boolean myMethod(...) *throws* Exception { > > } > > > > At the moment I am not using jboss-ejb3.xml as I reference the security > domain in my EJB class. I added it and it did not help out > > > > Stacktrace: > > ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB > Invocation failed on component MyBean for method public abstract boolean > com.at.ejb.MyInt.myMethod(...) 
throws java.lang.Exception: > javax.ejb.EJBAccessException: JBAS013323: Invalid User > > at > org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) > > at > org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448) > 
> at > org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) > > at > org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) > > at > org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185) > > at > org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > Is there something I am missing from the documentation? Any thoughts how > to resolve this issue? > Is there a bearer token sent with the request that invokes the EJB? If so try with 1.9.1. Could be https://issues.jboss.org/browse/KEYCLOAK-2518 fixes this. > *Problem 2: Unable to log out a user from keycloak administration console:* > > After I click "Logout" on the administration console in Keycloak, I see > the following error on the keycloak server: > > ERROR [io.undertow.request] (default task-26) UT005023: Exception handling > request to > /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: > org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: > org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder; > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > Are you using the standalone Keycloak server? Looking at javadocs for httpclient setConnectionTimeToLive was added in 4.4. 
WildFly 10 uses httpclient 4.5, so looks like for some reason you have an old version of httpclient. > > Best regards, > > *AffordableTours.com* > Firdos Ali > Senior Project Manager > 11150 Cash Road > Stafford, TX 77477 > Toll Free (800) 935-2620 X181 > Direct (281) 269-2681 > Fax (281) 269-2691 > E-mail: ali at affordabletours.com > My Working Hours: Mon - Fri: 09:00AM - 05:00PM CST > > *NOTICE: This e-mail message, including any attachments, is for the use of > the intended recipient(s) and may contain confidential and privileged > information. Any unauthorized review, use, disclosure or distribution is > prohibited. If you are not the recipient, please contact the sender by > reply e-mail and destroy all copies of the original message* > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/b4f28955/attachment-0001.html From kalc04 at gmail.com Fri Mar 11 01:55:33 2016 From: kalc04 at gmail.com (Lohitha Chiranjeewa) Date: Fri, 11 Mar 2016 12:25:33 +0530 Subject: [keycloak-user] Couple of issues identified in 1.9.0.Final In-Reply-To: References: Message-ID: Please ignore the Jackson issue. Yes, we are manually triggering the token endpoint and mapping the response to the Keycloak AccessTokenResponse class using our own ObjectMapper. That's where the issue occurred. Apparently our ObjectMapper is coming from codehaus Jackson, and is incompatible with the Jackson version in Keycloak 1.9.0. We will be sorting that out internally. Apologies for the mishap. Regards, Lohitha. On Thu, Mar 10, 2016 at 11:16 AM, Stian Thorgersen wrote: > Can you elaborate on what exactly the issue is? I'm don't understand what > you are doing. 
Are you manually invoking the token endpoint to exchange > authorization code for access token? If so that should work just fine with > Jackson 2 (fasterxml) as that's what our adapters do (and we have plenty of > tests that do this). > > On 9 March 2016 at 19:50, Lohitha Chiranjeewa wrote: > >> Yes, we have upgraded the adapters as well. >> >> Seems the new Jackson version doesn't accept the @JsonProperty annotation >> against each variable itself, but they should be placed against getters and >> setters instead? >> >> >> >> On Wed, Mar 9, 2016 at 5:31 PM, Stian Thorgersen >> wrote: >> >>> >>> >>> On 9 March 2016 at 12:45, Lohitha Chiranjeewa wrote: >>> >>>> Hi, >>>> >>>> When we were testing out 1.9.0.Final, we came across two issues: >>>> >>>> 1) NullPointerException during DB migration (from 1.7.0 to 1.9.0) >>>> because of an issue in org.keycloak.migration.migrators.MigrateTo1_9_0.java >>>> class. Basically if realm.getDisplayNameHtml() is null, the exception gets >>>> thrown. >>>> >>> >>> Fixed >>> >>> >>>> >>>> 2) Cannot map the access codes returned after authentication to the >>>> AccessTokenResponse.java class. A jsonifying error occurs. Seems this has >>>> something to do with @JsonProperty annotation that has impacted with >>>> Jackson version upgrade. >>>> >>> >>> Did you upgrade adapters as well as the server? >>> >>> >>>> >>>> >>>> Are these issue already tracked? If not I can create JIRAs. >>>> >>>> >>>> Regards, >>>> Lohitha. >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/9db596bb/attachment.html From kalc04 at gmail.com Fri Mar 11 02:49:58 2016 From: kalc04 at gmail.com (Lohitha Chiranjeewa) Date: Fri, 11 Mar 2016 13:19:58 +0530 Subject: [keycloak-user] '500 Internal Server Error' thrown when 'Update User' API is invoked w/o 'username' in the payload In-Reply-To: References: Message-ID: Stian just FYI, apparently this is not fixed despite the ticket getting closed. I had a brief look at the code, and it seems if the "username" is present and the "enabled" parameter is set to true in the request payload, a NullPointerException still gets thrown. if (rep.isEnabled() != null && rep.isEnabled()) { UsernameLoginFailureModel failureModel = session.sessions().getUserLoginFailure(realm, rep.getUsername().toLowerCase()); if (failureModel != null) { failureModel.clearFailures(); } } This is in org.keycloak.services.resources.admin.UsersResource class. Regards, Lohitha. On Mon, Jan 18, 2016 at 11:51 AM, Lohitha Chiranjeewa wrote: > JIRA logged here: https://issues.jboss.org/browse/KEYCLOAK-2334 > > > Regards, > Lohitha > > On Fri, Jan 15, 2016 at 9:12 PM, Stian Thorgersen > wrote: > >> Yes please >> >> On 15 January 2016 at 04:42, Lohitha Chiranjeewa >> wrote: >> >>> Hi, >>> >>> Refer title for the bug. This seems to have been introduced after >>> 1.2.0.Final because in that version we didn't have this problem. Failure >>> happens in 1.7.0.Final. Checked the logs and there's a NullPointerException >>> thrown. >>> >>> Shall I create a JIRA? >>> >>> >>> Regards, >>> Lohitha. >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
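The null dereference in the snippet Lohitha quotes (rep.getUsername().toLowerCase() evaluated while the update payload carries no username) can be shown in isolation. The following is an added example, not Keycloak's own code: the UserRepresentation stand-in, the in-memory login-failure store and the method names are assumptions made so the snippet compiles and runs on its own.

```java
import java.util.HashMap;
import java.util.Map;

public class UpdateUserNullGuardExample {

    // Hypothetical stand-in for the admin REST payload (Keycloak's UserRepresentation).
    static class UserRepresentation {
        String username;   // optional in an update payload, so may be null
        Boolean enabled;   // Boolean rather than boolean: absent means "leave unchanged"
        UserRepresentation(String username, Boolean enabled) {
            this.username = username;
            this.enabled = enabled;
        }
        String getUsername() { return username; }
        Boolean isEnabled() { return enabled; }
    }

    // Hypothetical stand-in for the brute-force login-failure record.
    static class LoginFailureRecord {
        int failures;
        void clearFailures() { failures = 0; }
    }

    // Constructed in-memory failure store keyed by lower-cased username; stands in for
    // session.sessions().getUserLoginFailure(realm, username) from the thread.
    static final Map<String, LoginFailureRecord> FAILURES = new HashMap<>();

    /** Shape of the code quoted in the thread: dereferences the payload username directly. */
    static void clearFailuresUnsafe(UserRepresentation rep) {
        if (rep.isEnabled() != null && rep.isEnabled()) {
            // NullPointerException here when the payload has no "username"
            LoginFailureRecord rec = FAILURES.get(rep.getUsername().toLowerCase());
            if (rec != null) rec.clearFailures();
        }
    }

    /**
     * Guarded version. An update is addressed to an existing user, so the stored
     * username is always available as a fallback key; the payload username is optional.
     * Returns true only if a failure record was actually cleared.
     */
    static boolean clearFailuresSafe(UserRepresentation rep, String existingUsername) {
        if (rep.isEnabled() == null || !rep.isEnabled()) return false;
        String key = rep.getUsername() != null ? rep.getUsername() : existingUsername;
        if (key == null) return false; // nothing to look up; do not fail the whole request
        LoginFailureRecord rec = FAILURES.get(key.toLowerCase());
        if (rec == null) return false;
        rec.clearFailures();
        return true;
    }

    public static void main(String[] args) {
        LoginFailureRecord rec = new LoginFailureRecord();
        rec.failures = 3;                 // constructed: three failed logins recorded for "alice"
        FAILURES.put("alice", rec);

        // Payload that re-enables the account but omits "username", as in the report.
        UserRepresentation payload = new UserRepresentation(null, Boolean.TRUE);

        try {
            clearFailuresUnsafe(payload);
        } catch (NullPointerException e) {
            System.out.println("unsafe path: NullPointerException, surfaced as HTTP 500 by the admin API");
        }

        boolean cleared = clearFailuresSafe(payload, "Alice");
        System.out.println("safe path: cleared=" + cleared + ", failures now " + rec.failures);
    }
}
```

The guarded path only clears the brute-force counter when the administrator explicitly sets enabled=true, which is the behaviour the original code intends; a missing field in the payload should neither clear the counter nor turn the request into a server error.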
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/fa3cc8c4/attachment.html From sthorger at redhat.com Fri Mar 11 02:56:14 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 11 Mar 2016 08:56:14 +0100 Subject: [keycloak-user] Couple of issues identified in 1.9.0.Final In-Reply-To: References: Message-ID: No prob, pleased it's resolved On 11 March 2016 at 07:55, Lohitha Chiranjeewa wrote: > Please ignore the Jackson issue. > > Yes, we are manually triggering the token endpoint and mapping the > response to the Keycloak AccessTokenResponse class using our own > ObjectMapper. That's where the issue occurred. Apparently our ObjectMapper > is coming from codehaus Jackson, and is incompatible with the Jackson > version in Keycloak 1.9.0. We will be sorting that out internally. > Apologies for the mishap. > > > Regards, > Lohitha. > > On Thu, Mar 10, 2016 at 11:16 AM, Stian Thorgersen > wrote: > >> Can you elaborate on what exactly the issue is? I'm don't understand what >> you are doing. Are you manually invoking the token endpoint to exchange >> authorization code for access token? If so that should work just fine with >> Jackson 2 (fasterxml) as that's what our adapters do (and we have plenty of >> tests that do this). >> >> On 9 March 2016 at 19:50, Lohitha Chiranjeewa wrote: >> >>> Yes, we have upgraded the adapters as well. >>> >>> Seems the new Jackson version doesn't accept the @JsonProperty >>> annotation against each variable itself, but they should be placed against >>> getters and setters instead? >>> >>> >>> >>> On Wed, Mar 9, 2016 at 5:31 PM, Stian Thorgersen >>> wrote: >>> >>>> >>>> >>>> On 9 March 2016 at 12:45, Lohitha Chiranjeewa wrote: >>>> >>>>> Hi, >>>>> >>>>> When we were testing out 1.9.0.Final, we came across two issues: >>>>> >>>>> 1) NullPointerException during DB migration (from 1.7.0 to 1.9.0) >>>>> because of an issue in org.keycloak.migration.migrators.MigrateTo1_9_0.java >>>>> class. 
Basically if realm.getDisplayNameHtml() is null, the exception gets >>>>> thrown. >>>>> >>>> >>>> Fixed >>>> >>>> >>>>> >>>>> 2) Cannot map the access codes returned after authentication to the >>>>> AccessTokenResponse.java class. A jsonifying error occurs. Seems this has >>>>> something to do with @JsonProperty annotation that has impacted with >>>>> Jackson version upgrade. >>>>> >>>> >>>> Did you upgrade adapters as well as the server? >>>> >>>> >>>>> >>>>> >>>>> Are these issue already tracked? If not I can create JIRAs. >>>>> >>>>> >>>>> Regards, >>>>> Lohitha. >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/9c2cdbee/attachment.html From sthorger at redhat.com Fri Mar 11 06:16:03 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 11 Mar 2016 12:16:03 +0100 Subject: [keycloak-user] Display specific 'token expired error message' when user tries to perform a 'user action' for which the token has expired? In-Reply-To: <0174893B-FD4C-469B-AA86-AD4E1A59249C@info.nl> References: <0174893B-FD4C-469B-AA86-AD4E1A59249C@info.nl> Message-ID: Unformatted error message will just return the key used to lookup the actual error message. In this case the key is invalidCodeMessage. You can change what text is displayed for this key by creating a custom theme, add a message bundle with a different value for that key. Messages should be changed this way, not by editing the template so there's no need to pass the "unformatted message" to the ftl. 
One issue is that this specific key is used for a few different errors, including: * A user clicks on the link again after it has been completed * The link expires * A user spends too long trying to login so the code is removed Ideally we'd have different keys for different scenarios, but it's hard to identify which is the problem as the code has been removed we're not actually sure what's going on. On 10 March 2016 at 14:58, Edgar Vonk - Info.nl wrote: > hi, > > Somewhat related to https://issues.jboss.org/browse/KEYCLOAK-2125 (User > Actions email link expires too early): when a user clicks on a 'users > action' link and the token has expired we would like to show a specific > error message to the user informing him/her of this. E.g. "We're sorry. The > (temporary) token in the link you tried to access has expired. Please > contact your administrator." > > Right now when a token (/user session) has expired and the user clicks on > the user actions link in the email he/she sees the generic Keycloak account > error screen: "We're sorry. An error occurred, please login again through > your application.". The user now has no idea what went wrong and in our > case cannot even login again as the user has no password yet. > > If I am not mistaken currently this is not possible because the original > error code is not passed on to the error page (error.ftl) from > FreeMarkerLoginFormsProvider#createResponse because the rendered page is of > type "ERROR" in which case the original (error) message > (#getFirstMessageUnformatted()) is not added to the list of attributes for > the FTL? > > Am I correct in this? If so does it make sense to create a feature request > JIRA ticket for it? > > cheers > > Edgar > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
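The message-bundle override Stian describes, written out as an added example (not files from the Keycloak project): a custom login theme that inherits from the built-in theme and replaces only the text behind the invalidCodeMessage key. The theme name "mytheme" and the wording of the message are assumptions; the key name comes from the thread.

```properties
# themes/mytheme/login/theme.properties   (assumed theme name "mytheme")
# Inherit templates and resources from the built-in login theme; nothing else is copied.
parent=keycloak
import=common/keycloak

# themes/mytheme/login/messages/messages_en.properties
# Only the keys listed here are overridden; every other key falls through to the parent theme.
# The same key is shown for an expired link, a re-used link and a login that took too long,
# so the wording has to fit all three cases rather than name one of them.
invalidCodeMessage=The link you followed has expired or has already been used. Please contact your administrator to request a new one.
```

Select the theme as the realm's login theme in the admin console once the directory is in place. Because templates stay untouched, later Keycloak upgrades that change error.ftl do not have to be merged by hand, which is the reason the thread recommends message bundles over template edits.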
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/2ccf0e17/attachment-0001.html From Edgar at info.nl Fri Mar 11 07:21:16 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Fri, 11 Mar 2016 12:21:16 +0000 Subject: [keycloak-user] Display specific 'token expired error message' when user tries to perform a 'user action' for which the token has expired? In-Reply-To: References: <0174893B-FD4C-469B-AA86-AD4E1A59249C@info.nl> Message-ID: Hi Stian, My excuses. You are completely right. I overlooked the default error message completely. The reason was that for some reason in our project at some point we had decided to remove the actual error message from our error.ftl and instead display the same generic error message for all errors. cheers Edgar > On 11 Mar 2016, at 12:16, Stian Thorgersen wrote: > > Unformatted error message will just return the key used to lookup the actual error message. In this case the key is invalidCodeMessage. You can change what text is displayed for this key by creating a custom theme, add a message bundle with a different value for that key. Messages should be changed this way, not by editing the template so there's no need to pass the "unformatted message" to the ftl. > > One issue is that this specific key is used for a few different errors, including: > > * A user clicks on the link again after it has been completed > * The link expires > * A user spends too long trying to login so the code is removed > > Ideally we'd have different keys for different scenarios, but it's hard to identify which is the problem as the code has been removed we're not actually sure what's going on. > > On 10 March 2016 at 14:58, Edgar Vonk - Info.nl > wrote: > hi, > > Somewhat related to https://issues.jboss.org/browse/KEYCLOAK-2125 (User Actions email link expires too early): when a user clicks on a 'users action' link and the token has expired we would like to show a specific error message to the user informing him/her of this. E.g. 
"We're sorry. The (temporary) token in the link you tried to access has expired. Please contact your administrator." > > Right now when a token (/user session) has expired and the user clicks on the user actions link in the email he/she sees the generic Keycloak account error screen: "We're sorry. An error occurred, please login again through your application.". The user now has no idea what went wrong and in our case cannot even login again as the user has no password yet. > > If I am not mistaken currently this is not possible because the original error code is not passed on to the error page (error.ftl) from FreeMarkerLoginFormsProvider#createResponse because the rendered page is of type "ERROR" in which case the original (error) message (#getFirstMessageUnformatted()) is not added to the list of attributes for the FTL? > > Am I correct in this? If so does it make sense to create a feature request JIRA ticket for it? > > cheers > > Edgar > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/8b47491a/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/8b47491a/attachment.bin From Rens.Verhage at topicus.nl Fri Mar 11 09:50:16 2016 From: Rens.Verhage at topicus.nl (Rens Verhage) Date: Fri, 11 Mar 2016 14:50:16 +0000 Subject: [keycloak-user] Running Keycloak on OpenShift in its own gear In-Reply-To: References: <20C7F7A5-E45A-4C12-8AAB-6380C9C1C70F@topicus.nl> Message-ID: Ok, that makes sense. What about the database? 
Can my app and Keycloak still share the same PostgreSQL gear? On Mar 11, 2016, at 06:57, Stian Thorgersen > wrote: Keycloak isn't an add-on cartridge, it's a standalone cartridge and can't be added onto an existing WildFly application. You need to create a separate Keycloak application. On 10 March 2016 at 20:38, Rens Verhage > wrote: Maybe I haven't fully grasped the concepts behind OpenShift. I'd like to run my application in the OpenShift cloud and secure it with Keycloak. My application is already running, using 2 gears. 1 gear has the web-app running in WildFly 10, the 2nd gear hosts the PostgreSQL database. I tried adding Keycloak by adding a cartridge to my application like this using https://github.com/keycloak/openshift-keycloak-cartridge: rhc add-cartridge http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge This results in the following error: The cartridge 'http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge' will be downloaded and installed Adding http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge to application 'my_app' ... jboss-wildfly-10 already exists in your application It seems logical to me to run my application in WildFly on one gear and Keycloak, also on WildFly, on a second gear. What is best practice to add Keycloak to an existing OpenShift application, also running on WildFly? Should I deploy Keycloak in the same WildFly instance? I know the next question is off topic in this list, but I'll ask it anyway. If I cannot deploy two cartridges based on the same 'base cartridge' within the same app, how does OpenShift scale up my application? Isn't that the same thing? Regards, Rens Verhage _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/05b7660f/attachment.html From sthorger at redhat.com Fri Mar 11 09:55:20 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 11 Mar 2016 15:55:20 +0100 Subject: [keycloak-user] Running Keycloak on OpenShift in its own gear In-Reply-To: References: <20C7F7A5-E45A-4C12-8AAB-6380C9C1C70F@topicus.nl> Message-ID: On 11 March 2016 at 15:50, Rens Verhage wrote: > Ok, that makes sense. What about the database? Can my app and Keycloak > still share the same PostgreSQL gear? > I don't think so > > > On Mar 11, 2016, at 06:57, Stian Thorgersen wrote: > > Keycloak isn't an add-on cartridge, it's a standalone cartridge and can't > be added onto an existing WildFly application. You need to create a > separate Keycloak application. > > On 10 March 2016 at 20:38, Rens Verhage wrote: > >> Maybe I haven't fully grasped the concepts behind OpenShift. I'd like to >> run my application in the OpenShift cloud and secure it with Keycloak. My >> application is already running, using 2 gears. 1 gear has the web-app >> running in WildFly 10, the 2nd gear hosts the PostgreSQL database. >> >> I tried adding Keycloak by adding a cartridge to my application like this >> using https://github.com/keycloak/openshift-keycloak-cartridge: >> >> rhc add-cartridge >> http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge >> >> This results in the following error: >> >> The cartridge ' >> http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge' >> will be downloaded and installed >> Adding >> http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge >> to application 'my_app' ... jboss-wildfly-10 already exists in >> your application >> >> It seems logical to me to run my application in WildFly on one gear and >> Keycloak, also on WildFly, on a second gear. 
What is best practice to add >> Keycloak to an existing OpenShift application, also running on WildFly? >> Should I deploy Keycloak in the same WildFly instance? >> >> I know the next question is off topic in this list, but I'll ask it >> anyway. If I cannot deploy two cartridges based on the same 'base >> cartridge' within the same app, how does OpenShift scale up my application? >> Isn't that the same thing? >> >> >> Regards, >> Rens Verhage >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > From sthorger at redhat.com Fri Mar 11 10:27:34 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 11 Mar 2016 16:27:34 +0100 Subject: [keycloak-user] '500 Internal Server Error' thrown when 'Update User' API is invoked w/o 'username' in the payload In-Reply-To: References: Message-ID: Can you please report a new issue? The original issue was fixed, but there's another issue when brute force protection is enabled. The test from the original issue doesn't enable brute force protection. On 11 March 2016 at 08:49, Lohitha Chiranjeewa wrote: > Stian just FYI, apparently this is not fixed despite the ticket getting > closed. > > I had a brief look at the code, and it seems if the "username" is present > and the "enabled" parameter is set to true in the request payload, a > NullPointerException still gets thrown. > > if (rep.isEnabled() != null && rep.isEnabled()) { > UsernameLoginFailureModel failureModel = session.sessions().getUserLoginFailure(realm, rep.getUsername().toLowerCase()); > if (failureModel != null) { > failureModel.clearFailures(); > } > } > > This is in org.keycloak.services.resources.admin.UsersResource class. > > > Regards, > Lohitha. 
> > On Mon, Jan 18, 2016 at 11:51 AM, Lohitha Chiranjeewa > wrote: > >> JIRA logged here: https://issues.jboss.org/browse/KEYCLOAK-2334 >> >> >> Regards, >> Lohitha >> >> On Fri, Jan 15, 2016 at 9:12 PM, Stian Thorgersen >> wrote: >> >>> Yes please >>> >>> On 15 January 2016 at 04:42, Lohitha Chiranjeewa >>> wrote: >>> >>>> Hi, >>>> >>>> Refer title for the bug. This seems to have been introduced after >>>> 1.2.0.Final because in that version we didn't have this problem. Failure >>>> happens in 1.7.0.Final. Checked the logs and there's a NullPointerException >>>> thrown. >>>> >>>> Shall I create a JIRA? >>>> >>>> >>>> Regards, >>>> Lohitha. >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > From jaxley at expedia.com Fri Mar 11 11:51:55 2016 From: jaxley at expedia.com (Jason Axley) Date: Fri, 11 Mar 2016 16:51:55 +0000 Subject: [keycloak-user] Key cloak LDAP pagination for fetching groups? Message-ID: Active Directory sets a max page size by default of 1000 entries. I'm seeing my READ_ONLY LDAP connection only ever returning a maximum of 1000 groups from LDAP. Is it supposed to support pagination? The method seeing this limit is in GroupLDAPFederationMapper.java: public UserFederationSyncResult syncDataFromFederationProviderToKeycloak() { LDAPQuery.java method public List getResultList() { Calls LDAPQuery.java fetchQueryResults() Which has this condition to check for pagination: if (getConfig().isPagination() && identityQuery.getLimit() > 0) { I have pagination set to True, but the identityQuery has a limit set to 0, so it never enters the pagination branch. 
Am I missing something about how to configure the group mapper to support pagination to fetch more than 1000 entries? What this causes right now is for Keycloak to not see a user as a member of a group that they are a member of because many groups beyond the 1000 have not been synchronized into Keycloak. I wonder if it would be better to support a Just-in-Time synchronization of just the groups that users are members of rather than syncing all groups and trying to do a union between the user groups and LDAP groups? I'd love to not have every group in the system anyhow as it gets really unwieldy in the UI. -Jason Jason Axley Sr. Security Engineer, Expedia Worldwide Engineering Team 425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv) 333 108th Ave NE, 9S-282, Bellevue, WA 98004 EWE Security Wiki From Chris.Raiskin at standard.com Fri Mar 11 13:31:22 2016 From: Chris.Raiskin at standard.com (Chris Raiskin) Date: Fri, 11 Mar 2016 18:31:22 +0000 Subject: [keycloak-user] Invalid parameter: redirect_uri Message-ID: Hello I'm following The Basic Part 2 tutorial with keycloak 1.9.0 with the purpose of demo'ing keycloak to the team. The only difference in my set up is that I have the keycloak server on a separate host from the wildfly server running the demo apps. When I hit "Customer Listing" link, I get WE'RE SORRY... Invalid parameter: redirect_uri displayed by the keycloak server. 
http://keycloak.blah.com:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=1%2Fe1f42109-1372-4808-98aa-6cd5bbb0b9ac&login=true I can see that the redirect_uri is referencing "localhost" both from the URL above and the keycloak log entry: 11:21:52,483 WARN [org.keycloak.events] (default task-75) type=LOGIN_ERROR, realmId=demo, clientId=customer-portal, userId=null, ipAddress=192.168.1.3, error=invalid_redirect_uri, response_type=code, redirect_uri=http://localhost:8080/customer-portal/customers/view.jsp, response_mode=query but I'm not sure where "localhost" is coming from b/c the "valid redirect uri" for this Client/Application is configured like this: * Valid Redirect URIs http://wildfly.blah.com:8080/customer-portal/* Any help would be appreciated. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/849a4136/attachment.html From hugh.riley at mni-news.com Fri Mar 11 13:59:49 2016 From: hugh.riley at mni-news.com (Hugh Riley) Date: Fri, 11 Mar 2016 18:59:49 +0000 Subject: [keycloak-user] Keycloak not falling back in Chrome In-Reply-To: References: Message-ID: Original attempt to post this was rejected ("No reason given"). Not sure why - if I'm violating any protocol or rule, please let me know. All, Recently, we made a change to our group policy object for Chrome that enables Kerberos delegation for our domain (setting Authentication Server whitelist and Kerberos Delegation server whitelist to *.domain.com). However, the change seems to have triggered an issue with Keycloak-backed sites. Upon going to a protected page, we get a failure page, but no prompt to enter credentials. 
Correct me if I'm wrong, but shouldn't Keycloak fall back to prompting for credentials when Kerberos isn't supported for that Client or if the ticket is invalid for some other reason? After the change, when we go to a Keycloak site, we get a page saying We're sorry ... Invalid username or password. In the Keycloak log we see: 16:49:30,218 WARN [org.keycloak.models.UserFederationManager] (default task-41) Don't have provider supporting credentials of type kerberos 16:49:30,222 WARN [org.keycloak.events] (default task-41) type=LOGIN_ERROR, realmId=, clientId=, userId=null, ipAddress=https, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://protectedsite.domain.com/protected/redirect_uri, code_id=blah-blah, response_mode=query 16:49:30,223 ERROR [org.keycloak.services] (default task-41) KC-SERVICES0013: failed authentication: org.keycloak.authentication.AuthenticationFlowException at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:184) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789) at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:664) at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:139) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:270) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:116) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) This happens with Chrome version 48.0.2564.116 m and Keycloak 1.6 (running under Wildfly 9) and Keycloak 1.9.1 (running under Wildfly 10). Thanks in advance. Hugh From mposolda at redhat.com Fri Mar 11 16:38:19 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 11 Mar 2016 22:38:19 +0100 Subject: [keycloak-user] Key cloak LDAP pagination for fetching groups? In-Reply-To: References: Message-ID: <56E33ACB.5000100@redhat.com> Other user created JIRA already for 1000 limit pagination [1] and I've created another for "lazy" synchronization of just groups, which user is member of (Lazy will work just if "Preserve group inheritance" of group mapper is off). PR incoming for both issues. [1] https://issues.jboss.org/browse/KEYCLOAK-2640 [2] https://issues.jboss.org/browse/KEYCLOAK-2655 Marek On 11/03/16 17:51, Jason Axley wrote: > Active Directory sets a max page size by default of 1000 entries. I'm > seeing my READ_ONLY LDAP connection only ever returning a maximum of > 1000 groups from LDAP. Is it supposed to support pagination? 
> > The method seeing this limit is in GroupLDAPFederationMapper.java: > public UserFederationSyncResult syncDataFromFederationProviderToKeycloak() { > LDAPQuery.java method > public List getResultList() { > Calls LDAPQuery.java fetchQueryResults() > > Which has this condition to check for pagination: > if (getConfig().isPagination() && identityQuery.getLimit() > 0) { > I have pagination set to True, but the identityQuery has a limit set > to 0, so it never enters the pagination branch. Am I missing something > about how to configure the group mapper to support pagination to fetch > more than 1000 entries? > > What this causes right now is for Keycloak to not see a user as a > member of a group that they are a member of because many groups beyond > the 1000 have not been synchronized into Keycloak. > > I wonder if it would be better to support a Just-in-Time > synchronization of just the groups that users are members of rather > than syncing all groups and trying to do a union between the user > groups and LDAP groups? I'd love to not have every group in the > system anyhow as it gets really unwieldy in the UI. > > -Jason > > *Jason Axley* > > Sr. Security Engineer, Expedia Worldwide Engineering Team > > 425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv) > > 333 108th Ave NE, 9S-282, Bellevue, WA 98004 > > EWE Security Wiki > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jaxley at expedia.com Fri Mar 11 18:02:42 2016 From: jaxley at expedia.com (Jason Axley) Date: Fri, 11 Mar 2016 23:02:42 +0000 Subject: [keycloak-user] Key cloak LDAP pagination for fetching groups? 
In-Reply-To: <56E33ACB.5000100@redhat.com>
References: <56E33ACB.5000100@redhat.com>
Message-ID: 

Awesome! Will sync that code and give it a try.

-Jason

From: Marek Posolda
Date: Friday, March 11, 2016 at 1:38 PM
To: Jason Axley, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Key cloak LDAP pagination for fetching groups?

Another user already created a JIRA for the 1000 limit pagination [1] and I've created another for "lazy" synchronization of just the groups which the user is a member of (lazy will work only if "Preserve group inheritance" of the group mapper is off). PR incoming for both issues.

[1] https://issues.jboss.org/browse/KEYCLOAK-2640
[2] https://issues.jboss.org/browse/KEYCLOAK-2655

Marek

On 11/03/16 17:51, Jason Axley wrote:

Active Directory sets a max page size by default of 1000 entries. I'm seeing my READ_ONLY LDAP connection only ever returning a maximum of 1000 groups from LDAP. Is it supposed to support pagination?

The method seeing this limit is in GroupLDAPFederationMapper.java:

public UserFederationSyncResult syncDataFromFederationProviderToKeycloak() {

LDAPQuery.java method

public List getResultList() {

Calls LDAPQuery.java fetchQueryResults()

Which has this condition to check for pagination:

if (getConfig().isPagination() && identityQuery.getLimit() > 0) {

I have pagination set to True, but the identityQuery has a limit set to 0, so it never enters the pagination branch. Am I missing something about how to configure the group mapper to support pagination to fetch more than 1000 entries?

What this causes right now is for Keycloak to not see a user as a member of a group that they are a member of because many groups beyond the 1000 have not been synchronized into Keycloak.

I wonder if it would be better to support a Just-in-Time synchronization of just the groups that users are members of rather than syncing all groups and trying to do a union between the user groups and LDAP groups?
I'd love to not have every group in the system anyhow as it gets really unwieldy in the UI.

-Jason

Jason Axley
Sr. Security Engineer, Expedia Worldwide Engineering Team
425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)
333 108th Ave NE, 9S-282, Bellevue, WA 98004
EWE Security Wiki

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160311/3a079b14/attachment.html

From sthorger at redhat.com Mon Mar 14 02:44:00 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 14 Mar 2016 07:44:00 +0100
Subject: [keycloak-user] Invalid parameter: redirect_uri
In-Reply-To: 
References: 
Message-ID: 

Did you change the redirect uri for the client? The default configuration of the demo assumes it'll be deployed on the same hostname as the Keycloak server. You can change this in the Keycloak admin console after importing the realm config from the demo. Simplest is to add a root url for the client.

On 11 Mar 2016 19:32, "Chris Raiskin" wrote:
> Hello
>
> I'm following The Basic Part 2 tutorial with keycloak 1.9.0 with
> the purpose of demo'ing keycloak to the team.
>
> The only difference in my set up is that I have the keycloak server on a
> separate host from the wildfly server running the demo apps.
>
> When I hit the "Customer Listing" link, I get
>
> WE'RE SORRY ...
>
> Invalid parameter: redirect_uri
>
> displayed by the keycloak server.
>
> http://keycloak.blah.com:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=1%2Fe1f42109-1372-4808-98aa-6cd5bbb0b9ac&login=true
>
> I can see that the redirect_uri is referencing "localhost"
> both from the URL above and the keycloak log entry:
>
> 11:21:52,483 WARN [org.keycloak.events] (default task-75) type=LOGIN_ERROR, realmId=demo, clientId=customer-portal, userId=null, ipAddress=192.168.1.3, error=invalid_redirect_uri, response_type=code, redirect_uri=http://localhost:8080/customer-portal/customers/view.jsp, response_mode=query
>
> but I'm not sure where "localhost" is coming from b/c the "valid redirect
> uri" for this Client/Application is configured like this:
>
> * Valid Redirect URIs
> http://wildfly.blah.com:8080/customer-portal/*
>
> Any help would be appreciated.
>
> Thanks
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/21f6ccf4/attachment-0001.html

From kalc04 at gmail.com Mon Mar 14 04:43:27 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 14 Mar 2016 14:13:27 +0530
Subject: [keycloak-user] '500 Internal Server Error' thrown when 'Update User' API is invoked w/o 'username' in the payload
In-Reply-To: 
References: 
Message-ID: 

JIRA created: https://issues.jboss.org/browse/KEYCLOAK-2660

Regards,
Lohitha.

On Fri, Mar 11, 2016 at 8:57 PM, Stian Thorgersen wrote:
> Can you please report a new issue? The original issue was fixed, but
> there's another issue when brute force protection is enabled. The test from
> the original issue doesn't enable brute force protection.
>
> On 11 March 2016 at 08:49, Lohitha Chiranjeewa wrote:
>
>> Stian just FYI, apparently this is not fixed despite the ticket getting
>> closed.
>>
>> I had a brief look at the code, and it seems if the "username" is present
>> and the "enabled" parameter is set to true in the request payload, a
>> NullPointerException still gets thrown.
>> >> if (rep.isEnabled() != null && rep.isEnabled()) { >> UsernameLoginFailureModel failureModel = session.sessions().getUserLoginFailure(realm, rep.getUsername().toLowerCase()); >> if (failureModel != null) { >> failureModel.clearFailures(); >> } >> } >> >> This is in org.keycloak.services.resources.admin.UsersResource class. >> >> >> Regards, >> Lohitha. >> >> On Mon, Jan 18, 2016 at 11:51 AM, Lohitha Chiranjeewa >> wrote: >> >>> JIRA logged here: https://issues.jboss.org/browse/KEYCLOAK-2334 >>> >>> >>> Regards, >>> Lohitha >>> >>> On Fri, Jan 15, 2016 at 9:12 PM, Stian Thorgersen >>> wrote: >>> >>>> Yes please >>>> >>>> On 15 January 2016 at 04:42, Lohitha Chiranjeewa >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> Refer title for the bug. This seems to have been introduced after >>>>> 1.2.0.Final because in that version we didn't have this problem. Failure >>>>> happens in 1.7.0.Final. Checked the logs and there's a NullPointerException >>>>> thrown. >>>>> >>>>> Shall I create a JIRA? >>>>> >>>>> >>>>> Regards, >>>>> Lohitha. >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/0482a327/attachment.html From mposolda at redhat.com Mon Mar 14 05:32:05 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 14 Mar 2016 10:32:05 +0100 Subject: [keycloak-user] Keycloak not falling back in Chrome In-Reply-To: References: Message-ID: <56E68515.3060801@redhat.com> Hi, according to the error, it seems that you switched "Kerberos" authenticator to ALTERNATIVE or REQUIRED in "Authentication" tab in admin console for Browser flow. However you didn't configure any LDAP or Kerberos federation provider for your realm. 
You need to add the federation provider and provide keytab, server principal etc. See docs for more details [1]. [1] http://keycloak.github.io/docs/userguide/keycloak-server/html/kerberos.html#d4e2932 Marek On 11/03/16 19:59, Hugh Riley wrote: > Original attempt to post this was rejected ("No reason given"). Not sure why - if I'm violating any protocol or rule, please let me know. > > All, > > Recently, we made a change to our group policy object for Chrome that enables Kerberos delegation for our domain (setting Authentication Server whitelist and Kerberos Delegation server whitelist to *.domain.com). However, the change seems to have triggered an issue with Keycloak-backed sites. Upon going to a protected page, we get a failure page, but no prompt to enter credentials. Correct me if I'm wrong, but shouldn't Keycloak fall back to prompting for credentials when Kerberos isn't supported for that Client or if the ticket is invalid for some other reason? > > After the change, when we go to a Keycloak site, we get a page saying > > We're sorry ... > Invalid username or password. 
> > In the Keycloak log we see: > > ESC[0mESC[33m16:49:30,218 WARN [org.keycloak.models.UserFederationManager] (default task-41) Don't have provider supporting credentials of type kerberos > ESC[0mESC[33m16:49:30,222 WARN [org.keycloak.events] (default task-41) type=LOGIN_ERROR, realmId=, clientId=, userId=null, ipAddress=https, error=invali d_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://protectedsite.domain.com/protected/redirect_uri, code_id=blah-blah, response_mode=query > ESC[0mESC[31m16:49:30,223 ERROR [org.keycloak.services] (default task-41) KC-SERVICES0013: failed authentication: org.keycloak.authentication.AuthenticationFlowException > at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:184) > at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789) > at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:664) > at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:139) > at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:270) > at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:116) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at 
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> This happens with Chrome version 48.0.2564.116 m and Keycloak 1.6 (running under Wildfly 9) and Keycloak 1.9.1 (running under Wildfly 10).
>
> Thanks in advance.
>
> Hugh
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From segatto at esteco.com Mon Mar 14 05:58:29 2016
From: segatto at esteco.com (Alessandro Segatto)
Date: Mon, 14 Mar 2016 10:58:29 +0100
Subject: [keycloak-user] Migration Problem
Message-ID: 

Hi, after upgrading from 1.7 to 1.9.1 I get this error when trying to login with a master realm user:

10:52:45,478 WARN [org.keycloak.hash.PasswordHashManager] (default task-101) Could not find hash provider HmacSHA1 for password
10:52:45,478 WARN [org.keycloak.events] (default task-101) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=614f9a9e-37a2-4fa8-aa62-5a8c547c5f58, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost:8443/auth/admin/master/console/, code_id=1a3b9e6d-538c-46c0-9762-6a92b76fcaec, username=xxx

The password is right, so I guess the problem is in the first warning ... how can I fix this?

Thank you in advance,
Alessandro

--
Ing. Alessandro Segatto
Software Engineer
Research and Development
*ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com

Pursuant to Legislative Decree No.
196/2003, you are hereby informed that this message contains confidential information intended only for the use of the addressee. If you are not the addressee, and have received this message by mistake, please delete it and immediately notify us. You may not copy or disseminate this message to anyone. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/31306a7f/attachment.html From b.vonk at first8.nl Mon Mar 14 06:12:24 2016 From: b.vonk at first8.nl (Bram Vonk) Date: Mon, 14 Mar 2016 11:12:24 +0100 Subject: [keycloak-user] User Attributes -> User Attribute Mapper, Client Attributes -> no mapper? Message-ID: Hi, We're adding specific User Attributes to Users, and use the User Attribute protocol mapper to add those attributes to the JWT bearer tokens the user gets when logging in. This works fine for keycloak Users (natural persons) using our secured endpoints (APIs). We'd like to use the same concept for Clients (internal applications, so no natural person is involved) that use our secured endpoints. These Clients use client credentials to get a bearer token from Keycloak. Clients can have Client Attributes, so that's half the problem fixed. The other half is the protocol mapper: there is no Client Attribute protocol mapper. Is there a specific reason there is no Client Attribute protocol mapper? Are we doing something we shouldn't do? ;) Thanks, Bram Vonk -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/fca09a9a/attachment-0001.html From mposolda at redhat.com Mon Mar 14 06:36:17 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 14 Mar 2016 11:36:17 +0100 Subject: [keycloak-user] User Attributes -> User Attribute Mapper, Client Attributes -> no mapper? 
In-Reply-To: References: Message-ID: <56E69421.4080500@redhat.com> We don't have a mapper for client attributes. There was no need for it until now AFAIK. You can either create JIRA to request it (but not sure when it will be done) or you can implement by yourself. See docs for providers and SPI [1] [1] http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html Marek On 14/03/16 11:12, Bram Vonk wrote: > > Hi, > > > We're adding specific User Attributes to Users, and use the User > Attribute protocol mapper to add those attributes to the JWT bearer > tokens the user gets when logging in. > > > This works fine for keycloak Users (natural persons) using our secured > endpoints (APIs). > > > We'd like to use the same concept for Clients (internal applications, > so no natural person is involved) that use our secured endpoints. > These Clients use client credentials to get a bearer token from > Keycloak. Clients can have Client Attributes, so that's half the > problem fixed. The other half is the protocol mapper: there is no > Client Attribute protocol mapper. > > > Is there a specific reason there is no Client Attribute protocol > mapper? Are we doing something we shouldn't do? ;) > > > Thanks, > > > Bram Vonk > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/823adc12/attachment.html From mposolda at redhat.com Mon Mar 14 06:47:31 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 14 Mar 2016 11:47:31 +0100 Subject: [keycloak-user] Migration Problem In-Reply-To: References: Message-ID: <56E696C3.1050708@redhat.com> Hmm... looks it might be related to https://issues.jboss.org/browse/KEYCLOAK-2319 . Could you please create JIRA? Please also add which DB are you using. 
Thanks,
Marek

On 14/03/16 10:58, Alessandro Segatto wrote:
> Hi, after upgrading from 1.7 to 1.9.1 I get this error when trying to
> login with a master realm user:
>
> 10:52:45,478 WARN [org.keycloak.hash.PasswordHashManager] (default
> task-101) Could not find hash provider HmacSHA1 for password
> 10:52:45,478 WARN [org.keycloak.events] (default task-101)
> type=LOGIN_ERROR, realmId=master, clientId=security-admin-console,
> userId=614f9a9e-37a2-4fa8-aa62-5a8c547c5f58, ipAddress=127.0.0.1,
> error=invalid_user_credentials, auth_method=openid-connect,
> auth_type=code,
> redirect_uri=https://localhost:8443/auth/admin/master/console/,
> code_id=1a3b9e6d-538c-46c0-9762-6a92b76fcaec, username=xxx
>
> The password is right, so I guess the problem is in the first warning ...
> how can I fix this?
>
> Thank you in advance,
> Alessandro
>
> --
>
> Ing. Alessandro Segatto
> Software Engineer
> Research and Development
> *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
> Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com
>
> Pursuant to Legislative Decree No. 196/2003, you are hereby informed
> that this message contains confidential information intended only for
> the use of the addressee. If you are not the addressee, and have
> received this message by mistake, please delete it and immediately
> notify us. You may not copy or disseminate this message to anyone.
> Thank you.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/3672fa30/attachment.html

From revanth at arvindinternet.com Mon Mar 14 07:03:27 2016
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Mon, 14 Mar 2016 16:33:27 +0530
Subject: [keycloak-user] GMail throws suspicious error when sending email.
Message-ID: 

Hi,

I am using Keycloak 1.5.0 for my product, and when I send an email for execute actions, Gmail throws the warning shown in the image attached below. However, when I do "forgot password" from my login screen, the email sent does not contain this warning. Can you help me debug why this is happening? Execute actions is an important part of my product and any help regarding this would be highly appreciated.

Thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/43e80833/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2016-03-14 16:24:47.png
Type: image/png
Size: 9053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/43e80833/attachment-0001.png

From sives at paintnite.com Mon Mar 14 10:40:24 2016
From: sives at paintnite.com (Seann Ives)
Date: Mon, 14 Mar 2016 10:40:24 -0400
Subject: [keycloak-user] web and mobile behavior with logout/pw change
Message-ID: 

Hello,

Our web application has a standard keycloak integration. Our mobile app is currently using keycloak direct access grants. I've got a few questions about expected behavior when a user has overlapping usage of both web and mobile which I'm hoping someone here can kindly answer.

1. A user logs in to the mobile app and gets a JWT and a refresh token. The user then logs in to the web app (via KC) and then logs out of the web app (via KC).
Should the mobile refresh token then be able to successfully refresh the mobile JWT access token against KC, or does the web logout 'invalidate' the mobile refresh token? 2. Similar scenario but the web user changes their password instead of logging out: A user logs in to the mobile app and gets a JWT and a refresh token. The user then logs in to the web app and then changes their password (through KC). Should the mobile refresh token (created with the old password) then be able to successfully refresh the mobile JWT access token, or does the web logout 'invalidate' the mobile refresh token? Would the behavior in either of those cases be different if our mobile app used a webview redirecting to the KC server instead of using direct access grants? Thanks very much! Seann Ives -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/95400fb4/attachment.html From hugh.riley at mni-news.com Mon Mar 14 10:57:20 2016 From: hugh.riley at mni-news.com (Hugh Riley) Date: Mon, 14 Mar 2016 14:57:20 +0000 Subject: [keycloak-user] Keycloak not falling back in Chrome In-Reply-To: <56E68515.3060801@redhat.com> References: <56E68515.3060801@redhat.com> Message-ID: Odd. I don't remember setting that (it's set to ALTERNATIVE). But setting that to DISABLED solved the problem. However, even if it is set to ALTERNATIVE, should it not still fall back? Hugh > -----Original Message----- > From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: Monday, March 14, 2016 4:32 AM > To: Hugh Riley ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Keycloak not falling back in Chrome > > Hi, > > according to the error, it seems that you switched "Kerberos" > authenticator to ALTERNATIVE or REQUIRED in "Authentication" tab in admin > console for Browser flow. However you didn't configure any LDAP or > Kerberos federation provider for your realm. 
You need to add the federation > provider and provide keytab, server principal etc. See docs for more details > [1]. > > [1] > http://keycloak.github.io/docs/userguide/keycloak- > server/html/kerberos.html#d4e2932 > > Marek From segatto at esteco.com Mon Mar 14 11:27:40 2016 From: segatto at esteco.com (Alessandro Segatto) Date: Mon, 14 Mar 2016 16:27:40 +0100 Subject: [keycloak-user] Migration Problem In-Reply-To: <56E696C3.1050708@redhat.com> References: <56E696C3.1050708@redhat.com> Message-ID: Done ! https://issues.jboss.org/browse/KEYCLOAK-2661 On Mon, Mar 14, 2016 at 11:47 AM, Marek Posolda wrote: > Hmm... looks it might be related to > https://issues.jboss.org/browse/KEYCLOAK-2319 . Could you please create > JIRA? Please also add which DB are you using. > > Thanks, > Marek > > > On 14/03/16 10:58, Alessandro Segatto wrote: > > Hi , after upgrading form 1.7 to 1.9.1 i get this error when trying to > login with master realm user: > > 10:52:45,478 WARN [org.keycloak.hash.PasswordHashManager] (default > task-101) Could not find hash provider HmacSHA1 for password > 10:52:45,478 WARN [org.keycloak.events] (default task-101) > type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, > userId=614f9a9e-37a2-4fa8-aa62-5a8c547c5f58, ipAddress=127.0.0.1, > error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, > redirect_uri= > https://localhost:8443/auth/admin/master/console/, > code_id=1a3b9e6d-538c-46c0-9762-6a92b76fcaec, username=xxx > > Password is right so i guess the problem is in the first warning ... how > can i fix this ? > > Thank-you in advance, > Alessandro > > -- > > Ing. Alessandro Segatto > Software Engineer > Research and Development > > *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY > Phone: +39 040 3755548 - Fax: +39 040 3755549 | > www.esteco.com > > Pursuant to Legislative Decree No. 
196/2003, you are hereby informed that > this message contains confidential information intended only for the use of > the addressee. If you are not the addressee, and have received this message > by mistake, please delete it and immediately notify us. You may not copy or > disseminate this message to anyone. Thank you. > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- Ing. Alessandro Segatto Software Engineer Research and Development *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com Pursuant to Legislative Decree No. 196/2003, you are hereby informed that this message contains confidential information intended only for the use of the addressee. If you are not the addressee, and have received this message by mistake, please delete it and immediately notify us. You may not copy or disseminate this message to anyone. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/98efe298/attachment.html From mposolda at redhat.com Mon Mar 14 13:09:08 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 14 Mar 2016 18:09:08 +0100 Subject: [keycloak-user] Migration Problem In-Reply-To: References: <56E696C3.1050708@redhat.com> Message-ID: <56E6F034.3090407@redhat.com> Ah, maybe we didn't handle this for Mongo. Will be fixed in 1.9.2.Final. Marek On 14/03/16 16:27, Alessandro Segatto wrote: > Done ! > https://issues.jboss.org/browse/KEYCLOAK-2661 > > On Mon, Mar 14, 2016 at 11:47 AM, Marek Posolda > wrote: > > Hmm... looks it might be related to > https://issues.jboss.org/browse/KEYCLOAK-2319 . Could you please > create JIRA? Please also add which DB are you using. 
> > Thanks, > Marek > > > On 14/03/16 10:58, Alessandro Segatto wrote: >> Hi , after upgrading form 1.7 to 1.9.1 i get this error when >> trying to login with master realm user: >> >> 10:52:45,478 WARN [org.keycloak.hash.PasswordHashManager] >> (default task-101) Could not find hash provider HmacSHA1 for password >> 10:52:45,478 WARN [org.keycloak.events] (default task-101) >> type=LOGIN_ERROR, realmId=master, >> clientId=security-admin-console, >> userId=614f9a9e-37a2-4fa8-aa62-5a8c547c5f58, ipAddress=127.0.0.1, >> error=invalid_user_credentials, auth_method=openid-connect, >> auth_type=code, >> redirect_uri=https://localhost:8443/auth/admin/master/console/, >> code_id=1a3b9e6d-538c-46c0-9762-6a92b76fcaec, username=xxx >> >> Password is right so i guess the problem is in the first warning >> ... how can i fix this ? >> >> Thank-you in advance, >> Alessandro >> >> -- >> >> Ing. Alessandro Segatto >> Software Engineer >> Research and Development* >> * >> *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - >> 34149 Trieste - ITALY >> Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com >> >> >> Pursuant to Legislative Decree No. 196/2003, you are hereby >> informed that this message contains confidential information >> intended only for the use of the addressee. If you are not the >> addressee, and have received this message by mistake, please >> delete it and immediately notify us. You may not copy or >> disseminate this message to anyone. Thank you. >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > > Ing. Alessandro Segatto > Software Engineer > Research and Development* > * > *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY > Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com > > > Pursuant to Legislative Decree No. 
> 196/2003, you are hereby informed
> that this message contains confidential information intended only for
> the use of the addressee. If you are not the addressee, and have
> received this message by mistake, please delete it and immediately
> notify us. You may not copy or disseminate this message to anyone.
> Thank you.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160314/4128067f/attachment-0001.html

From daniele.capasso at dnshosting.it Tue Mar 15 04:43:05 2016
From: daniele.capasso at dnshosting.it (daniele.capasso at dnshosting.it)
Date: Tue, 15 Mar 2016 09:43:05 +0100
Subject: [keycloak-user] direct access grant
Message-ID: <70004102c903515c34b75429ba8a1a1d@dnshosting.it>

Hi,

I am trying to implement a direct access grant like the example at
https://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html

My client access type is confidential.

On

HttpResponse response = client.execute(post);

I receive

HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/9, Transfer-Encoding: chunked, Content-Type: application/json, Date: Tue, 15 Mar 2016 08:34:36 GMT] org.apache.http.conn.BasicManagedEntity at 7e3c3f85

This is my call:

POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1 [Authorization: Basic YWRtaW46ZGFuaWVsZQ==]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

These are my form params:

[grant_type=password, username=a, password=a]

What is wrong?
Thank you
Daniele

From erabee at blulogix.com  Tue Mar 15 06:34:28 2016
From: erabee at blulogix.com (Ebraheem Rabee)
Date: Tue, 15 Mar 2016 12:34:28 +0200
Subject: [keycloak-user] Keycloak Importing Realm Failed
Message-ID:

Hello,

When I try to import a realm using the REST client from Firefox with this data:

POST http://xxx.xxx.x.xx:xxxx/auth/admin/realms
{
  "id": "TestRealm",
  "enabled": true
}

the process returns this error:

500 Internal Server Error

Kindly find the log file attached to this email.

Best Regards
--
Ebraheem Alrabee'
Java Developer
BluLogix
737 Walker Rd Ste 3, Great Falls, VA 22066
t: 443.333.4100 | f: 443.333.4101
www.blulogix.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160315/c52a30f6/attachment.html
-------------- next part --------------
2016-03-15 12:11:49,177 ERROR [io.undertow.request] (default task-109) UT005023: Exception handling request to /auth/admin/realms: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
        at org.keycloak.services.managers.RealmManager.createMasterAdminManagement(RealmManager.java:273)
        at org.keycloak.services.managers.RealmManager.setupMasterAdminManagement(RealmManager.java:265)
        at org.keycloak.services.managers.RealmManager.importRealm(RealmManager.java:385)
        at org.keycloak.services.resources.admin.RealmsAdminResource.importRealm(RealmsAdminResource.java:146)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        ... 37 more

From tdudgeon.ml at gmail.com  Tue Mar 15 07:10:06 2016
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Tue, 15 Mar 2016 11:10:06 +0000
Subject: [keycloak-user] server hang on adding admin user
Message-ID: <56E7ED8E.3040008@gmail.com>

I'm getting a strange and infrequent problem when I add the admin user to keycloak.
I'm running keycloak inside a docker container (the jboss/keycloak-postgres:1.9.1.Final image), and I add the admin user using the KEYCLOAK_USER and KEYCLOAK_PASSWORD environment variables set the first time the container is started.
Occasionally the server seems to hang and the docker container can't be stopped or even killed.
The logs show this:

keycloak_1 | 10:56:19,876 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
keycloak_1 | 10:56:19,876 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
keycloak_1 | 10:56:19,877 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.9.1.Final (WildFly Core 2.0.10.Final) started in 12810ms - Started 422 of 789 services (529 services are lazy, passive or on-demand)
keycloak_1 |
keycloak_1 | Added 'admin' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user

Seems like keycloak adds the admin user then gives up on life completely and can't be stopped.
This only happens occasionally, but frequently enough to be a problem.
Any ideas what's happening here?

Tim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160315/2859eb2d/attachment.html

From M.Notarnicola at klopotek.it  Tue Mar 15 09:43:35 2016
From: M.Notarnicola at klopotek.it (Notarnicola, Mara)
Date: Tue, 15 Mar 2016 13:43:35 +0000
Subject: [keycloak-user] direct access grant
In-Reply-To: <70004102c903515c34b75429ba8a1a1d@dnshosting.it>
References: <70004102c903515c34b75429ba8a1a1d@dnshosting.it>
Message-ID: <916efd21ace942f4b7178ffbbad3c160@Taylor.core.klopotek.local>

You forgot the client_id

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of daniele.capasso at dnshosting.it
Sent: Tuesday, March 15, 2016 9:43 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] direct access grant

Hi,

I try to implement a direct access grant like the example at
https://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html

My client access type is confidential.

On

HttpResponse response = client.execute(post);

I receive

HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/9, Transfer-Encoding: chunked, Content-Type: application/json, Date: Tue, 15 Mar 2016 08:34:36 GMT] org.apache.http.conn.BasicManagedEntity at 7e3c3f85

This is my call:

POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1
[Authorization: Basic YWRtaW46ZGFuaWVsZQ==]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

These are my form params:

[grant_type=password, username=a, password=a]

What is wrong?

Thank you
Daniele

From m.claus at smile.nl  Tue Mar 15 10:56:32 2016
From: m.claus at smile.nl (Martijn Claus)
Date: Tue, 15 Mar 2016 14:56:32 +0000
Subject: [keycloak-user] Not using keycloak in development
Message-ID:

Hi,

I've been setting up Keycloak and liking it thus far. We are using it in an angular / Spring / REST context. For development there are cases where I don't want to run the Keycloak application (war) but only my own application. I assume this is a valid usecase.

But if I turn Keycloak off, the angular frontend will redirect me to an offline url and the application fails. I will not have a token and the backend will rightfully throw back some AccessDeniedExceptions.

Is there a way to use some kind of (magic/permanent/development) token that will be accepted by the backend so that the Keycloak application never has to be contacted? Or is there some other feature so that my backend spring keycloak adapter will accept anything and work with a default user?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160315/a746e442/attachment-0001.html

From thomas.raehalme at aitiofinland.com  Tue Mar 15 11:19:12 2016
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Tue, 15 Mar 2016 17:19:12 +0200
Subject: [keycloak-user] Not using keycloak in development
In-Reply-To:
References:
Message-ID:

On Mar 15, 2016 16:57, "Martijn Claus" wrote:
> I've been setting up Keycloak and liking it thus far. We are using it in an angular / Spring / REST context. For development there are cases where I don't want to run the Keycloak application (war) but only my own application. I assume this is a valid usecase.
> But if I turn Keycloak off, the angular frontend will redirect me to an offline url and the application fails. I will not have a token and the backend will rightfully throw back some AccessDeniedExceptions. Is there a way to use some kind of (magic/permanent/development) token that will be accepted by the backend so that the Keycloak application never has to be contacted? Or is there some other feature so that my backend spring keycloak adapter will accept anything and work with a default user?
>

I'm not sure what you suspect is possible, but here's what we do:

In development mode we use a Keycloak configuration which connects to a shared Keycloak instance where we have configured a specific realm and client allowing the use of localhost as redirect URL. This works for every developer and we don't need to "turn off" authentication.

The downside is that you need to be online. If this is a problem you could always use Vagrant or Docker to run Keycloak on localhost. But I guess you were trying to avoid this.

In production we naturally use another Keycloak configuration which we can enable through Spring profiles or Tomcat context.xml or whatever method best fits the situation.

Hope this helps!

Best regards,
Thomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160315/77da6ec6/attachment.html

From m.claus at smile.nl  Tue Mar 15 11:33:22 2016
From: m.claus at smile.nl (Martijn Claus)
Date: Tue, 15 Mar 2016 15:33:22 +0000
Subject: [keycloak-user] Not using keycloak in development
In-Reply-To:
References:
Message-ID:

Hi Thomas (and others),

Thanks for your time. What you are describing is my plan B (a shared Keycloak instance running to which all developers can connect), but as you expected I prefer not to have to be online nor to run an extra application (Keycloak) every time. 99% of the time a default user will suffice and will make the development process a lot more lightweight. Other suggestions are very welcome.

Kind regards,

Martijn

From: Thomas Raehalme [mailto:thomas.raehalme at aitiofinland.com]
Sent: Tuesday, 15 March 2016 16:19
To: Martijn Claus
Cc: keycloak-user
Subject: Re: [keycloak-user] Not using keycloak in development

On Mar 15, 2016 16:57, "Martijn Claus" wrote:
> I've been setting up Keycloak and liking it thus far. We are using it in an angular / Spring / REST context. For development there are cases where I don't want to run the Keycloak application (war) but only my own application. I assume this is a valid usecase. But if I turn Keycloak off, the angular frontend will redirect me to an offline url and the application fails. I will not have a token and the backend will rightfully throw back some AccessDeniedExceptions. Is there a way to use some kind of (magic/permanent/development) token that will be accepted by the backend so that the Keycloak application never has to be contacted? Or is there some other feature so that my backend spring keycloak adapter will accept anything and work with a default user?
>

I'm not sure what you suspect is possible, but here's what we do:

In development mode we use a Keycloak configuration which connects to a shared Keycloak instance where we have configured a specific realm and client allowing the use of localhost as redirect URL. This works for every developer and we don't need to "turn off" authentication.

The downside is that you need to be online. If this is a problem you could always use Vagrant or Docker to run Keycloak on localhost. But I guess you were trying to avoid this.

In production we naturally use another Keycloak configuration which we can enable through Spring profiles or Tomcat context.xml or whatever method best fits the situation.

Hope this helps!

Best regards,
Thomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160315/cfcff798/attachment.html

From thomas.darimont at googlemail.com  Tue Mar 15 12:10:02 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 15 Mar 2016 17:10:02 +0100
Subject: [keycloak-user] Not using keycloak in development
In-Reply-To:
References:
Message-ID:

Hello,

another option you can try is to run the embedded KeycloakServer within an IDE or via Maven - for this to work you need a checked out version of Keycloak, which you need anyway for any serious Keycloak integration work...

For the former, just run the `org.keycloak.testsuite.KeycloakServer` main class; for the latter you can run `mvn exec:java -Pkeycloak-server` from within the `keycloak/testsuite/integration` folder.

`org.keycloak.testsuite.KeycloakServer` provides a few options for configuring the embedded keycloak.

Cheers,
Thomas

2016-03-15 16:33 GMT+01:00 Martijn Claus:

> Hi Thomas (and others),
>
>
>
> Thanks for your time. What you are describing is my plan B (a shared
> Keycloak instance running to which all developers can connect), but as you
> expected I prefer not to have to be online nor to run an extra application
> (Keycloak) every time. 99% of the time a default user will suffice and will
> make the development process a lot more lightweight. Other suggestions are
> very welcome.
>
>
>
> Kind regards,
>
> Martijn
>
> From: Thomas Raehalme [mailto:thomas.raehalme at aitiofinland.com]
> Sent: Tuesday, 15 March 2016 16:19
> To: Martijn Claus
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Not using keycloak in development
>
>
>
>
> On Mar 15, 2016 16:57, "Martijn Claus" wrote:
>
> I've been setting up Keycloak and liking it thus far. We are using it in
> an angular / Spring / REST context. For development there are cases where I
> don't want to run the Keycloak application (war) but only my own
> application. I assume this is a valid usecase.
> But if I turn Keycloak
> off, the angular frontend will redirect me to an offline url and the
> application fails. I will not have a token and the backend will rightfully
> throw back some AccessDeniedExceptions. Is there a way to use some kind of
> (magic/permanent/development) token that will be accepted by the backend
> so that the Keycloak application never has to be contacted? Or is there
> some other feature so that my backend spring keycloak adapter will accept
> anything and work with a default user?
>
>
>
> I'm not sure what you suspect is possible, but here's what we do:
>
> In development mode we use a Keycloak configuration which connects to a
> shared Keycloak instance where we have configured a specific realm and
> client allowing the use of localhost as redirect URL. This works for every
> developer and we don't need to "turn off" authentication.
>
> The downside is that you need to be online. If this is a problem you could
> always use Vagrant or Docker to run Keycloak on localhost. But I guess you
> were trying to avoid this.
>
> In production we naturally use another Keycloak configuration which we can
> enable through Spring profiles or Tomcat context.xml or whatever method
> best fits the situation.
>
> Hope this helps!
>
> Best regards,
> Thomas
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160315/f483bc20/attachment-0001.html

From parsectix at gmail.com  Tue Mar 15 12:18:13 2016
From: parsectix at gmail.com (Pavlos Kleanthous)
Date: Tue, 15 Mar 2016 16:18:13 +0000
Subject: [keycloak-user] keycloak configuration
Message-ID:

Hello,

I'm trying to configure keycloak for the first time. My setup has 2 containers, keycloak and jenkins.
Following the example of how to integrate those two, I created a realm and a client called "jenkins".

It seems that the realm configuration is not correct, as I get the following debug error.

"15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"

I noticed that "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" does not work generally. The URL ending with "/auth/realms/ci/account" works.

If I access the URL http://192.168.99.100:32786/auth/realms/ci I get:

{"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}

Can you help me find the problem?

p.s. Is there any other way to find help on these matters? Tried IRC but nobody is replying there...

Thank you
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160315/3b500268/attachment.html

From mstrukel at redhat.com  Tue Mar 15 12:21:54 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 15 Mar 2016 17:21:54 +0100
Subject: [keycloak-user] keycloak configuration
In-Reply-To:
References:
Message-ID:

Looks like you mistyped your client id: 'jenknis'.

On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" wrote:

> Hello,
>
>
> I'm trying to configure keycloak for the first time. My setup has 2 containers,
> keycloak and jenkins.
> Following the example of how to integrate those two, I created a realm and a
> client called "jenkins".
>
> It seems that the realm configuration is not correct, as I get the
> following debug error.
> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
> task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException:
> RESTEASY003210: Could not find resource for full path:
> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261
> "
>
> I noticed that "
> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" does
> not work generally. The URL ending with "/auth/realms/ci/account" works.
>
> If I access the URL http://192.168.99.100:32786/auth/realms/ci I get:
>
> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>
> Can you help me find the problem?
>
> p.s. Is there any other way to find help on these matters? Tried IRC but
> nobody is replying there...
>
> Thank you
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160315/1ad18e07/attachment.html

From parsectix at gmail.com  Tue Mar 15 12:26:57 2016
From: parsectix at gmail.com (Pavlos Kleanthous)
Date: Tue, 15 Mar 2016 16:26:57 +0000
Subject: [keycloak-user] keycloak configuration
In-Reply-To:
References:
Message-ID:

Thanks for pointing this out. I think it does not matter, as the same name can be found in the "Installation" tab where I copied the configuration.

On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj wrote:

> Looks like you mistyped your client id: 'jenknis'.
> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" wrote:
>
>> Hello,
>>
>>
>> I'm trying to configure keycloak for the first time. My setup has 2
>> containers, keycloak and jenkins.
>> Following the example of how to integrate those two, I created a realm and a
>> client called "jenkins".
>>
>> It seems that the realm configuration is not correct, as I get the
>> following debug error.
>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
>> task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException:
>> RESTEASY003210: Could not find resource for full path:
>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261
>> "
>>
>> I noticed that "
>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" does
>> not work generally. The URL ending with "/auth/realms/ci/account" works.
>>
>> If I access the URL http://192.168.99.100:32786/auth/realms/ci I get:
>>
>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>>
>> Can you help me find the problem?
>>
>> p.s. Is there any other way to find help on these matters? Tried IRC but
>> nobody is replying there...
>>
>> Thank you
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
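An added example, in Python and not code from the Keycloak project or from anyone on this list, that ties this thread to the direct access grant thread earlier in the archive: both questions come down to the request a client sends to the realm's OpenID Connect endpoints. It derives the authorization and token endpoints from the realm descriptor returned by GET /auth/realms/ci above (a constructed copy with the public key replaced by a placeholder), builds the authorization-code redirect with a state value and verifies that state on the callback, and builds a direct access grant for a confidential client carrying the client_id that the earlier reply said was missing. Client ids, secrets, user names and the callback URL are made up; check_direct_grant_form is a simplified model of the parameters the token endpoint needs, not Keycloak's own validation.

```python
"""Keycloak OpenID Connect client requests derived from the realm descriptor.

Added example; not Keycloak code. Models the browser authorization-code
redirect (Jenkins thread) and the direct access grant token POST
(direct access grant thread) against the endpoints seen in this archive.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed copy of the GET /auth/realms/ci response quoted above.
# The public key is a placeholder, not a real key.
REALM_DESCRIPTOR = json.dumps({
    "realm": "ci",
    "public_key": "PLACEHOLDER_PUBLIC_KEY",
    "token-service": "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect",
    "account-service": "http://192.168.99.100:32786/auth/realms/ci/account",
    "admin-api": "http://192.168.99.100:32786/auth/admin",
    "tokens-not-before": 0,
})


class KeycloakRealm:
    """Endpoints derived from the realm descriptor JSON."""

    def __init__(self, descriptor_json):
        d = json.loads(descriptor_json)
        self.realm = d["realm"]
        base = d["token-service"].rstrip("/")
        # /auth and /token hang off the openid-connect base (both paths
        # appear in the archive); the failing request above used /login,
        # which is not an endpoint Keycloak serves.
        self.authorization_endpoint = base + "/auth"
        self.token_endpoint = base + "/token"

    def authorization_url(self, client_id, redirect_uri, state=None):
        """Authorization-code request. Returns (url, state).

        The caller stores state (e.g. in the session) to check on callback.
        """
        state = state or secrets.token_urlsafe(16)
        params = {
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "state": state,
        }
        return self.authorization_endpoint + "?" + urlencode(params), state

    def direct_grant_request(self, client_id, client_secret, username, password):
        """Resource Owner Password Credentials request for a confidential client.

        Returns (url, headers, body). The client authenticates with its own
        id and secret in the Basic header; the user's credentials travel in
        the form. Keycloak also accepts client_id/client_secret as form
        fields; this example sends client_id in both places.
        """
        client_auth = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers = {
            "Authorization": "Basic " + client_auth,
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        }
        body = urlencode({
            "grant_type": "password",
            "client_id": client_id,
            "username": username,
            "password": password,
        })
        return self.token_endpoint, headers, body


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to the client.

    A callback whose state differs from the stored one is rejected; that
    comparison is the client's CSRF protection for the code exchange.
    """
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible forged callback")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]


def check_direct_grant_form(body):
    """Simplified model (not Keycloak's code) of what a direct grant needs.

    Returns the list of missing parameters; empty means the form is complete.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    missing = [p for p in ("grant_type", "username", "password") if p not in form]
    if form.get("grant_type") != "password":
        missing.append("grant_type=password")
    if "client_id" not in form:
        missing.append("client_id")
    return missing
```

Run against the form quoted in the direct access grant thread (`grant_type=password&username=a&password=a`), `check_direct_grant_form` reports only `client_id` as missing, which is the point the reply on that thread made.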
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160315/936cc7ec/attachment.html From ali at affordabletours.com Tue Mar 15 12:58:04 2016 From: ali at affordabletours.com (Firdos Ali) Date: Tue, 15 Mar 2016 11:58:04 -0500 Subject: [keycloak-user] EJB Invalid User + Log Out not working In-Reply-To: References: <013001d17b01$c290ac60$47b20520$@affordabletours.com> Message-ID: <00af01d17edb$d7bb50d0$8731f270$@affordabletours.com> Thank you for the prompt response. I moved to keycloak 1.9.1 both on the server and updated the adapter, however it is still not working. Let me clarify on a few other things and hopefully that will provide some additional context We put our project in an ear file which contains one jar file inclusive of the stateless ejbs, one war file, and a few other supporting jar files. The war file has the keycloak.json with the following: { "realm": "affordabletours", "realm-public-key": "some key", "auth-server-url": "http://10.0.0.1:8080/auth", "ssl-required": "external", "resource": "keycloaktest", "credentials": { "secret": "some secret" } } Are you suggesting that I change the resource ?keycloaktest? access type from ?confidential? to ?bearer-only?? If so, I tried that and unfortunately that did not work. I guess my confusion is how would the jar file with the ejbs is aware of the security context when it is only at the war level? Thanks From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Friday, March 11, 2016 12:29 AM To: Firdos Ali Cc: keycloak-user Subject: Re: [keycloak-user] EJB Invalid User + Log Out not working On 10 March 2016 at 20:19, Firdos Ali > wrote: Hello, I am having a few problems with Keycloak. 
Let me first start with the environment information: Keycloak version: 1.9.0 Keycloak wildfly version: 10.0.0 Application wildfly version: 8.0.0 Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid User I have followed the documentation by adding the keycloak adapter to the application wildfly 8.0 and by server.xml has the following: ?. ?. ? MyEJB: @Stateless @Local(MyInt.class) @SecurityDomain("keycloak") public class MyBean implements MyInt ... @PermitAll @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW) public boolean myMethod(...) throws Exception { } At the moment I am not using jboss-ej3.xml as I reference the security domain in my EJB class. I added it and it did not help out Stacktrace: ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(?) throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at 
org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448) at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185) at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) Is there something I am missing from the documentation? Any thoughts how to resolve this issue? Is there a bearer token sent with the request that invokes the EJB? If so try with 1.9.1. Could be https://issues.jboss.org/browse/KEYCLOAK-2518 fixes this. Problem 2: Unable to log out a user from keycloak administration console: After I click ?Logout? 
on the administration console in Keycloak, I see the following error on the keycloak server: ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder; at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) Are you using the standalone Keycloak server? Looking at javadocs for httpclient setConnectionTimeToLive was added in 4.4. WildFly 10 uses httpclient 4.5, so looks like for some reason you have an old version of httpclient. Best regards, _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160315/b4f93a58/attachment-0001.html From Chris.Raiskin at standard.com Tue Mar 15 14:20:39 2016 From: Chris.Raiskin at standard.com (Chris Raiskin) Date: Tue, 15 Mar 2016 18:20:39 +0000 Subject: [keycloak-user] Invalid parameter: redirect_uri In-Reply-To: References: Message-ID: Yes, I did modify the client redirect uri - ?customer-portal? client has the following URI configuration: Root: http://wildfly.blah.com:8080/customer-portal/ Valid Redirect URIs: http://wildfly.blah.com:8080/customer-portal/* Admin URL: http://wildfly.blah.com:8080/customer-portal/ Web Orgins: http://wildfly.blah.com:8080 It looks like the error is triggered by ?customer listing? 
link trying to execute customer-portal/view.jsp. The keycloak log shows the following entry, where redirect_uri will be localhost if I use http://localhost:8080/customer-portal/ or wildfly.blah.com if I use http://wildfly.blah.com:8080/customer-portal/

10:07:06,173 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=demo, clientId=customer-portal, userId=null, ipAddress=192.168.1.3, error=invalid_redirect_uri, response_type=code, redirect_uri=http://wildfly.blah.com:8080/customer-portal/customers/view.jsp, response_mode=query

I modified the relevant portion of view.jsp but it doesn't change the outcome..

<%
    String logoutUri = KeycloakUriBuilder.fromUri("http://wildfly.blah.com:8080/auth").path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
            .queryParam("redirect_uri", "http://wildfly.blah.com:8080/customer-portal").build("demo").toString();
    String acctUri = KeycloakUriBuilder.fromUri("http://wildfly.blah.com:8080/auth").path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH)
            .queryParam("referrer", "customer-portal").build("demo").toString();
    IDToken idToken = CustomerDatabaseClient.getIDToken(request);
%>

Any other leads, please?

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Sunday, March 13, 2016 11:44 PM
To: Chris Raiskin
Cc: keycloak-user
Subject: Re: [keycloak-user] Invalid parameter: redirect_uri

Did you change the redirect uri for the client? The default configuration of the demo assumes it'll be deployed on the same hostname as the Keycloak server. You can change this in the Keycloak admin console after importing the realm config from the demo. Simplest is to add a root url for the client.

On 11 Mar 2016 19:32, "Chris Raiskin" wrote:

Hello

I'm following The Basic Part 2 tutorial with keycloak 1.9.0 with the purpose of demo'ing keycloak to the team. The only difference in my set up is that I have the keycloak server on a separate host from the wildfly server running the demo apps.

When I hit the "Customer Listing" link, I get WE'RE SORRY...
Invalid parameter: redirect_uri displayed by the keycloak server.

http://keycloak.blah.com:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=1%2Fe1f42109-1372-4808-98aa-6cd5bbb0b9ac&login=true

I can see that the redirect_uri is referencing "localhost" both from the URL above and the keycloak log entry:

11:21:52,483 WARN [org.keycloak.events] (default task-75) type=LOGIN_ERROR, realmId=demo, clientId=customer-portal, userId=null, ipAddress=192.168.1.3, error=invalid_redirect_uri, response_type=code, redirect_uri=http://localhost:8080/customer-portal/customers/view.jsp, response_mode=query

but I'm not sure where "localhost" is coming from b/c the "valid redirect uri" for this Client/Application is configured like this:

* Valid Redirect URIs http://wildfly.blah.com:8080/customer-portal/*

Any help would be appreciated.

Thanks

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From Chris.Raiskin at standard.com Tue Mar 15 15:48:46 2016
From: Chris.Raiskin at standard.com (Chris Raiskin)
Date: Tue, 15 Mar 2016 19:48:46 +0000
Subject: [keycloak-user] Invalid parameter: redirect_uri
References: 
Message-ID: 

It looks like, if I run the demo using "localhost" in the URL, i.e. http://localhost:8080/customer-portal, then I get "error=invalid_redirect_uri". However, if I run the demo using http://wildfly.blah.com:8080/customer-portal then keycloak responds with the login challenge as expected.

On the keycloak side, this client is configured with the following "Valid Redirect URI"
Valid Redirect URI http://wildfly.blah.com:8080/customer-portal/*

According to the tooltip, the Request's host:port will be used if a relative Redirect URI is configured. The above redirect URI is an absolute path, so this URL should be used regardless of whether I use "localhost" or the hostname in the request. Why error=invalid_redirect_uri?

From: Chris Raiskin
Sent: Tuesday, March 15, 2016 11:21 AM
To: 'stian at redhat.com'
Cc: keycloak-user
Subject: RE: [keycloak-user] Invalid parameter: redirect_uri

Yes, I did modify the client redirect uri - the "customer-portal" client has the following URI configuration:

Root: http://wildfly.blah.com:8080/customer-portal/
Valid Redirect URIs: http://wildfly.blah.com:8080/customer-portal/*
Admin URL: http://wildfly.blah.com:8080/customer-portal/
Web Origins: http://wildfly.blah.com:8080

It looks like the error is triggered by the "customer listing" link trying to execute customer-portal/view.jsp. The keycloak log shows the following entry, where redirect_uri will be localhost if I use http://localhost:8080/customer-portal/ or wildfly.blah.com if I use http://wildfly.blah.com:8080/customer-portal/

10:07:06,173 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=demo, clientId=customer-portal, userId=null, ipAddress=192.168.1.3, error=invalid_redirect_uri, response_type=code, redirect_uri=http://wildfly.blah.com:8080/customer-portal/customers/view.jsp, response_mode=query

I modified the relevant portion of view.jsp but it doesn't change the outcome..
<%
    String logoutUri = KeycloakUriBuilder.fromUri("http://wildfly.blah.com:8080/auth").path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
            .queryParam("redirect_uri", "http://wildfly.blah.com:8080/customer-portal").build("demo").toString();
    String acctUri = KeycloakUriBuilder.fromUri("http://wildfly.blah.com:8080/auth").path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH)
            .queryParam("referrer", "customer-portal").build("demo").toString();
    IDToken idToken = CustomerDatabaseClient.getIDToken(request);
%>

Any other leads, please?

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Sunday, March 13, 2016 11:44 PM
To: Chris Raiskin
Cc: keycloak-user
Subject: Re: [keycloak-user] Invalid parameter: redirect_uri

Did you change the redirect uri for the client? The default configuration of the demo assumes it'll be deployed on the same hostname as the Keycloak server. You can change this in the Keycloak admin console after importing the realm config from the demo. Simplest is to add a root url for the client.

On 11 Mar 2016 19:32, "Chris Raiskin" wrote:

Hello

I'm following The Basic Part 2 tutorial with keycloak 1.9.0 with the purpose of demo'ing keycloak to the team. The only difference in my set up is that I have the keycloak server on a separate host from the wildfly server running the demo apps.

When I hit the "Customer Listing" link, I get WE'RE SORRY... Invalid parameter: redirect_uri displayed by the keycloak server.

http://keycloak.blah.com:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=1%2Fe1f42109-1372-4808-98aa-6cd5bbb0b9ac&login=true

I can see that the redirect_uri is referencing "localhost"
both from the URL above and the keycloak log entry:

11:21:52,483 WARN [org.keycloak.events] (default task-75) type=LOGIN_ERROR, realmId=demo, clientId=customer-portal, userId=null, ipAddress=192.168.1.3, error=invalid_redirect_uri, response_type=code, redirect_uri=http://localhost:8080/customer-portal/customers/view.jsp, response_mode=query

but I'm not sure where "localhost" is coming from b/c the "valid redirect uri" for this Client/Application is configured like this:

* Valid Redirect URIs http://wildfly.blah.com:8080/customer-portal/*

Any help would be appreciated.

Thanks

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Mar 16 01:30:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 16 Mar 2016 06:30:06 +0100
Subject: [keycloak-user] GMail throws suspicious error when sending email.
In-Reply-To: 
References: 
Message-ID: 

Please try again with the latest release (1.9.1) and see if the problem still exists.

On 14 Mar 2016 12:04, "Revanth Ayalasomayajula" wrote:

> Hi,
>
> I am using keycloak1.5.0 for my product and when I am sending email for
> execute actions, gmail throws me the following warning in the image
> attached below. However, when I do forget password from my login screen the
> email sent does not contain this warning. Can you help me debug as to why
> this is happening? Execute actions is an important part of my product and
> any help reg this would be highly appreciated.
>
>
>
> Thanks.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2016-03-14 16:24:47.png
Type: image/png
Size: 9053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160316/acc9bdb2/attachment.png

From revanth at arvindinternet.com Wed Mar 16 02:49:17 2016
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Wed, 16 Mar 2016 12:19:17 +0530
Subject: [keycloak-user] Change expiration time of Forget Password Link.
Message-ID: 

Hi,

I am using keycloak1.5.0 and I want to change the expiration time of the link present in the Forget Password email. Any idea how I can accomplish this?

Thanks.

From daniele.capasso at dnshosting.it Wed Mar 16 04:33:23 2016
From: daniele.capasso at dnshosting.it (daniele.capasso at dnshosting.it)
Date: Wed, 16 Mar 2016 09:33:23 +0100
Subject: [keycloak-user] manage user session
Message-ID: <2c6934077a624386dfb6e3ceb6a40697@dnshosting.it>

Hello,
can I manage a user's session with a jar like keycloak-admin-client?

thanx

From thomas.darimont at googlemail.com Wed Mar 16 04:35:00 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 16 Mar 2016 09:35:00 +0100
Subject: [keycloak-user] manage user session
In-Reply-To: <2c6934077a624386dfb6e3ceb6a40697@dnshosting.it>
References: <2c6934077a624386dfb6e3ceb6a40697@dnshosting.it>
Message-ID: 

Hello Daniele,

what do you want to do in particular?
Cheers,
Thomas

2016-03-16 9:33 GMT+01:00 :

> Hello,
> can I manage a user's session with a jar like keycloak-admin-client?
>
> thanx
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From daniele.capasso at dnshosting.it Wed Mar 16 04:49:08 2016
From: daniele.capasso at dnshosting.it (daniele.capasso at dnshosting.it)
Date: Wed, 16 Mar 2016 09:49:08 +0100
Subject: [keycloak-user] manage user session
In-Reply-To: 
References: <2c6934077a624386dfb6e3ceb6a40697@dnshosting.it>
Message-ID: <790acc4dfdcbd281cd9f2e3f6b215e84@dnshosting.it>

I want to kill a user session by user id. I could use a REST service (Remove a specific user session: DELETE /admin/realms/{realm}/sessions/{session}) but I prefer to use a Keycloak SDK client.

On 2016-03-16 09:35 Thomas Darimont wrote:
> Hello Daniele,
>
> what do you want to do in particular?
>
> Cheers,
> Thomas
>
> 2016-03-16 9:33 GMT+01:00 :
>
>> Hello,
>> can I manage a user's session with a jar like keycloak-admin-client?
>>
>> thanx
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user [1]
>
>
>
> Links:
> ------
> [1] https://lists.jboss.org/mailman/listinfo/keycloak-user

From parsectix at gmail.com Wed Mar 16 06:32:13 2016
From: parsectix at gmail.com (Pavlos Kleanthous)
Date: Wed, 16 Mar 2016 10:32:13 +0000
Subject: [keycloak-user] keycloak configuration
In-Reply-To: 
References: 
Message-ID: 

Hi guys, adding to this. Please see the HTTP requests and responses.

1. Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
2. Request Method: GET
3. Status Code: 302 Found
4.
Remote Address: 192.168.99.100:32769
   1. Response Headers
      1. Content-Length: 0
      2. Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
      3. Server: Jetty(winstone-2.9)
      4. X-Content-Type-Options: nosniff

1. Request URL: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
2. Request Method: GET
3. Status Code: *404 Not Found*
4. Remote Address: 192.168.99.100:32786
   1. Response Headers
      1. Connection: keep-alive
      2. Content-Length: 0
      3. Date: Wed, 16 Mar 2016 10:30:40 GMT
      4. Server: WildFly/10
      5. X-Powered-By: Undertow/1
   2. Request Headers
      1. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      2. Accept-Encoding: gzip, deflate, sdch
      3. Accept-Language: en-US,en;q=0.8,el;q=0.6
      4. Connection: keep-alive
      5.
Cookie: [cookie values omitted]
      6. DNT: 1
      7. Host: 192.168.99.100:32786
      8. Referer: http://192.168.99.100:32769/
      9. Save-Data: on
      10. Upgrade-Insecure-Requests: 1

On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous wrote:

> Thanks for pointing this out.
I think it does not matter as the same name
> can be found in the "Installation" tab where
> I copied the configuration.
>
> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj wrote:
>
>> Looks like you mistyped your client id: 'jenknis'.
>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" wrote:
>>
>>> Hello,
>>>
>>> I'm trying to configure keycloak for the first time. My setup has 2
>>> containers, keycloak and jenkins.
>>> Following the example of how to integrate those two, I created a realm and
>>> a client called "jenkins".
>>>
>>> It seems that the realm configuration is not correct, as I get the
>>> following debug error.
>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"
>>>
>>> I noticed that "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect"
>>> does not work generally. The URL ending with "/auth/realms/ci/account"
>>> works.
>>>
>>> if I access the URL: http://192.168.99.100:32786/auth/realms/ci
>>>
>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>>>
>>> Can you help me find the problem?
>>>
>>> p.s. is there any other way to find help on those matters? Tried IRC but
>>> nobody is replying there...
>>>
>>> Thank you
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>

From mstrukel at redhat.com Wed Mar 16 06:56:47 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 16 Mar 2016 11:56:47 +0100
Subject: [keycloak-user] keycloak configuration
In-Reply-To: 
References: 
Message-ID: 

Are you able to login into the admin console at: http://192.168.99.100:32786/auth

And you see the realm called 'jenkins' there?

On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" wrote:

> Hi guys, adding to this. Please see the HTTP requests and responses.
>
> 1. Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
> 2. Request Method: GET
> 3. Status Code: 302 Found
> 4. Remote Address: 192.168.99.100:32769
>    1. Response Headers
>       1.
Content-Length: 0
>       2. Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>       3. Server: Jetty(winstone-2.9)
>       4. X-Content-Type-Options: nosniff
>
> 1. Request URL: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
> 2. Request Method: GET
> 3. Status Code: *404 Not Found*
> 4. Remote Address: 192.168.99.100:32786
>    1. Response Headers
>       1. Connection: keep-alive
>       2. Content-Length: 0
>       3. Date: Wed, 16 Mar 2016 10:30:40 GMT
>       4. Server: WildFly/10
>       5. X-Powered-By: Undertow/1
>    2. Request Headers
>       1. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>       2. Accept-Encoding: gzip, deflate, sdch
>       3. Accept-Language: en-US,en;q=0.8,el;q=0.6
>       4. Connection: keep-alive
>       5.
Cookie: [cookie values omitted]
>       6. DNT: 1
>       7. Host: 192.168.99.100:32786
>       8. Referer: http://192.168.99.100:32769/
>       9. Save-Data: on
>       10. Upgrade-Insecure-Requests: 1
>
> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous wrote:
>
>> Thanks for pointing this out.
I think it does not matter as the same name
>> can be found in the "Installation" tab where
>> I copied the configuration.
>>
>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj wrote:
>>
>>> Looks like you mistyped your client id: 'jenknis'.
>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm trying to configure keycloak for the first time. My setup has 2
>>>> containers, keycloak and jenkins.
>>>> Following the example of how to integrate those two, I created a realm and
>>>> a client called "jenkins".
>>>>
>>>> It seems that the realm configuration is not correct, as I get the
>>>> following debug error.
>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"
>>>>
>>>> I noticed that "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect"
>>>> does not work generally. The URL ending with "/auth/realms/ci/account"
>>>> works.
>>>>
>>>> if I access the URL: http://192.168.99.100:32786/auth/realms/ci
>>>>
>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>>>>
>>>> Can you help me find the problem?
>>>>
>>>> p.s. is there any other way to find help on those matters? Tried IRC
>>>> but nobody is replying there...
>>>>
>>>> Thank you
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
>

From parsectix at gmail.com Wed Mar 16 07:04:45 2016
From: parsectix at gmail.com (Pavlos Kleanthous)
Date: Wed, 16 Mar 2016 11:04:45 +0000
Subject: [keycloak-user] keycloak configuration
In-Reply-To: 
References: 
Message-ID: 

Yes, I can.

Please note that this is a problem of version 1.9.1.
I have now tried version 1.8.1 and it redirects me to keycloak.

p.s. I'm using the official containers from docker hub.

On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj wrote:

> Are you able to login into the admin console at:
> http://192.168.99.100:32786/auth
>
> And you see the realm called 'jenkins' there?
> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" wrote:
>
>> Hi guys, adding to this.
Please see the HTTP requests and responses.
>>
>> 1. Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
>> 2. Request Method: GET
>> 3. Status Code: 302 Found
>> 4. Remote Address: 192.168.99.100:32769
>>    1. Response Headers
>>       1. Content-Length: 0
>>       2. Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>       3. Server: Jetty(winstone-2.9)
>>       4. X-Content-Type-Options: nosniff
>>
>> 1. Request URL: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>> 2. Request Method: GET
>> 3. Status Code: *404 Not Found*
>> 4. Remote Address: 192.168.99.100:32786
>>    1. Response Headers
>>       1. Connection: keep-alive
>>       2. Content-Length: 0
>>       3. Date: Wed, 16 Mar 2016 10:30:40 GMT
>>       4. Server: WildFly/10
>>       5. X-Powered-By: Undertow/1
>>    2. Request Headers
>>       1. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>       2. Accept-Encoding: gzip, deflate, sdch
>>       3. Accept-Language: en-US,en;q=0.8,el;q=0.6
>>       4. Connection: keep-alive
>>       5.
Cookie: [cookie values omitted]
>>       6. DNT: 1
>>       7. Host: 192.168.99.100:32786
>>       8. Referer: http://192.168.99.100:32769/
>>       9. Save-Data: on
>>       10. Upgrade-Insecure-Requests: 1
>>
>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous wrote:
>>
>>> Thanks for pointing this out. I think it does not matter as the same
>>> name can be found in the "Installation" tab where
>>> I copied the configuration.
>>>
>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj wrote:
>>>
>>>> Looks like you mistyped your client id: 'jenknis'.
>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I'm trying to configure keycloak for the first time. My setup has 2
>>>>> containers, keycloak and jenkins.
>>>>> Following the example of how to integrate those two, I created a realm
>>>>> and a client called "jenkins".
>>>>>
>>>>> It seems that the realm configuration is not correct, as I get the
>>>>> following debug error.
>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"
>>>>>
>>>>> I noticed that "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect"
>>>>> does not work generally. The URL ending with "/auth/realms/ci/account"
>>>>> works.
>>>>>
>>>>> if I access the URL: http://192.168.99.100:32786/auth/realms/ci
>>>>>
>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>>>>>
>>>>> Can you help me find the problem?
>>>>>
>>>>> p.s. is there any other way to find help on those matters? Tried IRC
>>>>> but nobody is replying there...
>>>>>
>>>>> Thank you
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>
>>
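Both the redirect_uri thread earlier on this page (the LOGIN_ERROR with error=invalid_redirect_uri against the customer-portal client) and this keycloak configuration thread (a redirect to /auth/realms/jenkins/... with client_id=ci, while the realm descriptor fetched says realm "ci") come down to comparing what the redirect URL asks the server for with what the realm and client are configured with. As an added example, not code from the list or from Keycloak, the Python checker below does that comparison offline: the customer-portal configuration, the realm descriptor fields and the URLs are the ones quoted in the two threads; the jenkins client's redirect URI pattern and the resolution of relative patterns against the client Root URL are assumptions.

```python
"""Check a Keycloak OpenID Connect authorization request against the realm and
client configuration it is supposed to match. Added example: not code from the
mailing list or from Keycloak; the client/realm data below is copied from the
two threads or, where marked, assumed."""
from urllib.parse import parse_qs, urlsplit


def parse_auth_request(url):
    """Split .../auth/realms/{realm}/protocol/openid-connect/{endpoint}?q into
    its parts; percent-encoded query values such as redirect_uri are decoded."""
    parts = urlsplit(url)
    segs = parts.path.split("/")
    realm = endpoint = None
    if "realms" in segs:
        i = segs.index("realms")
        if len(segs) > i + 4 and segs[i + 2:i + 4] == ["protocol", "openid-connect"]:
            realm, endpoint = segs[i + 1], segs[i + 4]
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"base": f"{parts.scheme}://{parts.netloc}", "realm": realm,
            "endpoint": endpoint, "params": params}


def redirect_uri_allowed(redirect_uri, patterns, root_url=None):
    """'Valid Redirect URIs' semantics: exact match, or a prefix match when the
    pattern ends in '*'. A relative pattern ('/app/*') is resolved against the
    client's Root URL (assumption), never against the Host of the incoming
    request, so a request arriving via another hostname cannot widen the set."""
    for pattern in patterns:
        if pattern.startswith("/") and root_url:
            pattern = root_url.rstrip("/") + pattern
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def check_login_request(url, client, realm_descriptor=None):
    """Return the problems the server would log for this request (an empty list
    means it would be accepted and the login page shown). The authorization
    code is delivered to redirect_uri, which is why only configured URIs may
    receive it; 'invalid_redirect_uri' in the events log is this check failing."""
    req = parse_auth_request(url)
    problems = []
    if realm_descriptor is not None:
        # GET /auth/realms/{realm} returns the realm's endpoint base as
        # "token-service"; a login URL for another realm will not start with it.
        base = realm_descriptor["token-service"].rstrip("/") + "/"
        if not url.startswith(base):
            problems.append(f"realm mismatch: request is for realm {req['realm']!r}, "
                            f"descriptor is for realm {realm_descriptor['realm']!r}")
    client_id = req["params"].get("client_id")
    if client_id != client["clientId"]:
        problems.append(f"unknown client: client_id {client_id!r} is not {client['clientId']!r}")
    redirect_uri = req["params"].get("redirect_uri")
    if redirect_uri is None:
        problems.append("redirect_uri missing")
    elif not redirect_uri_allowed(redirect_uri, client["redirectUris"], client.get("rootUrl")):
        problems.append(f"invalid_redirect_uri: {redirect_uri} matches none of "
                        f"{client['redirectUris']}")
    return problems


# customer-portal client exactly as configured in the redirect_uri thread.
CUSTOMER_PORTAL = {
    "clientId": "customer-portal",
    "rootUrl": "http://wildfly.blah.com:8080/customer-portal/",
    "redirectUris": ["http://wildfly.blah.com:8080/customer-portal/*"],
}
# The failing request from that thread (redirect_uri points at localhost).
LOCALHOST_REQUEST = (
    "http://keycloak.blah.com:8080/auth/realms/demo/protocol/openid-connect/auth"
    "?response_type=code&client_id=customer-portal"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp"
    "&state=1%2Fe1f42109-1372-4808-98aa-6cd5bbb0b9ac&login=true"
)
WILDFLY_REQUEST = LOCALHOST_REQUEST.replace("localhost%3A8080", "wildfly.blah.com%3A8080")

# Realm descriptor from the keycloak configuration thread, trimmed to the two
# fields used here (public_key and the other service URLs are left out).
CI_REALM = {
    "realm": "ci",
    "token-service": "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect",
}
# Assumed: a 'jenkins' client whose Valid Redirect URIs cover the Jenkins host.
JENKINS_CLIENT = {"clientId": "jenkins", "redirectUris": ["http://192.168.99.100:32769/*"]}
# The Location the Jenkins plugin redirected to in that thread (realm and
# client_id appear swapped relative to the 'ci' realm descriptor).
JENKINS_REQUEST = (
    "http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login"
    "?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin"
    "&state=cb0b57c5-c160-4861-ab36-ed1835e4b184"
)

if __name__ == "__main__":
    for name, url, client, realm in [
        ("localhost redirect", LOCALHOST_REQUEST, CUSTOMER_PORTAL, None),
        ("wildfly redirect", WILDFLY_REQUEST, CUSTOMER_PORTAL, None),
        ("jenkins login", JENKINS_REQUEST, JENKINS_CLIENT, CI_REALM),
    ]:
        print(name, "->", check_login_request(url, client, realm) or "accepted")
```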
From mstrukel at redhat.com Wed Mar 16 09:29:25 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 16 Mar 2016 14:29:25 +0100
Subject: [keycloak-user] keycloak configuration
In-Reply-To: 
References: 
Message-ID: 

In your jenkins realm - under Clients, do you have a client called 'ci'? That's the client_id used in your request.

AFAIK nothing changed in this part of the code since 1.8.1.

On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" wrote:

> Yes, I can.
>
> Please note that this is a problem of version 1.9.1.
> I have now tried version 1.8.1 and it redirects me to keycloak.
>
> p.s. I'm using the official containers from docker hub.
>
> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj wrote:
>
>> Are you able to login into the admin console at:
>> http://192.168.99.100:32786/auth
>>
>> And you see the realm called 'jenkins' there?
>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" wrote:
>>
>>> Hi guys, adding to this. Please see the HTTP requests and responses.
>>>
>>> 1. Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
>>> 2. Request Method: GET
>>> 3. Status Code: 302 Found
>>> 4. Remote Address: 192.168.99.100:32769
>>>    1. Response Headers
>>>       1. Content-Length: 0
>>>       2. Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>>       3. Server: Jetty(winstone-2.9)
>>>       4. X-Content-Type-Options: nosniff
>>>
>>> 1. Request URL: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>> 2. Request Method: GET
>>> 3.
Status Code: >>> *404 Not Found* >>> 4. Remote Address: >>> 192.168.99.100:32786 >>> 1. Response Headersview source >>> 1. Connection: >>> keep-alive >>> 2. Content-Length: >>> 0 >>> 3. Date: >>> Wed, 16 Mar 2016 10:30:40 GMT >>> 4. Server: >>> WildFly/10 >>> 5. X-Powered-By: >>> Undertow/1 >>> 2. Request Headersview source >>> 1. Accept: >>> >>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>> 2. Accept-Encoding: >>> gzip, deflate, sdch >>> 3. Accept-Language: >>> en-US,en;q=0.8,el;q=0.6 >>> 4. Connection: >>> keep-alive >>> 5. Cookie: >>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDenigQ9FnaP6DEyOvd8v2Yo; >>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>> 6. DNT: >>> 1 >>> 7. Host: >>> 192.168.99.100:32786 >>> 8. Referer: >>> http://192.168.99.100:32769/ >>> 9. Save-Data: >>> on >>> 10. Upgrade-Insecure-Requests: >>> 1 >>> >>> >>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous >>> wrote: >>> >>>> Thanks for pointing this out. 
I think it does not matter as the same >>>> name can be found in "Installation" tab where >>>> I copied the configuration. >>>> >>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj >>>> wrote: >>>> >>>>> Looks like you mistyped your client id: 'jenknis'. >>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" >>>>> wrote: >>>>> >>>>>> Hello, >>>>>> >>>>>> >>>>>> I'm trying to configure keycloak for first time. My setup has 2 >>>>>> containers keycloak and jenkins. >>>>>> Following the example how to integrate those two, I created a realm >>>>>> and a client called "jenkins". >>>>>> >>>>>> It seams that the realm configuration it's not correct as I get the >>>>>> following debug error. >>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default >>>>>> task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: >>>>>> RESTEASY003210: Could not find resource for full path: >>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>> " >>>>>> >>>>>> I noticed that " >>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" it >>>>>> works. 
>>>>>> >>>>>> if I access the URL: http://192.168.99.100:32786/auth/realms/ci >>>>>> >>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>> >>>>>> Can you help how to find the problem ? >>>>>> >>>>>> p.s. is there any other way to find help on those matters? Tried IRC >>>>>> but nobody is replying there... >>>>>> >>>>>> Thank you >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>> >>> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160316/834f2ca8/attachment-0001.html From kevin.thorpe at p-i.net Wed Mar 16 10:02:25 2016 From: kevin.thorpe at p-i.net (Kevin Thorpe) Date: Wed, 16 Mar 2016 14:02:25 +0000 Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often? Message-ID: A standard practice for login systems is to stop users changing their passwords too often. Keycloak does not support this as of 1.7.0. Is there a possibility of adding a timeout to stop too frequent password changes? 
*Kevin Thorpe*
VP Enterprise Platform
www.p-i.net | @PI_150
*T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344*
*150 Buckingham Palace Road, London, SW1W 9TR, UK*
*SAVE PAPER - THINK BEFORE YOU PRINT!*
____________________________________________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

From sives at paintnite.com Wed Mar 16 16:22:19 2016
From: sives at paintnite.com (Seann Ives)
Date: Wed, 16 Mar 2016 16:22:19 -0400
Subject: [keycloak-user] web and mobile behavior with logout/pw change
In-Reply-To: References: Message-ID:

Following up my own post, a similar enough question was posted a few years ago here: http://lists.jboss.org/pipermail/keycloak-user/2014-November/001145.html which resulted in the creation of the jira issue here: https://issues.jboss.org/browse/KEYCLOAK-825

What was the outcome of that jira ticket? I signed up to the jboss dev community in hopes I could check on my own but it appears I don't have perms.

Thanks!
Seann

On Mon, Mar 14, 2016 at 10:40 AM, Seann Ives wrote:
> Hello,
>
> Our web application has a standard keycloak integration. Our mobile app
> is currently using keycloak direct access grants. I've got a few questions
> about expected behavior when a user has overlapping usage of both web and
> mobile which I'm hoping someone here can kindly answer.
>
> 1. A user logs in to the mobile app and gets a JWT and a refresh token.
> The user then logs in to the web app (via KC) and then logs out of the web
> app (via KC). Should the mobile refresh token then be able to successfully
> refresh the mobile JWT access token against KC, or does the web logout
> 'invalidate' the mobile refresh token?
>
> 2. Similar scenario but the web user changes their password instead of
> logging out:
> A user logs in to the mobile app and gets a JWT and a refresh token. The
> user then logs in to the web app and then changes their password (through
> KC). Should the mobile refresh token (created with the old password) then
> be able to successfully refresh the mobile JWT access token, or does the
> web logout 'invalidate' the mobile refresh token?
>
> Would the behavior in either of those cases be different if our mobile app
> used a webview redirecting to the KC server instead of using direct access
> grants?
>
> Thanks very much!
> Seann Ives
From daniele.capasso at dnshosting.it Thu Mar 17 04:26:32 2016
From: daniele.capasso at dnshosting.it (daniele.capasso at dnshosting.it)
Date: Thu, 17 Mar 2016 09:26:32 +0100
Subject: [keycloak-user] error in keycloak-admin-client
Message-ID: <5831d33d4e3c20c6752b054526609122@dnshosting.it>

Hello,

I updated a keycloak installation from 1.7 to 1.9.1 and upgraded the pom dependency for keycloak-admin-client, but when I call org.keycloak.admin.client.token.TokenManager.grantToken(); I receive an error:

org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (Class org.keycloak.representations.AccessTokenResponse), not marked as ignorable
 at [Source: org.apache.http.conn.EofSensorInputStream@23b73091; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"])

I used in my project the resteasy-client ver. 3.0.11.Final; is it possible that this library does not match keycloak-admin-client 1.9.1-final?

From parsectix at gmail.com Thu Mar 17 04:59:00 2016
From: parsectix at gmail.com (Pavlos Kleanthous)
Date: Thu, 17 Mar 2016 08:59:00 +0000
Subject: [keycloak-user] keycloak configuration
In-Reply-To: References: Message-ID:

Hi,

In jenkins, I'm pasting the JSON configuration that can be found inside the "Installation" tab.

Instead of using keycloak client plugins, can I use a generic oauth plugin in my apps? How can I configure my keycloak for this? i.e. instead of using google's oauth URL, use my own pointing to keycloak.

On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj wrote:
> In your jenkins realm - under Clients do you have a client called 'ci'?
> That's the client_id used in your request.
>
> AFAIK nothing changed in this part of the code since 1.8.1.
> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" wrote:
>
>> yes I can.
>>
>> Please note that this is a problem of version 1.9.1.
>> I have tried now version 1.8.1 and it redirect me to keycloak. >> >> p.s. I'm using the official containers from docker hub. >> >> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj >> wrote: >> >>> Are you able to login into admin console at: >>> http://192.168.99.100:32786/auth >>> >>> And you see the realm called 'jenkins' there? >>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" >>> wrote: >>> >>>> Hi guys adding to this. Please see the HTTP requests and responses. >>>> >>>> >>>> 1. Request URL: >>>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>>> 2. Request Method: >>>> GET >>>> 3. Status Code: >>>> 302 Found >>>> 4. Remote Address: >>>> 192.168.99.100:32769 >>>> 1. Response Headersview source >>>> 1. Content-Length: >>>> 0 >>>> 2. Location: >>>> >>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>> 3. Server: >>>> Jetty(winstone-2.9) >>>> 4. X-Content-Type-Options: >>>> nosniff >>>> >>>> >>>> >>>> 1. Request URL: >>>> >>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>> 2. Request Method: >>>> GET >>>> 3. Status Code: >>>> *404 Not Found* >>>> 4. Remote Address: >>>> 192.168.99.100:32786 >>>> 1. Response Headersview source >>>> 1. Connection: >>>> keep-alive >>>> 2. Content-Length: >>>> 0 >>>> 3. Date: >>>> Wed, 16 Mar 2016 10:30:40 GMT >>>> 4. Server: >>>> WildFly/10 >>>> 5. X-Powered-By: >>>> Undertow/1 >>>> 2. Request Headersview source >>>> 1. Accept: >>>> >>>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>> 2. Accept-Encoding: >>>> gzip, deflate, sdch >>>> 3. Accept-Language: >>>> en-US,en;q=0.8,el;q=0.6 >>>> 4. Connection: >>>> keep-alive >>>> 5. 
Cookie: >>>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>>> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDenigQ9FnaP6DEyOvd8v2Yo; >>>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >>>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>>> 6. DNT: >>>> 1 >>>> 7. Host: >>>> 192.168.99.100:32786 >>>> 8. Referer: >>>> http://192.168.99.100:32769/ >>>> 9. Save-Data: >>>> on >>>> 10. Upgrade-Insecure-Requests: >>>> 1 >>>> >>>> >>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous >>> > wrote: >>>> >>>>> Thanks for pointing this out. I think it does not matter as the same >>>>> name can be found in "Installation" tab where >>>>> I copied the configuration. >>>>> >>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj >>>>> wrote: >>>>> >>>>>> Looks like you mistyped your client id: 'jenknis'. >>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" >>>>>> wrote: >>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> >>>>>>> I'm trying to configure keycloak for first time. My setup has 2 >>>>>>> containers keycloak and jenkins. 
>>>>>>> Following the example how to integrate those two, I created a realm >>>>>>> and a client called "jenkins". >>>>>>> >>>>>>> It seams that the realm configuration it's not correct as I get the >>>>>>> following debug error. >>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>> (default task-12) RESTEASY002010: Failed to execute: >>>>>>> javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for >>>>>>> full path: >>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>>> " >>>>>>> >>>>>>> I noticed that " >>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" it >>>>>>> works. >>>>>>> >>>>>>> if I access the URL: http://192.168.99.100:32786/auth/realms/ci >>>>>>> >>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>>> >>>>>>> Can you help how to find the problem ? >>>>>>> >>>>>>> p.s. is there any other way to find help on those matters? Tried IRC >>>>>>> but nobody is replying there... 
>>>>>>>
>>>>>>> Thank you
>>>>>>>
>>>>>>
>>>>>
>>>>
>>

From kalc04 at gmail.com Thu Mar 17 06:03:13 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Thu, 17 Mar 2016 15:33:13 +0530
Subject: [keycloak-user] Cache related exception gets thrown when updating user
Message-ID:

Hi,

We were executing the 'Update User' API call when the following exception got thrown:

[2016-03-17 07:50:36.0590], DEBUG, org.jboss.resteasy.core.SynchronousDispatcher default task-13 - RESTEASY002315: PathInfo: /admin/realms/xxxx/users/e503cb04-3080-4e90-a4b4-80adcd46b81c
[2016-03-17 07:50:36.0590], DEBUG, org.keycloak.services.managers.AuthenticationManager default task-13 - token active - active: true, issued-at: 1,458,201,036, not-before: 0
[2016-03-17 07:50:36.0590], DEBUG, org.keycloak.services.resources.admin.AdminRoot default task-13 - authenticated admin access for: superuser
[2016-03-17 07:50:36.0591], DEBUG, org.keycloak.services.resources.Cors default task-13 - No origin returning
[2016-03-17 07:50:36.0636], DEBUG, org.infinispan.interceptors.InvalidationInterceptor default task-13 - Cache [localhost] replicating InvalidateCommand{keys=[e503cb04-3080-4e90-a4b4-80adcd46b81c]}
[2016-03-17 07:50:36.0637], ERROR, org.keycloak.services.resources.ModelExceptionMapper default task-13 - javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1 at
org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
 at org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:47)
 at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:95)
 at org.keycloak.services.resources.admin.UsersResource.updateUser(UsersResource.java:170)
 at sun.reflect.GeneratedMethodAccessor435.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:497)
 at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
 at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
 at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
 at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
 at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)

We're using a clustered Infinispan system as our cache. This error doesn't get thrown often, nor can we point out a specific scenario. However, we have now seen this a few times. What could be the reason for this?

Regards,
Lohitha.
From daniele.capasso at dnshosting.it Thu Mar 17 06:07:57 2016
From: daniele.capasso at dnshosting.it (daniele.capasso at dnshosting.it)
Date: Thu, 17 Mar 2016 11:07:57 +0100
Subject: [keycloak-user] error in keycloak-admin-client
In-Reply-To: <5831d33d4e3c20c6752b054526609122@dnshosting.it>
References: <5831d33d4e3c20c6752b054526609122@dnshosting.it>
Message-ID: <9ad6cd05c35a43fb39ef8864ac8c0e5e@dnshosting.it>

Ok, I solved it by changing the resteasy-client version to 3.0.15.

On 2016-03-17 09:26 daniele.capasso at dnshosting.it wrote:
> Hello,
>
> I updated a keycloak installation from 1.7 to 1.9.1 and upgraded the pom
> dependency for keycloak-admin-client, but
> when I call org.keycloak.admin.client.token.TokenManager.grantToken();
>
> I receive an error
> org.codehaus.jackson.map.exc.UnrecognizedPropertyException:
> Unrecognized
> field "access_token" (Class
> org.keycloak.representations.AccessTokenResponse), not marked as
> ignorable
> at [Source: org.apache.http.conn.EofSensorInputStream@23b73091; line:
> 1, column: 18] (through reference chain:
> org.keycloak.representations.AccessTokenResponse["access_token"])
>
> I used in my project the resteasy-client ver. 3.0.11.Final; is it
> possible that this library does not match keycloak-admin-client
> 1.9.1-final?

From Edgar at info.nl Thu Mar 17 06:54:35 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Thu, 17 Mar 2016 10:54:35 +0000
Subject: [keycloak-user] Obtain user from Keycloak admin API using LDAP_ID
Message-ID:

Hi,

Since we use MSAD/LDAP as user store, the user's LDAP_ID in Keycloak is for us the unique ID of a user and not Keycloak's internal user ID.
However it seems that it is not possible to retrieve users based on the LDAP_ID attribute using the Keycloak admin API?

There is:

GET /admin/realms/{realm}/users/{id}

but this uses the internal Keycloak user ID, which we cannot use (if only because sometimes we wipe out the Keycloak database and re-import all users from MSAD/LDAP)

and:

GET /admin/realms/{realm}/users

only allows searching on a very limited number of standard user attributes.

How should we go about solving this? Does it make sense to create a feature request in JIRA to extend the /users API endpoint to allow searching on arbitrary user attributes, for example? Or is it feasible to add our own endpoint to Keycloak's REST API perhaps?

cheers

From thomas.darimont at googlemail.com Thu Mar 17 07:32:15 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 17 Mar 2016 12:32:15 +0100
Subject: [keycloak-user] Obtain user from Keycloak admin API using LDAP_ID
In-Reply-To: References: Message-ID:

Hello Edgar,

I'd also be interested in a way to do this.

Currently keycloak doesn't provide a mechanism to register additional rest endpoints, however one could probably introduce a way to do so.

`org.keycloak.services.resources.KeycloakApplication.KeycloakApplication(ServletContext, Dispatcher)` seems to be the place where the major JAX-RS Resources are registered.

I think this could be extended with an SPI to easily add custom Resources. These resources could then use DI or manual Lookups to access the Keycloak infrastructure.

Cheers,
Thomas

2016-03-17 11:54 GMT+01:00 Edgar Vonk - Info.nl:
> Hi,
>
> Since we use MSAD/LDAP as user store, the user's LDAP_ID in Keycloak is for
> us the unique ID of a user and not Keycloak's internal user ID.
>
> However it seems that it is not possible to retrieve users based on the
> LDAP_ID attribute using the Keycloak admin API?
>
> There is:
>
> GET /admin/realms/{realm}/users/{id}
>
> but this uses the internal Keycloak user ID, which we cannot use (if only
> because sometimes we wipe out the Keycloak database and re-import all users
> from MSAD/LDAP)
>
> and:
>
> GET /admin/realms/{realm}/users
>
> only allows searching on a very limited number of standard user attributes.
>
> How should we go about solving this? Does it make sense to create a
> feature request in JIRA to extend the /users API endpoint to allow
> searching on arbitrary user attributes, for example? Or is it feasible to
> add our own endpoint to Keycloak's REST API perhaps?
>
> cheers

From daniele.capasso at dnshosting.it Thu Mar 17 10:17:45 2016
From: daniele.capasso at dnshosting.it (daniele.capasso at dnshosting.it)
Date: Thu, 17 Mar 2016 15:17:45 +0100
Subject: [keycloak-user] issue on user registration
Message-ID:

Hi, I want to register a user via keycloak admin client.

This is the source; it works except for the role. What am I doing wrong?
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import javax.ws.rs.core.Response;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

CredentialRepresentation credential = new CredentialRepresentation();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue(model.getPassword());
credential.setTemporary(false);

UserRepresentation userRepresentation = new UserRepresentation();
userRepresentation.setEmail(model.getEmail());
userRepresentation.setFirstName(model.getName());
userRepresentation.setLastName(model.getSurname());
userRepresentation.setUsername(model.getEmail());
userRepresentation.setCredentials(Arrays.asList(credential));
userRepresentation.setEnabled(true);
// The generic type arguments were stripped by the list archive; the map is
// client id -> role names. (This field is not applied by the Create User
// endpoint; see the reply below.)
userRepresentation.setClientRoles(new HashMap<String, List<String>>() {{
    put(kcApi.getKeycloakCurrentClient(), Arrays.asList("ROLE_USER_HOST"));
}});

Response resp = kcApi.createUser(userRepresentation);

thank you

From kalc04 at gmail.com Thu Mar 17 14:22:50 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Thu, 17 Mar 2016 23:52:50 +0530
Subject: [keycloak-user] issue on user registration
In-Reply-To: References: Message-ID:

As far as I know, you have to trigger the Assign Client Role (http://keycloak.github.io/docs/rest-api/index.html#_add_client_level_roles_to_the_user_role_mapping) endpoint to achieve that. Although the payload allows you to supply roles to the Create User endpoint, it doesn't assign any roles underneath. This has been the behavior for a long time.

Regards,
Lohitha.

On Thu, Mar 17, 2016 at 7:47 PM, wrote:
> Hi, I want to register a user via keycloak admin client.
>
> This is the source; it works except for the role. What am I doing wrong?
>
> CredentialRepresentation credential = new CredentialRepresentation();
> credential.setType(CredentialRepresentation.PASSWORD);
> credential.setValue(model.getPassword());
> credential.setTemporary(false);
>
> UserRepresentation userRepresentation = new UserRepresentation();
> userRepresentation.setEmail(model.getEmail());
> userRepresentation.setFirstName(model.getName());
> userRepresentation.setLastName(model.getSurname());
> userRepresentation.setUsername(model.getEmail());
> userRepresentation.setCredentials(Arrays.asList(credential));
> userRepresentation.setEnabled(true);
> userRepresentation.setClientRoles(new HashMap<String, List<String>>() {{
>     put(kcApi.getKeycloakCurrentClient(), Arrays.asList("ROLE_USER_HOST"));
> }});
>
> Response resp = kcApi.createUser(userRepresentation);
>
>
> thank you

From dev at sgordon.totalise.co.uk Fri Mar 18 03:07:27 2016
From: dev at sgordon.totalise.co.uk (Simon Gordon)
Date: 18 Mar 2016 07:07:27 +0000
Subject: [keycloak-user] OAuth and achieving authorisation across apps - repost
In-Reply-To: References: Message-ID:

[Repost]

Hey all

I feel compelled to ask another basic question of you, thanks in advance!
Looking at the demos, in a basic OAuth2 scenario, the protected resource server (let's use the database-server within the demo-templates) is configured in keycloak.json as:

{
  "realm" : "demo",
  "resource" : "database-service",
  "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "auth-server-url": "/auth",
  "bearer-only" : true,
  "ssl-required" : "external"
}

In the web.xml, the database-service is permitting only requests ('/*') to those clients that have been granted the 'user' role.

In the design, this service is receiving bearer tokens only - so can I assume that the bearer token has the roles associated with the token encoded within the bearer token? (Plus the token is signed with the realm key)

Or is there a back-channel conversation which I can't see in the configuration, maybe derived from 'auth-server-url'?

Thank you for any thoughts!

Regards,

Simon

From mposolda at redhat.com Fri Mar 18 04:55:47 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Mar 2016 09:55:47 +0100
Subject: [keycloak-user] Obtain user from Keycloak admin API using LDAP_ID
In-Reply-To: References: Message-ID: <56EBC293.60109@redhat.com>

Hello,

JIRA for searching by custom attributes already exists [1]. Hopefully we will add it to 2.X, but we can't add it to 1.9.X as it's a new feature.

The custom REST endpoints are planned for Keycloak 2.X for sure.

[1] https://issues.jboss.org/browse/KEYCLOAK-1902

Marek

On 17/03/16 12:32, Thomas Darimont wrote:
> Hello Edgar,
>
> I'd also be interested in a way to do this.
>
> Currently keycloak doesn't provide a mechanism to register additional
> rest endpoints, however one could probably introduce a way to do so.
> `org.keycloak.services.resources.KeycloakApplication.KeycloakApplication(ServletContext,
> Dispatcher)` seems to be the place where the major JAX-RS Resources
> are registered.
>
> I think this could be extended with an SPI to easily add custom
> Resources. These resources could then use DI or manual Lookups to
> access the Keycloak infrastructure.
>
> Cheers,
> Thomas
>
> 2016-03-17 11:54 GMT+01:00 Edgar Vonk - Info.nl:
>
> Hi,
>
> Since we use MSAD/LDAP as user store, the user's LDAP_ID in
> Keycloak is for us the unique ID of a user and not Keycloak's
> internal user ID.
>
> However it seems that it is not possible to retrieve users based
> on the LDAP_ID attribute using the Keycloak admin API?
>
> There is:
>
> GET /admin/realms/{realm}/users/{id}
>
> but this uses the internal Keycloak user ID, which we cannot use
> (if only because sometimes we wipe out the Keycloak database and
> re-import all users from MSAD/LDAP)
>
> and:
>
> GET /admin/realms/{realm}/users
>
> only allows searching on a very limited number of standard user
> attributes.
>
> How should we go about solving this? Does it make sense to create
> a feature request in JIRA to extend the /users API endpoint to
> allow searching on arbitrary user attributes, for example? Or is it
> feasible to add our own endpoint to Keycloak's REST API perhaps?
>
> cheers
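Two threads above end at the same practical point with the admin client: the "issue on user registration" reply says roles passed in the Create User payload are ignored and must be assigned through the client-level role-mapping endpoint, and this LDAP_ID thread says the server can only search a few standard attributes until KEYCLOAK-1902 lands. The following is an added example for both, written for this page and not taken from the list posts or from the Keycloak project. It assumes keycloak-admin-client 1.9.x (in particular that ClientsResource.findByClientId exists and that UserRepresentation.getAttributes() returns Map<String, List<String>>); the server URL, realm, admin account, client id and role name are placeholders.

```java
// Added example, not code from the list posts or from the Keycloak project.
// Assumes keycloak-admin-client 1.9.x; connection details and names are placeholders.
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class AdminClientExamples {

    private final RealmResource realm;

    public AdminClientExamples(RealmResource realm) {
        this.realm = realm;
    }

    /**
     * Creates the user, then assigns the client role in a second call.
     * setClientRoles() on the representation is not applied by the
     * Create User endpoint, so the mapping has to be added explicitly.
     */
    public String createUserWithClientRole(String username, String email, String password,
                                           String clientId, String roleName) {
        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue(password);
        credential.setTemporary(false);

        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEmail(email);
        user.setEnabled(true);
        user.setCredentials(Arrays.asList(credential));

        Response response = realm.users().create(user);
        try {
            if (response.getStatus() != 201) {
                throw new IllegalStateException("user creation failed: HTTP " + response.getStatus());
            }
            // The new user's id is the last segment of the Location header.
            String location = response.getHeaderString("Location");
            String userId = location.substring(location.lastIndexOf('/') + 1);

            // Role mappings are keyed by the client's internal id, not its clientId.
            List<ClientRepresentation> clients = realm.clients().findByClientId(clientId);
            if (clients.isEmpty()) {
                throw new IllegalArgumentException("no client with clientId " + clientId);
            }
            String clientUuid = clients.get(0).getId();
            RoleRepresentation role =
                    realm.clients().get(clientUuid).roles().get(roleName).toRepresentation();

            // POST /admin/realms/{realm}/users/{id}/role-mappings/clients/{client}
            realm.users().get(userId).roles().clientLevel(clientUuid).add(Collections.singletonList(role));
            return userId;
        } finally {
            response.close();
        }
    }

    /**
     * Client-side workaround until the server can search custom attributes:
     * page through the realm's users and match on the LDAP_ID attribute.
     * Every user record crosses the wire, so use a narrowly scoped admin
     * account and cache the result where the caller can.
     */
    public UserRepresentation findByLdapId(String ldapId) {
        UsersResource users = realm.users();
        int pageSize = 100;
        for (int first = 0; ; first += pageSize) {
            List<UserRepresentation> page = users.search(null, first, pageSize);
            if (page.isEmpty()) {
                return null;
            }
            for (UserRepresentation u : page) {
                Map<String, List<String>> attrs = u.getAttributes();
                if (attrs != null && attrs.containsKey("LDAP_ID") && attrs.get("LDAP_ID").contains(ldapId)) {
                    return u;
                }
            }
        }
    }

    public static void main(String[] args) {
        // Placeholder connection details (constructed for this example).
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth", "master", "admin", "admin-password", "admin-cli");
        AdminClientExamples examples = new AdminClientExamples(keycloak.realm("demo"));

        String id = examples.createUserWithClientRole(
                "alice@example.com", "alice@example.com", "changeme", "my-app", "ROLE_USER_HOST");
        System.out.println("created user " + id);

        UserRepresentation byLdap = examples.findByLdapId("00000000-0000-0000-0000-000000000000");
        System.out.println(byLdap == null ? "no match" : "found " + byLdap.getUsername());
    }
}
```

The lookup is linear in the number of users and pulls the full representations, which is why it is framed as a stopgap; once server-side attribute search is available the loop collapses into one query, and in the meantime the admin account driving it should only hold the realm-management roles these two calls need.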
From mposolda at redhat.com Fri Mar 18 04:59:15 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Mar 2016 09:59:15 +0100
Subject: [keycloak-user] OAuth and achieving authorisation across apps - repost
In-Reply-To: References: Message-ID: <56EBC363.5050509@redhat.com>

On 18/03/16 08:07, Simon Gordon wrote:
> [Repost]
>
> Hey all
>
> I feel compelled to ask another basic question of you, thanks in advance!
>
> Looking at the demos, in a basic OAuth2 scenario, the protected resource
> server (let's use the database-server within the demo-templates) is
> configured in keycloak.json as: {
> "realm" : "demo",
> "resource" : "database-service",
> "realm-public-key" :
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
> "auth-server-url": "/auth",
> "bearer-only" : true,
> "ssl-required" : "external"
> }
>
> In the web.xml, the database-service is permitting only requests ('/*') to
> those clients that have been granted the 'user' role.
>
> In the design, this service is receiving bearer tokens only - so can I
> assume that the bearer token has the roles associated with the token
> encoded within the bearer token? (Plus the token is signed with the realm
> key)

Yes, the roles are available in the access token. The access token is a JWT and contains various claims (attributes) of the user as well as roles. The database service translates roles from the token to JEE roles, which is done by our adapter.

Marek

>
> Or is there a back-channel conversation which I can't see in the
> configuration, maybe derived from 'auth-server-url'?
>
> Thank you for any thoughts!
>
> Regards,
> Simon

From mposolda at redhat.com Fri Mar 18 05:04:32 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Mar 2016 10:04:32 +0100
Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often?
Message-ID: <56EBC4A0.8040703@redhat.com>

Hi,

this is not available right now. It can be achieved with password policy, but we don't have such a password policy right now. We can either:
- Add the password policy to have this available in Keycloak OOTB
- Make PasswordPolicy a pluggable SPI, so you can add your custom password policy for functionality like this.

Feel free to create JIRA for this.

Marek

On 16/03/16 15:02, Kevin Thorpe wrote:
> A standard practice for login systems is to stop users changing their passwords too often. Keycloak does not support this as of 1.7.0. Is there a possibility of adding a timeout to stop too frequent password changes?
>
> Kevin Thorpe
> VP Enterprise Platform
>
> www.p-i.net | @PI_150
>
> T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344
> 150 Buckingham Palace Road, London, SW1W 9TR, UK
>
> SAVE PAPER - THINK BEFORE YOU PRINT!
>
> ____________________________________________________________________
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
> Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

From mposolda at redhat.com Fri Mar 18 05:09:02 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Mar 2016 10:09:02 +0100
Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often?
In-Reply-To: <56EBC4A0.8040703@redhat.com>
References: <56EBC4A0.8040703@redhat.com>
Message-ID: <56EBC5AE.5020905@redhat.com>

Btw. Kevin, you are using LDAP/MSAD, right? If you have writable LDAP, then for the LDAP users you can create a custom LDAP Mapper implementation, which will implement the "proxy" method and override the "updateCredential" method of the proxy user object. Here you can implement this functionality by yourself (MSAD has the pwdLastSet attribute with the time when the password was last updated).

Marek

On 18/03/16 10:04, Marek Posolda wrote:
> Hi,
>
> this is not available right now. It can be achieved with password policy, but we don't have such a password policy right now. We can either:
> - Add the password policy to have this available in Keycloak OOTB
> - Make PasswordPolicy a pluggable SPI, so you can add your custom password policy for functionality like this.
>
> Feel free to create JIRA for this.
>
> Marek
>
> On 16/03/16 15:02, Kevin Thorpe wrote:
>> A standard practice for login systems is to stop users changing their passwords too often.
>> Keycloak does not support this as of 1.7.0. Is there a possibility of adding a timeout to stop too frequent password changes?
>>
>> Kevin Thorpe
>> VP Enterprise Platform
>> www.p-i.net | @PI_150
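The minimum-password-age check that the mapper Marek describes would have to apply, written here as an added Python example rather than as Keycloak's Java LDAP-mapper SPI (this is not code from the thread or from the project). It converts MSAD's pwdLastSet, a Windows FILETIME of 100-nanosecond ticks since 1601-01-01 UTC where 0 means "must change at next logon", into a timestamp and decides whether a change may go ahead yet. The one-day policy, the sample value and the idea of reporting the time remaining are assumptions for the demo; in a real deployment the decision belongs inside the mapper's `updateCredential` override on the server, never only in the account UI.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# MSAD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 00:00 UTC, serialised as a decimal string in LDAP.
# Ticks between that epoch and the Unix epoch: 11644473600 s * 10^7 ticks/s.
_FILETIME_UNIX_OFFSET = 116_444_736_000_000_000
_TICKS_PER_SECOND = 10_000_000
_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: str) -> Optional[datetime]:
    """Parse a pwdLastSet value. Returns None for 0 (or unset), which in AD
    means 'password must be changed at next logon', so there is no age to enforce."""
    ticks = int(raw.strip())
    if ticks <= 0:
        return None
    seconds, rem = divmod(ticks - _FILETIME_UNIX_OFFSET, _TICKS_PER_SECOND)
    return _UNIX_EPOCH + timedelta(seconds=seconds, microseconds=rem // 10)


def datetime_to_filetime(when: datetime) -> str:
    """Inverse of filetime_to_datetime; used here only to build test values."""
    delta = when.astimezone(timezone.utc) - _UNIX_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * _TICKS_PER_SECOND + delta.microseconds * 10
    return str(ticks + _FILETIME_UNIX_OFFSET)


def password_change_allowed(pwd_last_set: str, min_age: timedelta,
                            now: Optional[datetime] = None) -> Tuple[bool, timedelta]:
    """Minimum-password-age rule. Returns (allowed, time_remaining).

    - pwdLastSet 0/unset -> allowed: AD is forcing a reset, blocking it locks the user out
    - otherwise allowed only once min_age has elapsed since the last change
    A pwdLastSet in the future (clock skew, tampering) produces a longer wait,
    so the rule fails closed instead of waving the change through.
    """
    now = now or datetime.now(timezone.utc)
    last_set = filetime_to_datetime(pwd_last_set)
    if last_set is None:
        return True, timedelta(0)
    remaining = min_age - (now - last_set)
    if remaining <= timedelta(0):
        return True, timedelta(0)
    return False, remaining


def demo() -> Dict[str, object]:
    """Constructed sample: password last set 2016-03-18 00:00 UTC, policy one day."""
    policy = timedelta(days=1)
    sample = datetime_to_filetime(datetime(2016, 3, 18, tzinfo=timezone.utc))

    def at(day: int, hour: int = 0) -> datetime:
        return datetime(2016, 3, day, hour, tzinfo=timezone.utc)

    return {
        "filetime": sample,                                                   # "131027328000000000"
        "too_soon": password_change_allowed(sample, policy, now=at(18, 10)),  # (False, 14h)
        "after_policy": password_change_allowed(sample, policy, now=at(19, 10)),
        "forced_reset": password_change_allowed("0", policy),                 # (True, 0)
        "future_stamp": password_change_allowed(sample, policy, now=at(17)),  # (False, 2 days)
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same routine can be fed from a read-only LDAP search of the user's entry before the write is attempted; if the policy denies the change, the mapper should fail the update with a message that includes the remaining wait rather than silently succeeding.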
From mposolda at redhat.com Fri Mar 18 05:19:45 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Mar 2016 10:19:45 +0100
Subject: [keycloak-user] Cache related exception gets thrown when updating user
Message-ID: <56EBC831.9040909@redhat.com>

Hi,

It seems that you're trying to update the same user by 2 concurrent transactions, hence there is an OptimisticLockException thrown by Hibernate.

On which version are you? We had some cache fixes for the user cache in latest master, but that's related to the infinispan cache. You can try with latest master, but not sure if it helps with the scenario you're testing as the error is at DB level. Not sure if Keycloak should somehow improve the support of the scenario when a user is updated by 2 transactions at the same time. Doesn't look like a very common thing to me.

Marek

On 17/03/16 11:03, Lohitha Chiranjeewa wrote:
> Hi,
>
> We were executing the 'Update User' API call when the following exception got thrown:
>
>     [2016-03-17 07:50:36.0590], DEBUG, org.jboss.resteasy.core.SynchronousDispatcher default task-13 - RESTEASY002315: PathInfo: /admin/realms/xxxx/users/e503cb04-3080-4e90-a4b4-80adcd46b81c
>     [2016-03-17 07:50:36.0590], DEBUG, org.keycloak.services.managers.AuthenticationManager default task-13 - token active - active: true, issued-at: 1,458,201,036, not-before: 0
>     [2016-03-17 07:50:36.0590], DEBUG, org.keycloak.services.resources.admin.AdminRoot default task-13 - authenticated admin access for: superuser
>     [2016-03-17 07:50:36.0591], DEBUG, org.keycloak.services.resources.Cors default task-13 - No origin returning
>     [2016-03-17 07:50:36.0636], DEBUG, org.infinispan.interceptors.InvalidationInterceptor default task-13 - Cache [localhost] replicating InvalidateCommand{keys=[e503cb04-3080-4e90-a4b4-80adcd46b81c]}
>     [2016-03-17 07:50:36.0637], ERROR,
>     org.keycloak.services.resources.ModelExceptionMapper default task-13 - javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
>         at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
>         at org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:47)
>         at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:95)
>         at org.keycloak.services.resources.admin.UsersResource.updateUser(UsersResource.java:170)
>         at sun.reflect.GeneratedMethodAccessor435.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:497)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>
> We're using a clustered Infinispan system as our cache. This error doesn't get thrown often, nor can we point out a specific scenario. However, we have now seen this a few times. What could be the reason for this?
>
> Regards,
> Lohitha.
From mposolda at redhat.com Fri Mar 18 05:27:29 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Mar 2016 10:27:29 +0100
Subject: [keycloak-user] manage user session
In-Reply-To: <790acc4dfdcbd281cd9f2e3f6b215e84@dnshosting.it>
References: <2c6934077a624386dfb6e3ceb6a40697@dnshosting.it> <790acc4dfdcbd281cd9f2e3f6b215e84@dnshosting.it>
Message-ID: <56EBCA01.5090701@redhat.com>

It seems this endpoint for deleting a session is missing in keycloak-admin-client. Feel free to create JIRA for it.

Marek

On 16/03/16 09:49, daniele.capasso at dnshosting.it wrote:
> I want to kill a user session by user id. I could use a REST service (Remove a specific user session: DELETE /admin/realms/{realm}/sessions/{session}) but I prefer to use an SDK Keycloak client.
>
> On 2016-03-16 09:35 Thomas Darimont wrote:
>> Hello Daniele,
>>
>> what do you want to do in particular?
>>
>> Cheers,
>> Thomas
>>
>> 2016-03-16 9:33 GMT+01:00 :
>>
>>> Hello,
>>> can I manage a user's session with a jar like keycloak-admin-client?
>>>
>>> thanx

From thomas.darimont at googlemail.com Fri Mar 18 05:54:33 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 18 Mar 2016 10:54:33 +0100
Subject: [keycloak-user] Guidelines for user attribute protocol mappers - when to add to IDToken vs. to AccessToken?
Hello group,

Keycloak allows specifying custom "protocol mappers" for a particular client or for multiple clients via client templates. With these "protocol mappers", one can add custom information to the JWT token, e.g. based on a user attribute, user property etc.

One has the option to add the attribute to the IDToken and / or to the AccessToken. What would be a good guideline for developers to follow when choosing which one (or both) to use?

Is it correct to say that the IDToken is just provided "once" after login, whereas the AccessToken may be periodically renewed and is thus more dynamic (in the sense that user attribute changes are propagated "sooner")? When would it make sense to add information to the IDToken AND the AccessToken?

Cheers,
Thomas

From kalc04 at gmail.com Fri Mar 18 06:50:37 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 18 Mar 2016 16:20:37 +0530
Subject: [keycloak-user] Cache related exception gets thrown when updating user
In-Reply-To: <56EBC831.9040909@redhat.com>
References: <56EBC831.9040909@redhat.com>

Hi,

We're using Keycloak 1.9.0.Final as of now. I had a quick check on our logs and it seems that we have performed update calls to the same user almost at the same time when this error popped up. Could be a programmatic error in one of our clients. In any case, the occurrences of this error are very rare. Just wanted to note it down here for your exposure.

Thanks for the response.

Regards,
Lohitha.

On Fri, Mar 18, 2016 at 2:49 PM, Marek Posolda wrote:
> Hi,
>
> It seems that you're trying to update the same user by 2 concurrent transactions, hence there is an OptimisticLockException thrown by Hibernate.
>
> On which version are you?
> We had some cache fixes for the user cache in latest master, but that's related to the infinispan cache. You can try with latest master, but not sure if it helps with the scenario you're testing as the error is at DB level. Not sure if Keycloak should somehow improve the support of the scenario when a user is updated by 2 transactions at the same time. Doesn't look like a very common thing to me.
>
> Marek
>
> On 17/03/16 11:03, Lohitha Chiranjeewa wrote:
>> Hi,
>>
>> We were executing the 'Update User' API call when the following exception got thrown:
>>
>>     [2016-03-17 07:50:36.0590], DEBUG, org.jboss.resteasy.core.SynchronousDispatcher default task-13 - RESTEASY002315: PathInfo: /admin/realms/xxxx/users/e503cb04-3080-4e90-a4b4-80adcd46b81c
>>     [2016-03-17 07:50:36.0590], DEBUG, org.keycloak.services.managers.AuthenticationManager default task-13 - token active - active: true, issued-at: 1,458,201,036, not-before: 0
>>     [2016-03-17 07:50:36.0590], DEBUG, org.keycloak.services.resources.admin.AdminRoot default task-13 - authenticated admin access for: superuser
>>     [2016-03-17 07:50:36.0591], DEBUG, org.keycloak.services.resources.Cors default task-13 - No origin returning
>>     [2016-03-17 07:50:36.0636], DEBUG, org.infinispan.interceptors.InvalidationInterceptor default task-13 - Cache [localhost] replicating InvalidateCommand{keys=[e503cb04-3080-4e90-a4b4-80adcd46b81c]}
>>     [2016-03-17 07:50:36.0637], ERROR, org.keycloak.services.resources.ModelExceptionMapper default task-13 - javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
>>         at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
>>         at
>>             org.keycloak.connections.jpa.JpaKeycloakTransaction.commit(JpaKeycloakTransaction.java:47)
>>         at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:95)
>>         at org.keycloak.services.resources.admin.UsersResource.updateUser(UsersResource.java:170)
>>         at sun.reflect.GeneratedMethodAccessor435.invoke(Unknown Source)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:497)
>>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>
>> We're using a clustered Infinispan system as our cache. This error doesn't get thrown often, nor can we point out a specific scenario. However, we have now seen this a few times. What could be the reason for this?
>>
>> Regards,
>> Lohitha.
From sthorger at redhat.com Fri Mar 18 07:23:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Mar 2016 12:23:31 +0100
Subject: [keycloak-user] '500 Internal Server Error' thrown when 'Update User' API is invoked w/o 'username' in the payload

Thanks, scheduled for next release

On 14 Mar 2016 09:43, "Lohitha Chiranjeewa" wrote:
> JIRA created: https://issues.jboss.org/browse/KEYCLOAK-2660
>
> Regards,
> Lohitha.
>
> On Fri, Mar 11, 2016 at 8:57 PM, Stian Thorgersen wrote:
>> Can you please report a new issue? The original issue was fixed, but there's another issue when brute force protection is enabled. The test from the original issue doesn't enable brute force protection.
>>
>> On 11 March 2016 at 08:49, Lohitha Chiranjeewa wrote:
>>> Stian just FYI, apparently this is not fixed despite the ticket getting closed.
>>>
>>> I had a brief look at the code, and it seems if the "username" is present and the "enabled" parameter is set to true in the request payload, a NullPointerException still gets thrown.
>>>
>>>     if (rep.isEnabled() != null && rep.isEnabled()) {
>>>         UsernameLoginFailureModel failureModel = session.sessions().getUserLoginFailure(realm, rep.getUsername().toLowerCase());
>>>         if (failureModel != null) {
>>>             failureModel.clearFailures();
>>>         }
>>>     }
>>>
>>> This is in the org.keycloak.services.resources.admin.UsersResource class.
>>>
>>> Regards,
>>> Lohitha.
>>>
>>> On Mon, Jan 18, 2016 at 11:51 AM, Lohitha Chiranjeewa wrote:
>>>> JIRA logged here: https://issues.jboss.org/browse/KEYCLOAK-2334
>>>>
>>>> Regards,
>>>> Lohitha
>>>>
>>>> On Fri, Jan 15, 2016 at 9:12 PM, Stian Thorgersen wrote:
>>>>> Yes please
>>>>>
>>>>> On 15 January 2016 at 04:42, Lohitha Chiranjeewa wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Refer title for the bug.
>>>>>> This seems to have been introduced after 1.2.0.Final because in that version we didn't have this problem. Failure happens in 1.7.0.Final. Checked the logs and there's a NullPointerException thrown.
>>>>>>
>>>>>> Shall I create a JIRA?
>>>>>>
>>>>>> Regards,
>>>>>> Lohitha.

From sthorger at redhat.com Fri Mar 18 07:26:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Mar 2016 12:26:56 +0100
Subject: [keycloak-user] User Attributes -> User Attribute Mapper, Client Attributes -> no mapper?
In-Reply-To: <56E69421.4080500@redhat.com>
References: <56E69421.4080500@redhat.com>

Is this for service accounts or clients in general?

On 14 Mar 2016 11:37, "Marek Posolda" wrote:
> We don't have a mapper for client attributes. There was no need for it until now AFAIK. You can either create JIRA to request it (but not sure when it will be done) or you can implement it by yourself. See docs for providers and SPI [1]
>
> [1] http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
>
> Marek
>
> On 14/03/16 11:12, Bram Vonk wrote:
>> Hi,
>>
>> We're adding specific User Attributes to Users, and use the User Attribute protocol mapper to add those attributes to the JWT bearer tokens the user gets when logging in.
>>
>> This works fine for keycloak Users (natural persons) using our secured endpoints (APIs).
>>
>> We'd like to use the same concept for Clients (internal applications, so no natural person is involved) that use our secured endpoints.
>> These Clients use client credentials to get a bearer token from Keycloak. Clients can have Client Attributes, so that's half the problem fixed. The other half is the protocol mapper: there is no Client Attribute protocol mapper.
>>
>> Is there a specific reason there is no Client Attribute protocol mapper? Are we doing something we shouldn't do? ;)
>>
>> Thanks,
>>
>> Bram Vonk

From sthorger at redhat.com Fri Mar 18 07:30:40 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Mar 2016 12:30:40 +0100
Subject: [keycloak-user] Invalid parameter: redirect_uri

Localhost can only be used to access your app if you have a valid redirect uri for it. Same goes for the other hostname. You can of course add both if you want.

On 15 Mar 2016 20:48, "Chris Raiskin" wrote:
> It looks like, if I run the demo using "localhost" in the URL, i.e.
>
>     http://localhost:8080/customer-portal
>
> then I get "error=invalid_redirect_uri".
>
> However, if I run the demo using
>
>     http://wildfly.blah.com:8080/customer-portal
>
> then keycloak responds with the login challenge as expected.
>
> On the keycloak side, this client is configured with the following "Valid Redirect URI":
>
>     Valid Redirect URI
>     http://wildfly.blah.com:8080/customer-portal/*
>
> According to the tooltip, the Request's host:port will be used if a relative Redirect URI is configured.
> The above redirect URI is an absolute path so this URL should be used regardless of whether I use "localhost" or the hostname in the request.
>
> Why error=invalid_redirect_uri?
>
> From: Chris Raiskin
> Sent: Tuesday, March 15, 2016 11:21 AM
> To: 'stian at redhat.com'
> Cc: keycloak-user
> Subject: RE: [keycloak-user] Invalid parameter: redirect_uri
>
> Yes, I did modify the client redirect uri - the "customer-portal" client has the following URI configuration:
>
>     Root: http://wildfly.blah.com:8080/customer-portal/
>     Valid Redirect URIs: http://wildfly.blah.com:8080/customer-portal/*
>     Admin URL: http://wildfly.blah.com:8080/customer-portal/
>     Web Origins: http://wildfly.blah.com:8080
>
> It looks like the error is triggered by the "customer listing" link trying to execute customer-portal/view.jsp
>
> keycloak log shows the following entry where redirect_uri will be
>
> localhost if I use http://localhost:8080/customer-portal/
>
> or
>
> wildfly.blah.com if I use http://wildfly.blah.com:8080/customer-portal/
>
>     10:07:06,173 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=demo, clientId=customer-portal, userId=null, ipAddress=192.168.1.3, error=invalid_redirect_uri, response_type=code, redirect_uri=http://wildfly.blah.com:8080/customer-portal/customers/view.jsp, response_mode=query
>
> I modified the relevant portion of view.jsp but it doesn't change the outcome..
>     <%
>     String logoutUri = KeycloakUriBuilder.fromUri("http://wildfly.blah.com:8080/auth")
>             .path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
>             .queryParam("redirect_uri", "http://wildfly.blah.com:8080/customer-portal")
>             .build("demo").toString();
>     String acctUri = KeycloakUriBuilder.fromUri("http://wildfly.blah.com:8080/auth")
>             .path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH)
>             .queryParam("referrer", "customer-portal")
>             .build("demo").toString();
>     IDToken idToken = CustomerDatabaseClient.getIDToken(request);
>     %>
>
> Any other leads, please?
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Sunday, March 13, 2016 11:44 PM
> To: Chris Raiskin
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Invalid parameter: redirect_uri
>
> Did you change the redirect uri for the client? The default configuration of the demo assumes it'll be deployed on the same hostname as the Keycloak server. You can change this in the Keycloak admin console after importing the realm config from the demo. Simplest is to add a root url for the client.
>
> On 11 Mar 2016 19:32, "Chris Raiskin" wrote:
>> Hello
>>
>> I'm following The Basic Part 2 tutorial with keycloak 1.9.0 with the purpose of demo'ing keycloak to the team.
>>
>> The only difference in my set up is that I have the keycloak server on a separate host from the wildfly server running the demo apps.
>>
>> When I hit the "Customer Listing" link, I get
>>
>>     WE'RE SORRY...
>>     Invalid parameter: redirect_uri
>>
>> displayed by the keycloak server.
>>
>>     http://keycloak.blah.com:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=1%2Fe1f42109-1372-4808-98aa-6cd5bbb0b9ac&login=true
>>
>> I can see that the redirect_uri is referencing "localhost"
>> both from the URL above and the keycloak log entry:
>>
>>     11:21:52,483 WARN [org.keycloak.events] (default task-75) type=LOGIN_ERROR, realmId=demo, clientId=customer-portal, userId=null, ipAddress=192.168.1.3, error=invalid_redirect_uri, response_type=code, redirect_uri=http://localhost:8080/customer-portal/customers/view.jsp, response_mode=query
>>
>> but I'm not sure where "localhost" is coming from b/c the "valid redirect uri" for this Client/Application is configured like this:
>>
>>     * Valid Redirect URIs
>>     http://wildfly.blah.com:8080/customer-portal/*
>>
>> Any help would be appreciated.
>>
>> Thanks

From erik.mulder at docdatapayments.com Fri Mar 18 07:45:19 2016
From: erik.mulder at docdatapayments.com (Erik Mulder)
Date: Fri, 18 Mar 2016 12:45:19 +0100
Subject: [keycloak-user] Obtain user from Keycloak admin API using LDAP_ID
In-Reply-To: <56EBC293.60109@redhat.com>
References: <56EBC293.60109@redhat.com>
Message-ID: <9A5619B792BBA041AE094585791BB71C01BB4CC94904@DDPEX01.DDP.dcloud.local>

FYI: My pull request https://github.com/keycloak/keycloak/pull/2219 adds support for extending the Keycloak REST API, among other things to support a full extension of the Keycloak datamodel.
Regards,
Erik

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Marek Posolda [mposolda at redhat.com]
Sent: Friday 18 March 2016 9:55
To: Thomas Darimont; Edgar Vonk - Info.nl
CC: keycloak-user
Subject: Re: [keycloak-user] Obtain user from Keycloak admin API using LDAP_ID

Hello,

JIRA for searching by custom attributes already exists [1]. Hopefully we will add it to 2.X, but we can't add it to 1.9.X as it's a new feature.

The custom REST endpoints are planned for Keycloak 2.X for sure.

[1] https://issues.jboss.org/browse/KEYCLOAK-1902

Marek

On 17/03/16 12:32, Thomas Darimont wrote:
Hello Edgar,

I'd be also interested in a way to do this.

Currently keycloak doesn't provide a mechanism to register additional rest endpoints, however one could probably introduce a way to do so. `org.keycloak.services.resources.KeycloakApplication.KeycloakApplication(ServletContext, Dispatcher)` seems to be the place where the major JAX-RS Resources are registered.

I think this could be extended with an SPI to easily add custom Resources. These resources could then use DI or manual lookups to access the Keycloak infrastructure.

Cheers,
Thomas

2016-03-17 11:54 GMT+01:00 Edgar Vonk - Info.nl:
Hi,

Since we use MSAD/LDAP as user store, the user's LDAP_ID in Keycloak is for us the unique ID of a user and not Keycloak's internal user ID.

However it seems that it is not possible to retrieve users based on the LDAP_ID attribute using the Keycloak admin API?

There is:

    GET /admin/realms/{realm}/users/{id}

but this uses the internal Keycloak user ID which we cannot use (if only because sometimes we wipe out the Keycloak database and re-import all users from MSAD/LDAP)

and:

    GET /admin/realms/{realm}/users

only allows searching on a very limited number of standard user attributes.

How should we go about solving this?
Does it make sense to create a feature request in JIRA to extend the /users API endpoint to allow searching on arbitrary user attributes, for example? Or is it feasible to add our own endpoint to Keycloak's REST API perhaps?

cheers

From sthorger at redhat.com Fri Mar 18 07:58:26 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Mar 2016 12:58:26 +0100
Subject: [keycloak-user] Change expiration time of Forget Password Link.

You can change the expiration for all used actions in the admin console under token settings. You can't set it just for forgotten password though.

On 16 Mar 2016 07:50, "Revanth Ayalasomayajula" wrote:
> Hi,
>
> I am using keycloak 1.5.0 and I want to change the expiration time of the link present in the Forget Password email. Any idea how I can accomplish this?
>
> Thanks.

From sthorger at redhat.com Fri Mar 18 07:58:26 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Mar 2016 12:58:26 +0100
Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often?
In-Reply-To: <56EBC5AE.5020905@redhat.com>
References: <56EBC4A0.8040703@redhat.com> <56EBC5AE.5020905@redhat.com>

Seems like a strange requirement.
I can see why you would want users to update the password frequently, not the other way around. Or is there something I'm missing?

Password policy will be made an SPI in the future. That will make it easy to do, but it's not going to be done for a little while.

On 18 Mar 2016 10:10, "Marek Posolda" wrote:
> Btw. Kevin, you are using LDAP/MSAD, right? If you have writable LDAP, then for the LDAP users you can create a custom LDAP Mapper implementation, which will implement the "proxy" method and override the "updateCredential" method of the proxy user object. Here you can implement this functionality by yourself (MSAD has the pwdLastSet attribute with the time when the password was last updated).
>
> Marek
>
> On 18/03/16 10:04, Marek Posolda wrote:
>> Hi,
>>
>> this is not available right now. It can be achieved with password policy, but we don't have such a password policy right now. We can either:
>> - Add the password policy to have this available in Keycloak OOTB
>> - Make PasswordPolicy a pluggable SPI, so you can add your custom password policy for functionality like this.
>>
>> Feel free to create JIRA for this.
>>
>> Marek
>>
>> On 16/03/16 15:02, Kevin Thorpe wrote:
>>> A standard practice for login systems is to stop users changing their passwords too often. Keycloak does not support this as of 1.7.0. Is there a possibility of adding a timeout to stop too frequent password changes?
>>>
>>> Kevin Thorpe
>>> VP Enterprise Platform
>>> www.p-i.net | @PI_150
> If you have received this email in error please notify the system manager. > This message contains confidential information and is intended only for the > individual named. If you are not the named addressee you should not > disseminate, distribute or copy this e-mail. Please notify the sender > immediately by e-mail if you have received this e-mail by mistake and > delete this e-mail from your system. If you are not the intended recipient > you are notified that disclosing, copying, distributing or taking any > action in reliance on the contents of this information is strictly > prohibited. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From sthorger at redhat.com Fri Mar 18 07:58:26 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Mar 2016 12:58:26 +0100 Subject: [keycloak-user] Obtain user from Keycloak admin API using LDAP_ID In-Reply-To: <56EBC293.60109@redhat.com> References: <56EBC293.60109@redhat.com> Message-ID:

Rather than continue adding to the current rest endpoints I'd rather add a v2 of the endpoints so we are more free to refactor and improve the endpoints. The current endpoints were created for admin console so usability wasn't ever a focus.

On 18 Mar 2016 09:57, "Marek Posolda" wrote: > Hello, > > JIRA for searching by custom attributes already exists [1]. Hopefully we > will add to 2.X, but we can't add to 1.9.X as it's new feature. > > The custom REST endpoints are planned for Keycloak 2.X for sure.
> > [1] https://issues.jboss.org/browse/KEYCLOAK-1902 > > Marek > > On 17/03/16 12:32, Thomas Darimont wrote: > > Hello Edgar, > > I'd be also interested in a way to do this. > > Currently keycloak doesn't provide a mechanism to register additional rest > endpoints, however one could probably introduce a way to do so. > `org.keycloak.services.resources.KeycloakApplication.KeycloakApplication(ServletContext, > Dispatcher)` seems to be the place where the major JAX-RS Resources are > registered. > > I think this could be extended with an SPI to easily add custom Resources. > These resources could then use DI or manual Lookups to access the Keycloak > infrastructure. > > Cheers, > Thomas > > 2016-03-17 11:54 GMT+01:00 Edgar Vonk - Info.nl : > >> Hi, >> >> Since we use MSAD/LDAP as user store the user's LDAP_ID in Keycloak is >> for us the unique ID of a user and not Keycloak's internal user ID. >> >> However it seems that it is not possible to retrieve users based on the >> LDAP_ID attribute using the Keycloak admin API? >> >> There is: >> >> GET /admin/realms/{realm}/users/{id} >> >> but this uses the internal Keycloak user ID which we cannot use (if only >> because sometimes we wipe out the Keycloak database and re-import all users >> from MSAD/LDAP) >> >> and: >> >> GET /admin/realms/{realm}/users >> >> only allows searching on a very limited number of standard user attributes >> >> >> How should we go about solving this? Does it make sense to create a >> feature request in JIRA to extend the /users API endpoint to allow >> searching on arbitrary user attributes for example? Or is it feasible to >> add our own endpoint to Keycloak's REST API perhaps?
>> >> cheers >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From sthorger at redhat.com Fri Mar 18 07:58:26 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Mar 2016 12:58:26 +0100 Subject: [keycloak-user] issue on user registration In-Reply-To: References: Message-ID:

Creating a user through admin rest is 3 requests. Create user, update credentials, assign roles. Not very elegant that's true and we will improve it eventually.

On 17 Mar 2016 19:24, "Lohitha Chiranjeewa" wrote: > As far as I know, you have to trigger the Assign Client Role ( > http://keycloak.github.io/docs/rest-api/index.html#_add_client_level_roles_to_the_user_role_mapping) > endpoint to achieve that. Although the payload allows you to supply roles > to the Create User endpoint, it doesn't assign any roles underneath. This > has been the behavior for a long time. > > > Regards, > Lohitha. > > On Thu, Mar 17, 2016 at 7:47 PM, wrote: > >> Hi, i want to register a user via keycloak admin client. >> >> This is the source, it works except for the role, what is wrong?
>>
>> CredentialRepresentation credential = new CredentialRepresentation();
>> credential.setType(CredentialRepresentation.PASSWORD);
>> credential.setValue(model.getPassword());
>> credential.setTemporary(false);
>>
>> UserRepresentation userRepresentation = new UserRepresentation();
>> userRepresentation.setEmail(model.getEmail());
>> userRepresentation.setFirstName(model.getName());
>> userRepresentation.setLastName(model.getSurname());
>> userRepresentation.setUsername(model.getEmail());
>> userRepresentation.setCredentials(Arrays.asList(credential));
>> userRepresentation.setEnabled(true);
>> userRepresentation.setClientRoles(new HashMap<String, List<String>>() {{
>>     put(kcApi.getKeycloakCurrentClient(), Arrays.asList("ROLE_USER_HOST"));
>> }});
>>
>> Response resp = kcApi.createUser(userRepresentation);
>>
>> thank you
>> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From sthorger at redhat.com Fri Mar 18 07:58:26 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Mar 2016 12:58:26 +0100 Subject: [keycloak-user] keycloak configuration In-Reply-To: References: Message-ID:

Client ID has nothing to do with this issue as it would show a login error page not a not found. So must be either realm name or another part of URL is wrong.

Are you using our adapters or another library atm?

I'm answering on my phone on the plane so can't look into it more atm.
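The three admin requests Stian lists in the "issue on user registration" thread above (create user, update credentials, assign roles), written out as an added example for this archive page. It is editorial code, not part of any message in the thread and not code from the Keycloak project: the endpoint paths are the standard admin REST paths, while the realm `demo`, client `app`, user `alice@example.com` and the `FakeKeycloak` stand-in are constructed for the example (`ROLE_USER_HOST` is the role name from the original post). A bearer token for a live server comes from the usual `POST /realms/master/protocol/openid-connect/token` with `client_id=admin-cli`; to run against one, supply a `send(method, path, json_body)` callable that issues the request with that token and returns `(status, headers, parsed_json)`.

```python
import urllib.parse
from typing import Callable, Dict, List, Optional, Tuple

# send(method, path, json_body) -> (status, response headers, parsed JSON body or None)
Transport = Callable[[str, str, Optional[object]], Tuple[int, Dict[str, str], Optional[object]]]


def create_user_with_client_role(send: Transport, realm: str, user: dict, password: str,
                                 client_id: str, role_name: str) -> str:
    """Create `user`, set `password`, map `role_name` of client `client_id`; return the user id."""
    base = f"/admin/realms/{realm}"

    # Request 1: create the user. The id comes back only in the Location header, and a
    # clientRoles entry in the payload is accepted but not applied (see the thread above).
    status, headers, _ = send("POST", f"{base}/users", user)
    if status != 201:
        raise RuntimeError(f"create user failed with HTTP {status}")
    user_id = headers["Location"].rstrip("/").rsplit("/", 1)[-1]

    # Request 2: set the password; temporary=False means no forced change at first login.
    status, _, _ = send("PUT", f"{base}/users/{user_id}/reset-password",
                        {"type": "password", "value": password, "temporary": False})
    if status != 204:
        raise RuntimeError(f"reset-password failed with HTTP {status}")

    # Request 3: map the client role. The endpoint is keyed by the client's internal UUID,
    # not its clientId, and wants full RoleRepresentations, hence two GET lookups first.
    status, _, clients = send("GET", f"{base}/clients?clientId={urllib.parse.quote(client_id)}", None)
    if status != 200 or not clients:
        raise RuntimeError(f"client {client_id!r} not found in realm {realm!r}")
    client_uuid = clients[0]["id"]
    status, _, role = send("GET", f"{base}/clients/{client_uuid}/roles/{urllib.parse.quote(role_name)}", None)
    if status != 200:
        raise RuntimeError(f"role {role_name!r} not found on client {client_id!r}")
    status, _, _ = send("POST", f"{base}/users/{user_id}/role-mappings/clients/{client_uuid}", [role])
    if status != 204:
        raise RuntimeError(f"role mapping failed with HTTP {status}")
    return user_id


class FakeKeycloak:
    """Constructed in-memory stand-in for the admin API, so the flow runs offline.
    Like the real server, it drops roles sent in the create-user payload."""

    def __init__(self, realm: str, clients: Dict[str, List[str]]):
        self.realm = realm
        self.clients = {f"uuid-{cid}": {"id": f"uuid-{cid}", "clientId": cid, "roles": roles}
                        for cid, roles in clients.items()}
        self.users: Dict[str, dict] = {}
        self.passwords: Dict[str, dict] = {}
        self.mappings: Dict[str, List[str]] = {}
        self.log: List[str] = []  # request sequence, to check the three-step order

    def send(self, method: str, path: str, body: Optional[object]):
        self.log.append(f"{method} {path}")
        url = urllib.parse.urlparse(path)
        parts = url.path[len(f"/admin/realms/{self.realm}"):].strip("/").split("/")
        if method == "POST" and parts == ["users"]:
            uid = f"u{len(self.users) + 1}"
            self.users[uid] = {k: v for k, v in body.items() if k != "clientRoles"}
            return 201, {"Location": f"http://kc/auth{url.path}/{uid}"}, None
        if method == "PUT" and len(parts) == 3 and parts[2] == "reset-password":
            self.passwords[parts[1]] = body
            return 204, {}, None
        if method == "GET" and parts == ["clients"]:
            want = urllib.parse.parse_qs(url.query).get("clientId", [None])[0]
            return 200, {}, [{"id": c["id"], "clientId": c["clientId"]}
                             for c in self.clients.values() if c["clientId"] == want]
        if method == "GET" and len(parts) == 4 and parts[0] == "clients" and parts[2] == "roles":
            client = self.clients.get(parts[1])
            if client and parts[3] in client["roles"]:
                return 200, {}, {"id": f"role-{parts[3]}", "name": parts[3], "clientRole": True}
            return 404, {}, None
        if method == "POST" and len(parts) == 5 and parts[2:4] == ["role-mappings", "clients"]:
            self.mappings.setdefault(parts[1], []).extend(r["name"] for r in body)
            return 204, {}, None
        return 404, {}, None


if __name__ == "__main__":
    kc = FakeKeycloak("demo", {"app": ["ROLE_USER_HOST"]})
    uid = create_user_with_client_role(kc.send, "demo",
        {"username": "alice@example.com", "email": "alice@example.com", "enabled": True,
         "clientRoles": {"app": ["ROLE_USER_HOST"]}},  # ignored by the server, as in the thread
        "correct horse battery staple", "app", "ROLE_USER_HOST")
    print(uid, kc.mappings[uid], kc.log)
```

The request log of the fake shows the order a real run must follow: user creation, then `reset-password`, then the client lookup, role lookup and `role-mappings` POST. Because the id only arrives in the `Location` header, a client that parses the create response body instead will not find it; and because a failed role lookup aborts before the mapping POST, the function leaves no half-assigned role behind, only a user without the role, which the caller can delete or retry.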
On 17 Mar 2016 10:00, "Pavlos Kleanthous" wrote: > Hi, > > In jenkins, I'm pasting the JSON configuration that it can be found inside > "Installation" tab. > > Instead of using keycloak client plugins, can I use a generic oauth plugin > in my apps? How can I configure my keycloak for this? > i.e. Instead of using google's oauth URL use my own pointing to keycloak. > > > On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj > wrote: > >> In your jenkins realm - under Clients do you have a client called 'ci'? >> That's the client_id used in your request. >> >> AFAIK nothing changed in this part of the code since 1.8.1. >> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" >> wrote: >> >>> yes I can. >>> >>> Please note that this is a problem of version 1.9.1. >>> I have tried now version 1.8.1 and it redirects me to keycloak. >>> >>> p.s. I'm using the official containers from docker hub. >>> >>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj >>> wrote: >>> >>>> Are you able to login into admin console at: >>>> http://192.168.99.100:32786/auth >>>> >>>> And you see the realm called 'jenkins' there? >>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" >>>> wrote: >>>> >>>>> Hi guys adding to this. Please see the HTTP requests and responses. >>>>> >>>>> >>>>> 1. Request URL: >>>>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>>>> 2. Request Method: >>>>> GET >>>>> 3. Status Code: >>>>> 302 Found >>>>> 4. Remote Address: >>>>> 192.168.99.100:32769 >>>>> 1. Response Headers >>>>> 1. Content-Length: >>>>> 0 >>>>> 2. Location: >>>>> >>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>> 3. Server: >>>>> Jetty(winstone-2.9) >>>>> 4. X-Content-Type-Options: >>>>> nosniff >>>>> >>>>> >>>>> >>>>> 1.
Request URL: >>>>> >>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>> 2. Request Method: >>>>> GET >>>>> 3. Status Code: >>>>> *404 Not Found* >>>>> 4. Remote Address: >>>>> 192.168.99.100:32786 >>>>> 1. Response Headersview source >>>>> 1. Connection: >>>>> keep-alive >>>>> 2. Content-Length: >>>>> 0 >>>>> 3. Date: >>>>> Wed, 16 Mar 2016 10:30:40 GMT >>>>> 4. Server: >>>>> WildFly/10 >>>>> 5. X-Powered-By: >>>>> Undertow/1 >>>>> 2. Request Headersview source >>>>> 1. Accept: >>>>> >>>>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>> 2. Accept-Encoding: >>>>> gzip, deflate, sdch >>>>> 3. Accept-Language: >>>>> en-US,en;q=0.8,el;q=0.6 >>>>> 4. Connection: >>>>> keep-alive >>>>> 5. Cookie: >>>>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>>>> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDenigQ9FnaP6DEyOvd8v2Yo; >>>>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >>>>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>>>> 
JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>>>> 6. DNT: >>>>> 1 >>>>> 7. Host: >>>>> 192.168.99.100:32786 >>>>> 8. Referer: >>>>> http://192.168.99.100:32769/ >>>>> 9. Save-Data: >>>>> on >>>>> 10. Upgrade-Insecure-Requests: >>>>> 1 >>>>> >>>>> >>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous < >>>>> parsectix at gmail.com> wrote: >>>>> >>>>>> Thanks for pointing this out. I think it does not matter as the same >>>>>> name can be found in "Installation" tab where >>>>>> I copied the configuration. >>>>>> >>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj >>>>>> wrote: >>>>>> >>>>>>> Looks like you mistyped your client id: 'jenknis'. >>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" >>>>>>> wrote: >>>>>>> >>>>>>>> Hello, >>>>>>>> >>>>>>>> >>>>>>>> I'm trying to configure keycloak for first time. My setup has 2 >>>>>>>> containers keycloak and jenkins. >>>>>>>> Following the example how to integrate those two, I created a realm >>>>>>>> and a client called "jenkins". >>>>>>>> >>>>>>>> It seems that the realm configuration is not correct as I get the >>>>>>>> following debug error. >>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>> (default task-12) RESTEASY002010: Failed to execute: >>>>>>>> javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for >>>>>>>> full path: >>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>>>> " >>>>>>>> >>>>>>>> I noticed that " >>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" >>>>>>>> works.
>>>>>>>> >>>>>>>> if I access the URL: http://192.168.99.100:32786/auth/realms/ci >>>>>>>> >>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>>>> >>>>>>>> Can you help how to find the problem ? >>>>>>>> >>>>>>>> p.s. is there any other way to find help on those matters? Tried >>>>>>>> IRC but nobody is replying there... >>>>>>>> >>>>>>>> Thank you >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>>>> >>>>> >>> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160318/f08ecdca/attachment-0001.html From sthorger at redhat.com Fri Mar 18 08:05:15 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Mar 2016 13:05:15 +0100 Subject: [keycloak-user] EJB Invalid User + Log Out not working In-Reply-To: <00af01d17edb$d7bb50d0$8731f270$@affordabletours.com> References: <013001d17b01$c290ac60$47b20520$@affordabletours.com> <00af01d17edb$d7bb50d0$8731f270$@affordabletours.com> Message-ID: How is the ejb being called? 
From jax-rs service or server-side web app? For there to be a user you need to be authenticated as a user so either the server-side webapp has redirected to login page or there is a bearer token included in the authorisation header of the http request.

On 15 Mar 2016 17:58, "Firdos Ali" wrote: > Thank you for the prompt response. > > > > I moved to keycloak 1.9.1 both on the server and updated the adapter, > however it is still not working. Let me clarify on a few other things and > hopefully that will provide some additional context > > > > We put our project in an ear file which contains one jar file inclusive of > the stateless ejbs, one war file, and a few other supporting jar files. > > > > The war file has the keycloak.json with the following: > >
> {
>   "realm": "affordabletours",
>   "realm-public-key": "some key",
>   "auth-server-url": "http://10.0.0.1:8080/auth",
>   "ssl-required": "external",
>   "resource": "keycloaktest",
>   "credentials": {
>     "secret": "some secret"
>   }
> }
> > > > Are you suggesting that I change the resource "keycloaktest" access type > from "confidential" to "bearer-only"? If so, I tried that and > unfortunately that did not work. I guess my confusion is how the jar > file with the EJBs would be aware of the security context when it is only at the > war level? Thanks > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Friday, March 11, 2016 12:29 AM > *To:* Firdos Ali > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] EJB Invalid User + Log Out not working > > > > > > > > On 10 March 2016 at 20:19, Firdos Ali wrote: > > Hello, > > > > I am having a few problems with Keycloak.
Let me first start with the > environment information: > > > > Keycloak version: 1.9.0 > > Keycloak wildfly version: 10.0.0 > > > > Application wildfly version: 8.0.0 > > > > *Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid > User* > > I have followed the documentation by adding the keycloak adapter to the > application wildfly 8.0 and my server.xml has the following: > >
> … code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/> …
> > > > MyEJB:
> @Stateless
> @Local(MyInt.class)
> @SecurityDomain("keycloak")
> public class MyBean implements MyInt
> ...
> @PermitAll
> @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
> public boolean myMethod(...) throws Exception {
> }
> > > > At the moment I am not using jboss-ejb3.xml as I reference the security > domain in my EJB class. I added it and it did not help out > > > > Stacktrace: > > ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB > Invocation failed on component MyBean for method public abstract boolean > com.at.ejb.MyInt.myMethod(…)
throws java.lang.Exception: > javax.ejb.EJBAccessException: JBAS013323: Invalid User > > at > org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) > > at > org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448) > 
> at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
> at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
> at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
> at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
> at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
> at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
> > Is there something I am missing from the documentation? Any thoughts how > to resolve this issue? > > > >

Is there a bearer token sent with the request that invokes the EJB? If so try with 1.9.1. Could be https://issues.jboss.org/browse/KEYCLOAK-2518 fixes this.

> > > > *Problem 2: Unable to log out a user from keycloak administration console:* > > After I click "Logout" on the administration console in Keycloak, I see > the following error on the keycloak server: > > ERROR [io.undertow.request] (default task-26) UT005023: Exception handling > request to > /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: > org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: > org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder; > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > > > >

Are you using the standalone Keycloak server? Looking at javadocs for httpclient setConnectionTimeToLive was added in 4.4.
WildFly 10 uses httpclient 4.5, so looks like for some reason you have an old version of httpclient.

> > > > > Best regards, > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >

From sthorger at redhat.com Fri Mar 18 08:21:58 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Mar 2016 13:21:58 +0100 Subject: [keycloak-user] web and mobile behavior with logout/pw change In-Reply-To: References: Message-ID:

On 14 Mar 2016 15:42, "Seann Ives" wrote: > > Hello, > > Our web application has a standard keycloak integration. Our mobile app is currently using keycloak direct access grants. I've got a few questions about expected behavior when a user has overlapping usage of both web and mobile which I'm hoping someone here can kindly answer. > > 1. A user logs in to the mobile app and gets a JWT and a refresh token. The user then logs in to the web app (via KC) and then logs out of the web app (via KC). Should the mobile refresh token then be able to successfully refresh the mobile JWT access token against KC, or does the web logout 'invalidate' the mobile refresh token?

Logout only invalidates one session. Since you have a mobile app with direct grant and a separate web app they have separate sessions.

> > 2. Similar scenario but the web user changes their password instead of logging out: > A user logs in to the mobile app and gets a JWT and a refresh token. The user then logs in to the web app and then changes their password (through KC). Should the mobile refresh token (created with the old password) then be able to successfully refresh the mobile JWT access token, or does the web logout 'invalidate' the mobile refresh token?
All sessions except the session changing the password are logged out. So the mobile refresh token should be invalid.

> > > Would the behavior in either of those cases be different if our mobile app used a webview redirecting to the KC server instead of using direct access grants?

Yes/no. If you use an embedded webview it has its own cookies and doesn't have access to the system browser cookies. So there are two separate sessions. I'd still use webview though and not direct grant. A much better option is to use an embedded system browser tab as it actually allows having one session between multiple mobile apps and system browser. I've got no clue how to do that though, I just read that's the proper way to do it.

> > Thanks very much! > Seann Ives > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Mar 18 08:21:58 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Mar 2016 13:21:58 +0100 Subject: [keycloak-user] Obtain user from Keycloak admin API using LDAP_ID In-Reply-To: <9A5619B792BBA041AE094585791BB71C01BB4CC94904@DDPEX01.DDP.dcloud.local> References: <56EBC293.60109@redhat.com> <9A5619B792BBA041AE094585791BB71C01BB4CC94904@DDPEX01.DDP.dcloud.local> Message-ID:

Erik - can you remove that from the PR? We have someone else working on adding the custom rest endpoints. Also I prefer a PR per feature in either case ;)

On 18 Mar 2016 12:48, "Erik Mulder" wrote: > FYI: > My pull request https://github.com/keycloak/keycloak/pull/2219 adds > support for extending the Keycloak REST API, among other things to support > a full extension of the Keycloak datamodel.
> Regards, Erik > > ________________________________________ > From: keycloak-user-bounces at lists.jboss.org [ > keycloak-user-bounces at lists.jboss.org] on behalf of Marek Posolda [ > mposolda at redhat.com] > Sent: Friday, 18 March 2016 9:55 > To: Thomas Darimont; Edgar Vonk - Info.nl > CC: keycloak-user > Subject: Re: [keycloak-user] Obtain user from Keycloak admin API using > LDAP_ID > > Hello, > > JIRA for searching by custom attributes already exists [1]. Hopefully we > will add to 2.X, but we can't add to 1.9.X as it's new feature. > > The custom REST endpoints are planned for Keycloak 2.X for sure. > > [1] https://issues.jboss.org/browse/KEYCLOAK-1902 > > Marek > On 17/03/16 12:32, Thomas Darimont wrote: > Hello Edgar, > > I'd be also interested in a way to do this. > > Currently keycloak doesn't provide a mechanism to register additional rest > endpoints, however one could probably introduce a way to do so. > `org.keycloak.services.resources.KeycloakApplication.KeycloakApplication(ServletContext, > Dispatcher)` seems to be the place where the major JAX-RS Resources are > registered. > > I think this could be extended with an SPI to easily add custom Resources. > These resources could then use DI or manual Lookups to access the Keycloak > infrastructure. > > Cheers, > Thomas > > 2016-03-17 11:54 GMT+01:00 Edgar Vonk - Info.nl Edgar at info.nl>>: > Hi, > > Since we use MSAD/LDAP as user store the user's LDAP_ID in Keycloak is for > us the unique ID of a user and not Keycloak's internal user ID. > > However it seems that it is not possible to retrieve users based on the > LDAP_ID attribute using the Keycloak admin API?
> > There is: > > GET /admin/realms/{realm}/users/{id} > > but this uses the internal Keycloak user ID which we cannot use (if only > because sometimes we wipe out the Keycloak database and re-import all users > from MSAD/LDAP) > > and: > > GET /admin/realms/{realm}/users > > only allows searching on a very limited number of standard user attributes > > > How should we go about solving this? Does it make sense to create a > feature request in JIRA to extend the /users API endpoint to allow > searching on arbitrary user attributes for example? Or is it feasible to > add our own endpoint to Keycloak's REST API perhaps? > > cheers > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From mposolda at redhat.com Fri Mar 18 09:14:44 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 18 Mar 2016 14:14:44 +0100 Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often? In-Reply-To: References: <56EBC4A0.8040703@redhat.com> <56EBC5AE.5020905@redhat.com> Message-ID: <56EBFF44.1010700@redhat.com>

On 18/03/16 12:58, Stian Thorgersen wrote: > > Seems like a strange requirement. I can see why you would want users > to update the password frequently, not the other way around. Or is > there something I'm missing? > > Password policy will be made an SPI in the future.
That will make it > easy to do, but it's not going to be done for a little while. >

Maybe we can do Password policy SPI in 2.X together with validation SPI? Looks to me like quite related things.

Marek

> On 18 Mar 2016 10:10, "Marek Posolda" > wrote: > > Btw. Kevin you are using LDAP/MSAD right? If you have writable > LDAP, then for the LDAP users, you can create custom LDAP Mapper > implementation, which will implement "proxy" method and override > "updateCredential" method of the proxy user object. Here you can > implement this functionality by yourself (MSAD has pwdLastSet > attribute with the time when password was updated for last time) > > Marek > > On 18/03/16 10:04, Marek Posolda wrote: >> Hi, >> >> this is not available right now. It can be achieved with password >> policy, but we don't have such a password policy right now. We >> can either: >> - Add the password policy to have this available in Keycloak OOTB >> - Make PasswordPolicy pluggable SPI, so you can add your custom >> password policy for the functionality like this. >> >> Feel free to create JIRA for this. >> >> Marek >> >> On 16/03/16 15:02, Kevin Thorpe wrote: >>> A standard practice for login systems is to stop users changing >>> their passwords too often. Keycloak does not support this as of >>> 1.7.0. Is there a possibility of adding a timeout to stop too >>> frequent password changes? >>> >>> >>> *Kevin Thorpe* >>> VP Enterprise Platform >>> >>> www.p-i.net | @PI_150 >>> >>> >>> *T: +44 (0)20 3005 6750 | >>> F: +44(0)20 7730 2635 | T: >>> +44 (0)808 204 0344 * >>> *150 Buckingham Palace Road, London, SW1W 9TR, UK* >>> >>> >>> *SAVE PAPER - THINK BEFORE YOU PRINT!* >>> >>> ____________________________________________________________________ >>> >>> This email and any files transmitted with it are confidential >>> and intended solely for the use of the individual or entity to >>> whom they are addressed. If you have received this email in >>> error please notify the system manager.
This message contains >>> confidential information and is intended only for the individual >>> named. If you are not the named addressee you should not >>> disseminate, distribute or copy this e-mail. Please notify the >>> sender immediately by e-mail if you have received this e-mail by >>> mistake and delete this e-mail from your system. If you are not >>> the intended recipient you are notified that disclosing, >>> copying, distributing or taking any action in reliance on the >>> contents of this information is strictly prohibited. >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From parsectix at gmail.com Fri Mar 18 09:20:25 2016 From: parsectix at gmail.com (Pavlos Kleanthous) Date: Fri, 18 Mar 2016 13:20:25 +0000 Subject: [keycloak-user] keycloak configuration In-Reply-To: References: Message-ID:

Yours. I configured the realm with the same settings on both versions 1.9.1 and 1.8.1.

On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen wrote: > Client ID has nothing to do with this issue as it would show a login > error page not a not found. So must be either realm name or another part of > URL is wrong. > > Are you using our adapters or another library atm? > > I'm answering on my phone on the plane so can't look into it more atm. > On 17 Mar 2016 10:00, "Pavlos Kleanthous" wrote: > >> Hi, >> >> In jenkins, I'm pasting the JSON configuration that it can be found inside >> "Installation" tab.
>> >> Instead of using keycloak client plugins, can I use a generic oauth >> plugin in my apps? How can I configure my keycloak for this? >> i.e. Instead of using google's oauth URL use my own pointing to keycloak. >> >> >> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj >> wrote: >> >>> In your jenkins realm - under Clients do you have a client called 'ci'? >>> That's the client_id used in your request. >>> >>> AFAIK nothing changed in this part of the code since 1.8.1. >>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" >>> wrote: >>> >>>> yes I can. >>>> >>>> Please note that this is a problem of version 1.9.1. >>>> I have tried now version 1.8.1 and it redirect me to keycloak. >>>> >>>> p.s. I'm using the official containers from docker hub. >>>> >>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj >>>> wrote: >>>> >>>>> Are you able to login into admin console at: >>>>> http://192.168.99.100:32786/auth >>>>> >>>>> And you see the realm called 'jenkins' there? >>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" >>>>> wrote: >>>>> >>>>>> Hi guys adding to this. Please see the HTTP requests and responses. >>>>>> >>>>>> >>>>>> 1. Request URL: >>>>>> >>>>>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>>>>> 2. Request Method: >>>>>> GET >>>>>> 3. Status Code: >>>>>> 302 Found >>>>>> 4. Remote Address: >>>>>> 192.168.99.100:32769 >>>>>> 1. Response Headersview source >>>>>> 1. Content-Length: >>>>>> 0 >>>>>> 2. Location: >>>>>> >>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>> 3. Server: >>>>>> Jetty(winstone-2.9) >>>>>> 4. X-Content-Type-Options: >>>>>> nosniff >>>>>> >>>>>> >>>>>> >>>>>> 1. 
Request URL: >>>>>> >>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>> 2. Request Method: >>>>>> GET >>>>>> 3. Status Code: >>>>>> *404 Not Found* >>>>>> 4. Remote Address: >>>>>> 192.168.99.100:32786 >>>>>> 1. Response Headersview source >>>>>> 1. Connection: >>>>>> keep-alive >>>>>> 2. Content-Length: >>>>>> 0 >>>>>> 3. Date: >>>>>> Wed, 16 Mar 2016 10:30:40 GMT >>>>>> 4. Server: >>>>>> WildFly/10 >>>>>> 5. X-Powered-By: >>>>>> Undertow/1 >>>>>> 2. Request Headersview source >>>>>> 1. Accept: >>>>>> >>>>>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>> 2. Accept-Encoding: >>>>>> gzip, deflate, sdch >>>>>> 3. Accept-Language: >>>>>> en-US,en;q=0.8,el;q=0.6 >>>>>> 4. Connection: >>>>>> keep-alive >>>>>> 5. Cookie: >>>>>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>>>>> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDenigQ9FnaP6DEyOvd8v2Yo; >>>>>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >>>>>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; 
>>>>>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>>>>> 6. DNT: >>>>>> 1 >>>>>> 7. Host: >>>>>> 192.168.99.100:32786 >>>>>> 8. Referer: >>>>>> http://192.168.99.100:32769/ >>>>>> 9. Save-Data: >>>>>> on >>>>>> 10. Upgrade-Insecure-Requests: >>>>>> 1 >>>>>> >>>>>> >>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous < >>>>>> parsectix at gmail.com> wrote: >>>>>> >>>>>>> Thanks for pointing this out. I think it does not matter as the same >>>>>>> name can be found in "Installation" tab where >>>>>>> I copied the configuration. >>>>>>> >>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj >>>>>> > wrote: >>>>>>> >>>>>>>> Looks like you mistyped your client id: 'jenknis'. >>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Hello, >>>>>>>>> >>>>>>>>> >>>>>>>>> I'm trying to configure keycloak for first time. My setup has 2 >>>>>>>>> containers keycloak and jenkins. >>>>>>>>> Following the example how to integrate those two, I created a >>>>>>>>> realm and a client called "jenkins". >>>>>>>>> >>>>>>>>> It seams that the realm configuration it's not correct as I get >>>>>>>>> the following debug error. >>>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>> (default task-12) RESTEASY002010: Failed to execute: >>>>>>>>> javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for >>>>>>>>> full path: >>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>>>>> " >>>>>>>>> >>>>>>>>> I noticed that " >>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" it >>>>>>>>> works. 
>>>>>>>>> >>>>>>>>> if I access the URL: http://192.168.99.100:32786/auth/realms/ci >>>>>>>>> >>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>>>>> >>>>>>>>> Can you help how to find the problem ? >>>>>>>>> >>>>>>>>> p.s. is there any other way to find help on those matters? Tried >>>>>>>>> IRC but nobody is replying there... >>>>>>>>> >>>>>>>>> Thank you >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> keycloak-user mailing list >>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160318/89a8bf1c/attachment-0001.html From sthorger at redhat.com Fri Mar 18 09:49:14 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Mar 2016 14:49:14 +0100 Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often? 
In-Reply-To: <56EBFF44.1010700@redhat.com> References: <56EBC4A0.8040703@redhat.com> <56EBC5AE.5020905@redhat.com> <56EBFF44.1010700@redhat.com> Message-ID: +1 Password policy shouldn't be hard as it's already using a similar approach, expect it's hard coded. On 18 Mar 2016 2:14 p.m., "Marek Posolda" wrote: > On 18/03/16 12:58, Stian Thorgersen wrote: > > Seems like a strange requirement. I can see why you would want users to > update the password frequently, not the other way around. Or is there > something I'm missing? > > Password policy will be made an spi in the future. That will make it easy > to do, but it's not going to be done for a little while. > > Maybe we can do Password policy SPI in 2.X together with validation SPI? > Looks to me like quite related things. > > Marek > > On 18 Mar 2016 10:10, "Marek Posolda" wrote: > >> Btv. Kevin you are using LDAP/MSAD right? If you have writable LDAP, then >> for the LDAP users, you can create custom LDAP Mapper implementation, which >> will implement "proxy" method and override "updateCredential" method of the >> proxy user object. Here you can >> implement this functionality by yourself (MSAD has pwdLastSet attribute >> with the time when password was updated for last time) >> >> Marek >> >> On 18/03/16 10:04, Marek Posolda wrote: >> >> Hi, >> >> this is not available right now. It can be achieved with password policy, >> but we don't have such a password policy right now. We can either: >> - Add the password policy to have this available in Keycloak OOTB >> - Make PasswordPolicy pluggable SPI, so you can add your custom password >> policy for the functionality like this. >> >> Feel free to create JIRA for this. >> >> Marek >> >> On 16/03/16 15:02, Kevin Thorpe wrote: >> >> A standard practice for login systems is to stop users changing their >> passwords too often. Keycloak does not support this as of 1.7.0. Is there a >> possibility of adding a timeout to stop too frequent password changes? 
>> >> >> *Kevin Thorpe* >> VP Enterprise Platform >> >> www.p-i.net | @PI_150 >> >> *T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20 >> 7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344 >> <%2B44%20%280%29808%20204%200344> * >> *150 Buckingham Palace Road, London, SW1W 9TR, UK* >> >> >> >> *SAVE PAPER - THINK BEFORE YOU PRINT!* >> >> ____________________________________________________________________ >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they are >> addressed. If you have received this email in error please notify the >> system manager. This message contains confidential information and is >> intended only for the individual named. If you are not the named addressee >> you should not disseminate, distribute or copy this e-mail. Please notify >> the sender immediately by e-mail if you have received this e-mail by >> mistake and delete this e-mail from your system. If you are not the >> intended recipient you are notified that disclosing, copying, distributing >> or taking any action in reliance on the contents of this information is >> strictly prohibited. >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160318/3b9bc4d9/attachment.html From sthorger at redhat.com Fri Mar 18 09:52:11 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Mar 2016 14:52:11 +0100 Subject: [keycloak-user] keycloak configuration In-Reply-To: References: Message-ID: What adapter? 
Is the server and client adapter both 1.9.1? We did recently deprecate some OIDC endpoints. I think ../login is gone and it should be ../auth. So if you are using an old adapter that may be the issue. On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" wrote: > Yours. > > I configured the realm with the same settings on both versions 1.9.1 and > 1.8.1. > > > On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen > wrote: > >> Client ID has nothing to do with this issue as it would show an login >> error page not a not found. So must be either realm name or another part of >> URL is wrong. >> >> Are you using our adapters or another library atm? >> >> I'm answering on my phone on the plane so can't look into it more atm. >> On 17 Mar 2016 10:00, "Pavlos Kleanthous" wrote: >> >>> Hi, >>> >>> In jenkins, I'm pasting the JSON configuration that it can found inside >>> "Installation" tab. >>> >>> Instead of using keycloak client plugins, can I use a generic oauth >>> plugin in my apps? How can I configure my keycloak for this? >>> i.e. Instead of using google's oauth URL use my own pointing to >>> keycloak. >>> >>> >>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj >>> wrote: >>> >>>> In your jenkins realm - under Clients do you have a client called 'ci'? >>>> That's the client_id used in your request. >>>> >>>> AFAIK nothing changed in this part of the code since 1.8.1. >>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" >>>> wrote: >>>> >>>>> yes I can. >>>>> >>>>> Please note that this is a problem of version 1.9.1. >>>>> I have tried now version 1.8.1 and it redirect me to keycloak. >>>>> >>>>> p.s. I'm using the official containers from docker hub. >>>>> >>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj >>>>> wrote: >>>>> >>>>>> Are you able to login into admin console at: >>>>>> http://192.168.99.100:32786/auth >>>>>> >>>>>> And you see the realm called 'jenkins' there? 
>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" >>>>>> wrote: >>>>>> >>>>>>> Hi guys adding to this. Please see the HTTP requests and responses. >>>>>>> >>>>>>> >>>>>>> 1. Request URL: >>>>>>> >>>>>>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>>>>>> 2. Request Method: >>>>>>> GET >>>>>>> 3. Status Code: >>>>>>> 302 Found >>>>>>> 4. Remote Address: >>>>>>> 192.168.99.100:32769 >>>>>>> 1. Response Headersview source >>>>>>> 1. Content-Length: >>>>>>> 0 >>>>>>> 2. Location: >>>>>>> >>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>> 3. Server: >>>>>>> Jetty(winstone-2.9) >>>>>>> 4. X-Content-Type-Options: >>>>>>> nosniff >>>>>>> >>>>>>> >>>>>>> >>>>>>> 1. Request URL: >>>>>>> >>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>> 2. Request Method: >>>>>>> GET >>>>>>> 3. Status Code: >>>>>>> *404 Not Found* >>>>>>> 4. Remote Address: >>>>>>> 192.168.99.100:32786 >>>>>>> 1. Response Headersview source >>>>>>> 1. Connection: >>>>>>> keep-alive >>>>>>> 2. Content-Length: >>>>>>> 0 >>>>>>> 3. Date: >>>>>>> Wed, 16 Mar 2016 10:30:40 GMT >>>>>>> 4. Server: >>>>>>> WildFly/10 >>>>>>> 5. X-Powered-By: >>>>>>> Undertow/1 >>>>>>> 2. Request Headersview source >>>>>>> 1. Accept: >>>>>>> >>>>>>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>> 2. Accept-Encoding: >>>>>>> gzip, deflate, sdch >>>>>>> 3. Accept-Language: >>>>>>> en-US,en;q=0.8,el;q=0.6 >>>>>>> 4. Connection: >>>>>>> keep-alive >>>>>>> 5. 
Cookie: >>>>>>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>>>>>> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDenigQ9FnaP6DEyOvd8v2Yo; >>>>>>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >>>>>>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>>>>>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>>>>>> 6. DNT: >>>>>>> 1 >>>>>>> 7. Host: >>>>>>> 192.168.99.100:32786 >>>>>>> 8. Referer: >>>>>>> http://192.168.99.100:32769/ >>>>>>> 9. Save-Data: >>>>>>> on >>>>>>> 10. Upgrade-Insecure-Requests: >>>>>>> 1 >>>>>>> >>>>>>> >>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous < >>>>>>> parsectix at gmail.com> wrote: >>>>>>> >>>>>>>> Thanks for pointing this out. I think it does not matter as the >>>>>>>> same name can be found in "Installation" tab where >>>>>>>> I copied the configuration. >>>>>>>> >>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj < >>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>> >>>>>>>>> Looks like you mistyped your client id: 'jenknis'. 
>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I'm trying to configure keycloak for first time. My setup has 2 >>>>>>>>>> containers keycloak and jenkins. >>>>>>>>>> Following the example how to integrate those two, I created a >>>>>>>>>> realm and a client called "jenkins". >>>>>>>>>> >>>>>>>>>> It seams that the realm configuration it's not correct as I get >>>>>>>>>> the following debug error. >>>>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>> (default task-12) RESTEASY002010: Failed to execute: >>>>>>>>>> javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for >>>>>>>>>> full path: >>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>>>>>> " >>>>>>>>>> >>>>>>>>>> I noticed that " >>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" it >>>>>>>>>> works. 
>>>>>>>>>> >>>>>>>>>> if I access the URL: http://192.168.99.100:32786/auth/realms/ci >>>>>>>>>> >>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>>>>>> >>>>>>>>>> Can you help how to find the problem ? >>>>>>>>>> >>>>>>>>>> p.s. is there any other way to find help on those matters? Tried >>>>>>>>>> IRC but nobody is replying there... >>>>>>>>>> >>>>>>>>>> Thank you >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> keycloak-user mailing list >>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
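The 404 thread above carries everything needed to cross-check the redirect against what the browser already holds. As an added diagnostic (not code from the thread, nor from Keycloak or the Jenkins plugin), the script below parses the Location header, the KEYCLOAK_SESSION cookie and the payload of the KEYCLOAK_IDENTITY token quoted in the dump, and sorts its findings by the symptom Stian distinguishes: a wrong realm or the retired ../login endpoint gives a 404, while an unknown client_id gives a login-error page. The set of configured clients is an assumption the caller supplies; the token payload is only decoded for inspection, never signature-verified.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Sample input constructed from the HTTP dump quoted in this thread: the
# Location header of the 302 from Jenkins, the KEYCLOAK_SESSION cookie, and
# the RS256 KEYCLOAK_IDENTITY cookie (signature segment omitted; nothing
# below verifies it, this is inspection of claims only).
LOCATION = (
    "http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login"
    "?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2F"
    "securityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184"
)
KEYCLOAK_SESSION = (
    "jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae"
)
KEYCLOAK_IDENTITY = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcs"
    "Im5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0"
    "aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIs"
    "InNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJj"
    "ZV9hY2Nlc3MiOnt9fQ."
    "signature-omitted"
)

# Per Stian's reply: the ../login endpoint was retired in favour of ../auth.
DEPRECATED_ENDPOINTS = {"login": "auth"}


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Return the claims of a JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def parse_oidc_url(url):
    """Split a Keycloak OIDC URL into realm, endpoint and query parameters."""
    parts = urlsplit(url)
    segs = parts.path.strip("/").split("/")
    # Expected layout: auth/realms/<realm>/protocol/openid-connect/<endpoint>
    if len(segs) != 6 or segs[1] != "realms" or segs[3:5] != ["protocol", "openid-connect"]:
        raise ValueError("not a Keycloak OIDC endpoint path: " + parts.path)
    query = parse_qs(parts.query)

    def first(key):
        return query.get(key, [None])[0]

    return {
        "realm": segs[2],
        "endpoint": segs[5],
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "state": first("state"),
    }


def diagnose(location, session_cookie, identity_token, configured_clients):
    """Cross-check the redirect against the cookies the browser already holds.

    Findings are grouped by the symptom they explain: '404' for path problems
    (wrong realm, retired endpoint), 'login-error' for an unknown client_id,
    'session' for a cookie/token disagreement that points at stale state.
    """
    req = parse_oidc_url(location)
    claims = decode_jwt_payload(identity_token)
    cookie_realm, cookie_user, cookie_session = session_cookie.split("/")
    iss_realm = claims["iss"].rstrip("/").rsplit("/", 1)[-1]
    findings = {"404": [], "login-error": [], "session": []}

    if req["endpoint"] in DEPRECATED_ENDPOINTS:
        findings["404"].append("endpoint '%s' is retired, use '%s' (old adapter?)"
                               % (req["endpoint"], DEPRECATED_ENDPOINTS[req["endpoint"]]))
    if len({req["realm"], cookie_realm, iss_realm}) > 1:
        findings["404"].append("realm differs: url=%s cookie=%s token=%s"
                               % (req["realm"], cookie_realm, iss_realm))
    if req["client_id"] not in configured_clients:
        findings["login-error"].append("client_id '%s' is not a client of realm '%s'"
                                       % (req["client_id"], req["realm"]))
    if (claims["sub"], claims["session_state"]) != (cookie_user, cookie_session):
        findings["session"].append("KEYCLOAK_SESSION and KEYCLOAK_IDENTITY disagree")
    return findings


if __name__ == "__main__":
    # The realm in the dump has a client called "jenkins", not "ci".
    report = diagnose(LOCATION, KEYCLOAK_SESSION, KEYCLOAK_IDENTITY, {"jenkins"})
    for symptom, notes in report.items():
        for note in notes:
            print(symptom, ":", note)
```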
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160318/419fde79/attachment-0001.html From ado.boj.83 at gmail.com Fri Mar 18 09:55:45 2016 From: ado.boj.83 at gmail.com (Andrej Prievalsky) Date: Fri, 18 Mar 2016 14:55:45 +0100 Subject: [keycloak-user] Brute Force Detection - Get status of a username in brute force detection Message-ID: Hi, I have question concerning your REST_API: GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username} In 1.9.1..Final my setting per realm Demo looks like: [image: Inline image 1] I have noticed with this endpoint: - 1.) when user is not created the answer for this REST is same like for created user with 0 numFailures: { "numFailures": 0, "disabled": false, "lastIPFailure": "n/a", "lastFailure": 0 } - 2.) when Max Login Failures is set to 3 and I put 2 times incorrect password and 3rd time correct password numFailures is not reset by Keycloak: { "numFailures": 2, "disabled": false, .... .... } Are this 2 cases correct from your point of view? Thanks and Best Regards, Andrej. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160318/b78b7a9d/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 46216 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160318/b78b7a9d/attachment-0001.png From ali at affordabletours.com Fri Mar 18 10:31:47 2016 From: ali at affordabletours.com (Firdos Ali) Date: Fri, 18 Mar 2016 09:31:47 -0500 Subject: [keycloak-user] EJB Invalid User + Log Out not working In-Reply-To: References: <013001d17b01$c290ac60$47b20520$@affordabletours.com> <00af01d17edb$d7bb50d0$8731f270$@affordabletours.com> Message-ID: <03e301d18122$e7407f50$b5c17df0$@affordabletours.com> The EJB is called from the server-side web app. 
This is a legacy app using Struts, so after the user logs in from keycloak they are redirected back to the webapp. The web application has access to the user, however the EJB does not find a user and throws back the error. I have the following in my jboss-web.xml: java:/jaas/keycloak I have the following in my jboss-ejb3.xml: * keycloak true From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Friday, March 18, 2016 7:05 AM To: Firdos Ali Cc: keycloak-user ; Stian Thorgersen Subject: RE: [keycloak-user] EJB Invalid User + Log Out not working How is the ejb being called? From jax-rs service or server-side web app? For there to be a user you need to be authenticated as a user so either the server-side webapp has redirected to login page or there is a bearer token included in the authorisation header of the http request. On 15 Mar 2016 17:58, "Firdos Ali" > wrote: Thank you for the prompt response. I moved to keycloak 1.9.1 both on the server and updated the adapter, however it is still not working. Let me clarify on a few other things and hopefully that will provide some additional context We put our project in an ear file which contains one jar file inclusive of the stateless ejbs, one war file, and a few other supporting jar files. The war file has the keycloak.json with the following: { "realm": "affordabletours", "realm-public-key": "some key", "auth-server-url": "http://10.0.0.1:8080/auth", "ssl-required": "external", "resource": "keycloaktest", "credentials": { "secret": "some secret" } } Are you suggesting that I change the resource "keycloaktest" access type from "confidential" to "bearer-only"? If so, I tried that and unfortunately that did not work. I guess my confusion is how would the jar file with the ejbs is aware of the security context when it is only at the war level?
Thanks From: Stian Thorgersen [mailto:sthorger at redhat.com ] Sent: Friday, March 11, 2016 12:29 AM To: Firdos Ali > Cc: keycloak-user > Subject: Re: [keycloak-user] EJB Invalid User + Log Out not working On 10 March 2016 at 20:19, Firdos Ali > wrote: Hello, I am having a few problems with Keycloak. Let me first start with the environment information: Keycloak version: 1.9.0 Keycloak wildfly version: 10.0.0 Application wildfly version: 8.0.0 Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid User I have followed the documentation by adding the keycloak adapter to the application wildfly 8.0 and by server.xml has the following: ?. ?. ? MyEJB: @Stateless @Local(MyInt.class) @SecurityDomain("keycloak") public class MyBean implements MyInt ... @PermitAll @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW) public boolean myMethod(...) throws Exception { } At the moment I am not using jboss-ej3.xml as I reference the security domain in my EJB class. I added it and it did not help out Stacktrace: ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(?) 
throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448) at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61) at 
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185) at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) Is there something I am missing from the documentation? Any thoughts how to resolve this issue? Is there a bearer token sent with the request that invokes the EJB? If so try with 1.9.1. Could be https://issues.jboss.org/browse/KEYCLOAK-2518 fixes this. Problem 2: Unable to log out a user from keycloak administration console: After I click ?Logout? on the administration console in Keycloak, I see the following error on the keycloak server: ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder; at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) Are you using the standalone Keycloak server? Looking at javadocs for httpclient setConnectionTimeToLive was added in 4.4. WildFly 10 uses httpclient 4.5, so looks like for some reason you have an old version of httpclient. 
Best regards, _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160318/5fa92275/attachment-0001.html From sthorger at redhat.com Fri Mar 18 12:22:53 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Mar 2016 17:22:53 +0100 Subject: [keycloak-user] Brute Force Detection - Get status of a username in brute force detection In-Reply-To: References: Message-ID: numFailures should be reset after successful login On 18 Mar 2016 2:56 p.m., "Andrej Prievalsky" wrote: > Hi, > > I have question concerning your REST_API: > GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username} > In 1.9.1..Final my setting per realm Demo looks like: > > [image: Inline image 1] > > I have noticed with this endpoint: > > - 1.) when user is not created the answer for this REST is same like for > created user with 0 numFailures: > { > "numFailures": 0, > "disabled": false, > "lastIPFailure": "n/a", > "lastFailure": 0 > } > > - 2.) when Max Login Failures is set to 3 and I put 2 times incorrect > password and 3rd time correct password numFailures is not reset by Keycloak: > { > "numFailures": 2, > "disabled": false, > .... > .... > } > > Are this 2 cases correct from your point of view? > > Thanks and Best Regards, > Andrej. > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160318/ba486fcd/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... 
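Stian's answer fixes the expected semantics: numFailures is cleared by a successful login. The model below is an added example (not Keycloak's implementation) of a per-username failure counter that returns the same status shape as the attack-detection endpoint Andrej queried, with Max Login Failures set to 3 as in his realm; it also reproduces his first observation, that an unknown username is indistinguishable from a user with no failures. Usernames, source IPs and timestamps are constructed; temporary-lockout durations and the permanent-lockout mode are not modelled.

```python
from dataclasses import dataclass

# Realm setting quoted in the thread: Max Login Failures = 3.
MAX_LOGIN_FAILURES = 3


@dataclass
class UserLoginFailures:
    """Per-username failure record, mirroring the endpoint's JSON fields."""
    num_failures: int = 0
    last_ip_failure: str = "n/a"
    last_failure: int = 0  # epoch millis of the last failure, 0 if none


class BruteForceDetector:
    """Toy model of Keycloak-style login failure counting with lockout.

    status() returns the shape of
    GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}
    as shown in the thread; record_success() implements Stian's rule that a
    successful login resets numFailures.
    """

    def __init__(self, max_failures=MAX_LOGIN_FAILURES):
        self.max_failures = max_failures
        self._failures = {}

    def record_failure(self, username, source_ip, now_ms):
        rec = self._failures.setdefault(username, UserLoginFailures())
        rec.num_failures += 1
        rec.last_ip_failure = source_ip
        rec.last_failure = now_ms

    def record_success(self, username):
        # A correct password clears the counter. In Andrej's report (two
        # failures, then a success) numFailures stayed at 2, which is the
        # behaviour he asked about and Stian said should not happen.
        self._failures.pop(username, None)

    def is_disabled(self, username):
        rec = self._failures.get(username)
        return rec is not None and rec.num_failures >= self.max_failures

    def status(self, username):
        # An unknown username yields the same zeroed record as a user who has
        # never failed (Andrej's case 1), so this endpoint alone cannot be used
        # to tell whether an account exists.
        rec = self._failures.get(username, UserLoginFailures())
        return {
            "numFailures": rec.num_failures,
            "disabled": self.is_disabled(username),
            "lastIPFailure": rec.last_ip_failure,
            "lastFailure": rec.last_failure,
        }

    def attempt(self, username, password_ok, source_ip, now_ms):
        """Process one login attempt and return (allowed, status)."""
        if self.is_disabled(username):
            # Locked out: refuse even a correct password until an admin clears it.
            return False, self.status(username)
        if password_ok:
            self.record_success(username)
            return True, self.status(username)
        self.record_failure(username, source_ip, now_ms)
        return False, self.status(username)


if __name__ == "__main__":
    detector = BruteForceDetector()
    # Constructed sequence: two wrong passwords, then the right one.
    detector.attempt("demo-user", False, "192.0.2.10", 1_458_000_000_000)
    detector.attempt("demo-user", False, "192.0.2.10", 1_458_000_001_000)
    print(detector.status("demo-user"))   # numFailures 2, disabled False
    detector.attempt("demo-user", True, "192.0.2.10", 1_458_000_002_000)
    print(detector.status("demo-user"))   # numFailures back to 0
```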
From stefan.reuter at reucon.com Fri Mar 18 14:45:37 2016
From: stefan.reuter at reucon.com (Stefan Reuter)
Date: Fri, 18 Mar 2016 19:45:37 +0100
Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often?
References: <56EBC4A0.8040703@redhat.com> <56EBC5AE.5020905@redhat.com>
Message-ID: <56EC4CD1.8050405@reucon.com>

On 18/03/16 12:58, Stian Thorgersen wrote:
> Seems like a strange requirement. I can see why you would want users to
> update the password frequently, not the other way around. Or is there
> something I'm missing?

This makes sense when combined with a password history policy. To prevent users from reusing old passwords you also have to prevent them from changing the password immediately after it was just changed.

=Stefan

From xiao.ma at masergy.com Sun Mar 20 10:58:30 2016
From: xiao.ma at masergy.com (Xiao Ma)
Date: Sun, 20 Mar 2016 10:58:30 -0400
Subject: [keycloak-user] Logout to the external IDP

Hi,

I configured an OIDC identity provider by selecting the "OpenID Connect v1.0" identity provider from the drop-down box in the top right corner of the identity providers table in Keycloak's Admin Console. During the configuration process, I also configured "Logout Url" with the IDP logout URL.

When I try to log out to the external IDP, the browser is redirected to the external IDP to perform the logout. I can see a URL as follows:

https://keycloakdev.xxxxxxx.com/auth/realms/Internal/protocol/openid-connect/logout?state=a4efbda0-8b98-4169-a369-59e92bc3fac5&id_token_hint=eyJhbGciOiJSUzI1NiJ9.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.BIneKvUpSPq4c32dV5JclWPjtbA0U55u8Pf_C7KDokNMMBKCERHnzIS8-9csBxh8NLJbB_PmApMY0raAz-YPOcwyvmsOJ23bSrDR3Oa2HZ5JEGzs9IVFyhzQXJuDBCBWcPZl-eNxnxdGkNJBd7Cx03iWsUVUE9NeJYPjeZ5s8rmDtaX38V6JywugWRby5rfSZDLpu7xoGj6a_ZSZEXUfktwCMHS0Jnz_1M778Bmka0TcD1bvIpuqVl4-YQf2P3UZWgxqFQoNDVegZUNuekqUQyJiuRjlQuhITg5tDYfy2DbhkqVsN2gR7mUp21WNx2S5pG5Hb9cXajIVGR6SmW4qKA

"keycloakdev.xxxxxxx.com" is where the external IDP is located. "Internal" is the name of the realm. The parameters "state" and "id_token_hint" are appended to the logout endpoint URL automatically during the logout process.

However, this process failed because I got a "Session Not Active" error in the UI. After some investigation, I found this "Session Not Active" error seems to be related to the value of Realm Settings -> Tokens -> Access Token Lifespan I configured. The default value is 5 minutes: if I trigger the logout within 5 minutes, I can log out to the external IDP successfully. If I do the logout after 5 minutes, I get this "Session Not Active" error. Is this the expected behavior? Do I have to bump up the value of "Access Token Lifespan" to get a longer session for the logout purpose?

Thanks a lot for the help!

Xiao

From Anthony.Fryer at virginaustralia.com Sun Mar 20 23:50:11 2016
From: Anthony.Fryer at virginaustralia.com (Anthony Fryer)
Date: Mon, 21 Mar 2016 03:50:11 +0000
Subject: [keycloak-user] How to detect if user is already logged in?
Message-ID: <8EE3449CB6463C4FB0544A12CEA72DD7DEC06295@iskexcemxprd02.virginblue.internal>

Hi All,

We're implementing SSO across multiple applications using Keycloak. Some of these applications are traditional Java web apps and some are single-page JavaScript apps. For the Java web applications, we're using the standard flow and the "Spring Security Adapter" to implement this.

One of the use cases we have to support is: when a user goes to the landing page of a web application, the header should show whether the user is already logged in or not. When a user has logged in from a different application and then navigates to another application using a bookmark, they're accessing a non-protected URL. The user wouldn't have an authenticated session with the web application yet, so how can we tell if the user has already logged in from the previous application? They would already have a session with the Keycloak server.

It seems this is possible from single-page applications using the Keycloak JavaScript adapter with the "check-sso" initialization option, but it is not clear how this can be achieved from a traditional web application using the "Spring Security Adapter".

Any suggestions would be appreciated.

Cheers,

Anthony Fryer

From ado.boj.83 at gmail.com Mon Mar 21 04:06:34 2016
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Mon, 21 Mar 2016 09:06:34 +0100
Subject: [keycloak-user] Brute Force Detection - Get status of a username in brute force detection

Thanks for the answer to the 2nd question. I will write a JIRA.
But I didn't get an answer to my 1st question.

On Fri, Mar 18, 2016 at 5:22 PM, Stian Thorgersen wrote:
> numFailures should be reset after successful login
> [...]

From sthorger at redhat.com Mon Mar 21 05:05:32 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Mar 2016 10:05:32 +0100
Subject: [keycloak-user] Brute Force Detection - Get status of a username in brute force detection

In case #1 returning 0 for a non-existent user is fine in my opinion.

On 21 March 2016 at 09:06, Andrej Prievalsky wrote:
> Thanks for the answer to the 2nd question. I will write a JIRA.
> But I didn't get an answer to my 1st question.
> [...]

From adrianmatei at gmail.com Mon Mar 21 09:35:58 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Mon, 21 Mar 2016 14:35:58 +0100
Subject: [keycloak-user] User old password verification via REST admin api

Hi everyone,

Use case: "reset user password via REST admin API - PUT /admin/realms/{realm}/users/{id}/reset-password"

Is there a possibility to verify the user's old password before changing it, as is the case via the Account app?

Thanks,
Adrian
From daniele.capasso at dnshosting.it Mon Mar 21 09:41:07 2016
From: daniele.capasso at dnshosting.it (daniele.capasso at dnshosting.it)
Date: Mon, 21 Mar 2016 14:41:07 +0100
Subject: [keycloak-user] issue on user registration
Message-ID: <06961fe3b778c1db474a61ad0d0df4e9@dnshosting.it>

I do not understand how to set up a role. I insert a new user and call this function without errors, but it does not assign the role in Keycloak:

public void addRoleToUser(String idKeycloak, String clientRole) {
    UserRepresentation user = getUserRepresentation(idKeycloak);
    // generics restored: the archive stripped the <String, List<String>> type arguments
    Map<String, List<String>> roles = user.getClientRoles();
    List<String> rolesInClient = null;
    if (roles != null) {
        rolesInClient = roles.get(getKeycloakCurrentClient());
    } else {
        roles = new HashMap<String, List<String>>();
    }
    if (rolesInClient == null) {
        // the map may exist without an entry for this client; avoid a NullPointerException
        rolesInClient = new ArrayList<String>();
    }
    rolesInClient.add(clientRole);
    roles.put(getKeycloakCurrentClient(), rolesInClient);
    user.setClientRoles(roles);
    UserResource userResource = getUserResource(idKeycloak);
    userResource.update(user);
}

On 2016-03-18 12:58, Stian Thorgersen wrote:
> Creating a user through admin rest is 3 requests. Create user, update
> credentials, assign roles. Not very elegant that's true and we will
> improve it eventually.
>
> On 17 Mar 2016 19:24, "Lohitha Chiranjeewa" wrote:
>
>> As far as I know, you have to trigger the Assign Client Role
>> (http://keycloak.github.io/docs/rest-api/index.html#_add_client_level_roles_to_the_user_role_mapping)
>> endpoint to achieve that. Although the payload allows you to
>> supply roles to the Create User endpoint, it doesn't assign any
>> roles underneath. This has been the behavior for a long time.
>>
>> Regards,
>> Lohitha.
>>
>> On Thu, Mar 17, 2016 at 7:47 PM, wrote:
>>
>>> Hi, I want to register a user via the Keycloak admin client.
>>>
>>> This is the source; it works except for the role. What am I doing wrong?
>>>
>>> CredentialRepresentation credential = new CredentialRepresentation();
>>> credential.setType(CredentialRepresentation.PASSWORD);
>>> credential.setValue(model.getPassword());
>>> credential.setTemporary(false);
>>>
>>> UserRepresentation userRepresentation = new UserRepresentation();
>>> userRepresentation.setEmail(model.getEmail());
>>> userRepresentation.setFirstName(model.getName());
>>> userRepresentation.setLastName(model.getSurname());
>>> userRepresentation.setUsername(model.getEmail());
>>> userRepresentation.setCredentials(Arrays.asList(credential));
>>> userRepresentation.setEnabled(true);
>>> userRepresentation.setClientRoles(new HashMap<String, List<String>>() {{
>>>     put(kcApi.getKeycloakCurrentClient(), Arrays.asList("ROLE_USER_HOST"));
>>> }});
>>>
>>> Response resp = kcApi.createUser(userRepresentation);
>>>
>>> thank you

From sthorger at redhat.com Mon Mar 21 10:02:16 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Mar 2016 15:02:16 +0100
Subject: [keycloak-user] issue on user registration
In-Reply-To: <06961fe3b778c1db474a61ad0d0df4e9@dnshosting.it>
References: <06961fe3b778c1db474a61ad0d0df4e9@dnshosting.it>

I usually use the admin console and look at the request it sends to figure out how to use the REST endpoints. It's usually simpler than reading the not so great docs.
On 21 March 2016 at 14:41, wrote:
> I do not understand how to set up a role. I insert a new user and call
> this function without errors, but it does not assign the role in Keycloak
> [...]
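The three admin calls Stian describes (create user, update credentials, assign roles), written against the keycloak-admin-client API as an added example that is not from this thread or the Keycloak project. The server URL, admin credentials, realm "demo" and client "my-app" are placeholders; only the role name "ROLE_USER_HOST" comes from the original post. The point is that client roles go through the role-mapping resource, because the create and update endpoints ignore UserRepresentation.clientRoles.

```java
import java.util.Collections;
import java.util.List;

import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Registers a user and assigns a client role as three separate admin calls.
 * Server URL, realm, client id and admin credentials are placeholder assumptions.
 */
public class RegisterUserWithClientRole {

    public static void main(String[] args) {
        // Admin credentials come from the environment rather than being hard-coded.
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth",          // auth-server-url (placeholder)
                "master",                               // realm the admin account lives in
                System.getenv("KC_ADMIN_USER"),
                System.getenv("KC_ADMIN_PASSWORD"),
                "admin-cli");
        RealmResource realm = keycloak.realm("demo");   // target realm (placeholder)

        String userId = createUser(realm, "alice@example.com", "Alice", "Example");
        setInitialPassword(realm, userId, "ChangeMe-Now!");
        assignClientRole(realm, userId, "my-app", "ROLE_USER_HOST");
    }

    /** Request 1: POST /admin/realms/{realm}/users. Returns the new user's id. */
    static String createUser(RealmResource realm, String email, String first, String last) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(email);
        user.setEmail(email);
        user.setFirstName(first);
        user.setLastName(last);
        user.setEnabled(true);
        // Deliberately no user.setClientRoles(...): the create endpoint does not apply it.

        Response resp = realm.users().create(user);
        try {
            if (resp.getStatus() != 201) {
                // 409 means the username or email already exists; anything else is an error too.
                throw new IllegalStateException("user creation failed: HTTP " + resp.getStatus());
            }
            // The new id is the last path segment of the Location header.
            String path = resp.getLocation().getPath();
            return path.substring(path.lastIndexOf('/') + 1);
        } finally {
            resp.close();
        }
    }

    /** Request 2: PUT /admin/realms/{realm}/users/{id}/reset-password. */
    static void setInitialPassword(RealmResource realm, String userId, String password) {
        CredentialRepresentation cred = new CredentialRepresentation();
        cred.setType(CredentialRepresentation.PASSWORD);
        cred.setValue(password);
        cred.setTemporary(true);   // the user must pick their own password at first login
        realm.users().get(userId).resetPassword(cred);
    }

    /**
     * Request 3: POST /admin/realms/{realm}/users/{id}/role-mappings/clients/{clientUuid}.
     * The path takes the client's internal UUID, not its clientId, so resolve it first.
     */
    static void assignClientRole(RealmResource realm, String userId,
                                 String clientId, String roleName) {
        List<ClientRepresentation> clients = realm.clients().findByClientId(clientId);
        if (clients.isEmpty()) {
            throw new IllegalArgumentException("no client with clientId " + clientId);
        }
        String clientUuid = clients.get(0).getId();

        // Fetching the role first means a mistyped role name fails loudly instead of silently.
        RoleRepresentation role = realm.clients().get(clientUuid)
                .roles().get(roleName).toRepresentation();

        UserResource user = realm.users().get(userId);
        user.roles().clientLevel(clientUuid).add(Collections.singletonList(role));
    }
}
```

The admin account used needs the realm-management roles for user and role mapping changes in the target realm, so it should be a dedicated service account rather than a full realm admin.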
From sthorger at redhat.com Mon Mar 21 10:11:01 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Mar 2016 15:11:01 +0100
Subject: [keycloak-user] User old password verification via REST admin api

No, with the admin endpoints you can't retrieve the password, nor can you expect an admin to know the existing password, so it shouldn't verify it either.

On 21 March 2016 at 14:35, Adrian Matei wrote:
> Hi everyone,
>
> Use case: "reset user password via REST admin API - PUT
> /admin/realms/{realm}/users/{id}/reset-password"
>
> Is there a possibility to verify the user's old password before changing
> it, as is the case via the Account app?
>
> Thanks,
> Adrian

From bburke at redhat.com Mon Mar 21 10:26:21 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 21 Mar 2016 10:26:21 -0400
Subject: [keycloak-user] Logout to the external IDP
Message-ID: <56F0048D.4050601@redhat.com>

I think this is a bug. We probably don't refresh the token that is obtained by the "child" IDP.

https://issues.jboss.org/browse/KEYCLOAK-2691

On 3/20/2016 10:58 AM, Xiao Ma wrote:
> Hi,
>
> I configured a OIDC identity provider by selecting the OpenID Connect
> v1.0 identity provider from the drop-down box on the top right corner
> of the identity providers table in Keycloak's Admin Console.
> [...]

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From bburke at redhat.com Mon Mar 21 10:56:00 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 21 Mar 2016 10:56:00 -0400
Subject: [keycloak-user] EJB Invalid User + Log Out not working
In-Reply-To: <03e301d18122$e7407f50$b5c17df0$@affordabletours.com>
References: <013001d17b01$c290ac60$47b20520$@affordabletours.com> <00af01d17edb$d7bb50d0$8731f270$@affordabletours.com> <03e301d18122$e7407f50$b5c17df0$@affordabletours.com>
Message-ID: <56F00B80.90800@redhat.com>

Sorry for the late response. We were all traveling last week for face to face meetings.

Check out this:

http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jboss-adapter

Look for KeycloakLoginModule. You have to set this up in order to propagate between component layers. I wish we didn't have to require this extra step, but it's just a fallacy of the current WildFly security architecture.

On 3/18/2016 10:31 AM, Firdos Ali wrote:
> The EJB is called from the server-side web app. This is a legacy app
> using Struts, so after the user logs in from Keycloak they are
> redirected back to the webapp. The web application has access to the
> user, however the EJB does not find a user and throws back the error.
>
> I have the following in my jboss-web.xml [XML element tags stripped by the
> archive; only this value survives]:
>
> java:/jaas/keycloak
>
> I have the following in my jboss-ejb3.xml [XML element tags stripped by the
> archive; only attributes and text values survive]:
>
> xmlns="http://java.sun.com/xml/ns/javaee"
> xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:s="urn:security:1.1"
> version="3.1" impl-version="2.0">
> *
> keycloak
> true
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Friday, March 18, 2016 7:05 AM
> To: Firdos Ali
> Cc: keycloak-user; Stian Thorgersen
> Subject: RE: [keycloak-user] EJB Invalid User + Log Out not working
>
> How is the EJB being called? From a JAX-RS service or a server-side web
> app? For there to be a user you need to be authenticated as a user, so
> either the server-side webapp has redirected to the login page or there is
> a bearer token included in the Authorization header of the HTTP request.
>
> On 15 Mar 2016 17:58, "Firdos Ali" wrote:
>
> Thank you for the prompt response.
>
> I moved to Keycloak 1.9.1 both on the server and updated the adapter,
> however it is still not working. Let me clarify a few other things
> and hopefully that will provide some additional context.
>
> We put our project in an EAR file which contains one JAR file
> with the stateless EJBs, one WAR file, and a few other
> supporting JAR files.
>
> The WAR file has the keycloak.json with the following:
>
> {
>   "realm": "affordabletours",
>   "realm-public-key": "some key",
>   "auth-server-url": "http://10.0.0.1:8080/auth",
>   "ssl-required": "external",
>   "resource": "keycloaktest",
>   "credentials": {
>     "secret": "some secret"
>   }
> }
>
> Are you suggesting that I change the resource "keycloaktest" access
> type from "confidential" to "bearer-only"? If so, I tried that and
> unfortunately that did not work. I guess my confusion is how the
> JAR file with the EJBs would be aware of the security context when it is
> only at the WAR level? Thanks
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Friday, March 11, 2016 12:29 AM
> To: Firdos Ali
> Cc: keycloak-user
> Subject: Re: [keycloak-user] EJB Invalid User + Log Out not working
>
> On 10 March 2016 at 20:19, Firdos Ali wrote:
>
> Hello,
>
> I am having a few problems with Keycloak. Let me first start with
> the environment information:
>
> Keycloak version: 1.9.0
> Keycloak WildFly version: 10.0.0
> Application WildFly version: 8.0.0
>
> Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid User
>
> I have followed the documentation by adding the Keycloak adapter
> to the application WildFly 8.0, and my server.xml has the following
> [XML element tags stripped by the archive; only this fragment survives]:
>
> code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>
> MyEJB:
>
> @Stateless
> @Local(MyInt.class)
> @SecurityDomain("keycloak")
> public class MyBean implements MyInt
> ...
> @PermitAll
> @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
> public boolean myMethod(...) throws Exception {
> }
>
> At the moment I am not using jboss-ejb3.xml as I reference the
> security domain in my EJB class. I added it and it did not help.
>
> Stacktrace:
>
> ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(...) throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User
>     at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
>     at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
>     at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
>     at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>     at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
>     at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
>     at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
>     at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
>
> Is there something I am missing from the documentation? Any
> thoughts how to resolve this issue?
>
> Is there a bearer token sent with the request that invokes the EJB? If
> so try with 1.9.1. Could be
> https://issues.jboss.org/browse/KEYCLOAK-2518 fixes this.
>
> Problem 2: Unable to log out a user from the Keycloak administration console:
>
> After I click "Logout" on the administration console in Keycloak,
> I see the following error on the Keycloak server:
>
> ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder;
>     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>
> Are you using the standalone Keycloak server? Looking at javadocs for
> httpclient, setConnectionTimeToLive was added in 4.4. WildFly 10 uses
> httpclient 4.5, so it looks like for some reason you have an old version
> of httpclient.
>
> Best regards,

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ali at affordabletours.com Mon Mar 21 11:14:48 2016
From: ali at affordabletours.com (Firdos Ali)
Date: Mon, 21 Mar 2016 10:14:48 -0500
Subject: [keycloak-user] EJB Invalid User + Log Out not working
In-Reply-To: <56F00B80.90800@redhat.com>
References: <013001d17b01$c290ac60$47b20520$@affordabletours.com> <00af01d17edb$d7bb50d0$8731f270$@affordabletours.com> <03e301d18122$e7407f50$b5c17df0$@affordabletours.com> <56F00B80.90800@redhat.com>
Message-ID: <04eb01d18384$6911f000$3b35d000$@affordabletours.com>

Thank you, and I hope that your meetings went well. I already had that in place when I read the documentation, which is why it was really odd to see it not work. Below is my server.xml file [XML element tags stripped by the archive; only these text values survive]:

affordabletours atoms ... http://10.0.0.2:8080/auth EXTERNAL some secret

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Monday, March 21, 2016 9:56 AM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] EJB Invalid User + Log Out not working

Sorry for the late response. We were all traveling last week for face to face meetings.
Check out this: http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jbos s-adapter Look for KeycloakLoginModule You have to set this up in order to propagate between component layers. I wish we didn't have to require this extra step, but its just a falacy of the current Wildfly security architecture. On 3/18/2016 10:31 AM, Firdos Ali wrote: The EJB is called from the server-side web app. This is a legacy app using Struts, so after the user logs in from keycloak they are redirected back to the webapp. The web application has access to the user, however the EJB does not find a user and throws back the error. I have the following in my jboss-web.xml: java:/jaas/keycloak I have the following in my jboss-ejb3.xml: "http://java.sun.com/xml/ns/javaee" xmlns:jboss= "http://www.jboss.com/xml/ns/javaee" xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance" xmlns:s="urn:security:1.1" version="3.1" impl-version="2.0"> * keycloak true From: Stian Thorgersen [ mailto:sthorger at redhat.com] Sent: Friday, March 18, 2016 7:05 AM To: Firdos Ali Cc: keycloak-user ; Stian Thorgersen Subject: RE: [keycloak-user] EJB Invalid User + Log Out not working How is the ejb being called? >From jax-rs service or server-side web app? For there to be a user you need to be authenticated as a user so either the server-side webapp has redirected to login page or there is a bearer token included in the authorisation header of the http request. On 15 Mar 2016 17:58, "Firdos Ali" > wrote: Thank you for the prompt response. I moved to keycloak 1.9.1 both on the server and updated the adapter, however it is still not working. Let me clarify on a few other things and hopefully that will provide some additional context We put our project in an ear file which contains one jar file inclusive of the stateless ejbs, one war file, and a few other supporting jar files. 
The war file has the keycloak.json with the following:

{
    "realm": "affordabletours",
    "realm-public-key": "some key",
    "auth-server-url": "http://10.0.0.1:8080/auth",
    "ssl-required": "external",
    "resource": "keycloaktest",
    "credentials": {
        "secret": "some secret"
    }
}

Are you suggesting that I change the resource "keycloaktest" access type from 'confidential' to 'bearer-only'? If so, I tried that and unfortunately that did not work. I guess my confusion is how the jar file with the ejbs is aware of the security context when it is only at the war level?

Thanks

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, March 11, 2016 12:29 AM
To: Firdos Ali <ali at affordabletours.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] EJB Invalid User + Log Out not working

On 10 March 2016 at 20:19, Firdos Ali wrote:

Hello,

I am having a few problems with Keycloak. Let me first start with the environment information:

Keycloak version: 1.9.0
Keycloak wildfly version: 10.0.0
Application wildfly version: 8.0.0

Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid User

I have followed the documentation by adding the keycloak adapter to the application wildfly 8.0 and my server.xml has the following:

.. .. .

MyEJB:

@Stateless
@Local(MyInt.class)
@SecurityDomain("keycloak")
public class MyBean implements MyInt {
    ...
    @PermitAll
    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public boolean myMethod(...) throws Exception {
    }
}

At the moment I am not using jboss-ejb3.xml as I reference the security domain in my EJB class. I added it and it did not help out.

Stacktrace:

ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB Invocation failed on component MyBean for method public abstract boolean com.at.ejb.MyInt.myMethod(.)
throws java.lang.Exception: javax.ejb.EJBAccessException: JBAS013323: Invalid User
    at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
    at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
    at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)

Is there something I am missing from the documentation? Any thoughts how to resolve this issue?

Is there a bearer token sent with the request that invokes the EJB? If so try with 1.9.1. Could be https://issues.jboss.org/browse/KEYCLOAK-2518 fixes this.

Problem 2: Unable to log out a user from keycloak administration console:

After I click "Logout" on the administration console in Keycloak, I see the following error on the keycloak server:

ERROR [io.undertow.request] (default task-26) UT005023: Exception handling request to /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder;
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)

Are you using the standalone Keycloak server? Looking at javadocs for httpclient setConnectionTimeToLive was added in 4.4. WildFly 10 uses httpclient 4.5, so looks like for some reason you have an old version of httpclient.
Best regards,

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From xiao.ma at masergy.com Mon Mar 21 11:25:51 2016
From: xiao.ma at masergy.com (Xiao Ma)
Date: Mon, 21 Mar 2016 11:25:51 -0400
Subject: [keycloak-user] Logout to the external IDP
In-Reply-To: <56F0048D.4050601@redhat.com>
References: <56F0048D.4050601@redhat.com>

Thank you, Bill! I am wondering what your rough estimate is on when you are going to release 1.9.2.Final.

Best Regards,
Xiao

On Mon, Mar 21, 2016 at 10:26 AM, Bill Burke wrote:
> I think this is a bug. We probably don't refresh the token that is obtained by the "child" IDP.
>
> https://issues.jboss.org/browse/KEYCLOAK-2691
>
> On 3/20/2016 10:58 AM, Xiao Ma wrote:
>
> Hi,
>
> I configured an OIDC identity provider by selecting the OpenID Connect v1.0 identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. During the configuration process, I also configure "Logout Url" for the IDP logout url.
>
> When I try to logout to the external IDP, the browser is redirected to the external IDP to perform the logout.
> I can see some URL as follows:
>
> https://keycloakdev.xxxxxxx.com/auth/realms/Internal/protocol/openid-connect/logout?state=a4efbda0-8b98-4169-a369-59e92bc3fac5&id_token_hint=eyJhbGciOiJSUzI1NiJ9....BIneKvUpSPq4c32dV5JclWPjtbA0U55u8Pf_C7KDokNMMBKCERHnzIS8-9csBxh8NLJbB_PmApMY0raAz-YPOcwyvmsOJ23bSrDR3Oa2HZ5JEGzs9IVFyhzQXJuDBCBWcPZl-eNxnxdGkNJBd7Cx03iWsUVUE9NeJYPjeZ5s8rmDtaX38V6JywugWRby5rfSZDLpu7xoGj6a_ZSZEXUfktwCMHS0Jnz_1M778Bmka0TcD1bvIpuqVl4-YQf2P3UZWgxqFQoNDVegZUNuekqUQyJiuRjlQuhITg5tDYfy2DbhkqVsN2gR7mUp21WNx2S5pG5Hb9cXajIVGR6SmW4qKA
>
> "keycloakdev.xxxxxxx.com" is where the external IDP is located. "Internal" is the name of the realm. The parameters "state" and "id_token_hint" are appended to the endpoint logout URL automatically during the logout process.
>
> However, this process failed because I got "Session Not Active" error in the UI. After some investigations, I found this "Session Not Active" error seems to be related to the value of Realm Setting -> Tokens -> Access Token Lifespan I configured. The default value is 5 minutes; if I trigger the logout within 5 minutes, I can logout to the external IDP successfully. If I do the logout after 5 minutes, I will get this "Session Not Active" error. Is this the expected behavior? Do I have to bump up the value of "Access Token Lifespan" to get a longer session for the logout purpose?
>
> Thanks a lot for the help!
> Xiao
>
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From ado.boj.83 at gmail.com Mon Mar 21 12:00:19 2016
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Mon, 21 Mar 2016 17:00:19 +0100
Subject: [keycloak-user] Brute Force Detection - Get status of a username in brute force detection

JIRA created for case #2: https://issues.jboss.org/browse/KEYCLOAK-2692

On Mon, Mar 21, 2016 at 10:05 AM, Stian Thorgersen wrote:
> In case #1 returning 0 for non-existent user is fine in my opinion.
>
> On 21 March 2016 at 09:06, Andrej Prievalsky wrote:
>> Thanks for answer for 2nd question. I will write JIRA.
>> But I didn't get answer for my 1st question.
>>
>> On Fri, Mar 18, 2016 at 5:22 PM, Stian Thorgersen wrote:
>>> numFailures should be reset after successful login
>>>
>>> On 18 Mar 2016 2:56 p.m., "Andrej Prievalsky" wrote:
>>>> Hi,
>>>>
>>>> I have question concerning your REST API:
>>>> GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}
>>>> In 1.9.1.Final my setting per realm Demo looks like:
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> I have noticed with this endpoint:
>>>>
>>>> 1.) when user is not created the answer for this REST is same like for created user with 0 numFailures:
>>>> {
>>>>   "numFailures": 0,
>>>>   "disabled": false,
>>>>   "lastIPFailure": "n/a",
>>>>   "lastFailure": 0
>>>> }
>>>>
>>>> 2.) when Max Login Failures is set to 3 and I put 2 times incorrect password and 3rd time correct password numFailures is not reset by Keycloak:
>>>> {
>>>>   "numFailures": 2,
>>>>   "disabled": false,
>>>>   ....
>>>>   ....
>>>> }
>>>>
>>>> Are these 2 cases correct from your point of view?
>>>>
>>>> Thanks and Best Regards,
>>>> Andrej.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 46216 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160321/bce9609f/attachment-0001.png

From Anthony.Fryer at virginaustralia.com Mon Mar 21 19:26:09 2016
From: Anthony.Fryer at virginaustralia.com (Anthony Fryer)
Date: Mon, 21 Mar 2016 23:26:09 +0000
Subject: [keycloak-user] spring security adapter and single log out
Message-ID: <8EE3449CB6463C4FB0544A12CEA72DD7DEC074F3@iskexcemxprd02.virginblue.internal>

I've noticed some issues when testing single logout with the spring security adapter. I set up the admin url for the test application that used the spring security adapter in keycloak and tested logging out from keycloak and it didn't invalidate the session. This is consistent with what I saw in other environments while testing. I did some digging and found that the spring adapter isn't working correctly for single log out in my environments.
We're not using spring boot so not sure if that might be a reason why it's not working out of the box.

The issue is with the org.keycloak.adapters.springsecurity.management.HttpSessionManager class. This implements javax.servlet.http.HttpSessionListener to receive events when sessions are created and stores the sessions in a hash map. When you do a logout from keycloak, it sends a POST request to /k_logout. This results in a call to the HttpSessionManager.logoutHttpSessions method with the session id passed in as an argument. This method attempts to look up the session in the hashmap and call the invalidate() method.

The problem is by default the HttpSessionManager class isn't receiving the session create events. You need to configure it as a listener in web.xml to enable that. But even if you do that it still doesn't work because the servlet container will create an instance of the class, but spring will also create another instance when creating the keycloak beans and this new instance is the one passed into the KeycloakPreAuthActionsFilter constructor. So the instance that is created by the servlet container is the one receiving the session create event and the one used by spring isn't receiving any events but is the one used to do the logoutHttpSessions() call. The spring instance has no sessions in the hashmap, so logoutHttpSessions() does nothing.

The fix is to make a new version of HttpSessionManager that implements org.keycloak.adapters.spi.UserSessionManagement and org.springframework.context.ApplicationListener, which is a spring interface that receives session create/destroy events. In web.xml you need to register org.springframework.security.web.session.HttpSessionEventPublisher as a listener so spring will receive those events from the servlet container. Then in the spring config, you need the KeycloakPreAuthActionsFilter to be initialized with the new HttpSessionManager instead of the default one.
The HttpSessionManager class that works for me is below...

package my.keycloak;

import java.util.List;

import javax.servlet.http.HttpSession;

import org.keycloak.adapters.spi.UserSessionManagement;
import org.keycloak.adapters.springsecurity.management.LocalSessionManagementStrategy;
import org.keycloak.adapters.springsecurity.management.SessionManagementStrategy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.web.session.HttpSessionCreatedEvent;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

/**
 * Tracks HTTP sessions through Spring's session events (published by
 * HttpSessionEventPublisher) rather than a servlet-container listener, so the
 * bean instance that the k_logout handler calls is the same instance that has
 * seen the sessions being created.
 */
public class HttpSessionManager implements UserSessionManagement, ApplicationListener<ApplicationEvent> {

    private static final Logger log = LoggerFactory.getLogger(HttpSessionManager.class);

    private SessionManagementStrategy sessions = new LocalSessionManagementStrategy();

    @Override
    public void logoutAll() {
        log.info("Received request to log out all users.");
        for (HttpSession session : sessions.getAll()) {
            session.invalidate();
        }
        sessions.clear();
    }

    @Override
    public void logoutHttpSessions(List<String> ids) {
        log.info("Received request to log out {} session(s): {}", ids.size(), ids);
        for (String id : ids) {
            HttpSession session = sessions.remove(id);
            if (session != null) {
                session.invalidate();
            }
        }
        // Only the listed sessions are dropped. Clearing the whole map here would
        // make every later single-session logout for other users a silent no-op.
    }

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof HttpSessionCreatedEvent) {
            HttpSession session = ((HttpSessionCreatedEvent) event).getSession();
            log.debug("Session created: {}", session.getId());
            sessions.store(session);
        } else if (event instanceof HttpSessionDestroyedEvent) {
            HttpSession session = ((HttpSessionDestroyedEvent) event).getSession();
            sessions.remove(session.getId());
            log.debug("Session destroyed: {}", session.getId());
        }
    }
}

The keycloak config changes are below...
import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    // Override the adapter's filter bean so it is wired with the session manager
    // that actually receives the session events, not the adapter's default one.
    @Bean
    protected KeycloakPreAuthActionsFilter keycloakPreAuthActionsFilter() {
        return new KeycloakPreAuthActionsFilter(springHttpSessionManager());
    }

    @Bean
    protected my.keycloak.HttpSessionManager springHttpSessionManager() {
        return new my.keycloak.HttpSessionManager();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/sso/logout"))
                .and()
            .authorizeRequests()
                .antMatchers("/user*").authenticated()
                .anyRequest().permitAll();
    }
}

and web.xml needs this added to it...

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

After making the above changes, log out from the keycloak admin console works as expected.

Regards,
Anthony Fryer

The content of this e-mail, including any attachments, is a confidential communication between Virgin Australia Airlines Pty Ltd (Virgin Australia) or its related entities (or the sender if this email is a private communication) and the intended addressee and is for the sole use of that intended addressee. If you are not the intended addressee, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. If you have received this e-mail in error please contact the sender immediately and then delete the message and any attachment(s). There is no warranty that this email is error, virus or defect free. This email is also subject to copyright.
No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If this is a private communication it does not represent the views of Virgin Australia or its related entities. Please be aware that the contents of any emails sent to or from Virgin Australia or its related entities may be periodically monitored and reviewed. Virgin Australia and its related entities respect your privacy. Our privacy policy can be accessed from our website: www.virginaustralia.com

From DSzeto at investlab.com Mon Mar 21 21:44:14 2016
From: DSzeto at investlab.com (Doug Szeto)
Date: Tue, 22 Mar 2016 01:44:14 +0000
Subject: [keycloak-user] User old password verification via REST admin api

If you already have the username and old password that you want to check, I just attempt to retrieve an access token. If it works, you know the old password is correct, then you can proceed in changing the password.

POST - /auth/realms/{realm}/protocol/openid-connect/token

headers.set("content-type", "application/x-www-form-urlencoded");
headers.set("accept", "application/json");

body.add("grant_type", "password");
body.add("username", username);
body.add("password", password);
body.add("client_id", {clientId});

From: on behalf of Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Monday, March 21, 2016 at 10:11 PM
To: Adrian Matei
Cc: keycloak-user
Subject: Re: [keycloak-user] User old password verification via REST admin api

No, with the admin endpoints you can't retrieve the password, nor can you expect an admin to know the existing password so it shouldn't verify it either.
On 21 March 2016 at 14:35, Adrian Matei wrote:

Hi everyone,

Use case: "reset user password via REST admin API - PUT /admin/realms/{realm}/users/{id}/reset-password"

Is there a possibility to verify the user's old password before changing it, as is the case via the Account app?

Thanks,
Adrian

From sthorger at redhat.com Tue Mar 22 02:13:50 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 22 Mar 2016 07:13:50 +0100
Subject: [keycloak-user] User old password verification via REST admin api

Bear in mind that approach will result in a session being created, so I wouldn't recommend doing that to check password.

On 22 Mar 2016 01:44, "Doug Szeto" wrote:
> If you already have the username and old password that you want to check, I just attempt to retrieve an access token. If it works, you know the old password is correct, then you can proceed in changing the password.
>
> POST - /auth/realms/{realm}/protocol/openid-connect/token
>
> headers.set("content-type", "application/x-www-form-urlencoded");
> headers.set("accept", "application/json");
>
> body.add("grant_type", "password");
> body.add("username", username);
> body.add("password", password);
> body.add("client_id", {clientId});
>
> From: on behalf of Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Monday, March 21, 2016 at 10:11 PM
> To: Adrian Matei
> Cc: keycloak-user
> Subject: Re: [keycloak-user] User old password verification via REST admin api
>
> No, with the admin endpoints you can't retrieve the password, nor can you expect an admin to know the existing password so it shouldn't verify it either.
> On 21 March 2016 at 14:35, Adrian Matei wrote:
>> Hi everyone,
>>
>> Use case: "reset user password via REST admin API - PUT /admin/realms/{realm}/users/{id}/reset-password"
>>
>> Is there a possibility to verify the user's old password before changing it, as is the case via the Account app?
>>
>> Thanks,
>> Adrian

From sthorger at redhat.com Tue Mar 22 03:53:09 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 22 Mar 2016 07:53:09 +0000
Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often?
In-Reply-To: <56EC4CD1.8050405@reucon.com>
References: <56EBC4A0.8040703@redhat.com> <56EBC5AE.5020905@redhat.com> <56EC4CD1.8050405@reucon.com>

Didn't think of that. Feel free to create a JIRA to request it.

On 18 March 2016 at 18:45, Stefan Reuter wrote:
> On 18/03/16 12:58, Stian Thorgersen wrote:
>> Seems like a strange requirement. I can see why you would want users to update the password frequently, not the other way around. Or is there something I'm missing?
>
> This makes sense when combined with a password history policy.
> To prevent users from reusing old passwords you also have to prevent them from changing the passwords immediately after they were just changed.
>
> =Stefan
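Stefan's point above, that a password-history policy only bites if there is also a minimum password age, in working form. This is an added example and not Keycloak code or anything from the thread: it reads the last-change time in the Windows FILETIME format that Active Directory's pwdLastSet attribute carries (100-nanosecond ticks since 1601-01-01 UTC, with 0 meaning "must change at next logon") and decides whether a change request may go through. The 24-hour minimum age, the sample account and timestamps, and every function name are assumptions chosen for the illustration.

```python
"""Minimum-password-age check in front of a password change (added example).

Assumes MSAD semantics for pwdLastSet: a FILETIME (100 ns ticks since
1601-01-01 00:00 UTC); 0 means "user must change password at next logon",
so there is no last-change time to measure from and a change is allowed.
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple, Union

TICKS_PER_SECOND = 10_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc_to_filetime(year, month, day, hour=0, minute=0, second=0) -> int:
    """FILETIME for a UTC wall-clock time given in whole seconds."""
    when = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int((when - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def filetime_to_iso(filetime: int) -> str:
    """ISO-8601 UTC text for log lines and error messages."""
    return (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).isoformat()


def parse_pwd_last_set(value: Union[bytes, str, int]) -> int:
    """pwdLastSet as an LDAP client hands it back: bytes or str holding a decimal."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    filetime = int(value)
    if filetime < 0:
        # -1 is only meaningful on write ("set to now"); it is never valid on read.
        raise ValueError("pwdLastSet must be non-negative on read, got %d" % filetime)
    return filetime


def password_change_allowed(pwd_last_set: int, min_age_seconds: int,
                            now_filetime: int) -> Tuple[bool, int]:
    """Return (allowed, seconds_to_wait) for a change requested at now_filetime."""
    if pwd_last_set == 0:
        return True, 0          # forced change pending: nothing to measure from
    if pwd_last_set > now_filetime:
        # Clock skew or a bogus attribute. Refusing here would lock the user out
        # of changing the password until our clock catches up with the DC's.
        return True, 0
    elapsed = (now_filetime - pwd_last_set) // TICKS_PER_SECOND
    if elapsed >= min_age_seconds:
        return True, 0
    return False, min_age_seconds - elapsed


def check_ldap_entry(entry: dict, min_age_seconds: int, now_filetime: int) -> dict:
    """Decide on a change request from a python-ldap style entry (attr -> [bytes])."""
    raw = entry.get("pwdLastSet", [b"0"])[0]      # missing attribute == never set
    last_set = parse_pwd_last_set(raw)
    allowed, wait = password_change_allowed(last_set, min_age_seconds, now_filetime)
    return {
        "allowed": allowed,
        "wait_seconds": wait,
        "last_set": filetime_to_iso(last_set) if last_set else None,
    }


if __name__ == "__main__":
    # Constructed sample: password last set 2016-03-18 10:00 UTC, change
    # requested two hours later against a 24-hour minimum age.
    entry = {
        "sAMAccountName": [b"jdoe"],
        "pwdLastSet": [str(utc_to_filetime(2016, 3, 18, 10)).encode()],
    }
    print(check_ldap_entry(entry, 24 * 3600, utc_to_filetime(2016, 3, 18, 12)))
```

The check is deliberately lenient on the two odd states (no last-set time, last-set time in the future): a minimum-age rule exists to stop history-policy evasion, and refusing changes in those states would only lock users out without protecting anything.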
From dev at sgordon.totalise.co.uk Tue Mar 22 04:33:36 2016
From: dev at sgordon.totalise.co.uk (Simon Gordon)
Date: 22 Mar 2016 08:33:36 +0000
Subject: [keycloak-user] servlet filter and roles
In-Reply-To: <56EBC363.5050509@redhat.com>
References: <56EBC363.5050509@redhat.com>

Hi

My client applications (some SAML, some OIDC) are all running within Tomcat 7 on OpenShift. Since the Keycloak Tomcat adapter is a Valve, the jar needs adding into the server classpath which of course I can't do on OpenShift. (Or I've struggled to at least!) Hence I'm using the generic servlet filter adapter.

Looking here for SAML: http://keycloak.github.io/docs/userguide/saml-client-adapter/html/ch07.html
and here for OIDC: http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#d4e1046

I can't see how to achieve the security-constraints (roles primarily). Do I need to resort to coding those in the apps, or maybe using JAAS?

Thanks,
Simon

From kevin.thorpe at p-i.net Tue Mar 22 06:09:08 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Tue, 22 Mar 2016 10:09:08 +0000
Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often?
References: <56EBC4A0.8040703@redhat.com> <56EBC5AE.5020905@redhat.com>

As Stefan has already said, one thing is to stop people changing their password and putting it straight back. Also for some implementations it's possible to repeatedly change passwords mechanically and sniff timings to get an idea of the implementation of the password check policy. In my case it's simply that we have a large prospective client who specifically requested this functionality.
Kevin Thorpe
VP Enterprise Platform
www.p-i.net | @PI_150
T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344
150 Buckingham Palace Road, London, SW1W 9TR, UK

SAVE PAPER - THINK BEFORE YOU PRINT!
____________________________________________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

On 18 March 2016 at 11:58, Stian Thorgersen wrote:
> Seems like a strange requirement. I can see why you would want users to update the password frequently, not the other way around. Or is there something I'm missing?
>
> Password policy will be made an SPI in the future. That will make it easy to do, but it's not going to be done for a little while.
>
> On 18 Mar 2016 10:10, "Marek Posolda" wrote:
>> Btw. Kevin you are using LDAP/MSAD right? If you have writable LDAP, then for the LDAP users, you can create custom LDAP Mapper implementation, which will implement "proxy" method and override "updateCredential" method of the proxy user object.
>> Here you can implement this functionality by yourself (MSAD has pwdLastSet attribute with the time when password was updated for the last time).
>>
>> Marek
>>
>> On 18/03/16 10:04, Marek Posolda wrote:
>>
>> Hi,
>>
>> this is not available right now. It can be achieved with password policy, but we don't have such a password policy right now. We can either:
>> - Add the password policy to have this available in Keycloak OOTB
>> - Make PasswordPolicy pluggable SPI, so you can add your custom password policy for the functionality like this.
>>
>> Feel free to create JIRA for this.
>>
>> Marek
>>
>> On 16/03/16 15:02, Kevin Thorpe wrote:
>>
>> A standard practice for login systems is to stop users changing their passwords too often. Keycloak does not support this as of 1.7.0. Is there a possibility of adding a timeout to stop too frequent password changes?
>>
>> Kevin Thorpe
>> VP Enterprise Platform
>> www.p-i.net | @PI_150
>> T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344
>> 150 Buckingham Palace Road, London, SW1W 9TR, UK

From parsectix at gmail.com Tue Mar 22 08:05:22 2016
From: parsectix at gmail.com (Pavlos Kleanthous)
Date: Tue, 22 Mar 2016 12:05:22 +0000
Subject: [keycloak-user] keycloak configuration

Dear all,

I dropped the project at the moment. The lack of documentation is too time consuming. Hope that soon keycloak will have it.

On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen wrote:
> What adapter? Is the server and client adapter both 1.9.1? We did recently deprecate some OIDC endpoints. I think ../login is gone and it should be ../auth. So if you are using an old adapter that may be the issue.
>
> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" wrote:
>> Yours.
>>
>> I configured the realm with the same settings on both versions 1.9.1 and 1.8.1.
>>
>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen wrote:
>>> Client ID has nothing to do with this issue as it would show a login error page not a not found. So must be either realm name or another part of URL is wrong.
>>>
>>> Are you using our adapters or another library atm?
>>>
>>> I'm answering on my phone on the plane so can't look into it more atm.
>>> On 17 Mar 2016 10:00, "Pavlos Kleanthous" wrote:
>>>> Hi,
>>>>
>>>> In jenkins, I'm pasting the JSON configuration that can be found inside the "Installation" tab.
>>>>
>>>> Instead of using keycloak client plugins, can I use a generic oauth plugin in my apps? How can I configure my keycloak for this? i.e. Instead of using google's oauth URL use my own pointing to keycloak.
>>>>
>>>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj wrote:
>>>>> In your jenkins realm - under Clients do you have a client called 'ci'? That's the client_id used in your request.
>>>>>
>>>>> AFAIK nothing changed in this part of the code since 1.8.1.
>>>>>
>>>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" wrote:
>>>>>> yes I can.
>>>>>>
>>>>>> Please note that this is a problem of version 1.9.1.
>>>>>> I have tried now version 1.8.1 and it redirects me to keycloak.
>>>>>>
>>>>>> p.s. I'm using the official containers from docker hub.
>>>>>>
>>>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj wrote:
>>>>>>> Are you able to login into admin console at: http://192.168.99.100:32786/auth
>>>>>>>
>>>>>>> And you see the realm called 'jenkins' there?
>>>>>>>
>>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" wrote:
>>>>>>>> Hi guys adding to this. Please see the HTTP requests and responses.
>>>>>>>>
>>>>>>>> Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
>>>>>>>> Request Method: GET
>>>>>>>> Status Code: 302 Found
>>>>>>>> Remote Address: 192.168.99.100:32769
>>>>>>>>
>>>>>>>> Response Headers:
>>>>>>>> Content-Length: 0
>>>>>>>> Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
Server: >>>>>>>> Jetty(winstone-2.9) >>>>>>>> 4. X-Content-Type-Options: >>>>>>>> nosniff >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 1. Request URL: >>>>>>>> >>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>> 2. Request Method: >>>>>>>> GET >>>>>>>> 3. Status Code: >>>>>>>> *404 Not Found* >>>>>>>> 4. Remote Address: >>>>>>>> 192.168.99.100:32786 >>>>>>>> 1. Response Headersview source >>>>>>>> 1. Connection: >>>>>>>> keep-alive >>>>>>>> 2. Content-Length: >>>>>>>> 0 >>>>>>>> 3. Date: >>>>>>>> Wed, 16 Mar 2016 10:30:40 GMT >>>>>>>> 4. Server: >>>>>>>> WildFly/10 >>>>>>>> 5. X-Powered-By: >>>>>>>> Undertow/1 >>>>>>>> 2. Request Headersview source >>>>>>>> 1. Accept: >>>>>>>> >>>>>>>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>>> 2. Accept-Encoding: >>>>>>>> gzip, deflate, sdch >>>>>>>> 3. Accept-Language: >>>>>>>> en-US,en;q=0.8,el;q=0.6 >>>>>>>> 4. Connection: >>>>>>>> keep-alive >>>>>>>> 5. 
Cookie: >>>>>>>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>>>>>>> KC_RESTART=[JWT value removed]; >>>>>>>> KEYCLOAK_IDENTITY=[JWT value removed]; >>>>>>>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>>>>>>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>>>>>>> 6. DNT: >>>>>>>> 1 >>>>>>>> 7. Host: >>>>>>>> 192.168.99.100:32786 >>>>>>>> 8. Referer: >>>>>>>> http://192.168.99.100:32769/ >>>>>>>> 9. Save-Data: >>>>>>>> on >>>>>>>> 10. Upgrade-Insecure-Requests: >>>>>>>> 1 >>>>>>>> >>>>>>>> >>>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous < >>>>>>>> parsectix at gmail.com> wrote: >>>>>>>> >>>>>>>>> Thanks for pointing this out. I think it does not matter as the >>>>>>>>> same name can be found in "Installation" tab where >>>>>>>>> I copied the configuration. >>>>>>>>> >>>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj < >>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>> >>>>>>>>>> Looks like you mistyped your client id: 'jenknis'.
>>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> Hello, >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I'm trying to configure keycloak for first time. My setup has 2 >>>>>>>>>>> containers keycloak and jenkins. >>>>>>>>>>> Following the example how to integrate those two, I created a >>>>>>>>>>> realm and a client called "jenkins". >>>>>>>>>>> >>>>>>>>>>> It seams that the realm configuration it's not correct as I get >>>>>>>>>>> the following debug error. >>>>>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>> (default task-12) RESTEASY002010: Failed to execute: >>>>>>>>>>> javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for >>>>>>>>>>> full path: >>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>>>>>>> " >>>>>>>>>>> >>>>>>>>>>> I noticed that " >>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" it >>>>>>>>>>> works. 
>>>>>>>>>>> >>>>>>>>>>> if I access the URL: http://192.168.99.100:32786/auth/realms/ci >>>>>>>>>>> >>>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>>>>>>> >>>>>>>>>>> Can you help how to find the problem ? >>>>>>>>>>> >>>>>>>>>>> p.s. is there any other way to find help on those matters? Tried >>>>>>>>>>> IRC but nobody is replying there... >>>>>>>>>>> >>>>>>>>>>> Thank you >>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >> -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160322/6c8a8f0c/attachment-0001.html

From teatimej at gmail.com Tue Mar 22 08:24:15 2016
From: teatimej at gmail.com (Michael Mok)
Date: Tue, 22 Mar 2016 20:24:15 +0800
Subject: [keycloak-user] Fwd: Login.ftl converting realm name to upper case why
In-Reply-To:
References:
Message-ID:

Hi All

I am using Keycloak 1.9.1 and notice the realm name displayed in login.ftl is always uppercase. Can we have the realm name displayed the way it is entered? E.g. if my realm is, say, test demo, the login page displays it as TEST DEMO.

Not sure if there is a flag somewhere to tell keycloak to preserve case in the realm name?

<#if section = "title">
    ${msg("loginTitle",(realm.displayName!''))}
<#elseif section = "header">
    ${msg("loginTitleHtml",(realm.displayNameHtml!''))}
<#elseif section = "form">

Thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160322/a293d18c/attachment.html

From bburke at redhat.com Tue Mar 22 10:10:18 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 22 Mar 2016 10:10:18 -0400
Subject: [keycloak-user] servlet filter and roles
In-Reply-To:
References: <56EBC363.5050509@redhat.com>
Message-ID: <56F1524A.20807@redhat.com>

On 3/22/2016 4:33 AM, Simon Gordon wrote:
> Hi
>
> My client applications (some SAML, some OIDC) are all running within Tomcat 7 on OpenShift. Since the Keycloak Tomcat adapter is a Valve, the jar needs adding into the server classpath which of course I can't do on OpenShift. (Or I've struggled to at least!)
>
> Hence I'm using the generic servlet filter adapter. Looking here for SAML:
> http://keycloak.github.io/docs/userguide/saml-client-adapter/html/ch07.html
>
> and here for OIDC:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#d4e1046
>
> I can't see how to achieve the security-constraints (roles primarily). Do I need to resort to coding those in the apps, or maybe using JAAS?

You have to code it into the app. You could write a filter that did a HttpServletRequest.isUserInRole(). We should probably provide something like that...

Bill

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Tue Mar 22 11:43:33 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 22 Mar 2016 16:43:33 +0100
Subject: [keycloak-user] servlet filter and roles
In-Reply-To: <56F1524A.20807@redhat.com>
References: <56EBC363.5050509@redhat.com> <56F1524A.20807@redhat.com>
Message-ID: <56F16825.70002@redhat.com>

On 22/03/16 15:10, Bill Burke wrote:
>
> On 3/22/2016 4:33 AM, Simon Gordon wrote:
>> Hi
>>
>> My client applications (some SAML, some OIDC) are all running within Tomcat 7 on OpenShift. Since the Keycloak Tomcat adapter is a Valve, the jar needs adding into the server classpath which of course I can't do on OpenShift. (Or I've struggled to at least!)
>>
>> Hence I'm using the generic servlet filter adapter. Looking here for SAML:
>> http://keycloak.github.io/docs/userguide/saml-client-adapter/html/ch07.html
>>
>> and here for OIDC:
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#d4e1046
>>
>> I can't see how to achieve the security-constraints (roles primarily). Do I need to resort to coding those in the apps, or maybe using JAAS?
> You have to code it into the app. You could write a filter that did a HttpServletRequest.isUserInRole(). We should probably provide something like that...
+1

The Servlet spec has HttpServletRequestWrapper, where we can easily override all the methods like isUserInRole, getRemoteUser, getUserPrincipal etc., fill them with the stuff from the token and send this request wrapper down the filter chain. Not sure if we should do it automatically or have a configurable flag for it.

Marek

>
> Bill
>

From mposolda at redhat.com Tue Mar 22 12:02:41 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 22 Mar 2016 17:02:41 +0100
Subject: [keycloak-user] Fwd: Login.ftl converting realm name to upper case why
In-Reply-To:
References:
Message-ID: <56F16CA1.4000608@redhat.com>

From what I can see, in login.css there is a class "#kc-header-wrapper" defined which contains "text-transform: uppercase;". Looks like you have several possibilities to achieve lower case, for example:
- Create a theme and define the property "kcHeaderWrapperClass" in theme.properties and add any CSS you want.
- Create a theme and override login.css and redefine "#kc-header-wrapper".
- Override template.ftl in your theme and use a different ID than "kc-header-wrapper".

Not sure what is the best solution, I am not an expert in UI etc :) But I definitely suggest to look at our theme documentation and example. This should give you more ideas what is the best solution. You can decide if you want to override just CSS or also freemarker templates. In the end, you can completely override the whole login screen and replace it with your own look & feel.

Marek

On 22/03/16 13:24, Michael Mok wrote:
> Hi All
>
> I am using Keycloak 1.9.1 and notice the realm name displayed in login.ftl is always uppercase. Can we have the realm name displayed the way it is entered? E.g. if my realm is, say, test demo, the login page displays it as TEST DEMO.
>
> Not sure if there is a flag somewhere to tell keycloak to preserve case in the realm name?
>
> <#if section = "title">
>     ${msg("loginTitle",(realm.displayName!''))}
> <#elseif section = "header">
>     ${msg("loginTitleHtml",(realm.displayNameHtml!''))}
> <#elseif section = "form">
>
>
> Thanks.
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
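One way to do what Bill and Marek describe in the servlet filter and roles thread above, as an added example (it is neither code from the thread nor part of the Keycloak adapters): a filter mapped after KeycloakOIDCFilter that wraps the request in an HttpServletRequestWrapper answering isUserInRole, getRemoteUser and getUserPrincipal from the verified AccessToken, then applies a path-to-role rule in place of a web.xml security-constraint. The class name, the /admin path, the "admin" role and the "clientId:role" naming convention for client roles are assumptions.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Must be mapped in web.xml AFTER KeycloakOIDCFilter, which stores the verified
 * KeycloakSecurityContext as a request attribute. The filter wraps the request so
 * that isUserInRole()/getRemoteUser()/getUserPrincipal() answer from the token,
 * then enforces one path-to-role rule in place of a web.xml security-constraint.
 */
public class TokenRoleFilter implements Filter {

    // Assumed rule (not from the thread): requests under /admin need realm role "admin".
    private static final String PROTECTED_PREFIX = "/admin";
    private static final String REQUIRED_ROLE = "admin";

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Attribute name under which the Keycloak adapters expose the security context.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null || ctx.getToken() == null) {
            // Not authenticated by the Keycloak filter: fail closed instead of letting an
            // unwrapped request (isUserInRole() always false) reach the application.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpServletRequest wrapped = new TokenRequest(request, ctx.getToken());

        // Role check before any application code runs (the security-constraint stand-in).
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.startsWith(PROTECTED_PREFIX) && !wrapped.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(wrapped, response);
    }

    @Override
    public void destroy() {
    }

    /** Request wrapper that answers the container security methods from the access token. */
    static final class TokenRequest extends HttpServletRequestWrapper {
        private final AccessToken token;

        TokenRequest(HttpServletRequest request, AccessToken token) {
            super(request);
            this.token = token;
        }

        @Override
        public boolean isUserInRole(String role) {
            // Realm roles come from the token's realm_access claim; a "clientId:role" form
            // (a convention assumed here, not Keycloak's) selects a resource_access entry.
            int sep = role.indexOf(':');
            AccessToken.Access access = sep < 0
                    ? token.getRealmAccess()
                    : token.getResourceAccess(role.substring(0, sep));
            String name = sep < 0 ? role : role.substring(sep + 1);
            return access != null && access.isUserInRole(name);
        }

        @Override
        public String getRemoteUser() {
            return token.getPreferredUsername();
        }

        @Override
        public Principal getUserPrincipal() {
            // The token subject (the stable user id) serves as the principal name.
            final String subject = token.getSubject();
            return () -> subject;
        }
    }
}
```

Because the wrapper is passed down the chain, servlets and later filters can keep calling the standard `HttpServletRequest` security methods without importing any Keycloak classes.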
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160322/d7ddf22f/attachment.html From sthorger at redhat.com Tue Mar 22 12:29:15 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 22 Mar 2016 16:29:15 +0000 Subject: [keycloak-user] keycloak configuration In-Reply-To: References: Message-ID: Could you elaborate on what is missing from the documentation? That would be helpful. On 22 Mar 2016 12:05, "Pavlos Kleanthous" wrote: > Dear all, > > I dropped the project at the moment. The lack of documentation is too time > consuming. > > Hope that soon keycloak will have it. > > > On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen > wrote: > >> What adapter? Is the server and client adapter both 1.9.1? We did >> recently deprecate some OIDC endpoints. I think ../login is gone and it >> should be ../auth. So if you are using an old adapter that may be the issue. >> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" >> wrote: >> >>> Yours. >>> >>> I configured the realm with the same settings on both versions 1.9.1 >>> and 1.8.1. >>> >>> >>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen >>> wrote: >>> >>>> Client ID has nothing to do with this issue as it would show an login >>>> error page not a not found. So must be either realm name or another part of >>>> URL is wrong. >>>> >>>> Are you using our adapters or another library atm? >>>> >>>> I'm answering on my phone on the plane so can't look into it more atm. >>>> On 17 Mar 2016 10:00, "Pavlos Kleanthous" wrote: >>>> >>>>> Hi, >>>>> >>>>> In jenkins, I'm pasting the JSON configuration that it can found >>>>> inside "Installation" tab. >>>>> >>>>> Instead of using keycloak client plugins, can I use a generic oauth >>>>> plugin in my apps? How can I configure my keycloak for this? >>>>> i.e. Instead of using google's oauth URL use my own pointing to >>>>> keycloak. 
>>>>> >>>>> >>>>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj >>>>> wrote: >>>>> >>>>>> In your jenkins realm - under Clients do you have a client called >>>>>> 'ci'? That's the client_id used in your request. >>>>>> >>>>>> AFAIK nothing changed in this part of the code since 1.8.1. >>>>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" >>>>>> wrote: >>>>>> >>>>>>> yes I can. >>>>>>> >>>>>>> Please note that this is a problem of version 1.9.1. >>>>>>> I have tried now version 1.8.1 and it redirect me to keycloak. >>>>>>> >>>>>>> p.s. I'm using the official containers from docker hub. >>>>>>> >>>>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj < >>>>>>> mstrukel at redhat.com> wrote: >>>>>>> >>>>>>>> Are you able to login into admin console at: >>>>>>>> http://192.168.99.100:32786/auth >>>>>>>> >>>>>>>> And you see the realm called 'jenkins' there? >>>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Hi guys adding to this. Please see the HTTP requests and responses. >>>>>>>>> >>>>>>>>> >>>>>>>>> 1. Request URL: >>>>>>>>> >>>>>>>>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>>>>>>>> 2. Request Method: >>>>>>>>> GET >>>>>>>>> 3. Status Code: >>>>>>>>> 302 Found >>>>>>>>> 4. Remote Address: >>>>>>>>> 192.168.99.100:32769 >>>>>>>>> 1. Response Headersview source >>>>>>>>> 1. Content-Length: >>>>>>>>> 0 >>>>>>>>> 2. Location: >>>>>>>>> >>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>> 3. Server: >>>>>>>>> Jetty(winstone-2.9) >>>>>>>>> 4. X-Content-Type-Options: >>>>>>>>> nosniff >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> 1. 
Request URL: >>>>>>>>> >>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>> 2. Request Method: >>>>>>>>> GET >>>>>>>>> 3. Status Code: >>>>>>>>> *404 Not Found* >>>>>>>>> 4. Remote Address: >>>>>>>>> 192.168.99.100:32786 >>>>>>>>> 1. Response Headersview source >>>>>>>>> 1. Connection: >>>>>>>>> keep-alive >>>>>>>>> 2. Content-Length: >>>>>>>>> 0 >>>>>>>>> 3. Date: >>>>>>>>> Wed, 16 Mar 2016 10:30:40 GMT >>>>>>>>> 4. Server: >>>>>>>>> WildFly/10 >>>>>>>>> 5. X-Powered-By: >>>>>>>>> Undertow/1 >>>>>>>>> 2. Request Headersview source >>>>>>>>> 1. Accept: >>>>>>>>> >>>>>>>>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>>>> 2. Accept-Encoding: >>>>>>>>> gzip, deflate, sdch >>>>>>>>> 3. Accept-Language: >>>>>>>>> en-US,en;q=0.8,el;q=0.6 >>>>>>>>> 4. Connection: >>>>>>>>> keep-alive >>>>>>>>> 5. 
Cookie: >>>>>>>>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>>>>>>>> KC_RESTART=[JWT value removed]; >>>>>>>>> KEYCLOAK_IDENTITY=[JWT value removed]; >>>>>>>>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>>>>>>>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>>>>>>>> 6. DNT: >>>>>>>>> 1 >>>>>>>>> 7. Host: >>>>>>>>> 192.168.99.100:32786 >>>>>>>>> 8. Referer: >>>>>>>>> http://192.168.99.100:32769/ >>>>>>>>> 9. Save-Data: >>>>>>>>> on >>>>>>>>> 10. Upgrade-Insecure-Requests: >>>>>>>>> 1 >>>>>>>>> >>>>>>>>> >>>>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous < >>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Thanks for pointing this out. I think it does not matter as the >>>>>>>>>> same name can be found in "Installation" tab where >>>>>>>>>> I copied the configuration. >>>>>>>>>> >>>>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj < >>>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>>> >>>>>>>>>>> Looks like you mistyped your client id: 'jenknis'.
>>>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" < >>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hello, >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> I'm trying to configure keycloak for first time. My setup has 2 >>>>>>>>>>>> containers keycloak and jenkins. >>>>>>>>>>>> Following the example how to integrate those two, I created a >>>>>>>>>>>> realm and a client called "jenkins". >>>>>>>>>>>> >>>>>>>>>>>> It seams that the realm configuration it's not correct as I get >>>>>>>>>>>> the following debug error. >>>>>>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>> (default task-12) RESTEASY002010: Failed to execute: >>>>>>>>>>>> javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for >>>>>>>>>>>> full path: >>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>>>>>>>> " >>>>>>>>>>>> >>>>>>>>>>>> I noticed that " >>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" it >>>>>>>>>>>> works. 
>>>>>>>>>>>> >>>>>>>>>>>> if I access the URL: http://192.168.99.100:32786/auth/realms/ci >>>>>>>>>>>> >>>>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>>>>>>>> >>>>>>>>>>>> Can you help how to find the problem ? >>>>>>>>>>>> >>>>>>>>>>>> p.s. is there any other way to find help on those matters? >>>>>>>>>>>> Tried IRC but nobody is replying there... >>>>>>>>>>>> >>>>>>>>>>>> Thank you >>>>>>>>>>>> >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160322/162af128/attachment-0001.html From sthorger at redhat.com Tue Mar 22 12:44:36 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 22 Mar 2016 16:44:36 +0000 Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often? 
In-Reply-To:
References: <56EBC4A0.8040703@redhat.com> <56EBC5AE.5020905@redhat.com>
Message-ID:

Why is it an issue that someone can sniff the password policy? Is it that it would make it slightly easier to guess passwords?

On 22 Mar 2016 10:09, "Kevin Thorpe" wrote:
> As Stefan has already said, one thing is to stop people changing their password and putting it straight back. Also, for some implementations it's possible to repeatedly change passwords mechanically and sniff timings to get an idea of the implementation of the password check policy. In my case it's simply that we have a large prospective client who specifically requested this functionality.
>
>
> *Kevin Thorpe*
> VP Enterprise Platform
>
> www.p-i.net | @PI_150
>
> *T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344*
> *150 Buckingham Palace Road, London, SW1W 9TR, UK*
>
>
>
> *SAVE PAPER - THINK BEFORE YOU PRINT!*
>
> ____________________________________________________________________
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
>
> On 18 March 2016 at 11:58, Stian Thorgersen wrote:
>
>> Seems like a strange requirement.
I can see why you would want users to >> update the password frequently, not the other way around. Or is there >> something I'm missing? >> >> Password policy will be made an spi in the future. That will make it easy >> to do, but it's not going to be done for a little while. >> On 18 Mar 2016 10:10, "Marek Posolda" wrote: >> >>> Btv. Kevin you are using LDAP/MSAD right? If you have writable LDAP, >>> then for the LDAP users, you can create custom LDAP Mapper implementation, >>> which will implement "proxy" method and override "updateCredential" method >>> of the proxy user object. Here you can >>> implement this functionality by yourself (MSAD has pwdLastSet attribute >>> with the time when password was updated for last time) >>> >>> Marek >>> >>> On 18/03/16 10:04, Marek Posolda wrote: >>> >>> Hi, >>> >>> this is not available right now. It can be achieved with password >>> policy, but we don't have such a password policy right now. We can either: >>> - Add the password policy to have this available in Keycloak OOTB >>> - Make PasswordPolicy pluggable SPI, so you can add your custom password >>> policy for the functionality like this. >>> >>> Feel free to create JIRA for this. >>> >>> Marek >>> >>> On 16/03/16 15:02, Kevin Thorpe wrote: >>> >>> A standard practice for login systems is to stop users changing their >>> passwords too often. Keycloak does not support this as of 1.7.0. Is there a >>> possibility of adding a timeout to stop too frequent password changes? 
>>> >>> >>> *Kevin Thorpe* >>> VP Enterprise Platform >>> >>> www.p-i.net | @PI_150 >>> >>> *T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20 >>> 7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344 >>> <%2B44%20%280%29808%20204%200344> * >>> *150 Buckingham Palace Road, London, SW1W 9TR, UK* >>> >>> >>> >>> *SAVE PAPER - THINK BEFORE YOU PRINT!* >>> >>> ____________________________________________________________________ >>> >>> This email and any files transmitted with it are confidential and >>> intended solely for the use of the individual or entity to whom they are >>> addressed. If you have received this email in error please notify the >>> system manager. This message contains confidential information and is >>> intended only for the individual named. If you are not the named addressee >>> you should not disseminate, distribute or copy this e-mail. Please notify >>> the sender immediately by e-mail if you have received this e-mail by >>> mistake and delete this e-mail from your system. If you are not the >>> intended recipient you are notified that disclosing, copying, distributing >>> or taking any action in reliance on the contents of this information is >>> strictly prohibited. >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160322/85393d53/attachment.html

From kevin.thorpe at p-i.net Tue Mar 22 13:17:44 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Tue, 22 Mar 2016 17:17:44 +0000
Subject: [keycloak-user] Is there a possibility to stop users changing their passwords too often?
In-Reply-To:
References: <56EBC4A0.8040703@redhat.com> <56EBC5AE.5020905@redhat.com>
Message-ID:

It is an edge case, but some implementations of password policy checks will have response timing differences depending on which rules are being tripped. That way you can possibly discount a lot of passwords, e.g. if you get a quicker "no" by not using special chars than if you have special chars, then chances are that special chars are required. I do accept that this is pretty extreme and you have to be pretty close to the server to detect those time intervals.

The main use case is to stop a user changing their password as many times as the history allows and then immediately setting it back to the original one.

*Kevin Thorpe*
VP Enterprise Platform

www.p-i.net | @PI_150

*T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344*
*150 Buckingham Palace Road, London, SW1W 9TR, UK*

*SAVE PAPER - THINK BEFORE YOU PRINT!*

____________________________________________________________________

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

On 22 March 2016 at 16:44, Stian Thorgersen wrote:

> Why is it an issue that someone can sniff the password policy? Is it that it would make it slightly easier to guess passwords?
>
> On 22 Mar 2016 10:09, "Kevin Thorpe" wrote:
>
>> As Stefan has already said one thing is to stop people changing their password and putting it straight back. Also for some implementations it's possible to repeatedly change passwords mechanically and sniff timings to get an idea of the implementation of the password check policy. In my case it's simply that we have a large prospective client who specifically requested this functionality.
>>
>> *Kevin Thorpe*
>> VP Enterprise Platform
>>
>> www.p-i.net | @PI_150
>>
>> *T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344*
>> *150 Buckingham Palace Road, London, SW1W 9TR, UK*
>>
>> *SAVE PAPER - THINK BEFORE YOU PRINT!*
>>
>> On 18 March 2016 at 11:58, Stian Thorgersen wrote:
>>
>>> Seems like a strange requirement. I can see why you would want users to update the password frequently, not the other way around. Or is there something I'm missing?
>>>
>>> Password policy will be made an SPI in the future. That will make it easy to do, but it's not going to be done for a little while.
>>>
>>> On 18 Mar 2016 10:10, "Marek Posolda" wrote:
>>>
>>>> Btw. Kevin you are using LDAP/MSAD right? If you have writable LDAP, then for the LDAP users, you can create a custom LDAP Mapper implementation, which will implement the "proxy" method and override the "updateCredential" method of the proxy user object. Here you can implement this functionality by yourself (MSAD has a pwdLastSet attribute with the time when the password was updated for the last time).
>>>>
>>>> Marek
>>>>
>>>> On 18/03/16 10:04, Marek Posolda wrote:
>>>>
>>>> Hi,
>>>>
>>>> this is not available right now. It can be achieved with password policy, but we don't have such a password policy right now. We can either:
>>>> - Add the password policy to have this available in Keycloak OOTB
>>>> - Make PasswordPolicy a pluggable SPI, so you can add your custom password policy for functionality like this.
>>>>
>>>> Feel free to create a JIRA for this.
>>>>
>>>> Marek
>>>>
>>>> On 16/03/16 15:02, Kevin Thorpe wrote:
>>>>
>>>> A standard practice for login systems is to stop users changing their passwords too often. Keycloak does not support this as of 1.7.0. Is there a possibility of adding a timeout to stop too frequent password changes?
>>>>
>>>> *Kevin Thorpe*
>>>> VP Enterprise Platform
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
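Marek's hint in the thread above is to base a minimum-age rule on the directory's pwdLastSet attribute. What follows is an added example, not Keycloak code and not the PasswordPolicy SPI the thread says is coming: it is only the policy decision, written so it could be called from whichever hook a deployment has (for instance the updateCredential override Marek describes). pwdLastSet is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and a value of 0 means the password was never set or must be changed at next logon, which the check treats as always allowed. Function names, the constants and the sample LDAP entry are all constructed for this example.

```python
"""Minimum password age check driven by Active Directory's pwdLastSet.

Added example, not Keycloak's own code and not its PasswordPolicy SPI:
only the policy decision is shown, so it can be called from whatever hook
a deployment has (e.g. a custom LDAP mapper's updateCredential override).
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_TO_UNIX_SECONDS = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000


def pwd_last_set_to_unix(pwd_last_set: int) -> Optional[int]:
    """Convert pwdLastSet to Unix seconds. Returns None for 0, which AD uses
    for 'never set' / 'user must change password at next logon'."""
    if pwd_last_set <= 0:
        return None
    return pwd_last_set // TICKS_PER_SECOND - FILETIME_TO_UNIX_SECONDS


def unix_to_pwd_last_set(unix_seconds: int) -> int:
    """Inverse conversion, handy for building fixtures in tests."""
    return (unix_seconds + FILETIME_TO_UNIX_SECONDS) * TICKS_PER_SECOND


def password_change_allowed(pwd_last_set: int, min_age_seconds: int,
                            now_unix: Optional[int] = None) -> Tuple[bool, int]:
    """Return (allowed, seconds_to_wait) for a minimum-age policy.

    A user whose password was forced to expire (pwdLastSet == 0) is always
    allowed to change it; otherwise the change is refused until
    min_age_seconds have elapsed since the last change.
    """
    if now_unix is None:
        now_unix = int(datetime.now(timezone.utc).timestamp())
    last_change = pwd_last_set_to_unix(pwd_last_set)
    if last_change is None:
        return True, 0
    # A timestamp in the future means clock skew between AD and this host;
    # treat it as 'just changed' rather than waiving the policy.
    elapsed = max(0, now_unix - last_change)
    if elapsed >= min_age_seconds:
        return True, 0
    return False, min_age_seconds - elapsed


def evaluate_ldap_entry(entry: Dict[str, List[str]], min_age_seconds: int,
                        now_unix: Optional[int] = None) -> Tuple[bool, int]:
    """Apply the policy to an LDAP entry as a directory search returns it,
    i.e. with attribute values as strings. A missing attribute is treated
    like 0 (nothing to enforce against)."""
    raw = entry.get("pwdLastSet", ["0"])[0]
    return password_change_allowed(int(raw), min_age_seconds, now_unix)


if __name__ == "__main__":
    # Constructed sample entry: password last set 2016-03-18 10:00:00 UTC.
    sample_entry = {
        "sAMAccountName": ["kthorpe"],
        "pwdLastSet": [str(unix_to_pwd_last_set(1_458_295_200))],
    }
    one_day = 24 * 3600
    # Attempt one hour after the last change: refused, 23 hours to wait.
    print(evaluate_ldap_entry(sample_entry, one_day, 1_458_295_200 + 3600))
    # Attempt a day later: allowed.
    print(evaluate_ldap_entry(sample_entry, one_day, 1_458_295_200 + one_day))
```

A minimum age of a day or so is enough to defeat the change-and-change-back trick Kevin and Stefan describe; it complements a password-history rule rather than replacing it, since history alone cannot stop a user cycling through several passwords in one sitting.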
From srossillo at smartling.com Tue Mar 22 13:34:41 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Tue, 22 Mar 2016 13:34:41 -0400
Subject: [keycloak-user] spring security adapter and single log out
In-Reply-To: <8EE3449CB6463C4FB0544A12CEA72DD7DEC074F3@iskexcemxprd02.virginblue.internal>
References: <8EE3449CB6463C4FB0544A12CEA72DD7DEC074F3@iskexcemxprd02.virginblue.internal>
Message-ID: <6E696A99-A3D8-43C4-8D72-3BE00CB304CA@smartling.com>

Hi Anthony,

Thanks for the very descriptive bug report. I'll have a look at fixing this shortly.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Mar 21, 2016, at 7:26 PM, Anthony Fryer wrote:
>
> I've noticed some issues when testing single logout with the spring security adapter.
>
> I setup the admin url for the test application that used the spring security adapter in keycloak and tested logging out from keycloak and it didn't invalidate the session. This is consistent with what I saw in other environments while testing. I did some digging and found that the spring adapter isn't working correctly for single log out in my environments. We're not using spring boot so not sure if that might be a reason why it's not working out of the box.
>
> The issue is with the org.keycloak.adapters.springsecurity.management.HttpSessionManager class. This implements javax.servlet.http.HttpSessionListener to receive events when sessions are created and stores the sessions in a hash map. When you do a logout from keycloak, it sends a POST request to /k_logout. This results in a call to the HttpSessionManager.logoutHttpSessions method with the session id passed in as an argument. This method attempts to lookup the session in the hashmap and call the invalidate() method.
>
> The problem is by default the HttpSessionManager class isn't receiving the session create events. You need to configure it as a listener in web.xml to enable that. But even if you do that it still doesn't work because the servlet container will create an instance of the class, but spring will also create another instance when creating the keycloak beans and this new instance is the one passed into the KeycloakPreAuthActionsFilter constructor. So the instance that is created by the servlet container is the one receiving the session create event and the one used by spring isn't receiving any events but is the one used to do the logoutHttpSessions() call. The spring instance has no sessions in the hashmap, so logoutHttpSessions() does nothing.
>
> The fix is to make a new version of HttpSessionManager that implements org.keycloak.adapters.spi.UserSessionManagement and org.springframework.context.ApplicationListener, which is a spring interface that receives session create/destroy events. In web.xml you need to register org.springframework.security.web.session.HttpSessionEventPublisher as a listener so spring will receive those events from the servlet container. Then in the spring config, you need the KeycloakPreAuthActionsFilter to be initialized with the new HttpSessionManager instead of the default one.
>
> The HttpSessionManager class that works for me is below...
>
> package my.keycloak;
>
> import java.util.List;
>
> import javax.servlet.http.HttpSession;
>
> import org.keycloak.adapters.spi.UserSessionManagement;
> import org.keycloak.adapters.springsecurity.management.LocalSessionManagementStrategy;
> import org.keycloak.adapters.springsecurity.management.SessionManagementStrategy;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
> import org.springframework.context.ApplicationEvent;
> import org.springframework.context.ApplicationListener;
> import org.springframework.security.web.session.HttpSessionCreatedEvent;
> import org.springframework.security.web.session.HttpSessionDestroyedEvent;
>
> /**
>  * Session registry fed by Spring application events (published by
>  * HttpSessionEventPublisher) instead of a servlet-container listener, so the
>  * instance Spring injects into KeycloakPreAuthActionsFilter is the one that
>  * actually tracks the sessions.
>  */
> public class HttpSessionManager implements UserSessionManagement, ApplicationListener<ApplicationEvent> {
>
>     private static final Logger log = LoggerFactory.getLogger(HttpSessionManager.class);
>     private final SessionManagementStrategy sessions = new LocalSessionManagementStrategy();
>
>     @Override
>     public void logoutAll() {
>         log.info("Received request to log out all users.");
>         for (HttpSession session : sessions.getAll()) {
>             session.invalidate();
>         }
>         sessions.clear();
>     }
>
>     @Override
>     public void logoutHttpSessions(List<String> ids) {
>         log.info("Received request to log out {} session(s): {}", ids.size(), ids);
>         for (String id : ids) {
>             HttpSession session = sessions.remove(id);
>             if (session != null) {
>                 session.invalidate();
>             }
>         }
>         // Only the listed sessions are logged out. Clearing the whole registry
>         // here (as logoutAll does) would leave every other live session
>         // untracked, so a later /k_logout for one of them would do nothing.
>     }
>
>     @Override
>     public void onApplicationEvent(ApplicationEvent event) {
>         if (event instanceof HttpSessionCreatedEvent) {
>             HttpSession session = ((HttpSessionCreatedEvent) event).getSession();
>             log.debug("Session created: {}", session.getId());
>             sessions.store(session);
>         } else if (event instanceof HttpSessionDestroyedEvent) {
>             HttpSession session = ((HttpSessionDestroyedEvent) event).getSession();
>             sessions.remove(session.getId());
>             log.debug("Session destroyed: {}", session.getId());
>         }
>     }
> }
>
> The keycloak config changes are below...
>
> import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
> import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
> import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
> import org.springframework.beans.factory.annotation.Autowired;
> import org.springframework.context.annotation.Bean;
> import org.springframework.context.annotation.ComponentScan;
> import org.springframework.context.annotation.Configuration;
> import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
> import org.springframework.security.core.session.SessionRegistryImpl;
> import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
> import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
> import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
>
> @Configuration
> @EnableWebSecurity
> @ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
> public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
>
>     @Autowired
>     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
>         auth.authenticationProvider(keycloakAuthenticationProvider());
>     }
>
>     @Override
>     protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
>         return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
>     }
>
>     // Hand the filter the Spring-managed session manager, not the default one,
>     // so the instance receiving session events is the one doing the logouts.
>     @Bean
>     protected KeycloakPreAuthActionsFilter keycloakPreAuthActionsFilter() {
>         return new KeycloakPreAuthActionsFilter(springHttpSessionManager());
>     }
>
>     @Bean
>     protected my.keycloak.HttpSessionManager springHttpSessionManager() {
>         return new my.keycloak.HttpSessionManager();
>     }
>
>     @Override
>     protected void configure(HttpSecurity http) throws Exception {
>         super.configure(http);
>         http
>             .logout()
>                 .logoutRequestMatcher(new AntPathRequestMatcher("/sso/logout"))
>                 .and()
>             .authorizeRequests()
>                 .antMatchers("/user*").authenticated()
>                 .anyRequest().permitAll();
>     }
> }
>
> and web.xml needs this added to it...
>
> <listener>
>     <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
> </listener>
>
> After making the above changes, log out from the keycloak admin console works as expected.
>
> Regards,
>
> Anthony Fryer
>
> The content of this e-mail, including any attachments, is a confidential communication between Virgin Australia Airlines Pty Ltd (Virgin Australia) or its related entities (or the sender if this email is a private communication) and the intended addressee and is for the sole use of that intended addressee. If you are not the intended addressee, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. If you have received this e-mail in error please contact the sender immediately and then delete the message and any attachment(s).
There is no warranty that this email is error, virus or defect free. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If this is a private communication it does not represent the views of Virgin Australia or its related entities. Please be aware that the contents of any emails sent to or from Virgin Australia or its related entities may be periodically monitored and reviewed. Virgin Australia and its related entities respect your privacy. Our privacy policy can be accessed from our website: www.virginaustralia.com _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160322/3d1b1e08/attachment-0001.html From nielsbne at gmail.com Wed Mar 23 03:19:47 2016 From: nielsbne at gmail.com (Niels Bertram) Date: Wed, 23 Mar 2016 17:19:47 +1000 Subject: [keycloak-user] Keycloak 1.9.1 Wildfly admin user not created Message-ID: Hi everyone, I am trying to setup Wildfly admin console access on the 1.9.1 release running in standalone mode. Following the keycloak documentation I used ./bin/add-user -u admin -r master to add a keycloak admin but when I browse to http://localhost:9990/console I get prompted with a screen that reads: *WildFly Application Server is running.* *However you have not yet added any users to be able to access the admin console.* *To add a new user execute the add-user.sh script within the bin folder of your WildFly installationand enter the requested information.* Looking through the wildfly documentation https://docs.jboss.org/author/display/WFLY10/add-user+utility and also comparing the add-user.sh script in the keycloak distro to a normal wildfly distro it looks like it has been replaced. 
How do you create a wildfly admin user with the keycloak distro? Shouldn't the wildfly admin scripts stay as they are and the keycloak script added with a different name? Cheers, Niels -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/d7fa3db7/attachment.html From juraci at kroehling.de Wed Mar 23 03:43:23 2016 From: juraci at kroehling.de (=?UTF-8?Q?Juraci_Paix=c3=a3o_Kr=c3=b6hling?=) Date: Wed, 23 Mar 2016 08:43:23 +0100 Subject: [keycloak-user] Keycloak 1.9.1 Wildfly admin user not created In-Reply-To: References: Message-ID: <56F2491B.6040103@kroehling.de> On 23.03.2016 08:19, Niels Bertram wrote: > Following the keycloak documentation I used > ./bin/add-user -u admin -r master to add a keycloak admin but when I > browse to http://localhost:9990/console Have you restarted the server after running the script? - Juca. From mposolda at redhat.com Wed Mar 23 03:57:45 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 23 Mar 2016 08:57:45 +0100 Subject: [keycloak-user] Keycloak 1.9.1 Wildfly admin user not created In-Reply-To: References: Message-ID: <56F24C79.6010501@redhat.com> It seems that when you run the add-user.sh script with the flag "--container", it will delegate to the Wildfly builtin add-user script. So in this case you will create admin user for wildfly admin console instead of admin user for keycloak. Is it what you were asking for? Marek On 23/03/16 08:19, Niels Bertram wrote: > Hi everyone, > > I am trying to setup Wildfly admin console access on the 1.9.1 release > running in standalone mode. Following the keycloak documentation I > used ./bin/add-user -u admin -r master to add a keycloak admin but > when I browse to http://localhost:9990/console I get prompted with a > screen that reads: > > /*WildFly Application Server is running.* > / > /However you have not yet added any users to be able to access the > admin console. 
> /
> /To add a new user execute the add-user.sh script within the bin folder of your WildFly installationand enter the requested information./
>
> Looking through the wildfly documentation https://docs.jboss.org/author/display/WFLY10/add-user+utility and also comparing the add-user.sh script in the keycloak distro to a normal wildfly distro it looks like it has been replaced.
>
> How do you create a wildfly admin user with the keycloak distro? Shouldn't the wildfly admin scripts stay as they are and the keycloak script added with a different name?
>
> Cheers,
> Niels
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From nielsbne at gmail.com Wed Mar 23 03:59:23 2016
From: nielsbne at gmail.com (Niels Bertram)
Date: Wed, 23 Mar 2016 17:59:23 +1000
Subject: [keycloak-user] Keycloak 1.9.1 Wildfly admin user not created
In-Reply-To: <56F2491B.6040103@kroehling.de>
References: <56F2491B.6040103@kroehling.de>
Message-ID: <6C285B1A-A46F-4FDC-8B99-34A0FA53F2B5@gmail.com>

Yep added user and restarted wildfly. If I inspect the mgmt-users.properties file in standalone/configuration I can also see that this one is empty.

> On 23 Mar 2016, at 17:43, Juraci Paixão Kröhling wrote:
>
>> On 23.03.2016 08:19, Niels Bertram wrote:
>> Following the keycloak documentation I used
>> ./bin/add-user -u admin -r master to add a keycloak admin but when I
>> browse to http://localhost:9990/console
>
> Have you restarted the server after running the script?
>
> - Juca.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From nielsbne at gmail.com Wed Mar 23 04:05:07 2016 From: nielsbne at gmail.com (Niels Bertram) Date: Wed, 23 Mar 2016 18:05:07 +1000 Subject: [keycloak-user] Keycloak 1.9.1 Wildfly admin user not created In-Reply-To: <56F24C79.6010501@redhat.com> References: <56F24C79.6010501@redhat.com> Message-ID: <07096162-7E88-48F5-980D-2D6C54D21A3F@gmail.com> Yes that's the one I was missing. Looked at the help context but did not register, thanks Marek. > On 23 Mar 2016, at 17:57, Marek Posolda wrote: > > It seems that when you run the add-user.sh script with the flag "--container", it will delegate to the Wildfly builtin add-user script. So in this case you will create admin user for wildfly admin console instead of admin user for keycloak. Is it what you were asking for? > > Marek > >> On 23/03/16 08:19, Niels Bertram wrote: >> Hi everyone, >> >> I am trying to setup Wildfly admin console access on the 1.9.1 release running in standalone mode. Following the keycloak documentation I used ./bin/add-user -u admin -r master to add a keycloak admin but when I browse to http://localhost:9990/console I get prompted with a screen that reads: >> >> WildFly Application Server is running. >> However you have not yet added any users to be able to access the admin console. >> To add a new user execute the add-user.sh script within the bin folder of your WildFly installationand enter the requested information. >> >> Looking through the wildfly documentation https://docs.jboss.org/author/display/WFLY10/add-user+utility and also comparing the add-user.sh script in the keycloak distro to a normal wildfly distro it looks like it has been replaced. >> >> How do you create a wildfly admin user with the keycloak distro? Shouldn't the wildfly admin scripts stay as they are and the keycloak script added with a different name? 
>> >> Cheers, >> Niels >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/9bbc7e06/attachment.html From sthorger at redhat.com Wed Mar 23 04:19:34 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 23 Mar 2016 08:19:34 +0000 Subject: [keycloak-user] Keycloak 1.9.1 Wildfly admin user not created In-Reply-To: References: Message-ID: Use --container to create WildFly admin console user. Eventually this will either be secured with Keycloak or removed completely. On 23 Mar 2016 07:21, "Niels Bertram" wrote: > Hi everyone, > > I am trying to setup Wildfly admin console access on the 1.9.1 release > running in standalone mode. Following the keycloak documentation I used ./bin/add-user > -u admin -r master to add a keycloak admin but when I browse to > http://localhost:9990/console I get prompted with a screen that reads: > > > *WildFly Application Server is running.* > > *However you have not yet added any users to be able to access the admin > console.* > *To add a new user execute the add-user.sh script within the bin folder of > your WildFly installationand enter the requested information.* > > Looking through the wildfly documentation > https://docs.jboss.org/author/display/WFLY10/add-user+utility and also > comparing the add-user.sh script in the keycloak distro to a normal wildfly > distro it looks like it has been replaced. > > How do you create a wildfly admin user with the keycloak distro? Shouldn't > the wildfly admin scripts stay as they are and the keycloak script added > with a different name? 
>
> Cheers,
> Niels
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Markus.Lauer at co-met.info Wed Mar 23 05:21:48 2016
From: Markus.Lauer at co-met.info (Lauer Markus)
Date: Wed, 23 Mar 2016 09:21:48 +0000
Subject: [keycloak-user] Arquillian Remote Container / Secured Webroot
Message-ID: <1458724896.4526.31.camel@co-met.info>

Hello,

This problem is not really Keycloak-specific, but maybe someone else using Keycloak stumbled over this:

A WAR deployment with context-root "/" has a security-constraint as follows:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Customers</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

Each access to the application should be restricted.

Now Arquillian deploys its testing deployment also to the same webroot and as a result the tests can not be run. (Can not handle redirect to Keycloak server.)

Error launching test at http://0.0.0.0:8080/dd2ff55e-faa7-41fe-b092-8cc14d8ef4ae/ArquillianServletRunner?outputMode=serializedObject&className=some.example.TestClass&methodName=someTest. Got 302 (Found)

I do not want to blacklist all application paths/resources separately (so that access to arquillian's UUID-named deployment would be possible), because I'm afraid to forget one path.

Solution could be s/th like get a token via direct access grant and inject it somehow into arquillian's requests...

How do you handle this?

Regards,
Markus.

________________________________
To read the legal notices for this mail, please copy the URL below into your browser or follow the link.
http://disclaimer.tec-saar.de/co-met.htm

From guus.der.kinderen at gmail.com Wed Mar 23 05:30:08 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Wed, 23 Mar 2016 10:30:08 +0100
Subject: [keycloak-user] Total user count
Message-ID:

Hi there,

Recently, I switched from WSO2 Identity Server to Keycloak, and all of a sudden, the sun is shining a bit brighter, birds are singing cheerful songs, and I'm pretty sure I just saw a unicorn pass by, leaving multi-colored droppings. Thanks!

That being said, I'm still pretty new, and could use some help. I'll probably have more questions like these pretty soon. Is there an instant messaging based channel (IRC, XMPP?) where you guys hang out? For the entry-level questions that I have, that might be more suitable.

In any case: my first question:

We're using keycloak to form the user base of our existing product. Integration is going well, but I'm running into a snag: the existing product has a paged user overview - much like the keycloak administrative interface. However, unlike the keycloak interface, I need to be able to calculate the exact amount of pages (keycloak resorts to having a 'next page' button only, I need to explicitly provide references to every page). To be able to integrate, I need to find a way to retrieve the total number of users for a particular realm. So far, I'm retrieving all users to be able to count them, which quite obviously defeats the purpose of having a paginated call in the first place.

Is there a better way than keycloak.realm( "myRealm" ).users().search( null, null, null ).size() ?

Kind regards,

Guus
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/be1a6548/attachment.html From parsectix at gmail.com Wed Mar 23 07:32:41 2016 From: parsectix at gmail.com (Pavlos Kleanthous) Date: Wed, 23 Mar 2016 11:32:41 +0000 Subject: [keycloak-user] keycloak configuration In-Reply-To: References: Message-ID: Just compare the documentation from another redhat product FreeIPA I have read this documentation and setup/configure IPA server very easy. Keycloak's current documentation looks like more as a developers manual to me. On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen wrote: > Could you elaborate on what is missing from the documentation? That would > be helpful. > On 22 Mar 2016 12:05, "Pavlos Kleanthous" wrote: > >> Dear all, >> >> I dropped the project at the moment. The lack of documentation is too >> time consuming. >> >> Hope that soon keycloak will have it. >> >> >> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen >> wrote: >> >>> What adapter? Is the server and client adapter both 1.9.1? We did >>> recently deprecate some OIDC endpoints. I think ../login is gone and it >>> should be ../auth. So if you are using an old adapter that may be the issue. >>> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" >>> wrote: >>> >>>> Yours. >>>> >>>> I configured the realm with the same settings on both versions 1.9.1 >>>> and 1.8.1. >>>> >>>> >>>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen >>> > wrote: >>>> >>>>> Client ID has nothing to do with this issue as it would show an login >>>>> error page not a not found. So must be either realm name or another part of >>>>> URL is wrong. >>>>> >>>>> Are you using our adapters or another library atm? >>>>> >>>>> I'm answering on my phone on the plane so can't look into it more atm. >>>>> On 17 Mar 2016 10:00, "Pavlos Kleanthous" wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> In jenkins, I'm pasting the JSON configuration that it can found >>>>>> inside "Installation" tab. 
>>>>>> >>>>>> Instead of using keycloak client plugins, can I use a generic oauth >>>>>> plugin in my apps? How can I configure my keycloak for this? >>>>>> i.e. Instead of using google's oauth URL use my own pointing to >>>>>> keycloak. >>>>>> >>>>>> >>>>>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj >>>>>> wrote: >>>>>> >>>>>>> In your jenkins realm - under Clients do you have a client called >>>>>>> 'ci'? That's the client_id used in your request. >>>>>>> >>>>>>> AFAIK nothing changed in this part of the code since 1.8.1. >>>>>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" >>>>>>> wrote: >>>>>>> >>>>>>>> yes I can. >>>>>>>> >>>>>>>> Please note that this is a problem of version 1.9.1. >>>>>>>> I have tried now version 1.8.1 and it redirect me to keycloak. >>>>>>>> >>>>>>>> p.s. I'm using the official containers from docker hub. >>>>>>>> >>>>>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj < >>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>> >>>>>>>>> Are you able to login into admin console at: >>>>>>>>> http://192.168.99.100:32786/auth >>>>>>>>> >>>>>>>>> And you see the realm called 'jenkins' there? >>>>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> Hi guys adding to this. Please see the HTTP requests and >>>>>>>>>> responses. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 1. Request URL: >>>>>>>>>> >>>>>>>>>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>>>>>>>>> 2. Request Method: >>>>>>>>>> GET >>>>>>>>>> 3. Status Code: >>>>>>>>>> 302 Found >>>>>>>>>> 4. Remote Address: >>>>>>>>>> 192.168.99.100:32769 >>>>>>>>>> 1. Response Headersview source >>>>>>>>>> 1. Content-Length: >>>>>>>>>> 0 >>>>>>>>>> 2. Location: >>>>>>>>>> >>>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>>> 3. 
Server: >>>>>>>>>> Jetty(winstone-2.9) >>>>>>>>>> 4. X-Content-Type-Options: >>>>>>>>>> nosniff >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 1. Request URL: >>>>>>>>>> >>>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>>> 2. Request Method: >>>>>>>>>> GET >>>>>>>>>> 3. Status Code: >>>>>>>>>> *404 Not Found* >>>>>>>>>> 4. Remote Address: >>>>>>>>>> 192.168.99.100:32786 >>>>>>>>>> 1. Response Headersview source >>>>>>>>>> 1. Connection: >>>>>>>>>> keep-alive >>>>>>>>>> 2. Content-Length: >>>>>>>>>> 0 >>>>>>>>>> 3. Date: >>>>>>>>>> Wed, 16 Mar 2016 10:30:40 GMT >>>>>>>>>> 4. Server: >>>>>>>>>> WildFly/10 >>>>>>>>>> 5. X-Powered-By: >>>>>>>>>> Undertow/1 >>>>>>>>>> 2. Request Headersview source >>>>>>>>>> 1. Accept: >>>>>>>>>> >>>>>>>>>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>>>>> 2. Accept-Encoding: >>>>>>>>>> gzip, deflate, sdch >>>>>>>>>> 3. Accept-Language: >>>>>>>>>> en-US,en;q=0.8,el;q=0.6 >>>>>>>>>> 4. Connection: >>>>>>>>>> keep-alive >>>>>>>>>> 5. 
Cookie: >>>>>>>>>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>>>>>>>>> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDenigQ9FnaP6DEyOvd8v2Yo; >>>>>>>>>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >>>>>>>>>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>>>>>>>>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>>>>>>>>> 6. DNT: >>>>>>>>>> 1 >>>>>>>>>> 7. Host: >>>>>>>>>> 192.168.99.100:32786 >>>>>>>>>> 8. Referer: >>>>>>>>>> http://192.168.99.100:32769/ >>>>>>>>>> 9. Save-Data: >>>>>>>>>> on >>>>>>>>>> 10. Upgrade-Insecure-Requests: >>>>>>>>>> 1 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous < >>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Thanks for pointing this out. I think it does not matter as the >>>>>>>>>>> same name can be found in "Installation" tab where >>>>>>>>>>> I copied the configuration. >>>>>>>>>>> >>>>>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj < >>>>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Looks like you mistyped your client id: 'jenknis'. 
>>>>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" < >>>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Hello, >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> I'm trying to configure keycloak for first time. My setup has >>>>>>>>>>>>> 2 containers keycloak and jenkins. >>>>>>>>>>>>> Following the example how to integrate those two, I created a >>>>>>>>>>>>> realm and a client called "jenkins". >>>>>>>>>>>>> >>>>>>>>>>>>> It seams that the realm configuration it's not correct as I >>>>>>>>>>>>> get the following debug error. >>>>>>>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>>> (default task-12) RESTEASY002010: Failed to execute: >>>>>>>>>>>>> javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for >>>>>>>>>>>>> full path: >>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>>>>>>>>> " >>>>>>>>>>>>> >>>>>>>>>>>>> I noticed that " >>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" it >>>>>>>>>>>>> works. 
>>>>>>>>>>>>> >>>>>>>>>>>>> if I access the URL: >>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci >>>>>>>>>>>>> >>>>>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>>>>>>>>> >>>>>>>>>>>>> Can you help how to find the problem ? >>>>>>>>>>>>> >>>>>>>>>>>>> p.s. is there any other way to find help on those matters? >>>>>>>>>>>>> Tried IRC but nobody is replying there... >>>>>>>>>>>>> >>>>>>>>>>>>> Thank you >>>>>>>>>>>>> >>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>> >> -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/0a98086d/attachment-0001.html
From Markus.Lauer at co-met.info Wed Mar 23 08:01:04 2016 From: Markus.Lauer at co-met.info (Lauer Markus) Date: Wed, 23 Mar 2016 12:01:04 +0000 Subject: [keycloak-user] Arquillian / Remote Container / EJB Security Message-ID: <1458734452.4526.43.camel@co-met.info>

Hello,

We'd like to access secured EJBs (@RolesAllowed) from Arquillian tests.

While it is no problem to get a valid access token, we are stuck at how to "inject" the token into the session to actually access the secured EJBs.

Is it possible to use the JAAS LoginModule (LoginContext etc.) for this?

Can someone provide an example?

Please note: There is a solution with @RunAs. But this only allows specifying one role at a time.

Regards,

Markus.

________________________________

To read the legal notices for this mail, please copy the URL given below into your browser or follow the link.

http://disclaimer.tec-saar.de/co-met.htm
-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4628 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/431729ea/attachment.bin
From adrianmatei at gmail.com Wed Mar 23 08:13:19 2016 From: adrianmatei at gmail.com (Adrian Matei) Date: Wed, 23 Mar 2016 13:13:19 +0100 Subject: [keycloak-user] User old password verification via REST admin api In-Reply-To: References: Message-ID:

Thank you two for your inputs. In the end we've decided to overwrite the passwd.ftl and use the Keycloak account backend functionality.

Best regards,
Adrian

On Tue, Mar 22, 2016 at 7:13 AM, Stian Thorgersen wrote:
> Bear in mind that approach will result in a session being created, so I wouldn't recommend doing that to check a password.
> On 22 Mar 2016 01:44, "Doug Szeto" wrote:
>
>> If you already have the username and old password that you want to check, I just attempt to retrieve an access token. If it works, you know the old password is correct, then you can proceed with changing the password.
>>
>> POST - /auth/realms/{realm}/protocol/openid-connect/token
>>
>> headers.set("content-type", "application/x-www-form-urlencoded");
>> headers.set("accept", "application/json");
>>
>> body.add("grant_type", "password");
>> body.add("username", username);
>> body.add("password", password);
>> body.add("client_id", clientId);
>>
>> From: on behalf of Stian Thorgersen
>> Reply-To: "stian at redhat.com"
>> Date: Monday, March 21, 2016 at 10:11 PM
>> To: Adrian Matei
>> Cc: keycloak-user
>> Subject: Re: [keycloak-user] User old password verification via REST admin api
>>
>> No, with the admin endpoints you can't retrieve the password, nor can you expect an admin to know the existing password, so it shouldn't verify it either.
>>
>> On 21 March 2016 at 14:35, Adrian Matei wrote:
>>
>>> Hi everyone,
>>>
>>> Use case: "reset user password via REST admin API - PUT /admin/realms/{realm}/users/{id}/reset-password"
>>>
>>> Is there a possibility to verify the user's old password before changing it, as is the case via the Account app?
>>>
>>> Thanks,
>>> Adrian
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
-------------- next part -------------- An HTML attachment was scrubbed... 
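The password-grant check Doug describes, together with the cleanup Stian's objection calls for, as an added example that is not code from this thread or from the Keycloak project. It posts the resource-owner password grant to the realm's token endpoint, treats only an explicit `invalid_grant` as "wrong password" (so a client with direct access grants disabled is not misreported), and then ends the session the grant created by posting the refresh token to the realm's logout endpoint. The base URL, realm name, client id `my-app` (assumed to be a public client with Direct Access Grants enabled) and the `FakeKeycloak` responder are assumptions and constructed data, not anything from the page.

```python
"""Check a user's current password against Keycloak's token endpoint.

Added example, not code from the thread. It performs the resource-owner
password grant Doug describes and then addresses Stian's objection by logging
the new session out again with the refresh token, so the check leaves no user
session behind. Assumed, not stated on the page: a public client (client_id
below) with the Direct Access Grants flow enabled.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"
LOGOUT_PATH = "/auth/realms/{realm}/protocol/openid-connect/logout"


def urllib_post(url, form):
    """Real transport: POST a form-encoded body, return (status, body_text)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def _json(body):
    """Parse a JSON body, tolerating empty or non-JSON error pages."""
    try:
        return json.loads(body) if body else {}
    except ValueError:
        return {}


def verify_password(base_url, realm, client_id, username, password, post=urllib_post):
    """Return True if the credentials are accepted, False if rejected.

    Anything other than a clean accept or an explicit invalid_grant raises, so
    a misconfigured client (direct grants disabled, wrong client id) is never
    reported as "wrong password". On success the session that the grant
    created is ended straight away via the logout endpoint.
    """
    realm_q = urllib.parse.quote(realm)
    status, body = post(base_url + TOKEN_PATH.format(realm=realm_q), {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    })
    payload = _json(body)
    if status == 200 and "access_token" in payload:
        if payload.get("refresh_token"):
            post(base_url + LOGOUT_PATH.format(realm=realm_q), {
                "client_id": client_id,
                "refresh_token": payload["refresh_token"],
            })
        return True
    if status == 401 and payload.get("error") == "invalid_grant":
        return False
    raise RuntimeError(f"unexpected token response {status}: {body[:200]}")


class FakeKeycloak:
    """Constructed stand-in for the two endpoints (no live server): answers
    like Keycloak does for a good/bad password and for a client without direct
    access grants, and records every call for inspection."""

    def __init__(self, good_password, direct_grants_enabled=True):
        self.good_password = good_password
        self.direct_grants_enabled = direct_grants_enabled
        self.calls = []

    def __call__(self, url, form):
        self.calls.append((url, dict(form)))
        if url.endswith("/token"):
            if not self.direct_grants_enabled:
                return 400, json.dumps({"error": "unauthorized_client",
                                        "error_description": "Client not allowed for direct access grants"})
            if form.get("password") == self.good_password:
                return 200, json.dumps({"access_token": "eyJ.fake.access",
                                        "refresh_token": "eyJ.fake.refresh"})
            return 401, json.dumps({"error": "invalid_grant",
                                    "error_description": "Invalid user credentials"})
        if url.endswith("/logout"):
            return 204, ""
        return 404, ""


if __name__ == "__main__":
    kc = FakeKeycloak("correct horse battery staple")
    print(verify_password("http://localhost:8080", "demo", "my-app", "alice",
                          "correct horse battery staple", post=kc))
    print([url for url, _ in kc.calls])
```

Against a real server, drop the `post=` argument; the default transport uses urllib. The logout call is what keeps this from accumulating a session per check, which is the side effect Stian warns about; a confidential client would additionally need `client_secret` in both form bodies.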
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/447c381f/attachment.html
From guus.der.kinderen at gmail.com Wed Mar 23 09:04:00 2016 From: guus.der.kinderen at gmail.com (Guus der Kinderen) Date: Wed, 23 Mar 2016 14:04:00 +0100 Subject: [keycloak-user] Internal Server Error when trying to get (all) members of a group Message-ID:

Hiya,

Using the admin-client on a Keycloak 1.9.1 instance, I'm running into something odd. I'm trying to obtain all members from a particular group in a particular realm. My code, simplified:

public List<UserRepresentation> getAllUsersInGroup( String groupName )
{
    RealmResource realmRes = keycloak.realm( "myrealm" );
    GroupRepresentation group = realmRes.getGroupByPath( "/" + groupName );
    GroupResource groupRes = realmRes.groups().group( group.getId() );
    // first = null, max = null: this call fails with HTTP 500 (trace below)
    return groupRes.members( null, null );
}

Oddly enough, the last line throws a javax.ws.rs.InternalServerErrorException.

When I look at the log from my keycloak instance, I see a stacktrace that suggests that -2 is used for the maxResult value (but it isn't - it's null). What's going on here?
13:32:01,519 ERROR [io.undertow.request] (default task-40) UT005023: Exception handling request to /auth/admin/realms/myrealm/groups/ad2251c9-8e21-4eb6-903d-679f49cceb9e/members: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: Negative value (-2) passed to setMaxResults at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.IllegalArgumentException: Negative value (-2) passed to setMaxResults at org.hibernate.jpa.spi.BaseQueryImpl.setMaxResults(BaseQueryImpl.java:131) at org.hibernate.jpa.spi.AbstractQueryImpl.setMaxResults(AbstractQueryImpl.java:78) at org.hibernate.jpa.spi.AbstractQueryImpl.setMaxResults(AbstractQueryImpl.java:32) at org.keycloak.models.jpa.JpaUserProvider.getGroupMembers(JpaUserProvider.java:382) at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getGroupMembers(DefaultCacheUserProvider.java:203) at org.keycloak.models.UserFederationManager$2.query(UserFederationManager.java:194) at org.keycloak.models.UserFederationManager.query(UserFederationManager.java:297) at org.keycloak.models.UserFederationManager.getGroupMembers(UserFederationManager.java:190) at org.keycloak.services.resources.admin.GroupResource.getMembers(GroupResource.java:189) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) ... 37 more
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/a296b606/attachment-0001.html
From guus.der.kinderen at gmail.com Wed Mar 23 09:11:27 2016 From: guus.der.kinderen at gmail.com (Guus der Kinderen) Date: Wed, 23 Mar 2016 14:11:27 +0100 Subject: [keycloak-user] Internal Server Error when trying to get (all) members of a group In-Reply-To: References: Message-ID:

Insta-update: passing explicit values to the method call works around the issue:

public List<UserRepresentation> getAllUsersInGroup( String groupName )
{
    RealmResource realmRes = keycloak.realm( "myrealm" );
    GroupRepresentation group = realmRes.getGroupByPath( "/" + groupName );
    GroupResource groupRes = realmRes.groups().group( group.getId() );
    // explicit first/max instead of null: one unbounded page, no HTTP 500
    return groupRes.members( 0, Integer.MAX_VALUE );
}

On 23 March 2016 at 14:04, Guus der Kinderen wrote:
> Hiya,
>
> Using the admin-client on a Keycloak 1.9.1 instance, I'm running into something odd. I'm trying to obtain all members from a particular group in a particular realm.
> My code, simplified:
>
> public List<UserRepresentation> getAllUsersInGroup( String groupName )
> {
>     RealmResource realmRes = keycloak.realm( "myrealm" );
>     GroupRepresentation group = realmRes.getGroupByPath( "/" + groupName );
>     GroupResource groupRes = realmRes.groups().group( group.getId() );
>     return groupRes.members( null, null );
> }
>
> Oddly enough, the last line throws a javax.ws.rs.InternalServerErrorException.
>
> When I look at the log from my keycloak instance, I see a stacktrace that suggests that -2 is used for the maxResult value (but it isn't - it's null). What's going on here?
>
> 13:32:01,519 ERROR [io.undertow.request] (default task-40) UT005023: Exception handling request to /auth/admin/realms/myrealm/groups/ad2251c9-8e21-4eb6-903d-679f49cceb9e/members: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: Negative value (-2) passed to setMaxResults
> [...]
> Caused by: java.lang.IllegalArgumentException: Negative value (-2) passed to setMaxResults
> at org.hibernate.jpa.spi.BaseQueryImpl.setMaxResults(BaseQueryImpl.java:131)
> [...]
> at org.keycloak.models.jpa.JpaUserProvider.getGroupMembers(JpaUserProvider.java:382)
> [...]
> at org.keycloak.services.resources.admin.GroupResource.getMembers(GroupResource.java:189)
> ... 37 more
>
-------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/4034fbf6/attachment.html
From mposolda at redhat.com Wed Mar 23 09:47:32 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 23 Mar 2016 14:47:32 +0100 Subject: [keycloak-user] Internal Server Error when trying to get (all) members of a group In-Reply-To: References: Message-ID: <56F29E74.1090505@redhat.com>

Feel free to create a JIRA for this. The admin console always uses some good default values for min and max, so it's not a very big issue IMO, but it would still be good to fix.

Marek

On 23/03/16 14:11, Guus der Kinderen wrote:
> Insta-update: passing explicit values to the method call works around the issue:
>
> public List<UserRepresentation> getAllUsersInGroup( String groupName )
> {
>     RealmResource realmRes = keycloak.realm( "myrealm" );
>     GroupRepresentation group = realmRes.getGroupByPath( "/" + groupName );
>     GroupResource groupRes = realmRes.groups().group( group.getId() );
>     return groupRes.members( 0, Integer.MAX_VALUE );
> }
>
> On 23 March 2016 at 14:04, Guus der Kinderen wrote:
>
> > Hiya,
> >
> > Using the admin-client on a Keycloak 1.9.1 instance, I'm running into something odd. I'm trying to obtain all members from a particular group in a particular realm. My code, simplified:
> >
> > public List<UserRepresentation> getAllUsersInGroup( String groupName )
> > {
> >     RealmResource realmRes = keycloak.realm( "myrealm" );
> >     GroupRepresentation group = realmRes.getGroupByPath( "/" + groupName );
> >     GroupResource groupRes = realmRes.groups().group( group.getId() );
> >     return groupRes.members( null, null );
> > }
> >
> > Oddly enough, the last line throws a javax.ws.rs.InternalServerErrorException.
> >
> > When I look at the log from my keycloak instance, I see a stacktrace that suggests that -2 is used for the maxResult value (but it isn't - it's null). What's going on here?
> >
> > 13:32:01,519 ERROR [io.undertow.request] (default task-40) UT005023: Exception handling request to /auth/admin/realms/myrealm/groups/ad2251c9-8e21-4eb6-903d-679f49cceb9e/members: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: Negative value (-2) passed to setMaxResults
> > [...]
> > Caused by: java.lang.IllegalArgumentException: Negative value (-2) passed to setMaxResults
> > at org.hibernate.jpa.spi.BaseQueryImpl.setMaxResults(BaseQueryImpl.java:131)
> > [...]
> > at org.keycloak.models.jpa.JpaUserProvider.getGroupMembers(JpaUserProvider.java:382)
> > [...]
> > at org.keycloak.services.resources.admin.GroupResource.getMembers(GroupResource.java:189)
> > ... 37 more
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/3c3ad299/attachment-0001.html
From mposolda at redhat.com Wed Mar 23 09:52:38 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 23 Mar 2016 14:52:38 +0100 Subject: [keycloak-user] Total user count In-Reply-To: References: Message-ID: <56F29FA6.7020602@redhat.com>

On 23/03/16 10:30, Guus der Kinderen wrote:
> Hi there,
>
> Recently, I switched from WSO2 Identity Server to Keycloak, and all of a sudden, the sun is shining a bit brighter, birds are singing cheerful songs, and I'm pretty sure I just saw a unicorn pass by, leaving multi-colored droppings. Thanks!
Nice summary, we should put it on our homepage :-)

> That being said, I'm still pretty new, and could use some help. I'll probably have more questions like these pretty soon. Is there an instant messaging based channel (IRC, XMPP?) where you guys hang out? For the entry-level questions that I have, that might be more suitable.

We have #keycloak on freenode, but using the keycloak-user mailing list is better, as not all members are on IRC and an asynchronous channel is preferred.

> In any case, my first question: we're using keycloak to form the user base of our existing product. Integration is going well, but I'm running into a snag: the existing product has a paged user overview - much like the keycloak administrative interface. However, unlike the keycloak interface, I need to be able to calculate the exact number of pages (keycloak resorts to having a 'next page' button only; I need to explicitly provide references to every page).
>
> To be able to integrate, I need to find a way to retrieve the total number of users for a particular realm. So far, I'm retrieving all users to be able to count them, which quite obviously defeats the purpose of having a paginated call in the first place. Is there a better way than keycloak.realm( "myRealm" ).users().search( null, null, null ).size() ?

We have a model method getUsersCount(), but it looks like we don't have it exposed through the admin REST endpoint. Feel free to create a JIRA.

Marek

> Kind regards,
>
> Guus
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part -------------- An HTML attachment was scrubbed... 
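An added example, not code from either thread or from the Keycloak project, that serves both the group-members question above (where `members( null, null )` ends in a negative `setMaxResults` and the workaround is one `Integer.MAX_VALUE` page) and the user-count question in this thread: a small paging loop over the admin REST API that always sends explicit `first`/`max` values and walks the collection page by page. It also counts a realm's users with the same loop, which still transfers every user, since, as Marek notes, getUsersCount() is not exposed over REST. The base URL, realm, group id, bearer token and the `FakeAdminApi` responder are assumptions and constructed data; the endpoint paths are the admin paths quoted in the thread.

```python
"""Page through Keycloak admin REST collections with explicit first/max.

Added example, not code from the thread. Covers fetching every member of a
group without null parameters (which the 1.9.1 server turns into a negative
setMaxResults) and without a single Integer.MAX_VALUE page, and counting a
realm's users when no count endpoint is exposed. Base URL, realm and group id
are placeholders; the GET callable is injected so the loop can run offline
against the constructed FakeAdminApi below.
"""
import json
import urllib.parse
import urllib.request


def bearer_get(token):
    """Real transport factory: GET a JSON resource with an admin access token."""
    def get(url):
        req = urllib.request.Request(url)
        req.add_header("Authorization", "Bearer " + token)
        req.add_header("Accept", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read().decode())
    return get


def iter_collection(get, url, page_size=100):
    """Yield every item of a paged collection, requesting page_size at a time.

    Stops on the first short page. page_size is validated so the request never
    carries max<=0, the kind of value the server rejected in the trace above.
    """
    if page_size < 1:
        raise ValueError("page_size must be positive")
    first = 0
    sep = "&" if "?" in url else "?"
    while True:
        page = get(f"{url}{sep}first={first}&max={page_size}")
        yield from page
        if len(page) < page_size:
            return
        first += page_size


def admin_url(base_url, realm, *segments):
    """Build /auth/admin/realms/{realm}/... with the realm name URL-encoded."""
    return f"{base_url}/auth/admin/realms/{urllib.parse.quote(realm, safe='')}/" + "/".join(segments)


def group_members(get, base_url, realm, group_id, page_size=100):
    """All members of one group, as the thread's getAllUsersInGroup does."""
    return list(iter_collection(get, admin_url(base_url, realm, "groups", group_id, "members"), page_size))


def count_users(get, base_url, realm, page_size=500):
    """Total users in the realm by paging /users (transfers every user)."""
    return sum(1 for _ in iter_collection(get, admin_url(base_url, realm, "users"), page_size))


class FakeAdminApi:
    """Constructed stand-in for the two admin endpoints: slices a fixed list by
    first/max and, like the real server in the trace above, fails on a negative
    max. Records every URL requested."""

    def __init__(self, members, users):
        self.members, self.users = members, users
        self.requests = []

    def __call__(self, url):
        self.requests.append(url)
        path, _, query = url.partition("?")
        params = dict(urllib.parse.parse_qsl(query))
        first = int(params.get("first", -1))
        maximum = int(params.get("max", -1))
        if maximum < 0:
            raise RuntimeError("HTTP 500: Negative value passed to setMaxResults")
        start = max(first, 0)
        data = self.members if path.endswith("/members") else self.users
        return data[start:start + maximum]


if __name__ == "__main__":
    users = [{"id": f"u{i}", "username": f"user{i}"} for i in range(7)]
    api = FakeAdminApi(members=users[:5], users=users)
    print([m["username"] for m in group_members(api, "http://localhost:8080", "myrealm", "g-1", page_size=2)])
    print(count_users(api, "http://localhost:8080", "myrealm", page_size=3))
    print(len(api.requests), "requests made")
```

Against a live server pass `bearer_get(token)` as `get`, with `token` an access token that carries the realm-management roles for the realm. Keeping `page_size` moderate bounds each response, which `Integer.MAX_VALUE` does not.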
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/dac8b581/attachment.html
From mposolda at redhat.com Wed Mar 23 10:01:17 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 23 Mar 2016 15:01:17 +0100 Subject: [keycloak-user] Arquillian / Remote Container / EJB Security In-Reply-To: <1458734452.4526.43.camel@co-met.info> References: <1458734452.4526.43.camel@co-met.info> Message-ID: <56F2A1AD.90300@redhat.com>

We have an example here: http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jboss-adapter .

Then, if there is a possibility to somehow access the JAAS Subject or Principal from the JAAS authentication inside the EJB (which I hope there is), you can just cast the principal to KeycloakPrincipal and retrieve the accessToken from it.

Marek

On 23/03/16 13:01, Lauer Markus wrote:
> Hello,
>
> We'd like to access secured EJBs (@RolesAllowed) from Arquillian tests.
>
> While it is no problem to get a valid access token, we are stuck at how to "inject" the token into the session to actually access the secured EJBs.
>
> Is it possible to use the JAAS LoginModule (LoginContext etc.) for this?
>
> Can someone provide an example?
>
> Please note: There is a solution with @RunAs. But this only allows specifying one role at a time.
>
> Regards,
>
> Markus.
>
> ________________________________
>
> To read the legal notices for this mail, please copy the URL given below into your browser or follow the link.
>
> http://disclaimer.tec-saar.de/co-met.htm
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part -------------- An HTML attachment was scrubbed... 
From guus.der.kinderen at gmail.com Wed Mar 23 10:08:24 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Wed, 23 Mar 2016 15:08:24 +0100
Subject: [keycloak-user] Total user count
In-Reply-To: <56F29FA6.7020602@redhat.com>
References: <56F29FA6.7020602@redhat.com>

Thanks for your fast response! I created https://issues.jboss.org/browse/KEYCLOAK-2704 to track the getUsersCount() REST exposure.

- Guus

On 23 March 2016 at 14:52, Marek Posolda wrote:
> Nice summary, we should put it on our homepage :-)
>
> We have #keycloak on freenode, but using the keycloak-user mailing list is
> better, as not all members are on IRC and an asynchronous channel is preferred.
> We have a model method getUsersCount(), but it looks like we don't have it
> exposed through the admin REST endpoint. Feel free to create a JIRA.
>
> Marek

From Markus.Lauer at co-met.info Wed Mar 23 10:15:12 2016
From: Markus.Lauer at co-met.info (Lauer Markus)
Date: Wed, 23 Mar 2016 14:15:12 +0000
Subject: [keycloak-user] Arquillian / Remote Container / EJB Security
In-Reply-To: <56F2A1AD.90300@redhat.com>
References: <1458734452.4526.43.camel@co-met.info> <56F2A1AD.90300@redhat.com>
Message-ID: <1458742499.4526.53.camel@co-met.info>

On Wednesday, 23.03.2016, 15:01 +0100, Marek Posolda wrote:
> We have some example here:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jboss-adapter .
>
> Then if there is a possibility to somehow access the JAAS Subject or
> Principal from the JAAS authentication inside the EJB (which I hope there
> is), you can just cast the principal to KeycloakPrincipal and retrieve
> the accessToken from it.
>
> Marek

Hi Marek,

I think I understood the EJB part and it is working as expected: @RolesAllowed methods are secured and I can access them after the normal Keycloak browser login, if the user has the appropriate role.

My question was how to do the login for automated testing with Arquillian, so that the test methods can access the secured EJB methods.
One solution is described here (@RunAs solution): https://samaxes.com/2014/11/test-javaee-security-with-arquillian/

What I need instead is a user login, so that the current principal/user has all his roles...

> +----------------------------------------------------------------------+
> | SecureMail Gateway                                                   |
> | A service for email signature and encryption                         |
> | Provided by VVS-KONZERN                                              |
> +----------------------------------------------------------------------+
> | - The message was neither encrypted nor digitally signed             |
> +----------------------------------------------------------------------+
From guus.der.kinderen at gmail.com Wed Mar 23 10:22:33 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Wed, 23 Mar 2016 15:22:33 +0100
Subject: [keycloak-user] Internal Server Error when trying to get (all) members of a group
In-Reply-To: <56F29E74.1090505@redhat.com>
References: <56F29E74.1090505@redhat.com>

All right. Here's the JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-2705

- Guus

On 23 March 2016 at 14:47, Marek Posolda wrote:
> Feel free to create a JIRA for this. The admin console is always using some good
> default values for min and max, so it's not a very big issue IMO, but it still
> would be good to fix.
>
> Marek
>
> On 23/03/16 14:11, Guus der Kinderen wrote:
> Insta-update: passing explicit values to the method call works around the
> issue:
>
>     public List<UserRepresentation> getAllUsersInGroup( String groupName )
>     {
>         RealmResource realmRes = keycloak.realm( "myrealm" );
>         GroupRepresentation group = realmRes.getGroupByPath( "/" + groupName );
>         GroupResource groupRes = realmRes.groups().group( group.getId() );
>         // explicit bounds instead of (null, null) avoid the server-side error
>         return groupRes.members( 0, Integer.MAX_VALUE );
>     }
>
> On 23 March 2016 at 14:04, Guus der Kinderen wrote:
>> Hiya,
>>
>> Using the admin-client on a Keycloak 1.9.1 instance, I'm running into
>> something odd. I'm trying to obtain all members from a particular group in
>> a particular realm. My code, simplified:
>>
>>     public List<UserRepresentation> getAllUsersInGroup( String groupName )
>>     {
>>         RealmResource realmRes = keycloak.realm( "myrealm" );
>>         GroupRepresentation group = realmRes.getGroupByPath( "/" + groupName );
>>         GroupResource groupRes = realmRes.groups().group( group.getId() );
>>         // null bounds: this is the call that fails on 1.9.1
>>         return groupRes.members( null, null );
>>     }
>>
>> Oddly enough, the last line throws
>> a javax.ws.rs.InternalServerErrorException.
>>
>> When I look at the log from my keycloak instance, I see a stacktrace that
>> suggests that -2 is used for the maxResult value (but it isn't - it's
>> null). What's going on here?
>>
>> 13:32:01,519 ERROR [io.undertow.request] (default task-40) UT005023: Exception handling request to /auth/admin/realms/myrealm/groups/ad2251c9-8e21-4eb6-903d-679f49cceb9e/members: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: Negative value (-2) passed to setMaxResults
>>     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
>>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>     at
>>        io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at
>>        io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     at java.lang.Thread.run(Thread.java:745)
>> Caused by: java.lang.IllegalArgumentException: Negative value (-2) passed to setMaxResults
>>     at org.hibernate.jpa.spi.BaseQueryImpl.setMaxResults(BaseQueryImpl.java:131)
>>     at org.hibernate.jpa.spi.AbstractQueryImpl.setMaxResults(AbstractQueryImpl.java:78)
>>     at org.hibernate.jpa.spi.AbstractQueryImpl.setMaxResults(AbstractQueryImpl.java:32)
>>     at org.keycloak.models.jpa.JpaUserProvider.getGroupMembers(JpaUserProvider.java:382)
>>     at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getGroupMembers(DefaultCacheUserProvider.java:203)
>>     at org.keycloak.models.UserFederationManager$2.query(UserFederationManager.java:194)
>>     at org.keycloak.models.UserFederationManager.query(UserFederationManager.java:297)
>>     at org.keycloak.models.UserFederationManager.getGroupMembers(UserFederationManager.java:190)
>>     at org.keycloak.services.resources.admin.GroupResource.getMembers(GroupResource.java:189)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>     ... 37 more
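An added example, not code from this thread or from the Keycloak project, that serves both threads above: it drives the admin-client list endpoints page by page with explicit, non-null bounds, so it never hits the members(null, null) failure shown in the stack trace and never holds a whole realm's user list in memory just to count it, as search(null, null, null).size() does. It assumes the 1.9.x admin-client signatures quoted in the thread, GroupResource.members(Integer, Integer) and UsersResource.search(String, Integer, Integer); the page size is a constructed value.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.BiFunction;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.GroupResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Paged access to admin-client list endpoints. Added example; relies only on
 * the admin-client method signatures quoted in the thread (1.9.x).
 */
public final class PagedAdminQueries {

    /** Constructed value; tune it for the deployment. */
    static final int PAGE_SIZE = 200;

    private PagedAdminQueries() {}

    /**
     * Walks a (first, max) endpoint until a short page signals the end.
     * Bounds are always non-null and non-negative, so the server never sees
     * the null max that ended up as -2 in setMaxResults above.
     */
    static List<UserRepresentation> fetchAll(
            BiFunction<Integer, Integer, List<UserRepresentation>> page) {
        List<UserRepresentation> all = new ArrayList<>();
        int first = 0;
        while (true) {
            List<UserRepresentation> chunk = page.apply(first, PAGE_SIZE);
            if (chunk == null || chunk.isEmpty()) {
                break;
            }
            all.addAll(chunk);
            if (chunk.size() < PAGE_SIZE) {
                break; // short page: nothing left on the server
            }
            first += chunk.size();
        }
        return all;
    }

    /** Group members with explicit bounds instead of members(null, null). */
    public static List<UserRepresentation> allUsersInGroup(Keycloak keycloak,
                                                            String realm,
                                                            String groupName) {
        RealmResource realmRes = keycloak.realm(realm);
        GroupRepresentation group = realmRes.getGroupByPath("/" + groupName);
        GroupResource groupRes = realmRes.groups().group(group.getId());
        return fetchAll(groupRes::members);
    }

    /**
     * Realm user count until getUsersCount() is exposed over REST
     * (KEYCLOAK-2704). Still one round trip per page, but each response is
     * bounded and only the running total is retained, not every user.
     * The count can drift if users are added or removed while paging.
     */
    public static long countUsers(Keycloak keycloak, String realm) {
        long total = 0;
        int first = 0;
        while (true) {
            List<UserRepresentation> chunk =
                    keycloak.realm(realm).users().search(null, first, PAGE_SIZE);
            if (chunk == null || chunk.isEmpty()) {
                break;
            }
            total += chunk.size();
            if (chunk.size() < PAGE_SIZE) {
                break;
            }
            first += chunk.size();
        }
        return total;
    }
}
```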
From Markus.Lauer at co-met.info Wed Mar 23 10:28:41 2016
From: Markus.Lauer at co-met.info (Lauer Markus)
Date: Wed, 23 Mar 2016 14:28:41 +0000
Subject: [keycloak-user] Arquillian / Remote Container / EJB Security
In-Reply-To: <1458742499.4526.53.camel@co-met.info>
References: <1458734452.4526.43.camel@co-met.info> <56F2A1AD.90300@redhat.com> <1458742499.4526.53.camel@co-met.info>
Message-ID: <1458743308.4526.56.camel@co-met.info>

On Wednesday, 23.03.2016, 14:15 +0000, Lauer Markus wrote:
> My question was how to do the login for automated testing with
> Arquillian, so that the test methods can access the secured EJB methods.
>
> What I need instead is a user login, so that the current principal/user
> has all his roles...
I'm looking for something like this: https://developer.jboss.org/wiki/TestingSecuredEJBsOnWildFly81xWithArquillian

This could possibly be combined with: https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jaas-adapter
org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule

But I can not change the "keycloak" security-domain for testing...
From sthorger at redhat.com Wed Mar 23 11:28:55 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 23 Mar 2016 15:28:55 +0000
Subject: [keycloak-user] Total user count
References: <56F29FA6.7020602@redhat.com>

Thanks for the awesome comment.

We're actually planning to add a count to our console, so this will be added. Just wanted to point out that we're not adding more features to 1.9.x at this point, so this won't be available until 2.x.

On 23 Mar 2016 14:09, "Guus der Kinderen" wrote:
> Thanks for your fast response! I created
> https://issues.jboss.org/browse/KEYCLOAK-2704 to track the
> getUsersCount() REST exposure.
>
> - Guus
From guus.der.kinderen at gmail.com Wed Mar 23 11:30:43 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Wed, 23 Mar 2016 16:30:43 +0100
Subject: [keycloak-user] Total user count
References: <56F29FA6.7020602@redhat.com>

Understood. Although out of scope of this question and I-hate-when-they-ask-me-for-my-projects: when is 2.x available? :)

Also - we just started work on integration, based on 1.9 - will 2.0 be API compatible?
- Guus

On 23 March 2016 at 16:28, Stian Thorgersen wrote:
> Thanks for the awesome comment.
>
> We're actually planning to add a count to our console, so this will be
> added. Just wanted to point out that we're not adding more features to
> 1.9.x at this point so this won't be available until 2.x.
From sthorger at redhat.com Wed Mar 23 11:35:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 23 Mar 2016 15:35:31 +0000
Subject: [keycloak-user] Total user count
References: <56F29FA6.7020602@redhat.com>

First 2.x release is probably July/August.

Admin rest endpoints will be backwards compatible, but we are discussing at some point to introduce a v2. In this case v1 would be kept for at least a while.

The Java admin client library will be completely rewritten at some point.

On 23 Mar 2016 15:30, "Guus der Kinderen" wrote:
> Understood. Although out of scope of this question and
> I-hate-when-they-ask-me-for-my-projects: when is 2.x available? :)
>
> Also - we just started work on integration, based on 1.9 - will 2.0 be API
> compatible?
From guus.der.kinderen at gmail.com Wed Mar 23 11:38:28 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Wed, 23 Mar 2016 16:38:28 +0100
Subject: [keycloak-user] Total user count
References: <56F29FA6.7020602@redhat.com>

Meh, that's not very appealing. We're on somewhat of a deadline, and do expect huge numbers of users. Iterating over all of them, simply to get their count, isn't going to be a viable solution. I'd really like to avoid local caching. Can I somehow convince you to not see this as a new feature, but rather an improvement slash bugfix for a missing attribute exposure? :)

On 23 March 2016 at 16:35, Stian Thorgersen wrote:
> First 2.x release is probably July/August.
>
> Admin rest endpoints will be backwards compatible, but we are discussing
> at some point to introduce a v2.
> In this case v1 would be kept for at least a while.
>
> The Java admin client library will be completely rewritten at some point.
>>>>> >>>>> >>>>> In any case: my first question: We're using keycloak to form the user >>>>> base of our existing product. Integration is going well, but I'm running >>>>> into a snag: the existing product has a paged user overview - much like the >>>>> keycloak administrative interface. However, unlike the keycloak interface, >>>>> I need to be able to calculate the exact amount of pages (keycloak resorts >>>>> to having a 'next page' button only, I need to explicitly provide >>>>> references to every page). >>>>> >>>>> To be able to integrate, I need to find a way to retrieve the total >>>>> number of users for a particular realm. So far, I'm retrieving all users to >>>>> be able to count them, which quite obviously defeats the purpose of having >>>>> a paginated call in the first place. Is there a better way than >>>>> keycloak.realm( "myRealm" ).users().search( null, null, null ).size() ? >>>>> >>>>> We have model method for getUsersCount(), but looks we don't have it >>>>> exposed through admin REST endpoint. Feel free to create JIRA. >>>>> >>>>> Marek >>>>> >>>>> >>>>> Kind regards, >>>>> >>>>> Guus >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160323/cb08b04a/attachment.html From adrianmatei at gmail.com Thu Mar 24 03:58:14 2016 From: adrianmatei at gmail.com (Adrian Matei) Date: Thu, 24 Mar 2016 08:58:14 +0100 Subject: [keycloak-user] Cannot change the user's username in AD... 
Message-ID:

Hi everyone,

Following situation:
- Keycloak 1.7.0.Final
- Login settings
  - Email as username ON
  - Edit username ON
- AD Configuration
  - Edit mode: WRITABLE
  - Username LDAP attribute: cn (standard as all other attributes)

I've been trying in vain to change the username/email of a user (via the account application or via the admin console) - only the mail gets changed in AD and not the common name? Is there a particular setting I need to configure?

Thanks,
Adrian
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/f7b69316/attachment-0001.html From sthorger at redhat.com Thu Mar 24 04:49:39 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 24 Mar 2016 08:49:39 +0000 Subject: [keycloak-user] Total user count In-Reply-To: References: <56F29FA6.7020602@redhat.com> Message-ID: We will try to get it in, no promises though. On 23 March 2016 at 15:38, Guus der Kinderen wrote: > Meh, that's not very appealing. We're on somewhat of a deadline, and do > expect huge numbers of users. Iterating over all of them, simply to get > their count, isn't going to be a viable solution. I'd really like to avoid > local caching. Can I somehow convince you to not see this as a new feature, > but rather an improvement slash bugfix for a missing attribute exposure? :) > > On 23 March 2016 at 16:35, Stian Thorgersen wrote: > >> First 2.x release is probably July/August. >> >> Admin rest endpoints will be backwards compatible, but we are discussing >> at some point to introduce a v2. In this case v1 would be kept for at least >> a while. >> >> The Java admin client library will be completely rewritten at some point. >> On 23 Mar 2016 15:30, "Guus der Kinderen" >> wrote: >> >>> Understood. Although out-of-scope of this question and >>> I-hate-when-they-ask-me-for-my-projects: when is 2.x available? 
:) >>> >>> Also - we just started work on integration, based on 1.9 - will 2.0 be >>> API compatible? >>> >>> - Guus >>> >>> On 23 March 2016 at 16:28, Stian Thorgersen wrote: >>> >>>> Thanks for the awesome comment. >>>> >>>> We're actually planning to add a count to our console, so this will be >>>> added. Just wanted to point out that we're not adding more features to >>>> 1.9.x at this point so this won't be available until 2.x. >>>> On 23 Mar 2016 14:09, "Guus der Kinderen" >>>> wrote: >>>> >>>>> Thanks for your fast response! I created >>>>> https://issues.jboss.org/browse/KEYCLOAK-2704 to track the >>>>> getUsersCount() REST exposure. >>>>> >>>>> - Guus >>>>> >>>>> On 23 March 2016 at 14:52, Marek Posolda wrote: >>>>> >>>>>> On 23/03/16 10:30, Guus der Kinderen wrote: >>>>>> >>>>>> Hi there, >>>>>> >>>>>> Recently, I switched from WSO2 Identity Server to Keycloak, and all >>>>>> of a sudden, the sun is shining a bit brighter, birds are singing cheerful >>>>>> songs, and I'm pretty sure I just saw a unicorn pass by, leaving >>>>>> multi-colored droppings. Thanks! >>>>>> >>>>>> Nice summary, we should put to our homepage :-) >>>>>> >>>>>> >>>>>> That being said, I'm still pretty new, and could use some help. I'll >>>>>> probably have more questions like these pretty soon. Is there a instant >>>>>> messaging based channel (IRC, XMPP?) where you guys hang out? For the >>>>>> entry-level questions that I have, that might be more suitable. >>>>>> >>>>>> We have #keycloak on freenode, but using keycloak-user mailing list >>>>>> is better as not all members are on IRC and asynchronous channel is >>>>>> preferred. >>>>>> >>>>>> >>>>>> In any case: my first question: We're using keycloak to form the user >>>>>> base of our existing product. Integration is going well, but I'm running >>>>>> into a snag: the existing product has a paged user overview - much like the >>>>>> keycloak administrative interface. 
However, unlike the keycloak interface, >>>>>> I need to be able to calculate the exact amount of pages (keycloak resorts >>>>>> to having a 'next page' button only, I need to explicitly provide >>>>>> references to every page). >>>>>> >>>>>> To be able to integrate, I need to find a way to retrieve the total >>>>>> number of users for a particular realm. So far, I'm retrieving all users to >>>>>> be able to count them, which quite obviously defeats the purpose of having >>>>>> a paginated call in the first place. Is there a better way than >>>>>> keycloak.realm( "myRealm" ).users().search( null, null, null ).size() ? >>>>>> >>>>>> We have model method for getUsersCount(), but looks we don't have it >>>>>> exposed through admin REST endpoint. Feel free to create JIRA. >>>>>> >>>>>> Marek >>>>>> >>>>>> >>>>>> Kind regards, >>>>>> >>>>>> Guus >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>>> >>>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/91d13d34/attachment.html From sthorger at redhat.com Thu Mar 24 04:56:54 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 24 Mar 2016 08:56:54 +0000 Subject: [keycloak-user] keycloak configuration In-Reply-To: References: Message-ID: Firstly, that's not FreeIPA (community project) documentation, but Red Hat Identity Management documentation (product). The FreeIPA documentation is https://www.freeipa.org/page/Documentation. Secondly, just stating that our documentation is bad and pointing to some better documentation doesn't give us anything to go on. 
We would like to give a good experience and I would be very interested in knowing exactly what documentation you are lacking, hard to understand or whatever other issues you may have with the documentation. Help us to help you ;) Finally we know the documentation is not as good as it could be and are planning to improve it in the not too distant future. So input from users would be valuable. On 23 March 2016 at 11:32, Pavlos Kleanthous wrote: > Just compare the documentation from another redhat product FreeIPA > > > I have read this documentation and setup/configure IPA server very easy. > > Keycloak's current documentation looks like more as a developers manual to > me. > > > On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen > wrote: > >> Could you elaborate on what is missing from the documentation? That would >> be helpful. >> On 22 Mar 2016 12:05, "Pavlos Kleanthous" wrote: >> >>> Dear all, >>> >>> I dropped the project at the moment. The lack of documentation is too >>> time consuming. >>> >>> Hope that soon keycloak will have it. >>> >>> >>> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen >>> wrote: >>> >>>> What adapter? Are the server and client adapter both 1.9.1? We did >>>> recently deprecate some OIDC endpoints. I think ../login is gone and it >>>> should be ../auth. So if you are using an old adapter that may be the issue. >>>> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" >>>> wrote: >>>> >>>>> Yours. >>>>> >>>>> I configured the realm with the same settings on both versions 1.9.1 >>>>> and 1.8.1. >>>>> >>>>> >>>>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen < >>>>> sthorger at redhat.com> wrote: >>>>> >>>>>> Client ID has nothing to do with this issue as it would show a login >>>>>> error page not a not found. So must be either realm name or another part of >>>>>> URL is wrong. >>>>>> >>>>>> Are you using our adapters or another library atm? >>>>>> >>>>>> I'm answering on my phone on the plane so can't look into it more atm. 
>>>>>> On 17 Mar 2016 10:00, "Pavlos Kleanthous" >>>>>> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> In jenkins, I'm pasting the JSON configuration that it can found >>>>>>> inside "Installation" tab. >>>>>>> >>>>>>> Instead of using keycloak client plugins, can I use a generic oauth >>>>>>> plugin in my apps? How can I configure my keycloak for this? >>>>>>> i.e. Instead of using google's oauth URL use my own pointing to >>>>>>> keycloak. >>>>>>> >>>>>>> >>>>>>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj >>>>>> > wrote: >>>>>>> >>>>>>>> In your jenkins realm - under Clients do you have a client called >>>>>>>> 'ci'? That's the client_id used in your request. >>>>>>>> >>>>>>>> AFAIK nothing changed in this part of the code since 1.8.1. >>>>>>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" >>>>>>>> wrote: >>>>>>>> >>>>>>>>> yes I can. >>>>>>>>> >>>>>>>>> Please note that this is a problem of version 1.9.1. >>>>>>>>> I have tried now version 1.8.1 and it redirect me to keycloak. >>>>>>>>> >>>>>>>>> p.s. I'm using the official containers from docker hub. >>>>>>>>> >>>>>>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj < >>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>> >>>>>>>>>> Are you able to login into admin console at: >>>>>>>>>> http://192.168.99.100:32786/auth >>>>>>>>>> >>>>>>>>>> And you see the realm called 'jenkins' there? >>>>>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" < >>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hi guys adding to this. Please see the HTTP requests and >>>>>>>>>>> responses. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 1. Request URL: >>>>>>>>>>> >>>>>>>>>>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>>>>>>>>>> 2. Request Method: >>>>>>>>>>> GET >>>>>>>>>>> 3. Status Code: >>>>>>>>>>> 302 Found >>>>>>>>>>> 4. Remote Address: >>>>>>>>>>> 192.168.99.100:32769 >>>>>>>>>>> 1. Response Headersview source >>>>>>>>>>> 1. Content-Length: >>>>>>>>>>> 0 >>>>>>>>>>> 2. 
Location: >>>>>>>>>>> >>>>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>>>> 3. Server: >>>>>>>>>>> Jetty(winstone-2.9) >>>>>>>>>>> 4. X-Content-Type-Options: >>>>>>>>>>> nosniff >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 1. Request URL: >>>>>>>>>>> >>>>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>>>> 2. Request Method: >>>>>>>>>>> GET >>>>>>>>>>> 3. Status Code: >>>>>>>>>>> *404 Not Found* >>>>>>>>>>> 4. Remote Address: >>>>>>>>>>> 192.168.99.100:32786 >>>>>>>>>>> 1. Response Headersview source >>>>>>>>>>> 1. Connection: >>>>>>>>>>> keep-alive >>>>>>>>>>> 2. Content-Length: >>>>>>>>>>> 0 >>>>>>>>>>> 3. Date: >>>>>>>>>>> Wed, 16 Mar 2016 10:30:40 GMT >>>>>>>>>>> 4. Server: >>>>>>>>>>> WildFly/10 >>>>>>>>>>> 5. X-Powered-By: >>>>>>>>>>> Undertow/1 >>>>>>>>>>> 2. Request Headersview source >>>>>>>>>>> 1. Accept: >>>>>>>>>>> >>>>>>>>>>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>>>>>> 2. Accept-Encoding: >>>>>>>>>>> gzip, deflate, sdch >>>>>>>>>>> 3. Accept-Language: >>>>>>>>>>> en-US,en;q=0.8,el;q=0.6 >>>>>>>>>>> 4. Connection: >>>>>>>>>>> keep-alive >>>>>>>>>>> 5. 
Cookie: >>>>>>>>>>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>>>>>>>>>> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDenigQ9FnaP6DEyOvd8v2Yo; >>>>>>>>>>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >>>>>>>>>>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>>>>>>>>>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>>>>>>>>>> 6. DNT: >>>>>>>>>>> 1 >>>>>>>>>>> 7. Host: >>>>>>>>>>> 192.168.99.100:32786 >>>>>>>>>>> 8. Referer: >>>>>>>>>>> http://192.168.99.100:32769/ >>>>>>>>>>> 9. Save-Data: >>>>>>>>>>> on >>>>>>>>>>> 10. Upgrade-Insecure-Requests: >>>>>>>>>>> 1 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous < >>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Thanks for pointing this out. I think it does not matter as the >>>>>>>>>>>> same name can be found in "Installation" tab where >>>>>>>>>>>> I copied the configuration. >>>>>>>>>>>> >>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj < >>>>>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Looks like you mistyped your client id: 'jenknis'. 
>>>>>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" < >>>>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> I'm trying to configure keycloak for first time. My setup has >>>>>>>>>>>>>> 2 containers keycloak and jenkins. >>>>>>>>>>>>>> Following the example how to integrate those two, I created a >>>>>>>>>>>>>> realm and a client called "jenkins". >>>>>>>>>>>>>> >>>>>>>>>>>>>> It seams that the realm configuration it's not correct as I >>>>>>>>>>>>>> get the following debug error. >>>>>>>>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>>>> (default task-12) RESTEASY002010: Failed to execute: >>>>>>>>>>>>>> javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for >>>>>>>>>>>>>> full path: >>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>>>>>>>>>> " >>>>>>>>>>>>>> >>>>>>>>>>>>>> I noticed that " >>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>>>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" it >>>>>>>>>>>>>> works. 
>>>>>>>>>>>>>> >>>>>>>>>>>>>> if I access the URL: >>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci >>>>>>>>>>>>>> >>>>>>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>>>>>>>>>> >>>>>>>>>>>>>> Can you help how to find the problem ? >>>>>>>>>>>>>> >>>>>>>>>>>>>> p.s. is there any other way to find help on those matters? >>>>>>>>>>>>>> Tried IRC but nobody is replying there... >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thank you >>>>>>>>>>>>>> >>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>> >>> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/39feb093/attachment-0001.html From guus.der.kinderen at gmail.com Thu Mar 24 05:08:43 2016 From: guus.der.kinderen at gmail.com (Guus der Kinderen) Date: Thu, 24 Mar 2016 10:08:43 +0100 Subject: [keycloak-user] Total user count In-Reply-To: References: <56F29FA6.7020602@redhat.com> Message-ID: Appreciated! On 24 March 2016 at 09:49, Stian Thorgersen wrote: > We will try to get it in, no promises though. > > On 23 March 2016 at 15:38, Guus der Kinderen > wrote: > >> Meh, that's not very appealing. We're on somewhat of a deadline, and do >> expect huge numbers of users. Iterating over all of them, simply to get >> their count, isn't going to be a viable solution. I'd really like to avoid >> local caching. Can I somehow convince you to not see this as a new feature, >> but rather an improvement slash bugfix for a missing attribute exposure? :) >> >> On 23 March 2016 at 16:35, Stian Thorgersen wrote: >> >>> First 2.x release is probably July/August. >>> >>> Admin rest endpoints will be backwards compatible, but we are discussing >>> at some point to introduce a v2. In this case v1 would be kept for at least >>> a while. >>> >>> The Java admin client library will be completely rewritten at some point. >>> On 23 Mar 2016 15:30, "Guus der Kinderen" >>> wrote: >>> >>>> Understood. Although out-of-scope of this question and >>>> I-hate-when-they-ask-me-for-my-projects: when it 2.x available? :) >>>> >>>> Also - we just started work on integration, based on 1.9 - will 2.0 be >>>> API compatible? >>>> >>>> - Guus >>>> >>>> On 23 March 2016 at 16:28, Stian Thorgersen >>>> wrote: >>>> >>>>> Thanks for the awesome comment. >>>>> >>>>> We're actually planning to add a count to our console, so this will be >>>>> added. Just wanted to point out that we're not adding more features to >>>>> 1.9.x at this point so this won't be available until 2.x. 
>>>>> On 23 Mar 2016 14:09, "Guus der Kinderen" >>>>> wrote: >>>>> >>>>>> Thanks for your fast response! I created >>>>>> https://issues.jboss.org/browse/KEYCLOAK-2704 to track the >>>>>> getUsersCount() REST exposure. >>>>>> >>>>>> - Guus >>>>>> >>>>>> On 23 March 2016 at 14:52, Marek Posolda wrote: >>>>>> >>>>>>> On 23/03/16 10:30, Guus der Kinderen wrote: >>>>>>> >>>>>>> Hi there, >>>>>>> >>>>>>> Recently, I switched from WSO2 Identity Server to Keycloak, and all >>>>>>> of a sudden, the sun is shining a bit brighter, birds are singing cheerful >>>>>>> songs, and I'm pretty sure I just saw a unicorn pass by, leaving >>>>>>> multi-colored droppings. Thanks! >>>>>>> >>>>>>> Nice summary, we should put to our homepage :-) >>>>>>> >>>>>>> >>>>>>> That being said, I'm still pretty new, and could use some help. I'll >>>>>>> probably have more questions like these pretty soon. Is there a instant >>>>>>> messaging based channel (IRC, XMPP?) where you guys hang out? For the >>>>>>> entry-level questions that I have, that might be more suitable. >>>>>>> >>>>>>> We have #keycloak on freenode, but using keycloak-user mailing list >>>>>>> is better as not all members are on IRC and asynchronous channel is >>>>>>> preferred. >>>>>>> >>>>>>> >>>>>>> In any case: my first question: We're using keycloak to form the >>>>>>> user base of our existing product. Integration is going well, but I'm >>>>>>> running into a snag: the existing product has a paged user overview - much >>>>>>> like the keycloak administrative interface. However, unlike the keycloak >>>>>>> interface, I need to be able to calculate the exact amount of pages >>>>>>> (keycloak resorts to having a 'next page' button only, I need to explicitly >>>>>>> provide references to every page). >>>>>>> >>>>>>> To be able to integrate, I need to find a way to retrieve the total >>>>>>> number of users for a particular realm. 
So far, I'm retrieving all users to >>>>>>> be able to count them, which quite obviously defeats the purpose of having >>>>>>> a paginated call in the first place. Is there a better way than >>>>>>> keycloak.realm( "myRealm" ).users().search( null, null, null ).size() ? >>>>>>> >>>>>>> We have model method for getUsersCount(), but looks we don't have it >>>>>>> exposed through admin REST endpoint. Feel free to create JIRA. >>>>>>> >>>>>>> Marek >>>>>>> >>>>>>> >>>>>>> Kind regards, >>>>>>> >>>>>>> Guus >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/5a86e3cc/attachment.html From guus.der.kinderen at gmail.com Thu Mar 24 05:21:20 2016 From: guus.der.kinderen at gmail.com (Guus der Kinderen) Date: Thu, 24 Mar 2016 10:21:20 +0100 Subject: [keycloak-user] Class loading issue when refreshing token Message-ID: Hello cloakees. I'm having an interesting problem while using the admin-client from 1.9.1. Initially, things go well. I can extract data as expected. However, after a couple of minutes (I think when the admin-client-token needs refreshing), I'm suddenly getting errors: "java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader" I added a full stacktrace below. I find it odd that some functionality does work, but other does not. What's causing this? keycloak-admin-client-1.9.1.Final.jar is on the classpath, which is where that interface appears to live. 
Regards, Guus 2016.03.24 10:18:50 WARN [Jetty-QTP-AdminConsole-58]: org.eclipse.jetty.servlet.ServletHandler - /user-summary.jsp javax.ws.rs.ProcessingException: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) at com.sun.proxy.$Proxy26.search(Unknown Source) at org.jivesoftware.openfire.plugin.KeycloakUserProvider.getUserCount(KeycloakUserProvider.java:134) at org.jivesoftware.openfire.user.UserManager.getUserCount(UserManager.java:263) at org.jivesoftware.openfire.admin.user_002dsummary_jsp._jspService(user_002dsummary_jsp.java:107) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669) at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118) at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:76) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:53) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:80) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) at 
org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:162) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) at org.eclipse.jetty.server.Server.handle(Server.java:499) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:581) at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:557) at java.lang.reflect.WeakCache$Factory.get(WeakCache.java:230) 
at java.lang.reflect.WeakCache.get(WeakCache.java:127) at java.lang.reflect.Proxy.getProxyClass0(Proxy.java:419) at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:719) at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:70) at org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:122) at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:74) at org.keycloak.admin.client.token.TokenManager.refreshToken(TokenManager.java:100) at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:59) at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:52) at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:48) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413) ... 40 more -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/7040330e/attachment-0001.html From mstrukel at redhat.com Thu Mar 24 05:29:22 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Thu, 24 Mar 2016 10:29:22 +0100 Subject: [keycloak-user] Class loading issue when refreshing token In-Reply-To: References: Message-ID: The stacktrace hides whether this is ClassNotFoundException or NoClassDefFoundError, so it's possible that TokenService is actually visible, but not one of its dependencies. You'll definitely also need to add keycloak-core.jar to your classpath. On Thu, Mar 24, 2016 at 10:21 AM, Guus der Kinderen < guus.der.kinderen at gmail.com> wrote: > Hello cloakees. > > I'm having an interesting problem while using the admin-client from 1.9.1. > Initially, things go well. I can extract data as expected. 
> However, after a couple of minutes (I think when the admin-client-token
> needs refreshing), I'm suddenly getting errors:
> "java.lang.IllegalArgumentException: interface
> org.keycloak.admin.client.token.TokenService is not visible from class
> loader". I added a full stacktrace below.
>
> I find it odd that some functionality does work, but other does not.
> What's causing this? keycloak-admin-client-1.9.1.Final.jar is on the
> classpath, which is where that interface appears to live.
>
> Regards,
>
> Guus
>
> 2016.03.24 10:18:50 WARN [Jetty-QTP-AdminConsole-58]: org.eclipse.jetty.servlet.ServletHandler - /user-summary.jsp
> javax.ws.rs.ProcessingException: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader
>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
>     at com.sun.proxy.$Proxy26.search(Unknown Source)
>     at org.jivesoftware.openfire.plugin.KeycloakUserProvider.getUserCount(KeycloakUserProvider.java:134)
>     at org.jivesoftware.openfire.user.UserManager.getUserCount(UserManager.java:263)
>     at org.jivesoftware.openfire.admin.user_002dsummary_jsp._jspService(user_002dsummary_jsp.java:107)
>     at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
>     at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
>     at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>     at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:76)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>     at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:53)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>     at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:80)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>     at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:162)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>     at org.eclipse.jetty.server.Server.handle(Server.java:499)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>     at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader
>     at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:581)
>     at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:557)
>     at java.lang.reflect.WeakCache$Factory.get(WeakCache.java:230)
>     at java.lang.reflect.WeakCache.get(WeakCache.java:127)
>     at java.lang.reflect.Proxy.getProxyClass0(Proxy.java:419)
>     at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:719)
>     at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:70)
>     at org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:122)
>     at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:74)
>     at org.keycloak.admin.client.token.TokenManager.refreshToken(TokenManager.java:100)
>     at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:59)
>     at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:52)
>     at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:48)
>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413)
>     ... 40 more
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/c4998063/attachment.html

From Markus.Lauer at co-met.info Thu Mar 24 05:55:17 2016
From: Markus.Lauer at co-met.info (Lauer Markus)
Date: Thu, 24 Mar 2016 09:55:17 +0000
Subject: [keycloak-user] Arquillian / Remote Container / EJB Security
In-Reply-To: <1458743308.4526.56.camel@co-met.info>
References: <1458734452.4526.43.camel@co-met.info>
	<56F2A1AD.90300@redhat.com>
	<1458742499.4526.53.camel@co-met.info>
	<1458743308.4526.56.camel@co-met.info>
Message-ID: <1458813303.4526.67.camel@co-met.info>

> > I'm looking for s/th like this:
> > https://developer.jboss.org/wiki/TestingSecuredEJBsOnWildFly81xWithArquillian
> >
> > This could possibly be combined with:
> > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jaas-adapter
> >
> > org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
> >
> > But I can not change the "keycloak" security-domain for testing...
>

Ok. Approaching a solution...

I adopted the JBossLoginContextFactory from the link above:
https://gist.github.com/anonymous/892d957dfdf289158ccc

    import java.security.Principal;
    import java.util.Set;
    import javax.security.auth.login.LoginContext;

    // Log in through the JAAS configuration built by JBossLoginContextFactory
    LoginContext loginContext = JBossLoginContextFactory.createLoginContext("markus.lauer at co-met.info", "********");
    loginContext.login();
    log.info("principals: " + loginContext.getSubject().getPrincipals());
    // List every Principal the login modules attached to the Subject, with its type
    Set<Principal> principals = loginContext.getSubject().getPrincipals();
    for (Principal p : principals) {
        log.info("name: " + p.getName() + ", type: " + p.getClass());
    }

Output:

    principals: [40fe2bc5-fc55-496a-b438-0783c7473b90, view-master-data, user, manage-master-data, markus.lauer at co-met.info]
    name: 40fe2bc5-fc55-496a-b438-0783c7473b90, type: class org.keycloak.KeycloakPrincipal
    name: view-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
    name: user, type: class org.keycloak.adapters.jaas.RolePrincipal
    name: manage-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
    name: markus.lauer at co-met.info, type: class org.jboss.security.SimplePrincipal

Login works!

But unfortunately I still can not access the secured EJB:

    import java.security.PrivilegedAction;
    import javax.security.auth.Subject;

    // Invoke the EJB with the authenticated Subject as the caller identity
    Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            log.info("count: " + securedEJB.count());
            return null;
        }
    });

This throws an exception:

    javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User

Here is a snippet of SecuredEJB:

    import javax.annotation.security.DeclareRoles;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.Stateless;
    import org.jboss.ejb3.annotation.SecurityDomain;

    @Stateless
    @SecurityDomain("keycloak")   // WildFly security domain that authorizes calls to this bean
    @DeclareRoles({ "view-master-data", "manage-master-data" })
    public class SecuredEJB {
        @RolesAllowed({"view-master-data"})
        public int count() {
            ....
        }
    }

Any ideas how to deal with the "Invalid User"? Perhaps the keycloak UUID vs. username?

Regards,
Markus.

________________________________
To read the legal notices for this e-mail, please copy the URL shown here into your browser or follow the link.
http://disclaimer.tec-saar.de/co-met.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4628 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/681872a5/attachment-0001.bin

From thomas.darimont at googlemail.com Thu Mar 24 06:48:50 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 24 Mar 2016 11:48:50 +0100
Subject: [keycloak-user] Guidelines for protecting Keycloak Endpoints
Message-ID:

Hello group,

I'm about to configure our Web Application Firewall for Keycloak where I want to implement the following scenario:

CLIENT_ENDPOINTS: All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as well as the account and login/totp/registration/forgot password pages should be accessible from the public internet.

ADMIN_ENDPOINTS: Admin endpoints like the Admin Console, Admin REST API etc. should only be accessible from the internal network.

Are there any guidelines for which URL pattern applies to which category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?

To me, it seems that:

- "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
- "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.

Have I missed anything else?

Btw. it turns out that some endpoints (unnecessarily) expose internal links like "admin-api" if you go to http://localhost:8080/auth/realms/my-realm/

    {
      realm: "my-realm",
      public_key: "...",
      token-service: "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
      account-service: "http://localhost:8080/auth/realms/my-realm/account",
      admin-api: "http://localhost:8080/auth/admin",
      tokens-not-before: 0
    }

Can this be disabled?

Cheers,
Thomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/de0b5f29/attachment.html

From thomas.darimont at googlemail.com Thu Mar 24 06:51:21 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 24 Mar 2016 11:51:21 +0100
Subject: [keycloak-user] Keycloak Admin Console scoped to just one Realm
Message-ID:

Hello group,

We found out that one can get an admin console scoped to just one particular realm if one changes the URL path slightly:

In this case we have a realm called "bubu" and a user with the "realm-admin" role.
The link: http://localhost:8082/auth/admin/bubu/console/#/realms
will show an admin console scoped to just that one realm without any option for selecting other realms.

Is this supported / expected behaviour or not? I couldn't find this mentioned in the docs.

Cheers,
Thomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/b4bd4abd/attachment.html

From Gary.Smith at cit.ie Thu Mar 24 07:20:05 2016
From: Gary.Smith at cit.ie (Gary Smith)
Date: Thu, 24 Mar 2016 11:20:05 +0000
Subject: [keycloak-user] Nginx SSL endpoint login form action url uses wrong http scheme
Message-ID:

Hi,

I currently have standalone Keycloak running behind an SSL enabled Nginx proxy, self-signed certs for the moment.
Keycloak client is running on http://localhost:8080, ssl required = none, Nginx set up to redirect any request to /auth to this instance of Keycloak. This is a web app using the Keycloak Javascript Adapter set to public.

Issue is the Keycloak login form action: its url is using the http scheme rather than https, so as a result login fails. If I do a live edit in the browser of the form's url and change the scheme to https everything is fine and all the other urls (such as account information) work correctly in the app.

Wondering if I am doing something wrong here or if it is a known issue,

Cheers,
Gary.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/4a2fad56/attachment.html

From juraci at kroehling.de Thu Mar 24 08:48:57 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Thu, 24 Mar 2016 13:48:57 +0100
Subject: [keycloak-user] Nginx SSL endpoint login form action url uses wrong http scheme
In-Reply-To:
References:
Message-ID: <56F3E239.7040007@kroehling.de>

On 24.03.2016 12:20, Gary Smith wrote:
> Issue is the Keycloak login form action, its url is using the http
> scheme rather than https so as a result login fails.

Is the login page being served under HTTPS? If so, then you might be missing some nginx "proxy_set_header" directives in the configuration file. Here's what I have on my nginx:

    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

Besides that, you'll need to add "proxy-address-forwarding" and "redirect-socket" to the HTTP listener, as well as add a socket-binding for the proxy port 443. It's described here, under "3.2.7.2.1. Configure WildFly":
http://keycloak.github.io/docs/userguide/keycloak-server/html_single/index.html#d4e348

If your login page is under HTTP, instead of HTTPS, then you might need to adjust the server-url on the keycloak.json.

- Juca.

From bburke at redhat.com Thu Mar 24 09:25:19 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 24 Mar 2016 09:25:19 -0400
Subject: [keycloak-user] keycloak configuration
In-Reply-To:
References:
Message-ID: <56F3EABF.7040809@redhat.com>

Documentation hasn't received any love for more than a year. Screencasts are even more out of date. The good news is that the Red Hat documentation team and I are scheduled to focus on docs and screencasts in the month of April. Up until a few months ago, we were just an open source community. Now that the Red Hat machine is getting behind us, areas like documentation should start to be improved.

BTW, if you want help, we need more than just "it doesn't work, your documentation sucks". Walking us through the problem helps us improve error messages, general usability, and documentation. Threatening us doesn't really help as you are just as likely to get ignored.

On 3/24/2016 4:56 AM, Stian Thorgersen wrote:
> Firstly, that's not FreeIPA (community project) documentation, but Red
> Hat Identity Management documentation (product). The FreeIPA
> documentation is https://www.freeipa.org/page/Documentation.
>
> Secondly, just stating that our documentation is bad and pointing to
> some better documentation doesn't give us anything to go on. We would
> like to give a good experience and I would be very interested in
> knowing exactly what documentation you are lacking, hard to understand
> or whatever other issues you may have with the documentation. Help us
> to help you ;)
>
> Finally we know the documentation is not as good as it could be and
> are planning to improve it in the not too distant future. So input from
> users would be valuable.
>
> On 23 March 2016 at 11:32, Pavlos Kleanthous wrote:
>
>> Just compare the documentation from another redhat product FreeIPA
>>
>> I have read this documentation and set up/configured the IPA server very easily.
>>
>> Keycloak's current documentation looks more like a developer's manual to me.
>>
>> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen wrote:
>>
>>> Could you elaborate on what is missing from the documentation? That would be helpful.
>>>
>>> On 22 Mar 2016 12:05, "Pavlos Kleanthous" wrote:
>>>
>>>> Dear all,
>>>>
>>>> I dropped the project at the moment. The lack of documentation is too time consuming.
>>>>
>>>> Hope that soon keycloak will have it.
>>>>
>>>> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen wrote:
>>>>
>>>>> What adapter? Is the server and client adapter both 1.9.1? We did recently deprecate some OIDC endpoints. I think ../login is gone and it should be ../auth. So if you are using an old adapter that may be the issue.
>>>>>
>>>>> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" wrote:
>>>>>
>>>>>> Yours.
>>>>>>
>>>>>> I configured the realm with the same settings on both versions 1.9.1 and 1.8.1.
>>>>>>
>>>>>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen wrote:
>>>>>>
>>>>>>> Client ID has nothing to do with this issue as it would show a login error page, not a not found. So it must be either the realm name or another part of the URL that is wrong.
>>>>>>>
>>>>>>> Are you using our adapters or another library atm?
>>>>>>>
>>>>>>> I'm answering on my phone on the plane so can't look into it more atm.
>>>>>>>
>>>>>>> On 17 Mar 2016 10:00, "Pavlos Kleanthous" wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> In jenkins, I'm pasting the JSON configuration that can be found inside the "Installation" tab.
>>>>>>>>
>>>>>>>> Instead of using keycloak client plugins, can I use a generic oauth plugin in my apps? How can I configure my keycloak for this?
>>>>>>>> i.e. Instead of using google's oauth URL use my own pointing to keycloak.
>>>>>>>>
>>>>>>>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj wrote:
>>>>>>>>
>>>>>>>>> In your jenkins realm - under Clients do you have a client called 'ci'? That's the client_id used in your request.
>>>>>>>>>
>>>>>>>>> AFAIK nothing changed in this part of the code since 1.8.1.
>>>>>>>>>
>>>>>>>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" wrote:
>>>>>>>>>
>>>>>>>>>> yes I can.
>>>>>>>>>>
>>>>>>>>>> Please note that this is a problem of version 1.9.1.
>>>>>>>>>> I have tried now version 1.8.1 and it redirects me to keycloak.
>>>>>>>>>>
>>>>>>>>>> p.s. I'm using the official containers from docker hub.
>>>>>>>>>>
>>>>>>>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj wrote:
>>>>>>>>>>
>>>>>>>>>>> Are you able to login into admin console at:
>>>>>>>>>>> http://192.168.99.100:32786/auth
>>>>>>>>>>>
>>>>>>>>>>> And you see the realm called 'jenkins' there?
>>>>>>>>>>>
>>>>>>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi guys adding to this. Please see the HTTP requests and responses.
>>>>>>>>>>>>
>>>>>>>>>>>> Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
>>>>>>>>>>>> Request Method: GET
>>>>>>>>>>>> Status Code: 302 Found
>>>>>>>>>>>> Remote Address: 192.168.99.100:32769
>>>>>>>>>>>>
>>>>>>>>>>>> Response Headers:
>>>>>>>>>>>>   Content-Length: 0
>>>>>>>>>>>>   Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>>>>>>>>>>>   Server: Jetty(winstone-2.9)
>>>>>>>>>>>>   X-Content-Type-Options: nosniff
>>>>>>>>>>>>
>>>>>>>>>>>> Request URL: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>>>>>>>>>>> Request Method: GET
>>>>>>>>>>>> Status Code: 404 Not Found
>>>>>>>>>>>> Remote Address: 192.168.99.100:32786
>>>>>>>>>>>>
>>>>>>>>>>>> Response Headers:
>>>>>>>>>>>>   Connection: keep-alive
>>>>>>>>>>>>   Content-Length: 0
>>>>>>>>>>>>   Date: Wed, 16 Mar 2016 10:30:40 GMT
>>>>>>>>>>>>   Server: WildFly/10
>>>>>>>>>>>>   X-Powered-By: Undertow/1
>>>>>>>>>>>>
>>>>>>>>>>>> Request Headers:
>>>>>>>>>>>>   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>>>>>>>>>>>   Accept-Encoding: gzip, deflate, sdch
>>>>>>>>>>>>   Accept-Language: en-US,en;q=0.8,el;q=0.6
>>>>>>>>>>>>   Connection: keep-alive
>>>>>>>>>>>>   Cookie: KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic;
>>>>>>>>>>>>     KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDenigQ9FnaP6DEyOvd8v2Yo;
>>>>>>>>>>>>     KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg;
>>>>>>>>>>>>     KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae;
>>>>>>>>>>>>     JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4;
>>>>>>>>>>>>     screenResolution=1920x1080
>>>>>>>>>>>>   DNT: 1
>>>>>>>>>>>>   Host: 192.168.99.100:32786
>>>>>>>>>>>>   Referer: http://192.168.99.100:32769/
>>>>>>>>>>>>   Save-Data: on
>>>>>>>>>>>>   Upgrade-Insecure-Requests: 1
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for pointing this out. I think it does not matter as the same name can be found in the "Installation" tab where I copied the configuration.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Looks like you mistyped your client id: 'jenknis'.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm trying to configure keycloak for the first time. My setup has 2 containers, keycloak and jenkins.
>>>>>>>>>>>>>>> Following the example of how to integrate those two, I created a realm and a client called "jenkins".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It seems that the realm configuration is not correct as I get the following debug error.
>>>>>>>>>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I noticed that "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" does not work generally. The URL ending with "/auth/realms/ci/account" works.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If I access the URL: http://192.168.99.100:32786/auth/realms/ci
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Can you help me find the problem?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> p.s. is there any other way to find help on those matters? Tried IRC but nobody is replying there...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/8671c72a/attachment-0001.html

From bburke at redhat.com Thu Mar 24 09:26:41 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 24 Mar 2016 09:26:41 -0400
Subject: [keycloak-user] Keycloak Admin Console scoped to just one Realm
In-Reply-To:
References:
Message-ID: <56F3EB11.9030700@redhat.com>

http://keycloak.github.io/docs/userguide/keycloak-server/html/per-realm-admin-permissions.html

On 3/24/2016 6:51 AM, Thomas Darimont wrote:
> Hello group,
>
> We found out that one can get an admin console scoped to just one
> particular realm if one changes the URL path slightly:
>
> In this case we have a realm called "bubu" and a user with the
> "realm-admin" role.
> The link: http://localhost:8082/auth/admin/bubu/console/#/realms
> will show an admin console scoped to just that one realm without any
> option for selecting other realms.
>
> Is this supported / expected behaviour or not? I couldn't find this
> mentioned in the docs.
>
> Cheers,
> Thomas
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/6e4c857d/attachment.html

From guus.der.kinderen at gmail.com Thu Mar 24 09:54:06 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Thu, 24 Mar 2016 14:54:06 +0100
Subject: [keycloak-user] keycloak configuration
In-Reply-To: <56F3EABF.7040809@redhat.com>
References: <56F3EABF.7040809@redhat.com>
Message-ID:

I signed up to the mailinglist at a time that this thread was already underway. I didn't read back to find out what the original question was, and given the tone of the responses I am not going to either, but, as for the call for specific improvements, I've got two:

- It would be helpful if the section on JAAS integration would contain a very short example of a configuration file, and a java snippet that shows how to instantiate a LoginContext based on that. I was unfamiliar with JAAS and was struggling to put one and one together. I think the above could be done in ten lines or so, so it's relatively small, but would be a good illustrative example for the likes of me.

- The REST endpoint documentation lacks structure (grouping), which makes it hard to navigate. Improving on that would be as simple as grouping each piece of documentation by its resource path.

$0.02

- Guus

On 24 March 2016 at 14:25, Bill Burke wrote:

> documentation hasn't received any love for more than a year. Screencasts
> are even more out of date. The good news is that myself and the red hat
> documentation team is scheduled to focus on docs and screencasts the month
> of April. Up until a few months ago, we were just an open source
> community.
Now that the Red Hat machine is getting behind us, areas like > documentation should start to be improved. > > BTW, If you want help, we need more than just "it doesn't work, your > documentation sucks". Walking us through the problem helps us improve > error messages, general usability, and documentation. Threatening us > doesn't really help as you are just as likely to get ignored. > > On 3/24/2016 4:56 AM, Stian Thorgersen wrote: > > Firstly, that's not FreeIPA (community project) documentation, but Red Hat > Identity Management documentation (product). The FreeIPA documentation is > > https://www.freeipa.org/page/Documentation. > > Secondly, just stating that our documentation is bad and pointing to some > better documentation doesn't give us anything to go on. We would like to > give a good experience and I would be very interested in knowing exactly > what documentation you are lacking, hard to understand or whatever other > issues you may have with the documentation. Help us to help you ;) > > Finally we know the documentation is not as good as it could be and are > planning to improve it in the not to distant future. So input from users > would be valuable. > > On 23 March 2016 at 11:32, Pavlos Kleanthous wrote: > >> Just compare the documentation from another redhat product FreeIPA >> >> >> I have read this documentation and setup/configure IPA server very easy. >> >> Keycloak's current documentation looks like more as a developers manual >> to me. >> >> >> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen < >> sthorger at redhat.com> wrote: >> >>> Could you elaborate on what is missing from the documentation? That >>> would be helpful. >>> On 22 Mar 2016 12:05, "Pavlos Kleanthous" < >>> parsectix at gmail.com> wrote: >>> >>>> Dear all, >>>> >>>> I dropped the project at the moment. The lack of documentation is too >>>> time consuming. >>>> >>>> Hope that soon keycloak will have it. 
>>>> >>>> >>>> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen < >>>> sthorger at redhat.com> wrote: >>>> >>>>> What adapter? Is the server and client adapter both 1.9.1? We did >>>>> recently deprecate some OIDC endpoints. I think ../login is gone and it >>>>> should be ../auth. So if you are using an old adapter that may be the issue. >>>>> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" < >>>>> parsectix at gmail.com> wrote: >>>>> >>>>>> Yours. >>>>>> >>>>>> I configured the realm with the same settings on both versions 1.9.1 >>>>>> and 1.8.1. >>>>>> >>>>>> >>>>>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen < >>>>>> sthorger at redhat.com> wrote: >>>>>> >>>>>>> Client ID has nothing to do with this issue as it would show an >>>>>>> login error page not a not found. So must be either realm name or another >>>>>>> part of URL is wrong. >>>>>>> >>>>>>> Are you using our adapters or another library atm? >>>>>>> >>>>>>> I'm answering on my phone on the plane so can't look into it more >>>>>>> atm. >>>>>>> On 17 Mar 2016 10:00, "Pavlos Kleanthous" < >>>>>>> parsectix at gmail.com> wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> In jenkins, I'm pasting the JSON configuration that it can found >>>>>>>> inside "Installation" tab. >>>>>>>> >>>>>>>> Instead of using keycloak client plugins, can I use a generic oauth >>>>>>>> plugin in my apps? How can I configure my keycloak for this? >>>>>>>> i.e. Instead of using google's oauth URL use my own pointing to >>>>>>>> keycloak. >>>>>>>> >>>>>>>> >>>>>>>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj < >>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>> >>>>>>>>> In your jenkins realm - under Clients do you have a client called >>>>>>>>> 'ci'? That's the client_id used in your request. >>>>>>>>> >>>>>>>>> AFAIK nothing changed in this part of the code since 1.8.1. >>>>>>>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" < >>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>> >>>>>>>>>> yes I can. 
>>>>>>>>>> >>>>>>>>>> Please note that this is a problem of version 1.9.1. >>>>>>>>>> I have tried now version 1.8.1 and it redirect me to keycloak. >>>>>>>>>> >>>>>>>>>> p.s. I'm using the official containers from docker hub. >>>>>>>>>> >>>>>>>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj < >>>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>>> >>>>>>>>>>> Are you able to login into admin console at: >>>>>>>>>>> >>>>>>>>>>> http://192.168.99.100:32786/auth >>>>>>>>>>> >>>>>>>>>>> And you see the realm called 'jenkins' there? >>>>>>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" < >>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi guys adding to this. Please see the HTTP requests and >>>>>>>>>>>> responses. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 1. Request URL: >>>>>>>>>>>> >>>>>>>>>>>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>>>>>>>>>>> 2. Request Method: >>>>>>>>>>>> GET >>>>>>>>>>>> 3. Status Code: >>>>>>>>>>>> 302 Found >>>>>>>>>>>> 4. Remote Address: >>>>>>>>>>>> 192.168.99.100:32769 >>>>>>>>>>>> 1. Response Headersview source >>>>>>>>>>>> 1. Content-Length: >>>>>>>>>>>> 0 >>>>>>>>>>>> 2. Location: >>>>>>>>>>>> >>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>>>>> 3. Server: >>>>>>>>>>>> Jetty(winstone-2.9) >>>>>>>>>>>> 4. X-Content-Type-Options: >>>>>>>>>>>> nosniff >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 1. Request URL: >>>>>>>>>>>> >>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>>>>> 2. Request Method: >>>>>>>>>>>> GET >>>>>>>>>>>> 3. Status Code: >>>>>>>>>>>> *404 Not Found* >>>>>>>>>>>> 4. 
>>>>>>>>>>>> Remote Address: 192.168.99.100:32786
>>>>>>>>>>>> Response Headers:
>>>>>>>>>>>>   Connection: keep-alive
>>>>>>>>>>>>   Content-Length: 0
>>>>>>>>>>>>   Date: Wed, 16 Mar 2016 10:30:40 GMT
>>>>>>>>>>>>   Server: WildFly/10
>>>>>>>>>>>>   X-Powered-By: Undertow/1
>>>>>>>>>>>> Request Headers:
>>>>>>>>>>>>   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>>>>>>>>>>>   Accept-Encoding: gzip, deflate, sdch
>>>>>>>>>>>>   Accept-Language: en-US,en;q=0.8,el;q=0.6
>>>>>>>>>>>>   Connection: keep-alive
>>>>>>>>>>>>   Cookie: KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic;
>>>>>>>>>>>>     KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDeni!
>>>>>>>>>>>>     gQ9FnaP6 DEyOvd8v2Yo;
>>>>>>>>>>>>     KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg;
>>>>>>>>>>>>     KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae;
>>>>>>>>>>>>     JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080
>>>>>>>>>>>>   DNT: 1
>>>>>>>>>>>>   Host: 192.168.99.100:32786
>>>>>>>>>>>>   Referer: http://192.168.99.100:32769/
>>>>>>>>>>>>   Save-Data: on
>>>>>>>>>>>>   Upgrade-Insecure-Requests: 1
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous <parsectix at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for pointing this out. I think it does not matter as
>>>>>>>>>>>>> the same name can be found in the "Installation" tab where
>>>>>>>>>>>>> I copied the configuration.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj <mstrukel at redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Looks like you mistyped your client id: 'jenknis'.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm trying to configure keycloak for the first time. My setup
>>>>>>>>>>>>>>> has 2 containers, keycloak and jenkins.
>>>>>>>>>>>>>>> Following the example of how to integrate those two, I created
>>>>>>>>>>>>>>> a realm and a client called "jenkins".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It seems that the realm configuration is not correct as I
>>>>>>>>>>>>>>> get the following debug error.
>>>>>>>>>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I noticed that "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect"
>>>>>>>>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" works.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If I access the URL:
>>>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Can you help how to find the problem?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> p.s. is there any other way to find help on those matters?
>>>>>>>>>>>>>>> Tried IRC but nobody is replying there...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/dac53f71/attachment-0001.html

From guus.der.kinderen at gmail.com Thu Mar 24 09:58:06 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Thu, 24 Mar 2016 14:58:06 +0100
Subject: [keycloak-user] keycloak configuration
In-Reply-To:
References: <56F3EABF.7040809@redhat.com>
Message-ID:

Instant follow-up: the Keycloak JAAS documentation refers to Login Module "configuration properties" while in JAAS terminology, those are named "options". It'd be good to use the same terms.

$0.01 (barely)

On 24 March 2016 at 14:54, Guus der Kinderen wrote:
> I signed up to the mailing list at a time that this thread was already
> underway.
> I didn't read back to find out what the original question was,
> and given the tone of the responses I am not going to either, but, as
> for the call for specific improvements: I've got two:
>
> - It would be helpful if the section on JAAS integration would contain
> a very short example of a configuration file, and a java snippet that shows
> how to instantiate a LoginContext based on that. I was unfamiliar with JAAS
> and was struggling to put one and one together. I think the above could be
> done in ten lines or so, so it's relatively small, but would be a good
> illustrative example for the likes of me.
> - The REST endpoint documentation lacks structure (grouping), which
> makes it hard to navigate. Improving on that would be as simple as grouping
> each piece of documentation by its resource path.
>
> $0.02
>
> - Guus
>
> On 24 March 2016 at 14:25, Bill Burke wrote:
>
>> documentation hasn't received any love for more than a year. Screencasts
>> are even more out of date. The good news is that myself and the Red Hat
>> documentation team are scheduled to focus on docs and screencasts the month
>> of April. Up until a few months ago, we were just an open source
>> community. Now that the Red Hat machine is getting behind us, areas like
>> documentation should start to be improved.
>>
>> BTW, if you want help, we need more than just "it doesn't work, your
>> documentation sucks". Walking us through the problem helps us improve
>> error messages, general usability, and documentation. Threatening us
>> doesn't really help as you are just as likely to get ignored.
>>
>> On 3/24/2016 4:56 AM, Stian Thorgersen wrote:
>>
>> Firstly, that's not FreeIPA (community project) documentation, but Red
>> Hat Identity Management documentation (product). The FreeIPA documentation
>> is https://www.freeipa.org/page/Documentation.
>>
>> Secondly, just stating that our documentation is bad and pointing to some
>> better documentation doesn't give us anything to go on. We would like to
>> give a good experience and I would be very interested in knowing exactly
>> what documentation you are lacking, hard to understand or whatever other
>> issues you may have with the documentation. Help us to help you ;)
>>
>> Finally we know the documentation is not as good as it could be and are
>> planning to improve it in the not too distant future. So input from users
>> would be valuable.
>>
>> On 23 March 2016 at 11:32, Pavlos Kleanthous wrote:
>>
>>> Just compare the documentation from another Red Hat product, FreeIPA.
>>>
>>> I have read this documentation and set up/configured the IPA server very easily.
>>>
>>> Keycloak's current documentation looks more like a developer's manual
>>> to me.
>>>
>>> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>
>>>> Could you elaborate on what is missing from the documentation? That
>>>> would be helpful.
>>>>
>>>> On 22 Mar 2016 12:05, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>
>>>>> Dear all,
>>>>>
>>>>> I dropped the project at the moment. The lack of documentation is too
>>>>> time consuming.
>>>>>
>>>>> Hope that soon keycloak will have it.
>>>>>
>>>>> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>
>>>>>> What adapter? Are the server and client adapter both 1.9.1? We did
>>>>>> recently deprecate some OIDC endpoints. I think ../login is gone and it
>>>>>> should be ../auth. So if you are using an old adapter that may be the issue.
>>>>>>
>>>>>> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>
>>>>>>> Yours.
>>>>>>>
>>>>>>> I configured the realm with the same settings on both versions
>>>>>>> 1.9.1 and 1.8.1.
>>>>>>>
>>>>>>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>
>>>>>>>> Client ID has nothing to do with this issue as it would show a
>>>>>>>> login error page, not a not found. So it must be either the realm name or
>>>>>>>> another part of the URL that is wrong.
>>>>>>>>
>>>>>>>> Are you using our adapters or another library atm?
>>>>>>>>
>>>>>>>> I'm answering on my phone on the plane so can't look into it more
>>>>>>>> atm.
>>>>>>>>
>>>>>>>> On 17 Mar 2016 10:00, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> In jenkins, I'm pasting the JSON configuration that can be found
>>>>>>>>> inside the "Installation" tab.
>>>>>>>>>
>>>>>>>>> Instead of using keycloak client plugins, can I use a generic
>>>>>>>>> oauth plugin in my apps? How can I configure my keycloak for this?
>>>>>>>>> i.e. Instead of using google's oauth URL use my own pointing to
>>>>>>>>> keycloak.
>>>>>>>>>
>>>>>>>>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj <mstrukel at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> In your jenkins realm - under Clients do you have a client called
>>>>>>>>>> 'ci'? That's the client_id used in your request.
>>>>>>>>>>
>>>>>>>>>> AFAIK nothing changed in this part of the code since 1.8.1.
>>>>>>>>>>
>>>>>>>>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> yes I can.
>>>>>>>>>>>
>>>>>>>>>>> Please note that this is a problem of version 1.9.1.
>>>>>>>>>>> I have tried now version 1.8.1 and it redirects me to keycloak.
>>>>>>>>>>>
>>>>>>>>>>> p.s. I'm using the official containers from docker hub.
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj <mstrukel at redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Are you able to log in to the admin console at:
>>>>>>>>>>>> http://192.168.99.100:32786/auth
>>>>>>>>>>>>
>>>>>>>>>>>> And you see the realm called 'jenkins' there?
>>>>>>>>>>>>
>>>>>>>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi guys, adding to this. Please see the HTTP requests and
>>>>>>>>>>>>> responses.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
>>>>>>>>>>>>> Request Method: GET
>>>>>>>>>>>>> Status Code: 302 Found
>>>>>>>>>>>>> Remote Address: 192.168.99.100:32769
>>>>>>>>>>>>> Response Headers:
>>>>>>>>>>>>>   Content-Length: 0
>>>>>>>>>>>>>   Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>>>>>>>>>>>>   Server: Jetty(winstone-2.9)
>>>>>>>>>>>>>   X-Content-Type-Options: nosniff
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request URL: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>>>>>>>>>>>> Request Method: GET
>>>>>>>>>>>>> Status Code: *404 Not Found*
>>>>>>>>>>>>> Remote Address: 192.168.99.100:32786
>>>>>>>>>>>>> Response Headers:
>>>>>>>>>>>>>   Connection: keep-alive
>>>>>>>>>>>>>   Content-Length: 0
>>>>>>>>>>>>>   Date: Wed, 16 Mar 2016 10:30:40 GMT
>>>>>>>>>>>>>   Server: WildFly/10
>>>>>>>>>>>>>   X-Powered-By: Undertow/1
>>>>>>>>>>>>> Request Headers:
>>>>>>>>>>>>>   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>>>>>>>>>>>>   Accept-Encoding: gzip, deflate, sdch
>>>>>>>>>>>>>   Accept-Language: en-US,en;q=0.8,el;q=0.6
>>>>>>>>>>>>>   Connection: keep-alive
>>>>>>>>>>>>>   Cookie: KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic;
>>>>>>>>>>>>>     KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDeni!
>>>>>>>>>>>>>     gQ9FnaP6 DEyOvd8v2Yo;
>>>>>>>>>>>>>     KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg;
>>>>>>>>>>>>>     KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae;
>>>>>>>>>>>>>     JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080
>>>>>>>>>>>>>   DNT: 1
>>>>>>>>>>>>>   Host: 192.168.99.100:32786
>>>>>>>>>>>>>   Referer: http://192.168.99.100:32769/
>>>>>>>>>>>>>   Save-Data: on
>>>>>>>>>>>>>   Upgrade-Insecure-Requests: 1
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous <parsectix at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for pointing this out. I think it does not matter as
>>>>>>>>>>>>>> the same name can be found in the "Installation" tab where
>>>>>>>>>>>>>> I copied the configuration.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj <mstrukel at redhat.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Looks like you mistyped your client id: 'jenknis'.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm trying to configure keycloak for the first time. My setup
>>>>>>>>>>>>>>>> has 2 containers, keycloak and jenkins.
>>>>>>>>>>>>>>>> Following the example of how to integrate those two, I created
>>>>>>>>>>>>>>>> a realm and a client called "jenkins".
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> It seems that the realm configuration is not correct as I
>>>>>>>>>>>>>>>> get the following debug error.
>>>>>>>>>>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I noticed that "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect"
>>>>>>>>>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" works.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If I access the URL:
>>>>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Can you help how to find the problem?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> p.s. is there any other way to find help on those matters?
>>>>>>>>>>>>>>>> Tried IRC but nobody is replying there...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thank you
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/fea7d6d7/attachment-0001.html

From thomas.darimont at googlemail.com Thu Mar 24 10:01:26 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 24 Mar 2016 15:01:26 +0100
Subject: [keycloak-user] Keycloak Admin Console scoped to just one Realm
In-Reply-To: <56F3EB11.9030700@redhat.com>
References: <56F3EB11.9030700@redhat.com>
Message-ID:

Oops, thanks :)

Cheers,
Thomas

2016-03-24 14:26 GMT+01:00 Bill Burke:
>
> http://keycloak.github.io/docs/userguide/keycloak-server/html/per-realm-admin-permissions.html
>
> On 3/24/2016 6:51 AM, Thomas Darimont wrote:
>
> Hello group,
>
> We found out that one can get an admin console scoped to just one
> particular realm if one changes the URL path slightly:
>
> In this case we have a realm called "bubu" and a user with the
> "realm-admin" role.
> The link: http://localhost:8082/auth/admin/bubu/console/#/realms
> will show an admin console scoped to just that one realm without any option
> for selecting other realms.
>
> Is this supported / expected behaviour or not? I couldn't find this
> mentioned in the docs.
>
> Cheers,
> Thomas
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/a34b4f2b/attachment.html

From jaxley at expedia.com Thu Mar 24 10:31:37 2016
From: jaxley at expedia.com (Jason Axley)
Date: Thu, 24 Mar 2016 14:31:37 +0000
Subject: [keycloak-user] keycloak configuration
In-Reply-To:
References: <56F3EABF.7040809@redhat.com>
Message-ID: <09354F97-5587-485A-B33E-6999CA9B8555@expedia.com>

+1 on the API documentation. I'd prefer a Swagger interface with collapsible sections and the ability to execute the API in the browser for testing. Additionally, you can now integrate with Postman by importing everything as a Postman collection via a Run in Postman button - would also be very useful. You can just import the Swagger or RAML file to create the Postman collection.

-Jason

From: on behalf of Guus der Kinderen
Date: Thursday, March 24, 2016 at 6:54 AM
To: Bill Burke
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] keycloak configuration

I signed up to the mailing list at a time that this thread was already underway. I didn't read back to find out what the original question was, and given the tone of the responses I am not going to either, but, as for the call for specific improvements: I've got two:

* It would be helpful if the section on JAAS integration would contain a very short example of a configuration file, and a java snippet that shows how to instantiate a LoginContext based on that. I was unfamiliar with JAAS and was struggling to put one and one together. I think the above could be done in ten lines or so, so it's relatively small, but would be a good illustrative example for the likes of me.
* The REST endpoint documentation lacks structure (grouping), which makes it hard to navigate. Improving on that would be as simple as grouping each piece of documentation by its resource path.

$0.02

- Guus

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/95c02e73/attachment-0001.html

From bburke at redhat.com Thu Mar 24 12:47:39 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 24 Mar 2016 12:47:39 -0400
Subject: [keycloak-user] keycloak configuration
In-Reply-To: <09354F97-5587-485A-B33E-6999CA9B8555@expedia.com>
References: <56F3EABF.7040809@redhat.com> <09354F97-5587-485A-B33E-6999CA9B8555@expedia.com>
Message-ID: <56F41A2B.7050703@redhat.com>

Contributions are always welcome!

On 3/24/2016 10:31 AM, Jason Axley wrote:
> +1 on the API documentation. I'd prefer a Swagger interface with
> collapsible sections and the ability to execute the API in the browser
> for testing. Additionally, you can now integrate with Postman by
> importing everything as a Postman collection via a Run in Postman
> button - would also be very useful. You can just import the Swagger
> or RAML file to create the Postman collection.
> > -Jason > > From: > on behalf of Guus der > Kinderen > > Date: Thursday, March 24, 2016 at 6:54 AM > To: Bill Burke > > Cc: "keycloak-user at lists.jboss.org > " > > Subject: Re: [keycloak-user] keycloak configuration > > I signed up to the mailinglist at a time that this thread was already > underway. I didn't read back to find out what the original question > was, and given the tone of the responses I am not going to either, > but, as for for the call for specific improvements: I've got two: > > * It would be helpful if the section on JAAS integration would > contain a very short example of a configuration file, and a java > snippet that shows how to instantiate a LoginContext based on > that. I was unfamiliar with JAAS and was struggling to put one and > one together. I think the above could be done in ten lines or so, > so it's relatively small, but would be a good illustrative example > for the likes of me. > * The REST endpoint documentation lacks structure (grouping), which > makes it hard to navigate. Improving on that would be a simple as > grouping each piece of documentation by its resource path. > > $0.02 > > - Guus > > On 24 March 2016 at 14:25, Bill Burke > wrote: > > documentation hasn't received any love for more than a year. > Screencasts are even more out of date. The good news is that > myself and the red hat documentation team is scheduled to focus on > docs and screencasts the month of April. Up until a few months > ago, we were just an open source community. Now that the Red Hat > machine is getting behind us, areas like documentation should > start to be improved. > > BTW, If you want help, we need more than just "it doesn't work, > your documentation sucks". Walking us through the problem helps > us improve error messages, general usability, and documentation. > Threatening us doesn't really help as you are just as likely to > get ignored. 
> > On 3/24/2016 4:56 AM, Stian Thorgersen wrote: >> Firstly, that's not FreeIPA (community project) documentation, >> but Red Hat Identity Management documentation (product). The >> FreeIPA documentation is https://www.freeipa.org/page/Documentation. >> >> Secondly, just stating that our documentation is bad and pointing >> to some better documentation doesn't give us anything to go on. >> We would like to give a good experience and I would be very >> interested in knowing exactly what documentation you are lacking, >> hard to understand or whatever other issues you may have with the >> documentation. Help us to help you ;) >> >> Finally we know the documentation is not as good as it could be >> and are planning to improve it in the not too distant future. So >> input from users would be valuable. >> >> On 23 March 2016 at 11:32, Pavlos Kleanthous > > wrote: >> >> Just compare the documentation from another redhat product >> FreeIPA >> >> >> I have read this documentation and set up/configured an IPA server >> very easily. >> >> Keycloak's current documentation looks more like a >> developer's manual to me. >> >> >> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen >> > wrote: >> >> Could you elaborate on what is missing from the >> documentation? That would be helpful. >> >> On 22 Mar 2016 12:05, "Pavlos Kleanthous" >> > wrote: >> >> Dear all, >> >> I dropped the project at the moment. The lack of >> documentation is too time consuming. >> >> Hope that soon keycloak will have it. >> >> >> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen >> > wrote: >> >> What adapter? Is the server and client adapter >> both 1.9.1? We did recently deprecate some OIDC >> endpoints. I think ../login is gone and it should >> be ../auth. So if you are using an old adapter >> that may be the issue. >> >> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" >> > > wrote: >> >> Yours. >> >> I configured the realm with the same >> settings on both versions 1.9.1 and 1.8.1.
>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen wrote: >> Client ID has nothing to do with this issue as it would show a login error page, not a not found. So it must be either the realm name or another part of the URL that is wrong. >> Are you using our adapters or another library atm? >> I'm answering on my phone on the plane so can't look into it more atm. >> On 17 Mar 2016 10:00, "Pavlos Kleanthous" wrote: >> Hi, >> In jenkins, I'm pasting the JSON configuration that can be found inside the "Installation" tab. >> Instead of using keycloak client plugins, can I use a generic oauth plugin in my apps? How can I configure my keycloak for this? i.e. Instead of using google's oauth URL use my own pointing to keycloak. >> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj wrote: >> In your jenkins realm - under Clients do you have a client called 'ci'? That's the client_id used in your request. >> AFAIK nothing changed in this part of the code since 1.8.1. >> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" wrote: >> yes I can. >> Please note that this is a problem of version 1.9.1. I have tried now version 1.8.1 and it redirects me to keycloak. >> p.s. I'm using the official containers from docker hub. >> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj wrote: >> Are you able to login into admin console at: http://192.168.99.100:32786/auth >> And you see the realm called 'jenkins' there? >> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" wrote: >> Hi guys adding to this. Please see the HTTP requests and responses.
>> 1. Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
>> 2. Request Method: GET
>> 3. Status Code: 302 Found
>> 4. Remote Address: 192.168.99.100:32769
>> Response Headers:
>> Content-Length: 0
>> Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>> Server: Jetty(winstone-2.9)
>> X-Content-Type-Options: nosniff
>>
>> 1. Request URL: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>> 2. Request Method: GET
>> 3. Status Code: 404 Not Found
>> 4. Remote Address: 192.168.99.100:32786
>> Response Headers:
>> Connection: keep-alive
>> Content-Length: 0
>> Date: Wed, 16 Mar 2016 10:30:40 GMT
>> Server: WildFly/10
>> X-Powered-By: Undertow/1
>> Request Headers:
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>> Accept-Encoding: gzip, deflate, sdch
>> Accept-Language: en-US,en;q=0.8,el;q=0.6
>> Connection: keep-alive
>> Cookie: KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; KC_RESTART=eyJhbGciOiJIUzI1NiJ9.eyJjcyI6IjhlYWY3ZjM2LWZhOGMtNGFiZi04ZDQ0LWVlN2RlODI0ZmE2NyIsImNpZCI6ImFjY291bnQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucy9hY2NvdW50L2xvZ2luLXJlZGlyZWN0IiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsiYWN0aW9uX2tleSI6IjIyMGExNzllLWM1OGQtNDAyOS1hMmIwLTQ5MmI3MTVkMWI3ZiIsImF1dGhfdHlwZSI6ImNvZGUiLCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjMyNzg2L2F1dGgvcmVhbG1zL2plbmtpbnMvYWNjb3VudC9sb2dpbi1yZWRpcmVjdCIsInN0YXRlIjoiMC8zMjFhMDk0Zi03ODYwLTRkOTAtOWU4Yy1iMmM5ZmFkYWVjZmIifX0.QAucuHQLj_-5s3dgnFaxDeni! gQ9FnaP6 DEyOvd8v2Yo; KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080
>> DNT: 1
>> Host: 192.168.99.100:32786
>> Referer: http://192.168.99.100:32769/
>> Save-Data: on
>> Upgrade-Insecure-Requests: 1
>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous wrote: >> Thanks for pointing this out. I think it does not matter as the same name can be found in the "Installation" tab where I copied the configuration. >> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj wrote: >> Looks like you mistyped your client id: 'jenknis'. >> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" wrote: >> Hello, >> I'm trying to configure keycloak for the first time. My setup has 2 containers, keycloak and jenkins. Following the example on how to integrate those two, I created a realm and a client called "jenkins". >> It seems that the realm configuration is not correct, as I get the following debug error.
>> "15:47:55,791 >> ERROR >> [org.jboss.resteasy.resteasy_jaxrs.i18n] >> (default >> task-12) >> RESTEASY002010: >> Failed to >> execute: >> javax.ws.rs.NotFoundException: >> RESTEASY003210: >> Could not >> find resource >> for full >> path: >> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261" >> >> I noticed >> that >> "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >> does not work >> generally. >> The URL >> ending with >> "/auth/realms/ci/account" >> it works. >> >> if I access >> the URL: >> http://192.168.99.100:32786/auth/realms/ci >> >> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >> >> Can you help >> how to find >> the problem ? >> >> p.s. is there >> any other way >> to find help >> on those >> matters? >> Tried IRC but >> nobody is >> replying there... 
>> >> Thank you >> >> _______________________________________________ >> keycloak-user >> mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/d57265df/attachment-0001.html From hr.stoyanov at peruncs.com Thu Mar 24 18:13:47 2016 From: hr.stoyanov at peruncs.com (Hristo Stoyanov) Date: Thu, 24 Mar 2016 15:13:47 -0700 Subject: [keycloak-user] Example for using rest admin? Message-ID: Hi all, I am trying to do this: 1. Have a war deployed in wildfly10 2. Need to instantiate a kc rest admin service and use the app service account 3. Need to manipulate user attributes and roles as the app runs via the rest admin API. I see some examples, but they are heavy on servlet configuration and low level HTTP header manipulations. I need something that picks the configuration from the adapter (not reading json conf) and use JEE client jax-rs 2.0 to call KC. Any pointers/sample code will be appreciated! Thanks! /Hristo Stoyanov -------------- next part -------------- An HTML attachment was scrubbed... 
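Returning to the keycloak configuration thread above: the replies narrow the 404 down to the authorization URL the Jenkins plugin builds (Stian: the "../login" endpoint is gone in 1.9.1 and should be "../auth"; Marko: the client id was typed 'jenknis'; Stian: a wrong client_id gives a login error page, while a wrong realm or path gives a not found). The Python script below is an added example and not code from the thread, from Keycloak or from the Jenkins plugin. It takes the redirect URL seen in the browser, checks the endpoint name, realm, client_id, redirect_uri and state against what the administrator configured, and rebuilds the request against the current endpoint. The two URLs it checks are the ones posted in the thread; the expected realm 'jenkins', client 'ci', the Jenkins base URL and the response_type=code parameter that the OAuth2 authorization endpoint requires are assumptions made for the example.

```python
"""Check the OpenID Connect authorization request a client (here the Jenkins
plugin) sends to Keycloak before suspecting the realm configuration.
Added example for this thread; not code from Keycloak or the Jenkins plugin."""
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Keycloak 1.9 serves the authorization endpoint at .../protocol/openid-connect/auth.
# Adapters built against older releases still request .../login, which (per the
# thread) 1.9 no longer routes: the server answers an empty 404, exactly as in
# the response headers posted above.
AUTH_ENDPOINT = "auth"
DEPRECATED_ENDPOINTS = {"login"}


def parse_auth_request(url):
    """Split a Keycloak OIDC authorization URL into base, realm, endpoint and query."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # Expected shape: auth / realms / <realm> / protocol / openid-connect / <endpoint>
    if (len(segments) != 6 or segments[0] != "auth" or segments[1] != "realms"
            or segments[3] != "protocol" or segments[4] != "openid-connect"):
        raise ValueError("not a Keycloak OIDC authorization URL: " + parts.path)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"base": urlunsplit((parts.scheme, parts.netloc, "", "", "")),
            "realm": segments[2], "endpoint": segments[5], "query": query}


def check_auth_request(url, expected_realm, expected_client_id, app_base):
    """Return findings that explain a 404 or login error; [] means the URL looks right."""
    req = parse_auth_request(url)
    findings = []
    if req["endpoint"] in DEPRECATED_ENDPOINTS:
        findings.append("endpoint '/%s' is gone since 1.9, use '/%s'"
                        % (req["endpoint"], AUTH_ENDPOINT))
    elif req["endpoint"] != AUTH_ENDPOINT:
        findings.append("unknown endpoint '/%s'" % req["endpoint"])
    # A wrong realm name yields a 404; a wrong client_id yields Keycloak's login
    # error page instead, which is how the thread tells the two apart.
    if req["realm"] != expected_realm:
        findings.append("realm '%s' in URL, expected '%s'" % (req["realm"], expected_realm))
    client_id = req["query"].get("client_id")
    if client_id != expected_client_id:
        findings.append("client_id '%s' in URL, expected '%s'" % (client_id, expected_client_id))
    redirect_uri = req["query"].get("redirect_uri", "")
    if not redirect_uri.startswith(app_base):
        findings.append("redirect_uri '%s' is not under '%s'" % (redirect_uri, app_base))
    if "state" not in req["query"]:
        findings.append("missing state parameter (CSRF binding)")
    if req["endpoint"] == AUTH_ENDPOINT and "response_type" not in req["query"]:
        findings.append("missing response_type (the /auth endpoint requires it)")
    return findings


def corrected_url(url, expected_realm, expected_client_id):
    """Rebuild the request against the current endpoint with the expected names."""
    req = parse_auth_request(url)
    query = dict(req["query"])
    query["client_id"] = expected_client_id
    query.setdefault("response_type", "code")  # assumption: authorization code flow
    path = "/auth/realms/%s/protocol/openid-connect/%s" % (expected_realm, AUTH_ENDPOINT)
    return req["base"] + path + "?" + urlencode(query)


# The two authorization URLs posted in the thread, copied from the page.
FIRST_URL = ("http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login"
             "?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769"
             "%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261")
SECOND_URL = ("http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login"
              "?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769"
              "%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184")
# Assumed configuration: realm 'jenkins', client 'ci', Jenkins listening here.
JENKINS_BASE = "http://192.168.99.100:32769/"

if __name__ == "__main__":
    for url in (FIRST_URL, SECOND_URL):
        for finding in check_auth_request(url, "jenkins", "ci", JENKINS_BASE):
            print("-", finding)
        print("fixed:", corrected_url(url, "jenkins", "ci"))
```

Run against the first URL it reports the three problems the thread found one by one (deprecated endpoint, realm 'ci', client 'jenknis'); against the second URL only the endpoint is left, and the rebuilt URL passes every check.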
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/c77fcd5c/attachment.html From postmaster at lists.jboss.org Fri Mar 25 02:32:29 2016 From: postmaster at lists.jboss.org (MAILER-DAEMON) Date: Fri, 25 Mar 2016 13:32:29 +0700 Subject: [keycloak-user] Returned mail: Data format error Message-ID: <201603250632.u2P6WRRI002886@lists01.dmz-a.mwc.hst.phx2.redhat.com> The original message was received at Fri, 25 Mar 2016 13:32:29 +0700 from lists.jboss.org [18.63.111.252] ----- The following addresses had permanent fatal errors ----- -------------- next part -------------- A non-text attachment was scrubbed... Name: mail.zip Type: application/octet-stream Size: 28978 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160325/6d907812/attachment-0001.obj From glavoie at gmail.com Fri Mar 25 10:43:02 2016 From: glavoie at gmail.com (Gabriel Lavoie) Date: Fri, 25 Mar 2016 10:43:02 -0400 Subject: [keycloak-user] Upload of SAML SP/Client metadata and detection of NameIdFormat Message-ID: Hi, I'm trying to pre-configure a SAML 2.0 SP/Client in a realm with the upload of its metadata in XML format. The metadata I have currently tells that it wants the e-mail address as the NameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress After uploading the metadata, the Name ID Format attribute is set to "username" which seems to be the default value. Tested with 1.8.0 and 1.9.1 Is this the expected/desired behavior or this is something that Keycloak could extract? Thank you, Gabriel -- Gabriel Lavoie glavoie at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160325/adbd1c1f/attachment.html From bburke at redhat.com Fri Mar 25 13:52:52 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 25 Mar 2016 13:52:52 -0400 Subject: [keycloak-user] Upload of SAML SP/Client metadata and detection of NameIdFormat In-Reply-To: References: Message-ID: <56F57AF4.9060609@redhat.com> You imported a SAML SP metadata XML file into the admin console? IIRC, I didn't populate this because multiple nameID formats are allowed to be specified. Guess I should just pick one at least. On 3/25/2016 10:43 AM, Gabriel Lavoie wrote: > Hi, > I'm trying to pre-configure a SAML 2.0 SP/Client in a realm with > the upload of its metadata in XML format. The metadata I have > currently tells that it wants the e-mail address as the NameIdFormat: > > urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress > > After uploading the metadata, the Name ID Format attribute is set to > "username" which seems to be the default value. > > Tested with 1.8.0 and 1.9.1 > > Is this the expected/desired behavior or this is something that > Keycloak could extract? > > Thank you, > > Gabriel > > -- > Gabriel Lavoie > glavoie at gmail.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... 
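As an added example for the NameIDFormat question above (this is not Keycloak's import code, which Bill says leaves the field at its default because an SP may list several formats): the Python below reads the SPSSODescriptor of an uploaded SP metadata document, maps the NameIDFormat URIs onto the values Keycloak offers for a SAML client (email, transient, persistent, username) and falls back to username when the SP lists none, or only formats Keycloak cannot express. The metadata documents are constructed for the example, and the rule that the first listed format the IdP supports wins is an assumption, not something the SAML metadata specification mandates.

```python
"""Pick the Keycloak "Name ID Format" for a SAML client from the SP metadata it
uploads. Added example for this thread; it is not Keycloak's import code."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# SAML NameIDFormat URIs that map onto the values Keycloak offers in the
# SAML client settings. Anything else falls back to "username".
KEYCLOAK_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "email",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "username",
}
DEFAULT_FORMAT = "username"


def sp_nameid_formats(metadata_xml):
    """Return the NameIDFormat URIs of the first SPSSODescriptor, in document order.
    ElementTree is fine for metadata you produced yourself; for files uploaded by
    third parties parse with defusedxml to rule out entity-expansion attacks."""
    root = ET.fromstring(metadata_xml)
    # Metadata may be a single EntityDescriptor or an EntitiesDescriptor wrapping several.
    sp = root.find(".//{%s}SPSSODescriptor" % MD_NS)
    if sp is None:
        raise ValueError("metadata contains no SPSSODescriptor")
    return [(e.text or "").strip() for e in sp.findall("{%s}NameIDFormat" % MD_NS)]


def choose_keycloak_nameid_format(metadata_xml):
    """Map the SP's formats to one Keycloak setting: the first supported one wins
    (assumption: listing order is preference order), "username" otherwise."""
    for uri in sp_nameid_formats(metadata_xml):
        if uri in KEYCLOAK_NAMEID_FORMATS:
            return KEYCLOAK_NAMEID_FORMATS[uri]
    return DEFAULT_FORMAT


# Constructed SP metadata modelled on the case in the thread; the entityID and
# the assertion consumer URL are made up for the example.
EMAIL_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
EMAIL_FORMAT_ELEMENT = ("<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                        "</md:NameIDFormat>")

# An SP that lists several formats: the first one Keycloak can express is chosen.
MULTI_SP_METADATA = EMAIL_SP_METADATA.replace(
    EMAIL_FORMAT_ELEMENT,
    "<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted</md:NameIDFormat>\n"
    "    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>\n"
    "    " + EMAIL_FORMAT_ELEMENT)

# An SP that says nothing about the format: keep Keycloak's default.
SILENT_SP_METADATA = EMAIL_SP_METADATA.replace(EMAIL_FORMAT_ELEMENT, "")

if __name__ == "__main__":
    for name, xml in (("email", EMAIL_SP_METADATA), ("multi", MULTI_SP_METADATA),
                      ("silent", SILENT_SP_METADATA)):
        print(name, "->", choose_keycloak_nameid_format(xml))
```

The mapping table is the place to extend if Keycloak gains more formats; the fallback keeps the behaviour the thread observed today (username) for anything unrecognised, so an import can never silently select a format the IdP does not support.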
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160325/b7a44461/attachment.html From glavoie at gmail.com Fri Mar 25 15:02:30 2016 From: glavoie at gmail.com (Gabriel Lavoie) Date: Fri, 25 Mar 2016 15:02:30 -0400 Subject: [keycloak-user] Upload of SAML SP/Client metadata and detection of NameIdFormat In-Reply-To: <56F57AF4.9060609@redhat.com> References: <56F57AF4.9060609@redhat.com> Message-ID: I did it through both the admin console and the RealmResource.convertClientDescription() API to retrieve a ClientRepresentation object with the same result. As I see, in the UI, the "email", "transient" and "persistent" formats could be auto-detected. A fallback to "username" if the value isn't recognized would be an acceptable behavior. Gabriel 2016-03-25 13:52 GMT-04:00 Bill Burke : > You imported a SAML SP metadata XML file into the admin console? IIRC, I > didn't populate this because multiple nameID formats are allowed to be > specified. Guess I should just pick one at least. > > > On 3/25/2016 10:43 AM, Gabriel Lavoie wrote: > > Hi, > I'm trying to pre-configure a SAML 2.0 SP/Client in a realm with the > upload of its metadata in XML format. The metadata I have currently tells > that it wants the e-mail address as the NameIdFormat: > > > urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress > > After uploading the metadata, the Name ID Format attribute is set to > "username" which seems to be the default value. > > Tested with 1.8.0 and 1.9.1 > > Is this the expected/desired behavior or this is something that Keycloak > could extract? 
> > Thank you, > > Gabriel > > -- > Gabriel Lavoie > glavoie at gmail.com > > > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hat http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Gabriel Lavoie glavoie at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160325/3619cc1d/attachment.html From guus.der.kinderen at gmail.com Fri Mar 25 15:09:16 2016 From: guus.der.kinderen at gmail.com (Guus der Kinderen) Date: Fri, 25 Mar 2016 20:09:16 +0100 Subject: [keycloak-user] Class loading issue when refreshing token In-Reply-To: References: Message-ID: I do have core on my classpath. I am bound to a setup where keycloak is instantiated by a classloader that is a child of the classloader that triggers the requests. Is that a problem? It obviously isn't a problem for some calls, but perhaps there's something different with that TokenService? I'm having trouble determining the exact set of dependencies that I need for my project. Is that documented somewhere? Does anyone know how I could further diagnose this issue? Regards, Guus On 24 March 2016 at 10:29, Marko Strukelj wrote: > The stacktrace hides whether this is ClassNotFoundException or > NoClassDefFoundError, so it's possible that TokenService is actually > visible, but not one of its dependencies. > > You'll definitely also need to add keycloak-core.jar to your classpath. > > On Thu, Mar 24, 2016 at 10:21 AM, Guus der Kinderen < > guus.der.kinderen at gmail.com> wrote: > >> Hello cloakees. >> >> I'm having an interesting problem while using the admin-client from >> 1.9.1. Initially, things go well.
I can extract data as expected. However, >> after a couple of minutes (I think when the admin-client-token needs >> refreshing), I'm suddenly getting errors: >> "java.lang.IllegalArgumentException: interface >> org.keycloak.admin.client.token.TokenService is not visible from class >> loader" I added a full stacktrace below. >> >> I find it odd that some functionality does work, but other does not. >> What's causing this? keycloak-admin-client-1.9.1.Final.jar is on the >> classpath, which is where that interface appears to live. >> >> Regards, >> >> Guus >> >> 2016.03.24 10:18:50 WARN [Jetty-QTP-AdminConsole-58]: >> org.eclipse.jetty.servlet.ServletHandler - /user-summary.jsp >> javax.ws.rs.ProcessingException: java.lang.IllegalArgumentException: >> interface org.keycloak.admin.client.token.TokenService is not visible from >> class loader >> at >> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430) >> at >> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) >> at >> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) >> at com.sun.proxy.$Proxy26.search(Unknown Source) >> at >> org.jivesoftware.openfire.plugin.KeycloakUserProvider.getUserCount(KeycloakUserProvider.java:134) >> at >> org.jivesoftware.openfire.user.UserManager.getUserCount(UserManager.java:263) >> at >> org.jivesoftware.openfire.admin.user_002dsummary_jsp._jspService(user_002dsummary_jsp.java:107) >> at >> org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812) >> at >> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669) >> at >> com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118) >> at >> com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52) 
>> at >> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) >> at >> org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:76) >> at >> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) >> at >> org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:53) >> at >> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) >> at >> org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:80) >> at >> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) >> at >> org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:162) >> at >> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) >> at >> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) >> at >> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) >> at >> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) >> at >> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) >> at >> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) >> at >> org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) >> at >> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) >> at >> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) >> at >> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) >> at >> org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) >> at >> org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110) >> at >> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) >> at org.eclipse.jetty.server.Server.handle(Server.java:499) >> at >> 
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) >> at >> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) >> at >> org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544) >> at >> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) >> at >> org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: java.lang.IllegalArgumentException: interface >> org.keycloak.admin.client.token.TokenService is not visible from class >> loader >> at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:581) >> at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:557) >> at java.lang.reflect.WeakCache$Factory.get(WeakCache.java:230) >> at java.lang.reflect.WeakCache.get(WeakCache.java:127) >> at java.lang.reflect.Proxy.getProxyClass0(Proxy.java:419) >> at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:719) >> at >> org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:70) >> at >> org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:122) >> at >> org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:74) >> at >> org.keycloak.admin.client.token.TokenManager.refreshToken(TokenManager.java:100) >> at >> org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:59) >> at >> org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:52) >> at >> org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:48) >> at >> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413) >> ... 
40 more >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160325/bac31723/attachment-0001.html From parsectix at gmail.com Fri Mar 25 19:25:47 2016 From: parsectix at gmail.com (Pavlos Kleanthous) Date: Fri, 25 Mar 2016 23:25:47 +0000 Subject: [keycloak-user] keycloak configuration In-Reply-To: <56F41A2B.7050703@redhat.com> References: <56F3EABF.7040809@redhat.com> <09354F97-5587-485A-B33E-6999CA9B8555@expedia.com> <56F41A2B.7050703@redhat.com> Message-ID: It's good to hear that you guys are trying to write better documentation. First of all, I didn't have any knowledge about SSO. Chapter 2 is a good start, although it needs to elaborate further. Some demo videos that you have are also a good start (as mentioned, they are outdated). The documentation should include all those steps to create and configure a Realm, as you can see in the video. It's good that you have containers and we can start a keycloak service very easily. p.s. I have a lot of respect for ALL OSS communities and I didn't want to offend you. If I did that, please accept my apologies. Although I believe my mails were very polite, I don't get the tone of your responses, guys... On Thu, Mar 24, 2016 at 4:47 PM, Bill Burke wrote: > Contributions are always welcome! > > > On 3/24/2016 10:31 AM, Jason Axley wrote: > > +1 on the API documentation. I'd prefer a Swagger interface with > collapsible sections and the ability to execute the API in the browser for > testing. Additionally, you can now integrate with Postman by importing > everything as a Postman collection via a Run in Postman button - would also > be very useful. You can just import the Swagger or RAML file to create the > Postman collection.
> > -Jason > > From: < > keycloak-user-bounces at lists.jboss.org> on behalf of Guus der Kinderen < > guus.der.kinderen at gmail.com> > Date: Thursday, March 24, 2016 at 6:54 AM > To: Bill Burke < bburke at redhat.com> > Cc: " keycloak-user at lists.jboss.org" < > keycloak-user at lists.jboss.org> > Subject: Re: [keycloak-user] keycloak configuration > > I signed up to the mailing list at a time that this thread was already > underway. I didn't read back to find out what the original question was, > and given the tone of the responses I am not going to either, but, as for > the call for specific improvements: I've got two: > > - It would be helpful if the section on JAAS integration would contain > a very short example of a configuration file, and a java snippet that shows > how to instantiate a LoginContext based on that. I was unfamiliar with JAAS > and was struggling to put one and one together. I think the above could be > done in ten lines or so, so it's relatively small, but would be a good > illustrative example for the likes of me. > - The REST endpoint documentation lacks structure (grouping), which > makes it hard to navigate. Improving on that would be as simple as grouping > each piece of documentation by its resource path. > > $0.02 > > - Guus > > On 24 March 2016 at 14:25, Bill Burke wrote: > >> documentation hasn't received any love for more than a year. Screencasts >> are even more out of date. The good news is that myself and the Red Hat >> documentation team are scheduled to focus on docs and screencasts the month >> of April. Up until a few months ago, we were just an open source >> community. Now that the Red Hat machine is getting behind us, areas like >> documentation should start to be improved. >> >> BTW, If you want help, we need more than just "it doesn't work, your >> documentation sucks". Walking us through the problem helps us improve >> error messages, general usability, and documentation.
Threatening us >> doesn't really help as you are just as likely to get ignored. >> >> On 3/24/2016 4:56 AM, Stian Thorgersen wrote: >> >> Firstly, that's not FreeIPA (community project) documentation, but Red >> Hat Identity Management documentation (product). The FreeIPA documentation >> is https://www.freeipa.org/page/Documentation. >> >> Secondly, just stating that our documentation is bad and pointing to some >> better documentation doesn't give us anything to go on. We would like to >> give a good experience and I would be very interested in knowing exactly >> what documentation you are lacking, hard to understand or whatever other >> issues you may have with the documentation. Help us to help you ;) >> >> Finally we know the documentation is not as good as it could be and are >> planning to improve it in the not to distant future. So input from users >> would be valuable. >> >> On 23 March 2016 at 11:32, Pavlos Kleanthous < >> parsectix at gmail.com> wrote: >> >>> Just compare the documentation from another redhat product FreeIPA >>> >>> >>> I have read this documentation and setup/configure IPA server very easy. >>> >>> Keycloak's current documentation looks like more as a developers manual >>> to me. >>> >>> >>> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen >>> wrote: >>> >>>> Could you elaborate on what is missing from the documentation? That >>>> would be helpful. >>>> On 22 Mar 2016 12:05, "Pavlos Kleanthous" < >>>> parsectix at gmail.com> wrote: >>>> >>>>> Dear all, >>>>> >>>>> I dropped the project at the moment. The lack of documentation is too >>>>> time consuming. >>>>> >>>>> Hope that soon keycloak will have it. >>>>> >>>>> >>>>> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen < >>>>> sthorger at redhat.com> wrote: >>>>> >>>>>> What adapter? Is the server and client adapter both 1.9.1? We did >>>>>> recently deprecate some OIDC endpoints. I think ../login is gone and it >>>>>> should be ../auth. 
So if you are using an old adapter that may be the issue. >>>>>> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" < >>>>>> parsectix at gmail.com> wrote: >>>>>> >>>>>>> Yours. >>>>>>> >>>>>>> I configured the realm with the same settings on both versions >>>>>>> 1.9.1 and 1.8.1. >>>>>>> >>>>>>> >>>>>>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen < >>>>>>> sthorger at redhat.com> wrote: >>>>>>> >>>>>>>> Client ID has nothing to do with this issue as it would show a >>>>>>>> login error page, not a not found. So it must be either the realm name or another >>>>>>>> part of the URL that is wrong. >>>>>>>> >>>>>>>> Are you using our adapters or another library atm? >>>>>>>> >>>>>>>> I'm answering on my phone on the plane so can't look into it more >>>>>>>> atm. >>>>>>>> On 17 Mar 2016 10:00, "Pavlos Kleanthous" < >>>>>>>> parsectix at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> In jenkins, I'm pasting the JSON configuration that can be found >>>>>>>>> inside the "Installation" tab. >>>>>>>>> >>>>>>>>> Instead of using keycloak client plugins, can I use a generic >>>>>>>>> oauth plugin in my apps? How can I configure my keycloak for this? >>>>>>>>> i.e. Instead of using google's oauth URL use my own pointing to >>>>>>>>> keycloak. >>>>>>>>> >>>>>>>>> >>>>>>>>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj < >>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>> >>>>>>>>>> In your jenkins realm - under Clients do you have a client called >>>>>>>>>> 'ci'? That's the client_id used in your request. >>>>>>>>>> >>>>>>>>>> AFAIK nothing changed in this part of the code since 1.8.1. >>>>>>>>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" < >>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> yes I can. >>>>>>>>>>> >>>>>>>>>>> Please note that this is a problem of version 1.9.1. >>>>>>>>>>> I have tried now version 1.8.1 and it redirects me to keycloak. >>>>>>>>>>> >>>>>>>>>>> p.s. I'm using the official containers from docker hub.
>>>>>>>>>>> >>>>>>>>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj < >>>>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Are you able to login into admin console at: >>>>>>>>>>>> >>>>>>>>>>>> http://192.168.99.100:32786/auth >>>>>>>>>>>> >>>>>>>>>>>> And you see the realm called 'jenkins' there? >>>>>>>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" < >>>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Hi guys adding to this. Please see the HTTP requests and >>>>>>>>>>>>> responses. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 1. Request URL: >>>>>>>>>>>>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>>>>>>>>>>>> 2. Request Method: GET >>>>>>>>>>>>> 3. Status Code: 302 Found >>>>>>>>>>>>> 4. Remote Address: 192.168.99.100:32769 >>>>>>>>>>>>> 1. Response Headers >>>>>>>>>>>>> 1. Content-Length: 0 >>>>>>>>>>>>> 2. Location: >>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>>>>>> 3. Server: Jetty(winstone-2.9) >>>>>>>>>>>>> 4. X-Content-Type-Options: nosniff >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 1. Request URL: >>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>>>>>> 2. Request Method: GET >>>>>>>>>>>>> 3. Status Code: 404 Not Found >>>>>>>>>>>>> 4. Remote Address: 192.168.99.100:32786 >>>>>>>>>>>>> 1. Response Headers >>>>>>>>>>>>> 1. Connection: keep-alive >>>>>>>>>>>>> 2. Content-Length: 0 >>>>>>>>>>>>> 3.
Date: >>>>>>>>>>>>> Wed, 16 Mar 2016 10:30:40 GMT >>>>>>>>>>>>> 4. Server: >>>>>>>>>>>>> WildFly/10 >>>>>>>>>>>>> 5. X-Powered-By: >>>>>>>>>>>>> Undertow/1 >>>>>>>>>>>>> 2. Request Headersview source >>>>>>>>>>>>> 1. Accept: >>>>>>>>>>>>> >>>>>>>>>>>>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>>>>>>>> 2. Accept-Encoding: >>>>>>>>>>>>> gzip, deflate, sdch >>>>>>>>>>>>> 3. Accept-Language: >>>>>>>>>>>>> en-US,en;q=0.8,el;q=0.6 >>>>>>>>>>>>> 4. Connection: >>>>>>>>>>>>> keep-alive >>>>>>>>>>>>> 5. Cookie: >>>>>>>>>>>>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>>>>>>>>>>>> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.eyJjcyI6IjhlYWY3ZjM2LWZhOGMtNGFiZi04ZDQ0LWVlN2RlODI0ZmE2NyIsImNpZCI6ImFjY291bnQiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucy9hY2NvdW50L2xvZ2luLXJlZGlyZWN0IiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsiYWN0aW9uX2tleSI6IjIyMGExNzllLWM1OGQtNDAyOS1hMmIwLTQ5MmI3MTVkMWI3ZiIsImF1dGhfdHlwZSI6ImNvZGUiLCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjMyNzg2L2F1dGgvcmVhbG1zL2plbmtpbnMvYWNjb3VudC9sb2dpbi1yZWRpcmVjdCIsInN0YXRlIjoiMC8zMjFhMDk0Zi03ODYwLTRkOTAtOWU4Yy1iMmM5ZmFkYWVjZmIifX0.QAucuHQLj_-5s3dgnFaxDeni! 
>>>>>>>>>>>>> gQ9FnaP6 DEyOvd8v2Yo; >>>>>>>>>>>>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >>>>>>>>>>>>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>>>>>>>>>>>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>>>>>>>>>>>> 6. DNT: >>>>>>>>>>>>> 1 >>>>>>>>>>>>> 7. Host: >>>>>>>>>>>>> 192.168.99.100:32786 >>>>>>>>>>>>> 8. Referer: >>>>>>>>>>>>> http://192.168.99.100:32769/ >>>>>>>>>>>>> 9. Save-Data: >>>>>>>>>>>>> on >>>>>>>>>>>>> 10. Upgrade-Insecure-Requests: >>>>>>>>>>>>> 1 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous < >>>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Thanks for pointing this out. I think it does not matter as >>>>>>>>>>>>> the same name can be found in "Installation" tab where >>>>>>>>>>>>> I copied the configuration. >>>>>>>>>>>>> >>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj < >>>>>>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Looks like you mistyped your client id: 'jenknis'. 
>>>>>>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" < >>>>>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I'm trying to configure keycloak for first time. My setup >>>>>>>>>>>>>>> has 2 containers keycloak and jenkins. >>>>>>>>>>>>>>> Following the example how to integrate those two, I created >>>>>>>>>>>>>>> a realm and a client called "jenkins". >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> It seams that the realm configuration it's not correct as I >>>>>>>>>>>>>>> get the following debug error. >>>>>>>>>>>>>>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>>>>> (default task-12) RESTEASY002010: Failed to execute: >>>>>>>>>>>>>>> javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for >>>>>>>>>>>>>>> full path: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>>>>>>>>>>> " >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I noticed that " >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>>>>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" it >>>>>>>>>>>>>>> works. 
>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> if I access the URL: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.1! >>>>>>>>>>>>>>> 00:32786 >>>>>>>>>>>>>>> /auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Can you help how to find the problem ? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> p.s. is there any other way to find help on those matters? >>>>>>>>>>>>>>> Tried IRC but nobody is replying there... 
>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thank you >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>> >>> > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160325/3d18286b/attachment-0001.html From chairfield at gmail.com Sun Mar 27 12:09:35 2016 From: chairfield at gmail.com (Chris Hairfield) Date: Sun, 27 Mar 2016 16:09:35 +0000 Subject: [keycloak-user] keycloak configuration In-Reply-To: References: <56F3EABF.7040809@redhat.com> <09354F97-5587-485A-B33E-6999CA9B8555@expedia.com> <56F41A2B.7050703@redhat.com> Message-ID: I'd like to see the documentation include details on setting up a JGROUPSPING table for clustering, complete with example configuration. Great to hear documentation love is slated soon! 

On Fri, Mar 25, 2016 at 5:26 PM Pavlos Kleanthous wrote:
> It's good to hear that you guys are trying to write better documentation.
>
> First of all I didn't have any knowledge about SSO. Chapter 2 is a good start, although it needs to elaborate further.
> Some demo videos that you have are also a good start (as mentioned, they are outdated.)
> The documentation should include all those steps to create and configure a Realm as you can see in the video.
>
> It's good that you have containers and we can start a keycloak service very easily.
>
> p.s. I have a lot of respect for ALL OSS communities and I didn't want to offend you. If I did that, please accept my apologies. Although I believe my mails were very polite, I don't get the tone of your responses guys...
>
> On Thu, Mar 24, 2016 at 4:47 PM, Bill Burke wrote:
>
>> Contributions are always welcome!
>>
>> On 3/24/2016 10:31 AM, Jason Axley wrote:
>>
>> +1 on the API documentation. I'd prefer a Swagger interface with collapsible sections and the ability to execute the API in the browser for testing. Additionally, you can now integrate with Postman by importing everything as a Postman collection via a Run in Postman button - would also be very useful. You can just import the Swagger or RAML file to create the Postman collection.
>>
>> -Jason
>>
>> From: <keycloak-user-bounces at lists.jboss.org> on behalf of Guus der Kinderen <guus.der.kinderen at gmail.com>
>> Date: Thursday, March 24, 2016 at 6:54 AM
>> To: Bill Burke <bburke at redhat.com>
>> Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>> Subject: Re: [keycloak-user] keycloak configuration
>>
>> I signed up to the mailing list at a time that this thread was already underway. I didn't read back to find out what the original question was, and given the tone of the responses I am not going to either, but, as for the call for specific improvements: I've got two:
>>
>> - It would be helpful if the section on JAAS integration would contain a very short example of a configuration file, and a java snippet that shows how to instantiate a LoginContext based on that. I was unfamiliar with JAAS and was struggling to put one and one together. I think the above could be done in ten lines or so, so it's relatively small, but would be a good illustrative example for the likes of me.
>> - The REST endpoint documentation lacks structure (grouping), which makes it hard to navigate. Improving on that would be as simple as grouping each piece of documentation by its resource path.
>>
>> $0.02
>>
>> - Guus
>>
>> On 24 March 2016 at 14:25, Bill Burke wrote:
>>
>>> documentation hasn't received any love for more than a year. Screencasts are even more out of date. The good news is that myself and the red hat documentation team are scheduled to focus on docs and screencasts the month of April. Up until a few months ago, we were just an open source community. Now that the Red Hat machine is getting behind us, areas like documentation should start to be improved.
>>>
>>> BTW, if you want help, we need more than just "it doesn't work, your documentation sucks". Walking us through the problem helps us improve error messages, general usability, and documentation. Threatening us doesn't really help as you are just as likely to get ignored.
>>>
>>> On 3/24/2016 4:56 AM, Stian Thorgersen wrote:
>>>
>>> Firstly, that's not FreeIPA (community project) documentation, but Red Hat Identity Management documentation (product). The FreeIPA documentation is https://www.freeipa.org/page/Documentation.
>>>
>>> Secondly, just stating that our documentation is bad and pointing to some better documentation doesn't give us anything to go on. We would like to give a good experience and I would be very interested in knowing exactly what documentation you are lacking, find hard to understand or whatever other issues you may have with the documentation. Help us to help you ;)
>>>
>>> Finally we know the documentation is not as good as it could be and are planning to improve it in the not too distant future. So input from users would be valuable.
>>>
>>> On 23 March 2016 at 11:32, Pavlos Kleanthous <parsectix at gmail.com> wrote:
>>>
>>>> Just compare the documentation from another redhat product FreeIPA
>>>>
>>>> I have read this documentation and set up/configured the IPA server very easily.
>>>>
>>>> Keycloak's current documentation looks more like a developer's manual to me.
>>>>
>>>> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen wrote:
>>>>
>>>>> Could you elaborate on what is missing from the documentation? That would be helpful.
>>>>> On 22 Mar 2016 12:05, "Pavlos Kleanthous" <parsectix at gmail.com> wrote:
>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> I dropped the project at the moment. The lack of documentation is too time consuming.
>>>>>>
>>>>>> Hope that soon keycloak will have it.
>>>>>>
>>>>>> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>
>>>>>>> What adapter? Are the server and client adapter both 1.9.1? We did recently deprecate some OIDC endpoints. I think ../login is gone and it should be ../auth. So if you are using an old adapter that may be the issue.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hr.stoyanov at peruncs.com Sun Mar 27 14:38:40 2016
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Sun, 27 Mar 2016 18:38:40 +0000
Subject: [keycloak-user] Need help for using KC REST API and service account
Message-ID:

Hi all,
I am trying to apply KC for:

1. Authentication.
So far KC works well and as expected!

2. Change the authenticated user's roles as part of the application logic: based on external credit card registration (by an external credit card processor) and paid plan selection by the user, the web app needs to move the authenticated user from the "free" role to the "premium" realm role, which corresponds to the paid plan s/he selected.

Is there an example of how to use KC APIs to change the user's role from within the app? I could not find anything specific in the examples or documentation, but I see some things that go in that direction:

A. It seems like I have to use the Admin REST API somehow, but I am not sure which rest calls from the vast REST APIs I need to use? Is it "Add realm-level role mappings to the user" and "Delete realm-level role mappings"? What is the "id" param then? Is this the "user id"? Can you please categorize the REST APIs in groups - "user management", "role CRUDs", etc., to make it easier to navigate?
There seems to be an example "admin-access-app", but it is not clear where it gets the app username/password. Are they just hard-coded "username" and "password"? In the case of the Wildfly adapter, the client secret is configured inside the standalone.xml configuration file, so *I expect not to have to configure it or read it from file configurations*, but the container should provide it/inject it for me? Is this a correct assumption? Any example wildfly code?

B. It seems like I also need to use a service account, so that the app can change user roles behind the scenes on its own? Correct? This blog post seems obsolete as there is no more "Service accounts enabled" switch I could find. I figured one needs to switch to the "confidential" access type instead. Is this correct?
Unfortunately, the corresponding example, "Service Account Example", does not show how one should proceed when the client secret is configured in Wildfly's standalone.xml file and the developer is not expected to parse configuration files (either embedded in the WAR or elsewhere). Any example of how to get configured objects? I tried to get some clue from the *KeycloakDeploymentBuilderTest.java* file, but it is not clear how one can get *KeycloakDeployment* injected by the container rather than parsing it from files. Any clue?

Thank you for the great product! And thank you for any guidance you can provide - that would save me a lot of time and questions!

/Hristo

From chairfield at gmail.com Sun Mar 27 15:52:18 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Sun, 27 Mar 2016 19:52:18 +0000
Subject: [keycloak-user] Encoding theme selection in realm?
In-Reply-To:
References:
Message-ID:

To anyone interested in how to set up an admin user permanently (without having to modify its password on initial login), it becomes easy in 1.7.x. Running the add-user.sh script like `bin/add-user.sh -u admin -p admin` has the desired effect.

Unfortunately, trying to do the same on a clean install of 1.6.x is failing for me when trying to create either a Management User or Application User; I am unable to log in to the newly-created user even though the script completes without errors (and I restarted the server, of course!). Looks like now's as good a time as any to upgrade ;)

P.S. I was bitten last upgrade when I tried to jump from 1.4.0 to 1.6.1 without stepping through 1.5.x in-between. Once bitten, twice shy.

On Sun, Mar 6, 2016 at 11:12 PM Stian Thorgersen wrote:
> On 5 March 2016 at 03:35, Chris Hairfield wrote:
>
>> We've built some themes, login and email, and configured our Keycloak 1.6.1 such that the theme is available in both dropdowns on the first start of the server, but I'd like to optimize a bit more. Since we import our realms, is it possible to configure them such that our theme is selected without any manual input?
>
> If you are handcrafting the realms you are importing then just add loginTheme and emailTheme fields on the realm. If you are using export, then the themes should already be set.
>
>> On a related note, is it possible to configure the admin user such that we don't need to reset their password on first start of the server? We expect to upgrade to 1.7.x or higher soon, which may be relevant given how the admin account is removed. I'd be curious to know whether my ask is possible on either 1.6.1 or higher.
>
> Upgrade to 1.9.x!
>
> See http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e116 for more details on admin user
>
>> Thanks!
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From leo.nunes at gjccorp.com.br Mon Mar 28 13:36:37 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Mon, 28 Mar 2016 17:36:37 +0000
Subject: [keycloak-user] Token is not active, message shown after login
Message-ID:

I have Keycloak 1.9.1 installed on a testing server and on our production server. Both servers have the same operating system, java version and most of the configurations. Keycloak at both servers also has the same configurations.
There's an application running on a Tomcat at my local machine that connects to the keycloak server.
When I connect my local application to the keycloak at the testing server everything works fine.
When I connect to the keycloak at the production server we are having the following problem:

- I open my local application and navigate to a restricted URL
- Keycloak login screen opens
- I enter the username and password and click Log in

The following error is returned to the browser:

HTTP Status 403 -
type Status report
message
description Access to the specified resource has been forbidden.
Apache Tomcat/7.0.67

The following error shows at my Tomcat log:

mar 28, 2016 11:26:15 AM org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: failed verification of token: Token is not active.

If I navigate to Sessions at the Keycloak admin console, there's an active session. If I click Logout all, the following error is shown:

Error! Failed to logout users under: http://10.10.3.191:8088/accounts-teste. Verify availability of failed hosts and try again

--
Leonardo

________________________________
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation

From bburke at redhat.com Mon Mar 28 14:40:57 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 28 Mar 2016 14:40:57 -0400
Subject: [keycloak-user] Upload of SAML SP/Client metadata and detection of NameIdFormat
In-Reply-To:
References: <56F57AF4.9060609@redhat.com>
Message-ID: <56F97AB9.3040904@redhat.com>

Just fixed this in branch 1.9.x and master now. Will be in next release.

On 3/25/2016 3:02 PM, Gabriel Lavoie wrote:
> I did it through both the admin console and the RealmResource.convertClientDescription() API to retrieve a ClientRepresentation object with the same result.
>
> As I see, in the UI, the "email", "transient" and "persistent" formats could be auto-detected. A fallback to "username" if the value isn't recognized would be an acceptable behavior.
>
> Gabriel
>
> 2016-03-25 13:52 GMT-04:00 Bill Burke:
>
>> You imported a SAML SP metadata XML file into the admin console? IIRC, I didn't populate this because multiple nameID formats are allowed to be specified. Guess I should just pick one at least.
>>
>> On 3/25/2016 10:43 AM, Gabriel Lavoie wrote:
>>> Hi,
>>> I'm trying to pre-configure a SAML 2.0 SP/Client in a realm with the upload of its metadata in XML format. The metadata I have currently tells that it wants the e-mail address as the NameIdFormat:
>>>
>>> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
>>>
>>> After uploading the metadata, the Name ID Format attribute is set to "username" which seems to be the default value.
>>>
>>> Tested with 1.8.0 and 1.9.1
>>>
>>> Is this the expected/desired behavior or is this something that Keycloak could extract?
>>>
>>> Thank you,
>>>
>>> Gabriel
>>>
>>> --
>>> Gabriel Lavoie
>>> glavoie at gmail.com
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
> --
> Gabriel Lavoie
> glavoie at gmail.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From battery4cid at gmail.com Mon Mar 28 16:03:05 2016
From: battery4cid at gmail.com (Bruce Shaw)
Date: Mon, 28 Mar 2016 16:03:05 -0400
Subject: [keycloak-user] hook into auth flow after new client consent
Message-ID:

I've created a Provider to execute some custom logic after a user registers or logs in. I'm having trouble finding where to hook up any custom logic for when a user consents to use a new client. So if he wants to use his login for another site, after the consent form is accepted, how can I execute some custom logic?

thanks

From guus.der.kinderen at gmail.com Tue Mar 29 05:28:19 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Tue, 29 Mar 2016 11:28:19 +0200
Subject: [keycloak-user] Class loading issue when refreshing token
In-Reply-To:
References:
Message-ID:

As I was afraid of, the problem does relate to the classloading setup that I need to work with.
Although most service proxies are instantiated just fine, the TokenService gets instantiated "on demand", which causes the classloader to be used (for reflection) from the thread that's doing the invocation of the requested functionality (rather than the thread that was used to instantiate the admin client, which is how all other proxies were created). I do think that there's an easy improvement here: as far as I can tell, there's no need to re-create the proxy all the time. It can instead be created once, when TokenManager is created. Construction is very likely to occur in the correct classloader - it's not bullet proof, but certainly an improvement. I've created a JIRA issue for this here: https://issues.jboss.org/browse/KEYCLOAK-2721 as well as a pull request here: https://github.com/keycloak/keycloak/pull/2443 - Guus On 25 March 2016 at 20:09, Guus der Kinderen wrote: > I do have core on my classpath. I am bound to a setup where keycloak is > instantiated by a classloader that is a child of the classloader that > triggers the requests. Is that a problem? It obviously isn't a problem for > some calls, but perhaps that there's something different with that > TokenService? > > I'm having trouble determining the exact set of dependencies that I need > for my project. Is that documented somewhere? > > Does anyone know how I could further diagnose this issue? > > Regards, > > Guus > > On 24 March 2016 at 10:29, Marko Strukelj wrote: > >> The stacktrace hides whether this is ClassNotFoundException or >> NoClassDefFoundError, so it's possible that TokenService is actually >> visible, but not one of its dependencies. >> >> You'll definitely also need to add keycloak-core.jar to your classpath. >> >> On Thu, Mar 24, 2016 at 10:21 AM, Guus der Kinderen < >> guus.der.kinderen at gmail.com> wrote: >> >>> Hello cloakees. >>> >>> I'm having an interesting problem while using the admin-client from >>> 1.9.1. Initially, things go well. I can extract data as expected. 
However, >>> after a couple of minutes (I think when the admin-client-token needs >>> refreshing), I'm suddenly getting errors: >>> "java.lang.IllegalArgumentException: interface >>> org.keycloak.admin.client.token.TokenService is not visible from class >>> loader" I added a full stacktrace below. >>> >>> I find it odd that some functionality does work, but other does not. >>> What's causing this? keycloak-admin-client-1.9.1.Final.jar is on the >>> classpath, which is where that interface appears to live. >>> >>> Regards, >>> >>> Guus >>> >>> 2016.03.24 10:18:50 WARN [Jetty-QTP-AdminConsole-58]: >>> org.eclipse.jetty.servlet.ServletHandler - /user-summary.jsp >>> javax.ws.rs.ProcessingException: java.lang.IllegalArgumentException: >>> interface org.keycloak.admin.client.token.TokenService is not visible from >>> class loader >>> at >>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430) >>> at >>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) >>> at >>> org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64) >>> at com.sun.proxy.$Proxy26.search(Unknown Source) >>> at >>> org.jivesoftware.openfire.plugin.KeycloakUserProvider.getUserCount(KeycloakUserProvider.java:134) >>> at >>> org.jivesoftware.openfire.user.UserManager.getUserCount(UserManager.java:263) >>> at >>> org.jivesoftware.openfire.admin.user_002dsummary_jsp._jspService(user_002dsummary_jsp.java:107) >>> at >>> org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>> at >>> org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812) >>> at >>> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669) >>> at >>> com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118) >>> at >>> 
com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52) >>> at >>> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> at >>> org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:76) >>> at >>> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> at >>> org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:53) >>> at >>> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> at >>> org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:80) >>> at >>> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> at >>> org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:162) >>> at >>> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) >>> at >>> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) >>> at >>> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) >>> at >>> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) >>> at >>> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) >>> at >>> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) >>> at >>> org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) >>> at >>> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) >>> at >>> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) >>> at >>> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) >>> at >>> org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) >>> at >>> org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110) >>> at >>> 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) >>> at org.eclipse.jetty.server.Server.handle(Server.java:499) >>> at >>> org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) >>> at >>> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) >>> at >>> org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544) >>> at >>> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) >>> at >>> org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) >>> at java.lang.Thread.run(Thread.java:745) >>> Caused by: java.lang.IllegalArgumentException: interface >>> org.keycloak.admin.client.token.TokenService is not visible from class >>> loader >>> at >>> java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:581) >>> at >>> java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:557) >>> at java.lang.reflect.WeakCache$Factory.get(WeakCache.java:230) >>> at java.lang.reflect.WeakCache.get(WeakCache.java:127) >>> at java.lang.reflect.Proxy.getProxyClass0(Proxy.java:419) >>> at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:719) >>> at >>> org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:70) >>> at >>> org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:122) >>> at >>> org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:74) >>> at >>> org.keycloak.admin.client.token.TokenManager.refreshToken(TokenManager.java:100) >>> at >>> org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:59) >>> at >>> org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:52) >>> at >>> org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:48) >>> at >>> org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413) >>> ... 
40 more >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160329/764a26d0/attachment.html From guus.der.kinderen at gmail.com Tue Mar 29 08:02:20 2016 From: guus.der.kinderen at gmail.com (Guus der Kinderen) Date: Tue, 29 Mar 2016 14:02:20 +0200 Subject: [keycloak-user] Token is not active, message shown after login In-Reply-To: References: Message-ID: Hi Leonardo, Note that I'm a beginner, Keycloak-wise. However, as no-one else has responded, let me try. Tokens are valid in a limited time-span. The message "token is not active" indicates that your token has expired, or is not yet valid. We had another user earlier that had a somewhat similar problem. The cause of that problem was an incorrect timezone setting on one of his servers. Perhaps that's something that you could check? - Guus On 28 March 2016 at 19:36, LEONARDO NUNES wrote: > I have Keycloak 1.9.1 installed on a testing server and on our production > server. Both server have the same operating system, java version and most > of the configurations. Keycloak at both server also have the same > configurations. > There's an application running on a Tomcat at my local machine that > connects to the keycloak server. > > When I connect my local application to the keycloak at the testing server > everything works fine. 
> When I connect to the keycloak at the production server we are having the > following problem: > > - I open my local application and navigate to a restricted URL > - Keycloak login screen opens > - I enter the username and password and click Log in > > The following error is returned to the browser: > HTTP Status 403 - > type Status report > message > description Access to the specified resource has been forbidden. > Apache Tomcat/7.0.67 > > The following error shows at my Tomcat log: > mar 28, 2016 11:26:15 AM org.keycloak.adapters.OAuthRequestAuthenticator > resolveCode > ERROR: failed verification of token: Token is not active. > > If I navigate to Sessions at the Keycloak admin console, there's an active > session. > If I click Logout all the following error is shown: > Error! Failed to logout users under: > http://10.10.3.191:8088/accounts-teste. Verify availability of failed > hosts and try again > > > -- > Leonardo > ------------------------------ > > > *This message may contain > confidential and/or privileged information. If you are not the addressee or > authorized to receive this for the addressee, you must not use, copy, > disclose or take any action based on this message or any information > herein. If you have received this message in error, please advise the > sender immediately by reply e-mail and delete this message. 
Thank you for > your cooperation* > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160329/d2c06533/attachment-0001.html From leo.nunes at gjccorp.com.br Tue Mar 29 08:22:11 2016 From: leo.nunes at gjccorp.com.br (LEONARDO NUNES) Date: Tue, 29 Mar 2016 12:22:11 +0000 Subject: [keycloak-user] Token is not active, message shown after login In-Reply-To: Message-ID: Hi Guus, you are right! I had an incorrect timezone setting. I fixed the timezone, now it works! Thanks a lot. -- Leonardo From: Guus der Kinderen > Date: Tuesday, 29 March 2016 09:02 To: Leonardo Nunes > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Token is not active, message shown after login Hi Leonardo, Note that I'm a beginner, Keycloak-wise. However, as no-one else has responded, let me try. Tokens are valid in a limited time-span. The message "token is not active" indicates that your token has expired, or is not yet valid. We had another user earlier that had a somewhat similar problem. The cause of that problem was an incorrect timezone setting on one of his servers. Perhaps that's something that you could check? - Guus On 28 March 2016 at 19:36, LEONARDO NUNES > wrote: I have Keycloak 1.9.1 installed on a testing server and on our production server. Both servers have the same operating system, java version and most of the configurations. Keycloak at both servers also has the same configurations. There's an application running on a Tomcat at my local machine that connects to the keycloak server. When I connect my local application to the keycloak at the testing server everything works fine. 
When I connect to the keycloak at the production server we are having the following problem:
- I open my local application and navigate to a restricted URL
- Keycloak login screen opens
- I enter the username and password and click Log in
The following error is returned to the browser:
HTTP Status 403 - type Status report message description Access to the specified resource has been forbidden. Apache Tomcat/7.0.67
The following error shows at my Tomcat log:
mar 28, 2016 11:26:15 AM org.keycloak.adapters.OAuthRequestAuthenticator resolveCode ERROR: failed verification of token: Token is not active.
If I navigate to Sessions at the Keycloak admin console, there's an active session. If I click Logout all the following error is shown: Error! Failed to logout users under: http://10.10.3.191:8088/accounts-teste. Verify availability of failed hosts and try again -- Leonardo ________________________________ This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
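Guus's diagnosis in this thread (a token rejected because its time window does not line up with the verifying host's clock) can be confirmed from the token itself. The script below is an added example, not Keycloak or adapter code: it applies the usual JWT time-window check (exp must be in the future, nbf must not be in the future, which is what a "not active" verdict amounts to) and uses iat, which is stamped with the issuer's clock, to estimate how far the issuing server and the verifying host disagree. The sample tokens, the HS256 secret used to build them, the `diagnose` helper and the 300-second drift threshold are all constructed for this example; a real Keycloak token is RSA-signed by the realm key and must be signature-checked before any of its claims is trusted.

```python
"""Reproduce an adapter's "Token is not active" decision from a token's time
claims and estimate the issuer's clock offset.

Added example: this is not Keycloak or adapter code. The check below is the
usual JWT time window (exp in the future, nbf not in the future); the 300 s
threshold for flagging clock drift is an arbitrary choice for this script.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the sample tokens built by make_sample_token();
# real tokens carry the realm's RSA signature and must be verified before use.
SAMPLE_SECRET = b"constructed-example-secret"
DRIFT_THRESHOLD_S = 300  # assumption: flag issuer clocks more than 5 min off


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims: dict) -> str:
    """Build an HS256 compact JWS; only used to construct sample input offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SAMPLE_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT verifying the signature.
    Good enough to read timestamps out of a log; never use it for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_unb64url(parts[1]))


def is_active(claims: dict, now: int, skew: int = 0) -> bool:
    """Time-window check: inactive if exp is in the past or nbf in the future.
    A missing or zero claim means 'no limit'; `skew` is a tolerance in seconds
    applied in the token's favour (0 reproduces a strict verifier)."""
    exp = int(claims.get("exp", 0))
    nbf = int(claims.get("nbf", 0))
    not_expired = exp == 0 or now < exp + skew
    already_valid = nbf == 0 or now + skew >= nbf
    return not_expired and already_valid


def diagnose(token: str, now: Optional[int] = None, skew: int = 0) -> dict:
    """Say whether the token is active, why not, and how far the issuer's
    clock appears to be from ours (iat is stamped with the issuer's clock)."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    exp, nbf, iat = (int(claims.get(k, 0)) for k in ("exp", "nbf", "iat"))
    report = {"active": is_active(claims, now, skew), "reasons": []}
    if iat:
        # Positive: issuer ahead of us; negative: issuer behind (network delay ignored).
        report["issuer_offset_s"] = iat - now
    if not report["active"]:
        if exp and now >= exp + skew:
            report["reasons"].append(f"expired {now - exp}s ago")
        if nbf and now + skew < nbf:
            report["reasons"].append(f"not valid for another {nbf - now}s")
        offset = report.get("issuer_offset_s", 0)
        if abs(offset) >= DRIFT_THRESHOLD_S:
            direction = "ahead of" if offset > 0 else "behind"
            report["reasons"].append(
                f"issuer clock appears {abs(offset)}s {direction} this host: "
                "check time and timezone on both machines")
    return report


if __name__ == "__main__":
    now = int(time.time())
    # Constructed: a 5-minute token minted by a server whose clock is 3 h behind.
    drifted = make_sample_token({"iat": now - 3 * 3600, "exp": now - 3 * 3600 + 300})
    print(json.dumps(diagnose(drifted, now=now), indent=2))
```

Run it against a token copied from the adapter's debug log and look at `issuer_offset_s`: a value of roughly a whole number of hours is the signature of a timezone mistake rather than ordinary NTP drift. Note that epoch timestamps themselves carry no timezone; a wrong zone only corrupts them when the clock was set from local wall-clock time, so the quick check is to compare `date -u` on the Keycloak host and on the host running the adapter.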
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160329/175cedab/attachment.html From sthorger at redhat.com Tue Mar 29 14:11:16 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 29 Mar 2016 19:11:16 +0100 Subject: [keycloak-user] keycloak configuration In-Reply-To: References: <56F3EABF.7040809@redhat.com> <09354F97-5587-485A-B33E-6999CA9B8555@expedia.com> <56F41A2B.7050703@redhat.com> Message-ID: Nothing wrong with your tone, just not very helpful. I don't see anything wrong with our tone either, we just asked you to provide some more details about what your issue was. On 25 March 2016 at 23:25, Pavlos Kleanthous wrote: > It's good to hear that you guys are trying to write better documentation. > > First of all I didn't have any knowledge about SSO. Chapter 2 is a good > start, although it needs to elaborate further. > Some demo videos that you have are also a good start (as mentioned are > outdated.) > The documentation should include all those steps to create and configure a > Realm as you can see in the video. > > It's good that you have containers and we can start a keycloak service > very easily. > > p.s. I have a lot of respect for ALL OSS communities and I didn't want to > offend you. If I did that please accept my apologies. Although I believe > my mails were very polite, I don't get the tone of your responses guys... > > On Thu, Mar 24, 2016 at 4:47 PM, Bill Burke wrote: > >> Contributions are always welcome! >> >> >> On 3/24/2016 10:31 AM, Jason Axley wrote: >> >> +1 on the API documentation. I'd prefer a Swagger interface with >> collapsible sections and the ability to execute the API in the browser for >> testing. Additionally, you can now integrate with Postman by importing >> everything as a Postman collection via a Run in Postman button; that would also >> be very useful. You can just import the Swagger or RAML file to create the >> Postman collection. 
>> >> -Jason >> >> From: < >> keycloak-user-bounces at lists.jboss.org> on behalf of Guus der Kinderen < >> guus.der.kinderen at gmail.com> >> Date: Thursday, March 24, 2016 at 6:54 AM >> To: Bill Burke < bburke at redhat.com> >> Cc: " keycloak-user at lists.jboss.org" < >> keycloak-user at lists.jboss.org> >> Subject: Re: [keycloak-user] keycloak configuration >> >> I signed up to the mailing list at a time that this thread was already >> underway. I didn't read back to find out what the original question was, >> and given the tone of the responses I am not going to either, but, as for >> the call for specific improvements: I've got two: >> >> - It would be helpful if the section on JAAS integration would >> contain a very short example of a configuration file, and a java snippet >> that shows how to instantiate a LoginContext based on that. I was >> unfamiliar with JAAS and was struggling to put one and one together. I >> think the above could be done in ten lines or so, so it's relatively small, >> but would be a good illustrative example for the likes of me. >> - The REST endpoint documentation lacks structure (grouping), which >> makes it hard to navigate. Improving on that would be as simple as grouping >> each piece of documentation by its resource path. >> >> $0.02 >> >> - Guus >> >> On 24 March 2016 at 14:25, Bill Burke wrote: >> >>> Documentation hasn't received any love for more than a year. >>> Screencasts are even more out of date. The good news is that the Red Hat >>> documentation team and I are scheduled to focus on docs and >>> screencasts the month of April. Up until a few months ago, we were just an >>> open source community. Now that the Red Hat machine is getting behind us, >>> areas like documentation should start to be improved. >>> >>> BTW, if you want help, we need more than just "it doesn't work, your >>> documentation sucks". Walking us through the problem helps us improve >>> error messages, general usability, and documentation. 
Threatening us >>> doesn't really help as you are just as likely to get ignored. >>> >>> On 3/24/2016 4:56 AM, Stian Thorgersen wrote: >>> >>> Firstly, that's not FreeIPA (community project) documentation, but Red >>> Hat Identity Management documentation (product). The FreeIPA documentation >>> is https://www.freeipa.org/page/Documentation. >>> >>> Secondly, just stating that our documentation is bad and pointing to >>> some better documentation doesn't give us anything to go on. We would like >>> to give a good experience and I would be very interested in knowing exactly >>> what documentation you are lacking, hard to understand or whatever other >>> issues you may have with the documentation. Help us to help you ;) >>> >>> Finally we know the documentation is not as good as it could be and are >>> planning to improve it in the not too distant future. So input from users >>> would be valuable. >>> >>> On 23 March 2016 at 11:32, Pavlos Kleanthous < >>> parsectix at gmail.com> wrote: >>> >>>> Just compare the documentation from another redhat product FreeIPA >>>> >>>> >>>> I have read this documentation and set up/configured the IPA server very easily. >>>> >>>> Keycloak's current documentation looks more like a developer's manual >>>> to me. >>>> >>>> >>>> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen >>>> wrote: >>>> >>>>> Could you elaborate on what is missing from the documentation? That >>>>> would be helpful. >>>>> On 22 Mar 2016 12:05, "Pavlos Kleanthous" < >>>>> parsectix at gmail.com> wrote: >>>>> >>>>>> Dear all, >>>>>> >>>>>> I dropped the project at the moment. The lack of documentation is too >>>>>> time consuming. >>>>>> >>>>>> Hope that soon keycloak will have it. >>>>>> >>>>>> >>>>>> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen < >>>>>> sthorger at redhat.com> wrote: >>>>>> >>>>>>> What adapter? Are the server and client adapter both 1.9.1? We did >>>>>>> recently deprecate some OIDC endpoints. 
I think ../login is gone and it >>>>>>> should be ../auth. So if you are using an old adapter that may be the issue. >>>>>>> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" < >>>>>>> parsectix at gmail.com> wrote: >>>>>>> >>>>>>>> Yours. >>>>>>>> >>>>>>>> I configured the realm with the same settings on both versions >>>>>>>> 1.9.1 and 1.8.1. >>>>>>>> >>>>>>>> >>>>>>>> On Fri, Mar 18, 2016 at 11:58 AM, Stian Thorgersen < >>>>>>>> sthorger at redhat.com> wrote: >>>>>>>> >>>>>>>>> Client ID has nothing to do with this issue as it would show a >>>>>>>>> login error page, not a not found. So must be either realm name or another >>>>>>>>> part of URL is wrong. >>>>>>>>> >>>>>>>>> Are you using our adapters or another library atm? >>>>>>>>> >>>>>>>>> I'm answering on my phone on the plane so can't look into it more >>>>>>>>> atm. >>>>>>>>> On 17 Mar 2016 10:00, "Pavlos Kleanthous" < >>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> In jenkins, I'm pasting the JSON configuration that can be found >>>>>>>>>> inside the "Installation" tab. >>>>>>>>>> >>>>>>>>>> Instead of using keycloak client plugins, can I use a generic >>>>>>>>>> oauth plugin in my apps? How can I configure my keycloak for this? >>>>>>>>>> i.e. Instead of using google's oauth URL use my own pointing to >>>>>>>>>> keycloak. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Wed, Mar 16, 2016 at 1:29 PM, Marko Strukelj < >>>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>>> >>>>>>>>>>> In your jenkins realm - under Clients do you have a client >>>>>>>>>>> called 'ci'? That's the client_id used in your request. >>>>>>>>>>> >>>>>>>>>>> AFAIK nothing changed in this part of the code since 1.8.1. >>>>>>>>>>> On Mar 16, 2016 12:04 PM, "Pavlos Kleanthous" < >>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> yes I can. >>>>>>>>>>>> >>>>>>>>>>>> Please note that this is a problem of version 1.9.1. >>>>>>>>>>>> I have tried now version 1.8.1 and it redirects me to keycloak. 
>>>>>>>>>>>> >>>>>>>>>>>> p.s. I'm using the official containers from docker hub. >>>>>>>>>>>> >>>>>>>>>>>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj < >>>>>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Are you able to login into admin console at: >>>>>>>>>>>>> >>>>>>>>>>>>> http://192.168.99.100:32786/auth >>>>>>>>>>>>> >>>>>>>>>>>>> And you see the realm called 'jenkins' there? >>>>>>>>>>>>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous" < >>>>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Hi guys adding to this. Please see the HTTP requests and >>>>>>>>>>>>>> responses. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1. Request URL: >>>>>>>>>>>>>> >>>>>>>>>>>>>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>>>>>>>>>>>>> 2. Request Method: >>>>>>>>>>>>>> GET >>>>>>>>>>>>>> 3. Status Code: >>>>>>>>>>>>>> 302 Found >>>>>>>>>>>>>> 4. Remote Address: >>>>>>>>>>>>>> 192.168.99.100:32769 >>>>>>>>>>>>>> 1. Response Headersview source >>>>>>>>>>>>>> 1. Content-Length: >>>>>>>>>>>>>> 0 >>>>>>>>>>>>>> 2. Location: >>>>>>>>>>>>>> >>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>>>>>>> 3. Server: >>>>>>>>>>>>>> Jetty(winstone-2.9) >>>>>>>>>>>>>> 4. X-Content-Type-Options: >>>>>>>>>>>>>> nosniff >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1. Request URL: >>>>>>>>>>>>>> >>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>>>>>>>>>>>>> 2. Request Method: >>>>>>>>>>>>>> GET >>>>>>>>>>>>>> 3. Status Code: >>>>>>>>>>>>>> *404 Not Found* >>>>>>>>>>>>>> 4. Remote Address: >>>>>>>>>>>>>> 192.168.99.100:32786 >>>>>>>>>>>>>> 1. 
Response Headersview source >>>>>>>>>>>>>> 1. Connection: >>>>>>>>>>>>>> keep-alive >>>>>>>>>>>>>> 2. Content-Length: >>>>>>>>>>>>>> 0 >>>>>>>>>>>>>> 3. Date: >>>>>>>>>>>>>> Wed, 16 Mar 2016 10:30:40 GMT >>>>>>>>>>>>>> 4. Server: >>>>>>>>>>>>>> WildFly/10 >>>>>>>>>>>>>> 5. X-Powered-By: >>>>>>>>>>>>>> Undertow/1 >>>>>>>>>>>>>> 2. Request Headersview source >>>>>>>>>>>>>> 1. Accept: >>>>>>>>>>>>>> >>>>>>>>>>>>>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>>>>>>>>>>>>> 2. Accept-Encoding: >>>>>>>>>>>>>> gzip, deflate, sdch >>>>>>>>>>>>>> 3. Accept-Language: >>>>>>>>>>>>>> en-US,en;q=0.8,el;q=0.6 >>>>>>>>>>>>>> 4. Connection: >>>>>>>>>>>>>> keep-alive >>>>>>>>>>>>>> 5. Cookie: >>>>>>>>>>>>>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>>>>>>>>>>>>> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.[...].QAucuHQLj_-5s3dgnFaxDeni! >>>>>>>>>>>>>> gQ9FnaP6 DEyOvd8v2Yo; >>>>>>>>>>>>>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >>>>>>>>>>>>>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>>>>>>>>>>>>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; screenResolution=1920x1080 >>>>>>>>>>>>>> 6. DNT: >>>>>>>>>>>>>> 1 >>>>>>>>>>>>>> 7. 
Host: >>>>>>>>>>>>>> 192.168.99.100:32786 >>>>>>>>>>>>>> 8. Referer: >>>>>>>>>>>>>> http://192.168.99.100:32769/ >>>>>>>>>>>>>> 9. Save-Data: >>>>>>>>>>>>>> on >>>>>>>>>>>>>> 10. Upgrade-Insecure-Requests: >>>>>>>>>>>>>> 1 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous < >>>>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks for pointing this out. I think it does not matter as >>>>>>>>>>>>>> the same name can be found in the "Installation" tab where >>>>>>>>>>>>>> I copied the configuration. >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj < >>>>>>>>>>>>>> mstrukel at redhat.com> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Looks like you mistyped your client id: 'jenknis'. >>>>>>>>>>>>>>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous" < >>>>>>>>>>>>>>> parsectix at gmail.com> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I'm trying to configure keycloak for the first time. My setup >>>>>>>>>>>>>>>> has 2 containers, keycloak and jenkins. >>>>>>>>>>>>>>>> Following the example how to integrate those two, I created >>>>>>>>>>>>>>>> a realm and a client called "jenkins". >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> It seems that the realm configuration is not correct as I >>>>>>>>>>>>>>>> get the following debug error. 
>>>>>>>>>>>>>>>> "15:47:55,791 ERROR >>>>>>>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010: >>>>>>>>>>>>>>>> Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not >>>>>>>>>>>>>>>> find resource for full path: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261 >>>>>>>>>>>>>>>> " >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I noticed that " >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>>>>>>>>>>>>>>> does not work generally. The URL ending with "/auth/realms/ci/account" it >>>>>>>>>>>>>>>> works. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> if I access the URL: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> http://192.168.99.100:32786/auth/realms/ci >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.1! >>>>>>>>>>>>>>>> 00:32786 >>>>>>>>>>>>>>>> /auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Can you help how to find the problem ? >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> p.s. is there any other way to find help on those matters? >>>>>>>>>>>>>>>> Tried IRC but nobody is replying there... 
>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thank you >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>>>> >>>> >> >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hathttp://bill.burkecentral.com >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hathttp://bill.burkecentral.com >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160329/9bf31695/attachment-0001.html From hr.stoyanov at peruncs.com Tue Mar 29 14:43:26 2016 From: hr.stoyanov at peruncs.com (Hristo Stoyanov) Date: Tue, 29 Mar 2016 18:43:26 +0000 Subject: [keycloak-user] How to obtain KeycloakDeployment instance in wf10? 
Message-ID:

Hi,
I configure KC via my WF10 standalone.xml file rather than changing my war package. How do I obtain KeycloakDeployment instance in my app, so I can place rest calls as my service account, using the secret and app id?
Any code sample is appreciated!

/Hristo Stoyanov
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160329/47fdbf9c/attachment.html

From thomas.darimont at googlemail.com Tue Mar 29 15:19:59 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 29 Mar 2016 21:19:59 +0200
Subject: [keycloak-user] How to obtain KeycloakDeployment instance in wf10?
In-Reply-To: References: Message-ID:

Hello Hristo,

you should be able to access a KeycloakSecurityContext from the (Servlet)HttpRequest:

KeycloakSecurityContext securityContext = (KeycloakSecurityContext) httpRequest.getAttribute(KeycloakSecurityContext.class.getName());

KeycloakSecurityContext gives you access to the IDToken as well as the AccessToken. You should also be able to cast securityContext to RefreshableKeycloakSecurityContext. This gives you access to the KeycloakDeployment configuration.

org.keycloak.adapters.RefreshableKeycloakSecurityContext#getDeployment

See: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/database-service/src/main/java/org/keycloak/example/oauth/CustomerService.java#L48

Cheers,
Thomas

2016-03-29 20:43 GMT+02:00 Hristo Stoyanov :
> Hi,
> I configure KC via my WF10 standalone.xml
> file rather than changing my war package. How do I obtain
> KeycloakDeployment instance in my app, so I can place rest calls as my
> service account, using the secret and app id?
> Any code sample is appreciated!
>
> /Hristo Stoyanov
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160329/81d5e945/attachment.html

From akaya at expedia.com Wed Mar 30 02:38:37 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Wed, 30 Mar 2016 06:38:37 +0000
Subject: [keycloak-user] Keycloak Clustering, other instance logs me out
Message-ID:

I have tried using standalone-ha.xml with shared database. I thought that would be enough but it seems like it's not.

The problem is:

I log into kc1 instance, and subsequent requests are authenticated.
Then I try viewing host:8080/auth/realms/master/account, which is also authenticated.

Then I try to view this on kc1 by changing port like:
host:8081/auth/realms/master/account

At this point I expect to see the same page. However I get prompted for login for both kc1 and kc2. I see no logs at this point.

So now I have switched to using keycloak-ha-postgres because it seemed to me that it comes clustering enabled out of box. So I nearly did exactly what this page:
https://hub.docker.com/r/jboss/keycloak-ha-postgres/builds/benk6w5cgdmrqonrxvu3bfu/
told me to do. The only difference that I have done is adding ports (with -p 8080:8080 to one instance and -p 8081:8080 to the other one) and adding a new user.

Once I start, I get this log:

05:28:49,888 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel keycloak
05:28:49,893 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel server
05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel keycloak: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,907 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel keycloak local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel server: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,914 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel server local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,925 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-2) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
05:28:49,926 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-1) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
05:28:49,978 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel web
05:28:49,982 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel web: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,984 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel web local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,985 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel hibernate
05:28:49,986 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel hibernate: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,987 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel hibernate local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:50,028 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
05:28:50,030 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:50,031 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:50,357 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started realmVersions cache from keycloak container
05:28:50,391 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0002: Started offlineSessions cache from keycloak container
05:28:50,397 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started loginFailures cache from keycloak container
05:28:50,396 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started sessions cache from keycloak container
05:28:50,392 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0002: Started realms cache from keycloak container
05:28:50,399 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started users cache from keycloak container
05:28:50,402 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started work cache from keycloak container

However I still have the same issue as above (I get logged out). Also I don't get any new logs for the entire log-in, log-out processes.

Am I doing something wrong?

Thanks,
Sarp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160330/2d9dbcb9/attachment.html

From mposolda at redhat.com Wed Mar 30 06:52:29 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 30 Mar 2016 12:52:29 +0200
Subject: [keycloak-user] Keycloak Clustering, other instance logs me out
In-Reply-To: References: Message-ID: <56FBAFED.8050701@redhat.com>

When you start the second instance, are you seeing something like this in the log of both servers?

INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]

If not, then clustering doesn't work properly and the servers don't form a cluster with each other. From the log you sent, there is just startup of one server, which indicates that clustering may not work. Maybe multicast doesn't work in your network. Either disable firewall/selinux/whatever to have multicast working or switch to TCP JGroups channel instead of UDP. See the Wildfly and JGroups documentation for more details.

Also I personally use the virtual hosts to test clustering of 2 servers on the same machine (i.e. have virtual servers like kc1:8080 and kc2:8080). Using the same host but differing just in port number (host:8080 and host:8081) may cause a mess with cookies, so I am personally not using a setup like this.

Marek

On 30/03/16 08:38, Sarp Kaya wrote:
> I have tried using standalone-ha.xml with shared database. I thought
> that would be enough but it seems like it's not.
The problem is > > I log into kc1 instance, and subsequent requests are authenticated. > Then I try viewing > host:8080/auth/realms/master/account > Which is also authenticated. > > Then I try to view this on kc1 by changing port like: > host:8081/auth/realms/master/account > > At this point I expect to see same page. However I get prompted for > login for both kc1 and kc2. I see no logs at this point. > > So now I have switched to using keycloak-ha-postgres because it seemed > to me that it comes clustering enabled out of box. So I nearly did > exactly what this page: > https://hub.docker.com/r/jboss/keycloak-ha-postgres/builds/benk6w5cgdmrqonrxvu3bfu/ > told me to so. The only difference that I have done is adding ports > (with ?p 8080:8080 to one instance and ?p 8081:8080 to the another > one) and adding a new user. > > Once I start the I get this log: > > 05:28:49,888 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-1) ISPN000078: Starting JGroups channel keycloak > > 05:28:49,893 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-2) ISPN000078: Starting JGroups channel server > > 05:28:49,902 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-1) ISPN000094: Received new cluster view for channel > keycloak: [a05014a5dc24|0] (1) [a05014a5dc24] > > 05:28:49,907 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-1) ISPN000079: Channel keycloak local address is > a05014a5dc24, physical addresses are [127.0.0.1:55200] > > 05:28:49,902 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-2) ISPN000094: Received new cluster view for channel > server: [a05014a5dc24|0] (1) [a05014a5dc24] > > 05:28:49,914 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-2) ISPN000079: Channel server local address is > a05014a5dc24, physical 
addresses are [127.0.0.1:55200] > > 05:28:49,925 INFO [org.infinispan.factories.GlobalComponentRegistry] > (MSC service thread 1-2) ISPN000128: Infinispan version: Infinispan > 'Mahou' 8.1.0.Final > > 05:28:49,926 INFO [org.infinispan.factories.GlobalComponentRegistry] > (MSC service thread 1-1) ISPN000128: Infinispan version: Infinispan > 'Mahou' 8.1.0.Final > > 05:28:49,978 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-2) ISPN000078: Starting JGroups channel web > > 05:28:49,982 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-2) ISPN000094: Received new cluster view for channel > web: [a05014a5dc24|0] (1) [a05014a5dc24] > > 05:28:49,984 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-2) ISPN000079: Channel web local address is > a05014a5dc24, physical addresses are [127.0.0.1:55200] > > 05:28:49,985 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-1) ISPN000078: Starting JGroups channel hibernate > > 05:28:49,986 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-1) ISPN000094: Received new cluster view for channel > hibernate: [a05014a5dc24|0] (1) [a05014a5dc24] > > 05:28:49,987 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-1) ISPN000079: Channel hibernate local address is > a05014a5dc24, physical addresses are [127.0.0.1:55200] > > 05:28:50,028 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-1) ISPN000078: Starting JGroups channel ejb > > 05:28:50,030 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-1) ISPN000094: Received new cluster view for channel > ejb: [a05014a5dc24|0] (1) [a05014a5dc24] > > 05:28:50,031 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC > service thread 1-1) ISPN000079: 
Channel ejb local address is > a05014a5dc24, physical addresses are [127.0.0.1:55200] > > 05:28:50,357 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 56) WFLYCLINF0002: Started realmVersions cache from > keycloak container > > 05:28:50,391 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 54) WFLYCLINF0002: Started offlineSessions cache from > keycloak container > > 05:28:50,397 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 55) WFLYCLINF0002: Started loginFailures cache from > keycloak container > > 05:28:50,396 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 52) WFLYCLINF0002: Started sessions cache from keycloak > container > > 05:28:50,392 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 53) WFLYCLINF0002: Started realms cache from keycloak > container > > 05:28:50,399 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 51) WFLYCLINF0002: Started users cache from keycloak > container > > 05:28:50,402 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 50) WFLYCLINF0002: Started work cache from keycloak > container > > > > However I still have the same issue as above (I get logged out). Also > I don?t get any new logs for the entire log-in, log-out processes. > > Am I doing something wrong? > Thanks, > Sarp > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
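Marek's diagnostic above is that a working cluster shows an ISPN000094 view with two members on every JGroups channel, while Sarp's log only ever shows view 0 with a single member. The script below, added here as an example and not code from Marek, Sarp or the Keycloak project, turns that check into something you can run over a server log: it parses every ISPN000094 line, keeps the newest view per channel and reports channels that never reached the expected node count. The sample input is constructed from lines quoted in this thread plus one invented two-node line (the `05:29:12,114` timestamp and the `node1/keycloak` names are assumptions, not from the page); the function and variable names are the example's own.

```python
import re
from typing import Dict, List, NamedTuple

# Matches Infinispan's ISPN000094 "new cluster view" message as printed by
# JGroupsTransport. WildFly 10 (the log posted above) adds "for channel <name>";
# the line Marek quotes has no channel part, so it is optional here.
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view(?: for channel (?P<channel>[^\s:]+))?: "
    r"\[(?P<coordinator>[^|\]]+)\|(?P<view_id>\d+)\] "
    r"\((?P<size>\d+)\) \[(?P<members>[^\]]*)\]"
)


class ClusterView(NamedTuple):
    channel: str        # JGroups channel name, "(default)" when the line has none
    view_id: int        # view number; it increments every time membership changes
    coordinator: str    # node that installed the view
    members: List[str]  # node names currently in the view


def parse_cluster_views(log_text: str) -> List[ClusterView]:
    """Extract every ISPN000094 view announcement from a server log."""
    views: List[ClusterView] = []
    for line in log_text.splitlines():
        m = VIEW_RE.search(line)
        if m is None:
            continue
        members = [x.strip() for x in m.group("members").split(",") if x.strip()]
        views.append(ClusterView(
            channel=m.group("channel") or "(default)",
            view_id=int(m.group("view_id")),
            coordinator=m.group("coordinator"),
            members=members,
        ))
    return views


def latest_views(views: List[ClusterView]) -> Dict[str, ClusterView]:
    """Keep only the newest view per channel (highest view_id wins)."""
    latest: Dict[str, ClusterView] = {}
    for v in views:
        cur = latest.get(v.channel)
        if cur is None or v.view_id >= cur.view_id:
            latest[v.channel] = v
    return latest


def lonely_channels(log_text: str, expected_nodes: int = 2) -> List[str]:
    """Channels whose newest view has fewer members than expected.

    An empty result means every channel has seen the expected number of
    nodes, which is the condition Marek describes for a working cluster.
    """
    return sorted(
        ch for ch, v in latest_views(parse_cluster_views(log_text)).items()
        if len(v.members) < expected_nodes
    )


# Constructed sample: two view lines from the log posted in this thread
# (one node, view 0) plus an unrelated ISPN000079 line that must be ignored.
SINGLE_NODE_LOG = """\
05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel keycloak: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,907 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel keycloak local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,982 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel web: [a05014a5dc24|0] (1) [a05014a5dc24]
"""

# Constructed sample of the healthy case: view 0 with one node, then view 1
# once the second node joins (timestamp and node names are made up).
TWO_NODE_LOG = """\
05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel keycloak: [node1/keycloak|0] (1) [node1/keycloak]
05:29:12,114 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view for channel keycloak: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]
"""

# The exact line Marek quotes, which carries no channel name.
MAREK_LINE = ("INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] "
              "(Incoming-10,shared=udp) ISPN000094: Received new cluster view: "
              "[node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]")

if __name__ == "__main__":
    print("single node, channels without a peer:", lonely_channels(SINGLE_NODE_LOG))
    print("two nodes, channels without a peer:", lonely_channels(TWO_NODE_LOG))
    print("Marek's line parses as:", parse_cluster_views(MAREK_LINE)[0])
```

Run it against `server.log` of each node after the second instance has started; a non-empty list for any channel means the nodes never formed a view together, which points at the multicast or firewall problem Marek mentions rather than at Keycloak itself.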
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160330/1f99d97a/attachment-0001.html From mposolda at redhat.com Wed Mar 30 07:00:16 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 30 Mar 2016 13:00:16 +0200 Subject: [keycloak-user] keycloak configuration In-Reply-To: References: <56F3EABF.7040809@redhat.com> Message-ID: <56FBB1C0.1030502@redhat.com> On 24/03/16 14:54, Guus der Kinderen wrote: > I signed up to the mailinglist at a time that this thread was already > underway. I didn't read back to find out what the original question > was, and given the tone of the responses I am not going to either, > but, as for for the call for specific improvements: I've got two: > > * It would be helpful if the section on JAAS integration would > contain a very short example of a configuration file, and a java > snippet that shows how to instantiate a LoginContext based on > that. I was unfamiliar with JAAS and was struggling to put one and > one together. I think the above could be done in ten lines or so, > so it's relatively small, but would be a good illustrative example > for the likes of me. > We have jira for this one created already https://issues.jboss.org/browse/KEYCLOAK-971 . I hope to do some short example of JAAS soon. Marek > > * The REST endpoint documentation lacks structure (grouping), which > makes it hard to navigate. Improving on that would be a simple as > grouping each piece of documentation by its resource path. > > $0.02 > > - Guus > > On 24 March 2016 at 14:25, Bill Burke > wrote: > > documentation hasn't received any love for more than a year. > Screencasts are even more out of date. The good news is that > myself and the red hat documentation team is scheduled to focus on > docs and screencasts the month of April. Up until a few months > ago, we were just an open source community. Now that the Red Hat > machine is getting behind us, areas like documentation should > start to be improved. 
> > BTW, If you want help, we need more than just "it doesn't work, > your documentation sucks". Walking us through the problem helps > us improve error messages, general usability, and documentation. > Threatening us doesn't really help as you are just as likely to > get ignored. > > On 3/24/2016 4:56 AM, Stian Thorgersen wrote: >> Firstly, that's not FreeIPA (community project) documentation, >> but Red Hat Identity Management documentation (product). The >> FreeIPA documentation is https://www.freeipa.org/page/Documentation. >> >> Secondly, just stating that our documentation is bad and pointing >> to some better documentation doesn't give us anything to go on. >> We would like to give a good experience and I would be very >> interested in knowing exactly what documentation you are lacking, >> hard to understand or whatever other issues you may have with the >> documentation. Help us to help you ;) >> >> Finally we know the documentation is not as good as it could be >> and are planning to improve it in the not to distant future. So >> input from users would be valuable. >> >> On 23 March 2016 at 11:32, Pavlos Kleanthous > > wrote: >> >> Just compare the documentation from another redhat product >> FreeIPA >> >> >> I have read this documentation and setup/configure IPA server >> very easy. >> >> Keycloak's current documentation looks like more as a >> developers manual to me. >> >> >> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen >> > wrote: >> >> Could you elaborate on what is missing from the >> documentation? That would be helpful. >> >> On 22 Mar 2016 12:05, "Pavlos Kleanthous" >> > wrote: >> >> Dear all, >> >> I dropped the project at the moment. The lack of >> documentation is too time consuming. >> >> Hope that soon keycloak will have it. >> >> >> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen >> > wrote: >> >> What adapter? Is the server and client adapter >> both 1.9.1? We did recently deprecate some OIDC >> endpoints. 
I think ../login is gone and it should >> be ../auth. So if you are using an old adapter >> that may be the issue. >> >> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous" >> > > wrote: >> >> Yours. >> >> I configured the realm with the same >> settings on both versions 1.9.1 and 1.8.1. >> >> >> On Fri, Mar 18, 2016 at 11:58 AM, Stian >> Thorgersen > > wrote: >> >> Client ID has nothing to do with this >> issue as it would show an login error >> page not a not found. So must be either >> realm name or another part of URL is wrong. >> >> Are you using our adapters or another >> library atm? >> >> I'm answering on my phone on the plane so >> can't look into it more atm. >> >> On 17 Mar 2016 10:00, "Pavlos Kleanthous" >> > > wrote: >> >> Hi, >> >> In jenkins, I'm pasting the JSON >> configuration that it can found >> inside "Installation" tab. >> >> Instead of using keycloak client >> plugins, can I use a generic oauth >> plugin in my apps? How can I >> configure my keycloak for this? >> i.e. Instead of using google's oauth >> URL use my own pointing to keycloak. >> >> >> On Wed, Mar 16, 2016 at 1:29 PM, >> Marko Strukelj > > wrote: >> >> In your jenkins realm - under >> Clients do you have a client >> called 'ci'? That's the client_id >> used in your request. >> >> AFAIK nothing changed in this >> part of the code since 1.8.1. >> >> On Mar 16, 2016 12:04 PM, "Pavlos >> Kleanthous" > > wrote: >> >> yes I can. >> >> Please note that this is a >> problem of version 1.9.1. >> I have tried now version >> 1.8.1 and it redirect me to >> keycloak. >> >> p.s. I'm using the official >> containers from docker hub. >> >> On Wed, Mar 16, 2016 at 10:56 >> AM, Marko Strukelj >> > > >> wrote: >> >> Are you able to login >> into admin console at: >> http://192.168.99.100:32786/auth >> >> And you see the realm >> called 'jenkins' there? >> >> On Mar 16, 2016 11:32 AM, >> "Pavlos Kleanthous" >> > > >> wrote: >> >> Hi guys adding to >> this. Please see the >> HTTP requests and >> responses. 
>> >> 1. >> Request URL: >> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >> 2. >> Request Method: >> GET >> 3. >> Status Code: >> 302 Found >> 4. >> Remote Address: >> 192.168.99.100:32769 >> >> 1. Response >> Headersview source >> 1. >> Content-Length: >> 0 >> 2. >> Location: >> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >> 3. >> Server: >> Jetty(winstone-2.9) >> 4. >> X-Content-Type-Options: >> nosniff >> >> 1. >> Request URL: >> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >> 2. >> Request Method: >> GET >> 3. >> Status Code: >> *404 Not Found* >> 4. >> Remote Address: >> 192.168.99.100:32786 >> >> 1. Response >> Headersview source >> 1. >> Connection: >> keep-alive >> 2. >> Content-Length: >> 0 >> 3. >> Date: >> Wed, 16 Mar >> 2016 10:30:40 GMT >> 4. >> Server: >> WildFly/10 >> 5. >> X-Powered-By: >> Undertow/1 >> 2. Request >> Headersview source >> 1. >> Accept: >> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >> 2. >> Accept-Encoding: >> gzip, >> deflate, sdch >> 3. >> Accept-Language: >> en-US,en;q=0.8,el;q=0.6 >> 4. >> Connection: >> keep-alive >> 5. >> Cookie: >> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDeni! 
>> gQ9FnaP6 >> DEyOvd8v2Yo; >> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; >> screenResolution=1920x1080 >> 6. >> DNT: >> 1 >> 7. >> Host: >> 192.168.99.100:32786 >> >> 8. >> Referer: >> http://192.168.99.100:32769/ >> 9. >> Save-Data: >> on >> 10. >> Upgrade-Insecure-Requests: >> 1 >> >> >> On Tue, Mar 15, 2016 >> at 4:26 PM, Pavlos >> Kleanthous >> > > >> wrote: >> >> Thanks for >> pointing this >> out. I think it >> does not matter >> as the same name >> can be found in >> "Installation" >> tab where >> I copied the >> configuration. >> >> On Tue, Mar 15, >> 2016 at 4:21 PM, >> Marko Strukelj >> > > >> wrote: >> >> Looks like >> you mistyped >> your client >> id: 'jenknis'. >> >> On Mar 15, >> 2016 5:19 PM, >> "Pavlos >> Kleanthous" >> > > >> wrote: >> >> Hello, >> >> >> I'm >> trying to >> configure >> keycloak >> for first >> time. My >> setup has >> 2 >> containers keycloak >> and jenkins. >> Following >> the >> example >> how to >> integrate >> those >> two, I >> created a >> realm and >> a client >> called >> "jenkins". 
>> >> It seams >> that the >> realm >> configuration >> it's not >> correct >> as I get >> the >> following >> debug error. >> "15:47:55,791 >> ERROR >> [org.jboss.resteasy.resteasy_jaxrs.i18n] >> (default >> task-12) >> RESTEASY002010: >> Failed to >> execute: >> javax.ws.rs.NotFoundException: >> RESTEASY003210: >> Could not >> find >> resource >> for full >> path: >> http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261" >> >> I noticed >> that >> "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >> does not >> work >> generally. The >> URL >> ending >> with >> "/auth/realms/ci/account" >> it works. >> >> if I >> access >> the URL: >> http://192.168.99.100:32786/auth/realms/ci >> >> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >> >> Can you >> help how >> to find >> the problem ? >> >> p.s. is >> there any >> other way >> to find >> help on >> those >> matters? >> Tried IRC >> but >> nobody is >> replying >> there... 
>> >> Thank you >> >> _______________________________________________ >> keycloak-user >> mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160330/117fa518/attachment-0001.html From mposolda at redhat.com Wed Mar 30 07:10:11 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 30 Mar 2016 13:10:11 +0200 Subject: [keycloak-user] keycloak configuration In-Reply-To: References: <56F3EABF.7040809@redhat.com> <09354F97-5587-485A-B33E-6999CA9B8555@expedia.com> <56F41A2B.7050703@redhat.com> Message-ID: <56FBB413.6060904@redhat.com> On 27/03/16 18:09, Chris Hairfield wrote: > I'd like to see the documentation include details on setting up a > JGROUPSPING table for clustering, complete with example configuration. Actually this one is tricky IMO as Keycloak just re-uses the clustering layer provided by underlying Wildfly, which itself reuses JGroups at lower level. 
Setup of JGroups stack is dependent on environment (multicast available or not, firewalls enabled or not etc), so people should look at Wildfly and JGroups documentation for details about this. Describing details about concrete JGroups protocol JGROUPSPING is out-of-scope for Keycloak docs IMO. But maybe we should more clearly reference Wildfly/JGroups clustering documentation from our documentation and mention where can be JGroups stack configured... Marek > > Great to hear documentation love is slated soon! > > On Fri, Mar 25, 2016 at 5:26 PM Pavlos Kleanthous > wrote: > > It's good to hear that you are trying guys to write better > documentation. > > First of all I didn't have any knowledge about SSO. Chapter 2 it's > a good start, although it needs to elaborate further. > Some demo videos that you have are also a good start (as mentioned > are outdated.) > The documentation should include all those steps to create an > configure a Realm as you can see in the video. > > It's good that you have containers and we can start a keycloak > service very easy. > > p.s. I have a lot of respect for ALL OSS communities and I didn't > want to offend you. if I done that please accept my apologies. > Although I believe my mails were very polite, I don't get the tone > or your responses guys... > > On Thu, Mar 24, 2016 at 4:47 PM, Bill Burke > wrote: > > Contributions are always welcome! > > > On 3/24/2016 10:31 AM, Jason Axley wrote: >> +1 on the API documentation. I?d prefer a Swagger interface >> with collapsable sections and the ability to execute the API >> in the browser for testing. Additionally, you can now >> integrate with Postman by importing everything as a Postman >> collection via a Run in Postman button ? would also be very >> useful. You can just import the Swagger or RAML file to >> create the Postman collection. 
>> >> -Jason >> >> From: > > on behalf of >> Guus der Kinderen > > >> Date: Thursday, March 24, 2016 at 6:54 AM >> To: Bill Burke > >> Cc: "keycloak-user at lists.jboss.org >> " >> > > >> Subject: Re: [keycloak-user] keycloak configuration >> >> I signed up to the mailinglist at a time that this thread was >> already underway. I didn't read back to find out what the >> original question was, and given the tone of the responses I >> am not going to either, but, as for for the call for specific >> improvements: I've got two: >> >> * It would be helpful if the section on JAAS integration >> would contain a very short example of a configuration >> file, and a java snippet that shows how to instantiate a >> LoginContext based on that. I was unfamiliar with JAAS >> and was struggling to put one and one together. I think >> the above could be done in ten lines or so, so it's >> relatively small, but would be a good illustrative >> example for the likes of me. >> * The REST endpoint documentation lacks structure >> (grouping), which makes it hard to navigate. Improving on >> that would be a simple as grouping each piece of >> documentation by its resource path. >> >> $0.02 >> >> - Guus >> >> On 24 March 2016 at 14:25, Bill Burke > > wrote: >> >> documentation hasn't received any love for more than a >> year. Screencasts are even more out of date. The good >> news is that myself and the red hat documentation team is >> scheduled to focus on docs and screencasts the month of >> April. Up until a few months ago, we were just an open >> source community. Now that the Red Hat machine is >> getting behind us, areas like documentation should start >> to be improved. >> >> BTW, If you want help, we need more than just "it doesn't >> work, your documentation sucks". Walking us through the >> problem helps us improve error messages, general >> usability, and documentation. Threatening us doesn't >> really help as you are just as likely to get ignored. 
>> >> On 3/24/2016 4:56 AM, Stian Thorgersen wrote: >>> Firstly, that's not FreeIPA (community project) >>> documentation, but Red Hat Identity Management >>> documentation (product). The FreeIPA documentation is >>> https://www.freeipa.org/page/Documentation. >>> >>> Secondly, just stating that our documentation is bad and >>> pointing to some better documentation doesn't give us >>> anything to go on. We would like to give a good >>> experience and I would be very interested in knowing >>> exactly what documentation you are lacking, hard to >>> understand or whatever other issues you may have with >>> the documentation. Help us to help you ;) >>> >>> Finally we know the documentation is not as good as it >>> could be and are planning to improve it in the not to >>> distant future. So input from users would be valuable. >>> >>> On 23 March 2016 at 11:32, Pavlos Kleanthous >>> > wrote: >>> >>> Just compare the documentation from another redhat >>> product FreeIPA >>> >>> >>> I have read this documentation and setup/configure >>> IPA server very easy. >>> >>> Keycloak's current documentation looks like more as >>> a developers manual to me. >>> >>> >>> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen >>> > >>> wrote: >>> >>> Could you elaborate on what is missing from the >>> documentation? That would be helpful. >>> >>> On 22 Mar 2016 12:05, "Pavlos Kleanthous" >>> >> > wrote: >>> >>> Dear all, >>> >>> I dropped the project at the moment. The >>> lack of documentation is too time consuming. >>> >>> Hope that soon keycloak will have it. >>> >>> >>> On Fri, Mar 18, 2016 at 1:52 PM, Stian >>> Thorgersen >> > wrote: >>> >>> What adapter? Is the server and client >>> adapter both 1.9.1? We did recently >>> deprecate some OIDC endpoints. I think >>> ../login is gone and it should be >>> ../auth. So if you are using an old >>> adapter that may be the issue. >>> >>> On 18 Mar 2016 2:20 p.m., "Pavlos >>> Kleanthous" >> > wrote: >>> >>> Yours. 
>>> >>> I configured the realm with the >>> same settings on both versions 1.9.1 >>> and 1.8.1. >>> >>> >>> On Fri, Mar 18, 2016 at 11:58 AM, >>> Stian Thorgersen >>> >> > wrote: >>> >>> Client ID has nothing to do with >>> this issue as it would show an >>> login error page not a not >>> found. So must be either realm >>> name or another part of URL is >>> wrong. >>> >>> Are you using our adapters or >>> another library atm? >>> >>> I'm answering on my phone on the >>> plane so can't look into it more >>> atm. >>> >>> On 17 Mar 2016 10:00, "Pavlos >>> Kleanthous" >> > wrote: >>> >>> Hi, >>> >>> In jenkins, I'm pasting the >>> JSON configuration that it >>> can found inside >>> "Installation" tab. >>> >>> Instead of using keycloak >>> client plugins, can I use a >>> generic oauth plugin in my >>> apps? How can I configure my >>> keycloak for this? >>> i.e. Instead of using >>> google's oauth URL use my >>> own pointing to keycloak. >>> >>> >>> On Wed, Mar 16, 2016 at 1:29 >>> PM, Marko Strukelj >>> >> > wrote: >>> >>> In your jenkins realm - >>> under Clients do you >>> have a client called >>> 'ci'? That's the >>> client_id used in your >>> request. >>> >>> AFAIK nothing changed in >>> this part of the code >>> since 1.8.1. >>> >>> On Mar 16, 2016 12:04 >>> PM, "Pavlos Kleanthous" >>> >> > >>> wrote: >>> >>> yes I can. >>> >>> Please note that >>> this is a problem of >>> version 1.9.1. >>> I have tried now >>> version 1.8.1 and it >>> redirect me to keycloak. >>> >>> p.s. I'm using the >>> official containers >>> from docker hub. >>> >>> On Wed, Mar 16, 2016 >>> at 10:56 AM, Marko >>> Strukelj >>> >> > >>> wrote: >>> >>> Are you able to >>> login into admin >>> console at: >>> http://192.168.99.100:32786/auth >>> >>> And you see the >>> realm called >>> 'jenkins' there? >>> >>> On Mar 16, 2016 >>> 11:32 AM, >>> "Pavlos >>> Kleanthous" >>> >> > >>> wrote: >>> >>> Hi guys >>> adding to >>> this. Please >>> see the HTTP >>> requests and >>> responses. >>> >>> 1. 
>>> Request >>> URL: >>> http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F >>> 2. >>> Request >>> Method: >>> GET >>> 3. >>> Status >>> Code: >>> 302 >>> Found >>> 4. >>> Remote >>> Address: >>> 192.168.99.100:32769 >>> >>> 1. Response >>> Headersview >>> source >>> 1. >>> Content-Length: >>> 0 >>> 2. >>> Location: >>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>> 3. >>> Server: >>> Jetty(winstone-2.9) >>> 4. >>> X-Content-Type-Options: >>> nosniff >>> >>> 1. >>> Request >>> URL: >>> http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184 >>> 2. >>> Request >>> Method: >>> GET >>> 3. >>> Status >>> Code: >>> *404 >>> Not >>> Found* >>> 4. >>> Remote >>> Address: >>> 192.168.99.100:32786 >>> >>> 1. Response >>> Headersview >>> source >>> 1. >>> Connection: >>> keep-alive >>> 2. >>> Content-Length: >>> 0 >>> 3. >>> Date: >>> Wed, >>> 16 >>> Mar >>> 2016 >>> 10:30:40 >>> GMT >>> 4. >>> Server: >>> WildFly/10 >>> 5. >>> X-Powered-By: >>> Undertow/1 >>> 2. Request >>> Headersview >>> source >>> 1. >>> Accept: >>> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 >>> 2. >>> Accept-Encoding: >>> gzip, deflate, >>> sdch >>> 3. >>> Accept-Language: >>> en-US,en;q=0.8,el;q=0.6 >>> 4. >>> Connection: >>> keep-alive >>> 5. >>> Cookie: >>> KEYCLOAK_STATE_CHECKER=VJrM9jv37wPkh_NmI101cofXzDzfVqK-MNEmt9V5Hic; >>> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.QAucuHQLj_-5s3dgnFaxDeni! 
>>> gQ9FnaP6 >>> DEyOvd8v2Yo; >>> KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmYjc3NDc0NS1jNDA4LTQ5ODctYjE2My03NWFiNTc1YmYzYTMiLCJleHAiOjE0NTgxNTczNDcsIm5iZiI6MCwiaWF0IjoxNDU4MTIxMzQ3LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6MzI3ODYvYXV0aC9yZWFsbXMvamVua2lucyIsInN1YiI6ImM1ZWU4OGQ2LTE1Y2MtNDMwOS1hMjdjLTBmYjAwMmI2NDA2YiIsInNlc3Npb25fc3RhdGUiOiJkMDkxYzNkMi04YzQ0LTQyMTEtYWEyNi1lM2Y3ZmRhY2I1YWUiLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.a2A3wZ6-VSAErHebIuV1maEEHYknzB7eiiogT03Ab6t_d95bj8FDNl5YrDrS6hoJqgJXQrGYdp5xurb8zcEQIUCnwxFs1Kh62UtMytYyyaDyJEfQeJf8o2QSZdyAs_OZHDtPeY8qVbVvJkttQ_umsiQMPUmi9ADKeLE-nqq5T9fuo29WMEf9SFiEwJJE4ya3-Ut8NPa5iG-TbxSmDrDRGJXNrCuN2stOuYNHXwWRVd7DckZS0ZOB-ReQQM9NBMw-gDjaEv_0_2oG-whv1dQKpGlrQObNL9sNqvV_PgIEUgRGB6sn2U1zFnwao-bwxYIYXbXqiIaiLC9ObnqYCuYVtg; >>> KEYCLOAK_SESSION=jenkins/c5ee88d6-15cc-4309-a27c-0fb002b6406b/d091c3d2-8c44-4211-aa26-e3f7fdacb5ae; >>> JSESSIONID.96a98541=1a8t1iio7w9ol14h8gslmkjvr4; >>> screenResolution=1920x1080 >>> 6. >>> DNT: >>> 1 >>> 7. >>> Host: >>> 192.168.99.100:32786 >>> >>> 8. >>> Referer: >>> http://192.168.99.100:32769/ >>> 9. >>> Save-Data: >>> on >>> 10. >>> Upgrade-Insecure-Requests: >>> 1 >>> >>> >>> On Tue, Mar 15, >>> 2016 at 4:26 PM, >>> Pavlos >>> Kleanthous >>> >> > >>> wrote: >>> >>> Thanks for >>> pointing >>> this out. I >>> think it >>> does not >>> matter as >>> the same >>> name can be >>> found in >>> "Installation" >>> tab where >>> I copied the >>> configuration. >>> >>> On Tue, Mar >>> 15, 2016 at >>> 4:21 PM, >>> Marko >>> Strukelj >>> >> > >>> wrote: >>> >>> Looks >>> like you >>> mistyped >>> your >>> client >>> id: >>> 'jenknis'. >>> >>> On Mar >>> 15, 2016 >>> 5:19 PM, >>> "Pavlos >>> Kleanthous" >>> >> > >>> wrote: >>> >>> Hello, >>> >>> >>> I'm >>> trying >>> to >>> configure >>> keycloak >>> for >>> first time. >>> My >>> setup has >>> 2 >>> containers >>> keycloak >>> and >>> jenkins. 
>>> Following >>> the >>> example >>> how >>> to >>> integrate >>> those two, >>> I >>> created >>> a >>> realm and >>> a >>> client >>> called >>> "jenkins". >>> >>> It >>> seams that >>> the >>> realm configuration >>> it's >>> not >>> correct >>> as I >>> get >>> the >>> following >>> debug error. >>> "15:47:55,791 >>> ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] >>> (default >>> task-12) >>> RESTEASY002010: >>> Failed >>> to >>> execute: >>> javax.ws.rs.NotFoundException: >>> RESTEASY003210: >>> Could not >>> find >>> resource >>> for >>> full >>> path: http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261" >>> >>> I >>> noticed >>> that "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect" >>> does >>> not >>> work >>> generally. >>> The >>> URL >>> ending >>> with >>> "/auth/realms/ci/account" >>> it >>> works. >>> >>> if I >>> access >>> the >>> URL: >>> http://192.168.99.100:32786/auth/realms/ci >>> >>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.1! >>> 00:32786 >>> /auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0} >>> >>> Can >>> you >>> help >>> how >>> to >>> find >>> the >>> problem >>> ? >>> >>> p.s. >>> is >>> there any >>> other way >>> to >>> find >>> help >>> on >>> those matters? 
>>> Tried IRC but nobody is replying there...
>>>
>>> Thank you
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From mposolda at redhat.com Wed Mar 30 07:33:47 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 30 Mar 2016 13:33:47 +0200
Subject: [keycloak-user] Example for using rest admin?
In-Reply-To:
References:
Message-ID: <56FBB99B.2040700@redhat.com>

We have admin-client and the example is in the directory "admin-client" of the example distribution; there are also some docs here: http://keycloak.github.io/docs/userguide/keycloak-server/html/admin-rest-api.html

However our admin client doesn't support configuration through a JSON file - it's all programmatic configuration for creating the "Keycloak" object, as you can see in the example. You can externalize to JSON in your own app if you want configuration externalized.

Also we don't support service accounts for admin client ATM. Currently you always need an admin user and his password available, and "Direct access grant" is used under the hood by admin-client to authenticate the admin. Feel free to create a JIRA to support Service account for calling admin-client. It makes sense to support this IMO.

Marek

On 24/03/16 23:13, Hristo Stoyanov wrote:
>
> Hi all,
> I am trying to do this:
> 1. Have a war deployed in wildfly10
> 2. Need to instantiate a kc rest admin service and use the app service account
> 3. Need to manipulate user attributes and roles as the app runs via the rest admin API.
>
> I see some examples, but they are heavy on servlet configuration and low level HTTP header manipulations. I need something that picks the configuration from the adapter (not reading json conf) and uses the JEE client jax-rs 2.0 to call KC. Any pointers/sample code will be appreciated! Thanks!
> /Hristo Stoyanov
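The programmatic setup Marek describes (an admin user authenticated through a direct access grant, nothing read from a JSON file) applied to the role change Hristo asks about, as an added example; this is not the project's own admin-client example. Assumed: the keycloak-admin-client artifact matching the server version, a realm "demo" with realm roles "free" and "premium", an admin account whose credentials come from the KC_ADMIN_USER and KC_ADMIN_PASSWORD environment variables, a public client id "admin-cli" with direct access grants enabled, and the server URL (all assumptions).

```java
// Added example, not the Keycloak project's own admin-client example.
// Assumptions: keycloak-admin-client of the same version as the server, a realm
// "demo" with realm roles "free" and "premium", credentials in the environment,
// and a public client "admin-cli" with direct access grants enabled.
import java.util.Collections;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleScopeResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class PlanUpgrade {

    private static final String SERVER_URL = "http://localhost:8080/auth"; // assumption
    private static final String REALM = "demo";                            // assumption
    private static final String CLIENT_ID = "admin-cli";                   // assumption

    private final Keycloak keycloak;

    public PlanUpgrade() {
        // Direct access grant with an admin user, as in the reply above: the client
        // authenticates as a user, not as a service account. The password comes from
        // the environment so it lives neither in source nor inside the WAR.
        String user = System.getenv("KC_ADMIN_USER");
        String password = System.getenv("KC_ADMIN_PASSWORD");
        if (user == null || password == null) {
            throw new IllegalStateException("KC_ADMIN_USER and KC_ADMIN_PASSWORD must be set");
        }
        // Authenticating against the target realm (not "master") lets this account
        // carry only the realm-management client's manage-users role.
        this.keycloak = Keycloak.getInstance(SERVER_URL, REALM, user, password, CLIENT_ID);
    }

    /** Replaces the "free" realm role of the given user with "premium". */
    public void upgradeToPremium(String username) {
        RealmResource realm = keycloak.realm(REALM);
        UsersResource users = realm.users();

        // Role mappings are keyed by the user's id (the "id" path parameter in the
        // REST docs), so resolve the username first. The username search may match
        // substrings, hence the exact comparison before taking the id.
        String userId = null;
        for (UserRepresentation u : users.search(username, null, null, null, 0, 10)) {
            if (username.equals(u.getUsername())) {
                userId = u.getId();
                break;
            }
        }
        if (userId == null) {
            throw new IllegalArgumentException("no user named " + username + " in realm " + REALM);
        }

        RoleRepresentation free = realm.roles().get("free").toRepresentation();
        RoleRepresentation premium = realm.roles().get("premium").toRepresentation();

        // Realm-level mappings: add() is the "Add realm-level role mappings to the user"
        // call and remove() the "Delete realm-level role mappings" call from the REST docs.
        // Add first, so the user is never left without any plan role.
        RoleScopeResource realmRoles = users.get(userId).roles().realmLevel();
        realmRoles.add(Collections.singletonList(premium));
        realmRoles.remove(Collections.singletonList(free));
    }

    public static void main(String[] args) {
        new PlanUpgrade().upgradeToPremium(args[0]);
    }
}
```

Because this account only edits role mappings, it is worth creating it inside the target realm and granting it the realm-management client's manage-users role rather than reusing the master realm's admin user; a compromised application then cannot reach other realms or the server configuration. The lookup checks the username exactly because a search that matches substrings could otherwise return a different user first.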
From kevin.thorpe at p-i.net Wed Mar 30 07:43:00 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Wed, 30 Mar 2016 12:43:00 +0100
Subject: [keycloak-user] Can we change the default realm on Keycloak?
Message-ID:

Hi,

just wondering if we could hide the default page https://keycloak.mydomain.com/auth because that prompts you to log in to the master realm, which we don't want visible.

I could block that page outright but sometimes we might need to log in to the master realm for user admin.

Kevin Thorpe
VP Enterprise Platform
www.p-i.net | @PI_150
T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344
150 Buckingham Palace Road, London, SW1W 9TR, UK

SAVE PAPER - THINK BEFORE YOU PRINT!
____________________________________________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
From bbazian at mbopartners.com Wed Mar 30 07:52:27 2016
From: bbazian at mbopartners.com (Ben Bazian)
Date: Wed, 30 Mar 2016 11:52:27 +0000
Subject: [keycloak-user] Can we change the default realm on Keycloak?
In-Reply-To:
References:
Message-ID: <860E8DAFFC76794694CFF405F8A1E71F02BE6D5B@416429-EXCH1.mbopartners.com>

Please let me know if you come up with a solution. We would actually like to limit access to this page to inside the firewall. No external access.

Thanks

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Kevin Thorpe
Sent: Wednesday, March 30, 2016 7:43 AM
To: keycloak-user
Subject: [keycloak-user] Can we change the default realm on Keycloak?

Hi,

just wondering if we could hide the default page https://keycloak.mydomain.com/auth because that prompts you to log in to the master realm which we don't want visible.

I could block that page outright but sometimes we might need to log in to the master realm for user admin.

Kevin Thorpe
VP Enterprise Platform
www.p-i.net | @PI_150
From kevin.thorpe at p-i.net Wed Mar 30 07:53:34 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Wed, 30 Mar 2016 12:53:34 +0100
Subject: [keycloak-user] Can we change the default realm on Keycloak?
In-Reply-To: <860E8DAFFC76794694CFF405F8A1E71F02BE6D5B@416429-EXCH1.mbopartners.com>
References: <860E8DAFFC76794694CFF405F8A1E71F02BE6D5B@416429-EXCH1.mbopartners.com>
Message-ID:

Well I can hard-block because we front everything with an Nginx instance. Just seems dirty though.

Kevin Thorpe
VP Enterprise Platform
www.p-i.net | @PI_150
On 30 March 2016 at 12:52, Ben Bazian wrote:
> Please let me know if you come up with a solution. We would actually like to limit access to this page to inside the firewall. No external access.
>
> Thanks
>
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Kevin Thorpe
> Sent: Wednesday, March 30, 2016 7:43 AM
> To: keycloak-user
> Subject: [keycloak-user] Can we change the default realm on Keycloak?
>
> Hi,
>
> just wondering if we could hide the default page https://keycloak.mydomain.com/auth because that prompts you to log in to the master realm which we don't want visible.
>
> I could block that page outright but sometimes we might need to log in to the master realm for user admin.
>
> Kevin Thorpe
> VP Enterprise Platform
> www.p-i.net | @PI_150
From mposolda at redhat.com Wed Mar 30 09:09:26 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 30 Mar 2016 15:09:26 +0200
Subject: [keycloak-user] Need help for using KC REST API and service account
In-Reply-To:
References:
Message-ID: <56FBD006.60509@redhat.com>

On 27/03/16 20:38, Hristo Stoyanov wrote:
> Hi all,
> I am trying to apply KC for:
> 1. Authentication. So far KC works well and as expected!
> 2. Change the authenticated user roles as part of the application logic - based on external credit card registration (by an external credit card processor) and paid plan selection by the user, the web app needs to move the authenticated user from the "free" role to the "premium" realm role, which corresponds to the paid plan s/he selected.
>
> Is there an example of how to use KC APIs to change the user's role from within the app? I could not find anything specific in the examples or documentation, but I see some things that go in that direction:
>
> A.
> It seems like I have to use the Admin REST API somehow, but I am not sure which rest calls from the vast REST APIs I need to use? Is it "Add realm-level role mappings to the user" and "Delete realm-level role mappings"? What is the "id" param then? Is this the "user id"? Can you please categorize the REST APIs in groups - "user management", "role CRUDs", etc., to make it easier to navigate?
> There seems to be an example "admin-access-app", but it is not clear where it gets the app username/password. Are they just hard-coded "username" and "password"? In the case of the Wildfly adapter, the client secret is configured inside the standalone.xml configuration file, so _I expect to not have to configure it or read it from file configurations_, but the container should provide it/inject it for me? Is this a correct assumption? Any example wildfly code?

As mentioned in the other email, we have admin-client, which provides calling of REST endpoints as java methods, and we also have an example for it.

>
> B.
> It seems like I also need to use a service account, so that the app can change user roles behind the scenes on its own? Correct? This blog post seems obsolete as there is no more "Service accounts enabled" switch I could find. I figured one needs to switch to the "confidential" access type instead. Is this correct? Unfortunately, the corresponding example, "Service Account Example", does not show how one should proceed when the client secret is configured in Wildfly's standalone.xml file and the developer is not expected to parse configuration files (either embedded in the WAR or elsewhere). Any example of how to get configured objects? I tried to get some clue from the KeycloakDeploymentBuilderTest.java file, but it is not clear how one can get KeycloakDeployment injected by the container rather than parsing it from files. Any clue?

Feel free to create a JIRA for the service account documentation and example update. But actually you don't need a service account to call admin REST endpoints (even the admin-client currently doesn't support service accounts, which we should improve. See the other mail I sent to you earlier today). You need to create an admin user account and call admin operations with admin-client through this account. It's using "Direct access grants" rather than service accounts.
Marek

>
> Thank you for the great product! And thank you for any guidance you can provide - that would save me a lot of time and questions!
>
> /Hristo

From mposolda at redhat.com Wed Mar 30 09:17:01 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 30 Mar 2016 15:17:01 +0200
Subject: [keycloak-user] Can we change the default realm on Keycloak?
In-Reply-To:
References: <860E8DAFFC76794694CFF405F8A1E71F02BE6D5B@416429-EXCH1.mbopartners.com>
Message-ID: <56FBD1CD.1070500@redhat.com>

Hi,

you can configure the welcome theme in keycloak-server.json - see the docs at http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2326 . Then in your theme you can override the welcome file and hide the link to the admin console from it.

For accessing the admin console just from local addresses, we don't support it AFAIK, but you can achieve it with usage of some custom proxy/filter, which will reject requests coming from external IP addresses.

For the future, we plan to improve authorization/permissions for the admin console. As part of this, it will be possible to create an authorization rule to limit access just to some IP addresses. Not sure when this will be available though...

Marek

On 30/03/16 13:53, Kevin Thorpe wrote:
> Well I can hard-block because we front everything with an Nginx instance. Just seems dirty though.
>
> Kevin Thorpe
> VP Enterprise Platform
> www.p-i.net | @PI_150
>
> On 30 March 2016 at 12:52, Ben Bazian wrote:
>
> Please let me know if you come up with a solution. We would actually like to limit access to this page to inside the firewall. No external access.
>
> Thanks
>
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Kevin Thorpe
> Sent: Wednesday, March 30, 2016 7:43 AM
> To: keycloak-user
> Subject: [keycloak-user] Can we change the default realm on Keycloak?
>
> Hi,
>
> just wondering if we could hide the default page https://keycloak.mydomain.com/auth because that prompts you to log in to the master realm which we don't want visible.
>
> I could block that page outright but sometimes we might need to log in to the master realm for user admin.
>
> Kevin Thorpe
> VP Enterprise Platform
> www.p-i.net | @PI_150
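The proxy/filter Marek suggests, written out as an nginx configuration that keeps the admin console, the Admin REST API and the master realm internal while leaving application realms public; it also covers the public-versus-admin endpoint split asked about in the "Guidelines for protecting Keycloak Endpoints" thread in this digest. This is an added example, not configuration from the thread or from the Keycloak project. It assumes Keycloak listens on 127.0.0.1:8080 behind nginx, that 10.20.0.0/16 is the internal LAN/VPN range, and that the host name and certificate paths are placeholders.

```nginx
# Added example (not from the thread). Assumptions: Keycloak on 127.0.0.1:8080,
# 10.20.0.0/16 is the internal LAN/VPN range, host name and cert paths are placeholders.
upstream keycloak {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name keycloak.example.com;                      # placeholder
    ssl_certificate     /etc/nginx/tls/keycloak.crt;       # placeholder
    ssl_certificate_key /etc/nginx/tls/keycloak.key;       # placeholder

    # Forwarded headers for every proxied location below (inherited, since the
    # locations set none of their own). Keycloak/Wildfly must be told to trust
    # them (proxy-address-forwarding on the HTTP listener) for correct redirect URLs.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # allow/deny evaluate the address nginx sees on the socket. If a load balancer
    # or CDN sits in front of nginx, enable the real_ip module for that hop only;
    # otherwise every request appears to come from the balancer and the rule is moot.
    # set_real_ip_from 10.20.1.5;         # placeholder: address of the front hop
    # real_ip_header   X-Forwarded-For;

    # Admin console and Admin REST API (/auth/admin/*): internal addresses only.
    # "^~" is a prefix match. An exact match ("= /auth/") covers that single URI
    # only and would leave everything beneath /auth/admin/ reachable.
    location ^~ /auth/admin/ {
        allow 10.20.0.0/16;
        deny  all;
        proxy_pass http://keycloak;
    }

    # The admin console signs in through the master realm, so keep the master
    # realm's login and OIDC endpoints internal too (applications should not use
    # the master realm, so nothing public depends on it).
    location ^~ /auth/realms/master/ {
        allow 10.20.0.0/16;
        deny  all;
        proxy_pass http://keycloak;
    }

    # Welcome page carrying the admin console link. Overriding the welcome theme
    # hides the link; restricting the page as well stops it advertising the console.
    location = /auth/ {
        allow 10.20.0.0/16;
        deny  all;
        proxy_pass http://keycloak;
    }

    # Application realms (login, account, OIDC endpoints) stay public.
    location /auth/ {
        proxy_pass http://keycloak;
    }

    # Denied admin paths answer 404 instead of 403, so from outside they are
    # indistinguishable from unknown URLs.
    error_page 403 @hide;
    location @hide {
        return 404;
    }
}
```

Test the rule from an external address as well as an internal one after deploying: the common reason an allow/deny block "does not work" is that nginx is seeing the address of a load balancer in front of it, which the real_ip lines above address, or that the location is an exact match that never fires for the URLs being requested.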
From mposolda at redhat.com Wed Mar 30 09:21:52 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 30 Mar 2016 15:21:52 +0200
Subject: [keycloak-user] Guidelines for protecting Keycloak Endpoints
In-Reply-To:
References:
Message-ID: <56FBD2F0.80409@redhat.com>

On 24/03/16 11:48, Thomas Darimont wrote:
> Hello group,
>
> I'm about to configure our Web Application Firewall for Keycloak where I want to implement the following scenario:
>
> CLIENT_ENDPOINTS:
> All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as well as the account and login/totp/registration/forgot password pages should be accessible from the public internet.
>
> ADMIN_ENDPOINTS:
> Admin endpoints like the Admin Console, Admin REST API etc. should only be accessible from the internal network.
>
> Are there any guidelines for which URL pattern applies to which category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?

I think that all the stuff related to admin REST endpoints or the admin console UI is under /auth/admin/* .

For accessing the admin console just from local addresses, we don't support it AFAIK, but you can achieve it with usage of some custom proxy/filter, which will reject requests coming from external IP addresses.

For the future, we plan to improve authorization/permissions for the admin console. As part of this, it will be possible to create an authorization rule to limit access just to some IP addresses. Not sure when this will be available though...

Marek

>
> To me, it seems that:
> - "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
> - "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
> Have I missed anything else?
>
> Btw.
it turns out that some endpoints (unnecessarily) expose internal > links like: > "admin-api" if you go to: http://localhost:8080/auth/realms/my-realm/ > > { > realm: "my-realm", > public_key: "...", > token-service: > "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect", > account-service: "http://localhost:8080/auth/realms/my-realm/account", > admin-api: "http://localhost:8080/auth/admin", > tokens-not-before: 0 > } > > Can this be disabled? > > Cheers, > Thomas > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160330/e68b163a/attachment.html From kevin.thorpe at p-i.net Wed Mar 30 09:26:27 2016 From: kevin.thorpe at p-i.net (Kevin Thorpe) Date: Wed, 30 Mar 2016 14:26:27 +0100 Subject: [keycloak-user] Can we change the default realm on Keycloak? In-Reply-To: <860E8DAFFC76794694CFF405F8A1E71F02BE6D5B@416429-EXCH1.mbopartners.com> References: <860E8DAFFC76794694CFF405F8A1E71F02BE6D5B@416429-EXCH1.mbopartners.com> Message-ID: Using Nginx to stop obvious access to master realm: Well I can hard-block with: location =/auth/ { return 404; } I *should* be able to do: location =/auth/ { allow 10.20.0.0/16; # all our LAN + VPN range deny all; } but it's not working when I test it. 
You'd also want to block: location /auth/realms/master to stop people who know it's Keycloak *Kevin Thorpe* VP Enterprise Platform www.p-i.net | @PI_150 *T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20 7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344 <%2B44%20%280%29808%20204%200344> * *150 Buckingham Palace Road, London, SW1W 9TR, UK* *SAVE PAPER - THINK BEFORE YOU PRINT!* ____________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. On 30 March 2016 at 12:52, Ben Bazian wrote: > Please let me know if you come up with a solution. We would actually like > to limit access to this page to inside the firewall. No external access. > > > > Thanks > > > > *From:* keycloak-user-bounces at lists.jboss.org [mailto: > keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Kevin Thorpe > *Sent:* Wednesday, March 30, 2016 7:43 AM > *To:* keycloak-user > *Subject:* [keycloak-user] Can we change the default realm on Keycloak? > > > > Hi, > > just wondering if we could hide the default page > https://keycloak.mydomain.com/auth because tat prompts you to log in to > the master realm which we don't want visible. 
> > > > I could block that page outright but sometimes we might need to log in to > the master realm for user admin. > > > > > *Kevin Thorpe* > > VP Enterprise Platform > > www.p-i.net | @PI_150 > > > *T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20 > 7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344 > <%2B44%20%280%29808%20204%200344> * > *150 Buckingham Palace Road, London, SW1W 9TR, UK* > > > > > *SAVE PAPER - THINK BEFORE YOU PRINT!* > > ____________________________________________________________________ > > This email and any files transmitted with it are confidential and intended > solely for the use of the individual or entity to whom they are addressed. > If you have received this email in error please notify the system manager. > This message contains confidential information and is intended only for the > individual named. If you are not the named addressee you should not > disseminate, distribute or copy this e-mail. Please notify the sender > immediately by e-mail if you have received this e-mail by mistake and > delete this e-mail from your system. If you are not the intended recipient > you are notified that disclosing, copying, distributing or taking any > action in reliance on the contents of this information is strictly > prohibited. > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160330/ee8a8b2f/attachment.html From mposolda at redhat.com Wed Mar 30 09:30:25 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 30 Mar 2016 15:30:25 +0200 Subject: [keycloak-user] Cannot change the user's username in AD... 
In-Reply-To:
References:
Message-ID: <56FBD4F1.1030008@redhat.com>

On 24/03/16 08:58, Adrian Matei wrote:
> Hi everyone,
> Following situation:
>
> * Keycloak 1.7.0.Final
> * Login settings
>   o Email as username ON
>   o Edit username ON
> * AD Configuration
>   o Edit mode : WRITABLE
>   o Username LDAP attribute: cn (standard as all other attributes)
>
> I've been trying in vain to change the username/email of a user (via the account application or via the admin console) - only the mail gets changed in AD and not the common name? Is there a particular setting I need to configure?

ATM we don't support changing the value of "cn" through Keycloak, as cn is part of the DN of the user record in Active Directory. We have a JIRA which is related to that: https://issues.jboss.org/browse/KEYCLOAK-2403 . Could you please create another JIRA with your use case and link it with this one?

Thanks,
Marek

> Thanks,
> Adrian

From adrianmatei at gmail.com Wed Mar 30 09:40:12 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Wed, 30 Mar 2016 15:40:12 +0200
Subject: [keycloak-user] Cannot change the user's username in AD...
In-Reply-To: <56FBD4F1.1030008@redhat.com>
References: <56FBD4F1.1030008@redhat.com>
Message-ID:

Hi Marek,

Thanks for the info - it's been linked: https://issues.jboss.org/browse/KEYCLOAK-2723

Cheers,
Adrian

From dirk.franssen at gmail.com Wed Mar 30 10:08:24 2016
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Wed, 30 Mar 2016 16:08:24 +0200
Subject: [keycloak-user] GMail throws suspicious error when sending email.
In-Reply-To:
References:
Message-ID:

Hi,

I'm having the same behavior with 1.9.1.Final. I'm using SendGrid and have taken all steps for whitelabelling. After some testing with curl, using the same subject and body content, I found that it is related to the Subject content that is being sent.
Is there an easy way to change the mail templates in Keycloak or by REST API?

Kind regards,
Dirk Franssen

On Wed, Mar 16, 2016 at 6:30 AM, Stian Thorgersen wrote:
> Please try again with the latest release (1.9.1) and see if the problem still exists.
> On 14 Mar 2016 12:04, "Revanth Ayalasomayajula" <revanth at arvindinternet.com> wrote:
>
>> Hi,
>>
>> I am using keycloak 1.5.0 for my product and when I am sending email for execute actions, gmail throws me the following warning in the image attached below. However, when I do forget password from my login screen the email sent does not contain this warning. Can you help me debug as to why this is happening? Execute actions is an important part of my product and any help regarding this would be highly appreciated.
>>
>> Thanks.

From john.bartko at drillinginfo.com Wed Mar 30 11:23:25 2016
From: john.bartko at drillinginfo.com (John Bartko)
Date: Wed, 30 Mar 2016 10:23:25 -0500
Subject: [keycloak-user] Keycloak Clustering, other instance logs me out
In-Reply-To: <56FBAFED.8050701@redhat.com>
References: <56FBAFED.8050701@redhat.com>
Message-ID:

When clustering across separate hosts, I had to change the jgroups-udp socket binding to listen on the public interface (binds to loopback by default).

On Wed, Mar 30, 2016 at 5:52 AM, Marek Posolda wrote:
>
> When you start the second instance, are you seeing something like this in the log of both servers?
>
> INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]
>
> If not, then clustering doesn't work properly and the servers don't form a cluster with each other. From the log you sent, there is just the startup of one server, which indicates that clustering may not work.
>
> Maybe multicast doesn't work in your network. Either disable firewall/selinux/whatever to have multicast working or switch to the TCP JGroups channel instead of UDP. See the Wildfly and JGroups documentation for more details.
>
> Also, I personally use virtual hosts to test clustering of 2 servers on the same machine (i.e. have virtual servers like kc1:8080 and kc2:8080). Using the same host but differing just in port number (host:8080 and host:8081) may cause a mess with cookies, so I am personally not using a setup like this.
>
> Marek
>
> On 30/03/16 08:38, Sarp Kaya wrote:
>
> I have tried using standalone-ha.xml with a shared database. I thought that would be enough but it seems like it's not.
> The problem is:
>
> I log into the kc1 instance, and subsequent requests are authenticated. Then I try viewing
> host:8080/auth/realms/master/account
> which is also authenticated.
>
> Then I try to view this on kc1 by changing the port like:
> host:8081/auth/realms/master/account
>
> At this point I expect to see the same page. However I get prompted for login for both kc1 and kc2. I see no logs at this point.
>
> So now I have switched to using keycloak-ha-postgres because it seemed to me that it comes clustering-enabled out of the box. So I nearly did exactly what this page:
> https://hub.docker.com/r/jboss/keycloak-ha-postgres/builds/benk6w5cgdmrqonrxvu3bfu/
> told me to do. The only difference that I have done is adding ports (with -p 8080:8080 to one instance and -p 8081:8080 to the other one) and adding a new user.
>
> Once I start it, I get this log:
>
> 05:28:49,888 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel keycloak
> 05:28:49,893 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel server
> 05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel keycloak: [a05014a5dc24|0] (1) [a05014a5dc24]
> 05:28:49,907 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel keycloak local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
> 05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel server: [a05014a5dc24|0] (1) [a05014a5dc24]
> 05:28:49,914 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel server local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
> 05:28:49,925 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-2) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
> 05:28:49,926 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-1) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
> 05:28:49,978 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel web
> 05:28:49,982 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel web: [a05014a5dc24|0] (1) [a05014a5dc24]
> 05:28:49,984 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel web local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
> 05:28:49,985 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel hibernate
> 05:28:49,986 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel hibernate: [a05014a5dc24|0] (1) [a05014a5dc24]
> 05:28:49,987 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel hibernate local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
> 05:28:50,028 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
> 05:28:50,030 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [a05014a5dc24|0] (1) [a05014a5dc24]
> 05:28:50,031 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
> 05:28:50,357 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started realmVersions cache from keycloak container
> 05:28:50,391 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0002: Started offlineSessions cache from keycloak container
> 05:28:50,397 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started loginFailures cache from keycloak container
> 05:28:50,396 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started sessions cache from keycloak container
> 05:28:50,392 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0002: Started realms cache from keycloak container
> 05:28:50,399 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started users cache from keycloak container
> 05:28:50,402 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started work cache from keycloak container
>
> However I still have the same issue as above (I get logged out). Also I don't get any new logs for the entire log-in, log-out processes.
>
> Am I doing something wrong?
> Thanks,
> Sarp
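A small log check for the symptom Marek and John describe, added here as an example and not code from the thread or from Keycloak: it parses the ISPN000094 (cluster view) and ISPN000079 (physical address) lines from a WildFly server.log and reports, per JGroups channel, whether the view is short of members and whether the channel is bound to loopback only. The sample log lines are constructed to match the ones quoted above.

```python
"""Check a Keycloak/WildFly server.log for two clustering failure signs:
a JGroups cluster view that never grows past one member, and a channel whose
physical address is the loopback interface (the default jgroups-udp binding).

Added example; the message formats are those of the ISPN000094 / ISPN000079
lines quoted in the thread, and the sample lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# ISPN000094: Received new cluster view for channel keycloak: [a05014a5dc24|0] (1) [a05014a5dc24]
# Older Infinispan releases omit "for channel <name>" (as in Marek's example line).
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view(?: for channel (?P<channel>[^\s:]+))?: "
    r"\[(?P<coordinator>[^|\]]+)\|(?P<view_id>\d+)\] \((?P<count>\d+)\) \[(?P<members>[^\]]*)\]"
)
# ISPN000079: Channel keycloak local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
ADDR_RE = re.compile(
    r"ISPN000079: Channel (?P<channel>[^\s]+) local address is (?P<local>[^,\s]+), "
    r"physical addresses are \[(?P<addrs>[^\]]*)\]"
)


@dataclass
class ChannelState:
    view_id: int = -1          # -1 until an ISPN000094 line has been seen
    members: list = field(default_factory=list)
    physical: list = field(default_factory=list)


def parse_log(lines):
    """Return {channel name: ChannelState} built from the given log lines."""
    channels = {}
    for line in lines:
        m = VIEW_RE.search(line)
        if m:
            # View lines without a channel name are keyed as "default".
            st = channels.setdefault(m.group("channel") or "default", ChannelState())
            view_id = int(m.group("view_id"))
            if view_id >= st.view_id:  # a later view supersedes an earlier one
                st.view_id = view_id
                st.members = [x.strip() for x in m.group("members").split(",") if x.strip()]
            continue
        m = ADDR_RE.search(line)
        if m:
            st = channels.setdefault(m.group("channel"), ChannelState())
            st.physical = [x.strip() for x in m.group("addrs").split(",") if x.strip()]
    return channels


def is_loopback(hostport):
    """True for 127.0.0.1:55200, localhost:7600 and similar loopback endpoints."""
    host = hostport.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def diagnose(channels, expected_nodes):
    """Return human-readable findings; an empty list means the view looks healthy."""
    findings = []
    for name, st in sorted(channels.items()):
        if st.physical and all(is_loopback(a) for a in st.physical):
            findings.append(
                f"{name}: bound to loopback only ({', '.join(st.physical)}); "
                "other hosts cannot join this channel")
        if st.view_id >= 0 and len(st.members) < expected_nodes:
            findings.append(
                f"{name}: cluster view has {len(st.members)} member(s), "
                f"expected {expected_nodes}: {st.members}")
    return findings


def check_log(lines, expected_nodes=2):
    """Run on each node's server.log; every node should report no findings."""
    return diagnose(parse_log(lines), expected_nodes)


# Constructed sample: one node starting alone, bound to loopback (the symptom above).
LOG_SINGLE_NODE = [
    "05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] "
    "(MSC service thread 1-1) ISPN000094: Received new cluster view for channel keycloak: "
    "[a05014a5dc24|0] (1) [a05014a5dc24]",
    "05:28:49,907 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] "
    "(MSC service thread 1-1) ISPN000079: Channel keycloak local address is a05014a5dc24, "
    "physical addresses are [127.0.0.1:55200]",
]
# Constructed sample: the healthy two-member view Marek asks for, in the older format.
LOG_TWO_NODES = [
    "INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) "
    "ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]",
]

if __name__ == "__main__":
    for label, log in (("single node", LOG_SINGLE_NODE), ("two nodes", LOG_TWO_NODES)):
        print(label, "->", check_log(log) or "cluster view looks healthy")
```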
From bburke at redhat.com Wed Mar 30 18:37:23 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 30 Mar 2016 18:37:23 -0400
Subject: [keycloak-user] Logout to the external IDP
In-Reply-To:
References: <56F0048D.4050601@redhat.com>
Message-ID: <56FC5523.307@redhat.com>

This is fixed in master and will be released with 1.9.2 in 1 or 2 weeks.

On 3/21/2016 11:25 AM, Xiao Ma wrote:
> Thank you, Bill! I am wondering what is our rough estimate on when we are going to release 1.9.2.Final.
>
> Best Regards,
> Xiao
>
> On Mon, Mar 21, 2016 at 10:26 AM, Bill Burke wrote:
>
> I think this is a bug. We probably don't refresh the token that is obtained by the "child" IDP.
>
> https://issues.jboss.org/browse/KEYCLOAK-2691
>
> On 3/20/2016 10:58 AM, Xiao Ma wrote:
>> Hi,
>>
>> I configured an OIDC identity provider by selecting the "OpenID Connect v1.0" identity provider from the drop-down box on the top right corner of the identity providers table in Keycloak's Admin Console. During the configuration process, I also configured "Logout Url" for the IDP logout url.
>>
>> When I try to logout to the external IDP, the browser is redirected to the external IDP to perform the logout. I can see some URL as follows:
>>
>> https://keycloakdev.xxxxxxx.com/auth/realms/Internal/protocol/openid-connect/logout?state=a4efbda0-8b98-4169-a369-59e92bc3fac5&id_token_hint=<long JWT omitted>
>>
>> "keycloakdev.xxxxxxx.com" is where the external IDP is located. "Internal" is the name of the realm. The parameters "state" and "id_token_hint" are appended to the endpoint logout URL automatically during the logout process.
>>
>> However, this process failed because I got a "Session Not Active" error in the UI. After some investigation, I found this "Session Not Active" error seems to be related to the value of Realm Settings -> Tokens -> Access Token Lifespan I configured. The default value is 5 minutes; if I trigger the logout within 5 minutes, I can logout to the external IDP successfully. If I do the logout after 5 minutes, I will get this "Session Not Active" error. Is this the expected behavior? Do I have to bump up the value of "Access Token Lifespan" to get a longer session for the logout purpose?
>>
>> Thanks a lot for the help!
>>
>> Xiao

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From akaya at expedia.com Wed Mar 30 19:10:09 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Wed, 30 Mar 2016 23:10:09 +0000
Subject: [keycloak-user] Keycloak Clustering, other instance logs me out
In-Reply-To:
References: <56FBAFED.8050701@redhat.com>
Message-ID:

Hi John,

Could you please explain how you did that?

@Marek, I'm not seeing that log; my setup is with 2 different docker instances deployed on the same machine.
So they can talk to each other.

From hr.stoyanov at peruncs.com Wed Mar 30 19:37:48 2016
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Wed, 30 Mar 2016 23:37:48 +0000
Subject: [keycloak-user] Is Keycloak client admin thread safe?
Message-ID:

Is org.keycloak.admin.client.Keycloak threadsafe? I intend to use it as a single admin client for the entire app ...

/Hristo Stoyanov
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160330/4dca03f6/attachment.html From akaya at expedia.com Wed Mar 30 20:49:37 2016 From: akaya at expedia.com (Sarp Kaya) Date: Thu, 31 Mar 2016 00:49:37 +0000 Subject: [keycloak-user] Keycloak Clustering, other instance logs me out In-Reply-To: References: <56FBAFED.8050701@redhat.com> Message-ID: Sorry to send an e-mail again what I did is changed this: Also set the public interface as: But now I?m getting this error: 00:45:40,146 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640) at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98) at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78) ... 
5 more Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522) at org.jgroups.stack.Configurator.ensureValidBindAddresses(Configurator.java:903) at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:118) at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:57) at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:477) at org.jgroups.JChannel.init(JChannel.java:853) at org.jgroups.JChannel.(JChannel.java:159) at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:95) at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:92) at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:636) ... 7 more If I put a different IP address (say the docker machine IP address) I get the same error as well. From: John Bartko > Date: Thursday, March 31, 2016 at 1:23 AM To: Marek Posolda > Cc: Abdullah Sarp Kaya >, "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Keycloak Clustering, other instance logs me out When clustering across separate hosts, I had to change the jgroups-udp socket binding to listen on the public interface (binds to loopback by default). On Wed, Mar 30, 2016 at 5:52 AM, Marek Posolda > wrote: When you start the second instance, are you seeing something like this in log of both servers? INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak] If not, then clustering doesn't work properly and the servers doesn't form a cluster with each other. From the log you sent, there is just startup of one server, which indicates that clustering may not work. Maybe multicast doesn't work in your network. 
Either disable firewall/selinux/whatever to have multicast working or switch to a TCP JGroups channel instead of UDP. See the Wildfly and JGroups documentation for more details.

Also I personally use virtual hosts to test clustering of 2 servers on the same machine (i.e. have virtual servers like kc1:8080 and kc2:8080). Using the same host but differing just in port number (host:8080 and host:8081) may cause a mess with cookies, so I am personally not using a setup like this.

Marek

On 30/03/16 08:38, Sarp Kaya wrote:

I have tried using standalone-ha.xml with shared database. I thought that would be enough but it seems like it's not. The problem is

I log into kc1 instance, and subsequent requests are authenticated.
Then I try viewing
host:8080/auth/realms/master/account
Which is also authenticated.

Then I try to view this on kc1 by changing port like:
host:8081/auth/realms/master/account

At this point I expect to see the same page. However I get prompted for login for both kc1 and kc2. I see no logs at this point.

So now I have switched to using keycloak-ha-postgres because it seemed to me that it comes clustering enabled out of the box. So I nearly did exactly what this page:
https://hub.docker.com/r/jboss/keycloak-ha-postgres/builds/benk6w5cgdmrqonrxvu3bfu/
told me to do. The only difference that I have done is adding ports (with -p 8080:8080 to one instance and -p 8081:8080 to the other one) and adding a new user.

Once I start them I get this log:

05:28:49,888 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel keycloak
05:28:49,893 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel server
05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel keycloak: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,907 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel keycloak local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel server: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,914 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel server local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,925 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-2) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
05:28:49,926 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-1) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
05:28:49,978 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel web
05:28:49,982 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel web: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,984 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel web local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,985 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel hibernate
05:28:49,986 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel hibernate: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,987 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel hibernate local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:50,028 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
05:28:50,030 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:50,031 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:50,357 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started realmVersions cache from keycloak container
05:28:50,391 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0002: Started offlineSessions cache from keycloak container
05:28:50,397 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started loginFailures cache from keycloak container
05:28:50,396 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started sessions cache from keycloak container
05:28:50,392 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0002: Started realms cache from keycloak container
05:28:50,399 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started users cache from keycloak container
05:28:50,402 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started work cache from keycloak container

However I still have the same issue as above (I get logged out). Also I don't get any new logs for the entire log-in, log-out processes.

Am I doing something wrong?
Thanks,
Sarp

From john.bartko at drillinginfo.com Wed Mar 30 22:53:03 2016
From: john.bartko at drillinginfo.com (John Bartko)
Date: Wed, 30 Mar 2016 21:53:03 -0500
Subject: [keycloak-user] Keycloak Clustering, other instance logs me out
In-Reply-To:
References: <56FBAFED.8050701@redhat.com>
Message-ID:

You're on the right track.
Taking a look at my notes, the following may be required:
- docker container with host mode networking and NET_ADMIN capabilities if clustering across container hosts
- entrypoint parameters: -Djgroups.bind_addr=HOST_IP -b HOST_IP --server-config standalone-ha.xml
  note the host default interface IP must be used and not a wildcard of 0.0.0.0
- the socket-binding changed

On Wed, Mar 30, 2016 at 7:49 PM, Sarp Kaya wrote:

From akaya at expedia.com Thu Mar 31 00:37:09 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Thu, 31 Mar 2016 04:37:09 +0000
Subject: [keycloak-user] Keycloak Clustering, other instance logs me out
In-Reply-To:
References: <56FBAFED.8050701@redhat.com>
Message-ID:

Okay, so I gave up using that way and now using S3 instead, that way I can see what they send to each other.
First thing I noticed is the file that they modify looks like this:

74594d4ef42f e0172d5d-8392-5ee7-bba3-03d997c2ef6e 127.0.0.1:55200 T

When another instance connects, it tries to connect to 127.0.0.1:55200 which obviously doesn't work, and that logs out like this:

04:26:15,908 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-2) 74594d4ef42f: JOIN(74594d4ef42f) sent to e8a65867f61d timed out (after 3000 ms), on try 1

Again I looked in reverse and found out that jgroups-udp uses this port number. So I found that docker uses 172.17.0.x and assigned 2 IP addresses. Like this:

However right now I still get the previous problem:

04:28:31,418 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
    at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640)
    at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98)
    at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78)
    ... 5 more

Why does it keep showing that my IP address is 0.0.0.0?
Even though I specifically put the right IP address?

PS: I'm well aware this is a bad hack to put IP addresses specifically, but at this point I'm trying to get it working.

From: John Bartko
Date: Thursday, March 31, 2016 at 12:53 PM
To: Abdullah Sarp Kaya
Cc: Marek Posolda, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Keycloak Clustering, other instance logs me out

From Markus.Lauer at co-met.info Thu Mar 31 03:09:30 2016
From: Markus.Lauer at co-met.info (Lauer Markus)
Date: Thu, 31 Mar 2016 07:09:30 +0000
Subject: [keycloak-user] Arquillian / Remote Container / EJB Security
In-Reply-To: <1458813303.4526.67.camel@co-met.info>
References: <1458734452.4526.43.camel@co-met.info> <56F2A1AD.90300@redhat.com> <1458742499.4526.53.camel@co-met.info> <1458743308.4526.56.camel@co-met.info> <1458813303.4526.67.camel@co-met.info>
Message-ID: <1459408152.4328.21.camel@co-met.info>

On Thursday, 24.03.2016, 09:55 +0000, Lauer Markus wrote:
> > > > > I'm looking for s/th like this:
> > > https://developer.jboss.org/wiki/TestingSecuredEJBsOnWildFly81xWithArquillian
> > >
> > > This could possibly be combined with:
> > > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jaas-adapter
> > >
> > > org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
> > >
> > > But I can not change the "keycloak" security-domain for testing...
> > >
> >
> > Ok. Approaching a solution...
> > I adopted the JBossLoginContextFactory from the link above:
> > https://gist.github.com/anonymous/892d957dfdf289158ccc
> >
> LoginContext loginContext =
>     JBossLoginContextFactory.createLoginContext("markus.lauer at co-met.info", "********");
> loginContext.login();
>
> log.info("principals: " + loginContext.getSubject().getPrincipals());
>
> Set<Principal> principals = loginContext.getSubject().getPrincipals();
> for (Principal p : principals) {
>     log.info("name: " + p.getName() + ", type: " + p.getClass());
> }
>
> Output:
>
> principals: [40fe2bc5-fc55-496a-b438-0783c7473b90, view-master-data, user, manage-master-data, markus.lauer at co-met.info]
> name: 40fe2bc5-fc55-496a-b438-0783c7473b90, type: class org.keycloak.KeycloakPrincipal
> name: view-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
> name: user, type: class org.keycloak.adapters.jaas.RolePrincipal
> name: manage-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
> name: markus.lauer at co-met.info, type: class org.jboss.security.SimplePrincipal
>
> Login works!
>
> But unfortunately I still can not access the secured EJB:
>
> Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Void>() {
>     @Override
>     public Void run() {
>         log.info("count: " + securedEJB.count());
>         return null;
>     }
> });
>
> This throws an exception:
>
> javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
>
> Here is a snippet of SecuredEJB:
>
> @Stateless
> @SecurityDomain("keycloak")
> @DeclareRoles({ "view-master-data", "manage-master-data" })
> public class SecuredEJB {
>
>     @RolesAllowed({"view-master-data"})
>     public int count() {
>         ....
>     }
>
> }
>
> Any ideas how to deal with the "Invalid User"?
> Perhaps the keycloak UUID vs. username?
>
> Regards,
> Markus.

No ideas? No comment?

Another possible problem: The configured security domain in Wildfly is called "keycloak" and uses the default LoginModule "KeycloakLoginModule". Now I'm trying to access secured EJBs in this security domain ("keycloak") with another LoginModule: DirectAccessGrantsLoginModule. Is this possible at least?

There is also a bug report in this context: https://issues.jboss.org/browse/WFLY-4626
Is this the same bug here?

To recap: The only thing I'm trying to accomplish is to access secured EJBs from automated tests (arquillian). The @RunAs solution (see above / last mails in this thread) is not sufficient. Is there an easier way? (Stripping @RolesAllowed annotations in tests, deactivating security in tests, etc.)

Regards,
Markus.

________________________________
To read the legal notices for this mail, please copy the URL below into your browser or follow the link.
http://disclaimer.tec-saar.de/co-met.htm

From akaya at expedia.com Thu Mar 31 03:25:30 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Thu, 31 Mar 2016 07:25:30 +0000
Subject: [keycloak-user] Keycloak Clustering, other instance logs me out
In-Reply-To:
References: <56FBAFED.8050701@redhat.com>
Message-ID:

Please ignore my previous e-mail. Turns out I was simply not putting the private after address in interface name.
Anyway, I got it working; this is how I get the logs now:

07:04:58,648 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
07:04:58,649 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.9.1.Final (WildFly Core 2.0.10.Final) started in 60797ms - Started 478 of 841 services (584 services are lazy, passive or on-demand)
07:05:24,574 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,0abe138a46e3) ISPN000094: Received new cluster view for channel server: [0abe138a46e3|1] (2) [0abe138a46e3, 69ef835de644]
07:05:24,578 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,0abe138a46e3) ISPN000094: Received new cluster view for channel keycloak: [0abe138a46e3|1] (2) [0abe138a46e3, 69ef835de644]
07:05:24,589 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,0abe138a46e3) ISPN000094: Received new cluster view for channel web: [0abe138a46e3|1] (2) [0abe138a46e3, 69ef835de644]
07:05:24,607 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,0abe138a46e3) ISPN000094: Received new cluster view for channel hibernate: [0abe138a46e3|1] (2) [0abe138a46e3, 69ef835de644]
07:05:24,614 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,0abe138a46e3) ISPN000094: Received new cluster view for channel ejb: [0abe138a46e3|1] (2) [0abe138a46e3, 69ef835de644]
07:05:25,873 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t1) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[0abe138a46e3: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[0abe138a46e3: 30, 69ef835de644: 30]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
07:05:25,942 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t2) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[0abe138a46e3: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[0abe138a46e3: 40+0, 69ef835de644: 40+0]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
07:05:25,945 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t5) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[0abe138a46e3: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[0abe138a46e3: 40+0, 69ef835de644: 40+0]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
07:05:25,944 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t6) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[0abe138a46e3: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[0abe138a46e3: 40+0, 69ef835de644: 40+0]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
07:05:25,968 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t4) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[0abe138a46e3: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[0abe138a46e3: 30, 69ef835de644: 30]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
07:05:25,971 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t3) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[0abe138a46e3: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[0abe138a46e3: 30, 69ef835de644: 30]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
07:05:26,086 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t6) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1
07:05:26,120 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t6) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 1
07:05:26,301 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t5) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 1
07:05:26,310 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t5) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 1
07:05:26,325 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t5) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 1
07:05:26,332 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t6) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 1

However now I'm back to the initial scenario where:

> I log into kc1 instance, and subsequent requests are authenticated.
> Then I try viewing
> host:8080/auth/realms/master/account
> Which is also authenticated.
>
> Then I try to view this on kc1 by changing port like:
> host:8081/auth/realms/master/account
>
> At this point I expect to see same page. However I get prompted for login for both kc1 and kc2. I see no logs at this point.

So what could be wrong now?

From: Abdullah Sarp Kaya
Date: Thursday, March 31, 2016 at 2:37 PM
To: John Bartko
Cc: Marek Posolda, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Keycloak Clustering, other instance logs me out

Okay, so I gave up using that way and now using S3 instead, that way I can see what they send to each other.
First thing I noticed is the file that they modify looks like this:
74594d4ef42f e0172d5d-8392-5ee7-bba3-03d997c2ef6e 127.0.0.1:55200 T

When another instance connects, it tries to connect to 127.0.0.1:55200 which obviously doesn't work, and that logs out like this:

04:26:15,908 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-2) 74594d4ef42f: JOIN(74594d4ef42f) sent to e8a65867f61d timed out (after 3000 ms), on try 1

Again I looked reverse and found out that jgroups-udp uses this port number. So I found that docker uses 172.17.0.x and assigned 2 IP addresses. Like this:

However right now I still get the previous problem:

04:28:31,418 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
    at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640)
    at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98)
    at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78)
    ... 5 more

Why does it keep showing that my IP address is 0.0.0.0?
Even though I specifically put in the right IP address?

PS: I'm well aware this is a bad hack to put IP addresses specifically, but at this point I'm trying to get it working.

From: John Bartko
Date: Thursday, March 31, 2016 at 12:53 PM
To: Abdullah Sarp Kaya
Cc: Marek Posolda, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Keycloak Clustering, other instance logs me out

You're on the right track. Taking a look at my notes, the following may be required:

* docker container with host mode networking and NET_ADMIN capabilities if clustering across container hosts
* entrypoint parameters:
    -Djgroups.bind_addr=HOST_IP -b HOST_IP --server-config standalone-ha.xml
  note the host default interface IP must be used and not a wildcard of 0.0.0.0
* the socket-binding changed

On Wed, Mar 30, 2016 at 7:49 PM, Sarp Kaya wrote:

Sorry to send an e-mail again; what I did is changed this:

Also set the public interface as:

But now I'm getting this error:

00:45:40,146 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
    at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640)
    at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98)
    at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78)
    ... 5 more
Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
    at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522)
    at org.jgroups.stack.Configurator.ensureValidBindAddresses(Configurator.java:903)
    at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:118)
    at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:57)
    at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:477)
    at org.jgroups.JChannel.init(JChannel.java:853)
    at org.jgroups.JChannel.<init>(JChannel.java:159)
    at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:95)
    at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:92)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:636)
    ... 7 more

If I put a different IP address (say the docker machine IP address) I get the same error as well.

From: John Bartko
Date: Thursday, March 31, 2016 at 1:23 AM
To: Marek Posolda
Cc: Abdullah Sarp Kaya, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Keycloak Clustering, other instance logs me out

When clustering across separate hosts, I had to change the jgroups-udp socket binding to listen on the public interface (binds to loopback by default).

On Wed, Mar 30, 2016 at 5:52 AM, Marek Posolda wrote:

When you start the second instance, are you seeing something like this in the log of both servers?
INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]

If not, then clustering doesn't work properly and the servers don't form a cluster with each other. From the log you sent, there is just the startup of one server, which indicates that clustering may not work.

Maybe multicast doesn't work in your network. Either disable firewall/selinux/whatever to have multicast working or switch to a TCP JGroups channel instead of UDP. See the Wildfly and JGroups documentation for more details.

Also I personally use virtual hosts to test clustering of 2 servers on the same machine (i.e. have virtual servers like kc1:8080 and kc2:8080). Using the same host but differing just in port number (host:8080 and host:8081) may cause a mess with cookies, so I am personally not using a setup like this.

Marek

On 30/03/16 08:38, Sarp Kaya wrote:
I have tried using standalone-ha.xml with shared database. I thought that would be enough but it seems like it's not. The problem is

I log into kc1 instance, and subsequent requests are authenticated.
Then I try viewing
host:8080/auth/realms/master/account
Which is also authenticated.

Then I try to view this on kc1 by changing port like:
host:8081/auth/realms/master/account

At this point I expect to see same page. However I get prompted for login for both kc1 and kc2. I see no logs at this point.

So now I have switched to using keycloak-ha-postgres because it seemed to me that it comes clustering-enabled out of the box. So I nearly did exactly what this page:
https://hub.docker.com/r/jboss/keycloak-ha-postgres/builds/benk6w5cgdmrqonrxvu3bfu/
told me to do. The only difference that I have done is adding ports (with -p 8080:8080 to one instance and -p 8081:8080 to the other one) and adding a new user.
Once I start it, I get this log:

05:28:49,888 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel keycloak
05:28:49,893 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel server
05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel keycloak: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,907 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel keycloak local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,902 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel server: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,914 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel server local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,925 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-2) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
05:28:49,926 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-1) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final
05:28:49,978 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel web
05:28:49,982 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel web: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,984 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel web local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:49,985 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel hibernate
05:28:49,986 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel hibernate: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:49,987 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel hibernate local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:50,028 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
05:28:50,030 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [a05014a5dc24|0] (1) [a05014a5dc24]
05:28:50,031 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is a05014a5dc24, physical addresses are [127.0.0.1:55200]
05:28:50,357 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started realmVersions cache from keycloak container
05:28:50,391 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0002: Started offlineSessions cache from keycloak container
05:28:50,397 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started loginFailures cache from keycloak container
05:28:50,396 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started sessions cache from keycloak container
05:28:50,392 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0002: Started realms cache from keycloak container
05:28:50,399 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started users cache from keycloak container
05:28:50,402 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started work cache from keycloak container

However I still have the same issue as above (I get logged out). Also I don't get any new logs for the entire log-in, log-out processes.

Am I doing something wrong?

Thanks,
Sarp

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160331/0f6bad35/attachment-0001.html

From mposolda at redhat.com Thu Mar 31 04:30:19 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 31 Mar 2016 10:30:19 +0200
Subject: [keycloak-user] Keycloak Clustering, other instance logs me out
In-Reply-To:
References: <56FBAFED.8050701@redhat.com>
Message-ID: <56FCE01B.5080900@redhat.com>

On 31/03/16 09:25, Sarp Kaya wrote:
> Please ignore my previous e-mail. Turns out I was simply not putting the private after address in the interface name.
>
> Anyway, I got it working; this is how I get the logs now:
>
> 07:04:58,648 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
> 07:04:58,649 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.9.1.Final (WildFly Core 2.0.10.Final) started in 60797ms - Started 478 of 841 services (584 services are lazy, passive or on-demand)
> 07:05:24,574 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,0abe138a46e3) ISPN000094: Received new cluster view for channel server: [0abe138a46e3|1] (2) [0abe138a46e3, 69ef835de644]
> 07:05:24,578 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,0abe138a46e3) ISPN000094: Received new cluster view for channel keycloak: [0abe138a46e3|1] (2) [0abe138a46e3, 69ef835de644]
> 07:05:24,589 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,0abe138a46e3) ISPN000094: Received new cluster view for channel web: [0abe138a46e3|1] (2) [0abe138a46e3, 69ef835de644]
> 07:05:24,607 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,0abe138a46e3) ISPN000094: Received new cluster view for channel hibernate: [0abe138a46e3|1] (2) [0abe138a46e3, 69ef835de644]
> 07:05:24,614 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,0abe138a46e3) ISPN000094: Received new cluster view for channel ejb: [0abe138a46e3|1] (2) [0abe138a46e3, 69ef835de644]
> 07:05:25,873 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t1) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[0abe138a46e3: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[0abe138a46e3: 30, 69ef835de644: 30]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
> 07:05:25,942 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t2) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[0abe138a46e3: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[0abe138a46e3: 40+0, 69ef835de644: 40+0]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
> 07:05:25,945 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t5) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[0abe138a46e3: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[0abe138a46e3: 40+0, 69ef835de644: 40+0]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
> 07:05:25,944 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t6) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[0abe138a46e3: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[0abe138a46e3: 40+0, 69ef835de644: 40+0]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
> 07:05:25,968 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t4) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[0abe138a46e3: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[0abe138a46e3: 30, 69ef835de644: 30]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
> 07:05:25,971 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t3) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[0abe138a46e3: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[0abe138a46e3: 30, 69ef835de644: 30]}, unionCH=null, actualMembers=[0abe138a46e3, 69ef835de644]}
> 07:05:26,086 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t6) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1
> 07:05:26,120 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t6) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 1
> 07:05:26,301 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t5) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 1
> 07:05:26,310 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t5) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 1
> 07:05:26,325 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t5) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 1
> 07:05:26,332 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t6) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 1
>
> However now I'm back to the initial scenario where:
>
>> I log into kc1 instance, and subsequent requests are authenticated.
>> Then I try viewing
>> host:8080/auth/realms/master/account
>> Which is also authenticated.
>>
>> Then I try to view this on kc1 by changing port like:
>> host:8081/auth/realms/master/account
>>
>> At this point I expect to see same page. However I get prompted for login for both kc1 and kc2. I see no logs at this point.
>
> So what could be wrong now?

If you want to check if clustering works, you can go to the admin console and see it there. Try a scenario like this:
- Login to the admin console on kc1
- See the "sessions" tab of the user and double-check that your current userSession (the one related to the login to the admin console) is there
- Login to the admin console on kc2
- See the "sessions" tab of the user again and double-check that you are seeing both userSessions there. Double-check that you are seeing the same userSessions on both kc1 and kc2.
If yes, clustering works.

The scenario you pointed out probably doesn't work as you expected because when you access host:8081 (but you were previously logged in on host:8080) the SSO cookie is not shared between host:8080 and host:8081, so you need to reauthenticate.

In a real scenario, you will need a loadbalancer, which will always be accessed under some address like lb:8080 and will re-send the request automatically either to host:8080 or host:8081. With a loadbalancer the cookie will be shared, so you should always be able to see the account page and be authenticated.

Marek

>
> From: Abdullah Sarp Kaya
> Date: Thursday, March 31, 2016 at 2:37 PM
> To: John Bartko
> Cc: Marek Posolda, "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Keycloak Clustering, other instance logs me out
>
> Okay, so I gave up using that way and now using S3 instead, that way I can see what they send to each other.
>
> First thing I noticed is the file that they modify looks like this:
> 74594d4ef42f e0172d5d-8392-5ee7-bba3-03d997c2ef6e 127.0.0.1:55200 T
>
> When another instance connects, it tries to connect to 127.0.0.1:55200 which obviously doesn't work, and that logs out like this:
>
> 04:26:15,908 WARN [org.jgroups.protocols.pbcast.GMS] (MSC service thread 1-2) 74594d4ef42f: JOIN(74594d4ef42f) sent to e8a65867f61d timed out (after 3000 ms), on try 1
>
> Again I looked reverse and found out that jgroups-udp uses this port number. So I found that docker uses 172.17.0.x and assigned 2 IP addresses.
Like this: > > value="${jboss.bind.address:172.17.0.3}"/> > multicast-address="${jboss.default.multicast.address:230.0.0.4}" > multicast-port="45688"/> > However right now I still get the previous problem: > > 04:28:31,418 ERROR [org.jboss.msc.service.fail] (MSC service thread > 1-2) MSC000001: Failed to start service jboss.jgroups.channel.ee: > org.jboss.msc.service.StartException in service > jboss.jgroups.channel.ee: java.security.PrivilegedActionException: > java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any > local network interface > > at > org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80) > > at > org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) > > at > org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) > > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > > at java.lang.Thread.run(Thread.java:745) > > Caused by: java.security.PrivilegedActionException: > java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any > local network interface > > at > org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640) > > at > org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98) > > at > org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78) > > ... 5 more > > Why does it keep showing that my IP address is 0.0.0.0? Despite I > specifically put the right IP address? > > PS: I?m well aware this is a bad hack to put IP addresses > specifically, but at this point I?m trying to get it working. 
>
> From: John Bartko
> Date: Thursday, March 31, 2016 at 12:53 PM
> To: Abdullah Sarp Kaya
> Cc: Marek Posolda, "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Keycloak Clustering, other instance logs me out
>
> You're on the right track. Taking a look at my notes, the following may be required:
>
> * docker container with host mode networking and NET_ADMIN capabilities if clustering across container hosts
> * entrypoint parameters:
>     -Djgroups.bind_addr=HOST_IP -b HOST_IP --server-config standalone-ha.xml
>   note the host default interface IP must be used and not a wildcard of 0.0.0.0
> * the socket-binding changed
>
> On Wed, Mar 30, 2016 at 7:49 PM, Sarp Kaya wrote:
>
> Sorry to send an e-mail again; what I did is changed this:
>
> multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
>
> Also set the public interface as:
>
> value="${jboss.bind.address:0.0.0.0}"/>
>
> But now I'm getting this error:
>
> 00:45:40,146 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
>     at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80)
>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
>     at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640)
>     at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98)
>     at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78)
>     ... 5 more
> Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
>     at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522)
>     at org.jgroups.stack.Configurator.ensureValidBindAddresses(Configurator.java:903)
>     at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:118)
>     at org.jgroups.stack.Configurator.setupProtocolStack(Configurator.java:57)
>     at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:477)
>     at org.jgroups.JChannel.init(JChannel.java:853)
>     at org.jgroups.JChannel.<init>(JChannel.java:159)
>     at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:95)
>     at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:92)
>     at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:636)
>     ... 7 more
>
> If I put a different IP address (say the docker machine IP address) I get the same error as well.
>
> From: John Bartko
> Date: Thursday, March 31, 2016 at 1:23 AM
> To: Marek Posolda
> Cc: Abdullah Sarp Kaya, "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Keycloak Clustering, other instance logs me out
>
> When clustering across separate hosts, I had to change the jgroups-udp socket binding to listen on the public interface (binds to loopback by default).
>
> On Wed, Mar 30, 2016 at 5:52 AM, Marek Posolda wrote:
>
> When you start the second instance, are you seeing something like this in the log of both servers?
> > INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (Incoming-10,shared=udp) > ISPN000094: Received new cluster view: [node1/keycloak|1] (2) > [node1/keycloak, node2/keycloak] > > If not, then clustering doesn't work properly and the servers > doesn't form a cluster with each other. From the log you sent, > there is just startup of one server, which indicates that > clustering may not work. > > Maybe multicast doesn't work in your network. Either disable > firewall/selinux/whatever to have multicast working or switch > to TCP JGroups channel instead of UDP. See the Wildfly and > JGroups documentation for more details. > > Also I personally use the virtual hosts to test clustering of > 2 servers on same machine (Ie. have virtual servers like > kc1:8080 and kc2:8080) . Using same host but differ just in > port number ( host:8080 and host:8081 ) may causing mess with > cookies, so > I am personally not using the setup like this. > > Marek > > > On 30/03/16 08:38, Sarp Kaya wrote: >> I have tried using standalone-ha.xml with shared database. I >> thought that would be enough but it seems like it's not. The >> problem is >> >> I log into kc1 instance, and subsequent requests are >> authenticated. >> Then I try viewing >> host:8080/auth/realms/master/account >> Which is also authenticated. >> >> Then I try to view this on kc1 by changing port like: >> host:8081/auth/realms/master/account >> >> At this point I expect to see same page. However I get >> prompted for login for both kc1 and kc2. I see no logs at >> this point. >> >> So now I have switched to using keycloak-ha-postgres because >> it seemed to me that it comes clustering enabled out of box. >> So I nearly did exactly what this page: >> https://hub.docker.com/r/jboss/keycloak-ha-postgres/builds/benk6w5cgdmrqonrxvu3bfu/ >> told me to so. The only difference that I have done is >> adding ports (with -p 8080:8080 to one instance and -p >> 8081:8080 to the another one) and adding a new user. 
>> >> Once I start the I get this log: >> >> 05:28:49,888 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-1) ISPN000078: Starting JGroups channel >> keycloak >> >> 05:28:49,893 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-2) ISPN000078: Starting JGroups channel >> server >> >> 05:28:49,902 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-1) ISPN000094: Received new cluster >> view for channel keycloak: [a05014a5dc24|0] (1) [a05014a5dc24] >> >> 05:28:49,907 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-1) ISPN000079: Channel keycloak local >> address is a05014a5dc24, physical addresses are >> [127.0.0.1:55200 ] >> >> 05:28:49,902 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-2) ISPN000094: Received new cluster >> view for channel server: [a05014a5dc24|0] (1) [a05014a5dc24] >> >> 05:28:49,914 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-2) ISPN000079: Channel server local >> address is a05014a5dc24, physical addresses are >> [127.0.0.1:55200 ] >> >> 05:28:49,925 INFO >> [org.infinispan.factories.GlobalComponentRegistry] (MSC >> service thread 1-2) ISPN000128: Infinispan version: >> Infinispan 'Mahou' 8.1.0.Final >> >> 05:28:49,926 INFO >> [org.infinispan.factories.GlobalComponentRegistry] (MSC >> service thread 1-1) ISPN000128: Infinispan version: >> Infinispan 'Mahou' 8.1.0.Final >> >> 05:28:49,978 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-2) ISPN000078: Starting JGroups channel web >> >> 05:28:49,982 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-2) ISPN000094: Received new cluster >> view for channel web: [a05014a5dc24|0] (1) [a05014a5dc24] >> >> 05:28:49,984 INFO >> 
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-2) ISPN000079: Channel web local >> address is a05014a5dc24, physical addresses are >> [127.0.0.1:55200 ] >> >> 05:28:49,985 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-1) ISPN000078: Starting JGroups channel >> hibernate >> >> 05:28:49,986 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-1) ISPN000094: Received new cluster >> view for channel hibernate: [a05014a5dc24|0] (1) [a05014a5dc24] >> >> 05:28:49,987 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-1) ISPN000079: Channel hibernate local >> address is a05014a5dc24, physical addresses are >> [127.0.0.1:55200 ] >> >> 05:28:50,028 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb >> >> 05:28:50,030 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-1) ISPN000094: Received new cluster >> view for channel ejb: [a05014a5dc24|0] (1) [a05014a5dc24] >> >> 05:28:50,031 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (MSC service thread 1-1) ISPN000079: Channel ejb local >> address is a05014a5dc24, physical addresses are >> [127.0.0.1:55200 ] >> >> 05:28:50,357 INFO [org.jboss.as.clustering.infinispan] >> (ServerService Thread Pool -- 56) WFLYCLINF0002: Started >> realmVersions cache from keycloak container >> >> 05:28:50,391 INFO [org.jboss.as.clustering.infinispan] >> (ServerService Thread Pool -- 54) WFLYCLINF0002: Started >> offlineSessions cache from keycloak container >> >> 05:28:50,397 INFO [org.jboss.as.clustering.infinispan] >> (ServerService Thread Pool -- 55) WFLYCLINF0002: Started >> loginFailures cache from keycloak container >> >> 05:28:50,396 INFO [org.jboss.as.clustering.infinispan] >> (ServerService Thread Pool -- 52) 
WFLYCLINF0002: Started >> sessions cache from keycloak container >> >> 05:28:50,392 INFO [org.jboss.as.clustering.infinispan] >> (ServerService Thread Pool -- 53) WFLYCLINF0002: Started >> realms cache from keycloak container >> >> 05:28:50,399 INFO [org.jboss.as.clustering.infinispan] >> (ServerService Thread Pool -- 51) WFLYCLINF0002: Started >> users cache from keycloak container >> >> 05:28:50,402 INFO [org.jboss.as.clustering.infinispan] >> (ServerService Thread Pool -- 50) WFLYCLINF0002: Started work >> cache from keycloak container >> >> >> >> However I still have the same issue as above (I get logged >> out). Also I don't get any new logs for the entire log-in, >> log-out processes. >> >> Am I doing something wrong? >> Thanks, >> Sarp >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160331/17027556/attachment-0001.html From mposolda at redhat.com Thu Mar 31 05:38:19 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 31 Mar 2016 11:38:19 +0200 Subject: [keycloak-user] Is Keycloak client admin thread safe? In-Reply-To: References: Message-ID: <56FCF00B.1030901@redhat.com> It's supposed to be and we even internally using it in some concurrency test. It's using Apache HTTP client under the hood, which itself is thread-safe and is using connection pooling. In case you need, you can configure more fine-grained details (like connection pool size etc) by pass the custom resteasyClient to Keycloak object. 
However when I looked a bit more into sources now, I can see that there are some potential concurrency issues in TokenManager class, which is used internally by admin client. Created JIRA https://issues.jboss.org/browse/KEYCLOAK-2731 for it. It's not too bad IMO, but note that you can possibly see situation when more concurrent threads are trying to refresh the same access token at the same time. Marek On 31/03/16 01:37, Hristo Stoyanov wrote: > > Is org.Keycloak.admin.client.Keycloak threadsafe? I intend to use it > as a single admin client for the entire app ... > > /Hristo Stoyanov > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160331/efb65d66/attachment.html From xiao.ma at masergy.com Thu Mar 31 10:30:49 2016 From: xiao.ma at masergy.com (Xiao Ma) Date: Thu, 31 Mar 2016 10:30:49 -0400 Subject: [keycloak-user] Logout to the external IDP In-Reply-To: <56FC5523.307@redhat.com> References: <56F0048D.4050601@redhat.com> <56FC5523.307@redhat.com> Message-ID: Thank you very much for the quick help, Bill! Regards, Xiao On Wed, Mar 30, 2016 at 6:37 PM, Bill Burke wrote: > This is fixed in master and will be released with 1.9.2 in 1 or 2 weeks. > > > On 3/21/2016 11:25 AM, Xiao Ma wrote: > > Thank you, Bill! I am wondering what is our rough estimate on when are > going to release 1.9.2.Final. > > Best Regards, > Xiao > > On Mon, Mar 21, 2016 at 10:26 AM, Bill Burke wrote: > >> I think this is a bug. We probably don't refresh the token that is >> obtained by the "child" IDP. 
>> >> https://issues.jboss.org/browse/KEYCLOAK-2691 >> >> On 3/20/2016 10:58 AM, Xiao Ma wrote: >> >> Hi, >> >> I configured an OIDC identity provider by selecting the OpenID Connect >> v1.0 identity provider from the drop-down box on the top right corner of >> the identity providers table in Keycloak's Admin Console. During the >> configuration process, I also configure "Logout Url" for the IDP logout >> url. >> >> When I try to logout to the external IDP, the browser is redirected to >> the external IDP to perform the logout. I can see some URL as follows: >> >> https://*keycloakdev.xxxxxxx.com * >> /auth/realms/*Internal*/protocol/openid-connect/logout?*state=* >> a4efbda0-8b98-4169-a369-59e92bc3fac5&*id_token_hint=*eyJhbGciOiJSUzI1NiJ9.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.BIneKvUpSPq4c32dV5JclWPjtbA0U55u8Pf_C7KDokNMMBKCERHnzIS8-9csBxh8NLJbB_PmApMY0! >> raAz-YPO >> cwyvmsOJ23bSrDR3Oa2HZ5JEGzs9IVFyhzQXJuDBCBWcPZl-eNxnxdGkNJBd7Cx03iWsUVUE9NeJYPjeZ5s8rmDtaX38V6JywugWRby5rfSZDLpu7xoGj6a_ZSZEXUfktwCMHS0Jnz_1M778Bmka0TcD1bvIpuqVl4-YQf2P3UZWgxqFQoNDVegZUNuekqUQyJiuRjlQuhITg5tDYfy2DbhkqVsN2gR7mUp21WNx2S5pG5Hb9cXajIVGR6SmW4qKA >> : >> >> "keycloakdev.xxxxxxx.com" is where the externalIDP is located. >> "Internal" is the name of the realm. The parameters "state" and >> "id_token_hint" are appended to the endpoint logout URL automatically >> during the logout process. >> >> However, this process failed because I got "Session Not Active" error in >> the UI. After some investigations, I found this "Session Not Active" error >> seems to be related to the value of Realm Setting -> Tokens -> Access >> Token Lifespan I configured. The default value is 5 minutes, if I trigger >> the logout within 5 minutes, I can logout to the external IDP successfully. >> If I do the logout after 5 minutes, I will get this "Session Not >> Active" error. Is this the expected behavior? 
Do I have to bump up the >> value of "Access Token Lifespan" to get a longer session for the logout >> purpose? >> >> Thanks a lot for the help! >> >> Xiao >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hathttp://bill.burkecentral.com >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160331/edf3e4fe/attachment.html From jsprague at redhat.com Thu Mar 31 13:17:19 2016 From: jsprague at redhat.com (Jared Sprague) Date: Thu, 31 Mar 2016 13:17:19 -0400 (EDT) Subject: [keycloak-user] Which OpenID Connect Flow to Use? In-Reply-To: <586916272.35742524.1459444041411.JavaMail.zimbra@redhat.com> Message-ID: <943504158.35746087.1459444639623.JavaMail.zimbra@redhat.com> Hello! We are currently in the process of migrating our Customer Portal to Keycloak, and are trying to decide which is the best OpenID Connect Flow to use, standard or implicit, based on our needs. What are example use cases for both flows? When would you use one vs the other? Here is the general use case we are trying to solve. 1. A user logs in and receives an access_token. 1. The user loads an Angular single-page-app that makes a call to a stateless REST api, passing an access token. 2. The REST API validates the access_token and forwards the request to the downstream system e.g. a data provider, including the access token in the request. 3. 
The data provider retrieves the access token and validates it and returns the response to the REST service, which returns the response to the Angular app. The above flow should be able to continue anytime throughout the duration of the SSO session. So for the above flow which OpenID Connect flow would you recommend using? Standard, Implicit, or Hybrid? Standard Flow http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth Implicit Flow http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth Thank you! - Jared Sprague access.redhat.com From bburke at redhat.com Thu Mar 31 13:40:03 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 31 Mar 2016 13:40:03 -0400 Subject: [keycloak-user] Which OpenID Connect Flow to Use? In-Reply-To: <943504158.35746087.1459444639623.JavaMail.zimbra@redhat.com> References: <943504158.35746087.1459444639623.JavaMail.zimbra@redhat.com> Message-ID: <56FD60F3.6060109@redhat.com> The Keycloak admin console is a pure HTML5/Javascript/Angular application. It is a public client that uses the keycloak.js adapter. It uses the authorization code grant flow (standard). The admin console app is registered as a client under the realm with precise allowed redirect URIs. CORS is used at the REST api to additionally ensure that the correct origins are communicating with it. This ensures that only the admin console can initiate authentication and that only the admin console can participate in the auth code grant flow and only the admin console (through CORS and bearer tokens) can invoke on the REST API. On 3/31/2016 1:17 PM, Jared Sprague wrote: > Hello! > We are currently in the process of migrating our Customer Portal to Keycloak, and are trying to decide which is the best OpenID Connect Flow to use, standard or implicit, based on our needs. What are example use cases for both flows? When would you use one vs the other? > > Here is the general use case we are trying to solve. > > 1. A user logs in and receives an access_token. 
> 1. The user loads an Angular single-page-app that makes a call to a stateless REST api, passing an access token. > 2. The REST API validates the access_token and forwards the request to the downstream system e.g. a data provider, including the access token in the request. > 3. The data provider retrieves the access token and validates it and returns the response to the REST service, which returns the response to the Angular app. > > The above flow should be able to continue anytime throughout the duration of the SSO session. So for the above flow which OpenID Connect flow would you recommend using? Standard, Implicit, or Hybrid? > > Standard Flow > http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth > > Implicit Flow > http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth > > Thank you! > - Jared Sprague > access.redhat.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From ali at affordabletours.com Thu Mar 31 13:43:24 2016 From: ali at affordabletours.com (Firdos Ali) Date: Thu, 31 Mar 2016 12:43:24 -0500 Subject: [keycloak-user] EJB Invalid User + Log Out not working In-Reply-To: <04eb01d18384$6911f000$3b35d000$@affordabletours.com> References: <013001d17b01$c290ac60$47b20520$@affordabletours.com> <00af01d17edb$d7bb50d0$8731f270$@affordabletours.com> <03e301d18122$e7407f50$b5c17df0$@affordabletours.com> <56F00B80.90800@redhat.com> <04eb01d18384$6911f000$3b35d000$@affordabletours.com> Message-ID: Hi Bill, I'm not sure if you've had a chance to review my previous message, so I thought I ping you again. Would you let me know what else I can do as I have followed the documentation and still can't seem to get this working inside of an ear file which contains both the war and jars (contains the EJB files). 
On Mon, Mar 21, 2016 at 10:14 AM, Firdos Ali wrote: > Thank you and I hope that your meetings went well. I already had that in > place when I read the documentation which is why it was really odd to see > it not work. Below is my server.xml file: > > > > > > > > > > > > > > . . . > > > > > > > > > > xmlns="urn:jboss:domain:ejb3:2.0"> > > . . . > > value="keycloak"/> > > . . . > > > > > > > > . . . > > > > > > > > > code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/> > > > > > > > > > > . . . > > xmlns="urn:jboss:domain:keycloak:1.1"> > > > > affordabletours > > atoms > > ... > > http://10.0.0.2:8080/auth > > > EXTERNAL > > some secret > > > > > > > > > > *From:* keycloak-user-bounces at lists.jboss.org [mailto: > keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Bill Burke > *Sent:* Monday, March 21, 2016 9:56 AM > *To:* keycloak-user at lists.jboss.org > > *Subject:* Re: [keycloak-user] EJB Invalid User + Log Out not working > > > > Sorry for late response. We were all traveling last week for face to face > meetings. > > Check out this: > > > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jboss-adapter > > Look for KeycloakLoginModule You have to set this up in order to > propagate between component layers. I wish we didn't have to require this > extra step, but its just a falacy of the current Wildfly security > architecture. > > On 3/18/2016 10:31 AM, Firdos Ali wrote: > > The EJB is called from the server-side web app. This is a legacy app > using Struts, so after the user logs in from keycloak they are redirected > back to the webapp. The web application has access to the user, however > the EJB does not find a user and throws back the error. 
> > > > I have the following in my jboss-web.xml: > > > > > > java:/jaas/keycloak > > > > > > I have the following in my jboss-ejb3.xml: > > > > > xmlns="http://java.sun.com/xml/ns/javaee" > > > xmlns:jboss="http://www.jboss.com/xml/ns/javaee" > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > > > xmlns:s="urn:security:1.1" > > version="3.1" impl-version="2.0"> > > > > > > * > > keycloak > > > > > true > > > > > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com ] > > *Sent:* Friday, March 18, 2016 7:05 AM *To:* Firdos Ali > *Cc:* keycloak-user > ; Stian Thorgersen > > *Subject:* RE: [keycloak-user] EJB Invalid User + Log Out not working > > > > How is the ejb being called? From jax-rs service or server-side web app? > For there to be a user you need to be authenticated as a user so either the > server-side webapp has redirected to login page or there is a bearer token > included in the authorisation header of the http request. > > On 15 Mar 2016 17:58, "Firdos Ali" wrote: > > Thank you for the prompt response. > > > > I moved to keycloak 1.9.1 both on the server and updated the adapter, > however it is still not working. Let me clarify on a few other things and > hopefully that will provide some additional context > > > > We put our project in an ear file which contains one jar file inclusive of > the stateless ejbs, one war file, and a few other supporting jar files. > > > > The war file has the keycloak.json with the following: > > { > > "realm": "affordabletours", > > "realm-public-key": "some key", > > "auth-server-url": "http://10.0.0.1:8080/auth", > > "ssl-required": "external", > > "resource": "keycloaktest", > > "credentials": { > > "secret": "some secret" > > } > > } > > > > Are you suggesting that I change the resource "keycloaktest" access type > from "confidential" to "bearer-only"? If so, I tried that and > unfortunately that did not work. 
I guess my confusion is how would the jar > file with the ejbs is aware of the security context when it is only at the > war level? Thanks > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Friday, March 11, 2016 12:29 AM > *To:* Firdos Ali > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] EJB Invalid User + Log Out not working > > > > > > > > On 10 March 2016 at 20:19, Firdos Ali wrote: > > Hello, > > > > I am having a few problems with Keycloak. Let me first start with the > environment information: > > > > Keycloak version: 1.9.0 > > Keycloak wildfly version: 10.0.0 > > > > Application wildfly version: 8.0.0 > > > > *Problem 1: EJB error - javax.ejb.EJBAccessException: JBAS013323: Invalid > User* > > I have followed the documentation by adding the keycloak adapter to the > application wildfly 8.0 and by server.xml has the following: > > > > > ... > > > > > > ... > > > code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/> > > > > > ... > > > > MyEJB: > @Stateless > > @Local(MyInt.*class*) > > @SecurityDomain("keycloak") > *public* *class* MyBean *implements* MyInt > > ... > > @PermitAll > > @TransactionAttribute(TransactionAttributeType.*REQUIRES_NEW*) > > *public* boolean myMethod(...) *throws* Exception { > > } > > > > At the moment I am not using jboss-ej3.xml as I reference the security > domain in my EJB class. I added it and it did not help out > > > > Stacktrace: > > ERROR [org.jboss.as.ejb3.invocation] (default task-13) JBAS014134: EJB > Invocation failed on component MyBean for method public abstract boolean > com.at.ejb.MyInt.myMethod(...) 
throws java.lang.Exception: > javax.ejb.EJBAccessException: JBAS013323: Invalid User > > at > org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:66) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:46) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:92) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) > [wildfly-ejb3-8.0.0.Final.jar:8.0.0.Final] > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) > > at > org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448) > 
> at > org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326) > > at > org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > at > org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) > > at > org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185) > > at > org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182) > > at > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309) > > Is there something I am missing from the documentation? Any thoughts how > to resolve this issue? > > > > Is there a bearer token sent with the request that invokes the EJB? If so > try with 1.9.1. Could be https://issues.jboss.org/browse/KEYCLOAK-2518 > fixes this. > > > > *Problem 2: Unable to log out a user from keycloak administration console:* > > After I click "Logout" on the administration console in Keycloak, I see > the following error on the keycloak server: > > ERROR [io.undertow.request] (default task-26) UT005023: Exception handling > request to > /auth/admin/realms/affordabletours/sessions/f1e69f90-03fc-453d-a495-225bb0c429ab: > org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: > org.apache.http.impl.client.HttpClientBuilder.setConnectionTimeToLive(JLjava/util/concurrent/TimeUnit;)Lorg/apache/http/impl/client/HttpClientBuilder; > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > > > > Are you using the standalone Keycloak server? Looking at javadocs for > httpclient setConnectionTimeToLive was added in 4.4. 
WildFly 10 uses > httpclient 4.5, so looks like for some reason you have an old version of > httpclient. > > > > > Best regards, > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > -- Best regards, *AffordableTours.com* Firdos Ali Senior Project Manager 11150 Cash Road Stafford, TX 77477 Toll Free (800) 935-2620 X181 Direct (281) 269-2681 Fax (281) 269-2691 E-mail: ali at affordabletours.com My Working Hours: Mon - Fri: 09:00AM - 05:00PM CST *NOTICE: This e-mail message, including any attachments, is for the use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the recipient, please contact the sender by reply e-mail and destroy all copies of the original message* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160331/0ee0d68a/attachment-0001.html From hr.stoyanov at peruncs.com Thu Mar 31 15:20:59 2016 From: hr.stoyanov at peruncs.com (Hristo Stoyanov) Date: Thu, 31 Mar 2016 19:20:59 +0000 Subject: [keycloak-user] Is Keycloak client admin thread safe? In-Reply-To: <56FCF00B.1030901@redhat.com> References: <56FCF00B.1030901@redhat.com> Message-ID: Marek, Thanks for this clarification and all your help in this forum to my other questions! You guys rock! /Hristo Stoyanov On Mar 31, 2016 2:38 AM, "Marek Posolda" wrote: > It's supposed to be and we even internally using it in some concurrency > test. 
> > It's using Apache HTTP client under the hood, which itself is thread-safe > and is using connection pooling. In case you need, you can configure more > fine-grained details (like connection pool size etc) by pass the custom > resteasyClient to Keycloak object. > > However when I looked a bit more into sources now, I can see that there > are some potential concurrency issues in TokenManager class, which is used > internally by admin client. Created JIRA > https://issues.jboss.org/browse/KEYCLOAK-2731 for it. It's not too bad > IMO, but note that you can possibly see situation when more concurrent > threads are trying to refresh the same access token at the same time. > > Marek > > > On 31/03/16 01:37, Hristo Stoyanov wrote: > > Is org.Keycloak.admin.client.Keycloak threadsafe? I intend to use it as a > single admin client for the entire app ... > > /Hristo Stoyanov > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160331/f9ded0b6/attachment.html From leo.nunes at gjccorp.com.br Thu Mar 31 17:01:06 2016 From: leo.nunes at gjccorp.com.br (LEONARDO NUNES) Date: Thu, 31 Mar 2016 21:01:06 +0000 Subject: [keycloak-user] req.getUserPrincipal() returns NULL before navigating to a restricted url (after login) Message-ID: Hi everyone, I have a page1 that it's access is not restricted, at the page1 I have a Login button that directs to Keycloak and the redirect_uri is the page1. After I login and get redirect to page1, I try to access the logged in user information with req.getUserPrincipal() but this method returns NULL at this moment. If I navigate to a page that it's url is restricted and then return to the non-restricted page, then req.getUserPrincipal() returns the user object. 
I noticed that I have to go to a restricted page before being able to access the user information at a non-restricted page. The ticket below solved the problem of not accessing the user information at a non-restricted page, but still have this case when the user logged in at non-restricted page. https://issues.jboss.org/browse/KEYCLOAK-2518 -- Leonardo ________________________________ This message may contain confidential and/or privileged information. If you are not the addressee or the person authorized to receive this message, you may not use, copy or disclose the information it contains or take any action based on that information. If you have received this message in error, please notify the sender immediately by replying to the e-mail and then delete it. We appreciate your cooperation. This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160331/277507b5/attachment.html From hr.stoyanov at peruncs.com Thu Mar 31 18:05:11 2016 From: hr.stoyanov at peruncs.com (Hristo Stoyanov) Date: Thu, 31 Mar 2016 22:05:11 +0000 Subject: [keycloak-user] @SecurityDomain for wildfly 10? Message-ID: Do we still need @SecurityDomain for wildfly 10 ejbs in addition for the older jboss server? If so, I think in section 8.2.1, the example ejb code has the wrong import for that annotation. It should be : import org.jboss.annotation.security.SecurityDomain? /Hristo Stoyanov -------------- next part -------------- An HTML attachment was scrubbed... 
From Anthony.Fryer at virginaustralia.com Thu Mar 31 20:21:13 2016
From: Anthony.Fryer at virginaustralia.com (Anthony Fryer)
Date: Fri, 1 Apr 2016 00:21:13 +0000
Subject: [keycloak-user] standard vs implicit flow in SPA
Message-ID: <8EE3449CB6463C4FB0544A12CEA72DD7DEC08C8F@iskexcemxprd02.virginblue.internal>

Hi,

Up until recently I automatically selected to use the implicit grant flow from SPAs, but lately I've been re-assessing this, since the Keycloak JavaScript adapter provides the standard flow out of the box and makes that a viable option. I also note that the Keycloak admin console is an HTML5/JavaScript/AngularJS app that uses the Keycloak JS adapter and uses the standard flow.

As a side note, I find the client defaults interesting in that implicit flow is disabled but direct access grants are enabled (I'm coming from a MITREid Connect implementation where direct access grants were disabled by default and implicit flow was enabled, so I just wonder what the thinking is behind this, since direct access grants are discouraged).

I'm really wondering why you are pushing the standard flow from the Keycloak JavaScript adapter instead of implicit. What are the benefits that make the standard flow better in this case? One thing I have seen mentioned is that refresh tokens obtained in the standard flow make it easy to get a new access token, but I thought you could get refresh tokens from the implicit flow anyway, and even if not, if a user logs in with "remember me", then getting a new access token doesn't require the user to re-enter credentials.

I want to make sure that when implementing Keycloak in our SPA we choose the best flow, and want to know if there's some reason the standard flow is best.
Regards,

Anthony Fryer | Solution Architect & Designer
Mb: 0438 781 745
Email: anthony.fryer at virginaustralia.com
Virgin Australia group of airlines including Virgin Australia, V Australia, Pacific Blue and Polynesian Blue