[keycloak-user] keycloak configuration

Marek Posolda mposolda at redhat.com
Wed Mar 30 07:00:16 EDT 2016


On 24/03/16 14:54, Guus der Kinderen wrote:
> I signed up to the mailing list at a time that this thread was already 
> underway. I didn't read back to find out what the original question 
> was, and given the tone of the responses I am not going to either, 
> but, as for the call for specific improvements: I've got two:
>
>   * It would be helpful if the section on JAAS integration would
>     contain a very short example of a configuration file, and a Java
>     snippet that shows how to instantiate a LoginContext based on
>     that. I was unfamiliar with JAAS and was struggling to put one and
>     one together. I think the above could be done in ten lines or so,
>     so it's relatively small, but would be a good illustrative example
>     for the likes of me.
>
We have a JIRA for this one created already: 
https://issues.jboss.org/browse/KEYCLOAK-971. I hope to do a short 
example of JAAS soon.

Marek
>
>   * The REST endpoint documentation lacks structure (grouping), which
>     makes it hard to navigate. Improving on that would be as simple as
>     grouping each piece of documentation by its resource path.
>
> $0.02
>
>  - Guus
>
> On 24 March 2016 at 14:25, Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>
>     Documentation hasn't received any love for more than a year. 
>     Screencasts are even more out of date.  The good news is that
>     myself and the Red Hat documentation team are scheduled to focus on
>     docs and screencasts the month of April.  Up until a few months
>     ago, we were just an open source community.  Now that the Red Hat
>     machine is getting behind us, areas like documentation should
>     start to be improved.
>
>     BTW, if you want help, we need more than just "it doesn't work,
>     your documentation sucks".  Walking us through the problem helps
>     us improve error messages, general usability, and documentation. 
>     Threatening us doesn't really help as you are just as likely to
>     get ignored.
>
>     On 3/24/2016 4:56 AM, Stian Thorgersen wrote:
>>     Firstly, that's not FreeIPA (community project) documentation,
>>     but Red Hat Identity Management documentation (product). The
>>     FreeIPA documentation is https://www.freeipa.org/page/Documentation.
>>
>>     Secondly, just stating that our documentation is bad and pointing
>>     to some better documentation doesn't give us anything to go on.
>>     We would like to give a good experience and I would be very
>>     interested in knowing exactly what documentation you are lacking,
>>     hard to understand or whatever other issues you may have with the
>>     documentation. Help us to help you ;)
>>
>>     Finally we know the documentation is not as good as it could be
>>     and are planning to improve it in the not too distant future. So
>>     input from users would be valuable.
>>
>>     On 23 March 2016 at 11:32, Pavlos Kleanthous <parsectix at gmail.com
>>     <mailto:parsectix at gmail.com>> wrote:
>>
>>         Just compare the documentation from another Red Hat product
>>         FreeIPA
>>         <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html>
>>
>>         I have read this documentation and set up/configured the IPA
>>         server very easily.
>>
>>         Keycloak's current documentation looks more like a
>>         developer's manual to me.
>>
>>
>>         On Tue, Mar 22, 2016 at 4:29 PM, Stian Thorgersen
>>         <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>>
>>             Could you elaborate on what is missing from the
>>             documentation? That would be helpful.
>>
>>             On 22 Mar 2016 12:05, "Pavlos Kleanthous"
>>             <parsectix at gmail.com <mailto:parsectix at gmail.com>> wrote:
>>
>>                 Dear all,
>>
>>                 I dropped the project at the moment. The lack of
>>                 documentation is too time consuming.
>>
>>                 Hope that soon keycloak will have it.
>>
>>
>>                 On Fri, Mar 18, 2016 at 1:52 PM, Stian Thorgersen
>>                 <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>>
>>                     What adapter? Are the server and client adapter
>>                     both 1.9.1? We did recently deprecate some OIDC
>>                     endpoints. I think ../login is gone and it should
>>                     be ../auth. So if you are using an old adapter
>>                     that may be the issue.
>>
>>                     On 18 Mar 2016 2:20 p.m., "Pavlos Kleanthous"
>>                     <parsectix at gmail.com
>>                     <mailto:parsectix at gmail.com>> wrote:
>>
>>                         Yours.
>>
>>                         I  configured the realm with the same
>>                         settings on both versions 1.9.1 and 1.8.1.
>>
>>
>>                         On Fri, Mar 18, 2016 at 11:58 AM, Stian
>>                         Thorgersen <sthorger at redhat.com
>>                         <mailto:sthorger at redhat.com>> wrote:
>>
>>                             Client ID has nothing to do with this
>>                             issue as it would show a login error
>>                             page, not a not found. So it must be that either
>>                             the realm name or another part of the URL is wrong.
>>
>>                             Are you using our adapters or another
>>                             library atm?
>>
>>                             I'm answering on my phone on the plane so
>>                             can't look into it more atm.
>>
>>                             On 17 Mar 2016 10:00, "Pavlos Kleanthous"
>>                             <parsectix at gmail.com
>>                             <mailto:parsectix at gmail.com>> wrote:
>>
>>                                 Hi,
>>
>>                                 In Jenkins, I'm pasting the JSON
>>                                 configuration that can be found
>>                                 inside the "Installation" tab.
>>
>>                                 Instead of using keycloak client
>>                                 plugins, can I use a generic oauth
>>                                 plugin in my apps? How can I
>>                                 configure my keycloak for this?
>>                                 i.e. Instead of using google's oauth
>>                                 URL use my own pointing to keycloak.
>>
>>
>>                                 On Wed, Mar 16, 2016 at 1:29 PM,
>>                                 Marko Strukelj <mstrukel at redhat.com
>>                                 <mailto:mstrukel at redhat.com>> wrote:
>>
>>                                     In your jenkins realm - under
>>                                     Clients do you have a client
>>                                     called 'ci'? That's the client_id
>>                                     used in your request.
>>
>>                                     AFAIK nothing changed in this
>>                                     part of the code since 1.8.1.
>>
>>                                     On Mar 16, 2016 12:04 PM, "Pavlos
>>                                     Kleanthous" <parsectix at gmail.com
>>                                     <mailto:parsectix at gmail.com>> wrote:
>>
>>                                         yes I can.
>>
>>                                         Please note that this is a
>>                                         problem of version 1.9.1.
>>                                         I have now tried version
>>                                         1.8.1 and it redirects me to
>>                                         keycloak.
>>
>>                                         p.s. I'm using the official
>>                                         containers from docker hub.
>>
>>                                         On Wed, Mar 16, 2016 at 10:56
>>                                         AM, Marko Strukelj
>>                                         <mstrukel at redhat.com
>>                                         <mailto:mstrukel at redhat.com>>
>>                                         wrote:
>>
>>                                             Are you able to log in
>>                                             to the admin console at:
>>                                             http://192.168.99.100:32786/auth
>>
>>                                             And you see the realm
>>                                             called 'jenkins' there?
>>
>>                                             On Mar 16, 2016 11:32 AM,
>>                                             "Pavlos Kleanthous"
>>                                             <parsectix at gmail.com
>>                                             <mailto:parsectix at gmail.com>>
>>                                             wrote:
>>
>>                                                 Hi guys, adding to
>>                                                 this. Please see the
>>                                                 HTTP requests and
>>                                                 responses.
>>
>>                                                 Request URL: http://192.168.99.100:32769/securityRealm/commenceLogin?from=%2F
>>                                                 Request Method: GET
>>                                                 Status Code: 302 Found
>>                                                 Remote Address: 192.168.99.100:32769
>>                                                 Response Headers:
>>                                                     Content-Length: 0
>>                                                     Location: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>                                                     Server: Jetty(winstone-2.9)
>>                                                     X-Content-Type-Options: nosniff
>>
>>                                                 Request URL: http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login?client_id=ci&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=cb0b57c5-c160-4861-ab36-ed1835e4b184
>>                                                 Request Method: GET
>>                                                 Status Code: *404 Not Found*
>>                                                 Remote Address: 192.168.99.100:32786
>>                                                 Response Headers:
>>                                                     Connection: keep-alive
>>                                                     Content-Length: 0
>>                                                     Date: Wed, 16 Mar 2016 10:30:40 GMT
>>                                                     Server: WildFly/10
>>                                                     X-Powered-By: Undertow/1
>>                                                 Request Headers:
>>                                                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
>>                                                     Accept-Encoding: gzip, deflate, sdch
>>                                                     Accept-Language: en-US,en;q=0.8,el;q=0.6
>>                                                     Connection: keep-alive
>>                                                     DNT: 1
>>                                                     Host: 192.168.99.100:32786
>>                                                     Referer: http://192.168.99.100:32769/
>>                                                     Save-Data: on
>>                                                     Upgrade-Insecure-Requests: 1
>>
>>
>>                                                 On Tue, Mar 15, 2016
>>                                                 at 4:26 PM, Pavlos
>>                                                 Kleanthous
>>                                                 <parsectix at gmail.com
>>                                                 <mailto:parsectix at gmail.com>>
>>                                                 wrote:
>>
>>                                                     Thanks for
>>                                                     pointing this
>>                                                     out. I think it
>>                                                     does not matter
>>                                                     as the same name
>>                                                     can be found in
>>                                                     "Installation"
>>                                                     tab where
>>                                                     I copied the
>>                                                     configuration.
>>
>>                                                     On Tue, Mar 15,
>>                                                     2016 at 4:21 PM,
>>                                                     Marko Strukelj
>>                                                     <mstrukel at redhat.com
>>                                                     <mailto:mstrukel at redhat.com>>
>>                                                     wrote:
>>
>>                                                         Looks like
>>                                                         you mistyped
>>                                                         your client
>>                                                         id: 'jenknis'.
>>
>>                                                         On Mar 15,
>>                                                         2016 5:19 PM,
>>                                                         "Pavlos
>>                                                         Kleanthous"
>>                                                         <parsectix at gmail.com
>>                                                         <mailto:parsectix at gmail.com>>
>>                                                         wrote:
>>
>>                                                             Hello,
>>
>>
>>                                                             I'm trying to configure keycloak for the first time. My setup has 2
>>                                                             containers, keycloak and jenkins. Following the example of how to
>>                                                             integrate those two, I created a realm and a client called "jenkins".
>>
>>                                                             It seems that the realm configuration is not correct, as I get the
>>                                                             following debug error.
>>                                                             "15:47:55,791 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login?client_id=jenknis&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"
>>
>>                                                             I noticed that
>>                                                             "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect"
>>                                                             does not work generally. The URL ending with
>>                                                             "/auth/realms/ci/account" works.
>>
>>                                                             If I access the URL:
>>                                                             http://192.168.99.100:32786/auth/realms/ci
>>
>>                                                             {"realm":"ci","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0IQoyEf8wt4ZkD0Jf6t8ppM4MVtiR+QJkaWctQvYRPeg9HGBHLDcsnQnpQ+zZ6Rl5sn5CArqcEygpALpglUiiGdSuH8X0VwfATpWB/0KBwylPJ7CJObDiKoBD7ZMjR67IRa9e8ySdbbCb/Ehapk9SkDfAU7dgHscEkVMuHWUilSpGrqUPPMX9dl6rpIZGX/87DxuHGi4e3d9RYrvKS6wliZF+Pvar5A48OmmklTIpPoPr4NXyQx7a1gsk3VjHLtK2NBLcbMVY+juJTCxa2reukl0eMGVITYFyQgQrXtCyDh18M3TTyFQsS3H2+dLcUdob8r1f973HHXaOUDiD7TrwIDAQAB","token-service":"http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect","account-service":"http://192.168.99.100:32786/auth/realms/ci/account","admin-api":"http://192.168.99.100:32786/auth/admin","tokens-not-before":0}
>>
>>                                                             Can you help me find the problem?
>>
>>                                                             P.S. Is there any other way to find help on those matters?
>>                                                             Tried IRC but nobody is replying there...
>>
>>                                                             Thank you
>>
>>                                                             _______________________________________________
>>                                                             keycloak-user
>>                                                             mailing list
>>                                                             keycloak-user at lists.jboss.org
>>                                                             <mailto:keycloak-user at lists.jboss.org>
>>                                                             https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>     -- 
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
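
Added example (not part of the original thread and not Keycloak or Jenkins plugin code): a Python check over the two redirect URLs quoted above, separating the removed ../login endpoint that Stian points to from realm or client_id mismatches. The INVENTORY of realm and client names is an assumption built from names mentioned in the thread.

```python
from urllib.parse import urlsplit, parse_qs

# Path layout taken from the URLs quoted in the thread.
OIDC_MARKER = "/protocol/openid-connect/"

# From Stian's reply: "../login is gone and it should be ../auth".
REMOVED_ENDPOINTS = {"login": "auth"}

# The two redirect URLs reported in the thread, copied from the messages.
FIRST_REPORT_URL = (
    "http://192.168.99.100:32786/auth/realms/ci/protocol/openid-connect/login"
    "?client_id=jenknis"
    "&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin"
    "&state=fb8e0ecd-7a59-4c5e-9fcd-0c90c25a4261"
)
SECOND_REPORT_URL = (
    "http://192.168.99.100:32786/auth/realms/jenkins/protocol/openid-connect/login"
    "?client_id=ci"
    "&redirect_uri=http%3A%2F%2F192.168.99.100%3A32769%2FsecurityRealm%2FfinishLogin"
    "&state=cb0b57c5-c160-4861-ab36-ed1835e4b184"
)

# Assumption for this example: the realm 'jenkins' holds a client 'ci',
# as asked about in the 16 Mar replies. Replace with your own realms.
INVENTORY = {"jenkins": {"ci"}}


def parse_auth_request(url):
    """Split a realm-scoped OIDC redirect URL into the parts worth checking."""
    parts = urlsplit(url)
    prefix, sep, endpoint = parts.path.partition(OIDC_MARKER)
    if not sep or "/realms/" not in prefix:
        raise ValueError("not a /realms/<realm>/protocol/openid-connect/ URL")
    query = parse_qs(parts.query)  # also percent-decodes the values

    def first(name):
        return query.get(name, [None])[0]

    return {
        "realm": prefix.rsplit("/realms/", 1)[1],
        "endpoint": endpoint,
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "state": first("state"),
    }


def diagnose(url, inventory):
    """Return (code, message) findings for one redirect URL."""
    req = parse_auth_request(url)
    findings = []

    # A removed endpoint yields a bare 404, whatever the realm or client.
    if req["endpoint"] in REMOVED_ENDPOINTS:
        findings.append(("endpoint", "'%s' was removed, the server expects '%s'; "
                         "check the adapter version"
                         % (req["endpoint"], REMOVED_ENDPOINTS[req["endpoint"]])))

    if req["realm"] not in inventory:
        findings.append(("realm", "realm '%s' is not in the inventory" % req["realm"]))
    elif req["client_id"] not in inventory[req["realm"]]:
        # Per the thread, a wrong client id shows a login error page, not a 404.
        findings.append(("client_id", "client '%s' not defined in realm '%s'"
                         % (req["client_id"], req["realm"])))

    # redirect_uri must be an absolute http(s) URL the client can register.
    target = urlsplit(req["redirect_uri"] or "")
    if target.scheme not in ("http", "https") or not target.netloc:
        findings.append(("redirect_uri", "missing or not an absolute http(s) URL"))

    # state ties the response to the browser session that started the login.
    if not req["state"]:
        findings.append(("state", "no state parameter in the request"))

    return findings


if __name__ == "__main__":
    for label, url in (("15 Mar", FIRST_REPORT_URL), ("16 Mar", SECOND_REPORT_URL)):
        print(label, parse_auth_request(url)["realm"])
        for code, message in diagnose(url, INVENTORY):
            print("   %-12s %s" % (code, message))
```

For the 16 Mar URL the only finding is the endpoint, which matches the diagnosis in the thread that the realm and client_id were not the cause of the 404.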
