[keycloak-user] keycloak configuration
Bill Burke
bburke at redhat.com
Thu Mar 24 12:47:39 EDT 2016
Contributions are always welcome!
On 3/24/2016 10:31 AM, Jason Axley wrote:
> +1 on the API documentation. I’d prefer a Swagger interface with
> collapsible sections and the ability to execute the API in the browser
> for testing. Additionally, you can now integrate with Postman by
> importing everything as a Postman collection via a Run in Postman
> button — would also be very useful. You can just import the Swagger
> or RAML file to create the Postman collection.
>
> -Jason
>
> From: <keycloak-user-bounces at lists.jboss.org
> <mailto:keycloak-user-bounces at lists.jboss.org>> on behalf of Guus der
> Kinderen <guus.der.kinderen at gmail.com
> <mailto:guus.der.kinderen at gmail.com>>
> Date: Thursday, March 24, 2016 at 6:54 AM
> To: Bill Burke <bburke at redhat.com <mailto:bburke at redhat.com>>
> Cc: "keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>" <keycloak-user at lists.jboss.org
> <mailto:keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] keycloak configuration
>
> I signed up to the mailing list at a time that this thread was already
> underway. I didn't read back to find out what the original question
> was, and given the tone of the responses I am not going to either,
> but, as for the call for specific improvements: I've got two:
>
> * It would be helpful if the section on JAAS integration would
>   contain a very short example of a configuration file, and a java
>   snippet that shows how to instantiate a LoginContext based on
>   that. I was unfamiliar with JAAS and was struggling to put one and
>   one together. I think the above could be done in ten lines or so,
>   so it's relatively small, but would be a good illustrative example
>   for the likes of me.
> * The REST endpoint documentation lacks structure (grouping), which
>   makes it hard to navigate. Improving on that would be as simple as
>   grouping each piece of documentation by its resource path.
>
> $0.02
>
> - Guus
>
> On 24 March 2016 at 14:25, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
> Documentation hasn't received any love for more than a year.
> Screencasts are even more out of date. The good news is that
> myself and the Red Hat documentation team are scheduled to focus on
> docs and screencasts the month of April. Up until a few months
> ago, we were just an open source community. Now that the Red Hat
> machine is getting behind us, areas like documentation should
> start to be improved.
>
> BTW, if you want help, we need more than just "it doesn't work,
> your documentation sucks". Walking us through the problem helps
> us improve error messages, general usability, and documentation.
> Threatening us doesn't really help as you are just as likely to
> get ignored.
>
> On 3/24/2016 4:56 AM, Stian Thorgersen wrote:
>> Firstly, that's not FreeIPA (community project) documentation,
>> but Red Hat Identity Management documentation (product). The
>> FreeIPA documentation is https://www.freeipa.org/page/Documentation.
>>
>> Secondly, just stating that our documentation is bad and pointing
>> to some better documentation doesn't give us anything to go on.
>> We would like to give a good experience and I would be very
>> interested in knowing exactly what documentation you are lacking,
>> hard to understand or whatever other issues you may have with the
>> documentation. Help us to help you ;)
>>
>> Finally we know the documentation is not as good as it could be
>> and are planning to improve it in the not too distant future. So
>> input from users would be valuable.
>>
>> On 23 March 2016 at 11:32, Pavlos Kleanthous <parsectix at gmail.com
>> <mailto:parsectix at gmail.com>> wrote:
>>
>> Just compare the documentation from another Red Hat product,
>> FreeIPA
>> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html>
>>
>> I have read this documentation and set up/configured the IPA server
>> very easily.
>>
>> Keycloak's current documentation looks more like a
>> developer's manual to me.
>>
>>
>> On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen
>> <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>>
>> Could you elaborate on what is missing from the
>> documentation? That would be helpful.
>>
>> On 22 Mar 2016 12:05, "Pavlos Kleanthous"
>> <parsectix at gmail.com <mailto:parsectix at gmail.com>> wrote:
>>
>> Dear all,
>>
>> I dropped the project at the moment. The lack of
>> documentation is too time consuming.
>>
>> Hope that soon keycloak will have it.
>>
>>
>> On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen
>> <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>>
>> What adapter? Is the server and client adapter
>> both 1.9.1? We did recently deprecate some OIDC
>> endpoints. I think ../login is gone and it should
>> be ../auth. So if you are using an old adapter
>> that may be the issue.
>>
>> On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous"
>> <parsectix at gmail.com
>> <mailto:parsectix at gmail.com>> wrote:
>>
>> Yours.
>>
>> I configured the realm with the same
>> settings on both versions 1.9.1 and 1.8.1.
>>
>>
>> On Fri, Mar 18, 2016 at 11:58 AM, Stian
>> Thorgersen <sthorger at redhat.com
>> <mailto:sthorger at redhat.com>> wrote:
>>
>> Client ID has nothing to do with this
>> issue as it would show a login error
>> page, not a not found. So it must be that either
>> the realm name or another part of the URL is wrong.
>>
>> Are you using our adapters or another
>> library atm?
>>
>> I'm answering on my phone on the plane so
>> can't look into it more atm.
>>
>> On 17 Mar 2016 10:00, "Pavlos Kleanthous"
>> <parsectix at gmail.com
>> <mailto:parsectix at gmail.com>> wrote:
>>
>> Hi,
>>
>> In jenkins, I'm pasting the JSON
>> configuration that can be found
>> inside the "Installation" tab.
>>
>> Instead of using keycloak client
>> plugins, can I use a generic oauth
>> plugin in my apps? How can I
>> configure my keycloak for this?
>> i.e. Instead of using google's oauth
>> URL use my own pointing to keycloak.
>>
>>
>> On Wed, Mar 16, 2016 at 1:29 PM,
>> Marko Strukelj <mstrukel at redhat.com
>> <mailto:mstrukel at redhat.com>> wrote:
>>
>> In your jenkins realm - under
>> Clients do you have a client
>> called 'ci'? That's the client_id
>> used in your request.
>>
>> AFAIK nothing changed in this
>> part of the code since 1.8.1.
>>
>> On Mar 16, 2016 12:04 PM, "Pavlos
>> Kleanthous" <parsectix at gmail.com
>> <mailto:parsectix at gmail.com>> wrote:
>>
>> yes I can.
>>
>> Please note that this is a problem of version 1.9.1.
>> I have now tried version 1.8.1 and it redirects me to
>> keycloak.
>>
>> p.s. I'm using the official
>> containers from docker hub.
>>
>> On Wed, Mar 16, 2016 at 10:56 AM, Marko Strukelj
>> <mstrukel at redhat.com <mailto:mstrukel at redhat.com>> wrote:
>>
>> Are you able to login into admin console at:
>> http://192.168.99.100:32786/auth
>>
>> And you see the realm called 'jenkins' there?
>>
>> On Mar 16, 2016 11:32 AM, "Pavlos Kleanthous"
>> <parsectix at gmail.com <mailto:parsectix at gmail.com>> wrote:
>>
>> Hi guys adding to this. Please see the HTTP requests and
>> responses.
>>
>> Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
>> Request Method: GET
>> Status Code: 302 Found
>> Remote Address: 192.168.99.100:32769
>> Response Headers
>>   Content-Length: 0
>>   Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>   Server: Jetty(winstone-2.9)
>>   X-Content-Type-Options: nosniff
>>
>> Request URL: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>> Request Method: GET
>> Status Code: *404 Not Found*
>> Remote Address: 192.168.99.100:32786
>> Response Headers
>>   Connection: keep-alive
>>   Content-Length: 0
>>   Date: Wed, 16 Mar 2016 10:30:40 GMT
>>   Server: WildFly/10
>>   X-Powered-By: Undertow/1
>> Request Headers
>>   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>   Accept-Encoding: gzip, deflate, sdch
>>   Accept-Language: en-US,en;q=0.8,el;q=0.6
>>   Connection: keep-alive
>>   DNT: 1
>>   Host: 192.168.99.100:32786
>>   Referer: http://192.168.99.100:32769/
>>   Save-Data: on
>>   Upgrade-Insecure-Requests: 1
>>
>>
>> On Tue, Mar 15, 2016 at 4:26 PM, Pavlos Kleanthous
>> <parsectix at gmail.com <mailto:parsectix at gmail.com>> wrote:
>>
>> Thanks for pointing this out. I think it does not matter as the
>> same name can be found in "Installation" tab where I copied the
>> configuration.
>>
>> On Tue, Mar 15, 2016 at 4:21 PM, Marko Strukelj
>> <mstrukel at redhat.com <mailto:mstrukel at redhat.com>> wrote:
>>
>> Looks like you mistyped your client id: 'jenknis'.
>>
>> On Mar 15, 2016 5:19 PM, "Pavlos Kleanthous"
>> <parsectix at gmail.com <mailto:parsectix at gmail.com>> wrote:
>>
>> Hello,
>>
>> I'm trying to configure keycloak for the first time. My setup has
>> 2 containers, keycloak and jenkins. Following the example of how to
>> integrate those two, I created a realm and a client called "jenkins".
>>
>> It seems that the realm configuration is not correct, as I get the
>> following debug error:
>> "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"
>>
>> I noticed that
>> "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect"
>> does not work generally. The URL ending with
>> "/auth/realms/ci/account" works.
>>
>> If I access the URL:
>> http://192.168.99.100:32786/auth/realms/ci
>>
>> {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>>
>> Can you help me find the problem?
>>
>> p.s. Is there any other way to find help on those matters? Tried
>> IRC but nobody is replying there...
>>
>> Thank you
>>
>> _______________________________________________
>> keycloak-user
>> mailing list
>> keycloak-user at lists.jboss.org
>> <mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
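
Added example, not part of the original thread and not Keycloak or Jenkins plugin code: a small check for the troubleshooting quoted above. It parses the two login URLs that appear in the thread, compares realm and client_id with the configured names, and flags the ../login endpoint that Stian Thorgersen says should be ../auth. The function name and the expected realm/client arguments are assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Both URLs are copied from the messages quoted in this thread.
FIRST_REPORT = (
    "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login"
    "?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769"
    "%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"
)
JENKINS_302 = (
    "http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login"
    "?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769"
    "%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184"
)

# <prefix>/realms/<realm>/protocol/openid-connect/<endpoint>
OIDC_PATH = re.compile(
    r"^(?P<base>.*/realms/(?P<realm>[^/]+)/protocol/openid-connect)/(?P<endpoint>[^/]+)$"
)


def audit_login_redirect(url, expected_realm, expected_client):
    """Return (findings, suggested_url); the suggestion only corrects the endpoint."""
    parts = urlsplit(url)
    match = OIDC_PATH.match(parts.path)
    if match is None:
        return ["path is not a realm OpenID Connect endpoint"], None
    findings = []
    if match["realm"] != expected_realm:
        findings.append(f"realm {match['realm']!r} != configured {expected_realm!r}")
    client_ids = parse_qs(parts.query).get("client_id", [])
    if client_ids != [expected_client]:
        findings.append(f"client_id {client_ids} != configured {expected_client!r}")
    path = parts.path
    if match["endpoint"] == "login":
        # Per the thread: "../login is gone and it should be ../auth".
        findings.append("uses ../login; the thread says it should be ../auth")
        path = match["base"] + "/auth"
    return findings, urlunsplit(parts._replace(path=path))


if __name__ == "__main__":
    # Expected names come from the thread: the first post says realm and client
    # are both "jenkins"; the later capture is checked against realm jenkins, client ci.
    for url, realm, client in ((FIRST_REPORT, "jenkins", "jenkins"),
                               (JENKINS_302, "jenkins", "ci")):
        findings, suggested = audit_login_redirect(url, realm, client)
        print(realm, client, findings, suggested, sep="\n  ")
```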