From sthorger at redhat.com Wed Feb 1 02:56:41 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 1 Feb 2017 08:56:41 +0100
Subject: [keycloak-user] Conflict with LastPass Chrome Extension

If there is another 2.5.x release it'll be fixed for that (~2 weeks), otherwise the fix will come in 3.0.CR1 (~6 weeks).

Even though I've got LastPass installed I've never been able to see these kinda problems and have had to simulate it to test it. Any tips on how I can get LastPass to do this?

On 31 January 2017 at 14:26, Alessandro Segatto wrote:
> Thanks, I've opened the issue.
>
> https://issues.jboss.org/browse/KEYCLOAK-4338
>
> Will you fix it in 2.5.x or do we have to wait for 3.x? I currently solved the possible issue by disabling the iframe ...
>
> On Tue, Jan 31, 2017 at 8:59 AM, Stian Thorgersen wrote:
>
>> This is clearly a bug in LastPass, but there are similar bugs in other extensions, so we should guard against it. We used to do that, but it seems that was lost when we recently redid this stuff. Feel free to create a bug report for it.
>>
>> On 30 January 2017 at 15:34, Alessandro Segatto wrote:
>>
>>> Hi,
>>> we found a conflict between the LastPass Chrome extension (version 4.1.38) and the Keycloak JS adapter (version 2.5). LastPass is sending a message to the login status iframe, which crashes while trying to parse it! I think LastPass caused the issue with its last update, but I think you should also be interested in solving this lack of robustness. If you agree, I can open an issue on Jira.
>>> I made an attempt also with angular2-product-app, but I ran into a similar issue (LastPass and Keycloak messaging one another, then crashing).
>>>
>>> Thanks,
>>> Alessandro Segatto
>>> --
>>> Ing. Alessandro Segatto
>>> Software Engineer, Research and Development
>>> ESTECO S.p.A. - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
>>> Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Feb 1 02:57:50 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 1 Feb 2017 08:57:50 +0100
Subject: [keycloak-user] implementing new password policy

There's docs for custom providers in the server development guide.
Other than that there's nothing. Take a look at the Keycloak source for an example:
https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/policy/LowerCasePasswordPolicyProvider.java

On 31 January 2017 at 05:04, Shaikh Asrafali Anwarali <asrafalianwarali.shaikh at gi-de.com> wrote:
> Hi,
>
> Hope you are doing well.
> I am currently trying to implement a new password policy; is there any kind of documentation or guide available which helps with the implementation? Or any example.
>
> Thanks in advance.
>
> Regards,
> Asraf Shaikh

From mark.pardijs at topicus.nl Wed Feb 1 03:45:15 2017
From: mark.pardijs at topicus.nl (Mark Pardijs)
Date: Wed, 1 Feb 2017 08:45:15 +0000
Subject: [keycloak-user] Validation of IdP SAML signatures using KeyInfo

Ah, that makes sense, thanks!

> On 31 Jan 2017, at 15:05, Hynek Mlnarik wrote:
>
> That's because with Keycloak on both server and client side, key ID can be used to look up the particular signing key without attempting to validate using other irrelevant keys, see [1, Optimize REDIRECT signing key lookup option] and [2].
>
> [1] https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/client-saml.html
> [2] https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.5/topics/saml/java/general-config/idp_keys_subelement.html
>
> On Tue, Jan 31, 2017 at 9:43 AM, Mark Pardijs wrote:
>> Yep, that's what I mean ;) That still leaves me curious why the XmlSignatureUtil is looking up the keyName when in the end this keyName is never used...
>>
>>> On 30 Jan 2017, at 13:39, Hynek Mlnarik wrote:
>>>
>>> Keys specified in admin console are checked regardless of key ID. This applies just the same to the case when there is only a single key.
>>>
>>> On 01/30/2017 12:54 PM, Mark Pardijs wrote:
>>>> Ah OK, I see what you mean, so the idea is, when no key is found using the key hint all keys are checked. But what if I do provide a KeyName hint in the SAML, then I still see a mismatch between the code and the Keycloak admin frontend: the code is returning the first key regardless of which key id is provided, but in the frontend, no key ids can be specified, just a comma separated list. Can you clarify this?
>>>>
>>>> On 30 Jan 2017, at 12:09, Hynek Mlnarik wrote:
>>>>
>>>> Thanks for the report. Fix for item 1 is on the way [1]. Item 2 - validation - goes enumerating all available keys if getKey() returns null so that part should work fine.
>>>>
>>>> --Hynek
>>>>
>>>> On 01/30/2017 10:55 AM, Mark Pardijs wrote:
>>>> Hi,
>>>>
>>>> Ad 1: Just created the issue: https://issues.jboss.org/browse/KEYCLOAK-4329
>>>> Ad 2: Multiple keys can be provided to the HardcodedKeyLocator, but I see the following code for checking a specific key:
>>>>
>>>>     public Key getKey(String kid) {
>>>>         if (this.keys.size() == 1) {
>>>>             return this.keys.iterator().next();
>>>>         } else {
>>>>             return null;
>>>>         }
>>>>     }
>>>>
>>>> And the XMLSignatureUtil is using locator.getKey(keyName) for looking up the keys.
>>>>
>>>> So even if I would provide a KeyName in my SAML, it would return the first configured SAML certificate, right?
>>>>
>>>> On 30 Jan 2017, at 10:42, Hynek Mlnarik wrote:
>>>>
>>>> Hi,
>>>>
>>>> Ad 1: Could you file a JIRA with more details (NPE stacktrace, Keycloak version) for this? Keycloak handles cases where KeyName is not present by checking all available keys.
>>>>
>>>> Ad 2: HardcodedKeyLocator works with a collection of keys so it matches multiple keys configuration. Maybe the cause of this question is related to Item 1, let's resolve that issue first.
>>>>
>>>> --Hynek
>>>>
>>>> On 01/30/2017 10:09 AM, Mark Pardijs wrote:
>>>> Hi,
>>>>
>>>> Originally posted at the keycloak-dev list, Hynek Mlnarik asked me to post this here.
>>>>
>>>> We use a SAML IdP which is configured in Keycloak as federated IdP, and I've a question concerning the validation of SAML signatures. In Keycloak's Identity provider config page, the validating X509 Certificates can be configured, with description "The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,)." but in the code, I see that for checking the signatures a "HardcodedKeyLocator" is used, which does not use the keyName provided in the SAML but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a HardcodedKeyLocator for details.
>>>>
>>>> This code was recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c73d86c1b9fd2.
>>>>
>>>> My two questions concerning this approach:
>>>>
>>>> 1. Keycloak is currently expecting a KeyInfo element with a KeyName in the incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I'm facing a NullPointer exception when sending a SAMLResponse without KeyInfo.
>>>>
>>>> 2.
>>>> What's the idea behind the HardcodedKeyLocator? It doesn't seem to match the multiple keys configuration option in Keycloak's frontend. Is this a preliminary approach which should be extended?
>
> --
> --Hynek

From segatto at esteco.com Wed Feb 1 04:01:11 2017
From: segatto at esteco.com (Alessandro Segatto)
Date: Wed, 1 Feb 2017 10:01:11 +0100
Subject: [keycloak-user] Conflict with LastPass Chrome Extension

I should check, but from what I have seen this happens when the LastPass extension icon becomes yellow, and some kind of warning has to be shown.

On Wed, Feb 1, 2017 at 8:56 AM, Stian Thorgersen wrote:
> If there is another 2.5.x release it'll be fixed for that (~2 weeks), otherwise the fix will come in 3.0.CR1 (~6 weeks).
>
> Even though I've got LastPass installed I've never been able to see these kinda problems and have had to simulate it to test it. Any tips on how I can get LastPass to do this?
>
> [...]

--
Ing. Alessandro Segatto
Software Engineer, Research and Development
ESTECO S.p.A. - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com

From dev.ebondu at gmail.com Wed Feb 1 04:32:51 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Wed, 1 Feb 2017 02:32:51 -0700 (MST)
Subject: [keycloak-user] Angular 2 with Webpack

Brian Schofield wrote
> @ebondu
> Are you not using HtmlWebpackPlugin or CommonChunksPlugin?

Yes I am, but for the moment I didn't spend a lot of time on app packaging and webpack tuning.
I agree with you, for distribution, copying the keycloak.json file will be lighter than copying an entire directory, so I will keep your solution in mind ;)

From dev.ebondu at gmail.com Wed Feb 1 05:01:34 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Wed, 1 Feb 2017 03:01:34 -0700 (MST)
Subject: [keycloak-user] Angular 2 with Webpack

Niko Köbler wrote
> My troubles are packing the bundle with Webpack if the keycloak-js module is referenced.
> And this is, as I mentioned, happening with Webpack2 and Typescript. With Webpack1 and JavaScript everything is fine.

Yes, I think it is probably a Typescript issue rather than an Angular2 conflict.
The idea behind the Typescript lib is to ease KC integration in angular2 apps (packaging, Observables, etc.)

From known.michael at gmail.com Wed Feb 1 05:17:58 2017
From: known.michael at gmail.com (Known Michael)
Date: Wed, 1 Feb 2017 12:17:58 +0200
Subject: [keycloak-user] Strange behavior upon the RP initiated logout

Hey,

I successfully integrated mod_auth_openidc with Keycloak:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/mod-auth-openidc.html

In addition to the master realm we use our own realm.

I have strange behavior upon the RP initiated logout.
When I access the RP logout URL it redirects to Keycloak using the logout endpoint (https:///auth/realms/realm/protocol/openid-connect/logout) as described here:
https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management#logout

Unfortunately, Keycloak redirects me to the "Session not active" error string when I press logout after a couple of minutes of work. The logout is successful if I press the logout button 1 or 2 minutes after the login.

I have tried to debug Keycloak and I have found the following:
TokenManager, in the function org.keycloak.protocol.oidc.TokenManager#verifyIDToken, calls JsonWebToken and finds that the token is expired (org.keycloak.representations.JsonWebToken#isExpired).
It is caused by the expiration of the token being very short (a couple of minutes).

Questions:
1) How to configure the token expiration? I have increased "SSO Session Idle" to 90 minutes but it does not change the token expiration (it remains short)
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sessions/timeouts.html
2) Why can logout not work after a couple of minutes?

From mark.pardijs at topicus.nl Wed Feb 1 06:13:33 2017
From: mark.pardijs at topicus.nl (Mark Pardijs)
Date: Wed, 1 Feb 2017 11:13:33 +0000
Subject: [keycloak-user] Add OneTimeUse condition to SAMLResponse

Hi,

Is it possible to add a client configuration option to include the OneTimeUse condition in the SAMLResponse sent to a client? Currently this element is not included, but I've clients that require the use of the OneTimeUse condition, as recommended in the SAML security considerations in paragraph 6.4.4:
http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf

I think the fix itself is an easy one (add assertion.getConditions().addCondition(new OneTimeUseType()); to SAML2LoginResponseBuilder) but it might be useful to make this option configurable.
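The message above asks for the issuer to emit the OneTimeUse condition; the relying-party half, which the condition only requests, is to remember assertion IDs and refuse a second presentation. The following is an added example written for this thread, not Keycloak code: it parses a constructed (unsigned, trimmed) assertion with the JDK's DOM parser and enforces OneTimeUse with an ID cache bounded by the Conditions' NotOnOrAfter. The 10-minute fallback window is an assumption for assertions whose Conditions carry no NotOnOrAfter, and signature and audience validation are assumed to run before this guard.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example, not Keycloak code: the service-provider side of the SAML OneTimeUse
 * condition. The condition tells the SP the assertion must not be accepted twice; enforcing
 * that means remembering assertion IDs until NotOnOrAfter and rejecting a second presentation.
 */
public class OneTimeUseGuard {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Assumed window for remembering an ID when Conditions carries no NotOnOrAfter.
    static final Duration DEFAULT_WINDOW = Duration.ofMinutes(10);

    public enum Verdict { ACCEPTED, REPLAY, EXPIRED }

    // assertion ID -> instant after which a replay is impossible and the ID may be forgotten
    private final Map<String, Instant> seen = new ConcurrentHashMap<>();

    public Verdict accept(String assertionXml, Instant now) throws Exception {
        Element assertion = parse(assertionXml).getDocumentElement();
        String id = assertion.getAttribute("ID");
        if (id.isEmpty()) throw new IllegalArgumentException("assertion has no ID");
        NodeList conds = assertion.getElementsByTagNameNS(SAML_NS, "Conditions");
        if (conds.getLength() == 0) return Verdict.ACCEPTED;      // nothing for this guard to enforce
        Element conditions = (Element) conds.item(0);
        String noa = conditions.getAttribute("NotOnOrAfter");
        Instant expiry = noa.isEmpty() ? now.plus(DEFAULT_WINDOW) : Instant.parse(noa);
        if (!now.isBefore(expiry)) return Verdict.EXPIRED;
        if (conditions.getElementsByTagNameNS(SAML_NS, "OneTimeUse").getLength() == 0) {
            return Verdict.ACCEPTED;                              // issuer did not ask for one-time use
        }
        seen.entrySet().removeIf(e -> !now.isBefore(e.getValue())); // forget IDs past their window
        // putIfAbsent makes check-and-record atomic, so two concurrent presentations cannot both pass
        return seen.putIfAbsent(id, expiry) == null ? Verdict.ACCEPTED : Verdict.REPLAY;
    }

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample assertion, trimmed to the parts the guard reads (no signature, no subject).
        String assertion =
            "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" ID=\"_constructed-id-1\" Version=\"2.0\">" +
            "  <saml:Conditions NotBefore=\"2017-02-01T12:00:00Z\" NotOnOrAfter=\"2017-02-01T12:05:00Z\">" +
            "    <saml:OneTimeUse/>" +
            "  </saml:Conditions>" +
            "</saml:Assertion>";
        OneTimeUseGuard guard = new OneTimeUseGuard();
        Instant t0 = Instant.parse("2017-02-01T12:01:00Z");
        System.out.println("first presentation:  " + guard.accept(assertion, t0));
        System.out.println("second presentation: " + guard.accept(assertion, t0.plusSeconds(30)));
        System.out.println("after NotOnOrAfter:  " + guard.accept(assertion, t0.plusSeconds(300)));
    }
}
```

In a clustered SP the map must be replaced by a shared store, or a replay against a different node would pass.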
From hmlnarik at redhat.com Wed Feb 1 06:21:02 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 1 Feb 2017 12:21:02 +0100
Subject: [keycloak-user] Add OneTimeUse condition to SAMLResponse

Currently there's no support for OneTimeUse condition in SAML. Feel free to open feature request JIRA.

--Hynek

On 02/01/2017 12:13 PM, Mark Pardijs wrote:
> Hi,
>
> Is it possible to add a client configuration option to include the OneTimeUse condition in the SAMLResponse sent to a client?
> [...]

From mposolda at redhat.com Wed Feb 1 06:50:30 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 1 Feb 2017 12:50:30 +0100
Subject: [keycloak-user] [keycloak-dev] Keycloak on active MQ

I didn't try that yet. However I think it should work as ActiveMQ has some support for JAAS. We have some JAAS login modules, which can be used to secure those kinds of services. See docs for details:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/latest/topics/oidc/java/jaas.html

Marek

On 01/02/17 10:26, Shankar_Bhaskaran wrote:
> Hi,
>
> We are using keycloak as SSO in our organization. I would like to know if securing activemq using keycloak is a valid use case. Does keycloak allow us to validate jms requests to the queue or topic?
>
> Regards,
> Shankar

From mark.pardijs at topicus.nl Wed Feb 1 08:35:23 2017
From: mark.pardijs at topicus.nl (Mark Pardijs)
Date: Wed, 1 Feb 2017 13:35:23 +0000
Subject: [keycloak-user] Add OneTimeUse condition to SAMLResponse

OK, I filed https://issues.jboss.org/browse/KEYCLOAK-4360 ;)

> On 1 Feb 2017, at 12:21, Hynek Mlnarik wrote:
>
> Currently there's no support for OneTimeUse condition in SAML. Feel free to open feature request JIRA.
>
> --Hynek
>
> [...]

From scope022 at gmail.com Wed Feb 1 09:57:26 2017
From: scope022 at gmail.com (Brian Schofield)
Date: Wed, 1 Feb 2017 08:57:26 -0600
Subject: [keycloak-user] Angular 2 with Webpack

@Ebondu I've been able to authenticate, I can see the new session created within the Keycloak admin panel. But every additional method I try to invoke returns a charAt error and each property returns undefined. Is that because your module is still in development or should I expect the defined methods to function? Thanks.

On Wed, Feb 1, 2017 at 4:01 AM, ebondu wrote:
> Niko Köbler wrote
>> My troubles are packing the bundle with Webpack if the keycloak-js module is referenced.
>> And this is, as I mentioned, happening with Webpack2 and Typescript. With Webpack1 and JavaScript everything is fine.
>
> Yes, I think it is probably a Typescript issue rather than an Angular2 conflict.
>
> The idea behind the Typescript lib is to ease KC integration in angular2 apps (packaging, Observables, etc.)

--
Brian Schofield

From dev.ebondu at gmail.com Wed Feb 1 10:44:30 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Wed, 1 Feb 2017 08:44:30 -0700 (MST)
Subject: [keycloak-user] Angular 2 with Webpack

@Brian
The module is currently under development so some methods may not have been fully tested.
Which methods are you testing exactly?

From known.michael at gmail.com Wed Feb 1 10:59:51 2017
From: known.michael at gmail.com (Known Michael)
Date: Wed, 1 Feb 2017 17:59:51 +0200
Subject: [keycloak-user] How explicitly enable session management in Keycloak?

Hey,

I use mod_auth_openidc version "2.1.2", Keycloak version "2.4.0".
I was not able to implement the session management using OP and RP frames as described here:
https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management

I see in mod_auth_openidc logs the following:

[Wed Feb 01 14:12:54 2017] [debug] src/mod_auth_openidc.c(1556): [client 192.168.111.33] oidc_save_in_session: session management disabled: session_state ((null)) and/or check_session_iframe ( https://localhost/auth/realms/realm/protocol/openid-connect/login-status-iframe.html) is not provided, referer: https://192.168.110.2/auth/realms/realm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=httpd_192.168.110.2&state=i1YQ39FbBLSCTRyIgEN-F9CdDH4&redirect_uri=https%3A%2F%2F192.168.110.2%2Fprotected%2Fredirect_uri&nonce=0VJ7AO-QBaxVaUBL9goen7muN4Oka1dP_1iPEQ43o-M

It looks like the session management is disabled because the Provider did not return a session_state parameter in the authentication response (which in its turn can be verified via the referer URL in the same log entry) as the spec dictates:
https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions

How should I configure Keycloak to explicitly enable session management? It should start returning session_state in the authentication responses. I see that it is implemented already, https://issues.jboss.org/browse/KEYCLOAK-451, but probably I miss something.

From scope022 at gmail.com Wed Feb 1 11:39:40 2017
From: scope022 at gmail.com (Brian Schofield)
Date: Wed, 1 Feb 2017 10:39:40 -0600
Subject: [keycloak-user] Angular 2 with Webpack

In general, I'm just trying to grab the JWT and some user data.
I've gone through:
login
isTokenExpired

More importantly properties like:
Keycloak.authenication returns false every time
Keycloak.token returns undefined
Keycloak.realm returns undefined
Keycloak.clientID returns undefined

On Wed, Feb 1, 2017 at 9:44 AM, ebondu wrote:
> @Brian
> The module is currently under development so some methods may not have been fully tested.
> Which methods are you testing exactly?

--
Brian Schofield

From shmuein+keycloak-dev at gmail.com Wed Feb 1 12:15:32 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Wed, 1 Feb 2017 11:15:32 -0600
Subject: [keycloak-user] SAML AuthnContext

Added Jira ticket for this: https://issues.jboss.org/browse/KEYCLOAK-4365

On Mon, Jan 30, 2017 at 3:13 AM, Hynek Mlnarik wrote:
> Keycloak always returns urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified AuthnContextClassRef unless AuthnStatement inclusion is disabled. If you need to handle authncontext properly, please open a JIRA feature request.
>
> --Hynek
>
> On 01/27/2017 12:21 AM, Muein Muzamil wrote:
>> Hi all,
>>
>> We are trying to configure OpenAM as SAML client with KeyCloak, as part of SAML request it sends PasswordProtectedTransport AuthnContext (as shown below) and it expects this back as part of SAML response.
>>
>>     <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
>>         <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
>>     </samlp:RequestedAuthnContext>
>>
>> Currently, KeyCloak always returns unspecified as AuthnContext, is there any way to return back the AuthnContext that KeyCloak received in the request?
>>
>>     <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
>>
>> Regards,
>> Muein

From sstark at redhat.com Wed Feb 1 14:50:34 2017
From: sstark at redhat.com (Scott Stark)
Date: Wed, 1 Feb 2017 14:50:34 -0500 (EST)
Subject: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?

So I can query the current access token via the myapp-root/k_query_bearer_token when expose-token is set to true, but is there a way to query the public key associated with the signature portion of the token?

From sstark at redhat.com Wed Feb 1 15:42:47 2017
From: sstark at redhat.com (Scott Stark)
Date: Wed, 1 Feb 2017 15:42:47 -0500 (EST)
Subject: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?
I was able to find the public key from the Realm Settings/Keys section of the admin console, but I'm not able to get the signature to verify on the https://jwt.io debugger. For example, this token and public key won't work to verify the signature:

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGeFZlX1pUTHBoU0JrMGZMSDBmaDltUWY1OWkzNnVXOFBDeFFvWkE4eHdvIn0.eyJqdGkiOiIwYTJlNDljNy05ZTA1LTQ3MmUtOGQ5OS02ZGYwOGYxYmY5MzYiLCJleHAiOjE0ODU5ODAwMTMsIm5iZiI6MCwiaWF0IjoxNDg1OTc5NzEzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvTWljcm9wcm9maWxlIiwiYXVkIjoidmFuaWxsYSIsInN1YiI6IjhjM2Y1ZTRiLWZiM2EtNDZiYS04ODk5LTQyNTNkNzQzMGI4ZiIsInR5cCI6IkJlYXJlciIsImF6cCI6InZhbmlsbGEiLCJhdXRoX3RpbWUiOjE0ODU5NzY5ODgsInNlc3Npb25fc3RhdGUiOiJlYmQxMDgyZi02MWI3LTRlNzEtYTBkNi1iZTc1MzA3ODYzNjMiLCJhY3IiOiIwIiwiY2xpZW50X3Nlc3Npb24iOiI1NDhhZTVjNi1mZTU4LTQwZGQtOWY0Yy03NmE4N2EwMjcwYzciLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MDgwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiTWljcm9wcm9maWxlIERlbW8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkZW1vIiwiZ2l2ZW5fbmFtZSI6Ik1pY3JvcHJvZmlsZSIsImZhbWlseV9uYW1lIjoiRGVtbyIsImVtYWlsIjoibXBkZW1vQHN0YXJraW50ZXJuYXRpb25hbC5jb20ifQ.TAgwCENsVF9bug3TbvjB-KD_kT3AfLDduK_vQ-1Gp5ejeDLRVcppktXpIWe1jhJTKmqXIwL48S636BYrP35iNmlJLGIxm706o-BU6SO8IJND_OJdfbCdkUrekcGTS8k5B2D_idQnnl-DcwKJs0Mqv8q_XD2XqCTAu1nTKsrTlFn6QoZ0_-Q_bRsmZ_Rgob5Gf4Vw93I5OnS5zRUV_qi-VEDTEtAO3YlfWdTJXYXYeSGVXTjExw6TikYlcQETolfr-sxhfcPEH5KWQnUw_40hb12Zzxp3DdnJuQ34NKe5vgPNW1Q3geT7YLGYcY1pJFmvLEKxDC5WxRNMp_PFYLYxTA

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhir7PLNN6PafmxEN89tXD+vJGU+Io2QcnyAxw6MzGSYD1Rla3fzIVRBlhbq3rYd8SWcPPZ2i/SAyfnzt3d9KPef+Vp8v3GfuVn2NoutPsxJA/1do+vcW/lT5EDtbl9GQovMvFHE4JbgStdaRLD/4/w90zjbmEU4/J5beiqMAYioJQ5suE7P4N5OulZobPGI0hibQ9lWM03gWocCnP1RtXWfzliQ0F2LqrBJS6GckcRwln/q0sacgK1ZC/XLIty7w88bxV7PXKfgsqROId/1Fl6kJBl6AjdQkJtSQxo+UOW4AJvABg6qvcC0bg1JkzDY0OPEMAm+AhUvdYzxrklvCJwIDAQAB

----- Original Message -----
From: "Scott Stark"
To: keycloak-user at lists.jboss.org
Sent: Wednesday, February 1, 2017 11:50:34 AM
Subject: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?

[...]

From sstark at redhat.com Wed Feb 1 16:15:44 2017
From: sstark at redhat.com (Scott Stark)
Date: Wed, 1 Feb 2017 16:15:44 -0500 (EST)
Subject: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?

I was able to verify the token using the com.auth0 JWT library, so there must be something amiss with the web interface to the debugger.
FYI, this is the little program I put together to do the verification:

import java.security.KeyFactory;
import java.security.interfaces.RSAKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;

public class VerifyJWT {
    public static void main(String[] args) throws Exception {
        // Access token returned by k_query_bearer_token (the payload segment was not preserved in the list archive)
        String token = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGeFZlX1pUTHBoU0JrMGZMSDBmaDltUWY1OWkzNnVXOFBDeFFvWkE4eHdvIn0"
                + "." + "..."
                + ".YsoInnbkrPRyvauYsf5P5BePuPFFCyWBKz3TfP9FyeArp2bYyOzDusTEPCqhSx3-yYGsPxlVmsdu7LNonLs-rCXPki3uP3WAiSiyla4NXcBwly2kzM4EyO_J8CO9d4SqGEY8HDwTIga5E55KEOoYqOkGtj2pirIo8tlPa4SW2vwttvxix2zMOeyD50vZDAD3laVBzGsc07GMdFKvj4B0ZfUBM-l-92HB1xMWNNc1d-xbrLq8rKXyYeobU4bC4_WxHJOlOco-Z_60lD0z9vtmpaCpyOkq26V4Ygunhzd-36ofKdiYBjNURaB3SNc4l5OFZLCM12nkM_bb3_kO538Zyw";

        // Decode without verification first: alg, typ and kid tell you which realm key signed the token
        JWT jwt = JWT.decode(token);
        Claim alg = jwt.getHeaderClaim("alg");
        System.out.printf("alg: %s\n", alg.asString());
        Claim type = jwt.getHeaderClaim("typ");
        System.out.printf("typ: %s\n", type.asString());
        Claim kid = jwt.getHeaderClaim("kid");
        System.out.printf("kid: %s\n", kid.asString());

        // Realm public key as shown under Realm Settings/Keys: base64 of a DER SubjectPublicKeyInfo
        // (the "X.509" encoding KeyFactory expects), without a PEM envelope
        String key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhir7PLNN6PafmxEN89tXD+vJGU+Io2QcnyAxw6MzGSYD1Rla3fzIVRBlhbq3rYd8SWcPPZ2i/SAyfnzt3d9KPef+Vp8v3GfuVn2NoutPsxJA/1do+vcW/lT5EDtbl9GQovMvFHE4JbgStdaRLD/4/w90zjbmEU4/J5beiqMAYioJQ5suE7P4N5OulZobPGI0hibQ9lWM03gWocCnP1RtXWfzliQ0F2LqrBJS6GckcRwln/q0sacgK1ZC/XLIty7w88bxV7PXKfgsqROId/1Fl6kJBl6AjdQkJtSQxo+UOW4AJvABg6qvcC0bg1JkzDY0OPEMAm+AhUvdYzxrklvCJwIDAQAB";
        byte[] byteKey = Base64.getDecoder().decode(key.getBytes());
        X509EncodedKeySpec X509publicKey = new X509EncodedKeySpec(byteKey);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        RSAKey publicKey = (RSAKey) kf.generatePublic(X509publicKey);

        // Verify the RS256 signature and pin the issuer; verify() throws JWTVerificationException on failure
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(publicKey))
                .withIssuer("http://localhost:8180/auth/realms/Microprofile")
                .build();
        verifier.verify(token);
    }
}
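As an added example (not Scott's program and not Keycloak code), the same verification in Python with only the standard library, run on the token and realm key posted earlier in this thread: it wraps the console's bare base64 SubjectPublicKeyInfo in the PEM envelope that jwt.io and most JWT libraries expect, parses the DER to get the RSA modulus and exponent, checks the RS256 signature with a full PKCS#1 v1.5 comparison, and then checks iss, aud, exp and nbf. The audience "vanilla" is read from the token's own aud claim, and the issuer is the one Scott's program pins.

```python
"""Verify the Keycloak RS256 access token from the thread against the realm public key."""
import base64
import hashlib
import json
import time

# Token and key exactly as posted above (Scott Stark, 1 Feb 2017). The key is what Keycloak shows
# under Realm Settings > Keys: the base64 of a DER SubjectPublicKeyInfo, without any PEM envelope.
TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGeFZlX1pUTHBoU0JrMGZMSDBmaDltUWY1OWkzNnVXOFBDeFFvWkE4eHdvIn0"
    ".eyJqdGkiOiIwYTJlNDljNy05ZTA1LTQ3MmUtOGQ5OS02ZGYwOGYxYmY5MzYiLCJleHAiOjE0ODU5ODAwMTMsIm5iZiI6MCwiaWF0IjoxNDg1OTc5NzEzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvTWljcm9wcm9maWxlIiwiYXVkIjoidmFuaWxsYSIsInN1YiI6IjhjM2Y1ZTRiLWZiM2EtNDZiYS04ODk5LTQyNTNkNzQzMGI4ZiIsInR5cCI6IkJlYXJlciIsImF6cCI6InZhbmlsbGEiLCJhdXRoX3RpbWUiOjE0ODU5NzY5ODgsInNlc3Npb25fc3RhdGUiOiJlYmQxMDgyZi02MWI3LTRlNzEtYTBkNi1iZTc1MzA3ODYzNjMiLCJhY3IiOiIwIiwiY2xpZW50X3Nlc3Npb24iOiI1NDhhZTVjNi1mZTU4LTQwZGQtOWY0Yy03NmE4N2EwMjcwYzciLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MDgwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiTWljcm9wcm9maWxlIERlbW8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkZW1vIiwiZ2l2ZW5fbmFtZSI6Ik1pY3JvcHJvZmlsZSIsImZhbWlseV9uYW1lIjoiRGVtbyIsImVtYWlsIjoibXBkZW1vQHN0YXJraW50ZXJuYXRpb25hbC5jb20ifQ"
    ".TAgwCENsVF9bug3TbvjB-KD_kT3AfLDduK_vQ-1Gp5ejeDLRVcppktXpIWe1jhJTKmqXIwL48S636BYrP35iNmlJLGIxm706o-BU6SO8IJND_OJdfbCdkUrekcGTS8k5B2D_idQnnl-DcwKJs0Mqv8q_XD2XqCTAu1nTKsrTlFn6QoZ0_-Q_bRsmZ_Rgob5Gf4Vw93I5OnS5zRUV_qi-VEDTEtAO3YlfWdTJXYXYeSGVXTjExw6TikYlcQETolfr-sxhfcPEH5KWQnUw_40hb12Zzxp3DdnJuQ34NKe5vgPNW1Q3geT7YLGYcY1pJFmvLEKxDC5WxRNMp_PFYLYxTA"
)
REALM_PUBLIC_KEY_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhir7PLNN6PafmxEN89tXD+vJGU+Io2QcnyAxw6MzGSYD1Rla3fzIVRBlhbq3rYd8SWcPPZ2i/SAyfnzt3d9KPef+Vp8v3GfuVn2NoutPsxJA/1do+vcW/lT5EDtbl9GQovMvFHE4JbgStdaRLD/4/w90zjbmEU4/J5beiqMAYioJQ5suE7P4N5OulZobPGI0hibQ9lWM03gWocCnP1RtXWfzliQ0F2LqrBJS6GckcRwln/q0sacgK1ZC/XLIty7w88bxV7PXKfgsqROId/1Fl6kJBl6AjdQkJtSQxo+UOW4AJvABg6qvcC0bg1JkzDY0OPEMAm+AhUvdYzxrklvCJwIDAQAB"
AUDIENCE = "vanilla"  # the client id carried in the token's own aud claim
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix, RFC 8017 9.2


def b64url_decode(text):
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def to_pem(spki_b64):
    """Wrap the console's bare base64 in the PEM envelope that jwt.io and most JWT libraries expect."""
    body = "\n".join(spki_b64[i:i + 64] for i in range(0, len(spki_b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def _tlv(buf, pos):
    """Read one DER tag-length-value triple; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(spki_b64):
    """Extract (modulus, exponent) from a DER SubjectPublicKeyInfo that carries an rsaEncryption key."""
    tag, spki, _ = _tlv(base64.b64decode(spki_b64), 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_id, pos = _tlv(spki, 0)                           # AlgorithmIdentifier { OID, NULL }
    if _tlv(alg_id, 0)[1] != bytes.fromhex("2a864886f70d010101"):
        raise ValueError("not an rsaEncryption key")         # OID 1.2.840.113549.1.1.1
    tag, bits, _ = _tlv(spki, pos)                           # BIT STRING; first byte counts unused bits
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsa_key, _ = _tlv(bits, 1)                            # RSAPublicKey { INTEGER n, INTEGER e }
    _, n_bytes, pos = _tlv(rsa_key, 0)
    _, e_bytes, _ = _tlv(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def verify_rs256(token, n, e):
    """RSASSA-PKCS1-v1_5 with SHA-256 over 'header.payload', which is what RS256 means (RFC 7518 3.3)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(sig_b64), "big")
    if sig >= n:
        return False
    em = pow(sig, e, n).to_bytes(k, "big")
    digest = hashlib.sha256(f"{header_b64}.{payload_b64}".encode("ascii")).digest()
    padding = b"\xff" * (k - 3 - len(SHA256_DIGEST_INFO) - len(digest))
    # Compare the entire encoded message: lenient padding checks have let forged signatures through
    # real implementations, so never just look for the hash at the end.
    return em == b"\x00\x01" + padding + b"\x00" + SHA256_DIGEST_INFO + digest


def decode_token(token):
    """Header and claims without verification; trust nothing here until verify_rs256 succeeds."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def validate(token, spki_b64, issuer, audience, now=None):
    """Return the list of failed checks a resource server must make (empty means the token is good)."""
    header, claims = decode_token(token)
    failures = []
    if header.get("alg") != "RS256":                         # the token must not choose the algorithm
        failures.append("alg")
    elif not verify_rs256(token, *parse_rsa_spki(spki_b64)):
        failures.append("signature")
    if claims.get("iss") != issuer:
        failures.append("iss")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        failures.append("aud")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        failures.append("exp")
    if now < claims.get("nbf", 0):
        failures.append("nbf")
    return failures


if __name__ == "__main__":
    header, claims = decode_token(TOKEN)
    print(to_pem(REALM_PUBLIC_KEY_B64), "kid:", header["kid"], "issuer:", claims["iss"])
    print("at issue time:", validate(TOKEN, REALM_PUBLIC_KEY_B64, claims["iss"], AUDIENCE, now=claims["iat"] + 60))
    print("today:", validate(TOKEN, REALM_PUBLIC_KEY_B64, claims["iss"], AUDIENCE))
```

Run today the token fails only on exp: Keycloak issued it with a five minute lifetime (exp minus iat is 300 seconds), so a token pasted into any debugger also has to be checked for expiry, not just for its signature.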
From akash_agrawal at yahoo.co.uk Wed Feb 1 18:00:47 2017
From: akash_agrawal at yahoo.co.uk (akash agrawal)
Date: Wed, 1 Feb 2017 23:00:47 +0000 (UTC)
Subject: [keycloak-user] Getting Access token over REST API
References: <1445092911.665614.1485990047630.ref@mail.yahoo.com>
Message-ID: <1445092911.665614.1485990047630@mail.yahoo.com>

Hi,
I am evaluating Keycloak for our Identity management needs. We have a collection of REST APIs which we want to secure using OAuth/OpenIdConnect.
I am looking over Keycloak documentation to determine if a client application can call a REST endpoint (production grade) to get the access token. Are there other alternatives to get an access token? Using the KeyCloak user interface to log in and get an access token is not an option.
Appreciate your help. Thanks.
Akash

From dev.ebondu at gmail.com Thu Feb 2 04:28:16 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Thu, 2 Feb 2017 02:28:16 -0700 (MST)
Subject: [keycloak-user] Angular 2 with Webpack
In-Reply-To:
References: <1485876734180-2545.post@n6.nabble.com> <0E093F6E-110C-494E-990C-8ACB834BFEAD@n-k.de> <1485943294984-2553.post@n6.nabble.com> <1485963870680-2560.post@n6.nabble.com>
Message-ID: <1486027696642-2568.post@n6.nabble.com>

@Brian
I think you are trying to access these vars *before* the Keycloak component has been initialized.
The global approach is to use Observables to be notified when states have been updated.

For example, to get the user data, you should subscribe to the "authenticatedObserver" and then use the "tokenParsed" field which contains the decoded JWT:

Keycloak.authenticatedObs.subscribe(auth => {
    if (auth) {
        console.info(Keycloak.tokenParsed.given_name);
    }
});

I will try to provide a basic example and a more detailed documentation soon.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2568.html
Sent from the keycloak-user mailing list archive at Nabble.com.
From lists at merit.unu.edu Thu Feb 2 09:03:40 2017
From: lists at merit.unu.edu (mj)
Date: Thu, 2 Feb 2017 15:03:40 +0100
Subject: [keycloak-user] another small enhancement request for MSAD password mapper
In-Reply-To: <39195464-798a-3c33-35a7-6a038c68df81@redhat.com>
References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu> <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> <59423d06-b531-9dc5-badd-765b12430713@redhat.com> <9e361e28-9ff6-7ce8-9c7d-8d10639eb251@merit.unu.edu> <39195464-798a-3c33-35a7-6a038c68df81@redhat.com>
Message-ID: <82832778-81ce-76ab-c90c-ea034c09ac7e@merit.unu.edu>

Hi Marek, list,

On 01/27/2017 12:52 PM, Marek Posolda wrote:
> Actually we don't test and officially support Samba AD, just the MSAD.
> We may add that in the future though as there are more people asking for
> that, but each LDAP vendor adds some overhead for testing etc...

An update on the above: We are now collecting quotations on making samba's output compatible with MSAD in the case of "NT_STATUS_PWD_MUST_CHANGE". So with a bit of luck, future samba will behave just like MSAD in that case.

There is another question that we have: Is keycloak supposed to import the pwdLastSet field for a user, in the case of an MSAD backend? If keycloak imports that field, it would be able to enforce keycloak's own password max age policy also on MSAD federated accounts. Password age adherence is such a vital bit of functionality, to make keycloak a viable competitor of Microsoft's own AD federation services.
MJ

From scope022 at gmail.com Thu Feb 2 10:52:22 2017
From: scope022 at gmail.com (Brian Schofield)
Date: Thu, 2 Feb 2017 09:52:22 -0600
Subject: [keycloak-user] Angular 2 with Webpack
In-Reply-To: <1486027696642-2568.post@n6.nabble.com>
References: <1485876734180-2545.post@n6.nabble.com> <0E093F6E-110C-494E-990C-8ACB834BFEAD@n-k.de> <1485943294984-2553.post@n6.nabble.com> <1485963870680-2560.post@n6.nabble.com> <1486027696642-2568.post@n6.nabble.com>
Message-ID:

@ebondu I was trying to extract the info in a callback. Let me know when you push some big changes; I can help test within my project (I'll keep the branch open).

@keycloak-user I had to pivot to accomplish integration before end of sprint so I figured out how to get keycloak-js working within a Typescript project using webpack at 1.14.0. Modified a few lines of code within a demo example:

https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular2-product-app/src/main/webapp/app

If anyone is interested in how to accomplish this please feel free to message; it's actually pretty simple and allows you to get away from script tags on your index.html and bundle the keycloak adapter naturally. (If I get some free time I'll see if I can publish a demo with webpack.)

On Thu, Feb 2, 2017 at 3:28 AM, ebondu wrote:

--
Brian Schofield

From scottpelliott at gmail.com Thu Feb 2 11:18:30 2017
From: scottpelliott at gmail.com (Scott Elliott)
Date: Thu, 02 Feb 2017 16:18:30 +0000
Subject: [keycloak-user] Additional attributes for an authorization request
Message-ID:

Would there be any way to pass additional attributes (say, something from a REST API call's headers or body) to an authorization request, and access it in a Javascript or rules based policy? I see that what is available in the Evaluation API currently is pretty limited.

From mailamitarora at gmail.com Thu Feb 2 11:31:40 2017
From: mailamitarora at gmail.com (Amit Arora)
Date: Thu, 2 Feb 2017 11:31:40 -0500
Subject: [keycloak-user] setOTPEnabled
Message-ID:

In 2.2.0, I was using setOTPEnabled to enable and disable totp verification at run time. It seems in 2.5.0 this method is not available; do we have any way to have this functionality?

I can see a usercredentialmanager having a method disableCredentials; it seems I can use this to disable the totp verification but there is no counterpart to enable it.

Can anyone give a hint?

From keijo.korte at kvak.net Thu Feb 2 12:04:31 2017
From: keijo.korte at kvak.net (keijo.korte at kvak.net)
Date: Thu, 02 Feb 2017 19:04:31 +0200
Subject: [keycloak-user] Keycloak admin-panel. Infinite loop.
In-Reply-To: <7c25bdddae4206ed569bce718cdc7ff3@kvak.net>
References: <7c25bdddae4206ed569bce718cdc7ff3@kvak.net>
Message-ID: <759a9d9082d45f81b821d1a526f9fbd2@kvak.net>

Hi,

Setup:
OS: Centos 6.8
Keycloak version, 2.5.1-FINAL
httpd version 2.2.15

I have configured httpd as an SSL off-loading reverse proxy for the Keycloak server. The proxy and the Keycloak are on different servers.
Basically everything works fine, but I can't log in because I am being redirected back to square one all the time.

Here is the flow:

GET https://idp.xxx.net/auth/admin/

GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_mode=fragment&response_type=code&scope=openid

POST https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6

GET https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946

GET lots of resources: /config, login-status-iframe.html, /token, /messages.json and so on

GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&response_mode=fragment&response_type=code&scope=openid

and the same thing from the start. Forever.

httpd configuration for SSL:

*****
ServerName idp.xxx.net
ServerAdmin webmaster at xxx.net
DocumentRoot /var/www/html/

Order deny,allow
Allow from all
Options FollowSymLinks
AllowOverride None

Order deny,allow
Allow from all

ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
ProxyPreserveHost on
ProxyPass / http://172.16.22.12:8080/ keepalive=On
ProxyPassReverse / http://172.16.22.12:8080/
+ lots of cipher suite settings and so on.
*****

WildFly configuration:

*****
....
*****

Does someone have some kind of clue why I am being redirected?
First I thought that this was some kind of http/https redirect problem, but when I enabled requestdumper @ wildfly I can see that everything is HTTPS.

*****
----------------------------REQUEST---------------------------
URI=/
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
header=Accept-Language=en-US,en;q=0.5
header=Accept-Encoding=gzip, deflate, br
header=X-Forwarded-Server=idp.xxx.net
header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:51.0) Gecko/20100101 Firefox/51.0
header=Connection=Keep-Alive
header=X-Forwarded-Proto=https
header=X-Forwarded-Port=443
header=X-Forwarded-For=88.12.13.14
header=Upgrade-Insecure-Requests=1
header=Host=idp.xxx.net
header=X-Forwarded-Host=idp.xxx.net
locale=[en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=88.12.13.14:0
remoteHost=88.12.13.14
scheme=https
host=idp.xxx.net
serverPort=443
*****

-Keijo

From bburke at redhat.com Thu Feb 2 12:48:15 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 2 Feb 2017 12:48:15 -0500
Subject: [keycloak-user] setOTPEnabled
In-Reply-To:
References:
Message-ID: <35b456df-ae0e-97d9-98a4-e4eaf3ee5cfc@redhat.com>

OTP is removed when disabled, it has to be reconfigured. Why do you want to toggle OTP for the user?

On 2/2/17 11:31 AM, Amit Arora wrote:
From max.catarino at rps.com.br Thu Feb 2 13:37:17 2017
From: max.catarino at rps.com.br (max.catarino at rps.com.br)
Date: Thu, 02 Feb 2017 16:37:17 -0200
Subject: [keycloak-user] keycloak-user Digest, Vol 38, Issue 3
In-Reply-To:
References:
Message-ID: <5c8cee5ee574bacbec668e8fb15f2440@rps.com.br>

Yes, it is possible.

http://lists.jboss.org/pipermail/keycloak-user/2016-April/005869.html

> Date: Wed, 1 Feb 2017 23:00:47 +0000 (UTC)
> From: akash agrawal
> Getting Access token over REST API

From andrewrdwyer at gmail.com Thu Feb 2 16:47:54 2017
From: andrewrdwyer at gmail.com (andrew dwyer)
Date: Fri, 3 Feb 2017 08:17:54 +1030
Subject: [keycloak-user] Add local user instead of federated user
Message-ID:

Hi,

I'm wondering if there is a way to add a local user to a realm with an existing LDAP User Federation link. At the moment when I attempt to add a user via the web admin console Keycloak thinks I want to add the user to LDAP and fails with the error "Registration is not supported by this ldap server".

This is to support the small percentage of our users who aren't in our corporate LDAP directory. My fall back solution may be to write a simple alternative provider or set up an LDAP server under our control to add to the provider list.
https://keycloak.gitbooks.io/server-developer-guide/content/topics/user-storage/simple-example.html

Thanks

Andrew Dwyer

From mposolda at redhat.com Fri Feb 3 02:32:36 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 3 Feb 2017 08:32:36 +0100
Subject: [keycloak-user] Add local user instead of federated user
In-Reply-To:
References:
Message-ID: <5df59e3d-ee7c-84cc-4fe5-0cd54b5a8f42@redhat.com>

Hi,

if you set "Sync Registrations" of your LDAP provider to "off", then Keycloak won't attempt to register new users into LDAP. It will register them just to the local DB.

Marek

On 02/02/17 22:47, andrew dwyer wrote:

From sthorger at redhat.com Fri Feb 3 03:32:37 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Feb 2017 09:32:37 +0100
Subject: [keycloak-user] Keycloak admin-panel. Infinite loop.
In-Reply-To: <759a9d9082d45f81b821d1a526f9fbd2@kvak.net>
References: <7c25bdddae4206ed569bce718cdc7ff3@kvak.net> <759a9d9082d45f81b821d1a526f9fbd2@kvak.net>
Message-ID:

Is everything working fine if you go directly to the Keycloak server?
Someone reported a similar issue a few weeks ago and it turned out to be an issue in the proxy setup. I can't remember the details, but maybe you can find it on http://www.keycloak.org/search.html

On 2 February 2017 at 18:04, wrote:
> WildFly configuration:
>
> *****
> proxy-address-forwarding="true" socket-binding="http"
> redirect-socket="proxy-https"/>
> ....
> default-interface="any"
> port-offset="${jboss.socket.binding.port-offset:0}">
> port="${jboss.management.http.port:9990}"/>
> port="${jboss.management.https.port:9993}"/>
> *****
>
> -Keijo

From sthorger at redhat.com Fri Feb 3 03:35:18 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Feb 2017 09:35:18 +0100
Subject: [keycloak-user] Client setup recommandation
In-Reply-To:
References:
Message-ID:

It's all controlled by the session and there is no way to get tokens that work for longer. Issuing offline tokens to a web application would be a really bad idea. If you want users to remain authenticated set the idle to a higher value. That's it.

On 25 January 2017 at 15:09, David Delbecq wrote:
> Hello,
>
> we have a javascript web application we are migrating to keycloak. I am not
> sure what the recommendations are on setting up configuration for that
> client with the following requirements:
>
> Once the user triggers the "login" and gets keycloak authenticated, we should
> get a bearer token to use later on REST services.
> The user should not be requested again to login, unless he logs out.
> Even if he closes his browser. So we need a way to keep or replace the token on a
> regular basis. Is there some keycloak REST service we can poll on a regular
> basis for this?
> Sometimes the user goes "off grid" (no network communication) for several
> hours. How can we ensure we still keep logged in?
>
> My first idea was to just increase the SSO timeout and token validity to 30
> days. But it seems like a bad idea from my reading of keycloak
> documentation. So I tried to use an offline token instead, but it seems the
> implicit flow doesn't allow you to get an offline token. All tokens I get
> after login are marked as expiring within 15 minutes.
>
> What's the recommended way to get a long lived refresh token, using implicit
> flow?
> --
>
> David Delbecq
> Software engineer, Transport & Logistics
> Geldenaaksebaan 329, 1st floor | 3001 Leuven
> +32 16 391 121 Direct
> david.delbecq at trimbletl.com

From sthorger at redhat.com Fri Feb 3 03:36:53 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Feb 2017 09:36:53 +0100
Subject: [keycloak-user] Authentication via client certificate
In-Reply-To:
References:
Message-ID:

We don't support authentication via certificates at the moment, but we have a PR for authenticating users via certificates and it would be a natural addition to authenticate clients as well. Take a look at https://github.com/keycloak/keycloak/pull/3167

On 26 January 2017 at 15:12, FREIMUELLER Christian <Christian.FREIMUELLER at frequentis.com> wrote:
> Dear all,
>
> I've a hopefully short question regarding authentication in Keycloak.
>
> Is there an already built in mechanism to authenticate against Keycloak
> via client certificate?
>
> If yes, how can I configure it?
> Are there any examples in the showcase regarding client certificates?
>
> If no, how can I implement and configure it?
>
> - I guess implementing the Authentication SPI and registering it in
> Keycloak as an alternative flow?
>
> Best regards,
> Christian

From sthorger at redhat.com Fri Feb 3 03:38:01 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Feb 2017 09:38:01 +0100
Subject: [keycloak-user] Exception on realm import
In-Reply-To:
References:
Message-ID:

Seems like a bug - can you create a JIRA and include steps (including realm import files) to reproduce?

On 26 January 2017 at 16:32, David Delbecq wrote:
> Hello,
>
> I tried to use the import feature to import preconfigured clients & roles
> from the dev environment to production, but I get an exception during the
> import. I go to the realm -> import, select file, realm to import, check
> import client and check import client roles, set to overwrite. I get an
> error "*Error!* javax.persistence.PersistenceException:
> org.hibernate.exception.ConstraintViolationException: could not execute
> statement"
>
>
> Any workaround / suggestion? It seems related to a client role named
> "authenticated" but not sure it's not just failing on the first client role of
> the file.
>
> Here is the server stack trace:
>
> 2017-01-26 15:29:29,718 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-31) SQL Error: 23505, SQLState: 23505
> 2017-01-26 15:29:29,718 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-31) Unique index or primary key violation: "UK_J3RWUVD56ONTGSUHOGM184WW2-2_INDEX_A ON PUBLIC.KEYCLOAK_ROLE(NAME, CLIENT_REALM_CONSTRAINT) VALUES ( /* key:280 */ null, '36da85fb-076c-4403-aafc-b2226cf69bcb', null, null, 'authenticated', null, null, null, null)"; SQL statement:
> insert into KEYCLOAK_ROLE (CLIENT, CLIENT_REALM_CONSTRAINT, CLIENT_ROLE, DESCRIPTION, NAME, REALM, REALM_ID, SCOPE_PARAM_REQUIRED, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-173]
> 2017-01-26 15:29:29,719 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-31) HHH000010: On release of batch it still contained JDBC statements
> 2017-01-26 15:29:29,719 ERROR [org.keycloak.services] (default task-31) KC-SERVICES0038: Error importing roles: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
> Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
> Caused by: org.hibernate.exception.ConstraintViolationException: could not execute statement
> Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "UK_J3RWUVD56ONTGSUHOGM184WW2-2_INDEX_A ON PUBLIC.KEYCLOAK_ROLE(NAME, CLIENT_REALM_CONSTRAINT) VALUES ( /* key:280 */ null, '36da85fb-076c-4403-aafc-b2226cf69bcb', null, null, 'authenticated', null, null, null, null)"; SQL statement:
> insert into KEYCLOAK_ROLE (CLIENT, CLIENT_REALM_CONSTRAINT, CLIENT_ROLE, DESCRIPTION, NAME, REALM, REALM_ID, SCOPE_PARAM_REQUIRED, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-173]
>
> --
>
> David Delbecq
> Software engineer, Transport & Logistics
> Geldenaaksebaan 329, 1st floor | 3001 Leuven
> +32 16 391 121 Direct
> david.delbecq at trimbletl.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Feb 3 03:41:05 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Feb 2017 09:41:05 +0100
Subject: [keycloak-user] Response CORS Headers
In-Reply-To:
References:
Message-ID:

I don't know what the issue is as there are no application specific urls in the well-known configuration. It is static information about the Keycloak server.

On 26 January 2017 at 16:48, Eriksson Fabian wrote:

> Hello!
>
> We are currently facing a problem with CORS headers and the theme cache
> settings found in standalone/configuration/standalone.xml. We have two
> applications using the same realm. When logging in to the first application
> we first call /auth/realms/${realm-name}/.well-known/openid-configuration
> to find the OIDC configuration; the browser first does an OPTIONS request,
> the response shows the correct access-control-allow-origin header,
> and the header is cached for as long as staticMaxAge is set to. But
> when we try to log in to the second application the response headers that
> were cached are used and we get the wrong access-control-allow-origin header
> (still pointing to the first application URL).
>
> Our question is: can we configure only this endpoint
> (.../.well-known/openid-configuration) to have a no-cache header but
> leave the rest of the application cached?
>
> BR
> Fabian Eriksson
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Feb 3 03:43:11 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Feb 2017 09:43:11 +0100
Subject: [keycloak-user] OAuth token introspection
In-Reply-To:
References:
Message-ID:

1. Looks like a bug and it simply has the wrong name.
2. Scope is optional and we don't support this at the moment.

On 27 January 2017 at 05:52, Jason B wrote:

> Hi,
>
> I am trying to understand the OAuth 2.0 capabilities of the Keycloak server and
> I have a few questions with respect to the implementation of the OAuth
> introspection spec.
>
> This is what a sample introspection response looks like:
>
> {
>   "jti": "7e0a2c4b-9725-432b-a0fd-594f21686108",
>   "exp": 1485492229,
>   "nbf": 0,
>   "iat": 1485491929,
>   "iss": "http://localhost:8080/auth/realms/nkadali",
>   "aud": "proxy",
>   "sub": "e89175d5-94fd-453a-8abb-9953d59d04cf",
>   "typ": "Bearer",
>   "azp": "proxy",
>   "auth_time": 1485487408,
>   "session_state": "c05ea410-6f0a-458d-9b2c-debafba732b7",
>   "name": "",
>   "preferred_username": "jason",
>   "acr": "0",
>   "client_session": "5d761332-97eb-404d-8624-3de4eca967cd",
>   "allowed-origins": [],
>   "realm_access": {
>     "roles": [
>       "uma_authorization"
>     ]
>   },
>   "resource_access": {
>     "account": {
>       "roles": [
>         "manage-account",
>         "view-profile"
>       ]
>     }
>   },
>   "client_id": "proxy",
>   "username": "jason",
>   "active": true
> }
>
> I have two questions based on this response.
>
> 1. According to OAuth 2.0 Token Introspection
> (https://tools.ietf.org/html/rfc7662) the JSON response body may contain a
> "token_type" member. But why is Keycloak representing "token_type" as
> "typ"? Is there any specific reason?
> 2. I don't see any "scope" attribute in the response body even though I
> supplied the scope parameter while requesting the access token.
> Any idea on how to get the scopes associated with the supplied access token?
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Feb 3 03:44:00 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Feb 2017 09:44:00 +0100
Subject: [keycloak-user] Strange behavior upon the RP initiated logout
In-Reply-To:
References:
Message-ID:

Upgrade to the latest version and this should be fixed.

On 1 February 2017 at 11:17, Known Michael wrote:

> Hey,
>
> I successfully integrated mod_auth_openidc with Keycloak:
>
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/mod-auth-openidc.html
>
> In addition to the master realm we use our own realm.
>
> I have strange behavior upon the RP initiated logout.
>
> When I access the RP logout URL it redirects to Keycloak using the logout endpoint
> (https:///auth/realms/realm/protocol/openid-connect/logout) as
> described here:
> https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management#logout
>
> Unfortunately, Keycloak redirects me to the "Session not active" error
> string when I press logout after a couple of minutes of work.
> The logout is successful if I press the logout button 1 or 2
> minutes after the login.
>
> I have tried to debug Keycloak and I have found the following:
>
> TokenManager, in the function
> org.keycloak.protocol.oidc.TokenManager#verifyIDToken, calls JsonWebToken
> and finds that the token is expired
> (org.keycloak.representations.JsonWebToken#isExpired).
>
> It is caused by the expiration of the token being very short (a couple of
> minutes).
>
> Questions:
>
> 1) How do I configure the token expiration?
> I have increased "SSO Session Idle"
> to 90 minutes but it does not change the
> token expiration (it remains short)
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sessions/timeouts.html
>
> 2) Why can't logout work after a couple of minutes?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Feb 3 03:47:29 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Feb 2017 09:47:29 +0100
Subject: [keycloak-user] How explicitly enable session management in Keycloak?
In-Reply-To:
References:
Message-ID:

There's some fixes to the RP iframe coming in 2.5.4 which will be out in a week or two. There was an issue with it expecting a "session_state" value that wasn't equal to the value from the tokens. You can try building master if you'd like to try it out in advance.

On 1 February 2017 at 16:59, Known Michael wrote:

> Hey,
>
> I use mod_auth_openidc version "2.1.2", Keycloak version "2.4.0"
>
> I was not able to implement the session management using OP and RP frames
> as described here:
>
> https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management
>
> I see in the mod_auth_openidc logs the following:
>
> [Wed Feb 01 14:12:54 2017] [debug] src/mod_auth_openidc.c(1556): [client 192.168.111.33] oidc_save_in_session: session management disabled: session_state ((null)) and/or check_session_iframe (https://localhost/auth/realms/realm/protocol/openid-connect/login-status-iframe.html) is not provided, referer: https://192.168.110.2/auth/realms/realm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=httpd_192.168.110.2&state=i1YQ39FbBLSCTRyIgEN-F9CdDH4&redirect_uri=https%3A%2F%2F192.168.110.2%2Fprotected%2Fredirect_uri&nonce=0VJ7AO-QBaxVaUBL9goen7muN4Oka1dP_1iPEQ43o-M
>
> It looks like the session management is disabled because the Provider did
> not return a session_state parameter in the authentication response (which
> in its turn can be verified via the referer URL in the same log entry) as
> the spec dictates:
> https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
>
> How should I configure Keycloak to explicitly enable session management?
> It should start returning session_state in the authentication responses.
>
> I see that it is implemented already
> (https://issues.jboss.org/browse/KEYCLOAK-451) but probably I am missing
> something.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Feb 3 03:51:18 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Feb 2017 09:51:18 +0100
Subject: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?
In-Reply-To: <1654312768.15836738.1485983744324.JavaMail.zimbra@redhat.com>
References: <814704590.15814612.1485978634648.JavaMail.zimbra@redhat.com> <537256552.15827936.1485981767362.JavaMail.zimbra@redhat.com> <1654312768.15836738.1485983744324.JavaMail.zimbra@redhat.com>
Message-ID:

jwt.io is a bit odd, but it does work. To get it to work do the following:

* Select RS256 for the algorithm - they could detect this from the token, but they don't
* In the "verify signature" box paste the realm public key pem in-between the lines "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" (you need to keep the header/footer otherwise jwt.io doesn't decrypt the key correctly)
* Paste the token

Now it should work.

On 1 February 2017 at 22:15, Scott Stark wrote:

> I was able to verify the token using the com.auth0 JWT library, so there
> must be something amiss with the web interface to the debugger. FYI, this
> is the little program I put together to do the verification:
>
> import java.security.KeyFactory;
> import java.security.interfaces.RSAKey;
> import java.security.spec.X509EncodedKeySpec;
> import java.util.Base64;
>
> import com.auth0.jwt.JWT;
> import com.auth0.jwt.JWTVerifier;
> import com.auth0.jwt.algorithms.Algorithm;
> import com.auth0.jwt.interfaces.Claim;
>
> public class VerifyJWT {
>     public static void main(String[] args) throws Exception {
>         // Access token as obtained from k_query_bearer_token (one literal,
>         // wrapped here for mail)
>         String token = "eyJhbGciOiJSUzI1NiIsInR5cCIgOi"
>             + "AiSldUIiwia2lkIiA6ICJGeFZlX1pUTHBoU0JrMGZMSDBmaDltUWY1OWkzNn"
>             + "VXOFBDeFFvWkE4eHdvIn0.eyJqdGkiOiJlYzI2NDhhYS1jNTdmLT"
>             + "RhZGEtYTZlMi03ZjU4ZTBmOTIyZjQiLCJleHAiOjE0ODU5ODM2NDMsIm5iZi"
>             + "I6MCwiaWF0IjoxNDg1OTgzMzQzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0Oj"
>             + "gxODAvYXV0aC9yZWFsbXMvTWljcm9wcm9maWxlIiwiYXVkIjoidmFuaWxsYS"
>             + "IsInN1YiI6IjhjM2Y1ZTRiLWZiM2EtNDZiYS04ODk5LTQyNTNkNzQzMGI4Zi"
>             + "IsInR5cCI6IkJlYXJlciIsImF6cCI6InZhbmlsbGEiLCJhdXRoX3RpbWUiOj"
>             + "E0ODU5ODE4NDAsInNlc3Npb25fc3RhdGUiOiJkZDg5MjU4Yy1iMjRmLTQ0ZW"
>             + "UtYWJhZS00NWJmZjNhMTI4NmIiLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb2"
>             + "4iOiI5ZDA2ZmY2NS1kMWIwLTQ2ZWYtYjJlYi05NmVmY2Y3ZjJjZGQiLCJhbG"
>             + "xvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MDgwIl0sInJlYW"
>             + "xtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicm"
>             + "Vzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLW"
>             + "FjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJuYW1lIjoiTWljcm9wcm9maW"
>             + "xlIERlbW8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkZW1vIiwiZ2l2ZW5fbm"
>             + "FtZSI6Ik1pY3JvcHJvZmlsZSIsImZhbWlseV9uYW1lI"
>             + "joiRGVtbyIsImVtYWlsIjoibXBkZW1vQHN0YXJraW50ZXJuYXRpb25hbC5jb20ifQ."
>             + "YsoInnbkrPRyvauYsf5P5BePuPFFCyWBKz3TfP9FyeArp2bYyOzDusTEPCqh"
>             + "Sx3-yYGsPxlVmsdu7LNonLs-rCXPki3uP3WAiSiyla4NXcBwly2kzM4EyO_"
>             + "J8CO9d4SqGEY8HDwTIga5E55KEOoYqOkGtj2pirIo8tlPa4SW2vwttvxix2z"
>             + "MOeyD50vZDAD3laVBzGsc07GMdFKvj4B0ZfUBM-l-92HB1xMWNNc1d-"
>             + "xbrLq8rKXyYeobU4bC4_WxHJOlOco-Z_60lD0z9vtmpaCpyOkq26V4Ygunhzd-"
>             + "36ofKdiYBjNURaB3SNc4l5OFZLCM12nkM_bb3_kO538Zyw";
>         // Decode the header without verifying, just to see what the token claims
>         JWT jwt = JWT.decode(token);
>         Claim alg = jwt.getHeaderClaim("alg");
>         System.out.printf("alg: %s\n", alg.asString());
>         Claim type = jwt.getHeaderClaim("typ");
>         System.out.printf("typ: %s\n", type.asString());
>         Claim kid = jwt.getHeaderClaim("kid");
>         System.out.printf("kid: %s\n", kid.asString());
>
>         // Realm public key as shown in Realm Settings / Keys (base64 SPKI,
>         // without the PEM header/footer)
>         String key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ"
>             + "8AMIIBCgKCAQEAhir7PLNN6PafmxEN89tXD+vJGU+Io2QcnyAxw6MzGSYD1Rla3fzIVRBlh"
>             + "bq3rYd8SWcPPZ2i/SAyfnzt3d9KPef+Vp8v3GfuVn2NoutPsxJA/1do+vcW/"
>             + "lT5EDtbl9GQovMvFHE4JbgStdaRLD/4/w90zjbmEU4/J5beiqMAYioJQ5suE7P4N5OulZobPG"
>             + "I0hibQ9lWM03gWocCnP1RtXWfzliQ0F2LqrBJS6GckcRwln/q0sacgK1ZC/"
>             + "XLIty7w88bxV7PXKfgsqROId/1Fl6kJBl6AjdQkJtSQxo+"
>             + "UOW4AJvABg6qvcC0bg1JkzDY0OPEMAm+AhUvdYzxrklvCJwIDAQAB";
>         byte[] byteKey = Base64.getDecoder().decode(key.getBytes());
>         X509EncodedKeySpec X509publicKey = new X509EncodedKeySpec(byteKey);
>         KeyFactory kf = KeyFactory.getInstance("RSA");
>
>         RSAKey publicKey = (RSAKey) kf.generatePublic(X509publicKey);
>         // Verify the RS256 signature and pin the expected issuer
>         JWTVerifier verifier = JWT.require(Algorithm.RSA256(publicKey))
>             .withIssuer("http://localhost:8180/auth/realms/Microprofile")
>             .build();
>         verifier.verify(token); // throws if the signature, issuer or expiry is wrong
>     }
>
> }
>
>
> ----- Original Message -----
> From: "Scott Stark"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, February 1, 2017 12:42:47 PM
> Subject: Re: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?
>
> I was able to find the public key from the Realm Settings/Keys section of
> the admin console, but I'm not able to get the signature to verify on the
> https://jwt.io debugger.
>
> For example, this token and public key won't work to verify the signature:
>
> ----- Original Message -----
> From: "Scott Stark"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, February 1, 2017 11:50:34 AM
> Subject: [keycloak-user] k_query_bearer_token, is there a way to query the associated public key?
>
> So I can query the current access token via myapp-root/k_query_bearer_token
> when expose-token is set to true, but is there a way to query the public
> key associated with the signature portion of the token?
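Stian's recipe above (RS256, realm key pasted between the PEM header and footer) as an added Go example; this is not Scott's program or Keycloak's code. It wraps the bare base64 key from Realm Settings -> Keys in a PEM envelope, parses it, and verifies a token's signature, issuer and nbf/exp window; the key pair, the token and the realm URL are constructed in the demo, and a bare key without the BEGIN/END lines is rejected, which is the jwt.io failure Stian describes.

```go
// Added example, not Scott's program or Keycloak code: verify a Keycloak RS256
// token with the realm public key from the admin console (Realm Settings -> Keys).
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RealmKeyToPEM puts the bare base64 SPKI string shown in the console between
// the -----BEGIN/END PUBLIC KEY----- lines that jwt.io and PEM parsers need.
func RealmKeyToPEM(rawBase64 string) (string, error) {
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(rawBase64), ""))
	if err != nil {
		return "", fmt.Errorf("realm key is not valid base64: %w", err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// ParseRealmKey parses the PEM text; a bare key without header/footer yields
// no PEM block, which is the failure Stian describes on jwt.io.
func ParseRealmKey(pemText string) (*rsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY block: keep the BEGIN/END lines around the key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if rsaKey, ok := key.(*rsa.PublicKey); err == nil && ok {
		return rsaKey, nil
	}
	return nil, fmt.Errorf("realm key is not an RSA SPKI key: %v", err)
}

// Claims is the subset of the Keycloak payload checked here.
type Claims struct {
	Iss               string `json:"iss"`
	Exp               int64  `json:"exp"`
	Nbf               int64  `json:"nbf"`
	PreferredUsername string `json:"preferred_username"`
}

// VerifyToken pins alg to RS256, checks the PKCS#1 v1.5 / SHA-256 signature
// over "header.payload", then the issuer and the nbf/exp window at time now.
func VerifyToken(token string, key *rsa.PublicKey, issuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must be header.payload.signature")
	}
	dec := base64.RawURLEncoding.DecodeString // JWT parts are unpadded base64url
	hb, errH := dec(parts[0])
	pb, errP := dec(parts[1])
	sig, errS := dec(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, errors.New("token parts are not base64url")
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if err := json.Unmarshal(hb, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q, want RS256", hdr.Alg) // the token must not choose the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil || c.Iss != issuer {
		return nil, fmt.Errorf("payload rejected: iss=%q, want %q", c.Iss, issuer)
	}
	if t := now.Unix(); t >= c.Exp || t < c.Nbf {
		return nil, errors.New("token outside its nbf/exp window")
	}
	return &c, nil
}

// MintDemoToken signs a constructed payload so the example runs offline; a real
// token would come from Keycloak (e.g. via k_query_bearer_token).
func MintDemoToken(priv *rsa.PrivateKey, payloadJSON string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body := base64.RawURLEncoding.EncodeToString([]byte(payloadJSON))
	digest := sha256.Sum256([]byte(hdr + "." + body))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return hdr + "." + body + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	consoleKey := base64.StdEncoding.EncodeToString(der) // bare key as the console shows it
	pemText, _ := RealmKeyToPEM(consoleKey)
	pub, _ := ParseRealmKey(pemText)
	issuer := "http://localhost:8180/auth/realms/Microprofile" // assumed realm URL
	token := MintDemoToken(priv, `{"iss":"`+issuer+`","exp":1485983643,"nbf":0,"preferred_username":"demo"}`)
	claims, err := VerifyToken(token, pub, issuer, time.Unix(1485983343, 0))
	fmt.Println(claims, err)
}
```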
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Feb 3 03:53:40 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 3 Feb 2017 09:53:40 +0100
Subject: [keycloak-user] Getting Access token over REST API
In-Reply-To: <1445092911.665614.1485990047630@mail.yahoo.com>
References: <1445092911.665614.1485990047630.ref@mail.yahoo.com> <1445092911.665614.1485990047630@mail.yahoo.com>
Message-ID:

I would strongly suggest you reconsider and use the Keycloak login as there are many many reasons why that is a better approach. I'm not going to list it again, because I've done that too many times to count. The login page is highly customizable so you can make it look exactly how you like. Any specific reasons why this is not an option?

If you still insist on doing it the "wrong way" then use the OAuth2 resource owner credential grant instead, take a look at https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/oidc-generic.html for more details.

On 2 February 2017 at 00:00, akash agrawal wrote:

> Hi,
> I am evaluating Keycloak for our Identity management needs. We have a
> collection of REST APIs which we want to secure using OAuth/OpenIdConnect.
> I am looking over the Keycloak documentation to determine if a client
> application can call a REST endpoint (production grade) to get the access
> token. Are there other alternatives to get an access token? Using the KeyCloak
> user interface to login and get an access token is not an option.
> Appreciate your help. Thanks.
> Akash
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From keijo.korte at kvak.net Fri Feb 3 04:04:39 2017
From: keijo.korte at kvak.net (keijo.korte at kvak.net)
Date: Fri, 03 Feb 2017 11:04:39 +0200
Subject: [keycloak-user] Keycloak admin-panel. Infinite loop.
In-Reply-To:
References: <7c25bdddae4206ed569bce718cdc7ff3@kvak.net> <759a9d9082d45f81b821d1a526f9fbd2@kvak.net>
Message-ID: <678320d59224396140c9a63dccacd081@kvak.net>

Hi,

Yes, the problem is definitely in the proxy setup, but what is the problem?
I am not so familiar with jboss/wildfly (tomcat is usually my weapon of choice). So I am not sure what I am missing.

And yes, if I create an ssh tunnel to the KC server I can log in and everything is working just like I expected.

I tried the search before I posted the question, but I didn't find the answer.

If the httpd and KC are on the same server everything works. That was my previous setup, but now I want to dedicate one server just for the reverse proxy role.

-Keijo

On 2017-02-03 10:32, Stian Thorgersen wrote:
> Is everything working fine if you go directly to the Keycloak server?
> Someone reported a similar issue a few weeks ago and it turned out to
> be an issue in the proxy setup. I can't remember the details, but
> maybe you can find it on http://www.keycloak.org/search.html
>
> On 2 February 2017 at 18:04, wrote:
>
>> Hi,
>>
>> Setup:
>> OS: Centos 6.8
>> Keycloak version, 2.5.1-FINAL
>> httpd version 2.2.15
>>
>> I have configured httpd as an SSL off-loading reverse proxy for the
>> Keycloak server. The proxy and Keycloak are on different servers.
>> Basically everything works fine, but I can't log in because I am
>> being redirected back to square one all the time.
>>
>> Here is the flow:
>>
>> GET https://idp.xxx.net/auth/admin/
>>
>> GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_mode=fragment&response_type=code&scope=openid
>>
>> POST https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6
>>
>> GET https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946
>>
>> GET lots of resources: /config, login-status-iframe.html, /token, /messages.json and so on
>>
>> GET https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&response_mode=fragment&response_type=code&scope=openid
>>
>> and the same thing from the start. Forever.
>>
>> httpd configuration for SSL:
>>
>> *****
>>
>> ServerName idp.xxx.net
>> ServerAdmin webmaster at xxx.net
>> DocumentRoot /var/www/html/
>>
>> Order deny,allow
>> Allow from all
>> Options FollowSymLinks
>> AllowOverride None
>>
>> Order deny,allow
>> Allow from all
>>
>> ProxyRequests Off
>> RequestHeader set X-Forwarded-Proto "https"
>> RequestHeader set X-Forwarded-Port "443"
>> ProxyPreserveHost on
>> ProxyPass / http://172.16.22.12:8080/ keepalive=On
>> ProxyPassReverse / http://172.16.22.12:8080/
>> + lots of cipher suite settings and so on.
>> *****
>>
>> WildFly configuration:
>>
>> *****
>>
>> proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
>>
>> ....
>>
>> default-interface="any" port-offset="${jboss.socket.binding.port-offset:0}">
>> interface="management" port="${jboss.management.http.port:9990}"/>
>> interface="management" port="${jboss.management.https.port:9993}"/>
>> port="${jboss.http.port:8080}"/>
>> port="${jboss.https.port:8443}"/>
>> port="4712"/>
>>
>> *****
>>
>> Does someone have some kind of clue why I am being redirected?
>> First I thought that this was some kind of http/https redirect problem,
>> but when I enabled the requestdumper @ wildfly I can see that everything
>> is HTTPS.
>>
>> *****
>>
>> ----------------------------REQUEST---------------------------
>> URI=/
>> characterEncoding=null
>> contentLength=-1
>> contentType=null
>> header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> header=Accept-Language=en-US,en;q=0.5
>> header=Accept-Encoding=gzip, deflate, br
>> header=X-Forwarded-Server=idp.xxx.net
>> header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:51.0) Gecko/20100101 Firefox/51.0
>> header=Connection=Keep-Alive
>> header=X-Forwarded-Proto=https
>> header=X-Forwarded-Port=443
>> header=X-Forwarded-For=88.12.13.14
>> header=Upgrade-Insecure-Requests=1
>> header=Host=idp.xxx.net
>> header=X-Forwarded-Host=idp.xxx.net
>> locale=[en_US, en]
>> method=GET
>> protocol=HTTP/1.1
>> queryString=
>> remoteAddr=88.12.13.14:0
>> remoteHost=88.12.13.14
>> scheme=https
>> host=idp.xxx.net
>> serverPort=443
>> *****
>>
>> -Keijo
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rsoares at redhat.com Fri Feb 3 05:47:44 2017
From: rsoares at redhat.com (Rafael T. C. Soares)
Date: Fri, 3 Feb 2017 07:47:44 -0300
Subject: [keycloak-user] Keycloak admin-panel. Infinite loop.
In-Reply-To: <678320d59224396140c9a63dccacd081@kvak.net>
References: <7c25bdddae4206ed569bce718cdc7ff3@kvak.net> <759a9d9082d45f81b821d1a526f9fbd2@kvak.net> <678320d59224396140c9a63dccacd081@kvak.net>
Message-ID: <4d6ef034-8a02-874b-7d55-1f191f4ea6eb@redhat.com>

Are your keycloak server instances (backend) clustered? If yes, confirm that they are replicating/communicating correctly (jgroups/infinispan). Turn on wildfly's TRACE logs for Infinispan/jgroups....

Keycloak does not depend on sticky sessions, so your reverse proxy will load-balance your auth requests randomly between your keycloak servers.
Your keycloak cluster needs to share/replicate auth sessions (the internal Infinispan component in wildfly does that work, if well configured!).

Also, look for a thread in this mailing list history with the subject "/Keycloak 2.2.1 and Apache + mod_cluster/"

___
Rafael T. C. Soares

On 03-02-2017 06:04, keijo.korte at kvak.net wrote:
> Hi,
>
> Yes the problem is definitely on the proxy setup, but what is the problem?
> I am not so familiar with the jboss/wildfly (tomcat is usually my weapon of choice). So I am not sure what I am missing.
>
> And yes, if I create an ssh tunnel to the KC server I can login and everything is working just like I expected.
>
> I tried the search before I posted the question, because I didn't find the answer.
>
> If the httpd and KC are on the same server everything works. That was my previous setup, but now I want to dedicate one server just for the reverse proxy role.
>
> -Keijo
>
> On 2017-02-03 10:32, Stian Thorgersen wrote:
>> Is everything working fine if you go directly to the Keycloak server?
>> Someone reported a similar issue a few weeks ago and it turned out to be an issue in the proxy setup. I can't remember the details, but maybe you can find it on http://www.keycloak.org/search.html
>>
>> On 2 February 2017 at 18:04, wrote:
>>
>>> Hi,
>>>
>>> Setup:
>>> OS: Centos 6.8
>>> Keycloak version, 2.5.1-FINAL
>>> httpd version 2.2.15
>>>
>>> I have configured httpd as an SSL off-loading reverse proxy for the Keycloak server. The proxy and the Keycloak are on different servers.
>>> Basically everything works fine, but I can't log in because I am being redirected back to square one all the time.
>>> >>> Here is the flow: >>> >>> GET https://idp.xxx.net/auth/admin/ [1] >>> >>> GET >>> >> https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_mode=fragment&response_type=code&scope=openid >>> [2] >>> >>> POST >>> >> https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6 >>> [3] >>> >>> GET >>> >> https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946 >>> [4] >>> >>> GET lots of resources: /config, login-status-iframe.html, /token, >>> /messages.json and so on >>> >>> GET >>> >> https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&response_mode=fragment&response_type=code&scope=openid >>> [5] >>> >>> and the same thing from the start. Forever. >>> >>> httpd configuration for SSL: >>> >>> ***** >>> >>> ServerName idp.xxx.net [6] >>> ServerAdmin webmaster at xxx.net >>> DocumentRoot /var/www/html/ >>> >>> Order deny,allow >>> Allow from all >>> Options FollowSymLinks >>> AllowOverride None >>> >>> >>> Order deny,allow >>> Allow from all >>> >>> ProxyRequests Off >>> RequestHeader set X-Forwarded-Proto "https" >>> RequestHeader set X-Forwarded-Port "443" >>> ProxyPreserveHost on >>> ProxyPass / http://172.16.22.12:8080/ keepalive=On >>> ProxyPassReverse / http://172.16.22.12:8080/ >>> + lots of cipher suite setting and so on. 
>>> ***** >>> >>> WildFly configuration: >>> >>> ***** >>> >>> >> proxy-address-forwarding="true" socket-binding="http" >>> redirect-socket="proxy-https"/> >>> >>> >>> >>> >>> >>> >>> >>> .... >>> >>> >> default-interface="any" >>> port-offset="${jboss.socket.binding.port-offset:0}"> >>> >> interface="management" >>> port="${jboss.management.http.port:9990}"/> >>> >> interface="management" >>> port="${jboss.management.https.port:9993}"/> >>> >>> >> port="${jboss.http.port:8080}"/> >>> >>> >> port="${jboss.https.port:8443}"/> >>> >> port="4712"/> >>> >>> >>> >>> >>> >>> >>> ***** >>> >>> Does someone has some kind of clue why I am been redirected? >>> First I think that this was some kind of http/https redirect >>> problem, >>> but when I enabled requestdumper @ wildfly I can see that everything >>> is >>> HTTPS. >>> >>> ***** >>> >>> ----------------------------REQUEST--------------------------- >>> URI=/ >>> characterEncoding=null >>> contentLength=-1 >>> contentType=null >>> >>> >> header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 >>> header=Accept-Language=en-US,en;q=0.5 >>> header=Accept-Encoding=gzip, deflate, br >>> header=X-Forwarded-Server=idp.xxx.net [6] >>> header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS >>> X >>> 10.11; rv:51.0) Gecko/20100101 Firefox/51.0 >>> header=Connection=Keep-Alive >>> header=X-Forwarded-Proto=https >>> header=X-Forwarded-Port=443 >>> header=X-Forwarded-For=88.12.13.14 >>> header=Upgrade-Insecure-Requests=1 >>> header=Host=idp.xxx.net [6] >>> header=X-Forwarded-Host=idp.xxx.net [6] >>> locale=[en_US, en] >>> method=GET >>> protocol=HTTP/1.1 >>> queryString= >>> remoteAddr=88.12.13.14:0 [7] >>> remoteHost=88.12.13.14 >>> scheme=https >>> host=idp.xxx.net [6] >>> serverPort=443 >>> ***** >>> >>> -Keijo >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user [8] >> >> >> Links: 
>> ------
>> [1] https://idp.xxx.net/auth/admin/
>> [2] https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_mode=fragment&response_type=code&scope=openid
>> [3] https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code=zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca-4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6
>> [4] https://idp.xxx.net/auth/admin/master/console/#state=eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946
>> [5] https://idp.xxx.net/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2&response_mode=fragment&response_type=code&scope=openid
>> [6] http://idp.xxx.net
>> [7] http://88.12.13.14:0
>> [8] https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ushanas at gmail.com Fri Feb 3 08:47:20 2017
From: ushanas at gmail.com (Ushanas Shastri)
Date: Fri, 3 Feb 2017 19:17:20 +0530
Subject: [keycloak-user] Scopes auto complete on Resources gets only limited records.
Message-ID:

Hello,

In the resources screen, when we add a new resource and want to select some Scopes, the auto complete gets limited records, which look like page-size chunks from the Scopes screen.

If I have say 50 Scopes, all of which have parts of the word Search, then beyond the initial list, the other scopes don't show up.

Regards, Ushanas.
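The redirect loop in the "Keycloak admin-panel. Infinite loop." thread above is attributed to the proxy setup (Stian recalls a duplicated header; Rafael asks about an unreplicated cluster). As an added diagnostic that is not part of the thread, this Python script parses a WildFly requestdumper output in the format Keijo pasted and flags X-Forwarded-* headers that are duplicated or that disagree with the scheme, host and port the server actually saw; both sample dumps are constructed here, and the second one is a hypothetical broken setup, not the thread's real traffic.

```python
"""Check a WildFly requestdumper-style dump for reverse-proxy header problems.

Behind an SSL off-loading proxy, Keycloak builds redirects and cookies from
what WildFly believes about the request, so the X-Forwarded-* headers set by
the proxy must be present, unambiguous and honoured by the server.
"""
from collections import Counter

# Constructed sample modelled on the consistent dump in the thread: the
# proxy's X-Forwarded-* headers agree with what WildFly reports.
CONSISTENT_DUMP = """\
----------------------------REQUEST---------------------------
URI=/
characterEncoding=null
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
header=X-Forwarded-Server=idp.xxx.net
header=Connection=Keep-Alive
header=X-Forwarded-Proto=https
header=X-Forwarded-Port=443
header=X-Forwarded-For=88.12.13.14
header=Host=idp.xxx.net
header=X-Forwarded-Host=idp.xxx.net
method=GET
protocol=HTTP/1.1
queryString=
scheme=https
host=idp.xxx.net
serverPort=443
"""

# Constructed (hypothetical) broken setup: a second X-Forwarded-Proto was
# added somewhere on the path, and proxy-address-forwarding is not taking
# effect, so WildFly still sees the plain backend scheme and port.
BROKEN_DUMP = """\
----------------------------REQUEST---------------------------
URI=/
header=X-Forwarded-Proto=https
header=X-Forwarded-Proto=http
header=X-Forwarded-Port=443
header=Host=idp.xxx.net
header=X-Forwarded-Host=idp.xxx.net
method=GET
scheme=http
host=idp.xxx.net
serverPort=8080
"""


def parse_dump(text):
    """Split a dump into request fields and an ordered list of headers.

    Headers are kept as (name, value) pairs rather than a dict so that a
    header sent twice is still visible after parsing.
    """
    headers = []
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or "=" not in line:
            continue
        key, _, rest = line.partition("=")
        if key == "header":
            name, _, value = rest.partition("=")  # value may itself contain '='
            headers.append((name.strip(), value.strip()))
        else:
            fields[key] = rest.strip()
    return {"headers": headers, "fields": fields}


def header_values(dump, name):
    """All values of a header; names compare case-insensitively as in HTTP."""
    return [v for n, v in dump["headers"] if n.lower() == name.lower()]


def check_forwarding(dump):
    """Return a list of findings; an empty list means the proxied request is consistent."""
    findings = []
    fields = dump["fields"]

    # A duplicated header leaves the server with an ambiguous forwarded value.
    counts = Counter(n.lower() for n, _ in dump["headers"])
    for name, count in counts.items():
        if count > 1:
            findings.append(f"duplicated header {name}: {header_values(dump, name)}")

    # What WildFly reports must agree with what the proxy forwarded; a mismatch
    # means the header is missing or the server is not honouring it.
    for header, field in (("X-Forwarded-Proto", "scheme"),
                          ("X-Forwarded-Port", "serverPort"),
                          ("X-Forwarded-Host", "host")):
        values = header_values(dump, header)
        seen = fields.get(field)
        if not values:
            findings.append(f"proxy did not set {header}")
        elif seen is not None and seen not in values:
            findings.append(f"{header}={values[0]} but server sees {field}={seen}")
    return findings


if __name__ == "__main__":
    for label, dump in (("consistent", CONSISTENT_DUMP), ("broken", BROKEN_DUMP)):
        findings = check_forwarding(parse_dump(dump))
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Paste the REQUEST block from the server log in place of the constructed dumps to check a live setup; a clean result with a loop still present points at the cluster/session replication question Rafael raises rather than at the headers.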
From sthorger at redhat.com Fri Feb 3 08:54:02 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 3 Feb 2017 14:54:02 +0100 Subject: [keycloak-user] Keycloak admin-panel. Infinite loop. In-Reply-To: <678320d59224396140c9a63dccacd081@kvak.net> References: <7c25bdddae4206ed569bce718cdc7ff3@kvak.net> <759a9d9082d45f81b821d1a526f9fbd2@kvak.net> <678320d59224396140c9a63dccacd081@kvak.net> Message-ID: If I remember correctly it was something to do with a duplicated header or something. The guy figured it out on his own, so I really can't remember. Sorry. On 3 February 2017 at 10:04, wrote: > Hi, > > Yes the problem is definitely on the proxy setup, but what is the > problem? > I am not so familiar with the jboss/wildfly (tomcat is usually my weapon > of choice). So I am not sure what I am missing. > > And yes, if I create ssh tunnel to the KC server I can login and > everything is working just like I expected. > > I tried the search before I posted the question, because I didn't find > the answer. > > If the httpd and KC are on same server everything works. That was my > previous setup, but now I want to dedicate one server just for reverse > proxy role. > > -Keijo > > On 2017-02-03 10:32, Stian Thorgersen wrote: > > Is everything working fine if you go directly to the Keycloak server? > > Someone reported a similar issue a few weeks ago and it turned out to > > be an issue in the proxy setup. I can't remember the details, but > > maybe you can find it on http://www.keycloak.org/search.html > > > > On 2 February 2017 at 18:04, wrote: > > > >> Hi, > >> > >> Setup: > >> OS: Centos 6.8 > >> Keycloak version, 2.5.1-FINAL > >> httpd version 2.2.15 > >> > >> I have configured httpd as a SSL off loading reverse proxy for > >> Keycloak > >> server. The proxy and the Keycloak are on different servers. > >> Basically everything works fine, but I can't log in because I am > >> been > >> redirected back to the square one all the time. 
> >> > >> Here is the flow: > >> > >> GET https://idp.xxx.net/auth/admin/ [1] > >> > >> GET > >> > > https://idp.xxx.net/auth/realms/master/protocol/openid- > connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F% > 2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state= > eeb29809-a4aa-458b-8530-645729ce42e5&nonce=fe92d57a- > ff26-4213-8907-d86febde7b92&response_mode=fragment& > response_type=code&scope=openid > >> [2] > >> > >> POST > >> > > https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code= > zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca- > 4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6 > >> [3] > >> > >> GET > >> > > https://idp.xxx.net/auth/admin/master/console/#state= > eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_ > UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946 > >> [4] > >> > >> GET lots of resources: /config, login-status-iframe.html, /token, > >> /messages.json and so on > >> > >> GET > >> > > https://idp.xxx.net/auth/realms/master/protocol/openid- > connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F% > 2Fidp.xxx.net%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F% > 3Fredirect_fragment%3D%252F&state=3ad5cb6c-8285-4d6c-80e4- > b2dbb6320a47&nonce=4284a896-6694-4af8-9c91-71e4050455a2& > response_mode=fragment&response_type=code&scope=openid > >> [5] > >> > >> and the same thing from the start. Forever. 
> >> > >> httpd configuration for SSL: > >> > >> ***** > >> > >> ServerName idp.xxx.net [6] > >> ServerAdmin webmaster at xxx.net > >> DocumentRoot /var/www/html/ > >> > >> Order deny,allow > >> Allow from all > >> Options FollowSymLinks > >> AllowOverride None > >> > >> > >> Order deny,allow > >> Allow from all > >> > >> ProxyRequests Off > >> RequestHeader set X-Forwarded-Proto "https" > >> RequestHeader set X-Forwarded-Port "443" > >> ProxyPreserveHost on > >> ProxyPass / http://172.16.22.12:8080/ keepalive=On > >> ProxyPassReverse / http://172.16.22.12:8080/ > >> + lots of cipher suite setting and so on. > >> ***** > >> > >> WildFly configuration: > >> > >> ***** > >> > >> >> proxy-address-forwarding="true" socket-binding="http" > >> redirect-socket="proxy-https"/> > >> > >> > >> > >> > >> > >> > >> > >> .... > >> > >> >> default-interface="any" > >> port-offset="${jboss.socket.binding.port-offset:0}"> > >> >> interface="management" > >> port="${jboss.management.http.port:9990}"/> > >> >> interface="management" > >> port="${jboss.management.https.port:9993}"/> > >> > >> >> port="${jboss.http.port:8080}"/> > >> > >> >> port="${jboss.https.port:8443}"/> > >> >> port="4712"/> > >> > >> > >> > >> > >> > >> > >> ***** > >> > >> Does someone has some kind of clue why I am been redirected? > >> First I think that this was some kind of http/https redirect > >> problem, > >> but when I enabled requestdumper @ wildfly I can see that everything > >> is > >> HTTPS. 
> >> > >> ***** > >> > >> ----------------------------REQUEST--------------------------- > >> URI=/ > >> characterEncoding=null > >> contentLength=-1 > >> contentType=null > >> > >> > > header=Accept=text/html,application/xhtml+xml, > application/xml;q=0.9,*/*;q=0.8 > >> header=Accept-Language=en-US,en;q=0.5 > >> header=Accept-Encoding=gzip, deflate, br > >> header=X-Forwarded-Server=idp.xxx.net [6] > >> header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS > >> X > >> 10.11; rv:51.0) Gecko/20100101 Firefox/51.0 > >> header=Connection=Keep-Alive > >> header=X-Forwarded-Proto=https > >> header=X-Forwarded-Port=443 > >> header=X-Forwarded-For=88.12.13.14 > >> header=Upgrade-Insecure-Requests=1 > >> header=Host=idp.xxx.net [6] > >> header=X-Forwarded-Host=idp.xxx.net [6] > >> locale=[en_US, en] > >> method=GET > >> protocol=HTTP/1.1 > >> queryString= > >> remoteAddr=88.12.13.14:0 [7] > >> remoteHost=88.12.13.14 > >> scheme=https > >> host=idp.xxx.net [6] > >> serverPort=443 > >> ***** > >> > >> -Keijo > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user [8] > > > > > > > > Links: > > ------ > > [1] https://idp.xxx.net/auth/admin/ > > [2] > > https://idp.xxx.net/auth/realms/master/protocol/openid- > connect/auth?client_id=security-admin-console& > redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin% > 2Fmaster%2Fconsole%2F&state=eeb29809-a4aa-458b-8530- > 645729ce42e5&nonce=fe92d57a-ff26-4213-8907-d86febde7b92&response_ > mode=fragment&response_type=code&scope=openid > > [3] > > https://idp.xxx.net/auth/realms/master/login-actions/authenticate?code= > zH8Olb6siunn95aH89zRIPLJTgp3Dh46fo6FxdK9v64.1f4f0836-a5ca- > 4dff-8f64-ac9bf461f946&execution=8d4a9760-42aa-4c9b-9419-a33944b88fd6 > > [4] > > https://idp.xxx.net/auth/admin/master/console/#state= > eeb29809-a4aa-458b-8530-645729ce42e5&code=6dHrd5I_USezn0sz4gIS_ > 
UBq86fs5QDgiWK8FA8NX5c.1f4f0836-a5ca-4dff-8f64-ac9bf461f946 > > [5] > > https://idp.xxx.net/auth/realms/master/protocol/openid- > connect/auth?client_id=security-admin-console& > redirect_uri=https%3A%2F%2Fidp.xxx.net%2Fauth%2Fadmin% > 2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252F& > amp;state=3ad5cb6c-8285-4d6c-80e4-b2dbb6320a47&nonce= > 4284a896-6694-4af8-9c91-71e4050455a2&response_ > mode=fragment&response_type=code&scope=openid > > [6] http://idp.xxx.net > > [7] http://88.12.13.14:0 > > [8] https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Feb 3 08:55:46 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 3 Feb 2017 14:55:46 +0100 Subject: [keycloak-user] Email Templates In-Reply-To: References: Message-ID: If I remember correctly the admin endpoints simply send a generic you've been instructed to update your account mail rather than a specific mail. For verify email you should rather enable the verify email option in the realm, or add the action to the user. The user will then be required to verify the email during the next login. On 30 January 2017 at 16:56, Serhii Morunov wrote: > Hello. I meet some issue with using keycloack Admin API and client. When im > trying to send email-verification email via /send-verify-email i recieving > template for "Update user account". Is it known issue or i doing something > wrong? Im trying with Keycloak 2.5.1.Final server version. 
> Best Regards,
> Serhii
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Fri Feb 3 11:43:25 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 3 Feb 2017 14:43:25 -0200
Subject: [keycloak-user] Scopes auto complete on Resources gets only limited records.
In-Reply-To:
References:
Message-ID:

Hey Ushanas,

I think the limit is 20. Isn't refining your term an option to find the scope you want to select?

Regards.
Pedro Igor

On Fri, Feb 3, 2017 at 11:47 AM, Ushanas Shastri wrote:
> Hello,
>
> In the resources screen, when we add a new resource and want to select some Scopes, the auto complete gets limited records, which look like page-size chunks from the Scopes screen.
>
> If I have say 50 Scopes, all of which have parts of the word Search, then beyond the initial list, the other scopes don't show up.
>
> Regards, Ushanas.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psiroky at redhat.com Fri Feb 3 11:50:01 2017
From: psiroky at redhat.com (Petr Široký)
Date: Fri, 3 Feb 2017 17:50:01 +0100
Subject: [keycloak-user] Logout issue: UT000021: Session already invalidated with EAP7/WF10 adapter
Message-ID: <5c9e386d-79e7-3009-9201-f03de775f5c2@redhat.com>

Hello everyone,

I am having a logout issue when using the EAP7/WF10 adapter (2.5.1.Final) with EAP 7.0.0.GA. The server is RH-SSO 7.0.0.GA (but I also tried the upstream Keycloak 2.5.1.Final).

This is a simplified version of the code (full reproducer here https://github.com/psiroky/servlet-app-keycloak-reproducer):

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        ....
        request.logout();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        ...
    }

The code first calls request.logout() and then session.invalidate(). This works OK when we are _not_ using the Keycloak adapter. However, once we switch to the Keycloak adapter we end up with "java.lang.IllegalStateException: UT000021: Session already invalidated".

I've been debugging the calls and it happens because the request.logout() bubbles down to the Keycloak adapter code, which calls session.invalidate() as well. For some reason (bug in Undertow/EAP?) the request.getSession(false) then returns what seems to be a valid session (the invalidated flag=false). The session.invalidate() call happens again, but the session was in fact already invalidated and thus Undertow throws that IllegalStateException.

Please note that exactly the same code works on EAP 6 (+ EAP6 adapter). The session also gets invalidated as part of logout(), but then the request.getSession(false) returns null, so the second call to invalidate() does not happen (this kind of points to Undertow as the culprit).

I am trying to figure out what the root cause is:
1) Our application should _not_ call both request.logout() and then session.invalidate() (even though it works for EAP6 and also with e.g. basic auth without the Keycloak integration)
2) The Keycloak adapter should not call session.invalidate() as part of request.logout()
3) Undertow does not properly propagate the invalidate() call by the Keycloak adapter.
4) Something completely different?

Thanks,
Petr

From psilva at redhat.com Fri Feb 3 12:26:46 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 3 Feb 2017 15:26:46 -0200
Subject: [keycloak-user] Additional attributes for an authorization request
In-Reply-To:
References:
Message-ID:

Hi Scott,

You can't pass additional attributes along with an authorization request. However, that is something we want to support in future versions.
Right now, the information you get is basically what is in an access token. So whatever you push as a claim (e.g. using mappers) will be available to your policies.

That is an important addition to our API in order to push more context to policies, as you are requesting.

One thing to keep in mind is that we can't blindly trust authorization requests from clients as they can be easily manipulated. What type of client are you using?

Another question: what are you missing in the Evaluation API? Is there anything we can provide OOTB?

Regards.
Pedro Igor

On Thu, Feb 2, 2017 at 2:18 PM, Scott Elliott wrote:
> Would there be any way to pass additional attributes (say, something from a REST API call's headers or body) to an authorization request, and access it in a Javascript or rules based policy? I see that what is available in the Evaluation API currently is pretty limited.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From akash_agrawal at yahoo.co.uk Fri Feb 3 12:50:41 2017
From: akash_agrawal at yahoo.co.uk (akash agrawal)
Date: Fri, 3 Feb 2017 17:50:41 +0000 (UTC)
Subject: [keycloak-user] Getting Access token over REST API
In-Reply-To:
References: <1445092911.665614.1485990047630.ref@mail.yahoo.com> <1445092911.665614.1485990047630@mail.yahoo.com>
Message-ID: <1759261461.469054.1486144241819@mail.yahoo.com>

Thanks for replying Stian.

Our APIs are external APIs and need to provide services including authentication. Users of these APIs/services will be external applications, external vendors' APIs, mobile apps. The authentication needs to happen over the Auth service/APIs as well.

The link you shared has end points. Can they be used to get tokens in a production grade setting? Additionally, why do you say getting tokens over a REST end point is the wrong way?
Thanks.
Akash

From: Stian Thorgersen
To: akash agrawal
Cc: "keycloak-user at lists.jboss.org"
Sent: Friday, February 3, 2017 12:53 AM
Subject: Re: [keycloak-user] Getting Access token over REST API

I would strongly suggest you reconsider and use the Keycloak login as there are many many reasons why that is a better approach. I'm not going to list it again, because I've done that too many times to count. The login page is highly customizable so you can make it look exactly how you like. Any specific reasons why this is not an option?

If you still insist on doing it the "wrong way" then use the OAuth2 resource owner credential grant instead, take a look at https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/oidc-generic.html for more details.

On 2 February 2017 at 00:00, akash agrawal wrote:

Hi,

I am evaluating Keycloak for our Identity management needs. We have a collection of REST APIs which we want to secure using OAuth/OpenIdConnect. I am looking over the Keycloak documentation to determine if a client application can call a REST endpoint (production grade) to get the access token. Are there other alternatives to get an access token? Using the KeyCloak user interface to login and get an access token is not an option.

Appreciate your help.

Thanks.
Akash
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From shmuein+keycloak-dev at gmail.com Fri Feb 3 15:23:28 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Fri, 3 Feb 2017 14:23:28 -0600
Subject: [keycloak-user] Differences between SAML descriptors
Message-ID:

Hi All,

Currently, KeyCloak supports two mechanisms to download SAML metadata. One is using this public URL /auth/realms/{realm}/protocol/saml/descriptor.
The Second option is to download it from the installation tab of the client or using this API /admin/realms/{realm}/clients/ {id}/installation/providers/{providerId} It seems that there are some differences between them. Especially the first option returns you metadata with an extra tag. Such as ......... When we try to upload this metadata (downloaded from the public URL) to PingOne, it doesn't like it (metadata from installation tab works fine). Is there any reason for this? Regards, Muein From scottpelliott at gmail.com Fri Feb 3 15:26:05 2017 From: scottpelliott at gmail.com (Scott Elliott) Date: Fri, 03 Feb 2017 20:26:05 +0000 Subject: [keycloak-user] Additional attributes for an authorization request In-Reply-To: References: Message-ID: The example I've been given is evaluating whether or not a request has permission to make a change to a value by a particular amount. Sounds like an application function, but I don't necessarily want to have to change the application whenever some policy decision needs to be made or changed (like for now, it's based on one value, but in the future, it could be several values). Ideally, I guess, the ability to pass additional data (say, JSON) with the request that the Evaluation API could access, so it would be up to the caller and policy to decide what's needed to grant the request. OOTB, I'm not sure. It confused me for a while why the URI was in the resource configuration, when you couldn't pass a URI for Authorization, but I've since figured out that the URI is used in the OIDC adapter to select the resource, not in the server. That's one of the items that was expected to be available in the Evaluation API. I don't know if it really makes sense or not, assuming a general purpose resource mechanism. On Fri, Feb 3, 2017 at 12:26 PM Pedro Igor Silva wrote: > Hi Scott, > > You can't pass additional attributes along with an authorization request. > However, that is something we want to support on future versions. 
> > Right now, the information you get is basically what is in an access > token. So whatever you push as a claim (e.g.: using mappers) it will be > available to your policies. > > That is an important addition to our API in order to push more context to > policies, as you are requesting. > > One thing to keep in mind is that we can't blindly trust authorization > requests from clients are they can be easily manipulated. What type of > client are you using ? > > Another question, what are you missing in the Evaluation API ? Is there > anything we can provide OOTB ? > > Regards. > Pedro Igor > > On Thu, Feb 2, 2017 at 2:18 PM, Scott Elliott > wrote: > > Would therebe any way to pass additional attributes (say, something from a > REST API call's headers or body) to an authorization request, and access it > in a Javascript or rules based policy? I see that what is available in the > Evaluation API currently is pretty limited. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From psilva at redhat.com Fri Feb 3 16:20:52 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 3 Feb 2017 19:20:52 -0200 Subject: [keycloak-user] Additional attributes for an authorization request In-Reply-To: References: Message-ID: On Fri, Feb 3, 2017 at 6:26 PM, Scott Elliott wrote: > The example I've been given is evaluating whether or not a request has > permission to make a change to a value by a particular amount. Sounds like > an application function, but I don't necessarily want to have to change the > application whenever some policy decision needs to be made or changed (like > for now, it's based on one value, but in the future, it could be several > values). 
> Ideally, I guess, the ability to pass additional data (say, JSON) with the request that the Evaluation API could access, so it would be up to the caller and policy to decide what's needed to grant the request.
>

I see. There is a very fragile line between business rules and security policies. For instance, what you want could be achieved with Drools/JBoss BRMS and also by an externalized authorization system like what we are proposing.

What you are asking makes a lot of sense as this is something common for protocols such as XACML. And it will make our policies a lot more "contextualized" as you have control over the data that determine how your policies are evaluated.

Like I said, you still have the option to use protocol mappers to push things into the token and use them in your policies. But "runtime" data like what you mentioned is not something you can do right now. But we'll get there ...

>
> OOTB, I'm not sure. It confused me for a while why the URI was in the resource configuration, when you couldn't pass a URI for Authorization, but I've since figured out that the URI is used in the OIDC adapter to select the resource, not in the server. That's one of the items that was expected to be available in the Evaluation API. I don't know if it really makes sense or not, assuming a general purpose resource mechanism.
>

That is correct. The adapters are using the URI to map a path to a resource. But you can also have resources without a URI and still map them with paths in your application within the "policy-enforcer" in keycloak.json. For instance, you may define that "Resource A" (name) is associated with path "/some/path/to/access".

You are still able to obtain the resource (and related data) from policies. It should be possible to obtain the URI too. From the evaluation object you can obtain a resource permission and then the resource (and/or scopes) being requested.

In the future we want to support resource attributes.
I think that would also help to cover more use cases. For instance, considering your use case where you need to authorize access based on a dynamic attribute. We may have an "amount" attribute on the resource and a general permission associated with this resource that tells that only the owner is allowed to access. When you receive permissions for the resource you could also get the attributes associated with it and then perform local checks in your application (probably using the AuthorizationContext). In this case, if you change the "amount" on the KC server you won't need to change your application.

Just an idea.

>
> On Fri, Feb 3, 2017 at 12:26 PM Pedro Igor Silva wrote:
>
>> Hi Scott,
>>
>> You can't pass additional attributes along with an authorization request. However, that is something we want to support in future versions.
>>
>> Right now, the information you get is basically what is in an access token. So whatever you push as a claim (e.g. using mappers) will be available to your policies.
>>
>> That is an important addition to our API in order to push more context to policies, as you are requesting.
>>
>> One thing to keep in mind is that we can't blindly trust authorization requests from clients as they can be easily manipulated. What type of client are you using?
>>
>> Another question: what are you missing in the Evaluation API? Is there anything we can provide OOTB?
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Feb 2, 2017 at 2:18 PM, Scott Elliott wrote:
>>
>> Would there be any way to pass additional attributes (say, something from a REST API call's headers or body) to an authorization request, and access it in a Javascript or rules based policy? I see that what is available in the Evaluation API currently is pretty limited.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From lists at merit.unu.edu Fri Feb 3 16:24:36 2017
From: lists at merit.unu.edu (mj)
Date: Fri, 3 Feb 2017 22:24:36 +0100
Subject: [keycloak-user] Differences between SAML descriptors
In-Reply-To: References: Message-ID:

Hi,

On 02/03/2017 09:23 PM, Muein Muzamil wrote:
> When we try to upload this metadata (downloaded from the public URL) to PingOne, it doesn't like it (metadata from installation tab works fine). Is there any reason for this?

Just to say: we too. We don't know PingOne, but for a SAML SP we are using, only the client-specific metadata file from the installation tab works.

Took quite a while to notice that...

Have a nice weekend,
MJ

From shmuein+keycloak-dev at gmail.com Fri Feb 3 17:58:13 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Fri, 3 Feb 2017 16:58:13 -0600
Subject: [keycloak-user] Differences between SAML descriptors
In-Reply-To: References: Message-ID:

You are right that we can use client-specific metadata, but the issue is that to be able to download the client-tailored metadata, you first need to create a client in Keycloak to generate this. In some cases, SPs directly allow you to import IdP metadata. So we have to use the generic metadata in that case.

Regards,
Muein

On Fri, Feb 3, 2017 at 3:24 PM, mj wrote:
> Hi,
>
> On 02/03/2017 09:23 PM, Muein Muzamil wrote:
>> When we try to upload this metadata (downloaded from the public URL) to PingOne, it doesn't like it (metadata from installation tab works fine). Is there any reason for this?
>
> Just to say: we too. We don't know PingOne, but for a SAML SP we are using, only the client-specific metadata file from the installation tab works.
>
> Took quite a while to notice that...
> Have a nice weekend,
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Fri Feb 3 18:10:28 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 3 Feb 2017 18:10:28 -0500
Subject: [keycloak-user] Logout issue: UT000021: Session already invalidated with EAP7/WF10 adapter
In-Reply-To: <5c9e386d-79e7-3009-9201-f03de775f5c2@redhat.com>
References: <5c9e386d-79e7-3009-9201-f03de775f5c2@redhat.com>
Message-ID:

Log a jira. We should probably just wrap session.invalidate() to make sure no exception percolates up.

On 2/3/17 11:50 AM, Petr Široký wrote:
> Hello everyone,
>
> I am having a logout issue when using the EAP7/WF10 adapter (2.5.1.Final) with EAP 7.0.0.GA. The server is RH-SSO 7.0.0.GA (but I also tried the upstream Keycloak 2.5.1.Final).
>
> This is a simplified version of the code (full reproducer here https://github.com/psiroky/servlet-app-keycloak-reproducer):
>
> public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
>     ....
>     request.logout();
>     HttpSession session = request.getSession(false);
>     if (session != null) {
>         session.invalidate();
>     }
>     ...
> }
>
> The code first calls request.logout() and then session.invalidate(). This works OK when we are _not_ using the Keycloak adapter. However, once we switch to the Keycloak adapter we end up with "java.lang.IllegalStateException: UT000021: Session already invalidated". I've been debugging the calls and it happens because the request.logout() bubbles down to the Keycloak adapter code which calls session.invalidate() as well. For some reason (bug in Undertow/EAP?) the request.getSession(false) then returns what seems to be a valid session (the invalidated flag=false).
> The session.invalidate() call happens again, but the session was in fact already invalidated and thus Undertow throws that IllegalStateException.
>
> Please note that exactly the same code works on EAP 6 (+ EAP6 adapter). The session also gets invalidated as part of logout(), but then the request.getSession(false) returns null, so the second call to invalidate() does not happen (this kind of points to Undertow as the culprit).
>
> I am trying to figure out what the root cause is:
>
> 1) Our application should _not_ call both request.logout() and then session.invalidate() (even though it works for EAP6 and also with e.g. basic auth without the Keycloak integration)
>
> 2) Keycloak adapter should not call session.invalidate() as part of request.logout()
>
> 3) Undertow does not properly propagate the invalidate() call by the Keycloak adapter.
>
> 4) Something completely different?
>
> Thanks,
> Petr
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psiroky at redhat.com Sat Feb 4 11:31:36 2017
From: psiroky at redhat.com (Petr Široký)
Date: Sat, 4 Feb 2017 17:31:36 +0100
Subject: [keycloak-user] Logout issue: UT000021: Session already invalidated with EAP7/WF10 adapter
In-Reply-To: References: <5c9e386d-79e7-3009-9201-f03de775f5c2@redhat.com>
Message-ID: <7d6a7353-bed9-ebc5-0764-ac176901998f@redhat.com>

The exception does not come from the Keycloak adapter code (which does the first session.invalidate()), but rather from our code which calls the session.invalidate() again (after calling the request.logout()). I am not saying this is necessarily a bug in Keycloak (calling session.invalidate() as part of request.logout()); I am just trying to figure out where the issue is.

On 02/04/2017 12:10 AM, Bill Burke wrote:
> Log a jira.
> We should probably just wrap session.invalidate() to make sure no exception percolates up.
>
> On 2/3/17 11:50 AM, Petr Široký wrote:
>> Hello everyone,
>>
>> I am having a logout issue when using the EAP7/WF10 adapter (2.5.1.Final) with EAP 7.0.0.GA. The server is RH-SSO 7.0.0.GA (but I also tried the upstream Keycloak 2.5.1.Final).
>>
>> This is a simplified version of the code (full reproducer here https://github.com/psiroky/servlet-app-keycloak-reproducer):
>>
>> public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
>>     ....
>>     request.logout();
>>     HttpSession session = request.getSession(false);
>>     if (session != null) {
>>         session.invalidate();
>>     }
>>     ...
>> }
>>
>> The code first calls request.logout() and then session.invalidate(). This works OK when we are _not_ using the Keycloak adapter. However, once we switch to the Keycloak adapter we end up with "java.lang.IllegalStateException: UT000021: Session already invalidated". I've been debugging the calls and it happens because the request.logout() bubbles down to the Keycloak adapter code which calls session.invalidate() as well. For some reason (bug in Undertow/EAP?) the request.getSession(false) then returns what seems to be a valid session (the invalidated flag=false). The session.invalidate() call happens again, but the session was in fact already invalidated and thus Undertow throws that IllegalStateException.
>>
>> Please note that exactly the same code works on EAP 6 (+ EAP6 adapter). The session also gets invalidated as part of logout(), but then the request.getSession(false) returns null, so the second call to invalidate() does not happen (this kind of points to Undertow as the culprit).
>>
>> I am trying to figure out what the root cause is:
>>
>> 1) Our application should _not_ call both request.logout() and then session.invalidate() (even though it works for EAP6 and also with e.g. basic auth without the Keycloak integration)
>>
>> 2) Keycloak adapter should not call session.invalidate() as part of request.logout()
>>
>> 3) Undertow does not properly propagate the invalidate() call by the Keycloak adapter.
>>
>> 4) Something completely different?
>>
>> Thanks,
>> Petr
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jdennis at redhat.com Sat Feb 4 11:41:40 2017
From: jdennis at redhat.com (John Dennis)
Date: Sat, 4 Feb 2017 11:41:40 -0500
Subject: [keycloak-user] Differences between SAML descriptors
In-Reply-To: References:
Message-ID: <8ed4103a-444e-b8d8-3d03-7f4f863f6e1a@redhat.com>

On 02/03/2017 03:23 PM, Muein Muzamil wrote:
> Hi All,
>
> Currently, KeyCloak supports two mechanisms to download SAML metadata.
>
> One is using this public URL /auth/realms/{realm}/protocol/saml/descriptor.
> The second option is to download it from the installation tab of the client or using this API /admin/realms/{realm}/clients/{id}/installation/providers/{providerId}
>
> It seems that there are some differences between them. Especially the first option returns you metadata with an extra tag. Such as
>
> xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>
> .........
>

If the SP is unable to parse SP metadata containing an EntitiesDescriptor in addition to an EntityDescriptor then the SP is at fault.
All the EntitiesDescriptor is, is a container for multiple EntityDescriptor elements; it is perfectly permissible to have a container contain only 1 element just as it's acceptable to omit the container and have a bare element.

If your SP cannot parse a metadata file containing an EntitiesDescriptor tag it's easy to strip it off the xml with a text editor.

Irrespective of the SP's ability to parse metadata containing an EntitiesDescriptor element is the requirement stated in Section 4.1.1 of the SAML Metadata spec which requires metadata published at the IdP's well known location for metadata retrieval to contain *only* an EntityDescriptor as the root element. Since /auth/realms/{realm}/protocol/saml/descriptor is as close as Keycloak gets to a published well known location for IdP metadata retrieval the use of an EntitiesDescriptor violates the SAML spec. I don't believe there is a JIRA filed for this yet. However, I emphasize this is independent of the SP's ability to parse the IdP metadata because it does not know where the IdP metadata originated from. It should iterate over all the EntityDescriptors looking for an IDPSSODescriptor and then if it wants to confirm exactly one was found (or it could just load all of them, depends on the SP).

> When we try to upload this metadata (downloaded from the public URL) to PingOne, it doesn't like it (metadata from installation tab works fine).

There are other inconsistencies in the IdP metadata depending on how it's retrieved from Keycloak aside from the EntitiesDescriptor tag. The inconsistent IdP metadata is a known problem and has been reported in this JIRA:

https://issues.jboss.org/browse/KEYCLOAK-3373

> Is there any reason for this?

Any reason for the inconsistencies, no.
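An added example (editor's code, not from this thread and not part of Keycloak) of the SP-side handling described above: accept either an EntityDescriptor or an EntitiesDescriptor root, iterate every EntityDescriptor looking for an IDPSSODescriptor, and list the SingleSignOnService bindings each IdP advertises, which is also where the realm-wide descriptor and the per-client installation-tab descriptor would visibly differ. The entityID and URLs in the sample are constructed placeholders; the parser is configured with DTDs and external entities disabled because metadata is typically fetched over the network.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example, not Keycloak code: an SP-side loader that tolerates both metadata root elements. */
public class SamlIdpMetadataLoader {
    static final String MD = "urn:oasis:names:tc:SAML:2.0:metadata";

    /** One IdP found in the metadata: its entityID and the SingleSignOnService bindings it advertises. */
    public static final class Idp {
        public final String entityId;
        public final List<String> ssoBindings = new ArrayList<>();
        Idp(String entityId) { this.entityId = entityId; }
    }

    /** Metadata usually comes off the wire, so parse it with DTDs and external entities disabled. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns every IdP in the document, whether the root is EntityDescriptor or EntitiesDescriptor. */
    public static List<Idp> findIdps(String metadataXml) throws Exception {
        Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(metadataXml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        if (!MD.equals(root.getNamespaceURI())) {
            throw new IllegalArgumentException("not SAML 2.0 metadata: " + root.getTagName());
        }
        List<Element> entities = new ArrayList<>();
        if ("EntityDescriptor".equals(root.getLocalName())) {
            entities.add(root);                                  // bare descriptor (installation tab)
        } else if ("EntitiesDescriptor".equals(root.getLocalName())) {
            // Container (realm descriptor URL); descendant search also covers nested containers.
            NodeList nl = root.getElementsByTagNameNS(MD, "EntityDescriptor");
            for (int i = 0; i < nl.getLength(); i++) entities.add((Element) nl.item(i));
        } else {
            throw new IllegalArgumentException("unexpected root element: " + root.getLocalName());
        }
        List<Idp> idps = new ArrayList<>();
        for (Element entity : entities) {
            NodeList roles = entity.getElementsByTagNameNS(MD, "IDPSSODescriptor");
            if (roles.getLength() == 0) continue;                // SP-only entity, skip it
            Idp idp = new Idp(entity.getAttribute("entityID"));
            NodeList sso = ((Element) roles.item(0)).getElementsByTagNameNS(MD, "SingleSignOnService");
            for (int i = 0; i < sso.getLength(); i++) {
                idp.ssoBindings.add(((Element) sso.item(i)).getAttribute("Binding"));
            }
            idps.add(idp);
        }
        return idps;
    }

    /** What an SP that expects exactly one IdP should do instead of rejecting the container outright. */
    public static Idp requireSingleIdp(String metadataXml) throws Exception {
        List<Idp> idps = findIdps(metadataXml);
        if (idps.size() != 1) {
            throw new IllegalStateException("expected exactly one IDPSSODescriptor, found " + idps.size());
        }
        return idps.get(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; the entityID and locations are placeholders, not a real realm.
        String entity = "<EntityDescriptor xmlns=\"" + MD + "\" entityID=\"https://idp.example/auth/realms/demo\">"
                + "<IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
                + "<SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\""
                + " Location=\"https://idp.example/auth/realms/demo/protocol/saml\"/>"
                + "<SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\""
                + " Location=\"https://idp.example/auth/realms/demo/protocol/saml\"/>"
                + "</IDPSSODescriptor></EntityDescriptor>";
        // The same entity wrapped in the container that the realm-wide descriptor URL produces.
        String wrapped = "<EntitiesDescriptor xmlns=\"" + MD + "\">" + entity + "</EntitiesDescriptor>";

        for (String xml : new String[] { entity, wrapped }) {
            Idp idp = requireSingleIdp(xml);                     // both forms yield the same single IdP
            System.out.println(idp.entityId + " -> " + idp.ssoBindings);
        }
    }
}
```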
--
John

From bburke at redhat.com Sat Feb 4 14:21:36 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 4 Feb 2017 14:21:36 -0500
Subject: [keycloak-user] Differences between SAML descriptors
In-Reply-To: <8ed4103a-444e-b8d8-3d03-7f4f863f6e1a@redhat.com>
References: <8ed4103a-444e-b8d8-3d03-7f4f863f6e1a@redhat.com>
Message-ID:

On 2/4/17 11:41 AM, John Dennis wrote:
> On 02/03/2017 03:23 PM, Muein Muzamil wrote:
>> Hi All,
>>
>> Currently, KeyCloak supports two mechanisms to download SAML metadata.
>>
>> One is using this public URL /auth/realms/{realm}/protocol/saml/descriptor.
>> The second option is to download it from the installation tab of the client or using this API /admin/realms/{realm}/clients/{id}/installation/providers/{providerId}
>>
>> It seems that there are some differences between them. Especially the first option returns you metadata with an extra tag. Such as
>>
>> xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>>
>> .........
>>
> If the SP is unable to parse SP metadata containing an EntitiesDescriptor in addition to an EntityDescriptor then the SP is at fault. All the EntitiesDescriptor is, is a container for multiple EntityDescriptor elements; it is perfectly permissible to have a container contain only 1 element just as it's acceptable to omit the container and have a bare element.
>
> If your SP cannot parse a metadata file containing an EntitiesDescriptor tag it's easy to strip it off the xml with a text editor.
>
> Irrespective of the SP's ability to parse metadata containing an EntitiesDescriptor element is the requirement stated in Section 4.1.1 of the SAML Metadata spec which requires metadata published at the IdP's well known location for metadata retrieval to contain *only* an EntityDescriptor as the root element.
> Since /auth/realms/{realm}/protocol/saml/descriptor is as close as Keycloak gets to a published well known location for IdP metadata retrieval the use of an EntitiesDescriptor violates the SAML spec. I don't believe there is a JIRA filed for this yet. However, I emphasize this is independent of the SP's ability to parse the IdP metadata because it does not know where the IdP metadata originated from. It should iterate over all the EntityDescriptors looking for an IDPSSODescriptor and then if it wants to confirm exactly one was found (or it could just load all of them, depends on the SP).
>
>> When we try to upload this metadata (downloaded from the public URL) to PingOne, it doesn't like it (metadata from installation tab works fine).
> There are other inconsistencies in the IdP metadata depending on how it's retrieved from Keycloak aside from the EntitiesDescriptor tag. The inconsistent IdP metadata is a known problem and has been reported in this JIRA:
>
> https://issues.jboss.org/browse/KEYCLOAK-3373
>
>> Is there any reason for this?
> Any reason for the inconsistencies, no.
>

There is a reason... They are different because the published global one is all possible bindings and formats the IDP supports. The one generated in the "Installation" tab is based on how the client was configured and thus may not contain things like redirect bindings. Basically, it's how the IDP wants the SP to communicate with it.

Cheers,
Bill

From ushanas at gmail.com Sun Feb 5 00:54:41 2017
From: ushanas at gmail.com (Ushanas Shastri)
Date: Sun, 5 Feb 2017 11:24:41 +0530
Subject: [keycloak-user] Scopes auto complete on Resources gets only limited records.
In-Reply-To: References: Message-ID:

Hello Pedro,

Yes, right now, I'm asking the team to do this, have terms such that they are more unique. We had more than 20 that met the same search criteria. I think it would be better to allow a search that got 20 results, but allow a "next 20" request.
Regards, Ushanas.

On 3 February 2017 at 22:13, Pedro Igor Silva wrote:
> Hey Ushanas,
>
> I think the limit is 20. Isn't refining your term an option to find the scope you want to select?
>
> Regards.
> Pedro Igor
>
> On Fri, Feb 3, 2017 at 11:47 AM, Ushanas Shastri wrote:
>
>> Hello,
>>
>> In the resources screen, when we add a new resource, and want to select some Scopes, the auto complete gets limited records, which look like page size chunks from the Scopes screen.
>>
>> If I have say 50 Scopes, all of which have parts of the word Search, then beyond the initial list, the other scopes don't show up.
>>
>> Regards, Ushanas.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From rodel.talampas at helixleisure.com Mon Feb 6 02:33:34 2017
From: rodel.talampas at helixleisure.com (Rodel Talampas)
Date: Mon, 6 Feb 2017 07:33:34 +0000
Subject: [keycloak-user] Group / Subgroup Creation in Java
Message-ID:

Hi All,

Need help on the following scenario.

Been doing some POC for our keycloak user management project and having problems passing my unit test as when I create 3 level subgroups, my Keycloak Server hangs.
Sample JUnit test code:
======================================================
createSubGroups(keycloak, "REALM1", CASHIER_GROUP, "CLIENT_1");
createSubGroups(keycloak, "REALM1", DUTY_MANAGER_GROUP, "CLIENT_1");
createSubGroups(keycloak, "REALM1", DUTY_MANAGER_GROUP, "CLIENT_2");
createSubGroups(keycloak, "REALM1", CASHIER_GROUP, "CLIENT_2");
====================================
private static void createSubGroups(Keycloak keycloak, String realmName, String groupName, String realmClient) {
    GroupRepresentation parentSub = null;
    boolean found = false;
    for (GroupRepresentation group : keycloak.realm(realmName).groups().groups()) {
        for (GroupRepresentation sub : group.getSubGroups()) {
            if (sub.getName().equals(groupName)) {
                parentSub = sub;
                found = true;
                break;
            }
        }
        if (found) break;
    }

    GroupResource parentSubResource = keycloak.realm(realmName).groups().group(parentSub.getId());
    GroupRepresentation subGroup1 = new GroupRepresentation();
    subGroup1.setName(groupName + "-" + realmClient);
    subGroup1.setPath("/Group_1/" + groupName);
    parentSubResource.subGroup(subGroup1);
}
========== Target Output Below ======
Groups
  Group_1
    DUTY_MANAGER
      DUTY_MANAGER_Client_1
      DUTY_MANAGER_Client_2
    CASHIER
      CASHIER_Client_1
      CASHIER_Client_2
=================================

My code will only work properly for the first 2 calls of the method. On the 3rd call, it will somehow hang on the loop. I am not able to debug nor step through in JUnit.

It will only produce the following:
Groups
  Group_1
    DUTY_MANAGER
      DUTY_MANAGER_Client_1
    CASHIER
      CASHIER_Client_1

I also tried, instead of using a loop, to use getGroupByPath from the realmResource, but still the same issue. The only thing left for me is to call the RESTful service directly from my code.

Any suggestions will be very much appreciated.
Thanks
Rodel

From sthorger at redhat.com Mon Feb 6 02:37:27 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 6 Feb 2017 08:37:27 +0100
Subject: [keycloak-user] Getting Access token over REST API
In-Reply-To: <1759261461.469054.1486144241819@mail.yahoo.com>
References: <1445092911.665614.1485990047630.ref@mail.yahoo.com> <1445092911.665614.1485990047630@mail.yahoo.com> <1759261461.469054.1486144241819@mail.yahoo.com>
Message-ID:

On 3 February 2017 at 18:50, akash agrawal wrote:
> Thanks for replying Stian. Our APIs are external APIs and need to provide services including authentication. Users of these APIs/services will be external applications, external vendors APIs, mobile apps. The authentication needs to happen over Auth service/APIs as well.

External applications and external vendors should use a service account and client credentials grant. Mobile apps should use the authorization code flow with the login screen.

> The link you shared has end points. Can they be used to get tokens in a production grade setting?

Of course, we don't have endpoints that are not aimed at production deployments.

> Additionally, why do you say getting tokens over a REST end point is the wrong way?

Getting tokens over REST endpoints for regular users is not the right way for many reasons. It's not SSO, less secure, exposes authentication details as well as credentials to the applications, etc, etc..

> Thanks.
> Akash
>
> ------------------------------
> *From:* Stian Thorgersen
> *To:* akash agrawal
> *Cc:* "keycloak-user at lists.jboss.org"
> *Sent:* Friday, February 3, 2017 12:53 AM
> *Subject:* Re: [keycloak-user] Getting Access token over REST API
>
> I would strongly suggest you reconsider and use the Keycloak login as there are many many reasons why that is a better approach. I'm not going to list them again, because I've done that too many times to count. The login page is highly customizable so you can make it look exactly how you like.
> Any specific reasons why this is not an option?
>
> If you still insist on doing it the "wrong way" then use the OAuth2 resource owner credential grant instead, take a look at https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/oidc-generic.html for more details.
>
> On 2 February 2017 at 00:00, akash agrawal wrote:
>
> Hi,
> I am evaluating Keycloak for our Identity management needs. We have a collection of REST APIs which we want to secure using OAuth/OpenIdConnect. I am looking over Keycloak documentation to determine if a client application can call a REST endpoint (production grade) to get the access token. Are there other alternatives to get access token? Using KeyCloak user interface to login and get an access token is not an option. Appreciate your help. Thanks.
> Akash
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Mon Feb 6 02:39:32 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 6 Feb 2017 08:39:32 +0100
Subject: [keycloak-user] Group / Subgroup Creation in Java
In-Reply-To: References: Message-ID:

Most create methods in the admin java lib will return a result object. You need to call close on this to release the underlying http connection. This could be the cause.

On 6 February 2017 at 08:33, Rodel Talampas wrote:
> Hi All,
>
> Need help on the following scenario.
>
> Been doing some POC for our keycloak user management project and having problems passing my unit test as when I create 3 level subgroups, my Keycloak Server hangs.
> > Sample Junit Test code: > ====================================================== > createSubGroups( > keycloak, "REALM1", CASHIER_GROUP, > "CLIENT_1"); > > createSubGroups( > keycloak, "REALM1", DUTY_MANAGER_GROUP, > "CLIENT_1"); > > createSubGroups( > keycloak, "REALM1", DUTY_MANAGER_GROUP, > "CLIENT_2"); > > createSubGroups( > keycloak, "REALM1", CASHIER_GROUP, > "CLIENT_2"); > > ==================================== > private static void createSubGroups(Keycloak keycloak, String realmName, > String groupName, > String realmClient){ > > GroupRepresentation parentSub = null; > boolean found = false; > for (GroupRepresentation group: keycloak.realm(realmName). > groups().groups()){ > for (GroupRepresentation sub: > group.getSubGroups()){ > if (sub.getName().equals(groupName)) > { > parentSub = sub; > found = true; > break; > } > } > if (found) break; > } > > GroupResource parentSubResource = > keycloak.realm(realmName).groups().group(parentSub.getId()); > GroupRepresentation subGroup1 = new GroupRepresentation(); > subGroup1.setName(groupName + "-" + realmClient); > subGroup1.setPath("/Group_1/" + groupName); > parentSubResource.subGroup(subGroup1); > } > > ========== Target Output Below ====== > > Groups > Group_1 > DUTY_MANAGER > DUTY_MANAGER_Client_1 > DUTY_MANAGER_Client_2 > CASHIER > CASHIER_Client_1 > CASHIER_Client_2 > > ================================= > > My code will only work properly for the first 2 calls of the method. On > the 3rd call, it will somehow hang on the loop. > Am not able to debug nor step through in Junit. > > It will only produce the following: > Groups > Group_1 > DUTY_MANAGER > DUTY_MANAGER_Client_1 > CASHIER > CASHIER_Client_1 > > > I also tried of instead using a loop I use the getGroupByPath from the > realmResource but still the same issue. > The only thing left for me is to call the Restful Service directly from my > code. > > Any suggestions will be very much appreciated. 
> > Thanks > Rodel > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From rodel.talampas at helixleisure.com Mon Feb 6 02:45:42 2017 From: rodel.talampas at helixleisure.com (Rodel Talampas) Date: Mon, 6 Feb 2017 07:45:42 +0000 Subject: [keycloak-user] Group / Subgroup Creation in Java In-Reply-To: References: Message-ID: Thanks Stian ? We are new to keycloak and this solves the problem ? From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Monday, February 6, 2017 3:40 PM To: Rodel Talampas Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Group / Subgroup Creation in Java Most create methods in the admin java lib will return a result object. You need to call close on this to release the underlying http connection. This could be the cause. On 6 February 2017 at 08:33, Rodel Talampas > wrote: Hi All, Need help on the following scenario. Been doing some POC for our keycloak user management project and having problems passing my unit test as when I create 3 level subgroups, my Keycloak Server hangs. 
Sample Junit Test code: ====================================================== createSubGroups( keycloak, "REALM1", CASHIER_GROUP, "CLIENT_1"); createSubGroups( keycloak, "REALM1", DUTY_MANAGER_GROUP, "CLIENT_1"); createSubGroups( keycloak, "REALM1", DUTY_MANAGER_GROUP, "CLIENT_2"); createSubGroups( keycloak, "REALM1", CASHIER_GROUP, "CLIENT_2"); ==================================== private static void createSubGroups(Keycloak keycloak, String realmName, String groupName, String realmClient){ GroupRepresentation parentSub = null; boolean found = false; for (GroupRepresentation group: keycloak.realm(realmName).groups().groups()){ for (GroupRepresentation sub: group.getSubGroups()){ if (sub.getName().equals(groupName)) { parentSub = sub; found = true; break; } } if (found) break; } GroupResource parentSubResource = keycloak.realm(realmName).groups().group(parentSub.getId()); GroupRepresentation subGroup1 = new GroupRepresentation(); subGroup1.setName(groupName + "-" + realmClient); subGroup1.setPath("/Group_1/" + groupName); parentSubResource.subGroup(subGroup1); } ========== Target Output Below ====== Groups Group_1 DUTY_MANAGER DUTY_MANAGER_Client_1 DUTY_MANAGER_Client_2 CASHIER CASHIER_Client_1 CASHIER_Client_2 ================================= My code will only work properly for the first 2 calls of the method. On the 3rd call, it will somehow hang on the loop. Am not able to debug nor step through in Junit. It will only produce the following: Groups Group_1 DUTY_MANAGER DUTY_MANAGER_Client_1 CASHIER CASHIER_Client_1 I also tried of instead using a loop I use the getGroupByPath from the realmResource but still the same issue. The only thing left for me is to call the Restful Service directly from my code. Any suggestions will be very much appreciated. 
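Rodel's createSubGroups reworked as an added example (editor's code, not the thread's and not part of Keycloak) that applies Stian's advice: the javax.ws.rs.core.Response returned by GroupResource.subGroup() is always closed so the pooled HTTP connection is released, the parent lookup walks the whole tree and fails cleanly when the parent is missing, and the HTTP status is checked instead of assumed. The realm and group names come from the post; reading the new group's id out of the Location header is an assumption.

```java
import java.util.List;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.GroupResource;
import org.keycloak.representations.idm.GroupRepresentation;

/** Added example, not Rodel's code and not Keycloak's: sub-group creation without the connection leak. */
public class SubGroupCreator {

    /** Depth-first search for a group by name anywhere in the tree returned by groups().groups(). */
    static GroupRepresentation findByName(List<GroupRepresentation> groups, String name) {
        if (groups == null) return null;
        for (GroupRepresentation g : groups) {
            if (name.equals(g.getName())) return g;
            GroupRepresentation hit = findByName(g.getSubGroups(), name);
            if (hit != null) return hit;
        }
        return null;
    }

    /**
     * Creates "<groupName>-<realmClient>" below the group called groupName and returns the id of the
     * new group, or null if the server did not send a Location header (assumption: 201 carries one).
     */
    public static String createSubGroup(Keycloak keycloak, String realmName, String groupName, String realmClient) {
        GroupRepresentation parent = findByName(keycloak.realm(realmName).groups().groups(), groupName);
        if (parent == null) {
            // The original code would have thrown a NullPointerException on parentSub.getId() here.
            throw new IllegalStateException("no group named " + groupName + " in realm " + realmName);
        }
        GroupResource parentResource = keycloak.realm(realmName).groups().group(parent.getId());

        GroupRepresentation child = new GroupRepresentation();
        child.setName(groupName + "-" + realmClient);
        // No setPath(): the server derives the path from the parent the child is created under.

        // subGroup() returns a JAX-RS Response that holds a pooled HTTP connection. Leaving it open
        // can leave a later call waiting for a free connection; try/finally guarantees the close.
        Response response = parentResource.subGroup(child);
        try {
            if (response.getStatus() != Response.Status.CREATED.getStatusCode()) {
                throw new IllegalStateException(
                        "creating " + child.getName() + " failed: HTTP " + response.getStatus());
            }
            String location = response.getHeaderString("Location");
            return location == null ? null : location.substring(location.lastIndexOf('/') + 1);
        } finally {
            response.close();
        }
    }

    /** The four calls from the original test, each now releasing its connection before the next one. */
    public static void createAll(Keycloak keycloak) {
        String realm = "REALM1";                                  // values taken from the post
        for (String client : new String[] { "CLIENT_1", "CLIENT_2" }) {
            createSubGroup(keycloak, realm, "CASHIER", client);
            createSubGroup(keycloak, realm, "DUTY_MANAGER", client);
        }
    }
}
```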
Thanks
Rodel
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Mon Feb 6 02:56:17 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 6 Feb 2017 08:56:17 +0100
Subject: [keycloak-user] keycloak.js updateToken does not validate refresh token expiration date
In-Reply-To: <159ef4afb04-4f98-1195c@webprd-m66.mail.aol.com>
References: <159ef4afb04-4f98-1195c@webprd-m66.mail.aol.com>
Message-ID:

As tokens aren't stored I didn't really anticipate that the refresh token would expire as that would mean leaving one tab open for a long time. It would probably be better to have it call onAuthLogout when it does expire. You can create a JIRA request for that. In the meantime you can verify it yourself if updateToken fails and do a login if it's expired.

On 30 January 2017 at 13:13, wrote:
> keycloak.js updateToken does not validate refresh token expiration date
>
> in example https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular2-product-app/src/main/webapp/app/keycloak.service.ts
>
> when i call getToken() method after refresh token expires i get console.info('[KEYCLOAK] Refreshing token: token expired'); from keycloak.js:400 with /auth/realms/InfiniteBirEUmowy/protocol/openid-connect/token 400 (Bad Request) [KEYCLOAK] Failed to refresh token
>
> I need to check if the refresh token has not expired and if it has, call KeycloakService.auth.authz.login();
>
> Why is this refresh token expiration check not handled by updateToken inside keycloak.js updateToken()?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Mon Feb 6 02:58:39 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 6 Feb 2017 08:58:39 +0100
Subject: [keycloak-user] keycloak user store provider and modules logic
In-Reply-To: <0a5bf9e94a9049fa835cdb0448aa2bd9@Taylor.core.klopotek.local>
References: <0a5bf9e94a9049fa835cdb0448aa2bd9@Taylor.core.klopotek.local>
Message-ID:

Try the new deployment approach, check out docs and examples for details, but in summary you add a jboss-deployment-structure.xml for your dependencies or you can also include deps inside the deployment itself and you put it into standalone/deployments. You can also still use the modules approach in 2.5.1. Providers directory doesn't allow having any additional dependencies, so that only works for providers that have no need for additional dependencies.

On 30 January 2017 at 16:35, Giordano, Antonio wrote:
> Hi all,
>
> We are moving from keycloak 1.7 to 2.5.1 and we have some troubles in the deployment of a jar relative to our user storage provider.
>
> In the old version we deploy all jars and properties with jboss modules logic but in the new version there is a specific folder "providers" where we have to deploy our user storage provider.
>
> Unfortunately it seems that our jar can't use resources loaded in the modules section of wildfly (other jars or props) and needs all resources in its package.
>
> My question is: which is the correct way in 2.5.1 to deploy a keycloak provider that uses resources defined in the wildfly classpath via modules logic?
>
> Thanks for your help
>
> agi
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From plunkett_mcgurk at accelerite.com Mon Feb 6 05:47:29 2017
From: plunkett_mcgurk at accelerite.com (Plunkett McGurk)
Date: Mon, 6 Feb 2017 10:47:29 +0000
Subject: [keycloak-user] Angular2 app with non-authenticated pages
Message-ID:

Hi Guys,

In the Angular2 examples code the Keycloak service is initialised before Angular2 is bootstrapped. (https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular2-product-app/src/main/webapp/app/main.ts)

In my Angular2 app I have a landing page which should be non-secured, i.e. I don't need to login to view it. However because Keycloak wraps everything, it first hits the landing page and then redirects the user to login.

So can anyone explain the proper way to do this? It would be great if the examples could be extended to show how keycloak can be integrated with non-secure pages.

Many thanks
Plunkett

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.

From psilva at redhat.com Mon Feb 6 06:01:06 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 6 Feb 2017 09:01:06 -0200
Subject: [keycloak-user] Scopes auto complete on Resources gets only limited records.
In-Reply-To: References: Message-ID:

It seems we have an issue [1] for this already.
[1] https://issues.jboss.org/browse/KEYCLOAK-4372 On Sun, Feb 5, 2017 at 3:54 AM, Ushanas Shastri wrote: > Hello Pedro, > > Yes, right now, I'm asking the team to do this, have terms such that they > are more unique. We had more than 20 that met the same search criteria. I > think it would be better to allow a search that got 20 results, but allow a > "next 20" request. > > Regards, Ushanas. > > On 3 February 2017 at 22:13, Pedro Igor Silva wrote: > >> Hey Ushanas, >> >> I think limit is 20. Isn't refining your term an option to find the scope >> you want to select ? >> >> Regards. >> Pedro Igor >> >> On Fri, Feb 3, 2017 at 11:47 AM, Ushanas Shastri >> wrote: >> >>> Hello, >>> >>> In the resources screen, when we add new resource, and want to select >>> some Scopes, the auto complete gets limited records, which look like >>> page >>> size chunks from the Scopes screen. >>> >>> If I have say 50 Scopes, all of which have parts of the word Search, >>> then >>> beyond the initial list, the other scopes don't show up. >>> >>> Regards, Ushanas. >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From david_delbecq at trimble.com Mon Feb 6 06:01:55 2017 From: david_delbecq at trimble.com (David Delbecq) Date: Mon, 06 Feb 2017 11:01:55 +0000 Subject: [keycloak-user] Client setup recommendation In-Reply-To: References: Message-ID: Could you elaborate on why this is a bad idea? This seems to be dedicated to the kind of request I have, getting a refresh token valid for a long period, while keeping regular client with shorter refresh token. On Fri, Feb 3, 2017 at 9:35 AM Stian Thorgersen wrote: > It's all controlled by the session and there is no way to get tokens that > work for longer. Issuing offline tokens to a web application would be a > really bad idea. If you want users to remain authenticated set the idle to > a higher value.
That's it. > > On 25 January 2017 at 15:09, David Delbecq > wrote: > > Hello, > > we have a javascript web application we are migrating to keycloak. I am not > sure what the recommendations are on setting up configuration for that > client with the following requirement: > > Once user triggers the "login" and gets keycloak authenticated, we should > get a bearer token to use later on REST services. > The user should not be requested again to login, unless he logs out. Even > if he closes his browser. So we need a way to keep or replace token on a > regular basis. Is there some keycloak REST service we can poll on a regular > basis for this? > Sometimes the user goes "off grid" (no network communication) for several > hours. How can we ensure we still keep logged in? > > My first idea was to just increase the SSO timeout and token validity to 30 > days. But it seems like a bad idea from my reading of keycloak > documentation. So I tried to use an offline token instead, but it seems the > implicit flow doesn't allow you to get an offline token. All tokens I get > after login are marked as expiring within 15 minutes. > > What's the recommended way to get long lived refresh token, using implicit > flow?
> > -- > > > > David Delbecq > Software engineer, Transport & Logistics > Geldenaaksebaan 329, 1st floor | 3001 Leuven > > +32 16 391 121 Direct > david.delbecq at trimbletl.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 Direct david.delbecq at trimbletl.com From kevin.berendsen at pharmapartners.nl Mon Feb 6 06:03:11 2017 From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen) Date: Mon, 6 Feb 2017 11:03:11 +0000 Subject: [keycloak-user] Angular2 app with non-authenticated pages Message-ID: <79c79a35deab492da6d7322118f9971a@FERB.ppg.lan> Hi, Our initiation of the Keycloak JS adapter happens after the user tries his first attempt to access an authenticated-only page. We developed a very simple abstract class that will act as our authenticated component and will be extended by all components which require an authenticated user. So our initiation logic is contained by our abstract authenticated component class. This solution only requires a little refactoring in your codebase and some additional code. Tip: remove the reload page logic in the catch clause when you try to initiate the Keycloak JS adapter. You might end up in redirect infinite loops. Kind regards, Kevin Berendsen -----Original message----- Date: Mon, 6 Feb 2017 10:47:29 +0000 From: Plunkett McGurk Subject: [keycloak-user] Angular2 app with non-authenticated pages To: "keycloak-user at lists.jboss.org" Message-ID: Content-Type: text/plain; charset="us-ascii" Hi Guys, In the Angular2 examples code the Keycloak service is initialised before Angular2 is bootstrapped.
(https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular2-product-app/src/main/webapp/app/main.ts) In my Angular2 app I have a landing page which should be non-secured i.e. I don't need to login to view it. However because Keycloak wraps everything, it first hits the landing page and then redirects the user to login. So can anyone explain the proper way to do this? It would be great if the examples could be extended to show how keycloak can be integrated with non-secure pages Many thanks Plunkett ------------------------------ From sthorger at redhat.com Mon Feb 6 06:15:05 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 6 Feb 2017 12:15:05 +0100 Subject: [keycloak-user] Client setup recommendation In-Reply-To: References: Message-ID: Offline tokens should really only be used when it's possible to securely store the token. Web applications and local storage are not the most secure. I would certainly consider carefully what scope you provide in the token to make sure it's not used for sensitive operations. It also means that users would have to logout separately from the web app. It's no longer covered by things like remember me, remote logout, etc. You're providing a permanent "login" to a web app, which then a user has to know to separately logout. Devil is in the details though.
For some web apps it may make sense, but I'd be careful before going down that path. On 6 February 2017 at 12:01, David Delbecq wrote: > Could you elaborate on why this is a bad idea? This seems to be dedicated > to the kind of request I have, getting a refresh token valid for a long > period, while keeping regular client with shorter refresh token. > > > > On Fri, Feb 3, 2017 at 9:35 AM Stian Thorgersen > wrote: > > > It's all controlled by the session and there is no way to get tokens > that > > work for longer. Issuing offline tokens to a web application would be a > > really bad idea. If you want users to remain authenticated set the idle > to > > a higher value. That's it. > > > > On 25 January 2017 at 15:09, David Delbecq > > wrote: > > > > Hello, > > > > we have a javascript web application we are migrating to keycloak. I am > not > > sure what the recommendations are on setting up configuration for that > > client with the following requirement: > > > > Once user triggers the "login" and gets keycloak authenticated, we should > > get a bearer token to use later on REST services. > > The user should not be requested again to login, unless he logs out. Even > > if he closes his browser. So we need a way to keep or replace token on a > > regular basis. Is there some keycloak REST service we can poll on a > regular > > basis for this? > > Sometimes the user goes "off grid" (no network communication) for several > > hours. How can we ensure we still keep logged in? > > > > My first idea was to just increase the SSO timeout and token validity to > 30 > > days. But it seems like a bad idea from my reading of keycloak > > documentation. So I tried to use an offline token instead, but it seems > the > > implicit flow doesn't allow you to get an offline token. All tokens I get > > after login are marked as expiring within 15 minutes. > > > > What's the recommended way to get long lived refresh token, using > implicit > > flow?
> > > > -- > > > > David Delbecq > > Software engineer, Transport & Logistics > > Geldenaaksebaan 329, 1st floor | 3001 Leuven > > > > +32 16 391 121 Direct > > david.delbecq at trimbletl.com > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > > David Delbecq > Software engineer, Transport & Logistics > Geldenaaksebaan 329, 1st floor | 3001 Leuven > +32 16 391 121 Direct > david.delbecq at trimbletl.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ssilvert at redhat.com Mon Feb 6 07:52:31 2017 From: ssilvert at redhat.com (Stan Silvert) Date: Mon, 6 Feb 2017 07:52:31 -0500 Subject: [keycloak-user] Angular2 app with non-authenticated pages In-Reply-To: References: Message-ID: <8a66b379-fcd7-49ac-3796-5b27524675c8@redhat.com> Good suggestion. I've created a JIRA and assigned it to myself as a task. I probably won't get to it for a while so if anyone else wants to do it please let me know. https://issues.jboss.org/browse/KEYCLOAK-4380 On 2/6/2017 5:47 AM, Plunkett McGurk wrote: > Hi Guys, > > In the Angular2 examples code the Keycloak service is initialised before Angular2 is bootstrapped. (https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular2-product-app/src/main/webapp/app/main.ts) > > In my Angular2 app I have a landing page which should be non-secured i.e. I don't need to login to view it. However because Keycloak wraps everything, it first hits the landing page and then redirects the user to login. > > So can anyone explain the proper way to do this?
It would be great if the examples could be extended to show how keycloak can be integrated with non-secure pages > > Many thanks > Plunkett > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ssilvert at redhat.com Mon Feb 6 07:53:00 2017 From: ssilvert at redhat.com (Stan Silvert) Date: Mon, 6 Feb 2017 07:53:00 -0500 Subject: [keycloak-user] Angular2 app with non-authenticated pages In-Reply-To: <79c79a35deab492da6d7322118f9971a@FERB.ppg.lan> References: <79c79a35deab492da6d7322118f9971a@FERB.ppg.lan> Message-ID: <5b2af0ce-0050-3d9e-c2fe-edbc8c6ea72e@redhat.com> Thanks for the tips. On 2/6/2017 6:03 AM, Kevin Berendsen wrote: > > Hi, > > Our initiation of the Keycloak JS adapter happens after the user tries his first attempt to access an authenticated-only page. We developed a very simple abstract class that will act as our authenticated component and will be extended by all components which require an authenticated user. So our initiation logic is contained by our abstract authenticated component class. > > This solution only requires a little refactoring in your codebase and some additional code. > > Tip: remove the reload page logic in the catch clause when you try to initiate the Keycloak JS adapter. You might end up in redirect infinite loops.
> > Kind regards, > Kevin Berendsen > > -----Original message----- > Date: Mon, 6 Feb 2017 10:47:29 +0000 > From: Plunkett McGurk > Subject: [keycloak-user] Angular2 app with non-authenticated pages > To: "keycloak-user at lists.jboss.org" > Message-ID: > > > Content-Type: text/plain; charset="us-ascii" > > Hi Guys, > > In the Angular2 examples code the Keycloak service is initialised before Angular2 is bootstrapped. (https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular2-product-app/src/main/webapp/app/main.ts) > > In my Angular2 app I have a landing page which should be non-secured i.e. I don't need to login to view it. However because Keycloak wraps everything, it first hits the landing page and then redirects the user to login. > > So can anyone explain the proper way to do this? It would be great if the examples could be extended to show how keycloak can be integrated with non-secure pages > > Many thanks > Plunkett
> > > ------------------------------ > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From abhi.raghav007 at gmail.com Mon Feb 6 08:31:37 2017 From: abhi.raghav007 at gmail.com (abhishek raghav) Date: Mon, 6 Feb 2017 19:01:37 +0530 Subject: [keycloak-user] Keycloak-Proxy OR mod_auth_openidc Message-ID: Hi I was working on a legacy app, which doesn't support keycloak adapter to be configured there. I did some POC and figured out that there are 2 solutions i.e. Keycloak Proxy and another is apache mods "mod_auth_openidc". I could successfully integrate both the solutions with keycloak and could setup the authentication Any suggestions on which one to use when..? Which can be a better candidate among the two..? Any suggestions are deeply appreciated. Thanks in advance. Cheers Abhishek Raghav From mark.pardijs at topicus.nl Mon Feb 6 09:07:31 2017 From: mark.pardijs at topicus.nl (Mark Pardijs) Date: Mon, 6 Feb 2017 14:07:31 +0000 Subject: [keycloak-user] Release date 2.5.3.Final Message-ID: When will release 2.5.3.Final be published? In Jira it has status Released (https://issues.jboss.org/projects/KEYCLOAK/versions/12333576) but in the downloads section or docker repo the version is still 2.5.1.Final. From dev.ebondu at gmail.com Mon Feb 6 09:17:17 2017 From: dev.ebondu at gmail.com (ebondu) Date: Mon, 6 Feb 2017 07:17:17 -0700 (MST) Subject: [keycloak-user] Angular 2 with Webpack In-Reply-To: References: <1485876734180-2545.post@n6.nabble.com> <0E093F6E-110C-494E-990C-8ACB834BFEAD@n-k.de> <1485943294984-2553.post@n6.nabble.com> <1485963870680-2560.post@n6.nabble.com> <1486027696642-2568.post@n6.nabble.com> Message-ID: <1486390637017-2622.post@n6.nabble.com> @Brian, I just updated the lib and added an Angular2 / Webpack2 example app you should be able to deploy in the demo distribution. 
-- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2622.html Sent from the keycloak-user mailing list archive at Nabble.com. From istvan.orban at gmail.com Mon Feb 6 10:40:39 2017 From: istvan.orban at gmail.com (Istvan Orban) Date: Mon, 6 Feb 2017 15:40:39 +0000 Subject: [keycloak-user] Exposing keycloak to clients or hide it Message-ID: Hi Everyone, I have set-up keycloak locally and I like it a lot. I generally like to hide implementation detail from related services so that they can be decoupled. I know keycloak has libs for plenty of different frameworks etc, although I am thinking about setting it up using Apache and mod_auth_openidc. The advantage is that our software will have openid connect as a dependency rather than keycloak. I would like to ask you what I am missing out with such a setup? Are there any major features I am losing by not using keycloak specific clients libs to connect my applications to keycloak directly? Thanks for any insights ! Istvan From mark.pardijs at topicus.nl Mon Feb 6 10:41:53 2017 From: mark.pardijs at topicus.nl (Mark Pardijs) Date: Mon, 6 Feb 2017 15:41:53 +0000 Subject: [keycloak-user] IdP initiated SSO to Account page? Message-ID: Hi, I want to give my users the possibility to edit their account settings from a federated IdP. Is there a way to do an IdP initiated SSO from a federated IdP which links directly to the account page at {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account? As far as I can see, I have to do the following steps: 1. In the 'master' keycloak: add a new SAML client with URL {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account. (Since there's no such thing as 'OpenID Connect IdP initiated SSO' as far as I can see) 2.
In the federated IdP: send a SAMLResponse to http://{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/broker/${fedIdP}/endpoint/clients/${CLIENT_ID} The login goes successfully, but after login I see a 403 "Failed executing POST /realms/master/account" error, since the account page doesn't accept POST requests. If I refresh the browser window which is pointing at the account page all is well, since this last request is a GET request. (See http://lists.jboss.org/pipermail/keycloak-user/2014-October/000989.html for the same question about POST/GET) I could make a third client whose only function is to show a link to the account page but don't know if this is the right way to go. From sthorger at redhat.com Mon Feb 6 13:55:05 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 6 Feb 2017 19:55:05 +0100 Subject: [keycloak-user] Removing Mongo support from Keycloak Message-ID: At times you have to make hard decisions and this has been one of those. We have decided to remove Mongo support from Keycloak. The primary motivation behind this decision is that we simply don't have the resources to maintain and further develop the back-end for both relational databases and Mongo. Further, there are some fundamental issues with our current use of Mongo that would require a large amount of work to become fully production ready. This primarily boils down to the lack of ACID transactions in Mongo. We hope that this decision won't result in too much trouble for those of you that are currently using Mongo as the back-end for Keycloak. It should be relatively painless to migrate to a relational database with our export/import feature. If you do run into issues with this please let us know on the mailing list and we will do whatever we can to help make the transition as smooth as possible. If anyone from the community would like to take over the Mongo support and maintain it as a separate extension please let us know.
We can help with extracting the code and work together in making it easy to install it as an extension. Migrating from Mongo to relational database: First step is to export the full database. You can do this by stopping the Keycloak server and running: bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=backup This will export all data from Mongo to JSON files within the directory backup. For full details refer to the Server Administration Guide. Next step is to install a relational database and configure it in Keycloak. Take your pick; we support quite a few. For full details refer to the Server Installation Guide. Once you have the relational database ready and configured, you can start Keycloak and import the data exported from Mongo. To do this run Keycloak with: bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=backup Hopefully you're now up and running with all your realms and users migrated to the relational database. If not, let us know on the user mailing list and we'll help you out as soon as possible. From shmuein+keycloak-dev at gmail.com Mon Feb 6 13:56:17 2017 From: shmuein+keycloak-dev at gmail.com (Muein Muzamil) Date: Mon, 6 Feb 2017 12:56:17 -0600 Subject: [keycloak-user] Differences between SAML descriptors In-Reply-To: References: <8ed4103a-444e-b8d8-3d03-7f4f863f6e1a@redhat.com> Message-ID: Bill, Your point about having client tailored metadata makes sense based on what is configured for that SP. Can you please also explain why the public endpoint has an extra tag whereas from installation tab it is not there, is it intentional or should I create a JIRA ticket for this? .........
Regards, Muein On Sat, Feb 4, 2017 at 1:21 PM, Bill Burke wrote: > > > On 2/4/17 11:41 AM, John Dennis wrote: > > On 02/03/2017 03:23 PM, Muein Muzamil wrote: > >> Hi All, > >> > >> Currently, KeyCloak supports two mechanisms to download SAML metadata. > >> > >> One is using this public URL > >> /auth/realms/{realm}/protocol/saml/descriptor. > >> The Second option is to download it from the installation tab of the > client > >> or using this API /admin/realms/{realm}/clients/ > >> {id}/installation/providers/{providerId} > >> > >> It seems that there are some differences between them. Especially the > first > >> option returns you metadata with an extra tag. > Such as > >> > >> >> xmlns="urn:oasis:names:tc:SAML:2.0:metadata" > >> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> > >> > >> ......... > >> > >> > > If the SP is unable to parse SP metadata containing an > > EntitiesDescriptor in addition to an EntityDescriptor then the SP is at > > fault. All the EntitiesDescriptor is is a container for multiple > > EntityDescriptor elements, it is perfectly permissible to have a > > container contain only 1 element just as it's acceptable to omit the > > container and have a bare element. > > > > If your SP cannot parse a metadata file containing an EntitiesDescriptor > > tag it's easy to strip it off the xml with a text editor. > > > > Irrespective of the SP's ability to parse metadata containing an > > EntitiesDescriptor element is the requirement stated in Section 4.1.1 of > > the SAML Metadata spec which requires metadata published at the IdP's > > well known location for metadata retrieval to contain *only* a > > EntityDescriptor as the root element. Since > > /auth/realms/{realm}/protocol/saml/descriptor is as close as > > Keycloak gets to a published well-known location for IdP metadata > > retrieval the use of an EntitiesDescriptor violates the SAML spec. I > > don't believe there is a JIRA filed for this yet.
However, I emphasize > > this is independent of the SP's ability to parse the IdP > > metadata because it does not know where the IdP metadata originated > > from. It should iterate over all the EntityDescriptors looking for an > > IDPSSODescriptor and then if it wants to confirm exactly one was found > > (or it could just load all of them, depends on the SP). > > > >> When we try to upload this metadata (downloaded from the public URL) to > >> PingOne, it doesn't like it (metadata from installation tab works fine). > > There are other inconsistencies in the IdP metadata depending on how > > it's retrieved from Keycloak aside from the EntitiesDescriptor tag. The > > inconsistent IdP metadata is a known problem and has been reported in > > this JIRA: > > > > https://issues.jboss.org/browse/KEYCLOAK-3373 > > > >> Is there any reason for this? > > Any reason for the inconsistencies, no. > > > There is a reason... They are different because the published global one > is all possible bindings and formats the IDP supports. The one > generated in the "Installation" tab is based on how the client was > configured and thus may not contain things like redirect bindings. > Basically, it's how the IDP wants the SP to communicate with it. > > Cheers, > > Bill > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Feb 6 14:20:03 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 6 Feb 2017 20:20:03 +0100 Subject: [keycloak-user] Release date 2.5.3.Final In-Reply-To: References: Message-ID: 2.5.3 won't be released in community. It was a tag made only for internal build of RH-SSO (supported version of Keycloak). 2.5.4 will be out in a week or two and will contain the fix you're waiting for. On 6 February 2017 at 15:07, Mark Pardijs wrote: > When will release 2.5.3.Final be published?
In Jira it has status Released > (https://issues.jboss.org/projects/KEYCLOAK/versions/12333576) but in the > downloads section or docker repo the version is still 2.5.1.Final. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Tue Feb 7 04:04:44 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 7 Feb 2017 10:04:44 +0100 Subject: [keycloak-user] IdP initiated SSO to Account page? In-Reply-To: References: Message-ID: The account page doesn't support SAML, only OIDC. To achieve what you want we'd have to add idp_hint query param support to the account page and make it include that in its authentication request. Would be pretty simple to do. You can create a JIRA feature request for it. Even better if it came with a PR including tests. On 6 February 2017 at 16:41, Mark Pardijs wrote: > Hi, > > I want to give my users the possibility to edit their account settings > from a federated IdP. Is there a way to do an IdP initiated SSO from a > federated IdP which links directly to the account page at > {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account? > > As far as I can see, I have to do the following steps: > > > 1. In the 'master' keycloak: add a new SAML client with URL > {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account. (Since there's no > such thing as 'OpenID Connect IdP initiated SSO' as far as I can see) > 2. In the federated IdP: send a SAMLResponse to http:// > {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/broker/${ > fedIdP}/endpoint/clients/${CLIENT_ID} > > The login goes successfully, but after login I see a 403 "Failed executing > POST /realms/master/account" error, since the account page doesn't accept > POST requests. If I refresh the browser window which is pointing at the > account page all is well, since this last request is a GET request.
(See > http://lists.jboss.org/pipermail/keycloak-user/2014-October/000989.html > for the same question about POST/GET) > > I could make a third client whose only function is to show a link to the > account page but don't know if this is the right way to go. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Tue Feb 7 04:07:26 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 7 Feb 2017 10:07:26 +0100 Subject: [keycloak-user] Exposing keycloak to clients or hide it In-Reply-To: References: Message-ID: There are two main things you'd miss: * Direct support for roles - there are ways to do this though * Backchannel logout - our logout mechanism for OIDC is currently proprietary as there was no OIDC spec for it when we implemented it, and it's still only a draft I believe On 6 February 2017 at 16:40, Istvan Orban wrote: > Hi Everyone, > > I have set-up keycloak locally and I like it a lot. I generally like to > hide implementation detail from related services so that they can be > decoupled. > I know keycloak has libs for plenty of different frameworks etc, although > I am thinking about setting it up using Apache and mod_auth_openidc. > The advantage is that our software will have openid connect as a dependency > rather than keycloak. I would like to ask you what I am missing out with > such a setup? > Are there any major features I am losing by not using keycloak specific > clients libs to connect my applications to keycloak directly? > > Thanks for any insights !
> > Istvan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From istvan.orban at gmail.com Tue Feb 7 04:17:29 2017 From: istvan.orban at gmail.com (Istvan Orban) Date: Tue, 7 Feb 2017 09:17:29 +0000 Subject: [keycloak-user] Exposing keycloak to clients or hide it In-Reply-To: References: Message-ID: Hi, Thanks for getting back to me on this one! On the backchannel logout bit: I reckon you guys are planning to conform to OIDC spec. Do you have a rough idea on timeline? I want to make sure that I keep an eye out and perhaps implement this as it becomes available. Thanks for your answer again! Kind Regards On 7 February 2017 at 09:07, Stian Thorgersen wrote: > There are two main things you'd miss: > > * Direct support for roles - there are ways to do this though > * Backchannel logout - our logout mechanism for OIDC is currently > proprietary as there was no OIDC spec for it when we implemented it, and > it's still only a draft I believe > > On 6 February 2017 at 16:40, Istvan Orban wrote: > >> Hi Everyone, >> >> I have set-up keycloak locally and I like it a lot. I generally like to >> hide implementation detail from related services so that they can be >> decoupled. >> I know keycloak has libs for plenty of different frameworks etc, although >> I am thinking about setting it up using Apache and mod_auth_openidc. >> The advantage is that our software will have openid connect as a >> dependency >> rather than keycloak. I would like to ask you what I am missing out with >> such a setup? >> Are there any major features I am losing by not using keycloak specific >> clients libs to connect my applications to keycloak directly? >> >> Thanks for any insights !
>> >> Istvan >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- Kind Regards, Istvan Orban | Skype: istvan_o | Mobile: +44 (0) 7956 122 144 From plunkett_mcgurk at accelerite.com Tue Feb 7 04:32:11 2017 From: plunkett_mcgurk at accelerite.com (Plunkett McGurk) Date: Tue, 7 Feb 2017 09:32:11 +0000 Subject: [keycloak-user] Angular2 app with non-authenticated pages In-Reply-To: <5b2af0ce-0050-3d9e-c2fe-edbc8c6ea72e@redhat.com> References: <79c79a35deab492da6d7322118f9971a@FERB.ppg.lan> <5b2af0ce-0050-3d9e-c2fe-edbc8c6ea72e@redhat.com> Message-ID: Hi Guys, I appreciate you looking into this Many thanks Plunkett -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stan Silvert Sent: 06 February 2017 12:53 To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Angular2 app with non-authenticated pages Thanks for the tips. On 2/6/2017 6:03 AM, Kevin Berendsen wrote: > > Hi, > > Our initiation of the Keycloak JS adapter happens after the user tries his first attempt to access an authenticated-only page. We developed a very simple abstract class that will act as our authenticated component and will be extended by all components which require an authenticated user. So our initiation logic is contained by our abstract authenticated component class. > > This solution only requires a little refactoring in your codebase and some additional code. > > Tip: remove the reload page logic in the catch clause when you try to initiate the Keycloak JS adapter. You might end up in redirect infinite loops.
> > Kind regards, > Kevin Berendsen > > -----Original Message----- > Date: Mon, 6 Feb 2017 10:47:29 +0000 > From: Plunkett McGurk > Subject: [keycloak-user] Angular2 app with non-authenticated pages > To: "keycloak-user at lists.jboss.org" > Message-ID: > > > Content-Type: text/plain; charset="us-ascii" > > Hi Guys, > > In the Angular2 example code the Keycloak service is initialised before Angular2 is bootstrapped. (https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular2-product-app/src/main/webapp/app/main.ts) > > In my Angular2 app I have a landing page which should be non-secured, i.e. I don't need to login to view it. However, because Keycloak wraps everything, it first hits the landing page and then redirects the user to login. > > So can anyone explain the proper way to do this? It would be great if the examples could be extended to show how keycloak can be integrated with non-secure pages. > > Many thanks > Plunkett > > > > > DISCLAIMER > ========== > This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.
> > > ------------------------------ >

From mark.pardijs at topicus.nl Tue Feb 7 04:37:38 2017
From: mark.pardijs at topicus.nl (Mark Pardijs)
Date: Tue, 7 Feb 2017 09:37:38 +0000
Subject: [keycloak-user] IdP initiated SSO to Account page?
In-Reply-To: References:
Message-ID: <57554149-DED9-490B-A055-A8D0C2BA9F37@topicus.nl>

I see what you mean by the idp_hint, but wouldn't this exclude the IdP initiated SSO possibility? My use case is: "User logs in to IdP 'federated', IdP 'federated' does an IdP initiated SSO to IdP 'master' with as 'client' the account page", as documented here: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html. This works with a "normal" client, but not for the account client.

On 7 Feb 2017, at 10:04, Stian Thorgersen wrote:

The account page doesn't support SAML, only OIDC. To achieve what you want we'd have to add idp_hint query param support to the account page and make it include that in its authentication request. Would be pretty simple to do.
You can create a JIRA feature request for it. Even better if it came with a PR including tests.

On 6 February 2017 at 16:41, Mark Pardijs wrote:

Hi, I want to give my users the possibility to edit their account settings from a federated IdP. Is there a way to do an IdP initiated SSO from a federated IdP which links directly to the account page at {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account? As far as I can see, I have to do the following steps: 1. In the "master" keycloak: add a new SAML client with URL {KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/account. (Since there's no such thing as "OpenID Connect IdP initiated SSO", as far as I can see.) 2. In the federated IdP: send a SAMLResponse to http://{KEYCLOAK_SERVER_URL}/auth/realms/${REALM}/broker/${fedIdP}/endpoint/clients/${CLIENT_ID} The login goes successfully, but after login I see a 403 "Failed executing POST /realms/master/account" error, since the account page doesn't accept POST requests. If I refresh the browser window which is pointing at the account page all is well, since this last request is a GET request. (See http://lists.jboss.org/pipermail/keycloak-user/2014-October/000989.html for the same question about POST/GET.) I could make a third client whose only function is showing a link to the account page, but I don't know if this is the right way to go.

From asrafalianwarali.shaikh at gi-de.com Tue Feb 7 06:59:08 2017
From: asrafalianwarali.shaikh at gi-de.com (Shaikh Asrafali Anwarali)
Date: Tue, 7 Feb 2017 11:59:08 +0000
Subject: [keycloak-user] implementing new password policy
In-Reply-To: References:
Message-ID: <827b04ee30254739b2a886d27107fe3f@DEL1EXMBXP2P.accounts.intern>

Hi Stian, I have managed to implement the new password policy as a module.
Thanks for your response. Regards, Asraf Shaikh

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday, February 01, 2017 1:28 PM
To: Shaikh Asrafali Anwarali
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] implementing new password policy

There's docs for custom providers in the server development guide. Other than that there's nothing. Take a look at the Keycloak source for an example: https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/policy/LowerCasePasswordPolicyProvider.java

On 31 January 2017 at 05:04, Shaikh Asrafali Anwarali wrote: Hi, Hope you are doing well. I am currently trying to implement a new password policy. Is there any kind of documentation or guide available which helps with the implementation, or any example? Thanks in advance. Regards, Asraf Shaikh

From asrafalianwarali.shaikh at gi-de.com Tue Feb 7 07:09:48 2017
From: asrafalianwarali.shaikh at gi-de.com (Shaikh Asrafali Anwarali)
Date: Tue, 7 Feb 2017 12:09:48 +0000
Subject: [keycloak-user] Implementing New Required Action
Message-ID: <51642c46a70d4c84b431eb3aec3c0295@DEL1EXMBXP2P.accounts.intern>

Hi, At present I am implementing a new Required Action, similar to that of the updatePassword required action. I did go through the Authenticator example. The question is: for implementing a new required action, do we need to provide an implementation for Authenticator and AuthenticatorFactory? Are there any guidelines for implementing a required action apart from the Authenticator example?
Regards, Asraf Shaikh

From sagarahire at arvindinternet.com Tue Feb 7 08:16:44 2017
From: sagarahire at arvindinternet.com (Sagar Ahire)
Date: Tue, 7 Feb 2017 18:46:44 +0530
Subject: [keycloak-user] [HELP] Unable To Deploy Authenticator-Requirement-Action-Example
Message-ID:

Hello, In Keycloak 2.4.0 I tried to deploy the authenticator requirement action example (keycloak-2.4.0.Final/examples/providers/authenticator) using the following command: $ mvn clean install wildfly:deploy Getting: [ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.0.1.Final:deploy (default-cli) on project authenticator-required-action-example: Deployment failed and was rolled back. -> [Help 1] PFA for server log. I also tried to copy authentication-requirement-action-example.jar into the standalone/deployment/providers directory but it didn't work. Can someone please help with this? regards, -Sagar

From smichea at gmail.com Tue Feb 7 09:47:21 2017
From: smichea at gmail.com (Sebastien Michea)
Date: Tue, 7 Feb 2017 15:47:21 +0100
Subject: [keycloak-user] Call to protected resource
Message-ID:

Hi, I have a general question. Let's say I have a Java EE webapp that needs to call an external API or resource secured, for instance, with OpenID Connect. Can keycloak help me in some way in order to implement the authentication flow? Thank you Best regards

From salvatore.incandela at redhat.com Tue Feb 7 10:12:17 2017
From: salvatore.incandela at redhat.com (Salvatore Incandela)
Date: Tue, 7 Feb 2017 16:12:17 +0100
Subject: [keycloak-user] [Keycloak][Ldap Federation][Custom User LDAP Filter]
Message-ID:

Hi Guys, I'm configuring keycloak 7.0 with Ldap Federation. I put a custom query in the *Custom User LDAP Filter* parameter ("(title=enabled)"), but this seems to be ignored. Looking at the LDAPIdentityStore.fetchQueryResults method, it seems that once an EqualsCondition is found this one is considered and the others ignored. *if (condition instanceof EqualCondition) {* . .
return results; } I'm sure that I'm doing something wrong, some ideas? -- Salvatore Incandela Middleware Consultant ------------------------------ Red Hat - www.redhat.com Via Andrea Doria 41M 00192 Roma (Italy) Mobile +39 349 6196615 Fax +39 06 39728535 E-mail salvatore.incandela at redhat.com

From RLewis at carbonite.com Tue Feb 7 10:21:06 2017
From: RLewis at carbonite.com (Reed Lewis)
Date: Tue, 7 Feb 2017 15:21:06 +0000
Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak
In-Reply-To: <0D5EE78E-BD21-421C-8E1C-B01434014084@carbonite.com>
References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> <0D5EE78E-BD21-421C-8E1C-B01434014084@carbonite.com>
Message-ID:

Is there anyone who would know what would need to be changed to make the migration provider work with Keycloak >= 2.5.0? Thanks, Reed

On 1/27/17, 12:48 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Reed Lewis" wrote:

Scott, We are using your keycloak migration provider from here: https://github.com/Smartling/keycloak-user-migration-provider But the issue, it seems, is that version 2.50 and above of Keycloak has removed the API that was being used. Is there any way to easily migrate the code to use whatever Keycloak provides now? Thank you, Reed Lewis

From: Scott Rossillo
Date: Wednesday, January 27, 2016 at 1:02 PM
To: Reed Lewis
Cc: Thomas Darimont, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak

I think that's a more general question about user account merging so maybe one of the core devs can chime in. However, I just want to clarify, you don't want to query the federation provider at all when a user signs in with an external IDP, right?
In that case, you could modify the findByUsername() method to not create a user if the login is with an IDP. I'm not sure if it still exists in 1.7+ but the username used to be created as idp.email at provider.com where the IDP is the username prefix. Does that make sense / sufficiently address the use case? ~ Scott

On Jan 27, 2016, at 12:34 PM, Reed Lewis wrote:

This is working for me now. I created a service that listens on a port and implements the GET, HEAD and POST requests that are being made. The one issue now is that integration with other Identity providers does not work, since it still calls my server with the username from the external provider. How can I tell Keycloak that when a user comes from an external Identity provider not to check the user Federation provider? Thank you, Reed Lewis

From: Scott Rossillo
Date: Friday, January 15, 2016 at 4:42 PM
To: Thomas Darimont, Reed Lewis
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak

We just put up a blog post[0] and some sample code[1] on how to do this type of migration. [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/ [1]: https://github.com/Smartling/keycloak-user-migration-provider Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com

On Jan 15, 2016, at 11:06 AM, Thomas Darimont wrote:

Hello Reed, as you already wrote, you can write a federation provider that queries your backend service via REST for user data. Within the federation provider you can then import the user data returned from the REST call. This would work as follows - within the method: org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String) you call your backend REST service.
As a next step you create a new user with the given username: UserModel keycloakUser = session.userStorage().addUser(realm, username); Then you copy all the user data from your backend into Keycloak's UserModel. After that your backend user has a corresponding representation in Keycloak with a reference to this federation provider (id) via the "userModel.federationLink" property. The federation link will also be shown on the user page in the keycloak admin console. As long as the federation link is in place keycloak will ask the federation provider for the latest user data. Once you decide to cut the link to the federation provider you can simply do userModel.setFederationLink(null). You could basically cut (or rather omit) the federation link right after you added the user to Keycloak. Keycloak has no link information after that anymore and it will only use the user data stored in the Keycloak database for that particular user. You also have the option to do that for all your users via: org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel) or just use it on demand per user when he / she wants to login for the first time. Cheers, Thomas

2016-01-15 16:16 GMT+01:00 Reed Lewis:

Hi, We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data "live" in KeyCloak and never refer to the external datasource again once the account is "migrated" into KeyCloak. Can this be done with some modification of federation? We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.
Thank you, Reed Lewis _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From mcginnis.nathan at gmail.com Tue Feb 7 12:49:03 2017
From: mcginnis.nathan at gmail.com (Nathan McGinnis)
Date: Tue, 7 Feb 2017 12:49:03 -0500
Subject: [keycloak-user] Issues starting up keycloak after DB migration to 2.2.1 from 1.8.0
Message-ID:

Hi Everyone, I'm unable to start our keycloak server and could use some assistance. Just to give a quick recap of the background and steps we've taken: We've been using keycloak 1.8.0 for a while and are in the process of migrating to a 2.2.1 instance in AWS. We're running standalone HA mode with two nodes behind a public ELB. I have configured JDBC Ping to save session state across both nodes in preproduction and it works there. I have configured production the same way as preprod (we're also using Chef so I know it's configured the same). In production, we've taken a backup of the keycloak postgresql DB (1.8.0) and restored it to the keycloak DB our 2.2.1 instance is pointed to. I have set migrationStrategy to manual and it produced a .sql file to run. We had some issues running it related to indices and tables and such already existing, so we decided to run each statement line by line. This got us past the "Database not up-to-date" error, but we're now seeing this in the server.log which causes the startup to fail. Does anyone have an idea what the problem could be?
2017-02-07 17:16:50,380 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 55) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext, org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: javax.persistence.EntityNotFoundException: Unable to find org.keycloak.models.jpa.entities.ClientEntity with id asdfg123-123x-123e-1xx1-sdkasdjf7123
    at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl$JpaEntityNotFoundDelegate.handleEntityNotFound(EntityManagerFactoryBuilderImpl.java:144)
    at org.hibernate.proxy.AbstractLazyInitializer.checkTargetState(AbstractLazyInitializer.java:242)
    at org.hibernate.proxy.AbstractLazyInitializer.initialize(AbstractLazyInitializer.java:159)
    at org.hibernate.proxy.AbstractLazyInitializer.getImplementation(AbstractLazyInitializer.java:266)
    at org.hibernate.proxy.pojo.javassist.JavassistLazyInitializer.invoke(JavassistLazyInitializer.java:68)
    at org.keycloak.models.jpa.entities.ClientEntity_$$_jvst1c4_8.getRealm(ClientEntity_$$_jvst1c4_8.java)
    at org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient(RealmAdapter.java:1234)
    at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:241)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:379)
    at org.keycloak.migration.migrators.MigrateTo1_9_0.migrate(MigrateTo1_9_0.java:45)
    at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:74)
    at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:221)
    at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:162)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:121)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:295)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:112)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 19 more

From asrafalianwarali.shaikh at gi-de.com Wed Feb 8 00:24:14 2017
From: asrafalianwarali.shaikh at gi-de.com (Shaikh Asrafali Anwarali)
Date: Wed, 8 Feb 2017 05:24:14 +0000
Subject: [keycloak-user] How to check whether user account is activated
Message-ID:

Hi, I need to check whether a user account is activated or not. Below is the scenario: whenever we create a user and assign some temporary password, so that the user changes the password immediately after login, the message "You need to change your password to activate your account." is prompted immediately after login, wherein the user needs to set his new password. So the question is: until the new password is set the account is not activated, so by which property can we know that the user account is not activated? I need to check this in my new custom required action.
Regards, Asraf Shaikh

From mposolda at redhat.com Wed Feb 8 03:03:36 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 8 Feb 2017 09:03:36 +0100
Subject: [keycloak-user] [Keycloak][Ldap Federation][Custom User LDAP Filter]
In-Reply-To: References:
Message-ID: <232ef41e-858b-0e00-2e52-bc8405729daa@redhat.com>

On 07/02/17 16:12, Salvatore Incandela wrote: > Hi Guys, I'm configuring keycloak 7.0 with Ldap Federation, I put a custom > query in the *Custom User LDAP Filter* parameter ("(title=enabled)"), but > this seems to be ignored. > Looking on the LDAPIdentityStore.fetchQueryResults method. It seems that > once an EqualsCondition was found this one is considered and the others > ignored. > > *if (condition instanceof EqualCondition) {* > . > . > return results; > }

Nope, if you look at the code more deeply, you can find that this one is used just for the special case when you query by UUID. Maybe it can help to enable TRACE logging for the class org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore in your standalone.xml. With this enabled, you should be able to see some additional logging messages in server.log like: TRACE Using filter for LDAP search: ... You can see in which DN you're searching and how exactly your LDAP filter looks like. Hopefully this can help to figure out what is wrong. Marek

> > I'm sure that I'm doing something wrong, some ideas? >

From salvatore.incandela at redhat.com Wed Feb 8 04:41:23 2017
From: salvatore.incandela at redhat.com (Salvatore Incandela)
Date: Wed, 8 Feb 2017 10:41:23 +0100
Subject: [keycloak-user] [Keycloak][Ldap Federation][Custom User LDAP Filter]
In-Reply-To: <232ef41e-858b-0e00-2e52-bc8405729daa@redhat.com>
References: <232ef41e-858b-0e00-2e52-bc8405729daa@redhat.com>
Message-ID:

This is what I see in the log files: *2017-02-08 10:36:41,667 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-44) Found ldap object and populated with the attributes.
LDAP Object: LDAP Object [ dn: uid=example,ou=People,dc=example,dc=it , uuid: example, attributes: {uid=[example], userPassword=[[B at 6ba1b2f0], mail=[example at example.it ], givenName=[example], sn=[example], title=[disabled], modifyTimestamp=[20170207194557Z], createTimestamp=[20170207114007Z]}, readOnly attribute names: [givenname, sn, userpassword, mail, uid, modifytimestamp, title, createtimestamp] ]* Why is the Custom User LDAP Filter ignored in the case of a UUID search?

On Wed, Feb 8, 2017 at 9:03 AM, Marek Posolda wrote: > On 07/02/17 16:12, Salvatore Incandela wrote: > >> Hi Guys, I'm configuring keycloak 7.0 with Ldap Federation, I put a custom >> query in the *Custom User LDAP Filter* parameter ("(title=enabled)"), but >> this seems to be ignored. >> Looking on the LDAPIdentityStore.fetchQueryResults method. It seems that >> once an EqualsCondition was found this one is considered and the others >> ignored. >> >> *if (condition instanceof EqualCondition) {* >> . >> . >> return results; >> } >> > Nope, if you look at the code more deeply, you can find that this one is > used just for the special case when you query by UUID. > > Maybe it can help to enable TRACE logging for the class > org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore in your > standalone.xml . With this enabled, you should be able to see some > additional logging messages in server.log like: > > TRACE Using filter for LDAP search: ... > > you can see in which DN you're searching and how exactly your LDAP filter > looks like. Hopefully this can help to figure what is wrong. > > Marek > > >> I'm sure that I'm doing something wrong, some ideas?
>> >> > -- Salvatore Incandela

From kevin.berendsen at pharmapartners.nl Wed Feb 8 05:46:22 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Wed, 8 Feb 2017 10:46:22 +0000
Subject: [keycloak-user] [Keycloak][Ldap Federation][Custom User LDAP Filter]
Message-ID: <960559ce-f4cb-4e2f-8964-7a46bb51bcb5@email.android.com>

Hi, Depending on the implementation of your LDAP server, 'uid' is most likely the unique identifier, so not once should there be two LDAP entries with the same value. If you're searching based on your uuid, which is most likely set to 'uid', then other conditions shouldn't matter as only one can be returned anyway. Removing 'uid' from your baseDN could fix your issue. Even better, to help you out, could you send your LDAP federation config? Leave out all the information that you may consider sensitive, such as passwords. - Kevin

On 8 Feb 2017 10:46 am, Salvatore Incandela wrote: This is what I see in the log files: *2017-02-08 10:36:41,667 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-44) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=example,ou=People,dc=example,dc=it , uuid: example, attributes: {uid=[example], userPassword=[[B at 6ba1b2f0], mail=[example at example.it ], givenName=[example], sn=[example], title=[disabled], modifyTimestamp=[20170207194557Z], createTimestamp=[20170207114007Z]}, readOnly attribute names: [givenname, sn, userpassword, mail, uid, modifytimestamp, title, createtimestamp] ]* Why is the Custom User LDAP Filter ignored in the case of a UUID search?
On Wed, Feb 8, 2017 at 9:03 AM, Marek Posolda wrote: > On 07/02/17 16:12, Salvatore Incandela wrote: > >> Hi Guys, I'm configuring keycloak 7.0 with Ldap Federation, I put a custom >> query in the *Custom User LDAP Filter* parameter ("(title=enabled)"), but >> this seems to be ignored. >> Looking on the LDAPIdentityStore.fetchQueryResults method. It seems that >> once an EqualsCondition was found this one is considered and the others >> ignored. >> >> *if (condition instanceof EqualCondition) {* >> . >> . >> return results; >> } >> > Nope, if you look at the code more deeply, you can find that this one is > used just for the special case when you query by UUID. > > Maybe it can help to enable TRACE logging for the class > org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore in your > standalone.xml . With this enabled, you should be able to see some > additional logging messages in server.log like: > > TRACE Using filter for LDAP search: ... > > you can see in which DN you're searching and how exactly your LDAP filter > looks like. Hopefully this can help to figure what is wrong. > > Marek > > >> I'm sure that I'm doing something wrong, some ideas? 
>> >> > -- Salvatore Incandela

From mposolda at redhat.com Wed Feb 8 06:17:47 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 8 Feb 2017 12:17:47 +0100
Subject: [keycloak-user] [Keycloak][Ldap Federation][Custom User LDAP Filter]
In-Reply-To: References: <232ef41e-858b-0e00-2e52-bc8405729daa@redhat.com>
Message-ID:

There should be

On 08/02/17 10:41, Salvatore Incandela wrote: > This is what I see in the log files: > /2017-02-08 10:36:41,667 TRACE > [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] > (default task-44) Found ldap object and populated with the attributes. > LDAP Object: LDAP Object [ dn: uid=example,ou=People,dc=example,dc=it > , uuid: example, attributes: {uid=[example], > userPassword=[[B at 6ba1b2f0], mail=[example at example.it > ], givenName=[example], sn=[example], > title=[disabled], modifyTimestamp=[20170207194557Z], > createTimestamp=[20170207114007Z]}, readOnly attribute names: > [givenname, sn, userpassword, mail, uid, modifytimestamp, title, > createtimestamp] ]/

Any other TRACE message like: Using filter for LDAP search ... ?

> > Why is the Custom User LDAP Filter ignored in the case of a UUID search?

Yes, it is used just at the point when you're searching LDAP for example by username, email etc. When you search by UUID, you look up the concrete LDAP object by id, which you already retrieved before. You can try to search for example from the admin console to see the filters applied.
Marek

> > On Wed, Feb 8, 2017 at 9:03 AM, Marek Posolda wrote: > > On 07/02/17 16:12, Salvatore Incandela wrote: > > Hi Guys, I'm configuring keycloak 7.0 with Ldap Federation, I > put a custom > query in the *Custom User LDAP Filter* parameter > ("(title=enabled)"), but > this seems to be ignored. > Looking on the LDAPIdentityStore.fetchQueryResults method. It > seems that > once an EqualsCondition was found this one is considered and > the others > ignored. > > *if (condition instanceof EqualCondition) {* > . > . > return results; > } > > Nope, if you look at the code more deeply, you can find that this > one is used just for the special case when you query by UUID. > > Maybe it can help to enable TRACE logging for the class > org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore in your > standalone.xml . With this enabled, you should be able to see some > additional logging messages in server.log like: > > TRACE Using filter for LDAP search: ... > > you can see in which DN you're searching and how exactly your LDAP > filter looks like. Hopefully this can help to figure what is wrong. > > Marek > > > I'm sure that I'm doing something wrong, some ideas? > > > > > > -- > Salvatore Incandela >

From david_delbecq at trimble.com Wed Feb 8 07:06:27 2017
From: david_delbecq at trimble.com (David Delbecq)
Date: Wed, 08 Feb 2017 12:06:27 +0000
Subject: [keycloak-user] Client setup recommendation
In-Reply-To: References:
Message-ID:

In this case this is indeed a webapp that tries to act as much as possible like a native app, but without the burden of having to build and release for each mobile device. I will continue to analyze this information and see if we can find a way around our issues without an offline token. Thanks for your explanations.
On Mon, Feb 6, 2017 at 12:15 PM Stian Thorgersen wrote:

> Offline tokens should really only be used when it's possible to securely store the token. Web applications and local storage are not the most secure. I would certainly consider carefully what scope you provide in the token to make sure it's not used for sensitive operations.
>
> It also means that users would have to logout separately from the web app. It's no longer covered by things like remember me, remote logout, etc. You're providing a permanent "login" to a web app, which then a user has to know to separately logout.
>
> Devil is in the details though. For some web apps it may make sense, but I'd be careful before going down that path.
>
> On 6 February 2017 at 12:01, David Delbecq wrote:
>
>> Could you elaborate on why this is a bad idea? This seems to be dedicated to the kind of request I have, getting a refresh token valid for a long period, while keeping a regular client with a shorter refresh token.
>>
>> On Fri, Feb 3, 2017 at 9:35 AM Stian Thorgersen wrote:
>>
>>> It's all controlled by the session and there is no way to get tokens that work for longer. Issuing offline tokens to a web application would be a really bad idea. If you want users to remain authenticated set the idle to a higher value. That's it.
>>>
>>> On 25 January 2017 at 15:09, David Delbecq wrote:
>>>
>>>> Hello,
>>>>
>>>> we have a javascript web application we are migrating to keycloak. I am not sure what the recommendations are on setting up configuration for that client with the following requirements:
>>>>
>>>> Once the user triggers the "login" and gets keycloak authenticated, we should get a bearer token to use later on REST services.
>>>> The user should not be requested again to login, unless he logs out. Even if he closes his browser. So we need a way to keep or replace the token on a regular basis. Is there some keycloak REST service we can poll on a regular basis for this?
>>>> Sometimes the user goes "off grid" (no network communication) for several hours. How can we ensure we still keep logged in?
>>>>
>>>> My first idea was to just increase the SSO timeout and token validity to 30 days. But it seems like a bad idea from my reading of the keycloak documentation. So I tried to use an offline token instead, but it seems the implicit flow doesn't allow you to get an offline token. All tokens I get after login are marked as expiring within 15 minutes.
>>>>
>>>> What's the recommended way to get a long lived refresh token, using implicit flow?

--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq at trimbletl.com

From max.catarino at rps.com.br Wed Feb 8 09:30:48 2017
From: max.catarino at rps.com.br (max.catarino at rps.com.br)
Date: Wed, 08 Feb 2017 12:30:48 -0200
Subject: [keycloak-user] Keycloak Admin Client, create user, error 500, Internal Server Error
Message-ID: <060ee8d3591c98e1db8d081c3b077b25@rps.com.br>

I'm using Keycloak 2.5.1 Final, Keycloak
Admin Client 2.5.1 Final, Resteasy Client 3.1.0 Final and Resteasy Jackson2 Provider 3.1.0 Final.
I'm using the code above to test creating a user using the Admin Client. When the application runs the create method, the response returns error 500, Internal Server Error with the trace above on the Undertow server.

Am I missing something?

    Keycloak kc = KeycloakBuilder.builder()
            .serverUrl("https://IP:8443/auth/realms/sgp/protocol/openid-connect/auth")
            .realm("testrealm")
            .username(adminUser)
            .password(adminPassword)
            .clientId("admin-cli")
            .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
            .build();

    userRep = new UserRepresentation();
    userRep.setFirstName("John");
    userRep.setLastName("Doe");
    userRep.setEmail("john.doe at test.com");
    userRep.setEnabled(Boolean.TRUE);

    Response response = kc.realm(realmId).users().create(userRep);

    17:19:58,337 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /auth/admin/realms/testrealm/users: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: java.lang.NullPointerException
        at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:230)
        at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:211)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        ... 37 more

From mstrukel at redhat.com Wed Feb 8 11:48:02 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 8 Feb 2017 17:48:02 +0100
Subject: [keycloak-user] Keycloak Admin Client, create user, error 500, Internal Server Error
In-Reply-To: <060ee8d3591c98e1db8d081c3b077b25@rps.com.br>
References: <060ee8d3591c98e1db8d081c3b077b25@rps.com.br>
Message-ID:

You forgot to set username on your user:

    userRep.setUsername("johndoe");

On Wed, Feb 8, 2017 at 3:30 PM, wrote:

> I'm using Keycloak 2.5.1 Final, Keycloak Admin Client 2.5.1 Final, Resteasy Client 3.1.0 Final and Resteasy Jackson2 Provider 3.1.0 Final.
> I'm using the code above to test creating a user using the Admin Client. When the application runs the create method, the response returns error 500, Internal Server Error with the trace above on the Undertow server.
>
> Am I missing something?
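The same create-user call against the Admin REST API, added here as an example (it is neither the Java snippet from the thread nor the Keycloak Admin Client): the one field UsersResource.createUser looks up first is checked locally, so a representation without a username is rejected before the request instead of as the 500 above. The base URL, admin account and placeholder host are assumptions; only the offline parts are exercised by the test.

```python
"""Added example, not the thread's Java code and not the Keycloak Admin Client:
create a user through the Admin REST API with a client-side check for the
field the server requires, so a representation without a username fails here
rather than with the 500/NullPointerException shown above.

Assumptions, labelled: KC_BASE is the server's base URL up to and including
/auth (not an openid-connect endpoint); the admin account lives in the master
realm and uses the admin-cli client, as in the thread; the network calls only
succeed against a live server, so the test covers validation, request
construction and Location parsing.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict

REQUIRED_FIELDS = ("username",)  # UsersResource.createUser looks the user up by username first


class InvalidRepresentation(ValueError):
    """Raised before any request is sent when a required field is absent."""


def validate_user(rep: Dict) -> Dict:
    """Reject representations the server would fail on; returns rep unchanged."""
    missing = [f for f in REQUIRED_FIELDS if not rep.get(f)]
    if missing:
        raise InvalidRepresentation(f"missing required field(s): {', '.join(missing)}")
    return rep


def build_create_request(base_url: str, realm: str, token: str, rep: Dict) -> urllib.request.Request:
    """POST /admin/realms/{realm}/users carrying the validated JSON and a bearer token."""
    body = json.dumps(validate_user(rep)).encode("utf-8")
    url = f"{base_url.rstrip('/')}/admin/realms/{urllib.parse.quote(realm)}/users"
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })


def user_id_from_location(location: str) -> str:
    """A 201 reply carries Location: .../users/{id}; the id is the last path segment."""
    return urllib.parse.urlsplit(location).path.rstrip("/").rsplit("/", 1)[-1]


def admin_token(base_url: str, username: str, password: str) -> str:
    """Resource-owner password grant against master/admin-cli (what KeycloakBuilder does)."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode("ascii")
    url = f"{base_url.rstrip('/')}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form, method="POST")) as resp:
        return json.load(resp)["access_token"]


def create_user(base_url: str, realm: str, token: str, rep: Dict) -> str:
    """Create the user and return its id; surfaces the server's error body on failure."""
    try:
        with urllib.request.urlopen(build_create_request(base_url, realm, token, rep)) as resp:
            if resp.status != 201:
                raise RuntimeError(f"unexpected status {resp.status}")
            return user_id_from_location(resp.headers["Location"])
    except urllib.error.HTTPError as err:  # e.g. 409 for an existing username, 401 for a bad token
        raise RuntimeError(f"HTTP {err.code}: {err.read().decode('utf-8', 'replace')}") from err


if __name__ == "__main__":
    KC_BASE = "https://IP:8443/auth"  # placeholder host from the thread; assumption
    tok = admin_token(KC_BASE, "admin", "ADMIN-PASSWORD-PLACEHOLDER")
    print(create_user(KC_BASE, "testrealm", tok, {
        "username": "johndoe", "firstName": "John", "lastName": "Doe",
        "email": "john.doe@test.com", "enabled": True,
    }))
```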
From RLewis at carbonite.com Wed Feb 8 13:39:29 2017
From: RLewis at carbonite.com (Reed Lewis)
Date: Wed, 8 Feb 2017 18:39:29 +0000
Subject: [keycloak-user] Two Factor Authentication in Keycloak using text message or email to the user.
Message-ID: <1E7C6A46-7901-443A-8475-805D7D0378E8@carbonite.com>

We wish to use two factor authentication with Keycloak, but not the built in authenticator, but instead a more user friendly way of sending a text message to the user which the user will type into a box on the screen to successfully log in. Would that be something that could be done with Keycloak easily?

I would guess there would need to be a plug in to do this, but want to make sure it would be possible first.

Reed

From shmuein+keycloak-dev at gmail.com Wed Feb 8 13:49:38 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Wed, 8 Feb 2017 12:49:38 -0600
Subject: [keycloak-user] Differences between SAML descriptors
In-Reply-To:
References: <8ed4103a-444e-b8d8-3d03-7f4f863f6e1a@redhat.com>
Message-ID:

Quick reminder to the question below.

Can you please also explain why the public endpoint has an extra tag whereas it is not there in the metadata downloaded from the installation tab? Is it intentional, or should I create a JIRA ticket for this?

.........

regards,
Muein

On Mon, Feb 6, 2017 at 12:56 PM, Muein Muzamil <shmuein+keycloak-dev at gmail.com> wrote:

> Bill,
>
> Your point about having client tailored metadata makes sense based on what is configured for that SP. Can you please also explain why the public endpoint has an extra tag whereas from the installation tab it is not there? Is it intentional, or should I create a JIRA ticket for this?
>
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>
> .........
>
> Regards,
> Muein
>
> On Sat, Feb 4, 2017 at 1:21 PM, Bill Burke wrote:
>
>> On 2/4/17 11:41 AM, John Dennis wrote:
>>> On 02/03/2017 03:23 PM, Muein Muzamil wrote:
>>>> Hi All,
>>>>
>>>> Currently, KeyCloak supports two mechanisms to download SAML metadata.
>>>>
>>>> One is using this public URL /auth/realms/{realm}/protocol/saml/descriptor.
>>>> The second option is to download it from the installation tab of the client or using this API /admin/realms/{realm}/clients/{id}/installation/providers/{providerId}
>>>>
>>>> It seems that there are some differences between them. Especially the first option returns you metadata with an extra tag. Such as
>>>>
>>>> xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>>>> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>>>>
>>>> .........
>>>>
>>> If the SP is unable to parse SP metadata containing an EntitiesDescriptor in addition to an EntityDescriptor then the SP is at fault. All the EntitiesDescriptor is is a container for multiple EntityDescriptor elements; it is perfectly permissible to have a container contain only 1 element just as it's acceptable to omit the container and have a bare element.
>>>
>>> If your SP cannot parse a metadata file containing an EntitiesDescriptor tag it's easy to strip it off the xml with a text editor.
>>>
>>> Irrespective of the SP's ability to parse metadata containing an EntitiesDescriptor element is the requirement stated in Section 4.1.1 of the SAML Metadata spec which requires metadata published at the IdP's well known location for metadata retrieval to contain *only* an EntityDescriptor as the root element. Since /auth/realms/{realm}/protocol/saml/descriptor is as close as Keycloak gets to a published well known location for IdP metadata retrieval the use of an EntitiesDescriptor violates the SAML spec. I don't believe there is a JIRA filed for this yet. However, I emphasize this is independent of the SP's ability to parse the IdP metadata because it does not know where the IdP metadata originated from. It should iterate over all the EntityDescriptors looking for an IDPSSODescriptor and then if it wants to confirm exactly one was found (or it could just load all of them, depends on the SP).
>>>
>>>> When we try to upload this metadata (downloaded from the public URL) to PingOne, it doesn't like it (metadata from installation tab works fine).
>>>
>>> There are other inconsistencies in the IdP metadata depending on how it's retrieved from Keycloak aside from the EntitiesDescriptor tag. The inconsistent IdP metadata is a known problem and has been reported in this JIRA:
>>>
>>> https://issues.jboss.org/browse/KEYCLOAK-3373
>>>
>>>> Is there any reason for this?
>>>
>>> Any reason for the inconsistencies, no.
>>>
>> There is a reason....They are different because the published global one is all possible bindings and formats the IDP supports. The one generated in the "Installation" tab is based on how the client was configured and thus may not contain things like redirect bindings. Basically, it's how the IDP wants the SP to communicate with it.
>>
>> Cheers,
>>
>> Bill

From thomas.darimont at googlemail.com Wed Feb 8 14:04:09 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 8 Feb 2017 20:04:09 +0100
Subject: [keycloak-user] Two Factor Authentication in Keycloak using text message or email to the user.
In-Reply-To: <1E7C6A46-7901-443A-8475-805D7D0378E8@carbonite.com>
References: <1E7C6A46-7901-443A-8475-805D7D0378E8@carbonite.com>
Message-ID:

Hello Reed,

have a look at this JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-241

There is a more general ticket about improving the 2FA support - perhaps you find some additional answers there.
https://issues.jboss.org/browse/KEYCLOAK-4182

Cheers,
Thomas

From kevin.berendsen at pharmapartners.nl Wed Feb 8 14:06:20 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Wed, 8 Feb 2017 19:06:20 +0000
Subject: [keycloak-user] Two Factor Authentication in Keycloak using text message or email to the user.
Message-ID: <1389ee95-eb63-41ff-864e-cb80be2eecff@email.android.com>

Hi Reed,

It sure is possible, but every text message gateway vendor probably has its own custom API, so you need to create your own authenticator unless someone else did it for the same vendor. It sure is possible and if you get to know the Authentication SPI of Keycloak, it's most likely done within two weeks (includes testing and playing around with the code). We are doing the very same thing in about 2 weeks.

From max.catarino at rps.com.br Wed Feb 8 14:48:25 2017
From: max.catarino at rps.com.br (Maximiliano)
Date: Wed, 8 Feb 2017 12:48:25 -0700 (MST)
Subject: [keycloak-user] Keycloak Admin Client, create user, error 500, Internal Server Error
In-Reply-To:
References: <060ee8d3591c98e1db8d081c3b077b25@rps.com.br>
Message-ID: <1486583305725-2653.post@n6.nabble.com>

Thank you for the reply.
In the docs and examples username is not required.

From juandiego83 at gmail.com Wed Feb 8 19:03:47 2017
From: juandiego83 at gmail.com (Juan Diego)
Date: Wed, 8 Feb 2017 19:03:47 -0500
Subject: [keycloak-user] Using a service account for an app
Message-ID:

Hi,

Sorry, I am a little bit confused on how to use a service account, and if I am doing this correctly. I was reading this https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/oidc/service-accounts.html

So at the moment I have a java rest api backend that is set as an access type bearer-only, a front end in angular 1.5 that is a public access type. And they work ok with keycloak.

So I am creating a third app (it is not web), in java. I want this app to be able to access my rest services without logging in or creating public services.

So from what I understand I should create a client of type confidential, and allow service accounts.

So here is the part where I am kind of lost. I only have one role called users, that I was using on my backend and front end. Should I create a new role for my app, and should I add this role on my backend?
Thanks

From bburke at redhat.com Wed Feb 8 19:41:39 2017
From: bburke at redhat.com (Bill Burke)
Date: Wed, 8 Feb 2017 19:41:39 -0500
Subject: [keycloak-user] Differences between SAML descriptors
In-Reply-To:
References: <8ed4103a-444e-b8d8-3d03-7f4f863f6e1a@redhat.com>
Message-ID:

There is no reasoning why there is an element. I think I just copied an example from a SAML spec and assumed that was the correct way to publish it. Can't remember, it was years ago....:)

I created a JIRA for this https://issues.jboss.org/browse/KEYCLOAK-4399

On 2/8/17 1:49 PM, Muein Muzamil wrote:
> Quick reminder to the question below.
>
> Can you please also explain why the public endpoint has an extra tag whereas it is not there in the metadata downloaded from the installation tab? Is it intentional, or should I create a JIRA ticket for this?
>
> xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> entityID="http://10.164.44.249:1130/auth/realms/7BOM25F24Y">
> .........
>
> regards,
> Muein

From gaalvarez0910 at gmail.com Wed Feb 8 21:22:05 2017
From: gaalvarez0910 at gmail.com (Gustavo Alvarez)
Date: Thu, 09 Feb 2017 02:22:05 +0000
Subject: [keycloak-user] Change locale (language) for select list information.
In-Reply-To:
References:
Message-ID:

Hi all.

I am using keycloak 2.3.0 Final. I changed the language for a master realm, created a client and the information is presented with the new language, except some lists retrieved from the database in English; for example in the menu 'Authentication', tab 'Bindings', the select list in browser flow does not change the language, it is always English.

Can I change the language of this information?

Thanks for your help.

Gaalv 
arez.
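For the SAML metadata thread above (John Dennis's and Bill Burke's replies), an added example that is neither Keycloak nor PingOne code: an SP-side loader that accepts both root forms, iterates over all entities to find the IDPSSODescriptor, lists the advertised bindings, and does the "strip the wrapper" step programmatically while refusing to do so when the wrapper is signed. The metadata string and the entityID are constructed placeholders.

```python
"""Added example, not Keycloak or PingOne code: load IdP metadata whose root is
either a bare EntityDescriptor (what the spec requires at a well-known
location) or an EntitiesDescriptor wrapper (what the public descriptor
endpoint returns), find the IDPSSODescriptor by iterating over all entities,
and unwrap a single-entity wrapper for an SP that rejects the wrapper.

Assumptions, labelled: the metadata below is constructed with a placeholder
entityID; the namespaces are the standard SAML 2.0 metadata and XML-DSig ones.
"""
import xml.etree.ElementTree as ET
from typing import List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "dsig": DSIG}
ET.register_namespace("", MD)  # serialise with the default namespace, as the endpoint does
ET.register_namespace("dsig", DSIG)

# Constructed sample in the shape of the public endpoint's output.
WRAPPED = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <EntityDescriptor entityID="http://idp.example.test/auth/realms/example">
    <IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://idp.example.test/auth/realms/example/protocol/saml"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="http://idp.example.test/auth/realms/example/protocol/saml"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def entity_descriptors(root: ET.Element) -> List[ET.Element]:
    """Accept either root form. Direct children only: nested EntitiesDescriptor
    elements are legal but not handled here."""
    if root.tag == f"{{{MD}}}EntityDescriptor":
        return [root]
    if root.tag == f"{{{MD}}}EntitiesDescriptor":
        return root.findall("md:EntityDescriptor", NS)
    raise ValueError(f"unexpected root element {root.tag}")


def find_idps(xml_text: str) -> List[str]:
    """entityIDs of every entity carrying an IDPSSODescriptor (the iteration John
    describes; the caller decides whether exactly one is acceptable)."""
    return [ed.get("entityID") for ed in entity_descriptors(ET.fromstring(xml_text))
            if ed.find("md:IDPSSODescriptor", NS) is not None]


def sso_bindings(xml_text: str, entity_id: str) -> List[str]:
    """Bindings the IdP advertises: the public descriptor lists everything the IdP
    supports, the Installation-tab one only what that client is configured for."""
    for ed in entity_descriptors(ET.fromstring(xml_text)):
        if ed.get("entityID") == entity_id:
            return [s.get("Binding")
                    for s in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    return []


def unwrap_single_entity(xml_text: str) -> str:
    """Return the bare EntityDescriptor when the wrapper holds exactly one entity,
    i.e. the 'strip it off' step done programmatically. Refuses when the wrapper
    itself is signed, since the signature would no longer cover what the SP gets."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD}}}EntityDescriptor":
        return xml_text  # already bare
    if root.find("dsig:Signature", NS) is not None:
        raise ValueError("EntitiesDescriptor is signed; unwrapping would drop signature coverage")
    entities = entity_descriptors(root)
    if len(entities) != 1:
        raise ValueError(f"expected exactly one EntityDescriptor, found {len(entities)}")
    return ET.tostring(entities[0], encoding="unicode")
```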
From istvan.orban at gmail.com Thu Feb 9 04:08:37 2017
From: istvan.orban at gmail.com (Istvan Orban)
Date: Thu, 9 Feb 2017 09:08:37 +0000
Subject: [keycloak-user] implement one way user sync from legacy db to keycloak
Message-ID:

Hi Guys,

I am in the process of moving to Keycloak and I need to make a decision how to migrate my users. I think I have two options:

1. Migrate users using JSON import. I can grab the password from the db as they are encrypted with a reversible encryption :) In this case I have one question. I need to generate an output JSON and for that I need to see how Keycloak salts and encrypts the passwords by default. Can you point me to the class that does this? Can I include Keycloak as a dependency and call the same class to do the work for me?

2. Migrate users on-the-fly. I did find this example -> examples/userstorage/readonly/PropertyFileUserStorageProvider.java which is a great starting point, although I have one question on this one. Do I need to implement CredentialInputUpdater? All I need to do is a one-way import of the users from my DB, which I will probably do via an API call. I do not wish to sync users back to the legacy db at all. Would it be enough to simply just implement these interfaces -> UserStorageProvider, UserLookupProvider, CredentialInputValidator?

Also I did find an enum in UserStorageProvider called EditMode and I could not find out where to use this enum. Do I need to worry about this at all?

Thanks for any help!
--
Kind Regards,
*----------------------------------------------------------------------------------------------------------------*
*Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *

From mstrukel at redhat.com Thu Feb 9 05:50:31 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 9 Feb 2017 11:50:31 +0100
Subject: [keycloak-user] Keycloak Admin Client, create user, error 500, Internal Server Error
In-Reply-To: <1486583305725-2653.post@n6.nabble.com>
References: <060ee8d3591c98e1db8d081c3b077b25@rps.com.br> <1486583305725-2653.post@n6.nabble.com>
Message-ID:

Username is required info. Can you point out where in the docs and examples it says that username is not required?

On Wed, Feb 8, 2017 at 8:48 PM, Maximiliano wrote:
> Thank you for the reply.
> In the docs and examples username is not required.
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Keycloak-Admin-Client-create-user-error-500-Internal-Server-Error-tp2647p2653.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From guus.der.kinderen at gmail.com Thu Feb 9 10:57:26 2017
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Thu, 9 Feb 2017 16:57:26 +0100
Subject: [keycloak-user] Using another name than Keycloak's?
Message-ID:

Hi,

We're attempting to protect a service using Keycloak. We've noticed that some values that are valid usernames in Keycloak are not valid in our service.

We'd like to be able to use a username in our service that's different from the username that is used in Keycloak. Preferably, we'd like Keycloak to store the association between 'our' username and the Keycloak user.

Is something like this feasible with the existing integration features that are offered by Keycloak?
Regards,

Guus

From Ori.Doolman at amdocs.com Thu Feb 9 11:11:39 2017
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Thu, 9 Feb 2017 16:11:39 +0000
Subject: [keycloak-user] Additional attributes for an authorization request
Message-ID:

Hi Pedro Igor,

You wrote: You can't pass additional attributes along with an authorization request. However, that is something we want to support in future versions.

I have some questions about that:

1. Which future version will support that? Any plan for it at the moment?

2. Until it is supported, what would be the best practice recommendation to authorize resources such as account numbers? For example: the REST API (resource) I want to protect in the resource server is /api/getAccountDetails/{accountNum}. How should I configure the policy/permissions/resources/scopes in the PDP and how should I utilize the PEP (I'm using the Java adapter for JBoss Fuse)?

Thank you,
Ori.

This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, which you may review at http://www.amdocs.com/email_disclaimer.asp

From leo.nunes at gjccorp.com.br Thu Feb 9 11:47:11 2017
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Thu, 9 Feb 2017 16:47:11 +0000
Subject: [keycloak-user] Keycloak using HTTPS, error login Facebook
Message-ID:

Hi Everyone,

I'm using Keycloak 1.9.8 in production. Everything was working fine before I configured it to use HTTPS. Now when I try to log in using Facebook, I get the error below. Normal login with email and password is working fine.
Steps: * Go to a restricted page * On Keycloak login page click on the Facebook icon * Login at Facebook * When Facebook tries to redirect back, after a couple minutes I get the error below 2017-02-09 14:36:22,502 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-1) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) at java.net.Socket.connect(Socket.java:589) at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) at sun.net.NetworkClient.doConnect(NetworkClient.java:180) at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) at sun.net.www.protocol.https.HttpsClient.(HttpsClient.java:264) at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105) at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) at 
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141) at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88) at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

2017-02-09 14:36:22,503 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=accounts, clientId=null, userId=null, ipAddress=10.112.0.28, error=identity_provider_login_failure

--
Leonardo Nunes
________________________________
Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você não for o destinatário ou a pessoa autorizada a receber esta mensagem, não poderá usar, copiar ou divulgar as informações nela contidas ou tomar qualquer ação baseada nessas informações. Se você recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua cooperação.

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein.
If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation From strk at kbt.io Thu Feb 9 12:02:36 2017 From: strk at kbt.io (Sandro Santilli) Date: Thu, 9 Feb 2017 18:02:36 +0100 Subject: [keycloak-user] Node.js Adapter usage Message-ID: <20170209170236.GC24700@localhost> Hi all, I've just subscribed to this list as I'm working on adding keycloak support in a node.js project. Unfortunately, following the instructions on [1] I was unable to pass the `var keycloack = new Keycloak()` step, in that `Keycloak` class is not defined. [1] https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/nodejs-adapter.html I guess I have to require the module, but when I try `var Keycloak = require('keycloak-connect')` I get a failure message: /usr/src/akvo/akvo-maps/akvo-maps/images/tiler/server/node_modules/keycloak-connect/index.js:254 .then(grant => { return this.grantManager.ensureFreshness(grant); }) ^ SyntaxError: Unexpected token > at Module._compile (module.js:439:25) at Object.Module._extensions..js (module.js:474:10) at Module.load (module.js:356:32) at Function.Module._load (module.js:312:12) at Module.require (module.js:364:17) at require (module.js:380:17) at Object. (/usr/src/akvo/akvo-maps/akvo-maps/images/tiler/server/http/server.js:10:16) at Module._compile (module.js:456:26) at Object.Module._extensions..js (module.js:474:10) at Module.load (module.js:356:32) This is with node-0.10 though, while node-4.2.6 does not complain there (but does in another place). So, a few questions: 1. Where to report the lack of `require('keycloak-connect')` instruction in the documentation ? 2. What's the least supported node version ? 3. Are there working examples I could look at ? Thanks in advance --strk; () ASCII ribbon campaign -- Keep it simple ! 
/\ https://strk.kbt.io/rants/ascii_mails.txt

From leo.nunes at gjccorp.com.br Thu Feb 9 12:19:37 2017
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Thu, 9 Feb 2017 17:19:37 +0000
Subject: [keycloak-user] Keycloak using HTTPS, error login Facebook
Message-ID:

I'm sorry everyone, the server I was testing the HTTPS on didn't have access to the Internet. After fixing the Internet connection everything is working fine.

--
Leonardo

On 09/02/17 14:47, "keycloak-user-bounces at lists.jboss.org on behalf of LEONARDO NUNES" wrote:

>[This sender failed our fraud detection checks and may not be who they appear to be. Learn more about spoofing at http://aka.ms/LearnAboutSpoofing]
>
>Hi Everyone,
>
>I'm using Keycloak 1.9.8 in production.
>Everything was working fine before I configured to use HTTPS.
>Now when I try to login using Facebook, I get the error below.
>Normal login with email and password is working fine.
>
>Steps:
>
> * Go to a restricted page
> * On Keycloak login page click on the Facebook icon
> * Login at Facebook
> * When Facebook tries to redirect back, after a couple minutes I get the error below
>
>
>2017-02-09 14:36:22,502 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-1) Failed to make identity provider oauth callback:
>java.net.ConnectException: Connection timed out
>at java.net.PlainSocketImpl.socketConnect(Native Method)
>at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.
>java:206) >at >java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) >at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) >at java.net.Socket.connect(Socket.java:589) >at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) >at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173) >at sun.net.NetworkClient.doConnect(NetworkClient.java:180) >at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) >at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) >at sun.net.www.protocol.https.HttpsClient.(HttpsClient.java:264) >at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) >at >sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpCl >ient(AbstractDelegateHttpsURLConnection.java:191) >at >sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnectio >n.java:1105) >at >sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection >.java:999) >at >sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Abst >ractDelegateHttpsURLConnection.java:177) >at >sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnec >tion.java:1283) >at >sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnect >ion.java:1258) >at >sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURL >ConnectionImpl.java:250) >at >org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141) >at >org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authRespo >nse(AbstractOAuth2IdentityProvider.java:228) >at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >at >sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java: >62) >at >sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorIm >pl.java:43) >at java.lang.reflect.Method.invoke(Method.java:498) >at >org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java: >139) >at 
>org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMetho >dInvoker.java:295) >at >org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker >.java:249) >at >org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Resour >ceLocatorInvoker.java:138) >at >org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvok >er.java:107) >at >org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Resour >ceLocatorInvoker.java:133) >at >org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvok >er.java:101) >at >org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher >.java:395) >at >org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher >.java:202) >at >org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.servi >ce(ServletContainerDispatcher.java:221) >at >org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(Ht >tpServletDispatcher.java:56) >at >org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(Ht >tpServletDispatcher.java:51) >at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >at >io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.j >ava:85) >at >io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(Filter >Handler.java:129) >at >org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(Keyclo >akSessionServletFilter.java:88) >at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >at >io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(Filter >Handler.java:131) >at >io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.jav >a:84) >at >io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleReq >uest(ServletSecurityRoleHandler.java:62) >at >io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(Servl >etDispatchingHandler.java:36) >at 
>org.wildfly.extension.undertow.security.SecurityContextAssociationHandler. >handleRequest(SecurityContextAssociationHandler.java:78) >at >io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandle >r.java:43) >at >io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.han >dleRequest(SSLInformationAssociationHandler.java:131) >at >io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.han >dleRequest(ServletAuthenticationCallHandler.java:57) >at >io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandle >r.java:43) >at >io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest >(AbstractConfidentialityHandler.java:46) >at >io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHand >ler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >at >io.undertow.security.handlers.AuthenticationMechanismsHandler.handleReques >t(AuthenticationMechanismsHandler.java:60) >at >io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.ha >ndleRequest(CachedAuthenticatedSessionHandler.java:77) >at >io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(No >tificationReceiverHandler.java:50) >at >io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.ha >ndleRequest(AbstractSecurityContextAssociationHandler.java:43) >at >io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandle >r.java:43) >at >org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRe >quest(JACCContextIdHandler.java:61) >at >io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandle >r.java:43) >at >io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandle >r.java:43) >at >io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(Serv >letInitialHandler.java:284) >at >io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(Servlet >InitialHandler.java:263) >at 
>io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>at java.lang.Thread.run(Thread.java:745)
>
>2017-02-09 14:36:22,503 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=accounts, clientId=null, userId=null, ipAddress=10.112.0.28, error=identity_provider_login_failure
>
>
>--
>Leonardo Nunes
>________________________________
>Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você não for o destinatário ou a pessoa autorizada a receber esta mensagem, não poderá usar, copiar ou divulgar as informações nela contidas ou tomar qualquer ação baseada nessas informações. Se você recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua cooperação.
>
>This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.
Thank you for your cooperation
>_______________________________________________
>keycloak-user mailing list
>keycloak-user at lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/keycloak-user

From jason at naidmincloud.com Thu Feb 9 13:29:06 2017
From: jason at naidmincloud.com (Jason B)
Date: Thu, 9 Feb 2017 10:29:06 -0800
Subject: [keycloak-user] Authentication API
Message-ID:

Hi,

I would like to handle user registration outside of Keycloak instead of using the built-in registration feature. But I am having difficulty figuring out how to allow the user to log in to Keycloak seamlessly after registration is completed.

Does Keycloak support authentication as an API, like a web service call, and is there any way we can create a session for a user through the API?

Thanks!

From jason at naidmincloud.com Thu Feb 9 13:40:48 2017
From: jason at naidmincloud.com (Jason B)
Date: Thu, 9 Feb 2017 10:40:48 -0800
Subject: [keycloak-user] OAuth token introspection
Message-ID:

Hi Stian,

Thanks for the response. I got the token_type issue. But when it comes to scope I still have questions. According to the RFC, the scope attribute is optional, but shouldn't we interpret it as below?

- During the initial handshake, if the request doesn't contain the scope parameter then it becomes optional in the introspection response.
- During the initial OAuth 2.0 handshake, if the incoming request contains scope as a query string parameter then it must be present in the introspection response with all granted scopes.

Thanks!

On Fri, Feb 3, 2017 at 12:43 AM, Stian Thorgersen wrote:
> 1 looks like a bug and it simply has the wrong name.
>
> 2 scope is optional and we don't support this at the moment
>
> On 27 January 2017 at 05:52, Jason B wrote:
>
>> Hi,
>>
>> I am trying to understand the OAuth 2.0 capabilities of Keycloak server and
>> I have a few questions with respect to the implementation of the OAuth
>> introspection spec.
>>
>> This is how a sample introspection response looks:
>>
>> {
>>   "jti": "7e0a2c4b-9725-432b-a0fd-594f21686108",
>>   "exp": 1485492229,
>>   "nbf": 0,
>>   "iat": 1485491929,
>>   "iss": "http://localhost:8080/auth/realms/nkadali",
>>   "aud": "proxy",
>>   "sub": "e89175d5-94fd-453a-8abb-9953d59d04cf",
>>   "typ": "Bearer",
>>   "azp": "proxy",
>>   "auth_time": 1485487408,
>>   "session_state": "c05ea410-6f0a-458d-9b2c-debafba732b7",
>>   "name": "",
>>   "preferred_username": "jason",
>>   "acr": "0",
>>   "client_session": "5d761332-97eb-404d-8624-3de4eca967cd",
>>   "allowed-origins": [],
>>   "realm_access": {
>>     "roles": [
>>       "uma_authorization"
>>     ]
>>   },
>>   "resource_access": {
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "client_id": "proxy",
>>   "username": "jason",
>>   "active": true
>> }
>>
>> I have two questions based on this response.
>>
>> 1. According to OAuth 2.0 Token Introspection (https://tools.ietf.org/html/rfc7662)
>> the JSON response body may contain a "token_type" member. But why is Keycloak
>> representing "token_type" as "typ"? Is there any specific reason?
>> 2. I don't see any "scope" attribute in the response body even though I
>> supplied the scope parameter while requesting the access token. Any idea on
>> how to get the scopes associated with the supplied access token?
>>
>> Thanks!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From bburke at redhat.com Thu Feb 9 14:59:12 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 9 Feb 2017 14:59:12 -0500
Subject: [keycloak-user] Authentication API
Message-ID:

Yes, you can create users through the Admin REST API.
You can also obtain tokens via the direct grant flow that OAuth has: http://www.keycloak.org/documentation

On 2/9/17 1:29 PM, Jason B wrote:
> Hi,
>
> I would like to handle user registration outside of Keycloak instead of
> using built in registration feature. But I am having difficulty in
> figuring out how to allow user to login into Keycloak seamlessly after
> registration is completed.
>
> Does Keycloak supports Authentication as API.. like a web service call and
> is there any way we can create a session for a user through API?
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Thu Feb 9 15:10:15 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 9 Feb 2017 15:10:15 -0500
Subject: [keycloak-user] Auth SPI being refactored in 3.0
Message-ID:

The Authentication SPI is being refactored in 3.0. Like what happened in Keycloak 2.x with the User Storage SPI, the Authentication SPI will be refactored and improved through various 3.x releases. We'll clean up areas, rewrite certain areas, and get the SPI ready so that it can be stable and supportable for the foreseeable future. We are also doing this work so that we can support things like step-up authentication and FIDO etc., although the latter is for much later down the road.

The first area that will be tackled will be the Form SPI.

Regards,

Bill

From david_delbecq at trimble.com Thu Feb 9 18:33:58 2017
From: david_delbecq at trimble.com (David Delbecq)
Date: Thu, 09 Feb 2017 23:33:58 +0000
Subject: [keycloak-user] keycloak.js library, init callback never called?
Message-ID:

Hello,

I have a strange issue with the keycloak.js library. I have this code:

    var loader = $q.defer();
    var keycloakAuth = new Keycloak(keycloakConfig);
    var keycloakInit = ......
    keycloakAuth.init(keycloakInit).success(function (authenticated) {
        auth.loggedIn = authenticated;
        if (authenticated) {
            KeycloakStorage.setStatus(keycloakAuth);
        }
        auth.authz = keycloakAuth;
        loader.resolve('loaded');
    }).error(function () {
        loader.reject('Failed to load keycloak settings');
    });

The init is in check-sso mode and includes the refresh and access token last saved in browser storage. However, when there is some Keycloak misconfiguration (here the CORS values were bad in the client config of Keycloak), the iframe generates a 404 without any log event in Keycloak, and on the JavaScript side neither the success nor the error callback gets called. I had the feeling, reading the doc, that I should have the guarantee that either error or success will be called. Am I understanding the documentation wrong or is it a bug in keycloak.js?

Best regards.

--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq at trimbletl.com

From mposolda at redhat.com Fri Feb 10 02:54:52 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 10 Feb 2017 08:54:52 +0100
Subject: [keycloak-user] Using another name than Keycloak's?
Message-ID:

I guess the "principal-attribute" adapter option is what you are looking for? For more details see http://www.keycloak.org/docs/2.5/securing_apps_guide/topics/oidc/java/java-adapter-config.html .

Marek

On 09/02/17 16:57, Guus der Kinderen wrote:
> Hi,
>
> We're attempting to protect a service using Keycloak. We've noticed that
> some values that are valid usernames in Keycloak, are not valid in our
> service.
>
> We'd like to be able to use a username in our service that's different from
> the username that is used in Keycloak. Preferably, we'd like Keycloak to
> store the association between 'our' username and the Keycloak user.
> > Is something like this feasible with the existing integration features that > are offered by Keycloak? > > Regards, > > Guus > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dradzikowski at bluesoft.net.pl Fri Feb 10 03:35:50 2017 From: dradzikowski at bluesoft.net.pl (Daniel Radzikowski) Date: Fri, 10 Feb 2017 09:35:50 +0100 Subject: [keycloak-user] Changing login form in OIDC Authorization Code Flow Message-ID: Hi, I'm trying to use OpenID Connect interface provided by Keycloak and I've got one doubt: is there any way to customize the login form returned by Keycloak to /protocol/openid-connect/auth request in Authorization Code Flow? By customizing I mean not only changing the page itself, but also the way the form is processed, e.g. it would call external service and after successful authentication, user would be redirected to redirect_uri with code granted (assuming session in Keycloak was created somehow in the meantime). If there isn't as I guess, would it be acceptable to implement such a feature and merge it? I suppose it would be compliant with OpenID Connect Authorization Code Flow. -- Pozdrawiam, Daniel Radzikowski. ?? From dradzikowski at bluesoft.net.pl Fri Feb 10 03:39:05 2017 From: dradzikowski at bluesoft.net.pl (Daniel Radzikowski) Date: Fri, 10 Feb 2017 09:39:05 +0100 Subject: [keycloak-user] Changing login form in OIDC Authorization Code Flow In-Reply-To: References: Message-ID: 2017-02-10 9:35 GMT+01:00 Daniel Radzikowski : > Hi, > > I'm trying to use OpenID Connect interface provided by Keycloak and I've > got one doubt: is there any way to customize the login form returned by > Keycloak to /protocol/openid-connect/auth request in Authorization Code > Flow? By customizing I mean not only changing the page itself, but also the > way the form is processed, e.g. 
> it would call an external service and after successful authentication the user would be redirected to redirect_uri with a code granted (assuming a session in Keycloak was created somehow in the meantime).
>
> If there isn't, as I guess, would it be acceptable to implement such a feature and merge it? I suppose it would be compliant with the OpenID Connect Authorization Code Flow.
> --
> Regards,
> Daniel Radzikowski.

--
Regards,
Daniel Radzikowski.

From guus.der.kinderen at gmail.com Fri Feb 10 04:01:00 2017
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Fri, 10 Feb 2017 10:01:00 +0100
Subject: [keycloak-user] Using another name than Keycloak's?

That looks like a fit, yes!

> OpenID Connection ID Token attribute to populate the UserPrincipal name with. If token attribute is null, defaults to sub. Possible values are sub, preferred_username, email, name, nickname, given_name, family_name.

Am I right to assume though that I cannot use any attribute, just one of the ones listed?

On 10 February 2017 at 08:54, Marek Posolda wrote:
> I guess the "principal-attribute" adapter option is what you are looking for? For more details see http://www.keycloak.org/docs/2.5/securing_apps_guide/topics/oidc/java/java-adapter-config.html .
>
> Marek
>
> On 09/02/17 16:57, Guus der Kinderen wrote:
>> Hi,
>>
>> We're attempting to protect a service using Keycloak. We've noticed that some values that are valid usernames in Keycloak are not valid in our service.
>>
>> We'd like to be able to use a username in our service that's different from the username that is used in Keycloak. Preferably, we'd like Keycloak to store the association between 'our' username and the Keycloak user.
>>
>> Is something like this feasible with the existing integration features that are offered by Keycloak?
>>
>> Regards,
>>
>> Guus

From mposolda at redhat.com Fri Feb 10 04:24:15 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 10 Feb 2017 10:24:15 +0100
Subject: [keycloak-user] Using another name than Keycloak's?
Message-ID: <488db15a-ecc8-973c-541f-80fb28c82de9@redhat.com>

On 10/02/17 10:01, Guus der Kinderen wrote:
> That looks like a fit, yes!
>
> OpenID Connection ID Token attribute to populate the UserPrincipal name with. If token attribute is null, defaults to sub. Possible values are sub, preferred_username, email, name, nickname, given_name, family_name.
>
> Am I right to assume though that I cannot use any attribute, just one of the ones listed?

Looking at AdapterUtils.getPrincipalName, it looks like yes. Just those listed here are allowed ATM... But as a workaround, you can create a protocolMapper, which will map your desired attribute to the token "nickname" (or any other claim you're not using in your app), and then use nickname as the value of principal_attribute on the adapter side?

Marek

> On 10 February 2017 at 08:54, Marek Posolda wrote:
>
> I guess the "principal-attribute" adapter option is what you are looking for? For more details see http://www.keycloak.org/docs/2.5/securing_apps_guide/topics/oidc/java/java-adapter-config.html .
>
> Marek
>
> On 09/02/17 16:57, Guus der Kinderen wrote:
>
> Hi,
>
> We're attempting to protect a service using Keycloak. We've noticed that some values that are valid usernames in Keycloak are not valid in our service.
>
> We'd like to be able to use a username in our service that's different from the username that is used in Keycloak. Preferably, we'd like Keycloak to store the association between 'our' username and the Keycloak user.
>
> Is something like this feasible with the existing integration features that are offered by Keycloak?
>
> Regards,
>
> Guus

From dradzikowski at bluesoft.net.pl Fri Feb 10 04:25:22 2017
From: dradzikowski at bluesoft.net.pl (Daniel Radzikowski)
Date: Fri, 10 Feb 2017 10:25:22 +0100
Subject: [keycloak-user] Notifying clients after session creation in Keycloak

Hi,

I'm working on a custom SSO, which uses the Direct Grant API to store sessions in Keycloak. The SSO creates its own cookie and data related to it, and then creates a session in Keycloak by calling /protocol/openid-connect/token, hiding the returned tokens behind the cookie. I'm aware that the solution isn't the best one, but that's not the case now.

What I need now is to provide the OpenID Connect Authorization Code Flow to external clients of my custom SSO. The easiest solution would be if they called Keycloak directly, but then the session in the custom SSO is not created and the Keycloak session is not related to the user data stored in the custom SSO.

The question is if there is any way to notify clients (the custom SSO) after successful session creation in Keycloak? It would need to call the custom SSO with the contents of the /protocol/openid-connect/token response, allowing the custom SSO to store the tokens behind the cookie.

What if I implemented such a feature and merged it into Keycloak?

--
Regards,
Daniel Radzikowski.

From ruiwp_93 at hotmail.com Fri Feb 10 05:17:34 2017
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Fri, 10 Feb 2017 03:17:34 -0700 (MST)
Subject: [keycloak-user] keycloak.js different registration page [Angular 2]
Message-ID: <1486721854566-2675.post@n6.nabble.com>

Hello,

I secured my app with the keycloak.js adapter as shown in the Angular 2 example.
I modified the login theme to look more like my app, and now I was trying to be able to use my own registration page. Is there any way to redirect to the Keycloak login on every page but the registration one? Or what other way is there to do this? Maybe use the registrations endpoint and edit the registration template to send the form data to my own endpoint?

Best Regards,
Rui

From christian.froehlich at agfa.com Fri Feb 10 05:56:30 2017
From: christian.froehlich at agfa.com (Christian Froehlich)
Date: Fri, 10 Feb 2017 11:56:30 +0100
Subject: [keycloak-user] Reply: Re: web origins of clients and using wildcards

I got the error in version 2.3.0.Final and the error is gone with the current version 2.5.1.Final! Thanks a lot!

Regards
Christian

From: Stian Thorgersen
To: Christian Froehlich/AWPWB/AGFA at AGFA
Cc: keycloak-user
Date: 31.01.2017 09:07
Subject: Re: [keycloak-user] web origins of clients and using wildcards

'*' as value for web origin works just fine here, so I can't reproduce your issue. What version? If you're not on the latest release try upgrading.

On 26 January 2017 at 09:31, Christian Froehlich <christian.froehlich at agfa.com> wrote:

Hi,

the tool tip of Web Origins in the client administration UI says: "...To permit all origins add '*'.", but it doesn't work. It seems that wildcards in web origins do not work at all. Using wildcards would be great on our development sites, where we often work with IPs instead of real DNS names. So currently we have to add a set of web origins with the possible IPs like https://192.168.99.100, https://192.168.99.101,...

Is it a bug or just a wrong tool tip, or am I completely wrong with my assumption?
Regards
Christian

From mposolda at redhat.com Fri Feb 10 08:39:56 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 10 Feb 2017 14:39:56 +0100
Subject: [keycloak-user] Changing login form in OIDC Authorization Code Flow
Message-ID: <4dcb3868-24eb-3509-3b7d-30c8902aee89@redhat.com>

We have the Authentication SPI (see the docs and the example distribution for details, and the directory "providers" in it). We also have the identityProvider SPI, which allows redirecting to an external OIDC, OAuth2 or SAML provider for authentication and then redirecting back to Keycloak. If your external service can communicate via one of these protocols, you could be fine without even needing to code any custom authenticators.

Marek

On 10/02/17 09:35, Daniel Radzikowski wrote:
> Hi,
>
> I'm trying to use the OpenID Connect interface provided by Keycloak and I've got one doubt: is there any way to customize the login form returned by Keycloak to the /protocol/openid-connect/auth request in the Authorization Code Flow? By customizing I mean not only changing the page itself, but also the way the form is processed, e.g. it would call an external service and after successful authentication the user would be redirected to redirect_uri with a code granted (assuming a session in Keycloak was created somehow in the meantime).
>
> If there isn't, as I guess, would it be acceptable to implement such a feature and merge it? I suppose it would be compliant with the OpenID Connect Authorization Code Flow.

From anunay.sinha at arvindinternet.com Fri Feb 10 09:09:07 2017
From: anunay.sinha at arvindinternet.com (Anunay Sinha)
Date: Fri, 10 Feb 2017 14:09:07 +0000
Subject: [keycloak-user] Keycloak Social Login

Hi

I am using Keycloak as a security layer and working towards enabling social login.
Social login was working and I was able to integrate Facebook with just configuration, using the documents. However, I have a requirement wherein I need to provide API endpoints for the same. Our mobile devices will be communicating with Facebook via the app and will have the token from Facebook (Implicit Flow). I will then be exchanging the token with Keycloak for the Keycloak access token.

I have two questions:
1. Is this approach correct, and if not, why?
2. How can I achieve this? I was thinking of writing a custom authenticator (I am not sure if that's the right approach, as I have to register the user as well if the FB access token user is not available with us; we can afford to log the user in with just the email ID, as we can onboard new users later). I am blocked because the authenticator is not working with any build from 2.4.0 onwards.

Let me know if my approach is correct, and if so how to proceed about it.

From harishjadhav1979 at yahoo.com Fri Feb 10 09:32:49 2017
From: harishjadhav1979 at yahoo.com (harish jadhav)
Date: Fri, 10 Feb 2017 14:32:49 +0000 (UTC)
Subject: [keycloak-user] Issue with LDAP federation import
References: <2131662825.1981761.1486737169488.ref@mail.yahoo.com>
Message-ID: <2131662825.1981761.1486737169488@mail.yahoo.com>

Hello Keycloak Team,

I am new to Keycloak and trying to integrate it with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers having different domains, say tkd.com and teckno.com respectively (running at 172.16.11.100 and 172.16.12.100 respectively), and I am able to import the users from both directories. I have created two LDAP federations in a single realm.

However, one issue which I am facing is that I am unable to import one particular user via the second federation. I have one user with the name ronny at tkd.com and username Ronny in 172.16.11.100, and ronny at teckno.com with the same username Ronny in 172.16.12.100.
The error I am getting is:

    User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e'

Can you please help on how to sync both users, as technically both users are different, having different email IDs and domains?

Thanks in advance.

Thanks,
Harish

From bburke at redhat.com Fri Feb 10 09:57:32 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 10 Feb 2017 09:57:32 -0500
Subject: [keycloak-user] Issue with LDAP federation import
In-Reply-To: <2131662825.1981761.1486737169488@mail.yahoo.com>
References: <2131662825.1981761.1486737169488.ref@mail.yahoo.com> <2131662825.1981761.1486737169488@mail.yahoo.com>
Message-ID: <52657892-0c99-3720-225c-5a018c7462d9@redhat.com>

You can't have 2 users with the same username. The sync is pulling users from the 2nd federation provider, sees that it's already been imported (by the 1st federation sync) and fails to import that user.

On 2/10/17 9:32 AM, harish jadhav wrote:
> Hello Keycloak Team,
> I am new to Keycloak and trying to integrate it with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers having different domains, say tkd.com and teckno.com respectively (running at 172.16.11.100 and 172.16.12.100 respectively), and I am able to import the users from both directories. I have created two LDAP federations in a single realm.
>
> However, one issue which I am facing is that I am unable to import one particular user via the second federation. I have one user with the name ronny at tkd.com and username Ronny in 172.16.11.100, and ronny at teckno.com with the same username Ronny in 172.16.12.100.
> The error I am getting is
>
> User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e'
>
> Can you please help on how to sync both users, as technically both users are different, having different email IDs and domains?
> Thanks in advance.
> Thanks,
> Harish

From glavoie at gmail.com Fri Feb 10 11:07:55 2017
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Fri, 10 Feb 2017 11:07:55 -0500
Subject: [keycloak-user] SAML Assertion Signature Algorithm Validation

Hi,

I'm currently testing different SAML signature algorithms with our application, and I noticed that regardless of the chosen signature algorithm for a SAML client, Keycloak will accept assertions signed with another algorithm (ex: KC signs with SHA256 but accepts SHA1 from the SP). With many other IdPs, when a signature algorithm is chosen, there's a validation that the same algorithm is used in both directions. I think this is something that Keycloak should do too as a security measure.

Can this be done right now, or would an enhancement request be required?

Thanks,

--
Gabriel Lavoie
glavoie at gmail.com

From harishjadhav1979 at yahoo.com Fri Feb 10 11:17:06 2017
From: harishjadhav1979 at yahoo.com (harish jadhav)
Date: Fri, 10 Feb 2017 16:17:06 +0000 (UTC)
Subject: [keycloak-user] Issue with LDAP federation import
References: <594238518.2003018.1486743426058.ref@mail.yahoo.com>
Message-ID: <594238518.2003018.1486743426058@mail.yahoo.com>

Hi Team,

Thanks for the immediate response. As both users are different persons and reside in different domains with different email IDs, I was expecting it to treat them as different users, and in fact the objectGUID will be different for both users.
And as both users belong to the same organisation, I can't use different realms either. Is there any workaround available for this?

Thanks
Harish

--------------------------------------------
On Fri, 2/10/17, Bill Burke wrote:

Subject: Re: [keycloak-user] Issue with LDAP federation import
To: keycloak-user at lists.jboss.org
Date: Friday, February 10, 2017, 8:27 PM

You can't have 2 users with the same username. The sync is pulling users from the 2nd federation provider, sees that it's already been imported (by the 1st federation sync) and fails to import that user.

On 2/10/17 9:32 AM, harish jadhav wrote:
> Hello Keycloak Team,
> I am new to Keycloak and trying to integrate it with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers having different domains, say tkd.com and teckno.com respectively (running at 172.16.11.100 and 172.16.12.100 respectively), and I am able to import the users from both directories. I have created two LDAP federations in a single realm.
>
> However, one issue which I am facing is that I am unable to import one particular user via the second federation. I have one user with the name ronny at tkd.com and username Ronny in 172.16.11.100, and ronny at teckno.com with the same username Ronny in 172.16.12.100. The error I am getting is
>
> User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e'
>
> Can you please help on how to sync both users, as technically both users are different, having different email IDs and domains?
> Thanks in advance.
> Thanks,
> Harish

From jason at naidmincloud.com Fri Feb 10 12:59:27 2017
From: jason at naidmincloud.com (Jason B)
Date: Fri, 10 Feb 2017 09:59:27 -0800
Subject: [keycloak-user] SAML Binding - ECP Profile

Hi,

I am trying to work on the SAML ECP profile. According to Keycloak's server administration documentation this SAML binding is supported. But when I configure IdP/SSO in the metadata I am not seeing any description/meta specific to the ECP binding. Is any documentation available on how to use the ECP profile in Keycloak?

Also, while testing IdP-initiated SSO / SP-initiated SSO, how can I inform Keycloak to use a specific binding? Is there any query string parameter available that I can use?

Thanks!

From jason at naidmincloud.com Fri Feb 10 13:06:51 2017
From: jason at naidmincloud.com (Jason B)
Date: Fri, 10 Feb 2017 10:06:51 -0800
Subject: [keycloak-user] Authentication API

Hi Bill,

We are handling user registration completely externally to Keycloak due to business processes, and for this we can't use the Keycloak REST APIs. Once the user completes registration, the user will receive an activation link, and when the user clicks on the activation link the user will be redirected to an activation service which is external to Keycloak. By this time we won't have the user's credentials to use direct grant access, but we will have the username only. So I am thinking of building a REST web service for this, but I am not sure how to create a session for a given user programmatically.

Thanks!

On Thu, Feb 9, 2017 at 11:59 AM, Bill Burke wrote:
> Yes, you can create users through the Admin REST API.
> You can also obtain tokens via the direct grant flow that OAuth has:
>
> http://www.keycloak.org/documentation
>
> On 2/9/17 1:29 PM, Jason B wrote:
>> Hi,
>>
>> I would like to handle user registration outside of Keycloak instead of using the built-in registration feature. But I am having difficulty in figuring out how to allow the user to log in to Keycloak seamlessly after registration is completed.
>>
>> Does Keycloak support Authentication as an API, like a web service call, and is there any way we can create a session for a user through the API?
>>
>> Thanks!

From jdennis at redhat.com Fri Feb 10 14:19:00 2017
From: jdennis at redhat.com (John Dennis)
Date: Fri, 10 Feb 2017 14:19:00 -0500
Subject: [keycloak-user] SAML Binding - ECP Profile
Message-ID: <58ec0cff-9182-57c5-be83-906fb605be7d@redhat.com>

On 02/10/2017 12:59 PM, Jason B wrote:
> Hi,
>
> I am trying to work on the SAML ECP profile. According to Keycloak's server administration documentation this SAML binding is supported. But when I configure IdP/SSO in the metadata I am not seeing any description/meta specific to the ECP binding. Is any documentation available on how to use the ECP profile in Keycloak?
>
> Also, while testing IdP-initiated SSO / SP-initiated SSO, how can I inform Keycloak to use a specific binding? Is there any query string parameter available that I can use?

ECP definitely works with Keycloak; we use it all the time.

You want to use the SOAP endpoint, e.g.

    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="https:xxx/auth/realms/xxx/protocol/saml" />

You may not see this endpoint in your IdP metadata depending on how you obtained the metadata from Keycloak.
It always appears if you use the /auth/realms/{realm}/protocol/saml/descriptor REST endpoint. But if you use the "Installation" on the client to get the IDPSSODescriptor, it won't appear unless you configure the client to use the endpoint (Keycloak only populates HTTP-POST using this method). IMHO this inconsistency is broken, but Bill disagrees (the fact that the OP couldn't find the SOAP endpoint is to me further evidence that a client-specific view of the IdP metadata is not a good idea).

But back to the original question of how to use ECP with Keycloak. There is very little you need to do in Keycloak. You only need to determine the SOAP endpoint [1] and of course have the SP registered. Make sure the PAOS endpoint, as it appears in the SP metadata, is in the list of redirect URIs for Keycloak's SP client. That's it.

Most of the configuration occurs in the ECP client. The ECP client must know the SP as well as the Keycloak SOAP endpoint. Currently Keycloak only supports basic and digest HTTP authentication with ECP.

[1] FWIW Keycloak uses the same endpoint for all bindings; however, you should not count on this, you should get the binding endpoint from the metadata.

--
John

From jason at naidmincloud.com Fri Feb 10 15:25:11 2017
From: jason at naidmincloud.com (Jason B)
Date: Fri, 10 Feb 2017 12:25:11 -0800
Subject: [keycloak-user] SAML Binding - ECP Profile
In-Reply-To: <58ec0cff-9182-57c5-be83-906fb605be7d@redhat.com>
References: <58ec0cff-9182-57c5-be83-906fb605be7d@redhat.com>

Thanks John for your inputs. Will give it a try.

On Fri, Feb 10, 2017 at 11:19 AM, John Dennis wrote:
> On 02/10/2017 12:59 PM, Jason B wrote:
>
>> Hi,
>>
>> I am trying to work on the SAML ECP profile. According to Keycloak's server administration documentation this SAML binding is supported. But when I configure IdP/SSO in the metadata I am not seeing any description/meta specific to the ECP binding. Is any documentation available on how to use the ECP profile in Keycloak?
>>
>> Also, while testing IdP-initiated SSO / SP-initiated SSO, how can I inform Keycloak to use a specific binding? Is there any query string parameter available that I can use?
>
> ECP definitely works with Keycloak; we use it all the time.
>
> You want to use the SOAP endpoint, e.g.
>
>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>     Location="https:xxx/auth/realms/xxx/protocol/saml" />
>
> You may not see this endpoint in your IdP metadata depending on how you obtained the metadata from Keycloak. It always appears if you use the /auth/realms/{realm}/protocol/saml/descriptor REST endpoint. But if you use the "Installation" on the client to get the IDPSSODescriptor, it won't appear unless you configure the client to use the endpoint (Keycloak only populates HTTP-POST using this method). IMHO this inconsistency is broken, but Bill disagrees (the fact that the OP couldn't find the SOAP endpoint is to me further evidence that a client-specific view of the IdP metadata is not a good idea).
>
> But back to the original question of how to use ECP with Keycloak. There is very little you need to do in Keycloak. You only need to determine the SOAP endpoint [1] and of course have the SP registered. Make sure the PAOS endpoint, as it appears in the SP metadata, is in the list of redirect URIs for Keycloak's SP client. That's it.
>
> Most of the configuration occurs in the ECP client. The ECP client must know the SP as well as the Keycloak SOAP endpoint. Currently Keycloak only supports basic and digest HTTP authentication with ECP.
>
> [1] FWIW Keycloak uses the same endpoint for all bindings; however, you should not count on this, you should get the binding endpoint from the metadata.
>
> --
> John

From TBarcia at wfscorp.com Fri Feb 10 16:21:53 2017
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Fri, 10 Feb 2017 21:21:53 +0000
Subject: [keycloak-user] Connection Reset using LDAPS
Message-ID: <8def5651e4f3490b9ae0ab1d67815110@MIA-WEX-P16.wfs.com>

In my Keycloak 2.2.1 environment we see continuous yet erratic errors in connecting to AD via LDAPS. For example, if I search for a user I may get a general server error, and then click search again and receive results. I tried adding the following to the startup:

    -Djdk.tls.client.protocols=TLSv1

based on an article regarding Java 8 and AD, but it does not appear to have made any difference.

The error:

14:56:20,143 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-21) Could not query server using DN [OU=redacted,DC= redacted,DC=com] and filter [(&(UserPrincipalName=limttestio)(objectclass=person)(objectclass=organizationalPerson)(objectclass=user))]: javax.naming.CommunicationException: simple bind failed: :636 [Root exception is java.net.SocketException: Connection reset]
78 more 14:56:20,148 ERROR [io.undertow.request] (default task-21) UT005023: Exception handling request to /auth/realms/redacted/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: LDAP Query failed at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.keycloak.models.ModelException: LDAP Query failed at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:169) at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176) at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510) at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284) at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111) at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152) at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217) at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118) at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126) at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at 
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) ... 37 more Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.federation.ldap.idm.query.internal.LDAPQuery at 1c8e5a6 at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:169) at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165) ... 
58 more Caused by: javax.naming.CommunicationException: simple bind failed: :636 [Root exception is java.net.SocketException: Connection reset] at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114) at org.jboss.as.naming.InitialContext.init(InitialContext.java:99) at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:154) at org.jboss.as.naming.InitialContext.(InitialContext.java:89) at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) at javax.naming.InitialContext.init(InitialContext.java:244) at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:154) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166) at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160) ... 
59 more Caused by: java.net.SocketException: Connection reset at java.net.SocketInputStream.read(SocketInputStream.java:209) at java.net.SocketInputStream.read(SocketInputStream.java:141) at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) at sun.security.ssl.InputRecord.read(InputRecord.java:503) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) ... 78 more *** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this communication and delete the communication, including any attachments, from your computer. 
Electronic communications sent to or from World Fuel Services Corporation or its subsidiaries or its affiliates may be monitored for quality assurance and compliance purposes.***

From jason at naidmincloud.com Fri Feb 10 17:07:50 2017
From: jason at naidmincloud.com (Jason B)
Date: Fri, 10 Feb 2017 14:07:50 -0800
Subject: [keycloak-user] SAML Binding - ECP Profile
In-Reply-To:
References: <58ec0cff-9182-57c5-be83-906fb605be7d@redhat.com>
Message-ID:

Quick question: Can Keycloak act as an ECP client? Or does it need to be some kind of gateway/proxy server sitting in front of the Service Provider, intercepting the requests going to the service provider?

On Fri, Feb 10, 2017 at 12:25 PM, Jason B wrote:
> Thanks John for your inputs. Will give it a try.
>
> On Fri, Feb 10, 2017 at 11:19 AM, John Dennis wrote:
>> On 02/10/2017 12:59 PM, Jason B wrote:
>>> Hi,
>>>
>>> I am trying to work on SAML ECP profile. According to Keycloak's server
>>> administration documentation this SAML binding is supported. But when I
>>> configure IdP/SSO in metadata I am not seeing any description/meta
>>> specific to ECP binding. Any documentation available on how to use ECP
>>> profile in Keycloak?
>>>
>>> Also, while testing IdP initiated SSO / SP initiated SSO, how can I
>>> inform Keycloak to use a specific binding? Is there any query string
>>> parameter available that I can use?
>>
>> ECP definitely works with Keycloak, we use it all the time.
>>
>> You want to use the SOAP endpoint, e.g.
>>
>>   <SingleSignOnService
>>     Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>>     Location="https:xxx/auth/realms/xxx/protocol/saml"
>>   />
>>
>> You may not see this endpoint in your IdP metadata depending on how you
>> obtained the metadata from Keycloak. It always appears if you use the
>> /auth/realms/{realm}/protocol/saml/descriptor REST endpoint. But if you
>> use the "Installation" tab on the client to get the IDPSSODescriptor it
>> won't appear unless you configure the client to use the endpoint
>> (Keycloak only populates HTTP-POST using this method). IMHO this
>> inconsistency is broken, but Bill disagrees (the fact the OP couldn't
>> find the SOAP endpoint is, to me, further evidence that a client-specific
>> view of the IdP metadata is not a good idea).
>>
>> But back to the original question of how to use ECP with Keycloak. There
>> is very little you need to do in Keycloak. You only need to determine the
>> SOAP endpoint [1] and of course have the SP registered. Make sure the PAOS
>> endpoint as it appears in the SP metadata is in the list of redirect URIs
>> for Keycloak's SP client. That's it.
>>
>> Most of the configuration occurs in the ECP client. The ECP client must
>> know the SP as well as the Keycloak SOAP endpoint. Currently Keycloak only
>> supports basic and digest HTTP authentication with ECP.
>>
>> [1] FWIW Keycloak uses the same endpoint for all bindings, however you
>> should not count on this; you should get the binding endpoint from the
>> metadata.
>>
>> --
>> John

From bburke at redhat.com Fri Feb 10 17:16:31 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 10 Feb 2017 17:16:31 -0500
Subject: [keycloak-user] Authentication API
In-Reply-To:
References:
Message-ID:

I've been meaning to implement something like this for a while.

1. Create a new registration flow.
2. Create an authenticator for the registration flow. This authenticator
   will be configured to redirect to your external registration service.
3. Use the POST trick that the SAML POST binding does to distribute the
   session code to the remote external registration service.
4. Registration service executes registration for the user.
5. Registration service then creates a JWS using a strong HMAC or keypair.
   The JWS contains a JSON doc that includes the username of the new user.
6. Registration service does the POST trick again and redirects back to the
   registration flow using the session code provided in #3.
7. Authenticator validates the JWS, sets the user and completes the flow.
   User is redirected back to the application.

Hope I am making sense.

On 2/10/17 1:06 PM, Jason B wrote:
> Hi Bill,
>
> We are handling user registration completely external to keycloak due
> to business processes and for this we can't use Keycloak REST APIs.
>
> Once the user completes registration, the user will receive an activation
> link and when the user clicks on the activation link the user will be
> redirected to an activation service which is external to keycloak. By this
> time we won't have user credentials to use direct grant access but we will
> have the username only.
>
> So I am thinking of building a REST web service for this but not sure
> how to create a session for a given user programmatically.
>
> Thanks!
>
> On Thu, Feb 9, 2017 at 11:59 AM, Bill Burke wrote:
>
> Yes, you can create users through the Admin REST API. You can also obtain
> tokens via the direct grant flow that OAuth has:
>
> http://www.keycloak.org/documentation
>
> > On 2/9/17 1:29 PM, Jason B wrote:
> > Hi,
> >
> > I would like to handle user registration outside of Keycloak instead of
> > using the built-in registration feature. But I am having difficulty in
> > figuring out how to allow the user to log in to Keycloak seamlessly after
> > registration is completed.
> >
> > Does Keycloak support Authentication as an API, like a web service call,
> > and is there any way we can create a session for a user through the API?
> >
> > Thanks!

From alkazako at redhat.com Fri Feb 10 17:33:48 2017
From: alkazako at redhat.com (Alexey Kazakov)
Date: Fri, 10 Feb 2017 14:33:48 -0800
Subject: [keycloak-user] Updating user
Message-ID: <5bc16e25-ec8e-d67b-b833-37278026a9bc@redhat.com>

Hi,

Is it possible to update a user remotely using this user's access token? I know that I can do it using the Admin REST API, but in this case I have to use the admin user's access token, which I would like to avoid.

We want to use our own user profile page + our backend service. The user updates his/her info. The UI calls our endpoint providing the user's token. The backend does some internal work related to the user's profile change, then updates Keycloak. The missing part is how we update the Keycloak user account using the user's token only, without obtaining the admin token. Something similar to /realms//protocol/openid-connect/userinfo but for updating the user's account. Or is the Admin REST API the only way to do it?

Thank you.

From java at neposoft.com Fri Feb 10 19:57:58 2017
From: java at neposoft.com (java_os)
Date: Fri, 10 Feb 2017 19:57:58 -0500
Subject: [keycloak-user] OPTIONS 401 - CORS problem
Message-ID: <6c0c08b5f0d06e14a95db64cc53fd93e.squirrel@neposoft.com>

Group

I have an angular SPA deployed on host A - apache httpd (static content) making REST API calls into a spring-boot app hosted by host B. The 2 servers are different domains. The SPA is protected by Keycloak.js. I am able to bring in the index. When I click on a REST call, the browser first sends an OPTIONS request to make sure server B is ready to accept, since it is an XHR cross-domain call. But the problem is that OPTIONS is being sent without Authorization: Bearer 'token' and so the REST webserver rejects the call with 401 - Unauthorized. Each REST call from the SPA to the cross-domain REST is rejected.

Am I the first one to hit this? I saw people solving this with regular un-secured apps, but in my case Keycloak using spring-security rejects it. Can anyone in the group help me - has anyone deployed the client and server (being bearer Keycloak protected) and solved this problem? I have tried various things inside spring-boot to allow OPTIONS/CORS, etc - none worked.

Thank you for help.

From teatimej at gmail.com Fri Feb 10 21:14:32 2017
From: teatimej at gmail.com (Michael Mok)
Date: Sat, 11 Feb 2017 10:14:32 +0800
Subject: [keycloak-user] update password failed - invalid code
Message-ID:

Hi All

Need help trying to allow the user to update their password.

The use case
1) Login to admin
2) Select a user, go to credentials and select Update Password as reset again and send email
3) User receives the email and clicks on the link (within the minute)
4) Keycloak complains with the error "We are sorry - an error occurred please login again."
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04

Keycloak standalone.xml ajp config

Apache 2 http conf
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
RequestHeader set X-Forwarded-Proto "https"
Require all granted
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
ProxyPass /auth ajp://localhost:8009/auth

Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc

Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441

Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code

Thanks.

From teatimej at gmail.com Fri Feb 10 22:37:22 2017
From: teatimej at gmail.com (Michael Mok)
Date: Sat, 11 Feb 2017 11:37:22 +0800
Subject: [keycloak-user] Fwd: update password failed - invalid code
In-Reply-To:
References:
Message-ID:

Hi All

Need help trying to allow the user to update their password.

The use case
1) Login to admin
2) Select a user, go to credentials and select Update Password as reset again and send email
3) User receives the email and clicks on the link (within the minute)
4) Keycloak complains with the error "We are sorry - an error occurred please login again."

Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04

Keycloak standalone.xml ajp config

Apache 2 http conf
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
RequestHeader set X-Forwarded-Proto "https"
Require all granted
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
ProxyPass /auth ajp://localhost:8009/auth

Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc

Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441

Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code

Thanks.

From teatimej at gmail.com Fri Feb 10 23:00:11 2017
From: teatimej at gmail.com (Michael Mok)
Date: Sat, 11 Feb 2017 12:00:11 +0800
Subject: [keycloak-user] update password failed
Message-ID:

Hi All

Need help trying to allow the user to update their password.

The use case
1) Login to admin
2) Select a user, go to credentials and select Update Password as reset again and send email
3) User receives the email and clicks on the link (within the minute)
4) Keycloak complains with the error "We are sorry - an error occurred please login again."

Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04

Keycloak standalone.xml ajp config

Apache 2 http conf
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
RequestHeader set X-Forwarded-Proto "https"
Require all granted
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
ProxyPass /auth ajp://localhost:8009/auth

Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc

Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441

Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code

Thanks.

From dr.vahid.dehghan at gmail.com Sat Feb 11 06:59:00 2017
From: dr.vahid.dehghan at gmail.com (TheAzariturk .)
Date: Sat, 11 Feb 2017 15:29:00 +0330
Subject: [keycloak-user] admin login,domain cluster mode
Message-ID:

hi

we created a domain mode cluster with 4 HC (host controllers). i created an admin user with add-user-keycloak --sc......... but i can't log in with it. when i stop 2 HC i can log in with admin. please help, what is it???? note that i have a shared database.

thanks

From java at neposoft.com Sat Feb 11 08:02:06 2017
From: java at neposoft.com (java_os)
Date: Sat, 11 Feb 2017 08:02:06 -0500
Subject: [keycloak-user] SOLVED ! -> OPTIONS 401 - CORS problem
In-Reply-To: <6c0c08b5f0d06e14a95db64cc53fd93e.squirrel@neposoft.com>
References: <6c0c08b5f0d06e14a95db64cc53fd93e.squirrel@neposoft.com>
Message-ID:

I solved it - all through the Spring Security Config in boot.
I had to remove
    http.anonymous().disable()
then I had to allow OPTIONS on:
    http.authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
Making sure we're not handling OPTIONS on any REST endpoints, I guess this should be safe enough.
Other than that, cross-domain REST calls work now.
Hopefully this will help anyone hitting this issue.

> Group
>
> I have an angular spa deployed on host A - apache httpd (static content)
> making REST api calls into a spring-boot
> hosted by host B. The 2 servers are different domains.
> Spa is protected by Keycloak.js. Am able to bring in the index. When I
> click on a rest call,
> browser sends over first OPTIONS request to make sure server B is ready to
> accept since it is an XHR cross domain call.
> But the problem is that OPTIONS is being sent without Authorization:
> Bearer 'token' and so the rest webserver rejects the call
> with 401 -Unauthorized. Each REST call from the SPA to the cross domain
> REST is rejected.
> Am I the first one to hit this?
> I saw people solving this with regular un-secured apps, but in my case
> Keycloak using spring-security rejects it.
> Anyone in the group can help me - anyone has deployed the client and
> server (being bearer keycloak protected) and solved
> this problem.
> Have tried various things inside spring-boot to allow options/cors, etc -
> none worked.
>
> Thank you for help.

From java at neposoft.com Sat Feb 11 08:44:49 2017
From: java at neposoft.com (java_os)
Date: Sat, 11 Feb 2017 08:44:49 -0500
Subject: [keycloak-user] SOLVED ! -> OPTIONS 401 - CORS problem
In-Reply-To:
References: <6c0c08b5f0d06e14a95db64cc53fd93e.squirrel@neposoft.com>
Message-ID:

But it's not working for IE11 - XMLHttpRequest: Network Error 0x80070005, Access is denied.
Anyone any tips on this?
Chrome/Firefox work.
Thanks

> I solved it - all through Spring Security Config in boot. I had to remove
> http.anonymous().disable()
> then I had to allow OPTIONS on :
> http.authorizeRequests()
> .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
> making sure we're not handle OPTIONS on any rest points I guess should be
> safe enough.
> Other than that , cross domain rest calls work now.
> Hopefully this will help anyone hitting this issue.
>
>
>> Group
>>
>> I have an angular spa deployed on host A - apache httpd (static content)
>> making REST api calls into a spring-boot
>> hosted by host B. The 2 servers are different domains.
>> Spa is protected by Keycloak.js. Am able to bring in the index. When I
>> click on a rest call,
>> browser sends over first OPTIONS request to make sure server B is ready
>> to
>> accept since it is an XHR cross domain call.
>> But the problem is that OPTIONS is being sent without Authorization:
>> Bearer 'token' and so the rest webserver rejects the call
>> with 401 -Unauthorized. Each REST call from the SPA to the cross domain
>> REST is rejected.
>> Am I the first one to hit this?
>> I saw people solving this with regular un-secured apps, but in my case
>> Keycloak using spring-security rejects it.
>> Anyone in the group can help me - anyone has deployed the client and
>> server (being bearer keycloak protected) and solved
>> this problem.
>> Have tried various things inside spring-boot to allow options/cors, etc
>> -
>> none worked.
>>
>> Thank you for help.

From java at neposoft.com Sat Feb 11 10:03:55 2017
From: java at neposoft.com (java_os)
Date: Sat, 11 Feb 2017 10:03:55 -0500
Subject: [keycloak-user] SOLVED ! -> OPTIONS 401 - CORS problem
In-Reply-To:
References: <6c0c08b5f0d06e14a95db64cc53fd93e.squirrel@neposoft.com>
Message-ID:

Adding the webserver (where the SPA is deployed) to the IE trusted sites makes IE work. Wondering why, since CORS was rejected by the jboss server, on the REST side, not by the apache httpd. But hey, in chrome you do not need to do anything; allowing OPTIONS on the REST boot app makes it right.

Can anyone here comment on whether allowing OPTIONS in the spring security config is a security risk? Provided that OPTIONS is not handled on any REST API calls?

cheers

> But it's not working for IE11 - XMLHttpRequest: Network Error 0x80070005,
> Access is denied.
> Anyone any tips on this?
> Chrome/Firefox work
> Thanks
>
>> I solved it - all through Spring Security Config in boot. I had to
>> remove
>> http.anonymous().disable()
>> then I had to allow OPTIONS on :
>> http.authorizeRequests()
>> .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
>> making sure we're not handle OPTIONS on any rest points I guess should
>> be
>> safe enough.
>> Other than that , cross domain rest calls work now.
>> Hopefully this will help anyone hitting this issue.
>>
>>
>>> Group
>>>
>>> I have an angular spa deployed on host A - apache httpd (static
>>> content)
>>> making REST api calls into a spring-boot
>>> hosted by host B. The 2 servers are different domains.
>>> Spa is protected by Keycloak.js. Am able to bring in the index. When I
>>> click on a rest call,
>>> browser sends over first OPTIONS request to make sure server B is ready
>>> to
>>> accept since it is an XHR cross domain call.
>>> But the problem is that OPTIONS is being sent without Authorization:
>>> Bearer 'token' and so the rest webserver rejects the call
>>> with 401 -Unauthorized. Each REST call from the SPA to the cross domain
>>> REST is rejected.
>>> Am I the first one to hit this?
>>> I saw people solving this with regular un-secured apps, but in my case
>>> Keycloak using spring-security rejects it.
>>> Anyone in the group can help me - anyone has deployed the client and
>>> server (being bearer keycloak protected) and solved
>>> this problem.
>>> Have tried various things inside spring-boot to allow options/cors, etc
>>> -
>>> none worked.
>>>
>>> Thank you for help.

From patrycja.vrebos at gmail.com Sat Feb 11 15:28:20 2017
From: patrycja.vrebos at gmail.com (Patrycja Vrebos)
Date: Sat, 11 Feb 2017 21:28:20 +0100
Subject: [keycloak-user] custom providers
Message-ID:

Hi Keycloak users,

I am new to keycloak. With my team we are using Red Hat Single Sign-On 7.0 with Keycloak 1.9.8. I need to customize this a little bit. We support different languages and actually some messages are not displayed as we want. For example the message in Recaptcha is not in the language expected.

I found an example of how to register Google Recaptcha and how to add validation of form elements on the page:
https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html

So I suppose if I register my own Recaptcha I will be able to specify the message I want to display. As written, I need to deploy my jar ("just copy it to the standalone/configuration/providers directory"). First, I didn't find a providers directory in configuration, so I created one where I copied my jar and I restarted my server. Then I tried to add my FormAction to the registration Flow but I don't see any difference in the admin console.
I mean I don't think my jar was deployed (I'm new to jboss).
I found there also another way to deploy the jar: throw the jar in the Keycloak deploy directory, but I don't understand what is meant by the "Keycloak deploy/ directory" mentioned in the documentation.

Another change I want to do is: in the reset password page add email validation.
I found some example: "Keycloak is designed to cover most use-cases without requiring custom code, but we also want it to be customizable. To achieve this Keycloak has a number of Service Provider Interfaces (SPI) which you can implement your own providers for."
Could you please recommend one which I should implement for this goal.

I will appreciate any help.

Best regards,
Patrycja

From teatimej at gmail.com Sat Feb 11 20:34:30 2017
From: teatimej at gmail.com (Michael Mok)
Date: Sun, 12 Feb 2017 09:34:30 +0800
Subject: [keycloak-user] email to reset password failed - keycloak 2.5.0
Message-ID:

Hi All

Need help trying to allow the user to update their password.

The use case
1) Login to admin
2) Select a user, go to credentials and select Update Password as reset again and send email
3) User receives the email and clicks on the link (within the minute)
4) Keycloak complains with the error "We are sorry - an error occurred please login again."
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04

Keycloak standalone.xml ajp config

Apache 2 http conf
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
RequestHeader set X-Forwarded-Proto "https"
Require all granted
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " common
ProxyPass /auth ajp://localhost:8009/auth

Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc

Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441

Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code

Thanks.

From moktc at hotmail.com Sat Feb 11 21:47:04 2017
From: moktc at hotmail.com (Michael Mok)
Date: Sun, 12 Feb 2017 02:47:04 +0000
Subject: [keycloak-user] email to reset password failed - keycloak 2.5.0
Message-ID:

Was trying to send this via my other email but it did not reach the mailing list. Trying again with my other email.

Hi All

Need help trying to allow the user to update their password.

The use case
1) Login to admin
2) Select a user, go to credentials and select Update Password as reset again and send email
3) User receives the email and clicks on the link (within the minute)
4) Keycloak complains with the error "We are sorry - an error occurred please login again."
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04

Keycloak standalone.xml ajp config

Apache 2 http conf
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
RequestHeader set X-Forwarded-Proto "https"
Require all granted
#Keycloak requirements
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " common
ProxyPass /auth ajp://localhost:8009/auth

Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc

Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441

Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code

Thanks.

From palermo at pobox.com Sun Feb 12 07:26:25 2017
From: palermo at pobox.com (Bruno Palermo)
Date: Sun, 12 Feb 2017 12:26:25 +0000
Subject: [keycloak-user] Custom Email Provider
Message-ID:

Hi,

I'm implementing a custom AWS SES email provider.

How can I choose which implementation to use for sending emails?

Thanks,
Bruno

From bruno at abstractj.org Mon Feb 13 04:22:00 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 13 Feb 2017 07:22:00 -0200
Subject: [keycloak-user] Connection Reset using LDAPS
In-Reply-To: <8def5651e4f3490b9ae0ab1d67815110@MIA-WEX-P16.wfs.com>
References: <8def5651e4f3490b9ae0ab1d67815110@MIA-WEX-P16.wfs.com>
Message-ID:

Hi Thomas, is the same happening with the latest Keycloak release? Have you tried this http://lists.jboss.org/pipermail/keycloak-user/2016-February/004945.html ?
On Fri, Feb 10, 2017 at 7:21 PM, Thomas Barcia wrote:
> In my Keycloak 2.2.1 environment we see continuous yet erratic errors in connecting to AD via LDAPS. For example, if I search for a user I may get a general server error and then click search again and receive results.
>
> I tried adding the following to the startup:
>
> -Djdk.tls.client.protocols=TLSv1
>
> Based on an article regarding java8 and AD but it does not appear to have made any difference.
>
> The error:
>
> 14:56:20,143 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-21) Could not query server using DN [OU=redacted,DC= redacted,DC=com] and filter [(&(UserPrincipalName=limttestio)(objectclass=person)(objectclass=organizationalPerson)(objectclass=user))]: javax.naming.CommunicationException: simple bind failed: :636 [Root exception is java.net.SocketException: Connection reset]
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
> at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
> at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114)
> at org.jboss.as.naming.InitialContext.init(InitialContext.java:99)
> at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:154)
> at org.jboss.as.naming.InitialContext.(InitialContext.java:89)
> at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
> at javax.naming.InitialContext.init(InitialContext.java:244)
> at
javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:154) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284) > at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111) > at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152) > at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217) > at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118) > at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126) > at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at 
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: java.net.SocketException: Connection reset > at java.net.SocketInputStream.read(SocketInputStream.java:209) > at java.net.SocketInputStream.read(SocketInputStream.java:141) > at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) > at sun.security.ssl.InputRecord.read(InputRecord.java:503) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) > at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) > at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) > at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) > at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) > ... 
78 more > > 14:56:20,148 ERROR [io.undertow.request] (default task-21) UT005023: Exception handling request to /auth/realms/redacted/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: LDAP Query failed > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.keycloak.models.ModelException: LDAP Query failed > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:169) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284) > at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111) > at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152) > at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217) > at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118) > at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126) > at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at 
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > ... 37 more > Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.federation.ldap.idm.query.internal.LDAPQuery at 1c8e5a6 > at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:169) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165) > ... 
58 more > Caused by: javax.naming.CommunicationException: simple bind failed: :636 [Root exception is java.net.SocketException: Connection reset] > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) > at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319) > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) > at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) > at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) > at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114) > at org.jboss.as.naming.InitialContext.init(InitialContext.java:99) > at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:154) > at org.jboss.as.naming.InitialContext.(InitialContext.java:89) > at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43) > at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) > at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) > at javax.naming.InitialContext.init(InitialContext.java:244) > at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:154) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160) > ... 
59 more > Caused by: java.net.SocketException: Connection reset > at java.net.SocketInputStream.read(SocketInputStream.java:209) > at java.net.SocketInputStream.read(SocketInputStream.java:141) > at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) > at sun.security.ssl.InputRecord.read(InputRecord.java:503) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) > at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) > at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) > at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) > at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) > ... 78 more > *** This communication has been sent from World Fuel Services > Corporation or its subsidiaries or its affiliates for the intended recipient > only and may contain proprietary, confidential or privileged information. > If you are not the intended recipient, any review, disclosure, copying, > use, or distribution of the information included in this communication > and any attachments is strictly prohibited. If you have received this > communication in error, please notify us immediately by replying to this > communication and delete the communication, including any > attachments, from your computer. 
Electronic communications sent to or
> from World Fuel Services Corporation or its subsidiaries or its affiliates
> may be monitored for quality assurance and compliance purposes.***
>

--
- abstractj

From sthorger at redhat.com Mon Feb 13 04:38:28 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 13 Feb 2017 10:38:28 +0100
Subject: [keycloak-user] Custom Email Provider
In-Reply-To:
References:
Message-ID:

Set the default provider in standalone.xml. See the server developer guide for more details.

On 12 February 2017 at 13:26, Bruno Palermo wrote:
> Hi,
>
> I'm implementing a custom AWS SES email provider.
>
> How can I choose which implementation to use for sending emails?
>
> Thanks,
> Bruno
>

From suryo.lho.96 at gmail.com Mon Feb 13 04:47:19 2017
From: suryo.lho.96 at gmail.com (suryo)
Date: Mon, 13 Feb 2017 16:47:19 +0700
Subject: [keycloak-user] Wildfly/swarm - keycloak - mongodb
Message-ID: <58a180a8.9821620a.a4bb8.70d2@mx.google.com>

Since keycloak doesn't support mongo anymore, is it still possible to run keycloak and wildfly with mongodb (with ssl connect)?

From patrycja.vrebos at gmail.com Mon Feb 13 05:54:54 2017
From: patrycja.vrebos at gmail.com (Patrycja Vrebos)
Date: Mon, 13 Feb 2017 11:54:54 +0100
Subject: [keycloak-user] custom providers
In-Reply-To:
References:
Message-ID:

Hi all,

Can anyone help with this issue?

Best Regards,
Patrycja

2017-02-11 21:28 GMT+01:00 Patrycja Vrebos :
> Hi Keycloak users,
>
> I am new to keycloak.
> With my team we are using Red Hat Single Sign-On 7.0 with Keycloak 1.9.8.
> I need to customize this a little bit.
> We support different languages and actually some messages are not displayed as we want.
> For example the message in Recaptcha is not in the language as expected.
> I found an example of how to register Google Recaptcha and how to add
> validation of form elements on the page:
> https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
> So I suppose if I register my own Recaptcha I will be able to specify the
> message I want to display.
> As written I need to deploy my jar (just copy it to the
> standalone/configuration/providers directory).
> First, I didn't find a providers directory in configuration so I created
> one where I copied my jar and I restarted my server. Then I tried to add my
> FormAction to the registration Flow but I don't see any difference in the admin
> console. I mean I don't think my jar was deployed (I'm new to jboss).
> I found there also another way to deploy the jar: throw the jar in the Keycloak
> deploy directory, but I don't understand what is meant by the "Keycloak
> deploy/ directory" mentioned in the documentation.
>
> Another change I want to do is: in the reset password page add email
> validation.
> I found some example: "Keycloak is designed to cover most use-cases
> without requiring custom code, but we also want it to be customizable. To
> achieve this Keycloak has a number of Service Provider Interfaces (SPI)
> which you can implement your own providers for."
> Could you please recommend one which I should implement for this goal.
>
> I will appreciate any help.
>
> Best regards,
> Patrycja
>

From thomas.darimont at googlemail.com Mon Feb 13 06:20:13 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 13 Feb 2017 12:20:13 +0100
Subject: [keycloak-user] Configuring event logging in Keycloak
Message-ID:

Hello group,

I needed to configure Keycloak to also show success events in the logs in order to be able to show the login count over time in a graylog dashboard.
For this to work I needed to change the log level for the "success-level" within the keycloak jboss-logging event-listener configuration. As some other folks might want to do that as well I'd like to share my jboss-cli config snippet with you.

Cheers,
Thomas

cd $KEYCLOAK_HOME
bin/jboss-cli.sh

# Start keycloak in embedded mode for configuration
embed-server --server-config=standalone-ha.xml --std-out=echo

# Configure jboss-logging event listener
/subsystem=keycloak-server/spi=eventsListener:add(default-provider=jboss-logging)
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:add(enabled=true)

# Propagate success events to INFO instead of DEBUG
# This allows to track successful logins in log analysis
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.success-level,value=info)
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.error-level,value=warn)

From palermo at pobox.com Mon Feb 13 06:41:40 2017
From: palermo at pobox.com (Bruno Palermo)
Date: Mon, 13 Feb 2017 09:41:40 -0200
Subject: [keycloak-user] Custom Email Provider
In-Reply-To:
References:
Message-ID: <1486986100.5170.6.camel@pobox.com>

Stian,

I looked at:

http://www.keycloak.org/docs/2.5/server_development_guide/topics/providers.html

and

http://www.keycloak.org/docs/2.5/server_development_guide/topics/extensions.html

And couldn't find any reference on how to set up the default emailProvider.

Looking at the standalone.xml, on section I can find settings for spi:

- eventsStore
- realm
- user
- userCache
- UserSessionPersister
- AuthorizationPersister
- timer
- connectionsHttpClient
- connectionsJpa
- realmCache
- connectionsInfinispan
- jta-lookup
- publicStorage

But not for the email provider.

Thanks,
Bruno

On Seg, 2017-02-13 at 10:38 +0100, Stian Thorgersen wrote:
> Set the default provider in standalone.xml. See server developer
> guide for more details.
>
> On 12 February 2017 at 13:26, Bruno Palermo wrote:
> > Hi,
> >
> > I'm implementing a custom AWS SES email provider.
> >
> > How can I choose which implementation to use for sending emails?
> >
> > Thanks,
> > Bruno
> >

From psilva at redhat.com Mon Feb 13 07:08:34 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 13 Feb 2017 10:08:34 -0200
Subject: [keycloak-user] Additional attributes for an authorization request
In-Reply-To:
References:
Message-ID:

On Thu, Feb 9, 2017 at 2:11 PM, Ori Doolman wrote:
> Hi Pedro Igor,
> You wrote:
> You can't pass additional attributes along with an authorization request.
> However, that is something we want to support on future versions.
>
> I have some questions about that:
>
> 1. Which future version will support that? Any plan for it at the
> moment?
>

Sorry, but I can't give you any dates. There are quite a few things in the authz services roadmap, but right now we have some time and resource constraints that are blocking us from following a plan/roadmap.

>
> 2. Until it is supported, what would be the best practice
> recommendation to authorize resources such as account numbers?
>
> For example: The REST API (resource) I want to protect in the resource
> server is /api/getAccountDetails/{accountNum}. How should I configure
> the policy/permissions/resources/scopes in the PDP and how should I
> utilize the PEP (I'm using Java adapter for JBOSS Fuse)?
>

It seems this one is already supported. I would suggest you take a look at the PhotoZ example about how to protect individual resources. There you will find:

1) How to create resources from your resource server using the Protection API using the Java AuthZ Client API.
2) How "typed" resources work, where you define permissions for a generic resource and these permissions are also applied to resources with the same type.

3) How to configure the "policy-enforcer" to handle paths with a pattern in order to resolve a specific resource instance (e.g. the account details in your example). Something like this:

{
  "name" : "Album Resource",
  "path" : "/album/{id}",
  "methods" : [
    {
      "method": "DELETE",
      "scopes" : ["urn:photoz.com:scopes:album:delete"]
    },
    {
      "method": "GET",
      "scopes" : ["urn:photoz.com:scopes:album:view"]
    }
  ]
}

>
> Thank you,
> Ori.
>
> This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement,
> you may review at http://www.amdocs.com/email_disclaimer.asp

From harishjadhav1979 at yahoo.com Mon Feb 13 07:23:30 2017
From: harishjadhav1979 at yahoo.com (harish jadhav)
Date: Mon, 13 Feb 2017 12:23:30 +0000 (UTC)
Subject: [keycloak-user] Issue with LDAP federation import
In-Reply-To: <594238518.2003018.1486743426058@mail.yahoo.com>
References: <594238518.2003018.1486743426058.ref@mail.yahoo.com> <594238518.2003018.1486743426058@mail.yahoo.com>
Message-ID: <223245594.3329330.1486988610034@mail.yahoo.com>

Team,

Can someone help on this please?

Thanks
Harish

On Friday, February 10, 2017 9:47 PM, harish jadhav wrote:

Hi Team,

Thanks for the immediate response. As both users are different persons and reside in different domains with different email ids, I was expecting it to treat them as different users, and in fact the objectguid will be different for both users. And as both users belong to the same organisation, I can't use different realms either.

Is there any workaround available for this?
Thanks
Harish

--------------------------------------------
On Fri, 2/10/17, Bill Burke wrote:

Subject: Re: [keycloak-user] Issue with LDAP federation import
To: keycloak-user at lists.jboss.org
Date: Friday, February 10, 2017, 8:27 PM

You can't have 2 users with the same username. The sync is pulling users from the 2nd federation provider, sees that it's already been imported (by the 1st federation sync) and fails to import that user.

On 2/10/17 9:32 AM, harish jadhav wrote:
> Hello Keycloak Team,
> I am new to keycloak and trying to integrate it with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers having different domains, say tkd.com and teckno.com respectively (running at 172.16.11.100 and 172.16.12.100 respectively), and I am able to import the users from both directories. I have created two LDAP federations in a single realm.
>
> However, one issue which I am facing is that I am unable to import one particular user by the second federation - I have one user having name ronny at tkd.com with username Ronny in 172.16.11.100 and ronny at teckno.com with the same username Ronny in 172.16.12.100. The error I am getting is
>
> User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e'
>
> Can you please help on how to sync both users, as technically both users are different, having different email ids and domains.
> Thanks in advance.
> Thanks
> Harish

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From harishjadhav1979 at yahoo.com Mon Feb 13 07:33:08 2017
From: harishjadhav1979 at yahoo.com (harish jadhav)
Date: Mon, 13 Feb 2017 12:33:08 +0000 (UTC)
Subject: [keycloak-user] Re Rest API for authentication
References: <862850848.3244948.1486989188582.ref@mail.yahoo.com>
Message-ID: <862850848.3244948.1486989188582@mail.yahoo.com>

Hello Team,

I have one web application which will be hosted in the cloud. I am planning to use keycloak for authentication purposes only, and keycloak will be running in the on-premise customer location. My plan is to:

1. Import the users to my application through my own import mechanism and later push them to Keycloak over the Rest API
2. Present a custom login page in my application which asks for username/password and passes it to Keycloak for authentication over the Rest API
3. Authentication can be through LDAP or SAML IDP ADFS
4. Get the token and use it for accessing the service based on authorization

I have a restriction on not using the keycloak login page, so I cannot use redirection to the keycloak login page. Please let me know whether it works out, and also give some pointers on the Rest API for SAML. My requirement is that I need to authenticate the user through either LDAP or SAML providers. I know some basic auth using Rest but am not getting an idea on SAML.
Thanks
Harish

From pslegr at redhat.com Mon Feb 13 07:41:59 2017
From: pslegr at redhat.com (pslegr)
Date: Mon, 13 Feb 2017 13:41:59 +0100
Subject: [keycloak-user] Issue with LDAP federation import
In-Reply-To: <223245594.3329330.1486988610034@mail.yahoo.com>
References: <594238518.2003018.1486743426058.ref@mail.yahoo.com> <594238518.2003018.1486743426058@mail.yahoo.com> <223245594.3329330.1486988610034@mail.yahoo.com>
Message-ID: <58A1A997.40308@redhat.com>

On 13.2.2017 13:23, harish jadhav wrote:
> Team,
> Can someone help on this please?
> Thanks
> Harish
>
> On Friday, February 10, 2017 9:47 PM, harish jadhav wrote:
>
> Hi Team,
>
> Thanks for the immediate response. As both users are different persons and reside in different domains with different email ids, I was expecting it to treat them as different users, and in fact the objectguid will be different for both users. And as both users belong to the same organisation, I can't use different realms either.
>
> Is there any workaround available for this?
>
> Thanks
> Harish
>
> --------------------------------------------
> On Fri, 2/10/17, Bill Burke wrote:
>
> Subject: Re: [keycloak-user] Issue with LDAP federation import
> To: keycloak-user at lists.jboss.org
> Date: Friday, February 10, 2017, 8:27 PM
>
> You can't have 2 users with the same username. The sync is pulling users from the 2nd federation provider, sees that it's already been imported (by the 1st federation sync) and fails to import that user.

Imagine the use case: you are having 2 separate organizations, or organizations recently handled separately, and you now want to migrate all users under the same domain.
It would be good to have a feature which allows you to identify the users which failed and to be able to sync them manually afterwards, or via a semi-automated way, asking either for
- migration of the new userinfo under the existing username
- pulling the user info, but with a changed username

however, this sounds like a completely new feature, different from what the original question was

>
> On 2/10/17 9:32 AM, harish jadhav wrote:
> > Hello Keycloak Team,
> > I am new to keycloak and trying to integrate it with my application. Just to do some kind of analysis, I have started with LDAP import. I have two LDAP servers having different domains, say tkd.com and teckno.com respectively (running at 172.16.11.100 and 172.16.12.100 respectively), and I am able to import the users from both directories. I have created two LDAP federations in a single realm.
> >
> > However, one issue which I am facing is that I am unable to import one particular user by the second federation - I have one user having name ronny at tkd.com with username Ronny in 172.16.11.100 and ronny at teckno.com with the same username Ronny in 172.16.12.100. The error I am getting is
> >
> > User 'Ronny' is not updated during sync as he already exists in Keycloak database but is not linked to federation provider '1081bf4c-b54d-44db-b172-b229ae6aad4e'
> >
> > Can you please help on how to sync both users, as technically both users are different, having different email ids and domains.
> > Thanks in advance.
> > Thanks
> > Harish

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From kevin.berendsen at pharmapartners.nl Mon Feb 13 07:57:43 2017
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Mon, 13 Feb 2017 12:57:43 +0000
Subject: [keycloak-user] Issue with LDAP federation import
In-Reply-To: <223245594.3329330.1486988610034@mail.yahoo.com>
References: <594238518.2003018.1486743426058.ref@mail.yahoo.com> <594238518.2003018.1486743426058@mail.yahoo.com> <223245594.3329330.1486988610034@mail.yahoo.com>
Message-ID: <3d9c723e72b04c8f9d5d4cba9a95abb0@FERB.ppg.lan>

Hi Harish,

There's a workaround, and it's a little tricky and might need some more effort. Our LDAP structure is a little vague and different from what it should be, but that choice was made a long time ago. However, our workaround could be applied to your issue as well.

Pick an attribute of your LDAP object that is absolutely unique to any object, like the username should be, but then another object. For example: pick attribute veryUniqueAttr instead of uid as username. Then develop your own authenticator which:

* Queries for users based on the actual username and might return multiple users;
* Iterates through the users and checks if the password matches the input;
* If the password matches, then sets the context to success and sets the last iterated user as the user in the session;
* If none matches, then login failed.

It's simple and effective, but I don't like the sound of it. I highly recommend creating TWO realms instead.
Google for 'Keycloak multi-tenant' and you'd find an easy way to use the same Keycloak Client with two realms, and I think that may solve your problem.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From harishjadhav1979 at yahoo.com Mon Feb 13 08:15:30 2017
From: harishjadhav1979 at yahoo.com (harish jadhav)
Date: Mon, 13 Feb 2017 13:15:30 +0000 (UTC)
Subject: [keycloak-user] Issue with LDAP federation import
In-Reply-To: <3d9c723e72b04c8f9d5d4cba9a95abb0@FERB.ppg.lan>
References: <594238518.2003018.1486743426058.ref@mail.yahoo.com> <594238518.2003018.1486743426058@mail.yahoo.com> <223245594.3329330.1486988610034@mail.yahoo.com> <3d9c723e72b04c8f9d5d4cba9a95abb0@FERB.ppg.lan>
Message-ID: <1644936231.3332842.1486991730513@mail.yahoo.com>

Thank you all for guiding me to solve the problem. I can now think about the suggested approaches and come up with a solution; tagging different realms to the same KC client should be an acceptable solution.

Thank you very much!
Harish
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From TBarcia at wfscorp.com Mon Feb 13 08:28:33 2017
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Mon, 13 Feb 2017 13:28:33 +0000
Subject: [keycloak-user] Connection Reset using LDAPS
In-Reply-To:
References: <8def5651e4f3490b9ae0ab1d67815110@MIA-WEX-P16.wfs.com>
Message-ID:

Bruno,

I have not tried that but I did try TLSv1. We saw the same issues with previous versions of Keycloak but have not upgraded to 2.5.0 yet.

-----Original Message-----
From: Bruno Oliveira [mailto:bruno at abstractj.org]
Sent: Monday, February 13, 2017 4:22 AM
To: Thomas Barcia
Cc: keycloak-user at lists.jboss.org
Subject: [EXTERNAL]Re: [keycloak-user] Connection Reset using LDAPS

Hi Thomas, is the same happening with the latest Keycloak release? Have you tried this http://lists.jboss.org/pipermail/keycloak-user/2016-February/004945.html ?

On Fri, Feb 10, 2017 at 7:21 PM, Thomas Barcia wrote:
> In my Keycloak 2.2.1 environment we see continuous yet erratic errors in connecting to AD via LDAPS. For example, if I search for a user I may get a general server error and then click search again and receive results.
>
> I tried adding the following to the startup:
>
> -Djdk.tls.client.protocols=TLSv1
>
> Based on an article regarding java8 and AD, but it does not appear to have made any difference.
> > The error: > > 14:56:20,143 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-21) Could not query server using DN [OU=redacted,DC= redacted,DC=com] and filter [(&(UserPrincipalName=limttestio)(objectclass=person)(objectclass=organizationalPerson)(objectclass=user))]: javax.naming.CommunicationException: simple bind failed: :636 [Root exception is java.net.SocketException: Connection reset] > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) > at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319) > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) > at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) > at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) > at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114) > at org.jboss.as.naming.InitialContext.init(InitialContext.java:99) > at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:154) > at org.jboss.as.naming.InitialContext.(InitialContext.java:89) > at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43) > at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) > at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) > at javax.naming.InitialContext.init(InitialContext.java:244) > at javax.naming.ldap.InitialLdapContext.(InitialLdapContext.java:154) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166) > at 
org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284) > at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111) > at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152) > at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217) > at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118) > at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126) > at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at 
java.lang.Thread.run(Thread.java:745) > Caused by: java.net.SocketException: Connection reset > at java.net.SocketInputStream.read(SocketInputStream.java:209) > at java.net.SocketInputStream.read(SocketInputStream.java:141) > at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) > at sun.security.ssl.InputRecord.read(InputRecord.java:503) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) > at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) > at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) > at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) > at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) > ... 
78 more > > 14:56:20,148 ERROR [io.undertow.request] (default task-21) UT005023: Exception handling request to /auth/realms/redacted/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: LDAP Query failed > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.keycloak.models.ModelException: LDAP Query failed > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:169) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284) > at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111) > at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152) > at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217) > at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118) > at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126) > at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at 
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > ... 37 more > Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.federation.ldap.idm.query.internal.LDAPQuery@1c8e5a6 > at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:169) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165) > ... 
58 more > Caused by: javax.naming.CommunicationException: simple bind failed: :636 [Root exception is java.net.SocketException: Connection reset] > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) > at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) > at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) > at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) > at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114) > at org.jboss.as.naming.InitialContext.init(InitialContext.java:99) > at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) > at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89) > at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43) > at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) > at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) > at javax.naming.InitialContext.init(InitialContext.java:244) > at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160) > ... 
59 more > Caused by: java.net.SocketException: Connection reset > at java.net.SocketInputStream.read(SocketInputStream.java:209) > at java.net.SocketInputStream.read(SocketInputStream.java:141) > at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) > at sun.security.ssl.InputRecord.read(InputRecord.java:503) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) > at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) > at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) > at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) > at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) > ... 78 more > *** This communication has been sent from World Fuel Services > Corporation or its subsidiaries or its affiliates for the intended > recipient only and may contain proprietary, confidential or privileged information. > If you are not the intended recipient, any review, disclosure, > copying, use, or distribution of the information included in this > communication and any attachments is strictly prohibited. If you have > received this communication in error, please notify us immediately by > replying to this communication and delete the communication, including > any attachments, from your computer. 
Electronic communications sent to > or from World Fuel Services Corporation or its subsidiaries or its > affiliates may be monitored for quality assurance and compliance > purposes.*** > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- - abstractj From jdennis at redhat.com Mon Feb 13 10:30:05 2017 From: jdennis at redhat.com (John Dennis) Date: Mon, 13 Feb 2017 10:30:05 -0500 Subject: [keycloak-user] SAML Binding - ECP Profile In-Reply-To: References: <58ec0cff-9182-57c5-be83-906fb605be7d@redhat.com> Message-ID: On 02/10/2017 05:07 PM, Jason B wrote: > Quick question: Can Keycloak act as an ECP client? Or does it need to be some kind > of gateway/proxy server sitting in front of the Service Provider > intercepting the requests going to the service provider? I think you might be confused as to how ECP works. An ECP client sits *between* the SP and the IdP. An IdP such as Keycloak does not implement ECP; rather, ECP is implemented in the ECP client. An IdP participates in an ECP flow by advertising a SingleSignOn SOAP binding protected by some form of HTTP authentication (typically basic and digest). The ECP client utilizes the IdP's SOAP binding. 
A good explanation of ECP and an example flow can be found in the SAML Technical Overview in section 5.2: https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf The ECP specification gives all the gory details: http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html -- John From bburke at redhat.com Mon Feb 13 10:38:20 2017 From: bburke at redhat.com (Bill Burke) Date: Mon, 13 Feb 2017 10:38:20 -0500 Subject: [keycloak-user] SAML Binding - ECP Profile In-Reply-To: References: <58ec0cff-9182-57c5-be83-906fb605be7d@redhat.com> Message-ID: On 2/13/17 10:30 AM, John Dennis wrote: > On 02/10/2017 05:07 PM, Jason B wrote: >> Quick question: Can Keycloak act as an ECP client? Or does it need to be some kind >> of gateway/proxy server sitting in front of the Service Provider >> intercepting the requests going to the service provider? > I think you might be confused as to how ECP works. An ECP client sits > *between* the SP and the IdP. An IdP such as Keycloak does not implement > ECP; rather, ECP is implemented in the ECP client. An IdP participates in > an ECP flow by advertising a SingleSignOn SOAP binding protected by some > form of HTTP authentication (typically basic and digest). The ECP client > utilizes the IdP's SOAP binding. > > A good explanation of ECP and an example flow can be found in the SAML > Technical Overview in section 5.2: > > https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf > > > The ECP specification gives all the gory details: > > http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html > And...after reading this spec you'll realize how much ECP sucks. Switch to OAuth and bearer tokens...much simpler and easier on the client than having to install a SOAP stack. 
Bill From TBarcia at wfscorp.com Mon Feb 13 10:45:36 2017 From: TBarcia at wfscorp.com (Thomas Barcia) Date: Mon, 13 Feb 2017 15:45:36 +0000 Subject: [keycloak-user] Connection Reset using LDAPS In-Reply-To: References: <8def5651e4f3490b9ae0ab1d67815110@MIA-WEX-P16.wfs.com> Message-ID: <8869000a02d3439896516769c7e94e99@MIA-WEX-P16.wfs.com> I tried setting SSLv3 as specified and there is no change. I checked with the Windows team and they are not seeing any errors in the AD logs. Any other ideas? -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Thomas Barcia Sent: Monday, February 13, 2017 8:29 AM To: Bruno Oliveira Cc: keycloak-user at lists.jboss.org Subject: [EXTERNAL]Re: [keycloak-user] Connection Reset using LDAPS Bruno, I have not tried that but I did try TLSv1. We saw the same issues with previous versions of Keycloak but have not upgraded to 2.5.0 yet. -----Original Message----- From: Bruno Oliveira [mailto:bruno at abstractj.org] Sent: Monday, February 13, 2017 4:22 AM To: Thomas Barcia Cc: keycloak-user at lists.jboss.org Subject: [EXTERNAL]Re: [keycloak-user] Connection Reset using LDAPS Hi Thomas, is the same happening with the latest Keycloak release? Have you tried this http://lists.jboss.org/pipermail/keycloak-user/2016-February/004945.html ? On Fri, Feb 10, 2017 at 7:21 PM, Thomas Barcia wrote: > In my Keycloak 2.2.1 environment we see continuous yet erratic errors in connecting to AD via LDAPS. For example, if I search for a user I may get a general server error and then click search again and receive results. > > I tried adding the following to the startup: > > -Djdk.tls.client.protocols=TLSv1 > > Based on an article regarding java8 and AD but it does not appear to have made any difference. 
> > The error: > > 14:56:20,143 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-21) Could not query server using DN [OU=redacted,DC= redacted,DC=com] and filter [(&(UserPrincipalName=limttestio)(objectclass=person)(objectclass=organizationalPerson)(objectclass=user))]: javax.naming.CommunicationException: simple bind failed: :636 [Root exception is java.net.SocketException: Connection reset] > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) > at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) > at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) > at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) > at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114) > at org.jboss.as.naming.InitialContext.init(InitialContext.java:99) > at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) > at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89) > at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43) > at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) > at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) > at javax.naming.InitialContext.init(InitialContext.java:244) > at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166) > at 
org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284) > at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111) > at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152) > at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217) > at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118) > at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126) > at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at 
java.lang.Thread.run(Thread.java:745) > Caused by: java.net.SocketException: Connection reset > at java.net.SocketInputStream.read(SocketInputStream.java:209) > at java.net.SocketInputStream.read(SocketInputStream.java:141) > at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) > at sun.security.ssl.InputRecord.read(InputRecord.java:503) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) > at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) > at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) > at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) > at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) > ... 
78 more > > 14:56:20,148 ERROR [io.undertow.request] (default task-21) UT005023: Exception handling request to /auth/realms/redacted/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: LDAP Query failed > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.keycloak.models.ModelException: LDAP Query failed > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:169) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510) > at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:284) > at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:111) > at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:152) > at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:217) > at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:118) > at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:223) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildRefreshToken(TokenEndpoint.java:298) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:126) > at sun.reflect.GeneratedMethodAccessor410.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at 
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > ... 37 more > Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.federation.ldap.idm.query.internal.LDAPQuery@1c8e5a6 > at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:169) > at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165) > ... 
58 more > Caused by: javax.naming.CommunicationException: simple bind failed: :636 [Root exception is java.net.SocketException: Connection reset] > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) > at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) > at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) > at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) > at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) > at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:114) > at org.jboss.as.naming.InitialContext.init(InitialContext.java:99) > at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) > at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:89) > at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43) > at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) > at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) > at javax.naming.InitialContext.init(InitialContext.java:244) > at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:473) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166) > at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160) > ... 
59 more > Caused by: java.net.SocketException: Connection reset > at java.net.SocketInputStream.read(SocketInputStream.java:209) > at java.net.SocketInputStream.read(SocketInputStream.java:141) > at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) > at sun.security.ssl.InputRecord.read(InputRecord.java:503) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) > at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) > at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) > at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) > at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) > ... 78 more > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- - abstractj _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From musti.kuru at gmail.com Mon Feb 13 11:18:00 2017 From: musti.kuru at gmail.com (Mustafa Kuru) Date: Mon, 13 Feb 2017 17:18:00 +0100 Subject: [keycloak-user] Keycloak LDAP configuration - deletes ldap user from Keycloak Message-ID: Hi, We are using the LDAP Federation Provider in READONLY Edit Mode. I saw in the Keycloak logs a lot of exceptions like "*Could not query server using DN*" (javax.naming.ServiceUnavailableException) OR "*LDAP: error code 52 - Proxy can't contact remote server*". In our case some LDAP users were deleted from Keycloak and reimported into Keycloak from LDAP. We don't know why. Can these exceptions above cause this problem? Or what is the behaviour of Keycloak if it cannot connect to LDAP or gets an empty response from LDAP? Delete the corresponding user from Keycloak? Thanks in advance. Mustafa Kuru From jason at naidmincloud.com Mon Feb 13 14:03:42 2017 From: jason at naidmincloud.com (Jason B) Date: Mon, 13 Feb 2017 11:03:42 -0800 Subject: [keycloak-user] SAML Binding - ECP Profile In-Reply-To: References: <58ec0cff-9182-57c5-be83-906fb605be7d@redhat.com> Message-ID: Thanks for the detailed response. I agree with you. Actually, the requirement I am trying to implement is IdP discovery services. I want to find out the correct realm for a user based on the user's email address. Initially I thought it could be implemented using the ECP profile but later realized it is not the solution I am looking for. 
Thinking of writing a UI service in front of Keycloak to intercept the incoming AuthN request (SP SSO) to capture the user's email address to determine the correct realm IDP. Did you come across a similar scenario? Thanks! On Feb 13, 2017 9:13 PM, "Bill Burke" wrote: > > > On 2/13/17 10:30 AM, John Dennis wrote: > > On 02/10/2017 05:07 PM, Jason B wrote: > >> Quick question: Can Keycloak act as an ECP client? Or does it need to be some kind > >> of gateway/proxy server sitting in front of the Service Provider > >> intercepting the requests going to the service provider? > > I think you might be confused as to how ECP works. An ECP client sits > > *between* the SP and the IdP. An IdP such as Keycloak does not implement > > ECP; rather, ECP is implemented in the ECP client. An IdP participates in > > an ECP flow by advertising a SingleSignOn SOAP binding protected by some > > form of HTTP authentication (typically basic and digest). The ECP client > > utilizes the IdP's SOAP binding. > > > > A good explanation of ECP and an example flow can be found in the SAML > > Technical Overview in section 5.2: > > > > https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf > > > > > > The ECP specification gives all the gory details: > > > > http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html > > > > And...after reading this spec you'll realize how much ECP sucks. Switch > to OAuth and bearer tokens...much simpler and easier on the client than > having to install a SOAP stack. 
> > Bill > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jdennis at redhat.com Mon Feb 13 14:40:33 2017 From: jdennis at redhat.com (John Dennis) Date: Mon, 13 Feb 2017 14:40:33 -0500 Subject: [keycloak-user] SAML Binding - ECP Profile In-Reply-To: References: <58ec0cff-9182-57c5-be83-906fb605be7d@redhat.com> Message-ID: <8bbeb2d0-ffca-1a3e-8125-aa9d30a15543@redhat.com> On 02/13/2017 02:03 PM, Jason B wrote: > Thank for the detailed response. I agree with you. > > Actually the requirement, I am trying to implement is IdP discovery > services. I want to find out a correct realm for a user based on use's > email address. Initially I thought it can be implemented using ECP profile > but later realized it is not the solution I am looking for. > > Thinking of writing a UI service infront of keycloak to intercept the > incoming AuthN request (SP SSO) to capture the user's email address to > determine the correct realm IDP. Huh? That doesn't make much sense. The SP *must* know a priori the Keycloak realm because in Keycloak an IdP is owned by a realm. In addition the SAML AuthnRequest *must* already include the Keycloak realm in the request *and* the request *must* be sent to an binding endpoint in the the Keycloak realm. Further more any Keycloak deployment which permits sniffing SAML messages is fundamentally broken (because it should be deployed using TLS). Not to mention even if you bypassed TLS you still would not be able to decrypt any SAML messages where the SP requires encryption because you don't have access to the encryption key. And yet another problem in your proposal is that an AuthnRequest does not (necessarily) contain an email address. Depending on how the client is configured it might supply an email address as an attribute in the Assertion. AuthnRequest != Assertion. There are other ways to perform IdP discovery. 
--
John

From: Bill Burke (bburke at redhat.com)
Date: Mon, 13 Feb 2017 15:47:15 -0500
Subject: [keycloak-user] SAML Binding - ECP Profile
References: <58ec0cff-9182-57c5-be83-906fb605be7d@redhat.com>

Why do you need multiple realms? One Keycloak realm can federate multiple user stores (i.e. multiple LDAP servers).

On 2/13/17 2:03 PM, Jason B wrote:
> Thanks for the detailed response. I agree with you.
>
> Actually the requirement I am trying to implement is IdP discovery services. I want to find out the correct realm for a user based on the user's email address. Initially I thought it could be implemented using the ECP profile but later realized it is not the solution I am looking for.
>
> Thinking of writing a UI service in front of Keycloak to intercept the incoming AuthN request (SP SSO) to capture the user's email address to determine the correct realm IDP.
>
> Did you come across a similar scenario?
>
> Thanks!
>
> On Feb 13, 2017 9:13 PM, "Bill Burke" wrote:
>> On 2/13/17 10:30 AM, John Dennis wrote:
>>> On 02/10/2017 05:07 PM, Jason B wrote:
>>>> Quick question: Can keycloak act as ECP client? Or does it need to be some kind of gateway/proxy server sitting in front of the Service Provider intercepting the requests going to the service provider?
>>> I think you might be confused as to how ECP works. An ECP client sits *between* the SP and the IdP. An IdP such as Keycloak does not implement ECP, rather ECP is implemented in the ECP client. An IdP participates in an ECP flow by advertising a SingleSignOn SOAP binding protected by some form of HTTP authentication (typically basic and digest). The ECP client utilizes the IdP's SOAP binding.
>>>
>>> A good explanation of ECP and an example flow can be found in the SAML Technical Overview in section 5.2:
>>>
>>> https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
>>>
>>> The ECP specification gives all the gory details:
>>>
>>> http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html
>>
>> And...after reading this spec you'll realize how much ECP sucks. Switch to OAuth and bearer tokens...much simpler and easier on the client than having to install a SOAP stack.
>>
>> Bill

From: Ganga Lakshmanasamy (lganga14 at gmail.com)
Date: Tue, 14 Feb 2017 12:13:24 +0530
Subject: [keycloak-user] Need help in resending registration emails

Hi,

We are using Keycloak for our authentication. Our SMTP service went down when a few users tried to register. So the registration process went through but the emails were not sent. The users' current status is "verify email".

Please let me know how to resend the verification email for those registered users.

Regards,
Ganga Lakshmanasamy

From: Hynek Mlnarik (hmlnarik at redhat.com)
Date: Tue, 14 Feb 2017 09:15:59 +0100
Subject: [keycloak-user] SAML Assertion Signature Algorithm Validation

There's no such functionality yet. Could you please file a feature request in JIRA?
--Hynek

On Fri, Feb 10, 2017 at 5:07 PM, Gabriel Lavoie wrote:
> Hi,
> I'm currently testing different SAML signature algorithms with our application and I noticed that regardless of the chosen signature algorithm for a SAML client, Keycloak will accept assertions signed with another algorithm (ex: KC signs with SHA256 but accepts SHA1 from the SP).
>
> With many other IdPs, when a signature algorithm is chosen, there's a validation that the same algorithm is used in both directions. I think this is something that Keycloak should do too as a security measure. Can this be done right now or would an enhancement request be required?
>
> Thanks,
>
> --
> Gabriel Lavoie
> glavoie at gmail.com

--
--Hynek

From: Ori Doolman (Ori.Doolman at amdocs.com)
Date: Tue, 14 Feb 2017 08:57:42 +0000
Subject: [keycloak-user] Additional attributes for an authorization request

Hi Pedro,

Thank you for the answer.
There is still one thing I fail to understand around point (3) where you wrote: "to resolve a specific resource instance".

In the photoz application code, when an album is created, an associated resource is created that is owned by the user that created the album:

    ResourceRepresentation albumResource = new ResourceRepresentation(album.getName(), scopes, "/album/" + album.getId(), "http://photoz.com/album");

It matches on the PEP policy-enforcer configuration:

    {
      "name" : "Album Resource",
      "path" : "/album/{id}",
      "methods" : [
        {
          "method": "DELETE",
          "scopes" : ["urn:photoz.com:scopes:album:delete"]
        },
        {
          "method": "GET",
          "scopes" : ["urn:photoz.com:scopes:album:view"]
        }
      ]
    },

Which matches the PDP typed resource configuration:

    {
      "name": "Album Resource",
      "uri": "/album/*",
      "type": "http://photoz.com/album",
      "scopes": [
        { "name": "urn:photoz.com:scopes:album:view" },
        { "name": "urn:photoz.com:scopes:album:delete" },
        { "name": "urn:photoz.com:scopes:album:create" }
      ]
    },

Which ends up with the rule:

    rule "Authorize Resource Owner"
    dialect "mvel"
    when
        $evaluation : Evaluation(
            $identity: context.identity,
            $permission: permission,
            $permission.resource != null && $permission.resource.owner.equals($identity.id)
        )
    then
        $evaluation.grant();
    end

So the "magic" lies with the typed resource uri "/album/*". This is what makes it match also the path in the policy enforcer (and the actual URL at runtime of the REST API).

The demo creates many album resources, one for each new album created. But when it is evaluating the policy, how does $permission.resource reference the proper album resource each time and not just the typed "Album Resource" resource? This is the part I failed to understand.
Does the $permission.resource value at runtime actually become "/album/17" (for example)?

Regards,
Ori.

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Monday, February 13, 2017 14:09
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Additional attributes for an authorization request

On Thu, Feb 9, 2017 at 2:11 PM, Ori Doolman wrote:
> Hi Pedro Igor,
> You wrote:
> You can't pass additional attributes along with an authorization request. However, that is something we want to support on future versions.
>
> I have some questions about that:
>
> 1. Which future version will support that? Any plan for it at the moment?

Sorry, but can't give you any dates. There are quite a few things in the authz services roadmap, but right now we have some time and resource constraints that are blocking us from following a plan/roadmap.

> 2. Until it is supported, what would be the best practice recommendation to authorize resources such as account numbers?
> For example: The REST API (resource) I want to protect in the resource server is /api/getAccountDetails/{accountNum}. How should I configure the policy/permissions/resources/scopes in the PDP and how should I utilize the PEP (I'm using the Java adapter for JBoss Fuse)?

It seems this one is already supported. I would suggest you take a look at the PhotoZ example about how to protect individual resources. There you will find:

1) How to create resources from your resource server using the Protection API using the Java AuthZ Client API.
2) How "typed" resources work, where you define permissions for a generic resource and these permissions are also applied to resources with the same type.
3) How to configure the "policy-enforcer" to handle paths with a pattern in order to resolve a specific resource instance (e.g.: the account details in your example). Something like that:

    {
      "name" : "Album Resource",
      "path" : "/album/{id}",
      "methods" : [
        {
          "method": "DELETE",
          "scopes" : ["urn:photoz.com:scopes:album:delete"]
        },
        {
          "method": "GET",
          "scopes" : ["urn:photoz.com:scopes:album:view"]
        }
      ]
    }

> Thank you,
> Ori.
This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp

From: Pedro Igor Silva (psilva at redhat.com)
Date: Tue, 14 Feb 2017 08:54:14 -0200
Subject: [keycloak-user] Additional attributes for an authorization request

On Tue, Feb 14, 2017 at 6:57 AM, Ori Doolman wrote:
> Hi Pedro,
>
> Thank you for the answer.
> There is still one thing I fail to understand around point (3) where you wrote: "to resolve a specific resource instance".
>
> In the photoz application code, when an album is created, an associated resource is created that is owned by the user that created the album:
>
>     ResourceRepresentation albumResource = new ResourceRepresentation(album.getName(), scopes, "/album/" + album.getId(), "http://photoz.com/album");
>
> It matches on the PEP policy-enforcer configuration:
>
>     {
>       "name" : "Album Resource",
>       "path" : "/album/{id}",
>       "methods" : [
>         { "method": "DELETE", "scopes" : ["urn:photoz.com:scopes:album:delete"] },
>         { "method": "GET", "scopes" : ["urn:photoz.com:scopes:album:view"] }
>       ]
>     },
>
> Which matches the PDP typed resource configuration:
>
>     {
>       "name": "Album Resource",
>       "uri": "/album/*",
>       "type": "http://photoz.com/album",
>       "scopes": [
>         { "name": "urn:photoz.com:scopes:album:view" },
>         { "name": "urn:photoz.com:scopes:album:delete" },
>         { "name": "urn:photoz.com:scopes:album:create" }
>       ]
>     },
>
> Which ends up with the rule:
>
>     rule "Authorize Resource Owner"
>     dialect "mvel"
>     when
>         $evaluation : Evaluation(
>             $identity: context.identity,
>             $permission: permission,
>             $permission.resource != null && $permission.resource.owner.equals($identity.id)
>         )
>     then
>         $evaluation.grant();
>     end
>
> So the "magic" lies with the typed resource uri "/album/*".
> This is what makes it match also the path in the policy enforcer (and the actual URL at runtime of the REST API).

Exactly. One of the main points here is that you can map any path in your application to a resource, so you don't necessarily need to set URIs to your resources as long as you provide a configuration like above.

> The demo creates many album resources, one for each new album created.
> But when it is evaluating the policy, how does $permission.resource reference the proper album resource each time and not just the typed "Album Resource" resource?
> This is the part I failed to understand.
> Does the $permission.resource value at runtime actually become "/album/17" (for example)?

Yes.

> Regards,
> Ori.
>
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Monday, February 13, 2017 14:09
> To: Ori Doolman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Additional attributes for an authorization request
>
> On Thu, Feb 9, 2017 at 2:11 PM, Ori Doolman wrote:
>> Hi Pedro Igor,
>> You wrote:
>> You can't pass additional attributes along with an authorization request. However, that is something we want to support on future versions.
>>
>> I have some questions about that:
>>
>> 1. Which future version will support that? Any plan for it at the moment?
>
> Sorry, but can't give you any dates. There are quite a few things in the authz services roadmap, but right now we have some time and resource constraints that are blocking us from following a plan/roadmap.
>
>> 2. Until it is supported, what would be the best practice recommendation to authorize resources such as account numbers?
>> For example: The REST API (resource) I want to protect in the resource server is /api/getAccountDetails/{accountNum}. How should I configure the policy/permissions/resources/scopes in the PDP and how should I utilize the PEP (I'm using the Java adapter for JBoss Fuse)?
>
> It seems this one is already supported. I would suggest you take a look at the PhotoZ example about how to protect individual resources. There you will find:
>
> 1) How to create resources from your resource server using the Protection API using the Java AuthZ Client API.
> 2) How "typed" resources work, where you define permissions for a generic resource and these permissions are also applied to resources with the same type.
> 3) How to configure the "policy-enforcer" to handle paths with a pattern in order to resolve a specific resource instance (e.g.: the account details in your example). Something like that:
>
>     {
>       "name" : "Album Resource",
>       "path" : "/album/{id}",
>       "methods" : [
>         { "method": "DELETE", "scopes" : ["urn:photoz.com:scopes:album:delete"] },
>         { "method": "GET", "scopes" : ["urn:photoz.com:scopes:album:view"] }
>       ]
>     }
>
>> Thank you,
>> Ori.

From: David Delbecq (david_delbecq at trimble.com)
Date: Tue, 14 Feb 2017 10:56:55 +0000
Subject: [keycloak-user] Impersonation not working from REST calls?

Hello,

I have some issues getting impersonation to work in my webapp. There is a feature in the web app for an admin to show all business data and accounts, select one account and become that user.

Scenario 1) I connect as user davidd to /auth/admin//console. I select the user I want to impersonate, click on impersonate.
Browser request sniffing shows a REST call:

    POST: /auth/admin//TrimbleTL/users/4f568e43-89d3-4224-a908-aefe71383c82/impersonation

followed by loading of the account profile page of that user.

Scenario 2) I connect to my app as davidd. I select the user I want to become and start the impersonation process. My webapp first calls /kc_query_bearer_token to get a token, then calls using xmlhttprequest

    /auth/admin//TrimbleTL/users/4f568e43-89d3-4224-a908-aefe71383c82/impersonation

setting the Bearer token in the header, and the same payload as in (1). I get an HTTP OK reply from Keycloak. I then go to the root of my webapp and am redirected to the login screen. My admin user was thus correctly logged out, but the new user is not set up for some reason.

What am I missing to get impersonation to work from my webapp? Should I extract cookies from the reply and put them in my own domain for example?

--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq at trimbletl.com

From: Avinash Kundaliya (avinash at avinash.com.np)
Date: Tue, 14 Feb 2017 16:44:55 +0545
Subject: [keycloak-user] custom providers

Hello Patrycja,

Since I've been looking into providers in recent days I can try to point you in the right direction. There are a number of provider examples in https://github.com/keycloak/keycloak/tree/master/examples/providers

I have also not found the perfect way of deploying or developing providers; if you find something interesting I'll be keeping an eye on it in the mailing list.

Regards,
Avinash

On 13 February 2017 at 16:39, Patrycja Vrebos wrote:
> Hi all,
>
> Can anyone help with this issue?
>
> Best Regards,
> Patrycja
>
> 2017-02-11 21:28 GMT+01:00 Patrycja Vrebos:
>> Hi Keycloak users,
>>
>> I am new to Keycloak.
>> With my team we are using Red Hat Single Sign-On 7.0 with Keycloak 1.9.8.
>> I need to customize this a little bit. We support different languages and actually some messages are not displayed as we want.
>> For example the message in Recaptcha is not in the language expected.
>> I found an example of how to register Google Recaptcha and how to add validation of form elements on the page:
>> https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
>> So I suppose if I register my own Recaptcha I will be able to specify the message I want to display.
>> As written I need to deploy my jar (just copy it to the standalone/configuration/providers directory).
>> First, I didn't find the providers directory in configuration so I created one where I copied my jar and I restarted my server. Then I tried to add my FormAction to the registration Flow but I don't see any difference in the admin console. I mean I don't think my jar was deployed (I'm new to JBoss).
>> I found there also another way to deploy the jar: throw the jar in the Keycloak deploy directory, but I don't understand what is meant by the "Keycloak deploy/ directory" mentioned in the documentation.
>>
>> Another change I want to do is: in the reset password page add email validation.
>> I found some example. "Keycloak is designed to cover most use-cases without requiring custom code, but we also want it to be customizable. To achieve this Keycloak has a number of Service Provider Interfaces (SPI) which you can implement your own providers for."
>> Could you please recommend one which I should implement for this goal.
>>
>> I will appreciate any help.
>>
>> Best regards,
>> Patrycja

--
---
Avinash Kundaliya
avinash at avinash.com.np
http://avinash.com.np

From: harish jadhav (harishjadhav1979 at yahoo.com)
Date: Tue, 14 Feb 2017 11:02:24 +0000 (UTC)
Subject: [keycloak-user] Re Rest API for authentication
In-Reply-To: <862850848.3244948.1486989188582@mail.yahoo.com>
References: <862850848.3244948.1486989188582.ref@mail.yahoo.com> <862850848.3244948.1486989188582@mail.yahoo.com>
Message-ID: <265983533.4049897.1487070144992@mail.yahoo.com>

Team,

Kindly advise on this.

Thanks
Harish

On Monday, February 13, 2017 6:03 PM, harish jadhav wrote:

Hello Team,

I have one web application which will be hosted in the cloud. I am planning to use Keycloak for authentication purposes only, and Keycloak will be running in the on-premise customer location.

My plan is to:

1. Import the users to my application through my own import mechanism and later push them to Keycloak over the REST API
2. Present a custom login page in my application which asks username/password and passes it to Keycloak for authentication over the REST API
3. Authentication can be through LDAP or SAML IDP ADFS
4. Get the token and use it for accessing the service based on authorization

I have some restriction on not using the Keycloak login page so cannot use redirection to the Keycloak login page.

Please let me know whether it works out and also give some pointer on the REST API for SAML. My requirement is that I need to authenticate the user either through LDAP or SAML providers. I know some basic auth using REST but am not getting the idea on SAML.

Thanks
Harish

From: David Delbecq (david_delbecq at trimble.com)
Date: Tue, 14 Feb 2017 11:05:28 +0000
Subject: [keycloak-user] Impersonation not working from REST calls?

Never mind, it's working now, I forgot to set allow-credentials in the xmlhttprequest. Without that, cookies are not saved from the reply.

On Tue, Feb 14, 2017 at 11:56 AM David Delbecq wrote:
> Hello,
>
> I have some issues getting impersonation to work in my webapp. There is a feature in the web app for an admin to show all business data and accounts, select one account and become that user.
>
> Scenario 1) I connect as user davidd to /auth/admin//console. I select the user I want to impersonate, click on impersonate. Browser request sniffing shows a REST call: POST: /auth/admin//TrimbleTL/users/4f568e43-89d3-4224-a908-aefe71383c82/impersonation followed by loading of the account profile page of that user
>
> Scenario 2) I connect to my app as davidd. I select the user I want to become and start the impersonation process. My webapp first calls /kc_query_bearer_token to get a token, then calls using xmlhttprequest /auth/admin//TrimbleTL/users/4f568e43-89d3-4224-a908-aefe71383c82/impersonation setting the Bearer token in the header, and the same payload as in (1). I get an HTTP OK reply from Keycloak. I then go to the root of my webapp and am redirected to the login screen. My admin user was thus correctly logged out, but the new user is not set up for some reason.
>
> What am I missing to get impersonation to work from my webapp? Should I extract cookies from the reply and put them in my own domain for example?
> --
> David Delbecq
> Software engineer, Transport & Logistics
> Geldenaaksebaan 329, 1st floor | 3001 Leuven
> +32 16 391 121 Direct
> david.delbecq at trimbletl.com

--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq at trimbletl.com

From: Colin Coleman (cco at capraconsulting.no)
Date: Tue, 14 Feb 2017 13:01:42 +0100
Subject: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI

Hello,

Is there a setting limiting the number of realms that can be created with the CLI? When creating realms via the CLI I start getting "HTTP error - 400 Bad Request" after about 20 realms.

    kcadm.sh create realms -s realm=test3 -s enabled=true
    kcadm.sh create realms -s realm=test4 -s enabled=true
    kcadm.sh create realms -s realm=test5 -s enabled=true
    .
    .
    .

I get

    .
    .
    Created new realm with id 'test13'
    Created new realm with id 'test14'
    HTTP error - 400 Bad Request
    HTTP error - 400 Bad Request
    .
    .
    .

Colin

From: Ori Doolman (Ori.Doolman at amdocs.com)
Date: Tue, 14 Feb 2017 12:10:03 +0000
Subject: [keycloak-user] Additional attributes for an authorization request

Hi Pedro,

This is great, and will work for all album APIs of the format /album/{id}.
I wonder if the $permission.resource takes its value from the policy-enforcer path or from the URL of the API call at runtime? I suppose the latter and I suppose it is always the full URL path from the HTTP request.

In our resource server I also have APIs with an additional path level similar to:

    /album/{albumId}/picture/{picId}

For this API, I still want to check that the user is allowed to access the album. How would such an API be forced to match the same policy as the album?

Should I configure the following path in the policy-enforcer: "path" : "/album/{id}/*" and have a more sophisticated policy rule based on the runtime value $permission.resource, which now becomes "/album/17/picture/12" (for example), and truncate the string to "/album/17" and perform the condition on it as the album resource? Or is there a better method?

Thanks,
Ori.

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Tuesday, February 14, 2017 12:54
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Additional attributes for an authorization request

On Tue, Feb 14, 2017 at 6:57 AM, Ori Doolman wrote:
> Hi Pedro,
>
> Thank you for the answer.
> There is still one thing I fail to understand around point (3) where you wrote: "to resolve a specific resource instance".
>
> In the photoz application code, when an album is created, an associated resource is created that is owned by the user that created the album:
>
>     ResourceRepresentation albumResource = new ResourceRepresentation(album.getName(), scopes, "/album/" + album.getId(), "http://photoz.com/album");
>
> It matches on the PEP policy-enforcer configuration:
>
>     {
>       "name" : "Album Resource",
>       "path" : "/album/{id}",
>       "methods" : [
>         { "method": "DELETE", "scopes" : ["urn:photoz.com:scopes:album:delete"] },
>         { "method": "GET", "scopes" : ["urn:photoz.com:scopes:album:view"] }
>       ]
>     },
>
> Which matches the PDP typed resource configuration:
>
>     {
>       "name": "Album Resource",
>       "uri": "/album/*",
>       "type": "http://photoz.com/album",
>       "scopes": [
>         { "name": "urn:photoz.com:scopes:album:view" },
>         { "name": "urn:photoz.com:scopes:album:delete" },
>         { "name": "urn:photoz.com:scopes:album:create" }
>       ]
>     },
>
> Which ends up with the rule:
>
>     rule "Authorize Resource Owner"
>     dialect "mvel"
>     when
>         $evaluation : Evaluation(
>             $identity: context.identity,
>             $permission: permission,
>             $permission.resource != null && $permission.resource.owner.equals($identity.id)
>         )
>     then
>         $evaluation.grant();
>     end
>
> So the "magic" lies with the typed resource uri "/album/*". This is what makes it match also the path in the policy enforcer (and the actual URL at runtime of the REST API).

Exactly. One of the main points here is that you can map any path in your application to a resource, so you don't necessarily need to set URIs to your resources as long as you provide a configuration like above.

> The demo creates many album resources, one for each new album created. But when it is evaluating the policy, how does $permission.resource reference the proper album resource each time and not just the typed "Album Resource" resource? This is the part I failed to understand.
> Does the $permission.resource value at runtime actually become "/album/17" (for example)?

Yes.

> Regards,
> Ori.
>
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Monday, February 13, 2017 14:09
> To: Ori Doolman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Additional attributes for an authorization request
>
> On Thu, Feb 9, 2017 at 2:11 PM, Ori Doolman wrote:
>> Hi Pedro Igor,
>> You wrote:
>> You can't pass additional attributes along with an authorization request. However, that is something we want to support on future versions.
>>
>> I have some questions about that:
>>
>> 1. Which future version will support that? Any plan for it at the moment?
>
> Sorry, but can't give you any dates. There are quite a few things in the authz services roadmap, but right now we have some time and resource constraints that are blocking us from following a plan/roadmap.
>
>> 2. Until it is supported, what would be the best practice recommendation to authorize resources such as account numbers?
>> For example: The REST API (resource) I want to protect in the resource server is /api/getAccountDetails/{accountNum}. How should I configure the policy/permissions/resources/scopes in the PDP and how should I utilize the PEP (I'm using the Java adapter for JBoss Fuse)?
>
> It seems this one is already supported. I would suggest you take a look at the PhotoZ example about how to protect individual resources. There you will find:
>
> 1) How to create resources from your resource server using the Protection API using the Java AuthZ Client API.
> 2) How "typed" resources work, where you define permissions for a generic resource and these permissions are also applied to resources with the same type.
> 3) How to configure the "policy-enforcer" to handle paths with a pattern in order to resolve a specific resource instance (e.g.: the account details in your example). Something like that:
>
>     {
>       "name" : "Album Resource",
>       "path" : "/album/{id}",
>       "methods" : [
>         { "method": "DELETE", "scopes" : ["urn:photoz.com:scopes:album:delete"] },
>         { "method": "GET", "scopes" : ["urn:photoz.com:scopes:album:view"] }
>       ]
>     }
>
>> Thank you,
>> Ori.

From: Kevin Thorpe (kevin.thorpe at p-i.net)
Date: Tue, 14 Feb 2017 12:10:46 +0000
Subject: [keycloak-user] Can we distinguish between 'new account' and 'password reset' in the emails?

Hi, not sure if this is possible or if it's a feature request.

When we add a new user to our Keycloak database we set them up and send a 'reset action email'. This is to comply with our policies that we never send passwords via e-mail.
Is there any way in the email template to detect if this is a new user or a true password reset? Maybe by checking if they've never logged in. We would like the e-mail to read differently to welcome them as a new user, On a slightly different point can we define the redirect location after a password reset? The reset as it is now works but leaves the user on the Keycloak site, not the site they were expecting to gain access to. Kevin Thorpe *VP Enterprise Platform* w: www.p-i.net p: *+44 (0)20 3005 6750 <+44%2020%203005%206750>* a: 7th Floor, 52 Grosvenor Gardens, London SW1W 0AU _________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited From jitendrachouhan03 at gmail.com Tue Feb 14 07:27:20 2017 From: jitendrachouhan03 at gmail.com (Jitendra Chouhan) Date: Tue, 14 Feb 2017 17:57:20 +0530 Subject: [keycloak-user] Keycloak SAML Sample Message-ID: Can any point us to any example how to secure SpringBoot app with Keycloak using SAML protocol. We are not able to locate any specific adapter that can be used to secure spring boot application using SAML. 
Thanks, Jitendra Chouhan From david_delbecq at trimble.com Tue Feb 14 10:24:23 2017 From: david_delbecq at trimble.com (David Delbecq) Date: Tue, 14 Feb 2017 15:24:23 +0000 Subject: [keycloak-user] missing autodetect-bearer-only from secure-deployment xsd? Message-ID: Hello, I tried to enable the "autodetect bearer only" feature in my application, so that SOAP requests get a proper reply. However, it seems you can only set this value inside keycloak.json, not inside the adapter subsystem config. Worse, if an adapter subsystem config is done, keycloak.json is ignored. Is this a bug I should report or am I missing some documentation? So far I looked here: https://github.com/keycloak/keycloak/blob/master/adapters/oidc/wildfly/wildfly-subsystem/src/main/resources/schema/wildfly-keycloak_1_1.xsd https://github.com/keycloak/keycloak/pull/3663 https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html When I set my adapter config like this: ${authRealm} ....
true I get this error from WildFly [Host Controller] 16:21:20,175 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0033: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration [Host Controller] at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [Host Controller] at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:643) [Host Controller] at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:271) [Host Controller] at java.lang.Thread.run(Thread.java:745) [Host Controller] Caused by: javax.xml.stream.XMLStreamException: Unknown secure-deployment tag autodetect-bearer-only [Host Controller] at org.keycloak.subsystem.adapter.extension.KeycloakSubsystemParser.readDeployment(KeycloakSubsystemParser.java:107) -- David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 Direct david.delbecq at trimbletl.com From psilva at redhat.com Tue Feb 14 11:43:14 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 14 Feb 2017 14:43:14 -0200 Subject: [keycloak-user] Additional attributes for an authorization request In-Reply-To: References: Message-ID: On Tue, Feb 14, 2017 at 10:10 AM, Ori Doolman wrote:

> Hi Pedro,
>
> This is great, and will work for all album APIs of the format /album/{id}.
>
> I wonder if the $permission.resource takes its value from the
> policy-enforcer path or from the URL of the API call at runtime? I suppose
> the latter and I suppose it is always the *full* URL path from the http
> request.

Yes, from the latter.

> In our resource server I have also APIs with additional path level similar
> to:
>
>   /album/{albumId}/picture/{picId}
>
> For this API, I still want to check that user is allowed to access the album.
> How would such an API be forced to match same policy of the album?
>
> Should I configure the following path in policy-enforcer:
>
>   "path" : "/album/{id}/*"
>
> and have a more sophisticated policy rule based on the runtime value
> $permission.resource which now becomes "/album/17/picture/12" (for
> example) and truncate the string to "/album/17" and perform the condition
> on it as the album resource?
>
> Or is there a better method?

I think you don't actually need that wildcard at the end, so this should work:

  "path" : "/album/{id}"

When checking paths with a pattern, the enforcer queries the server for a resource with the runtime path. For instance, if your pattern is /album/{id} and the client is trying to access /album/1/picture/2, the enforcer will query the server for a resource with an URI that matches /album/1/picture/2.

In the case of the PhotoZ App (which is using the UMA protocol), the enforcer is going to return to the client a permission ticket for the resource previously resolved. Then when the client finally sends an authorization request to KC, KC is going to evaluate all permissions for the resource, giving you as a result a final token with past permissions plus new ones (if granted). This is how the UMA flow works, basically ....

However, I know our enforcer is very limited in respect to patterns within patterns. That is something we need to improve ....

> Thanks,
> Ori.
>
> *From:* Pedro Igor Silva [mailto:psilva at redhat.com]
> *Sent:* Tue 14 February 2017 12:54
> *To:* Ori Doolman
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Additional attributes for an authorization request
>
> On Tue, Feb 14, 2017 at 6:57 AM, Ori Doolman wrote:
>
> Hi Pedro,
>
> Thank you for the answer.
>
> There is still one thing I fail to understand around point (3) where you
> wrote: "to resolve a specific resource instance".
> In the photoz application code, when an album is created, an associated
> resource is created that is owned by the user that created the album
>
>   ResourceRepresentation albumResource = new ResourceRepresentation(album.getName(), scopes, "/album/" + album.getId(), "http://photoz.com/album");
>
> It matches on the PEP policy-enforcer configuration:
>
>   {
>     "name" : "Album Resource",
>     "path" : "/album/{id}",
>     "methods" : [
>       {
>         "method": "DELETE",
>         "scopes" : ["urn:photoz.com:scopes:album:delete"]
>       },
>       {
>         "method": "GET",
>         "scopes" : ["urn:photoz.com:scopes:album:view"]
>       }
>     ]
>   },
>
> Which matches the PDP typed resource configuration:
>
>   {
>     "name": "Album Resource",
>     "uri": "/album/*",
>     "type": "http://photoz.com/album",
>     "scopes": [
>       { "name": "urn:photoz.com:scopes:album:view" },
>       { "name": "urn:photoz.com:scopes:album:delete" },
>       { "name": "urn:photoz.com:scopes:album:create" }
>     ]
>   },
>
> Which ends up with the rule:
>
>   rule "Authorize Resource Owner"
>   dialect "mvel"
>   when
>     $evaluation : Evaluation(
>       $identity: context.identity,
>       $permission: permission,
>       $permission.resource != null && $permission.resource.owner.equals($identity.id)
>     )
>   then
>     $evaluation.grant();
>   end
>
> So the "magic" lies with the typed resource uri "/album/*".
> This is what makes it match also the path in the policy enforcer (and
> the actual url in runtime of the rest API).
>
> Exactly. One of the main points here is that you can map any path in your
> application to a resource, so you don't necessarily need to set URIs to
> your resources as long as you provide a configuration like above.
>
> The demo creates many album resources, one for each new album created.
> But when it is evaluating the policy, how does $permission.resource reference
> the proper album resource each time and not just the typed "Album
> Resource" resource?
> This is the part I failed to understand.
> Does the $permission.resource value at runtime actually become
> "/album/17" (for example)?
>
> Yes.
>
> Regards,
> Ori.
>
> *From:* Pedro Igor Silva [mailto:psilva at redhat.com]
> *Sent:* Mon 13 February 2017 14:09
> *To:* Ori Doolman
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Additional attributes for an authorization request
>
> On Thu, Feb 9, 2017 at 2:11 PM, Ori Doolman wrote:
>
> Hi Pedro Igor,
> You wrote:
> You can't pass additional attributes along with an authorization request.
> However, that is something we want to support on future versions.
>
> I have some questions about that:
>
> 1. Which future version will support that? Any plan for it at the moment?
>
> Sorry, but can't give you any dates. There are quite a few things in the authz
> services roadmap, but right now we have some time and resource constraints
> that are blocking us from following a plan/roadmap.
>
> 2. Until it is supported, what would be the best practice
> recommendation to authorize resources such as account numbers?
>
> For example: The REST API (resource) I want to protect in the resource
> server is /api/getAccountDetails/{accountNum}. How should I configure
> the policy/permissions/resources/scopes in the PDP and how should I
> utilize the PEP (I'm using the Java adapter for JBoss Fuse)?
>
> It seems this one is already supported. I would suggest you to take a look
> at the PhotoZ example about how to protect individual resources. There you
> will find:
>
> 1) How to create resources from your resource server using the Protection
> API using the Java AuthZ Client API.
> 2) How "typed" resources work, where you define permissions to a generic
> resource and these permissions are also applied to resources with the same
> type.
>
> 3) How to configure "policy-enforcer" to handle paths with a pattern in
> order to resolve a specific resource instance (e.g.: the account details in
> your example). Something like that:
>
>   {
>     "name" : "Album Resource",
>     "path" : "/album/{id}",
>     "methods" : [
>       {
>         "method": "DELETE",
>         "scopes" : ["urn:photoz.com:scopes:album:delete"]
>       },
>       {
>         "method": "GET",
>         "scopes" : ["urn:photoz.com:scopes:album:view"]
>       }
>     ]
>   }
>
> Thank you,
> Ori.

From RLewis at carbonite.com Tue Feb 14 12:12:20 2017 From: RLewis at carbonite.com (Reed Lewis) Date: Tue, 14 Feb 2017 17:12:20 +0000 Subject: [keycloak-user] Attempting to build authenticator example and failing. Message-ID: <7B04DBE8-CFBC-4390-879F-350CCA93D139@carbonite.com> I downloaded the Keycloak version 2.5.1 example file, extracted it onto a CentOS 7 machine, and installed java-1.8.0 and java-devel.
When I attempted to use the example file: /examples/providers/authenticator By typing: mvn clean install wildfly:deploy I got the following error on the terminal where I was executing mvn: ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy (default-cli) on project authenticator-required-action-example: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\" [ERROR] Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/AuthenticatorFactory"}}}} [ERROR] -> [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException [root at localhost authenticator]# pwd /root/keycloak-demo-2.5.1.Final/examples/providers/authenticator Thank you, Reed Lewis This was what was displayed on the Keycloak server. 
12:06:20,685 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0027: Starting deployment of "authenticator-required-action-example.jar" (runtime-name: "authenticator-required-action-example.jar") 12:06:20,761 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-4) Deploying Keycloak provider: {0} 12:06:20,767 WARN [org.jboss.modules] (MSC service thread 1-4) Failed to define class org.keycloak.examples.authenticator.SecretQuestionAuthenticatorFactory in Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory (Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader): org/keycloak/authentication/AuthenticatorFactory at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446) at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274) at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78) at org.jboss.modules.Module.loadModuleClass(Module.java:605) at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at 
java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370) at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) at java.util.ServiceLoader$1.next(ServiceLoader.java:480) at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47) at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93) at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206) at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112) at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42) at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54) at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 12:06:20,768 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "authenticator-required-action-example.jar" at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) at 
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory (Module "deployment.authenticator-required-action-example.jar:main" from Service Module Loader): org/keycloak/authentication/AuthenticatorFactory at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446) at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274) at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78) at org.jboss.modules.Module.loadModuleClass(Module.java:605) at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370) at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) at java.util.ServiceLoader$1.next(ServiceLoader.java:480) at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47) at 
org.keycloak.provider.ProviderManager.load(ProviderManager.java:93) at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206) at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112) at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42) at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54) at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) ... 5 more 12:06:20,769 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "authenticator-required-action-example.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\" Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/AuthenticatorFactory"}} 12:06:20,769 ERROR [org.jboss.as.server] (management-handler-thread - 4) WFLYSRV0021: Deploy of deployment "authenticator-required-action-example.jar" was rolled back with the following failure message: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of 
deployment \"authenticator-required-action-example.jar\" Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/AuthenticatorFactory"}} 12:06:20,772 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment authenticator-required-action-example.jar (runtime-name: authenticator-required-action-example.jar) in 2ms 12:06:20,773 INFO [org.jboss.as.controller] (management-handler-thread - 4) WFLYCTL0183: Service status report WFLYCTL0186: Services which failed to start: service jboss.deployment.unit."authenticator-required-action-example.jar".POST_MODULE From mstrukel at redhat.com Tue Feb 14 12:16:20 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Tue, 14 Feb 2017 18:16:20 +0100 Subject: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI In-Reply-To: References: Message-ID: There is no such restriction, and I can't reproduce your issue. Is there any stacktrace on the server? Do you get any more information on the client if you add -x option? On Tue, Feb 14, 2017 at 1:01 PM, Colin Coleman wrote: > Hello, > > > > Is there a setting limiting the number of realms that can be created with > the CLI? > > When creating realms via the CLI I start getting HTTP error - 400 Bad > Request after about 20 realms > > > > > > kcadm.sh create realms -s realm=test3 -s enabled=true > > kcadm.sh create realms -s realm=test4 -s enabled=true > > kcadm.sh create realms -s realm=test5 -s enabled=true > > . > > . > > . > > > > I get > > > > . > > . > > Created new realm with id 'test13' > > Created new realm with id 'test14' > > HTTP error - 400 Bad Request > > HTTP error - 400 Bad Request > > . > > . > > . 
> Colin

From sts at ono.at Tue Feb 14 12:19:16 2017 From: sts at ono.at (Stefan Schlesinger) Date: Tue, 14 Feb 2017 18:19:16 +0100 Subject: [keycloak-user] Special Characters & Direct Access Grant Authentication Message-ID: <6F41CAC4-C246-4CD8-B6BA-08F84ADBF0A3@ono.at> Hi, short question. When trying to log in a user via the Direct Access Grant API, it looks like the password is not accepted in case it contains special characters. Does anyone know what format the special characters in passwords need to be supplied in? This is what my POST request looks like; the password contains a ", which is correctly encoded as %22.

> POST https://auth.example.com/auth/realms/master/protocol/openid-connect/token
> Accept-Encoding: gzip, x-gzip, deflate, x-bzip2
> Content-Length: 156
> Content-Type: application/x-www-form-urlencoded
>
> scope=openid&username=example_user&password=asdf%22&totp=123456&grant_type=password&client_id=auth.example.com&client_secret=secret

Running keycloak 2.5.1. Best, Stefan.

From mohashi at redhat.com Tue Feb 14 19:44:34 2017 From: mohashi at redhat.com (Marcelo Ohashi) Date: Tue, 14 Feb 2017 22:44:34 -0200 Subject: [keycloak-user] Error installing fuse adapters Message-ID: Hi guys, I am trying to install the fuse adapters from the rh-sso-7.0.0-maven-repository.zip, but it seems that not all bundles are there. So I'm getting the following error on fuse: Error executing command: Error accessing mvn:org.keycloak/keycloak-jetty92-adapter/1.9.8.Final-redhat-1 Does anyone know if there's another repository that I could use? Best regards, -- Marcelo Ohashi Middleware Architect | Red Hat Brasil M: +55 11 9 7338-6338 Av. Brigadeiro Faria Lima 3900, 8º Andar. São Paulo, Brasil. RED HAT | TRIED. TESTED. TRUSTED.
Saiba porque em redhat.com From akaya at expedia.com Wed Feb 15 01:06:30 2017 From: akaya at expedia.com (Sarp Kaya) Date: Wed, 15 Feb 2017 06:06:30 +0000 Subject: [keycloak-user] Configuring keycloak with JSON instead of UI Message-ID: <125A023F-FB6F-4DA9-AEF0-9ECC2DEF4351@expedia.com> Hello, I'm aware of the keycloak import/export functionality but when I export the keycloak configuration it exports with a bunch of ids. I'm guessing this is useful for back-ups or duplicating the entire environment. My problem is, say if you have different environments with slight configuration differences (because environments probably have different keys, URLs etc.) but would like to keep the majority of the configuration the same; then this export/import becomes unusable:

1) Everything has an id, so therefore just exporting and then importing a singular item will not work due to id mismatch.

2) During the import, it's not possible to select what can be overwritten and what can be skipped. The importing condition applies for all.

My question is, what is the best practice to configure keycloak in multiple environments?

From swapnil.kshirsagar at cuelogic.com Wed Feb 15 02:48:42 2017 From: swapnil.kshirsagar at cuelogic.com (swapnil.kshirsagar) Date: Wed, 15 Feb 2017 00:48:42 -0700 (MST) Subject: [keycloak-user] custom user attribute access in JS policies Message-ID: <1487144922058-2742.post@n6.nabble.com> Hello, I need a sample JavaScript Policy code and steps to access a custom user attribute inside a JavaScript policy. Thank you.
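The archive carries no worked example for two of the questions in this batch: how a policy-enforcer "path" pattern such as /album/{id} is resolved against the runtime request path (Pedro's reply above, and Ori's /album/{id}/* question), and what a JavaScript policy that reads a custom user attribute looks like (the post just above). The block below is an example added by the editor; it is not Keycloak's code and not code posted by anyone in the thread. It runs stand-alone under Node. Assumptions, all constructed for the example: the users alice/bob/carol/mallory, the resource registry, the attribute name "album-admin", the extra "/album/{id}/*" enforcer entry, the simplified pattern semantics (one segment per placeholder, "/*" for the remainder; Keycloak's own PathMatcher is not reproduced), and the stand-in $evaluation object, which mimics the method names of Keycloak's Evaluation API as I know them (getContext().getIdentity().getAttributes().getValue(name), Entry.isEmpty()/asString(i), getPermission().getResource().getOwner(), grant()/deny()) but not its implementation.

```javascript
'use strict';
// Added example, not Keycloak's own code. Part 1 simulates the policy-enforcer
// resolving a "path" pattern to a concrete resource and the scopes a method
// needs; part 2 is a JavaScript policy in the shape Keycloak script policies
// take, reading a custom user attribute. Identities, resources, the attribute
// name "album-admin", the "/album/{id}/*" entry and the stand-in Keycloak
// objects are all constructed here.

// ---- 1. Policy-enforcer side ------------------------------------------------

// Entries in the shape of the policy-enforcer "paths" configuration from the thread.
const enforcerPaths = [
  {
    name: 'Album Resource',
    path: '/album/{id}',
    methods: [
      { method: 'DELETE', scopes: ['urn:photoz.com:scopes:album:delete'] },
      { method: 'GET', scopes: ['urn:photoz.com:scopes:album:view'] },
    ],
  },
  {
    // Assumed entry for nested picture paths (the "/album/{id}/*" form asked about).
    name: 'Album Picture',
    path: '/album/{id}/*',
    methods: [{ method: 'GET', scopes: ['urn:photoz.com:scopes:album:view'] }],
  },
];

// Compile a pattern into an anchored regex. A {placeholder} matches exactly one
// path segment; a trailing "/*" matches any non-empty remainder. Simplified
// semantics for this example, not a copy of Keycloak's PathMatcher.
function compilePattern(pattern) {
  const names = [];
  let src = '';
  for (const seg of pattern.split('/').filter(Boolean)) {
    const placeholder = /^\{(\w+)\}$/.exec(seg);
    if (seg === '*') src += '/.+';
    else if (placeholder) { names.push(placeholder[1]); src += '/([^/]+)'; }
    else src += '/' + seg.replace(/[.*+?^$()|[\]\\{}]/g, '\\$&');
  }
  return { re: new RegExp('^' + src + '$'), names };
}

// Resolve method + runtime path to the matching entry, the placeholder values,
// the concrete resource URI (the "specific resource instance") and the scopes
// the method requires. A pattern without "/*" wins over one with it.
function resolve(method, requestPath, paths = enforcerPaths) {
  const hits = paths
    .map((entry) => ({ entry, ...compilePattern(entry.path) }))
    .map((c) => ({ ...c, match: c.re.exec(requestPath) }))
    .filter((c) => c.match !== null)
    .sort((a, b) => Number(a.entry.path.endsWith('/*')) - Number(b.entry.path.endsWith('/*')));
  if (hits.length === 0) return null;
  const { entry, names, match } = hits[0];
  const params = Object.fromEntries(names.map((n, i) => [n, match[i + 1]]));
  // Drop the wildcard and fill the placeholders: "/album/{id}/*" with id=17 gives
  // "/album/17", so the album stays the protected resource for nested picture paths.
  const resourceUri = entry.path.replace(/\/\*$/, '').replace(/\{(\w+)\}/g, (_, n) => params[n]);
  const cfg = entry.methods.find((m) => m.method === method.toUpperCase());
  return { name: entry.name, params, resourceUri, scopes: cfg ? cfg.scopes.slice() : [] };
}

// ---- 2. JavaScript policy side ----------------------------------------------

// Policy body as it would be pasted into a Keycloak JavaScript policy: it only
// touches $evaluation and uses ES5 syntax. Grants the resource owner, or anyone
// whose custom attribute "album-admin" (assumed name) is "true".
function albumPolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var attributes = identity.getAttributes();
  var resource = $evaluation.getPermission().getResource();

  if (resource.getOwner() === identity.getId()) {
    $evaluation.grant();
    return;
  }
  var admin = attributes.getValue('album-admin'); // empty Entry if the claim is absent
  if (!admin.isEmpty() && admin.asString(0) === 'true') {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Stand-in for the Keycloak objects so the policy runs offline (constructed:
// same method names as the Evaluation API, not Keycloak's implementation).
function makeEvaluation(identity, resource) {
  const entry = (values) => ({ isEmpty: () => values.length === 0, asString: (i) => values[i] });
  const attributes = { getValue: (name) => entry(identity.attributes[name] || []) };
  let effect = null; // neither grant() nor deny() called: treated as deny here
  return {
    getContext: () => ({ getIdentity: () => ({ getId: () => identity.id, getAttributes: () => attributes }) }),
    getPermission: () => ({ getResource: () => ({ getUri: () => resource.uri, getOwner: () => resource.owner }) }),
    grant: () => { effect = 'GRANT'; },
    deny: () => { effect = 'DENY'; },
    isGranted: () => effect === 'GRANT',
  };
}

// Constructed registry: one resource per album, owned by its creator, like the
// ResourceRepresentation the PhotoZ code registers for each new album.
const resources = {
  '/album/17': { uri: '/album/17', owner: 'alice' },
  '/album/42': { uri: '/album/42', owner: 'bob' },
};

// End to end: the enforcer resolves the path, then the policy decides for that resource.
function authorize(method, requestPath, identity) {
  const hit = resolve(method, requestPath);
  if (!hit) return { granted: false, reason: 'no enforcer path matched' };
  if (hit.scopes.length === 0) return { granted: false, reason: 'method not configured for ' + hit.name };
  const resource = resources[hit.resourceUri];
  if (!resource) return { granted: false, reason: 'no resource registered for ' + hit.resourceUri };
  const evaluation = makeEvaluation(identity, resource);
  albumPolicy(evaluation);
  return { granted: evaluation.isGranted(), resourceUri: hit.resourceUri, scopes: hit.scopes, params: hit.params };
}

// Constructed identities; "attributes" stands for what the access token carries.
const alice = { id: 'alice', attributes: {} };
const carol = { id: 'carol', attributes: { 'album-admin': ['true'] } };
const mallory = { id: 'mallory', attributes: { 'album-admin': ['false'] } };

console.log(JSON.stringify(authorize('GET', '/album/17/picture/12', carol)));
```

Two practical notes, both my understanding rather than something stated in the thread: in a real Keycloak policy the identity attributes are populated from the access token's claims, so a custom user attribute has to be mapped into the token with a protocol mapper before a script policy can see it, and checking `isEmpty()` before `asString(0)` is what keeps the policy from throwing when the claim is missing; and the policy body above deliberately avoids ES6 because the script policies of the 2.x/3.x era run under Nashorn.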
From swapnil.kshirsagar at cuelogic.com Wed Feb 15 03:11:26 2017 From: swapnil.kshirsagar at cuelogic.com (swapnil.kshirsagar) Date: Wed, 15 Feb 2017 01:11:26 -0700 (MST) Subject: [keycloak-user] custom user attribute access in JS policies In-Reply-To: <1487144922058-2742.post@n6.nabble.com> References: <1487144922058-2742.post@n6.nabble.com> Message-ID: <1487146286504-2743.post@n6.nabble.com> I wrote a policy which is evaluated correctly, but when I access it from the entitlement API the RPT does not contain the resource in permission. I think the issue is with the evaluation context. So I want to know how to access the custom user attributes in JS policies so that I can rewrite my policy.

From musti.kuru at gmail.com Wed Feb 15 03:12:36 2017 From: musti.kuru at gmail.com (Mustafa Kuru) Date: Wed, 15 Feb 2017 09:12:36 +0100 Subject: [keycloak-user] Keycloak LDAP configuration - deletes ldap user from Keycloak Message-ID: Hi, We are using the LDAP Federation Provider in READONLY Edit Mode. I saw in the Keycloak logs a lot of exceptions like "Could not query server using DN" (javax.naming.ServiceUnavailableException) or "LDAP: error code 52 - Proxy can't contact remote server". In our case some LDAP users were deleted from Keycloak and reimported into Keycloak from LDAP. We don't know why. Can the exceptions above cause this problem? Or what is the behaviour of Keycloak if it cannot connect to LDAP or gets an empty response from LDAP? Delete the corresponding user from Keycloak? Thanks in advance.
Mustafa Kuru From cco at capraconsulting.no Wed Feb 15 04:05:24 2017 From: cco at capraconsulting.no (Colin Coleman) Date: Wed, 15 Feb 2017 10:05:24 +0100 Subject: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI In-Reply-To: References: Message-ID: <52C1CD27-1D7F-4718-BBCC-E78FCF0C4295@capraconsulting.no> There is no stacktrace in the logs. I turned the level up to debug and could find nothing then either. The only difference between a success when there were less than 20 realms and a failure when there were more than 20 realms was a lack of debug lines from org.hibernate, which seems to show that the database never gets queried when a 400 is produced. My stack is: Ubuntu 16.04; openjdk version "1.8.0_121"; PostgreSQL 9.6.1 (running on a different machine); keycloak-2.5.1.Final running using standalone-ha.xml; DB driver: postgresql-9.4.1212.jre6.jar. Writing this I notice that the db driver and db are not on the same level; I will update this and test again. ------------------------------------------------ Colin From: Marko Strukelj Date: Tuesday, 14 February 2017 at 18:16 To: Colin Coleman Cc: keycloak-user Subject: Re: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI There is no such restriction, and I can't reproduce your issue. Is there any stacktrace on the server? Do you get any more information on the client if you add the -x option? On Tue, Feb 14, 2017 at 1:01 PM, Colin Coleman wrote: Hello, Is there a setting limiting the number of realms that can be created with the CLI? When creating realms via the CLI I start getting HTTP error - 400 Bad Request after about 20 realms kcadm.sh create realms -s realm=test3 -s enabled=true kcadm.sh create realms -s realm=test4 -s enabled=true kcadm.sh create realms -s realm=test5 -s enabled=true . . . I get . . Created new realm with id 'test13' Created new realm with id 'test14' HTTP error - 400 Bad Request HTTP error - 400 Bad Request . . .
Colin

From harishjadhav1979 at yahoo.com Wed Feb 15 04:12:31 2017 From: harishjadhav1979 at yahoo.com (harish jadhav) Date: Wed, 15 Feb 2017 09:12:31 +0000 (UTC) Subject: [keycloak-user] Re Rest API for authentication In-Reply-To: <265983533.4049897.1487070144992@mail.yahoo.com> References: <862850848.3244948.1486989188582.ref@mail.yahoo.com> <862850848.3244948.1486989188582@mail.yahoo.com> <265983533.4049897.1487070144992@mail.yahoo.com> Message-ID: <520615915.4791885.1487149951742@mail.yahoo.com> Team, Please help me out on this. Thanks, Harish On Tuesday, February 14, 2017 4:32 PM, harish jadhav wrote: Team, Kindly advise on this. Thanks, Harish On Monday, February 13, 2017 6:03 PM, harish jadhav wrote: Hello Team, I have one web application which will be hosted in the cloud. I am planning to use Keycloak for authentication purposes only, and Keycloak will be running in the on-premise customer location. My plan is to:

1. Import the users to my application through my own import mechanism and later push them to Keycloak over the REST API
2. Present a custom login page in my application which asks for username/password and passes it to Keycloak for authentication over the REST API
3. Authentication can be through LDAP or a SAML IdP (ADFS)
4. Get the token and use it for accessing the service based on authorization

I have a restriction not to use the Keycloak login page, so I cannot use redirection to the Keycloak login page. Please let me know whether it works out and also give some pointers on the REST API for SAML. My requirement is that I need to authenticate the user either through LDAP or SAML providers. I know some basic auth using REST but am not getting the idea on SAML.
Thanks, Harish From jason at naidmincloud.com Wed Feb 15 04:47:49 2017 From: jason at naidmincloud.com (Jason B) Date: Wed, 15 Feb 2017 15:17:49 +0530 Subject: [keycloak-user] Force Keycloak to use external IdP as authentication mechanism Message-ID: We have a requirement to disable local login (username/password) and allow login only through the IdPs configured in the Identity broker. To test this scenario I have configured Salesforce as SP and Keycloak as IdP. And in the IdP (Keycloak) I disabled "Forms" based login and configured an external IdP as identity broker. But this configuration results in an "Invalid username or password." error in Keycloak. In the logs I observed the following stack trace. 01:36:06,532 WARN [org.keycloak.services] (default task-40) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:795) at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667) at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123) at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:527) at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:523) at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:310) at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:221) at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.execute(SamlService.java:514) at org.keycloak.protocol.saml.SamlService.redirectBinding(SamlService.java:536) at sun.reflect.GeneratedMethodAccessor686.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at 
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)

01:36:06,532 WARN [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=salesforce, clientId=https://saml.salesforce.com, userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, auth_method=saml, redirect_uri=https://jason-dev-ed.my.salesforce.com?so=00D62000005vWGB, code_id=96d4d981-decd-47ed-ae08-09dfa5c6d6f4

Any idea how to disable the username/password prompt during the login and force Keycloak to use the configured identity brokers?

Also, in case I have multiple external IdPs configured as identity brokers in my Keycloak instance, is there any way to inform Keycloak to use a particular external IdP (broker)? I know we can use the kc_idp_hint parameter. This will be helpful during IdP initiated SSO, but in case it is an SP initiated SSO, how can we specify the default external IdP?

Thanks!

From mstrukel at redhat.com Wed Feb 15 05:03:30 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 15 Feb 2017 11:03:30 +0100
Subject: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI
In-Reply-To: <52C1CD27-1D7F-4718-BBCC-E78FCF0C4295@capraconsulting.no>
References: <52C1CD27-1D7F-4718-BBCC-E78FCF0C4295@capraconsulting.no>
Message-ID:

I would expect that error status 400 occurs at parameter checking / input parsing time. If the problem occurs later I would expect error status 500.

If you get a failure with the same realm all the time it's probably a problem with some values in that realm's JSON. I'd try and put a breakpoint at the beginning of the RealmsAdminResource.importRealm method. You may then get more information if you manage to hit exactly the request that fails.
Another thing you can try is using tcpflow, or the tcpdump CLI tool, and maybe get more information from the raw TCP data. For example I use the following on Mac to examine all traffic to port 8080:

sudo tcpdump -i lo0 -s 0 -A port 8080

On Wed, Feb 15, 2017 at 10:05 AM, Colin Coleman wrote:
> There is no stacktrace on the logs - I turned the level up to debug and could find nothing then either.
>
> The only difference between a success when there were less than 20 realms and a failure when there were more than 20 realms was a lack of debug lines from org.hibernate which seems to show that the database never gets queried when a 400 is produced.
>
> My Stack is:
> Ubuntu 16.04
> openjdk version "1.8.0_121"
> PostgreSQL 9.6.1 (running on different machine)
> keycloak-2.5.1.Final - running using standalone-ha.xml
> DB driver: postgresql-9.4.1212.jre6.jar
>
> Writing this I notice that the db driver and db are not on the same level - I will update this and test again.
>
> ------------------------------------------------
> Colin
>
> *From: *Marko Strukelj
> *Date: *Tuesday, 14 February 2017 at 18:16
> *To: *Colin Coleman
> *Cc: *keycloak-user
> *Subject: *Re: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI
>
> There is no such restriction, and I can't reproduce your issue.
>
> Is there any stacktrace on the server?
>
> Do you get any more information on the client if you add the -x option?
>
> On Tue, Feb 14, 2017 at 1:01 PM, Colin Coleman wrote:
>
> Hello,
>
> Is there a setting limiting the number of realms that can be created with the CLI?
> When creating realms via the CLI I start getting HTTP error - 400 Bad Request after about 20 realms
>
> kcadm.sh create realms -s realm=test3 -s enabled=true
> kcadm.sh create realms -s realm=test4 -s enabled=true
> kcadm.sh create realms -s realm=test5 -s enabled=true
> .
> .
> .
>
> I get
>
> .
> .
> Created new realm with id 'test13'
> Created new realm with id 'test14'
> HTTP error - 400 Bad Request
> HTTP error - 400 Bad Request
> .
> .
> .
>
> Colin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pschiffe at redhat.com Wed Feb 15 05:21:59 2017
From: pschiffe at redhat.com (pschiffe at redhat.com)
Date: Wed, 15 Feb 2017 11:21:59 +0100
Subject: [keycloak-user] do not import users when brokering
In-Reply-To:
References:
Message-ID: <1487154119.31840.12.camel@localhost>

Hello,

I've created an RFE here: https://issues.jboss.org/browse/KEYCLOAK-4429

Please take a look, as this is quite important to us.

Thanks,
peter

On Tue, 2017-01-24 at 13:49 +0100, Peter Schiffer wrote:
> Thanks Stian, is this RFE tracked somewhere? Should I create an issue in JIRA? This feature is important for us from a scalability point of view; when all the data are available in the remote idp, we don't want to maintain another "cache like" database.
>
> Thanks,
>
> peter
>
> On Tue, Jan 24, 2017 at 8:48 AM, Stian Thorgersen wrote:
> > It's not currently possible, but it is something we may add at some point.
> >
> > On 23 January 2017 at 19:29, Peter Schiffer wrote:
> > > Hello all,
> > >
> > > I'm working on some POC with keycloak and OpenShift [1] and I'm wondering - is it possible to configure Keycloak in a way that it won't create new users in the local database when acting as a broker? For example, in this case [2], I want to be able to login as `user` from the saml broker, but without creating the new user in saml-authentication-broker. Is it possible?
> > >
> > > Thanks,
> > >
> > > peter
> > >
> > > [1] https://github.com/pschiffe/keycloak-demo
> > > [2] https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From h.benz at first8.nl Wed Feb 15 05:44:18 2017
From: h.benz at first8.nl (Hartmut Benz)
Date: Wed, 15 Feb 2017 11:44:18 +0100
Subject: [keycloak-user] Need help in resending registration emails
In-Reply-To:
References:
Message-ID: <3c6c08d9-34bc-b378-f927-70bf6367a1e5@first8.nl>

Hi Ganga,

when one of these users tries to log in now, (s)he will get a message to validate the email. This message contains a link/the option to re-send the validation email.

/Hartmut

On 14/02/2017 07:43, Ganga Lakshmanasamy wrote:
> Hi,
>
> We are using keycloak for our authentication. Our smtp service went down when a few users tried to register. So the registration process went through but the emails were not sent. The users' current status is "verify email". Please let me know how to resend the verification email for those registered users.
>
> Regards,
> Ganga Lakshmanasamy
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From cco at capraconsulting.no Wed Feb 15 06:04:34 2017
From: cco at capraconsulting.no (Colin Coleman)
Date: Wed, 15 Feb 2017 12:04:34 +0100
Subject: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI
In-Reply-To:
References:
Message-ID: <24A76700-A8EA-4C9A-9E9A-736DA9E12A88@capraconsulting.no>

The -x trick gave me enough info to find this:
https://issues.jboss.org/browse/KEYCLOAK-1268

And even if the workarounds work, it looks like Keycloak was not designed and is not tested for the sort of multi-tenant setup I was trying to do.

The JDBC driver version was a red herring - everything is the latest version.

Using the CLI with -x I got the following:

HTTP error - 400 Bad Request
org.keycloak.client.admin.cli.util.HttpResponseException: HTTP error - 400 Bad Request
        at org.keycloak.client.admin.cli.util.HeadersBodyStatus.checkSuccess(HeadersBodyStatus.java:61)
        at org.keycloak.client.admin.cli.util.HttpUtil.checkSuccess(HttpUtil.java:329)
        at org.keycloak.client.admin.cli.commands.AbstractRequestCmd.process(AbstractRequestCmd.java:363)
        at org.keycloak.client.admin.cli.commands.AbstractRequestCmd.execute(AbstractRequestCmd.java:126)
        at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:63)
        at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:48)
        at org.keycloak.client.admin.cli.aesh.AeshConsoleCallbackImpl.execute(AeshConsoleCallbackImpl.java:54)
        at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: 400 Request Header Or Cookie Too Large
400 Bad Request
Request Header Or Cookie Too Large
awselb/2.0
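The 400 body Colin pasted above is produced by the load balancer in front of Keycloak (awselb/2.0) rather than by Keycloak itself, which fits his observation that the server logs show nothing and that the database is never queried when the 400 occurs. A check a practitioner would run at this point, as an added example that is not code from this thread or from Keycloak: take the bearer token the CLI presents (kcadm.sh keeps it in ~/.keycloak/kcadm.config) and measure the Authorization header it produces, since a token that grows with the number of realms is one candidate for a header that trips a proxy's header-size limit. The 8 KiB limit, the sample token and its claim layout are constructed assumptions for the example, not Keycloak output; whether the token is really what overflows the header in Colin's setup is exactly what the check is meant to confirm or rule out.

```python
import base64
import json

# Added example (not code from the thread or from Keycloak): decode the JWT a
# CLI such as kcadm.sh sends as "Authorization: Bearer ..." and measure how big
# that header line is. A proxy limit of 8 KiB is an assumption for this check;
# the token built below is constructed for the example, not a real Keycloak token.

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_sample_token(realm_count: int) -> str:
    """Constructed, unsigned ("alg": "none") token whose resource_access claim
    lists management roles for realm_count realms. Sample input only."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": "http://localhost:8080/auth/realms/master",
        "preferred_username": "admin",
        "resource_access": {
            "test%d-realm" % i: {"roles": ["manage-realm", "manage-users", "view-users"]}
            for i in range(realm_count)
        },
    }
    # empty third segment: no signature
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])

def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS without verifying it. The signature is
    irrelevant for a size check; never use this for authentication decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def header_size_report(token: str, limit: int = 8192) -> dict:
    """Size of the Authorization header line as sent on the wire, the number of
    clients listed under resource_access, and whether the line exceeds limit."""
    line = "Authorization: Bearer %s\r\n" % token
    size = len(line.encode("ascii"))
    clients = decode_jwt_payload(token).get("resource_access", {})
    return {"authorization_header_bytes": size,
            "resource_access_clients": len(clients),
            "exceeds_limit": size > limit}

if __name__ == "__main__":
    for realms in (2, 200):
        print(realms, header_size_report(make_sample_token(realms)))
```

To check a real token, read it out of the CLI's config file and pass it to header_size_report; if the reported size is near the proxy's limit, the token (not the request body) is what the load balancer is rejecting, and the fix is on the token-size side rather than in the realm JSON.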
Colin

From: Colin Coleman
Date: Wednesday, 15 February 2017 at 10:05
To: Marko Strukelj
Cc: keycloak-user
Subject: Re: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI

There is no stacktrace on the logs - I turned the level up to debug and could find nothing then either.

The only difference between a success when there were less than 20 realms and a failure when there were more than 20 realms was a lack of debug lines from org.hibernate which seems to show that the database never gets queried when a 400 is produced.

My Stack is:
Ubuntu 16.04
openjdk version "1.8.0_121"
PostgreSQL 9.6.1 (running on different machine)
keycloak-2.5.1.Final - running using standalone-ha.xml
DB driver: postgresql-9.4.1212.jre6.jar

Writing this I notice that the db driver and db are not on the same level - I will update this and test again.

------------------------------------------------
Colin

From: Marko Strukelj
Date: Tuesday, 14 February 2017 at 18:16
To: Colin Coleman
Cc: keycloak-user
Subject: Re: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI

There is no such restriction, and I can't reproduce your issue.

Is there any stacktrace on the server?

Do you get any more information on the client if you add the -x option?

On Tue, Feb 14, 2017 at 1:01 PM, Colin Coleman wrote:

Hello,

Is there a setting limiting the number of realms that can be created with the CLI?
When creating realms via the CLI I start getting HTTP error - 400 Bad Request after about 20 realms

kcadm.sh create realms -s realm=test3 -s enabled=true
kcadm.sh create realms -s realm=test4 -s enabled=true
kcadm.sh create realms -s realm=test5 -s enabled=true
.
.
.

I get

.
.
Created new realm with id 'test13'
Created new realm with id 'test14'
HTTP error - 400 Bad Request
HTTP error - 400 Bad Request
.
.
.
Colin
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Feb 15 06:42:36 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 15 Feb 2017 12:42:36 +0100
Subject: [keycloak-user] Custom Email Provider
In-Reply-To: <1486986100.5170.6.camel@pobox.com>
References: <1486986100.5170.6.camel@pobox.com>
Message-ID:

You just need to add it. SPI name is emailSender.

On 13 February 2017 at 12:41, Bruno Palermo wrote:
> Stian,
>
> I looked at:
>
> http://www.keycloak.org/docs/2.5/server_development_guide/topics/providers.html
>
> and
>
> http://www.keycloak.org/docs/2.5/server_development_guide/topics/extensions.html
>
> And couldn't find any reference on how to set up the default emailProvider.
>
> Looking at the standalone.xml, in the <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> section I can find settings for spi:
>
> - eventsStore
> - realm
> - user
> - userCache
> - UserSessionPersister
> - AuthorizationPersister
> - timer
> - connectionsHttpClient
> - connectionsJpa
> - realmCache
> - connectionsInfinispan
> - jta-lookup
> - publicStorage
>
> But not for the email provider.
>
> Thanks,
> Bruno
>
> On Mon, 2017-02-13 at 10:38 +0100, Stian Thorgersen wrote:
> > Set the default provider in standalone.xml. See the server developer guide for more details.
> >
> > On 12 February 2017 at 13:26, Bruno Palermo wrote:
> > > Hi,
> > >
> > > I'm implementing a custom AWS SES email provider.
> > >
> > > How can I choose which implementation to use for sending emails?
> > >
> > > Thanks,
> > >
> > > Bruno
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Ori.Doolman at amdocs.com Wed Feb 15 06:55:32 2017
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Wed, 15 Feb 2017 11:55:32 +0000
Subject: [keycloak-user] Additional attributes for an authorization request
In-Reply-To:
References:
Message-ID:

Pedro,
Thank you for all the helpful information. We'll try that.

Ori.

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Tuesday, 14 February 2017 18:43
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Additional attributes for an authorization request

On Tue, Feb 14, 2017 at 10:10 AM, Ori Doolman wrote:

Hi Pedro,
This is great, and will work for all album APIs of the format /album/{id}.

I wonder if the $permission.resource takes its value from the policy-enforcer path or from the URL of the API call at runtime? I suppose the latter and I suppose it is always the full URL path from the http request.

Yes, from the latter.

In our resource server I have also APIs with an additional path level similar to:
/album/{albumId}/picture/{picId}

For this API, I still want to check that the user is allowed to access the album.
How would such an API be forced to match the same policy of the album?
Should I configure the following path in policy-enforcer:
"path" : "/album/{id}/*"
and have a more sophisticated policy rule based on the runtime value $permission.resource which now becomes "/album/17/picture/12" (for example) and truncate the string to "/album/17" and perform the condition on it as the album resource? Or is there a better method?
I think you don't actually need that wildcard at the end, so this should work:
"path" : "/album/{id}"

When checking paths with a pattern, the enforcer queries the server for a resource with the runtime path. For instance, if your pattern is /album/{id} and the client is trying to access /album/1/picture/2, the enforcer will query the server for a resource with a URI that matches /album/1/picture/2.

In case of that PhotoZ App (which is using the UMA protocol), the enforcer is going to return to the client a permission ticket for the resource previously resolved. Then when the client finally sends an authorization request to KC, KC is going to evaluate all permissions for the resource, giving you as a result a final token with past permissions plus new ones (if granted). This is how the UMA flow works, basically ....

However, I know our enforcer is very limited in respect to patterns within patterns. That is something we need to improve ....

Thanks,
Ori.

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Tuesday, 14 February 2017 12:54
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Additional attributes for an authorization request

On Tue, Feb 14, 2017 at 6:57 AM, Ori Doolman wrote:

Hi Pedro,
Thank you for the answer.

There is still one thing I fail to understand around point (3) where you wrote: "to resolve a specific resource instance".
In the photoz application code, when an album is created, an associated resource is created that is owned by the user that created the album:

ResourceRepresentation albumResource = new ResourceRepresentation(album.getName(), scopes, "/album/" + album.getId(), "http://photoz.com/album");

It matches the PEP policy-enforcer configuration:

{
  "name" : "Album Resource",
  "path" : "/album/{id}",
  "methods" : [
    { "method": "DELETE", "scopes" : ["urn:photoz.com:scopes:album:delete"] },
    { "method": "GET", "scopes" : ["urn:photoz.com:scopes:album:view"] }
  ]
},

Which matches the PDP typed resource configuration:

{
  "name": "Album Resource",
  "uri": "/album/*",
  "type": "http://photoz.com/album",
  "scopes": [
    { "name": "urn:photoz.com:scopes:album:view" },
    { "name": "urn:photoz.com:scopes:album:delete" },
    { "name": "urn:photoz.com:scopes:album:create" }
  ]
},

Which ends up with the rule:

rule "Authorize Resource Owner"
dialect "mvel"
when
  $evaluation : Evaluation(
    $identity: context.identity,
    $permission: permission,
    $permission.resource != null && $permission.resource.owner.equals($identity.id)
  )
then
  $evaluation.grant();
end

So the "magic" lies with the typed resource uri "/album/*". This is what makes it match also the path in the policy enforcer (and the actual url at runtime of the REST API).

Exactly. One of the main points here is that you can map any path in your application to a resource, so you don't necessarily need to set URIs to your resources as long as you provide a configuration like above.

The demo creates many album resources, one for each new album created. But when it is evaluating the policy, how does $permission.resource reference the proper album resource each time and not just the typed "Album Resource" resource? This is the part I failed to understand. Does the $permission.resource value at runtime actually become "/album/17" (for example)?

Yes.

Regards,
Ori.

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Monday, 13 February 2017 14:09
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Additional attributes for an authorization request

On Thu, Feb 9, 2017 at 2:11 PM, Ori Doolman wrote:

Hi Pedro Igor,

You wrote:
You can't pass additional attributes along with an authorization request. However, that is something we want to support on future versions.

I have some questions about that:

1. Which future version will support that? Any plan for it at the moment?

Sorry, but can't give you any dates. There are quite a few things in the authz services roadmap, but right now we have some time and resource constraints that are blocking us from following a plan/roadmap.

2. Until it is supported, what would be the best practice recommendation to authorize resources such as account numbers?
For example: The REST API (resource) I want to protect in the resource server is /api/getAccountDetails/{accountNum}.
How should I configure the policy/permissions/resources/scopes in the PDP and how should I utilize the PEP (I'm using the Java adapter for JBoss Fuse)?

It seems this one is already supported. I would suggest you take a look at the PhotoZ example about how to protect individual resources. There you will find:

1) How to create resources from your resource server using the Protection API using the Java AuthZ Client API.
2) How "typed" resources work, where you define permissions to a generic resource and these permissions are also applied to resources with the same type.
3) How to configure "policy-enforcer" to handle paths with a pattern in order to resolve a specific resource instance (e.g.: the account details in your example). Something like that:

{
  "name" : "Album Resource",
  "path" : "/album/{id}",
  "methods" : [
    { "method": "DELETE", "scopes" : ["urn:photoz.com:scopes:album:delete"] },
    { "method": "GET", "scopes" : ["urn:photoz.com:scopes:album:view"] }
  ]
}

Thank you,
Ori.
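The three pieces Ori lays out above (the per-album resource the app registers, the typed resource with uri /album/*, and the "Authorize Resource Owner" rule) fit together as follows. The block below is an added example, not Keycloak's code: a small model of the enforcer's path-template matching on the PEP side and of typed-resource policy evaluation on the PDP side, written to show why alice is granted on /album/17 (an instance resource she owns exists) but not on /album/99 (only the typed resource matches, and its owner is the resource server). Resource names, user ids, the exact-then-glob resolution order and the deny-by-default handling of paths and methods the enforcer config does not cover are assumptions of the model, not a description of Keycloak's implementation.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional

# Added example, not Keycloak's code: a model of policy-enforcer path templates
# (PEP), typed resources and the "Authorize Resource Owner" rule (PDP).
# Resource and user names below are constructed for the example.

ALBUM_TYPE = "http://photoz.com/album"
VIEW = "urn:photoz.com:scopes:album:view"
DELETE = "urn:photoz.com:scopes:album:delete"
CREATE = "urn:photoz.com:scopes:album:create"

@dataclass
class Resource:
    name: str
    uri: str
    type: str
    owner: str          # id of the owner: a user, or the resource server itself
    scopes: List[str] = field(default_factory=list)

@dataclass
class Identity:
    id: str

@dataclass
class Permission:
    resource: Optional[Resource]
    scope: str

Policy = Callable[[Identity, Permission], bool]

def authorize_resource_owner(identity: Identity, permission: Permission) -> bool:
    """Same condition as the Drools rule: grant when a resource was resolved and
    its owner is the requesting identity."""
    return permission.resource is not None and permission.resource.owner == identity.id

# PEP side: the "paths" part of a policy-enforcer configuration.
ENFORCER_PATHS = [
    {"name": "Album Resource", "path": "/album/{id}", "methods": [
        {"method": "DELETE", "scopes": [DELETE]},
        {"method": "GET", "scopes": [VIEW]},
    ]},
]

def match_path_template(template: str, path: str) -> Optional[Dict[str, str]]:
    """'/album/{id}' against '/album/17' -> {'id': '17'}. A {param} matches one
    path segment, so '/album/17/picture/12' does not match '/album/{id}'.
    Templates are assumed to contain only literal path characters otherwise."""
    pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
    m = re.fullmatch(pattern, path)
    return m.groupdict() if m else None

def required_scopes(paths_config, method: str, path: str) -> Optional[List[str]]:
    """Scopes the enforcer demands for this request, or None when no path/method
    entry covers it (treated as deny in check_request)."""
    for entry in paths_config:
        if match_path_template(entry["path"], path) is not None:
            for m in entry.get("methods", []):
                if m["method"] == method:
                    return list(m["scopes"])
            return None
    return None

# PDP side: registered resources and policy evaluation.
@dataclass
class ResourceServer:
    resources: List[Resource] = field(default_factory=list)
    # policies attached to a resource *type* apply to every resource of that
    # type: the "typed resource" behaviour described in the thread
    type_policies: Dict[str, List[Policy]] = field(default_factory=dict)

    def resolve(self, uri: str) -> Optional[Resource]:
        """Exact URI first (the per-album instance the app registered), then the
        typed resource's glob URI such as '/album/*'."""
        for r in self.resources:
            if r.uri == uri:
                return r
        for r in self.resources:
            if "*" in r.uri and fnmatchcase(uri, r.uri):
                return r
        return None

    def evaluate(self, identity: Identity, uri: str, scope: str) -> bool:
        resource = self.resolve(uri)
        if resource is None or scope not in resource.scopes:
            return False
        permission = Permission(resource, scope)
        policies = self.type_policies.get(resource.type, [])
        return any(policy(identity, permission) for policy in policies)

def check_request(server: ResourceServer, identity: Identity, method: str, path: str) -> bool:
    scopes = required_scopes(ENFORCER_PATHS, method, path)
    if scopes is None:
        return False
    return all(server.evaluate(identity, path, scope) for scope in scopes)

def demo_server() -> ResourceServer:
    server = ResourceServer(type_policies={ALBUM_TYPE: [authorize_resource_owner]})
    # the generic, typed resource, owned by the resource server
    server.resources.append(Resource("Album Resource", "/album/*", ALBUM_TYPE,
                                     owner="photoz-restful-api", scopes=[VIEW, DELETE, CREATE]))
    # the resource the app creates per album, owned by the user who created it
    server.resources.append(Resource("alice-holiday", "/album/17", ALBUM_TYPE,
                                     owner="alice", scopes=[VIEW, DELETE]))
    return server

if __name__ == "__main__":
    srv = demo_server()
    print(check_request(srv, Identity("alice"), "GET", "/album/17"))   # True
    print(check_request(srv, Identity("bob"), "GET", "/album/17"))     # False
    print(check_request(srv, Identity("alice"), "GET", "/album/99"))   # False
```

Run directly, it prints the three outcomes. The same model shows the limitation Pedro mentions for nested paths: /album/17/picture/12 does not match the /album/{id} template at all, and if a second template were added for it, resolution in this model would fall through to the typed resource rather than to alice's album, so the owner rule alone would not grant it.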
This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From ssilvert at redhat.com Wed Feb 15 07:27:34 2017
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 15 Feb 2017 07:27:34 -0500
Subject: [keycloak-user] Configuring keycloak with JSON instead of UI
In-Reply-To: <125A023F-FB6F-4DA9-AEF0-9ECC2DEF4351@expedia.com>
References: <125A023F-FB6F-4DA9-AEF0-9ECC2DEF4351@expedia.com>
Message-ID: <5a003bb8-635d-6ac0-2a50-6bdf0e67f745@redhat.com>

On 2/15/2017 1:06 AM, Sarp Kaya wrote:
> Hello,
>
> I'm aware of the keycloak import/export functionality, but when I export the keycloak configuration it exports with a bunch of ids. I'm guessing this is useful for back-ups or duplicating the entire environment.
> My problem is, say if you have different environments with slight configuration differences (because environments probably have different keys, URLs etc.) but would like to keep the majority of the configuration the same; then this export/import becomes unusable:
>
> 1) Everything has an id, so therefore just exporting and then importing a singular item will not work due to id mismatch.
If I recall, if you remove an id, a new one will be created. However, sometimes an id is used to refer to other things in the data structure so you have to be careful (Again, going from memory here. Test early and often).
>
> 2) During the import, it's not possible to select what can be overwritten and what can be skipped. The importing condition applies for all.
>
> My question is, what is the best practice to configure keycloak in multiple environments?
This can get incredibly complex due to dependencies between entities. But if you keep it simple enough the current import facilities can suffice. The best answer I can give is that it just depends on what you are trying to do.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Ori.Doolman at amdocs.com Wed Feb 15 08:09:18 2017
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Wed, 15 Feb 2017 13:09:18 +0000
Subject: [keycloak-user] REST APIs: Get a list of users by custom attribute value
Message-ID:

Hello,
I configured the users to contain a custom attribute, X.
Now, I need to query KC for all the users that have attribute X with the value Y.

The REST API allows querying for a list of users by:

GET /admin/realms/{realm}/users

Which returns a UserRepresentation array.
However, it only allows searching/filtering by a String contained in username, first or last name, or email.

Is there any way to select users by their attribute values?

Thanks,
Ori.
From mark.pardijs at topicus.nl Wed Feb 15 08:11:49 2017
From: mark.pardijs at topicus.nl (Mark Pardijs)
Date: Wed, 15 Feb 2017 13:11:49 +0000
Subject: [keycloak-user] Force Keycloak to use external IdP as authentication mechanism
In-Reply-To:
References:
Message-ID: <6A2EE5A7-30C8-46A8-8191-4F15A6C406A8@topicus.nl>

Maybe this helps: in the Browser authentication flow you can configure a Default Identity Provider in the Identity Provider Redirector execution.

On 15 Feb 2017, at 10:47, Jason B wrote:

We have a requirement to disable local login (username/password) and allow login through IdPs configured in the Identity broker. To test this scenario I have configured Salesforce as SP and Keycloak as IdP. And in the IdP (Keycloak) I disabled "Forms" based login and configured an external IdP as identity broker. But this configuration results in an "Invalid username or password." error in Keycloak. In the logs I observed the following stack trace.
01:36:06,532 WARN [org.keycloak.services] (default task-40) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:795)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
    at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
    at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:527)
    at org.keycloak.protocol.saml.SamlService.newBrowserAuthentication(SamlService.java:523)
    at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:310)
    at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:221)
    at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.execute(SamlService.java:514)
    at org.keycloak.protocol.saml.SamlService.redirectBinding(SamlService.java:536)
    at sun.reflect.GeneratedMethodAccessor686.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
01:36:06,532 WARN [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=salesforce, clientId=https://saml.salesforce.com, userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, auth_method=saml, redirect_uri=https://jason-dev-ed.my.salesforce.com?so=00D62000005vWGB, code_id=96d4d981-decd-47ed-ae08-09dfa5c6d6f4

Any idea how to disable the username/password prompt during the login and force keycloak to use configured identity brokers?
Also, in case I have multiple external IdPs configured as identity brokers in my keycloak instance, is there any way to inform keycloak to use a particular external IdP (broker)? I know we can use the kc_idp_hint parameter. This will be helpful during IdP-initiated SSO, but in case it is an SP-initiated SSO, how can we specify the default external IdP?

Thanks!

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mstrukel at redhat.com Wed Feb 15 09:57:22 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 15 Feb 2017 15:57:22 +0100
Subject: [keycloak-user] REST APIs: Get a list of users by custom attribute value

There is no support for this in the Admin REST API. You could in principle create a custom endpoint where you can implement such functionality. See https://github.com/keycloak/keycloak/tree/2.5.3.Final/examples/providers/rest for an example.

You'd have to make sure to protect your endpoint so it's only accessible to the admin client. See how the /users endpoint does this: https://github.com/keycloak/keycloak/blob/2.5.3.Final/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L674

Since the actual querying for users is performed based on a storage mechanism (there are multiple different implementations of UserQueryProvider: JpaUserProvider, LDAPStorageProvider), you'd have to extend those using Keycloak SPIs and tweak the server configuration so that your implementations are used.

On Wed, Feb 15, 2017 at 2:09 PM, Ori Doolman wrote:
> Hello,
> I configured the users to contain a custom attribute, X.
> Now, I need to query KC for all the users that have attribute X with the value Y.
>
> The REST API allows querying for a list of users by:
>
> GET /admin/realms/{realm}/users
>
> Which returns a UserRepresentation array.
>
> However, it only allows searching/filtering by a string contained in the username, first or last name, or email.
>
> Is there any way to select users by their attribute values?
>
>
> Thanks,
> Ori.
>
> This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, which you may review at http://www.amdocs.com/email_disclaimer.asp

From dradzikowski at bluesoft.net.pl Wed Feb 15 10:59:53 2017
From: dradzikowski at bluesoft.net.pl (Daniel Radzikowski)
Date: Wed, 15 Feb 2017 16:59:53 +0100
Subject: [keycloak-user] New authenticator with CompletableFuture as the only authenticating factor

Hi,

I'm trying to implement a new authenticator for Mobile Connect. It is a bit unusual flow, where the first method *void authenticate(AuthenticationFlowContext context)*, before returning a challenge, calls a REST API, which prompts the user's mobile phone with a 'Click OK' button. This API call waits until the user clicks OK (or times out), so in order not to block the request, it is wrapped in a CompletableFuture and the login page (with no inputs) is immediately returned to the browser (the browser shouldn't wait for the API call result).

The problem is when the CompletableFuture is completed and calls a callback. It's the place where the authentication should occur, but I don't have any idea how to do it. The only authenticating factor is the OK response from this API. Can I set the authentication somehow, bypassing the whole processor (calling method *action(AuthenticationFlowContext context)* on its way)? I thought I would eventually call the *action* from the browser (with ajax) and only check if the session is already created.
The only thing that I can pass to the callback is the AuthenticationFlowContext data obtained from the first *action(AuthenticationFlowContext context)* call. Is there any way to do it?

--
Regards,
Daniel Radzikowski.

From psiroky at redhat.com Wed Feb 15 12:18:48 2017
From: psiroky at redhat.com (Petr Široký)
Date: Wed, 15 Feb 2017 18:18:48 +0100
Subject: [keycloak-user] Logout issue: UT000021: Session already invalidated with EAP7/WF10 adapter
In-Reply-To: <7d6a7353-bed9-ebc5-0764-ac176901998f@redhat.com>
References: <5c9e386d-79e7-3009-9201-f03de775f5c2@redhat.com> <7d6a7353-bed9-ebc5-0764-ac176901998f@redhat.com>
Message-ID: <4ae9e35c-f301-384e-d64a-cd7f67c51f00@redhat.com>

Just to follow up. The root cause of this issue is a bug in Undertow, which has been fixed for UT 1.4.7.Final. The workaround is to catch the IllegalStateException coming from session.invalidate().

Petr

On 02/04/2017 05:31 PM, Petr Široký wrote:
> The exception does not come from the Keycloak adapter code (which does the first session.invalidate()), but rather from our code which calls the session.invalidate() again (after calling the request.logout()). I am not saying this is necessarily a bug in Keycloak (calling session.invalidate() as part of request.logout()), I am just trying to figure out where the issue is.
>
>
> On 02/04/2017 12:10 AM, Bill Burke wrote:
>> Log a jira. We should probably just wrap session.invalidate() to make sure no exception percolates up.
>>
>>
>> On 2/3/17 11:50 AM, Petr Široký wrote:
>>> Hello everyone,
>>>
>>> I am having a logout issue when using the EAP7/WF10 adapter (2.5.1.Final) with EAP 7.0.0.GA. The server is RH-SSO 7.0.0.GA (but I also tried the upstream Keycloak 2.5.1.Final).
>>>
>>> This is a simplified version of the code (full reproducer here: https://github.com/psiroky/servlet-app-keycloak-reproducer):
>>>
>>> public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
>>>     ....
>>>     request.logout();
>>>     HttpSession session = request.getSession(false);
>>>     if (session != null) {
>>>         session.invalidate();
>>>     }
>>>     ...
>>> }
>>>
>>> The code first calls request.logout() and then session.invalidate(). This works OK when we are _not_ using the Keycloak adapter. However, once we switch to the Keycloak adapter we end up with "java.lang.IllegalStateException: UT000021: Session already invalidated". I've been debugging the calls and it happens because the request.logout() bubbles down to the Keycloak adapter code, which calls session.invalidate() as well. For some reason (bug in Undertow/EAP?) the request.getSession(false) then returns what seems to be a valid session (the invalidated flag=false). The session.invalidate() call happens again, but the session was in fact already invalidated and thus Undertow throws that IllegalStateException.
>>>
>>> Please note that exactly the same code works on EAP 6 (+ EAP6 adapter). The session also gets invalidated as part of logout(), but then the request.getSession(false) returns null, so the second call to invalidate() does not happen (this kind of points to Undertow as the culprit).
>>>
>>> I am trying to figure out what the root cause is:
>>>
>>> 1) Our application should _not_ call both request.logout() and then session.invalidate() (even though it works for EAP6 and also with e.g. basic auth without the Keycloak integration)
>>>
>>> 2) Keycloak adapter should not call session.invalidate() as part of request.logout()
>>>
>>> 3) Undertow does not properly propagate the invalidate() call by the Keycloak adapter.
>>>
>>> 4) Something completely different?
>>>
>>>
>>> Thanks,
>>> Petr

From bburke at redhat.com Wed Feb 15 14:43:22 2017
From: bburke at redhat.com (Bill Burke)
Date: Wed, 15 Feb 2017 14:43:22 -0500
Subject: [keycloak-user] New authenticator with CompletableFuture as the only authenticating factor
Message-ID: <59d63dee-1ac9-a068-4784-6e742458068c@redhat.com>

We don't support async HTTP. So you either need to block or have your login page poll. If you poll, then your async callback is gonna have to re-create a KeycloakSession object. I suggest you have your authenticate() method check to see if a clientSession attribute is set or not and have the callback locate the clientSession and set this variable. Hope I'm making sense.

On 2/15/17 10:59 AM, Daniel Radzikowski wrote:
> Hi,
>
> I'm trying to implement a new authenticator for Mobile Connect. It is a bit unusual flow, where the first method *void authenticate(AuthenticationFlowContext context)*, before returning a challenge, calls a REST API, which prompts the user's mobile phone with a 'Click OK' button. This API call waits until the user clicks OK (or times out), so in order not to block the request, it is wrapped in a CompletableFuture and the login page (with no inputs) is immediately returned to the browser (the browser shouldn't wait for the API call result).
>
> The problem is when the CompletableFuture is completed and calls a callback.
> It's the place where the authentication should occur, but I don't have any idea how to do it. The only authenticating factor is the OK response from this API. Can I set the authentication somehow, bypassing the whole processor (calling method *action(AuthenticationFlowContext context)* on its way)? I thought I would eventually call the *action* from the browser (with ajax) and only check if the session is already created. The only thing that I can pass to the callback is the AuthenticationFlowContext data obtained from the first *action(AuthenticationFlowContext context)* call.
> Is there any way to do it?
>

From chris.savory at edlogics.com Wed Feb 15 15:38:22 2017
From: chris.savory at edlogics.com (Chris Savory)
Date: Wed, 15 Feb 2017 20:38:22 +0000
Subject: [keycloak-user] Identity Brokering Question
Message-ID: <8B82CBF3-00B5-4A3B-82F9-028DCFBB6692@edlogics.com>

Is it possible to set up multiple Keycloak realms as an identity broker to a single realm? For example, we have a site that is multi-tenant and users are in different realms. Each site will connect to realm A, B, or C depending on where the user goes to log in. I want to build a micro-service that is available to serve authenticated requests from all the sites. So, can I set up a realm D that will accept bearer tokens from realms A, B or C?

--
Christopher Savory
Software Engineer | EdLogics

From palermo at pobox.com Wed Feb 15 17:09:33 2017
From: palermo at pobox.com (Bruno Palermo)
Date: Wed, 15 Feb 2017 20:09:33 -0200
Subject: [keycloak-user] EntityManager and JpaEntityProvider SPI Error
Message-ID: <5af2c9e2-33d6-113e-b774-005045c8a886@pobox.com>

Hi,

I've implemented a custom resource using the ResourceProvider SPI and a custom JPA entity using the JpaEntityProvider SPI.
If I try to import an EntityManager inside my custom resource, using:

EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();

when I try to access it, I receive the following error:

*Stack Trace*
java.lang.NoClassDefFoundError: javax/persistence/EntityManager
    java.lang.Class.getDeclaredMethods0(Native Method)
    java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
    java.lang.Class.getDeclaredMethods(Class.java:1975)
    org.jboss.resteasy.util.GetRestful.hasJAXRSAnnotations(GetRestful.java:109)
    org.jboss.resteasy.util.GetRestful.isSubResourceClass(GetRestful.java:38)
    org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:121)
    org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    java.lang.Thread.run(Thread.java:745)

If I remove the EntityManager code, the resource works fine.

Any ideas?

Thanks,
Bruno

From adam.keily at adelaide.edu.au Wed Feb 15 17:21:42 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Wed, 15 Feb 2017 22:21:42 +0000
Subject: [keycloak-user] Force Keycloak to use external IdP as authentication mechanism

It probably depends on how many IdPs you want to support. If you only have one, you can enable the setting in the IdP configuration for 'Authenticate by Default'. This will bypass the local login. You'll need to modify/copy the first broker login auth flow to create the user upon successful auth. Otherwise you'll get a failed login. Probably doesn't answer all your questions, but hope it helps.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Jason B
Sent: Wednesday, 15 February 2017 8:18 PM
To: keycloak-user
Subject: [keycloak-user] Force Keycloak to use external IdP as authentication mechanism

We have a requirement to disable local login (username/password) and allow login through IdPs configured in the Identity broker. To test this scenario I have configured Salesforce as SP and Keycloak as IdP. And in the IdP (Keycloak) I disabled "Forms" based login and configured an external IdP as identity broker. But this configuration is resulting in an "Invalid username or password." error in Keycloak.
In the logs I observed the following stack trace.

[snip]

Any idea how to disable
the username/password prompt during the login and force keycloak to use the configured identity brokers? Also, in case I have multiple external IdPs configured as identity brokers in my keycloak instance, is there any way to inform keycloak to use a particular external IdP (broker)? I know we can use the kc_idp_hint parameter. This will be helpful during IdP-initiated SSO, but in case it is an SP-initiated SSO, how can we specify the default external IdP?

Thanks!

From Ori.Doolman at amdocs.com Wed Feb 15 17:32:21 2017
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Wed, 15 Feb 2017 22:32:21 +0000
Subject: [keycloak-user] mapper for client_session, clientid, clientAddress

Hi,

I am using KC 2.4 and the OIDC implicit flow with a public client. In the client mapper, I have the following claims mapped and enabled for the Access Token: client_session, clientid, clientAddress. However, they don't return as part of the token. Other claims don't have this problem. I noticed that all of those 3 claims are of type 'User Session Note'. Is this related to the fact that my client is public? Is there any way to get those properties into the access token? I need, for logging purposes, to get a unique session ID and client information (name + IP address).

Thanks,
Ori.

From gaalvarez0910 at gmail.com Wed Feb 15 18:03:58 2017
From: gaalvarez0910 at gmail.com (Gustavo Alvarez)
Date: Wed, 15 Feb 2017 23:03:58 +0000
Subject: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization

Hello everyone.
I am developing a web application with Angular 2 on the front end and JAX-RS services on the backend. I also need authorization with user roles, but I have the following problems:

1. The recommendation in the documentation is to establish the Angular client as public, which means that the authorization cannot go here.
2. If the backend is set as a confidential client, the service cannot be consumed from Angular 2 with the bearer token.
3. If the backend is configured as a bearer-only client, the roles are not validated on the authorization defined in Keycloak.

Can you help me find a better configuration for this environment?

Thank you all.
Gaalvarez.

From andrewrdwyer at gmail.com Wed Feb 15 19:04:20 2017
From: andrewrdwyer at gmail.com (andrew dwyer)
Date: Thu, 16 Feb 2017 10:34:20 +1030
Subject: [keycloak-user] Initial Access Tokens disappear on Keycloak server restart

I've run into the issue of initial access tokens disappearing after I restart my standalone Keycloak server. I've confirmed this issue still occurs on the latest release (2.5.1.Final). I can see that this issue has been logged previously (https://issues.jboss.org/browse/KEYCLOAK-3708) but is still unresolved. We're keen to get this fixed and I'd like to help if I can. Can anyone suggest why this occurs?

Thanks
Andrew Dwyer

From olivier.lievre at altran.com Thu Feb 16 04:35:15 2017
From: olivier.lievre at altran.com (LIEVRE Olivier)
Date: Thu, 16 Feb 2017 09:35:15 +0000
Subject: [keycloak-user] Export
In-Reply-To: <20161213144134.GB13218@abstractj.org>
References: <20161208113504.GE17975@abstractj.org> <20161213144134.GB13218@abstractj.org>
Message-ID: <5E0EBD68B410924EADA89C5CBD233CD06475E766@XMB-DCFR-35.europe.corp.altran.com>

Hello,

I had the same issue with version 2.5.1.Final, and resolved it by adding jpa in the subsystem keycloak-server of the configuration file (standalone.xml). In the Keycloak overlay delivery, this info is missing in default-keycloak-subsys-config.cli.
KR,
Olivier

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Bruno Oliveira
Sent: Tuesday, 13 December 2016 15:42
To: Brian Schwartz
Cc: keycloak-user
Subject: Re: [keycloak-user] Export

That's odd, I could not reproduce your issue. What I did was:

- Export:
  bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=myrealm.json

- Import:
  bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=myrealm.json

I'm attaching my json file to make sure we're talking about the same thing.

On 2016-12-08, Brian Schwartz wrote:
> The command I ran to get the error is below. Before that, I downloaded a fresh copy of keycloak 2.4.0.final standalone, started it up, and entered my configuration. I have one realm other than the master. It used identity brokering oidc 1.0. I have one simple public oidc client.
>
> On Dec 8, 2016 5:35 AM, "Bruno Oliveira" wrote:
>
> > Hi Brian, do you have the steps to reproduce the issue? I never had such a problem.
> >
> > On 2016-12-07, Brian Schwartz wrote:
> > > Is the keycloak export functionality broken since the last couple of versions?
> > >
> > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/export-import.html
> > >
> > > I run this command:
> > >
> > > ./standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=demokeycloak.json
> > >
> > > I get this error:
> > >
> > > 14:00:33,664 INFO  [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (ServerService Thread Pool -- 48) Exporting model into file /Users/xxxx/Downloads/keycloak-2.4.0.Final/bin/demokeycloak.json
> > > 14:00:34,163 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
> > > 14:00:34,222 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
> > > 14:00:34,267 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
> > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> > >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > >     at java.lang.Thread.run(Thread.java:745)
> > >     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> > > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > >     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
> > >     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
> > >     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
> > >     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
> > >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
> > >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> > >     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> > >     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
> > >     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> > >     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
> > >     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
> > >     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
> > >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
> > >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
> > >     ... 6 more
> > > Caused by: java.lang.NullPointerException
> > >     at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:431)
> > >     at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:428)
> > >     at java.util.TimSort.countRunAndMakeAscending(TimSort.java:356)
> > >     at java.util.TimSort.sort(TimSort.java:220)
> > >     at java.util.Arrays.sort(Arrays.java:1512)
> > >     at java.util.ArrayList.sort(ArrayList.java:1454)
> > >     at java.util.Collections.sort(Collections.java:175)
> > >     at org.keycloak.models.utils.ModelToRepresentation.exportAuthenticationFlows(ModelToRepresentation.java:428)
> > >     at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:372)
> > >     at org.keycloak.exportimport.util.ExportUtils.exportRealm(ExportUtils.java:87)
> > >     at org.keycloak.exportimport.singlefile.SingleFileExportProvider$1.runExportImportTask(SingleFileExportProvider.java:65)
> > >     at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:35)
> > >     at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:236)
> > >     at org.keycloak.exportimport.singlefile.SingleFileExportProvider.exportModel(SingleFileExportProvider.java:58)
> > >     at org.keycloak.exportimport.ExportImportManager.runExport(ExportImportManager.java:102)
> > >     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:149)
> > >     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> > >     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> > >     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> > >     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> > >     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
> > >     ... 19 more
> > >
> > > This has not worked for me since version 2.1.0.
> > >
> > > I'm currently using version 2.4.0.Final.
> > >
> > > Thanks
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
>

--
abstractj
PGP: 0x84DC9914

From dev.ebondu at gmail.com Thu Feb 16 04:43:13 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Thu, 16 Feb 2017 02:43:13 -0700 (MST)
Subject: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
In-Reply-To:
References:
Message-ID: <1487238193262-2768.post@n6.nabble.com>

Hi,

Same scenario for me but with spring as backend and I use two separate realm clients:
- the website client is "public" to allow login + page management by using the user's realm role
- the backend client is "confidential" with resources authorization/management
From the app, accessing a protected resource is a 3-step process: try to access the protected resource with the token obtained during login; if denied by the backend, use the returned WWW-Authenticate header to get an updated access token from the authorization service; access the protected resource with the new token.

I guess it is not possible to get a better conf if you need fine-grained authz

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-JAX-RS-Backend-Service-Angular-2-Front-End-Role-Authorization-tp2765p2768.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From bg_ie at yahoo.com Thu Feb 16 05:30:29 2017
From: bg_ie at yahoo.com (Harry Griff)
Date: Thu, 16 Feb 2017 10:30:29 +0000 (UTC)
Subject: [keycloak-user] How do I fetch a token via javascript
References: <2081441315.561443.1487241029506.ref@mail.yahoo.com>
Message-ID: <2081441315.561443.1487241029506@mail.yahoo.com>

I'm doing a Proof of Concept and want to be automatically logged in when I start my webapp. Therefore I am trying to get my token via:

fetch("http://localhost:8082/auth/realms/mine/protocol/openid-connect/token?client_id=mine_web&username=me&password=me&grant_type=password", {
    method: "POST"
})
.then(function (response) {
    return response.text();
})
.then(function (text) {
    console.log('Request successful', text.length, text);
})
.catch(function (error) {
    console.log('Request failed', error)
});

But I am getting the error:

POST http://localhost:8082/auth/realms/mine/protocol/openid-connect/token?client_id=mine_web&username=me&password=me&grant_type=password 400 (Bad Request)
localhost/:1 Fetch API cannot load http://localhost:8082/auth/realms/mine/protocol/openid-connect/token?client_id=mine_web&username=me&password=me&grant_type=password. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:18080' is therefore not allowed access. The response had HTTP status code 400. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
bundle.js:24422 Request failed TypeError: Failed to fetch

Chrome is also reporting:

{"error":"invalid_request","error_description":"Missing form parameter: grant_type"}

I tried this using curl and got the expected response:

curl --data "client_id=mine_web&username=me&password=me&grant_type=password" http://localhost:8082/auth/realms/mine/protocol/openid-connect/token

How should I configure keycloak to get this to work?

From mstrukel at redhat.com Thu Feb 16 08:05:57 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 16 Feb 2017 14:05:57 +0100
Subject: [keycloak-user] Initial Access Tokens disappear on Keycloak server restart
In-Reply-To:
References:
Message-ID:

As the JIRA hints, you should be able to work around this issue by setting up a cluster of two instances of Keycloak. In that case restarting one, waiting for the cluster to resync, then restarting the other one should keep the Initial Access Tokens alive. You can upvote the JIRA to give it greater urgency.

On Thu, Feb 16, 2017 at 1:04 AM, andrew dwyer wrote:
> I've run into the issue of initial access tokens disappearing after I restart my standalone keycloak server. I've confirmed this issue still occurs on the latest release (2.5.1.Final).
>
> I can see that this issue has been logged previously (https://issues.jboss.org/browse/KEYCLOAK-3708) but is still unresolved. We're keen to get this fixed and I'd like to help if I can. Can anyone suggest why this occurs?
>
> Thanks
>
> Andrew Dwyer
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sven.thoms at gmail.com Thu Feb 16 08:41:23 2017
From: sven.thoms at gmail.com (Sven Thoms)
Date: Thu, 16 Feb 2017 14:41:23 +0100
Subject: [keycloak-user] dynamic client registration call idempotency
Message-ID:

When registering a client dynamically at the well-known registration endpoint:

http://keycloak.domain/auth/realms/myrealm/clients-registrations/openid-connect

with a given name, the clientId and id returned are assigned a unique ID, e.g.

id: "fa8eeac6-0fb3-4fa4-8a1b-7c1d091001dc"
clientId: "fa8eeac6-0fb3-4fa4-8a1b-7c1d091001dc"
name: "test_client"

Is there a particular reason that within the same realm, when using OIDC dynamic client registration, registration calls to the URL above are not idempotent? When I make a client registration multiple times using the same client name, I end up getting many instances of the same client, making per-client management of permissions, roles, resources etc. tedious.

Furthermore, when querying the Admin REST interface for all clients, no client_id_issued_at field indicating a timestamp is present, so determining which client is the latest one given same names is not possible either.

This behavior breaks our automation pipeline.

From gaalvarez0910 at gmail.com Thu Feb 16 12:12:06 2017
From: gaalvarez0910 at gmail.com (Gustavo Alvarez)
Date: Thu, 16 Feb 2017 17:12:06 +0000
Subject: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
Message-ID:

Hello Ebondu. Thanks for your response. Can you tell me whether you use the provided Keycloak JavaScript adapter, or whether another implementation is necessary for the process you describe? Thanks. Gaalvarez.
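Two of the questions earlier in this thread, Harry Griff's fetch() call to the token endpoint and the three-step WWW-Authenticate flow ebondu describes, can be shown with a little browser JavaScript. The block below is an added example, not code from either poster or from the Keycloak project. It reuses the token URL, client id and credentials from Harry's message, and it assumes the authorization challenge carries its parameters as UMA realm="...", as_uri="...", ticket="..." (the parameter names are an assumption here; check what your Keycloak version actually returns). The fetch implementation and the token-upgrade hook are injected so the flow can be exercised without a server.

```javascript
// Added example (not from the keycloak-user thread): two helpers for talking to
// Keycloak endpoints from browser JavaScript with fetch().
//
// 1. buildPasswordGrantRequest(): the token endpoint reads grant_type, client_id,
//    username and password from a form-encoded POST body. Putting them in the
//    query string, as the question does, yields "Missing form parameter:
//    grant_type"; the CORS error seen alongside it is the browser refusing that
//    400 response because the Keycloak client has no matching Web Origin.
// 2. fetchWithUmaRetry(): the three-step flow from the thread: call the resource
//    with the login token, on 401 read the WWW-Authenticate challenge, get an
//    upgraded token from the authorization server, retry once.
//
// Realm, client id and URLs are taken from the thread; the challenge format
// (UMA realm=..., as_uri=..., ticket=...) is an assumption.

const TOKEN_URL = "http://localhost:8082/auth/realms/mine/protocol/openid-connect/token";

// Build the password-grant request with the parameters in a form-encoded body
// (what `curl --data` did) and nothing sensitive in the URL.
function buildPasswordGrantRequest(tokenUrl, clientId, username, password) {
  const body = new URLSearchParams({
    grant_type: "password",
    client_id: clientId,
    username,
    password,
  });
  return {
    url: tokenUrl,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Parse a challenge such as
//   UMA realm="mine", as_uri="http://localhost:8082/auth/realms/mine", ticket="abc"
// into { scheme: "UMA", params: { realm, as_uri, ticket } }; null if unparseable.
function parseWwwAuthenticate(header) {
  const m = /^\s*(\S+)\s*(.*)$/.exec(header || "");
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z_]+)\s*=\s*"([^"]*)"/g;
  let kv;
  while ((kv = re.exec(m[2])) !== null) params[kv[1]] = kv[2];
  return { scheme: m[1], params };
}

// fetchImpl: window.fetch in the browser, a stub in tests.
// getUpgradedToken(challenge): caller's hook that exchanges the challenge
// (ticket, as_uri) for a new token at the authorization server; returns a
// string token or a falsy value when the exchange fails.
async function fetchWithUmaRetry(fetchImpl, url, accessToken, getUpgradedToken) {
  const withToken = (t) => fetchImpl(url, { headers: { Authorization: "Bearer " + t } });
  let resp = await withToken(accessToken);           // step 1: the login token
  if (resp.status !== 401) return resp;
  const challenge = parseWwwAuthenticate(resp.headers.get("WWW-Authenticate"));
  if (!challenge || challenge.scheme !== "UMA") return resp; // not an authz challenge
  const upgraded = await getUpgradedToken(challenge); // step 2: updated token
  if (!upgraded) return resp;
  return withToken(upgraded);                        // step 3: retry once, never loop
}
```

buildPasswordGrantRequest moves the credentials out of the query string into the body, which is exactly what the curl --data call in the question does. The CORS failure is a separate setting: the browser only accepts the response when the mine_web client lists http://localhost:18080 under Web Origins, and the Direct Access Grants switch has to be enabled on the client for the password grant to be accepted at all. Keep this grant to the proof of concept it was written for; a browser app that handles the user's password gains nothing over the redirect-based login the keycloak-js adapter already implements.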
From dev.ebondu at gmail.com Thu Feb 16 12:59:16 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Thu, 16 Feb 2017 10:59:16 -0700 (MST)
Subject: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
In-Reply-To:
References:
Message-ID: <1487267956593-2773.post@n6.nabble.com>

Hi,

On the client side, I use a custom lib I developed, angular2-keycloak, which is based on the official keycloak-js. On the server side, I use the official Spring adapter.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-JAX-RS-Backend-Service-Angular-2-Front-End-Role-Authorization-tp2765p2773.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From RLewis at carbonite.com Thu Feb 16 13:38:04 2017
From: RLewis at carbonite.com (Reed Lewis)
Date: Thu, 16 Feb 2017 18:38:04 +0000
Subject: [keycloak-user] Using Keycloak on Linux with A Microsoft SQL server
Message-ID: <75EEC384-36EB-4DE3-AE06-3F212663923D@carbonite.com>

Has anyone configured Keycloak to use Microsoft SQL server where Keycloak is running on a linux machine? I can make it work correctly with Postgres, but cannot get it to work with Microsoft SQL.

Here is my part of the standalone-ha.xml file:

jdbc:sqlserver://(IP ADDRESS):1433;databaseName=keycloak
sqlserver
username
password
com.microsoft.sqlserver.jdbc.SQLServerXADataSource

and here is where I use the datasource.

and I am using JDBC_PING to handle multiple systems since the environment I want to use does not support multicast.

java:/MSSQLDS

CREATE TABLE IF NOT EXISTS jgroupsping (
    own_addr VARCHAR(200) NOT NULL,
    cluster_name VARCHAR(200) NOT NULL,
    ping_data BYTEA DEFAULT NULL,
    PRIMARY KEY (own_addr, cluster_name)
)

And this is the error when I start it up.
13:39:48,758 WARN  [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (MSC service thread 1-6) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:343)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:350)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:285)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1319)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:496)
    at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:626)
    at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:598)
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:590)
    at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:429)
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:747)
    at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
    at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:66)
    at org.jgroups.protocols.JDBC_PING.getConnection(JDBC_PING.java:348)
    at org.jgroups.protocols.JDBC_PING.attemptSchemaInitialization(JDBC_PING.java:298)
    at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:130)
    at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:860)
    at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:481)
    at org.jgroups.JChannel.init(JChannel.java:853)
    at org.jgroups.JChannel.<init>(JChannel.java:159)
    at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:95)
    at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:92)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:636)
    at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98)
    at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4098)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3160)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:43)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:3123)
    at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7505)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2445)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1981)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1628)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1459)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:773)
    at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1168)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:319)
    ... 28 more
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter from [Module "com.microsoft:main" from local module loader @66133adc (finder: local module finder @7bfcd12c (roots: /opt/keycloak/modules,/opt/keycloak/modules/system/layers/keycloak,/opt/keycloak/modules/system/layers/base))]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
    ... 40 more

13:39:48,760 ERROR [org.jgroups.protocols.JDBC_PING] (MSC service thread 1-6) Could not open connection to database: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/MSSQLDS
    at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
    at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:66)
    at org.jgroups.protocols.JDBC_PING.getConnection(JDBC_PING.java:348)
    at org.jgroups.protocols.JDBC_PING.attemptSchemaInitialization(JDBC_PING.java:298)
    at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:130)
    at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:860)
    at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:481)
    at org.jgroups.JChannel.init(JChannel.java:853)
    at org.jgroups.JChannel.<init>(JChannel.java:159)
    at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:95)
    at org.jboss.as.clustering.jgroups.JChannelFactory$1.run(JChannelFactory.java:92)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:636)
    at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98)
    at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/MSSQLDS
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:656)
    at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:429)
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:747)
    at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
    ... 18 more
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:343)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:350)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:285)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1319)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:496)
    at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:626)
    at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:598)
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:590)
    ... 21 more
Caused by: java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4098)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3160)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:43)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:3123)
    at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7505)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2445)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1981)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1628)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1459)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:773)
    at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1168)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:319)
    ... 28 more
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter from [Module "com.microsoft:main" from local module loader @66133adc (finder: local module finder @7bfcd12c (roots: /opt/keycloak/modules,/opt/keycloak/modules/system/layers/keycloak,/opt/keycloak/modules/system/layers/base))]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
    ... 40 more

From gaalvarez0910 at gmail.com Thu Feb 16 14:52:47 2017
From: gaalvarez0910 at gmail.com (Gustavo Alvarez)
Date: Thu, 16 Feb 2017 19:52:47 +0000
Subject: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
Message-ID:

Thanks for this valuable information. I will try using your lib. I tried with the official js connector and the example for angular 2, and I get an error in the backend if this is configured as confidential, when it sends a request to a protected resource with a bearer token. Is this way of sending the token to the backend server incorrect? Thank you so much. Gaalvarez.

From adam.keily at adelaide.edu.au Thu Feb 16 17:08:34 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Thu, 16 Feb 2017 22:08:34 +0000
Subject: [keycloak-user] Keycloak Authorization with SaaS
Message-ID:

Hi Guys,

Just wondering if it's possible to implement any keycloak authorization controls for a SaaS app scenario where we don't have the ability to modify the application?

e.g. We want to allow or deny access to an application based on role but no code can be added to the app.

From bburke at redhat.com Thu Feb 16 18:16:11 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 16 Feb 2017 18:16:11 -0500
Subject: [keycloak-user] Keycloak Authorization with SaaS
In-Reply-To:
References:
Message-ID:

See Keycloak Proxy. We haven't really touched that code in years though. Instead we're recommending you proxy your app using Apache + mod-auth-mellon (SAML) or mod-auth-openidc (OIDC).

On 2/16/17 5:08 PM, Adam Keily wrote:
> Hi Guys,
>
> Just wondering if it's possible to implement any keycloak authorization controls for a SaaS app scenario where we don't have the ability to modify the application?
>
> e.g. We want to allow or deny access to an application based on role but no code can be added to the app.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From andy.stebbing at adelaide.edu.au Thu Feb 16 19:38:28 2017
From: andy.stebbing at adelaide.edu.au (Andy Stebbing)
Date: Fri, 17 Feb 2017 00:38:28 +0000
Subject: [keycloak-user] Keycloak Authorization with SaaS
In-Reply-To:
References:
Message-ID: <1487291914.3093.1.camel@adelaide.edu.au>

Is it possible to use an SPI component to handle at least coarse-grained authorisation? Can it intercept the authentication to check the policy via the API?

cheers
andy

On Thu, 2017-02-16 at 18:16 -0500, Bill Burke wrote:
> See Keycloak Proxy. We haven't really touched that code in years though. Instead we're recommending you proxy your app using Apache + mod-auth-mellon (SAML) or mod-auth-openidc (OIDC).
>
>
> On 2/16/17 5:08 PM, Adam Keily wrote:
> >
> > Hi Guys,
> >
> > Just wondering if it's possible to implement any keycloak authorization controls for a SaaS app scenario where we don't have the ability to modify the application?
> >
> > e.g. We want to allow or deny access to an application based on role but no code can be added to the app.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mstrukel at redhat.com Fri Feb 17 04:05:01 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Fri, 17 Feb 2017 10:05:01 +0100
Subject: [keycloak-user] Using Keycloak on Linux with A Microsoft SQL server
In-Reply-To: <75EEC384-36EB-4DE3-AE06-3F212663923D@carbonite.com>
References: <75EEC384-36EB-4DE3-AE06-3F212663923D@carbonite.com>
Message-ID:

It looks like the module for your MS SQL jdbc driver lacks visibility of javax.xml.bind classes. Try adding the dependency on module 'javax.xml.bind.api' to your MSSQL jdbc driver module. In module.xml of the driver module simply add:

On Thu, Feb 16, 2017 at 7:38 PM, Reed Lewis wrote:
> Has anyone configured Keycloak to use Microsoft SQL server where Keycloak is running on a linux machine? I can make it work correctly with Postgres, but cannot get it to work with Microsoft SQL.
>
> Here is my part of the standalone-ha.xml file:
>
> enabled="true">
> jdbc:sqlserver://(IP ADDRESS):1433;databaseName=keycloak
> sqlserver
> username
> password
> </valid-connection-checker>
> com.microsoft.sqlserver.jdbc.SQLServerXADataSource
>
> and here is where I use the datasource.
>
> value="${jboss.home.dir}/keycloak-database-update.sql"/>
>
> and I am using JDBC_PING to handle multiple systems since the environment I want to use does not support multicast.
>
> java:/MSSQLDS
>
> CREATE TABLE IF NOT EXISTS jgroupsping (
>     own_addr VARCHAR(200) NOT NULL,
>     cluster_name VARCHAR(200) NOT NULL,
>     ping_data BYTEA DEFAULT NULL,
>     PRIMARY KEY (own_addr, cluster_name)
> )
>
> And this is the error when I start it up.
> LocalManagedConnectionFactory.createLocalManagedConnection( > LocalManagedConnectionFactory.java:343) > at org.jboss.jca.adapters.jdbc.local. > LocalManagedConnectionFactory.getLocalManagedConnection( > LocalManagedConnectionFactory.java:350) > at org.jboss.jca.adapters.jdbc.local. > LocalManagedConnectionFactory.createManagedConnection( > LocalManagedConnectionFactory.java:285) > at org.jboss.jca.core.connectionmanager.pool.mcp. > SemaphoreConcurrentLinkedDequeManagedConnectionPool. > createConnectionEventListener(SemaphoreConcurrentLinkedDeque > ManagedConnectionPool.java:1319) > at org.jboss.jca.core.connectionmanager.pool.mcp. > SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection( > SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:496) > at org.jboss.jca.core.connectionmanager.pool.AbstractPool. > getSimpleConnection(AbstractPool.java:626) > at org.jboss.jca.core.connectionmanager.pool. > AbstractPool.getConnection(AbstractPool.java:598) > at org.jboss.jca.core.connectionmanager. > AbstractConnectionManager.getManagedConnection(AbstractConnectionManager. > java:590) > ... 21 more > Caused by: java.lang.NoClassDefFoundError: javax/xml/bind/ > DatatypeConverter > at com.microsoft.sqlserver.jdbc. > SQLServerConnection.sendLogon(SQLServerConnection.java:4098) > at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon( > SQLServerConnection.java:3160) > at com.microsoft.sqlserver.jdbc. > SQLServerConnection.access$100(SQLServerConnection.java:43) > at com.microsoft.sqlserver.jdbc.SQLServerConnection$ > LogonCommand.doExecute(SQLServerConnection.java:3123) > at com.microsoft.sqlserver.jdbc. > TDSCommand.execute(IOBuffer.java:7505) > at com.microsoft.sqlserver.jdbc.SQLServerConnection. > executeCommand(SQLServerConnection.java:2445) > at com.microsoft.sqlserver.jdbc.SQLServerConnection. 
> connectHelper(SQLServerConnection.java:1981) > at com.microsoft.sqlserver.jdbc.SQLServerConnection.login( > SQLServerConnection.java:1628) > at com.microsoft.sqlserver.jdbc.SQLServerConnection. > connectInternal(SQLServerConnection.java:1459) > at com.microsoft.sqlserver.jdbc. > SQLServerConnection.connect(SQLServerConnection.java:773) > at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect( > SQLServerDriver.java:1168) > at org.jboss.jca.adapters.jdbc.local. > LocalManagedConnectionFactory.createLocalManagedConnection( > LocalManagedConnectionFactory.java:319) > ... 28 more > Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter > from [Module "com.microsoft:main" from local module loader @66133adc > (finder: local module finder @7bfcd12c (roots: /opt/keycloak/modules,/opt/ > keycloak/modules/system/layers/keycloak,/opt/keycloak/ > modules/system/layers/base))] > at org.jboss.modules.ModuleClassLoader.findClass( > ModuleClassLoader.java:198) > at org.jboss.modules.ConcurrentClassLoader. > performLoadClassUnchecked(ConcurrentClassLoader.java:363) > at org.jboss.modules.ConcurrentClassLoader. > performLoadClass(ConcurrentClassLoader.java:351) > at org.jboss.modules.ConcurrentClassLoader.loadClass( > ConcurrentClassLoader.java:93) > ... 40 more > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From strk at kbt.io Fri Feb 17 04:19:11 2017 From: strk at kbt.io (Sandro Santilli) Date: Fri, 17 Feb 2017 10:19:11 +0100 Subject: [keycloak-user] Node.js Adapter usage In-Reply-To: <20170209170236.GC24700@localhost> References: <20170209170236.GC24700@localhost> Message-ID: <20170217091911.GC13799@localhost> As I didn't receive any answer here, is I'm using the wrong mailing list ? Should I ask to developers rather than users ? 
--strk; On Thu, Feb 09, 2017 at 06:02:36PM +0100, Sandro Santilli wrote: > Hi all, I've just subscribed to this list as I'm working on adding keycloak > support in a node.js project. > > Unfortunately, following the instructions on [1] I was unable to pass > the `var keycloack = new Keycloak()` step, in that `Keycloak` class > is not defined. > > [1] https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/nodejs-adapter.html > > I guess I have to require the module, but when I try > `var Keycloak = require('keycloak-connect')` I get a failure message: > > /usr/src/akvo/akvo-maps/akvo-maps/images/tiler/server/node_modules/keycloak-connect/index.js:254 > .then(grant => { return this.grantManager.ensureFreshness(grant); }) > ^ > SyntaxError: Unexpected token > > at Module._compile (module.js:439:25) > at Object.Module._extensions..js (module.js:474:10) > at Module.load (module.js:356:32) > at Function.Module._load (module.js:312:12) > at Module.require (module.js:364:17) > at require (module.js:380:17) > at Object. (/usr/src/akvo/akvo-maps/akvo-maps/images/tiler/server/http/server.js:10:16) > at Module._compile (module.js:456:26) > at Object.Module._extensions..js (module.js:474:10) > at Module.load (module.js:356:32) > > This is with node-0.10 though, while node-4.2.6 does not complain there > (but does in another place). > > So, a few questions: > > 1. Where to report the lack of `require('keycloak-connect')` > instruction in the documentation ? > > 2. What's the least supported node version ? > > 3. Are there working examples I could look at ? > > Thanks in advance > > --strk; From Ori.Doolman at amdocs.com Fri Feb 17 04:25:18 2017 From: Ori.Doolman at amdocs.com (Ori Doolman) Date: Fri, 17 Feb 2017 09:25:18 +0000 Subject: [keycloak-user] customizing password policy Message-ID: Hi, I couldn't find any SPI for customizing the password policy. 
In addition to the existing options (lowercase characters, special characters etc.), I have an additional requirement - the password should not contain any dictionary words. I can still have it implemented using the Authenticator SPI - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html The drawback is that it will not be available for configuration from the regular realm Authentication -> Password Policy screen. Is that the proper way to go? Thanks, Ori. This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp From dev.ebondu at gmail.com Fri Feb 17 04:26:40 2017 From: dev.ebondu at gmail.com (ebondu) Date: Fri, 17 Feb 2017 02:26:40 -0700 (MST) Subject: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization In-Reply-To: References: Message-ID: <1487323600804-2782.post@n6.nabble.com> Is it a 401 error? In that case it is probably due to a wrong configuration? -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-JAX-RS-Backend-Service-Angular-2-Front-End-Role-Authorization-tp2765p2782.html Sent from the keycloak-user mailing list archive at Nabble.com. From sblanc at redhat.com Fri Feb 17 04:30:06 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 17 Feb 2017 10:30:06 +0100 Subject: [keycloak-user] Node.js Adapter usage In-Reply-To: <20170209170236.GC24700@localhost> References: <20170209170236.GC24700@localhost> Message-ID: On Thu, Feb 9, 2017 at 6:02 PM, Sandro Santilli wrote: > Hi all, I've just subscribed to this list as I'm working on adding keycloak > support in a node.js project. > > Unfortunately, following the instructions on [1] I was unable to pass > the `var keycloack = new Keycloak()` step, in that `Keycloak` class > is not defined.
> > [1] https://keycloak.gitbooks.io/securing-client-applications- > guide/content/topics/oidc/nodejs-adapter.html > > I guess I have to require the module, but when I try > `var Keycloak = require('keycloak-connect')` I get a failure message: > > /usr/src/akvo/akvo-maps/akvo-maps/images/tiler/server/node_ > modules/keycloak-connect/index.js:254 > .then(grant => { return this.grantManager.ensureFreshness(grant); }) > ^ > SyntaxError: Unexpected token > > at Module._compile (module.js:439:25) > at Object.Module._extensions..js (module.js:474:10) > at Module.load (module.js:356:32) > at Function.Module._load (module.js:312:12) > at Module.require (module.js:364:17) > at require (module.js:380:17) > at Object. (/usr/src/akvo/akvo-maps/akvo- > maps/images/tiler/server/http/server.js:10:16) > at Module._compile (module.js:456:26) > at Object.Module._extensions..js (module.js:474:10) > at Module.load (module.js:356:32) > > This is with node-0.10 though, while node-4.2.6 does not complain there > (but does in another place). > > So, a few questions: > > 1. Where to report the lack of `require('keycloak-connect')` > instruction in the documentation ? > You can open a ticket here : http://jira.jboss.com/jira/browse/KEYCLOAK > > 2. What's the least supported node version ? > Node 4.0.0 is the minimum required > > 3. Are there working examples I could look at ? > We have a quickstart here : https://github.com/keycloak/keycloak-quickstarts/tree/master/service-nodejs > > Thanks in advance > > --strk; > > () ASCII ribbon campaign -- Keep it simple ! 
> /\ https://strk.kbt.io/rants/ascii_mails.txt > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mstrukel at redhat.com Fri Feb 17 04:34:37 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 17 Feb 2017 10:34:37 +0100 Subject: [keycloak-user] Node.js Adapter usage In-Reply-To: <20170217091911.GC13799@localhost> References: <20170209170236.GC24700@localhost> <20170217091911.GC13799@localhost> Message-ID: It is the right list. People with knowledge about the node.js adapter might be busy :) Try exploring the code yourself to maybe get closer to what's wrong. On Fri, Feb 17, 2017 at 10:19 AM, Sandro Santilli wrote: > As I didn't receive any answer here, am I using the wrong > mailing list? Should I ask the developers rather than the users? > > --strk; From mstrukel at redhat.com Fri Feb 17 04:38:27 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 17 Feb 2017 10:38:27 +0100 Subject: [keycloak-user] Node.js Adapter usage In-Reply-To: References: <20170209170236.GC24700@localhost> <20170217091911.GC13799@localhost> Message-ID: Also, you can find a node.js example in our quickstarts: https://github.com/keycloak/keycloak-quickstarts/tree/master/service-nodejs From strk at kbt.io Fri Feb 17 04:54:40 2017 From: strk at kbt.io (Sandro Santilli) Date: Fri, 17 Feb 2017 10:54:40 +0100 Subject: [keycloak-user] Node.js Adapter usage In-Reply-To: References: <20170209170236.GC24700@localhost> Message-ID: <20170217095440.GA15158@localhost> On Fri, Feb 17, 2017 at 10:30:06AM +0100, Sebastien Blanc wrote: > On Thu, Feb 9, 2017 at 6:02 PM, Sandro Santilli wrote: > > 1.
Where to report the lack of `require('keycloak-connect')` > > instruction in the documentation ? > > > You can open a ticket here : http://jira.jboss.com/jira/browse/KEYCLOAK Done: https://issues.jboss.org/browse/KEYCLOAK-4443 > > 2. What's the least supported node version ? > > > Node 4.0.0 is the minimum required Encoded by merging this PR: https://github.com/keycloak/keycloak-nodejs-connect/pull/72 > > 3. Are there working examples I could look at ? > > > We have a quickstart here : > https://github.com/keycloak/keycloak-quickstarts/tree/master/service-nodejs Thanks ! --strk; From sthorger at redhat.com Fri Feb 17 05:48:31 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 17 Feb 2017 11:48:31 +0100 Subject: [keycloak-user] customizing password policy In-Reply-To: References: Message-ID: https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/policy/PasswordPolicySpi.java On 17 February 2017 at 10:25, Ori Doolman wrote: > Hi, > I couldn't find any SPI for customizing the password policy. > In addition to the exiting options (lowercase characters, special > characters etc.), I have an additional requirement - password should not > contain any dictionary words. > I can still have it implemented using the Authenticator SPI - > https://keycloak.gitbooks.io/server-developer-guide/ > content/topics/auth-spi.html > The drawback is that it will not be available for configuration from the > regular realm Authentication -> Password Policy screen. > > Is that the proper way to go? > > Thanks, > Ori. 
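What implementing that SPI can look like, as an added example (not Keycloak's code and not posted in this thread): a PasswordPolicyProvider that rejects passwords containing any word from an admin-entered deny-list, plus the factory whose getDisplayName() is what the Authentication -> Password Policy screen lists. The interface and class names (PasswordPolicyProvider, PasswordPolicyProviderFactory, PolicyError, PasswordPolicy.getPolicyConfig) are taken from Keycloak's server-spi-private of the 2.5/3.0 era and should be checked against the version in use; the package, class names, provider id and message key are this example's own.

```java
// Added example, not Keycloak's own code. In a real build these are two files
// (the public factory and the provider), and the factory is registered in
// META-INF/services/org.keycloak.policy.PasswordPolicyProviderFactory.
package org.example.policy; // hypothetical package

import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.policy.PasswordPolicyProvider;
import org.keycloak.policy.PasswordPolicyProviderFactory;
import org.keycloak.policy.PolicyError;

/** Factory: this is what the admin console offers under Authentication -> Password Policy. */
public class NoDictionaryWordsPolicyProviderFactory implements PasswordPolicyProviderFactory {

    public static final String ID = "noDictionaryWords"; // hypothetical provider id

    @Override public PasswordPolicyProvider create(KeycloakSession session) {
        return new NoDictionaryWordsPolicyProvider(session);
    }
    @Override public void init(Config.Scope config) {}
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}
    @Override public String getId() { return ID; }
    @Override public String getDisplayName() { return "No dictionary words"; }
    // The admin enters a single string value: a comma-separated deny-list.
    @Override public String getConfigType() { return PasswordPolicyProvider.STRING_CONFIG_TYPE; }
    @Override public String getDefaultConfigValue() { return "password,welcome,qwerty"; }
    // Only one instance of this policy per realm makes sense.
    @Override public boolean isMultiplSupported() { return false; }
}

/** Provider: validates one password against the realm's configured deny-list. */
class NoDictionaryWordsPolicyProvider implements PasswordPolicyProvider {

    private final KeycloakSession session;

    NoDictionaryWordsPolicyProvider(KeycloakSession session) {
        this.session = session;
    }

    /** Called when the realm's policy string is parsed; Keycloak caches the result per realm. */
    @Override public Object parseConfig(String value) {
        Set<String> words = new HashSet<>();
        if (value != null) {
            for (String w : value.split(",")) {
                String t = w.trim().toLowerCase(Locale.ROOT);
                if (!t.isEmpty()) words.add(t);
            }
        }
        return words;
    }

    @Override public PolicyError validate(RealmModel realm, UserModel user, String password) {
        // Assumption: the parsed config is looked up by provider id through
        // PasswordPolicy.getPolicyConfig, as the built-in length/digits providers do.
        Object cfg = realm.getPasswordPolicy().getPolicyConfig(NoDictionaryWordsPolicyProviderFactory.ID);
        @SuppressWarnings("unchecked")
        Set<String> words = cfg instanceof Set ? (Set<String>) cfg : Collections.<String>emptySet();
        return check(password, words);
    }

    @Override public PolicyError validate(String user, String password) {
        // Variant without a realm argument: use the realm of the current request.
        return validate(session.getContext().getRealm(), null, password);
    }

    /** Pure check, kept separate so it can be unit-tested without a Keycloak session. */
    static PolicyError check(String password, Set<String> denyWords) {
        if (password == null) return null; // blank/missing passwords are rejected elsewhere
        String lowered = password.toLowerCase(Locale.ROOT);
        for (String w : denyWords) {
            if (lowered.contains(w)) {
                // Message key only (add it to the login theme's messages bundle);
                // the matched word is deliberately not echoed back to the user.
                return new PolicyError("invalidPasswordContainsDictionaryWordMessage");
            }
        }
        return null; // null means the policy is satisfied
    }

    @Override public void close() {}
}
```

Once the jar is deployed, the policy appears in the realm's Password Policy dropdown under the factory's display name, so it is configurable from the regular screen rather than only through the Authenticator SPI.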
From jacobs.yann at gmail.com Fri Feb 17 09:35:39 2017 From: jacobs.yann at gmail.com (Yann Jacobs) Date: Fri, 17 Feb 2017 15:35:39 +0100 Subject: [keycloak-user] [Revoke grants] Application without roles Message-ID: Hi, In reference to an old message sent to the mailing list: http://lists.jboss.org/pipermail/keycloak-user/2016-November/008346.html I have an application which all users can access (no roles defined/requested) with request consent activated. All seems to be fine, but the 'Applications' tab in Account doesn't display my application. According to the ApplicationsBean.java file @ L56 https://github.com/keycloak/keycloak/blob/d941e0716982502ee84255e196f8efb84bce1588/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java#L56 > // Don't show applications, which user doesn't have access into (any available roles) > if (availableRoles.isEmpty()) { > continue; > } Isn't it too restrictive? Can we imagine a more permissive condition? Like this: > if (availableRoles.isEmpty() && realmRolesGranted.isEmpty() && > resourceRolesGranted.isEmpty() && claimsGranted.isEmpty() && > additionalGrants.isEmpty()) { > continue; > } Can we consider that we can revoke grants without availableRoles? Is it a bug or a missing/not supported use case?
Thx From Cameron.Crockett at ABCorp.com Fri Feb 17 10:28:37 2017 From: Cameron.Crockett at ABCorp.com (Cameron Crockett) Date: Fri, 17 Feb 2017 10:28:37 -0500 Subject: [keycloak-user] Using Keycloak on Linux with A Microsoft SQL server In-Reply-To: References: <75EEC384-36EB-4DE3-AE06-3F212663923D@carbonite.com> Message-ID: <3200AB56-28C8-4D08-AF47-1C81F0A72B3B@abnotena.com> I'm currently running Keycloak on OS X and connecting to MS SQL Server. I have the following working setup (hopefully the steps below will help you out) 1. Create the jdbc module.xml File: modules/system/layers/base/com/microsoft/sqlserver/main/module.xml 2. Get the MS SQL JDBC driver from https://docs.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server and copy sqljdbc.jar to modules/system/layers/base/com/microsoft/sqlserver/main/ 3. Change the Keycloak configuration to use MS SQL (i.e. standalone.xml or standalone-ha.xml) ..... jdbc:sqlserver://SQL_SERVER_URL:PORT;DatabaseName=keycloak mssql USERNAME PASSWORD true 30000 com.microsoft.sqlserver.jdbc.SQLServerDriver ..... ..... ..... Cameron CROCKETT Senior Software Engineer Custom Card Systems, Inc. On Feb 17, 2017, at 3:05 AM, Marko Strukelj > wrote: It looks like the module for your MS SQL jdbc driver lacks visibility of javax.xml.bind classes. Try adding the dependency on module 'javax.xml.bind.api' to your MSSQL jdbc driver module. In module.xml of the driver module simply add: On Thu, Feb 16, 2017 at 7:38 PM, Reed Lewis > wrote: Has anyone configured Keycloak to use Microsoft SQL server where Keycloak is running on a linux machine? I can make it work correctly with Postgres, but cannot get it to work with Microsoft SQL. Here is my part of the standalone-ha.xml file: jdbc:sqlserver://(IP ADDRESS):1433;databaseName=keycloak sqlserver username password < /valid-connection-checker> com.microsoft.sqlserver.jdbc. SQLServerXADataSource and here is where I use the datasource.
and I am using JDBC_PING to handle multiple systems since the environment I want to use does not support multicast. java:/MSSQLDS CREATE TABLE IF NOT EXISTS jgroupsping ( own_addr VARCHAR(200) NOT NULL, cluster_name VARCHAR(200) NOT NULL, ping_data BYTEA DEFAULT NULL, PRIMARY KEY (own_addr, cluster_name) ) And this is the error when I start it up. 13:39:48,758 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (MSC service thread 1-6) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection at org.jboss.jca.adapters.jdbc.local. LocalManagedConnectionFactory.createLocalManagedConnection( LocalManagedConnectionFactory.java:343) at org.jboss.jca.adapters.jdbc.local. LocalManagedConnectionFactory.getLocalManagedConnection( LocalManagedConnectionFactory.java:350) at org.jboss.jca.adapters.jdbc.local. LocalManagedConnectionFactory.createManagedConnection( LocalManagedConnectionFactory.java:285) at org.jboss.jca.core.connectionmanager.pool.mcp. SemaphoreConcurrentLinkedDequeManagedConnectionPool. createConnectionEventListener(SemaphoreConcurrentLinkedDeque ManagedConnectionPool.java:1319) at org.jboss.jca.core.connectionmanager.pool.mcp. SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection( SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:496) at org.jboss.jca.core.connectionmanager.pool.AbstractPool. getSimpleConnection(AbstractPool.java:626) at org.jboss.jca.core.connectionmanager.pool. AbstractPool.getConnection(AbstractPool.java:598) at org.jboss.jca.core.connectionmanager. AbstractConnectionManager.getManagedConnection(AbstractConnectionManager. java:590) at org.jboss.jca.core.connectionmanager.tx. TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java: 429) at org.jboss.jca.core.connectionmanager. AbstractConnectionManager.allocateConnection(AbstractConnectionManager. java:747) at org.jboss.jca.adapters.jdbc.WrapperDataSource. 
getConnection(WrapperDataSource.java:138) at org.jboss.as.connector.subsystems.datasources. WildFlyDataSource.getConnection(WildFlyDataSource.java:66) at org.jgroups.protocols.JDBC_ PING.getConnection(JDBC_PING.java:348) at org.jgroups.protocols.JDBC_PING. attemptSchemaInitialization(JDBC_PING.java:298) at org.jgroups.protocols.JDBC_ PING.init(JDBC_PING.java:130) at org.jgroups.stack.ProtocolStack.initProtocolStack( ProtocolStack.java:860) at org.jgroups.stack.ProtocolStack.setup( ProtocolStack.java:481) at org.jgroups.JChannel.init(JChannel.java:853) at org.jgroups.JChannel.(JChannel.java:159) at org.jboss.as.clustering.jgroups.JChannelFactory$1.run( JChannelFactory.java:95) at org.jboss.as.clustering.jgroups.JChannelFactory$1.run( JChannelFactory.java:92) at org.wildfly.security.manager.WildFlySecurityManager. doChecked(WildFlySecurityManager.java:636) at org.jboss.as.clustering.jgroups.JChannelFactory. createChannel(JChannelFactory.java:98) at org.wildfly.clustering.jgroups.spi.service. ChannelBuilder.start(ChannelBuilder.java:78) at org.jboss.msc.service.ServiceControllerImpl$ StartTask.startService(ServiceControllerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$ StartTask.run(ServiceControllerImpl.java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker( ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run( ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.NoClassDefFoundError: javax/xml/bind/ DatatypeConverter at com.microsoft.sqlserver.jdbc. SQLServerConnection.sendLogon(SQLServerConnection.java:4098) at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon( SQLServerConnection.java:3160) at com.microsoft.sqlserver.jdbc. SQLServerConnection.access$100(SQLServerConnection.java:43) at com.microsoft.sqlserver.jdbc.SQLServerConnection$ LogonCommand.doExecute(SQLServerConnection.java:3123) at com.microsoft.sqlserver.jdbc. 
TDSCommand.execute(IOBuffer.java:7505) at com.microsoft.sqlserver.jdbc.SQLServerConnection. executeCommand(SQLServerConnection.java:2445) at com.microsoft.sqlserver.jdbc.SQLServerConnection. connectHelper(SQLServerConnection.java:1981) at com.microsoft.sqlserver.jdbc.SQLServerConnection.login( SQLServerConnection.java:1628) at com.microsoft.sqlserver.jdbc.SQLServerConnection. connectInternal(SQLServerConnection.java:1459) at com.microsoft.sqlserver.jdbc. SQLServerConnection.connect(SQLServerConnection.java:773) at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect( SQLServerDriver.java:1168) at org.jboss.jca.adapters.jdbc.local. LocalManagedConnectionFactory.createLocalManagedConnection( LocalManagedConnectionFactory.java:319) ... 28 more Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter from [Module "com.microsoft:main" from local module loader @66133adc (finder: local module finder @7bfcd12c (roots: /opt/keycloak/modules,/opt/ keycloak/modules/system/layers/keycloak,/opt/keycloak/ modules/system/layers/base))] at org.jboss.modules.ModuleClassLoader.findClass( ModuleClassLoader.java:198) at org.jboss.modules.ConcurrentClassLoader. performLoadClassUnchecked(ConcurrentClassLoader.java:363) at org.jboss.modules.ConcurrentClassLoader. performLoadClass(ConcurrentClassLoader.java:351) at org.jboss.modules.ConcurrentClassLoader.loadClass( ConcurrentClassLoader.java:93) ... 40 more 13:39:48,760 ERROR [org.jgroups.protocols.JDBC_PING] (MSC service thread 1-6) Could not open connection to database: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/MSSQLDS at org.jboss.jca.adapters.jdbc.WrapperDataSource. getConnection(WrapperDataSource.java:146) at org.jboss.as.connector.subsystems.datasources. WildFlyDataSource.getConnection(WildFlyDataSource.java:66) at org.jgroups.protocols.JDBC_ PING.getConnection(JDBC_PING.java:348) at org.jgroups.protocols.JDBC_PING. 
attemptSchemaInitialization(JDBC_PING.java:298)
    at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:130)
    at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:860)
    at org.jgroups.JChannel.init(JChannel.java:853)
    ...
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/MSSQLDS
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:656)
    ... 18 more
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:343)
    ... 21 more
Caused by: java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4098)
    ... 28 more
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter from [Module "com.microsoft:main" from local module loader @66133adc (finder: local module finder @7bfcd12c (roots: /opt/keycloak/modules,/opt/keycloak/modules/system/layers/keycloak,/opt/keycloak/modules/system/layers/base))]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
    ... 40 more

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From Ori.Doolman at amdocs.com Fri Feb 17 10:52:21 2017
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Fri, 17 Feb 2017 15:52:21 +0000
Subject: [keycloak-user] customizing password policy
In-Reply-To:
References:
Message-ID:

Thank you Stian.

I didn't see this SPI documented in https://keycloak.gitbooks.io/server-developer-guide/content/v/2.5/topics/providers.html .

Any formal documentation for this SPI?

Would the Admin Console screen be updated with the customized policy once the custom policy is deployed?

Ori.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, 17 February 2017 12:49
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] customizing password policy

https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/policy/PasswordPolicySpi.java

On 17 February 2017 at 10:25, Ori Doolman wrote:

Hi,
I couldn't find any SPI for customizing the password policy.
In addition to the existing options (lowercase characters, special characters etc.), I have an additional requirement - password should not contain any dictionary words.
I can still have it implemented using the Authenticator SPI - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
The drawback is that it will not be available for configuration from the regular realm Authentication -> Password Policy screen.

Is that the proper way to go?

Thanks,
Ori.

This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp

From jblashka at redhat.com Fri Feb 17 10:55:01 2017
From: jblashka at redhat.com (Jared Blashka)
Date: Fri, 17 Feb 2017 10:55:01 -0500
Subject: [keycloak-user] Possible bug when trying to modify custom storage provider configuration?
Message-ID:

I'm not sure if this is an issue with my implementation of UserStorageProvider, but I'm running into an issue when trying to edit blank fields in the provider configuration after initial creation. If I create a new instance of my provider and define values for all of the configuration properties there's no issue.
But if I leave some of the configuration properties blank, save my configuration, and then try to supply values for those properties later, the form submission errors. It looks like the entirely new values in the update get submitted as a JSON object but any modified value gets submitted as a String array.

I tried replicating this behavior with the provided ldap provider but it doesn't happen there. Empty input boxes are still present in $scope.instance.config as an empty String array. But when working with my custom provider empty input boxes aren't present in $scope.instance.config at all after the initial provider creation.

I'm also not sure how to mark any of my properties as required. I see that the ldap provider has required fields but it looks like this was hard-coded into the HTML form rather than set in the provider configuration. Is that correct?

I'm using the latest code on the 2.5.x branch, it's 2.5.4.Final-SNAPSHOT currently.

Thanks

From jboulay at ekito.fr Fri Feb 17 11:13:46 2017
From: jboulay at ekito.fr (Julien Boulay)
Date: Fri, 17 Feb 2017 17:13:46 +0100
Subject: [keycloak-user] Native android facebook auth and Keycloak token
Message-ID:

Hi all,

I have a question regarding authentication with facebook and keycloak in a native Android app.

Is it possible to connect to facebook through native application, retrieve an authorization code, and then exchange this authorization_code for an access token with keycloak (id_token, refresh_token, token)?

Can I use the facebook broker (for example /auth/realms//broker/facebook/endpoint) for that?

I'm using 2.5.1-final version of keycloak server.
Thanks

*Julien Boulay* *- Ekito*
Developer & Eclectic
15 rue Gabriel Péri 31000 Toulouse
+33 (0)6 80 46 73 78
jboulay at ekito.fr
*Visit our Blog !*

From RLewis at carbonite.com Fri Feb 17 11:42:17 2017
From: RLewis at carbonite.com (Reed Lewis)
Date: Fri, 17 Feb 2017 16:42:17 +0000
Subject: [keycloak-user] Using Keycloak on Linux with A Microsoft SQL server
In-Reply-To: <3200AB56-28C8-4D08-AF47-1C81F0A72B3B@abnotena.com>
References: <75EEC384-36EB-4DE3-AE06-3F212663923D@carbonite.com> <3200AB56-28C8-4D08-AF47-1C81F0A72B3B@abnotena.com>
Message-ID: <154CB61F-55E1-4436-B9AF-47BD301B6855@carbonite.com>

Thank you. This helped and it works now.

From: Cameron Crockett
Date: Friday, February 17, 2017 at 10:28 AM
To: Marko Strukelj
Cc: Reed Lewis, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Using Keycloak on Linux with A Microsoft SQL server

I'm currently running Keycloak on OS X and connecting to MS SQL Server. I have the following working setup (hopefully the steps below will help you out)

1. Create the jdbc module.xml
   File: modules/system/layers/base/com/microsoft/sqlserver/main/module.xml

2. Get the MS Sql JDBC driver from https://docs.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server
   copy sqljdbc.jar to modules/system/layers/base/com/microsoft/sqlserver/main/

3. Change configuration for keycloak to use MS SQL (ie: standalone.xml or standalone-ha.xml)
   .....
   jdbc:sqlserver://SQL_SERVER_URL:PORT;DatabaseName=keycloak
   mssql
   USERNAME
   PASSWORD
   true
   30000
   com.microsoft.sqlserver.jdbc.SQLServerDriver
   .....
   .....

Cameron CROCKETT
Senior Software Engineer
Custom Card Systems, Inc.

On Feb 17, 2017, at 3:05 AM, Marko Strukelj wrote:

It looks like the module for your MS SQL jdbc driver lacks visibility of javax.xml.bind classes. Try adding the dependency on module 'javax.xml.bind.api' to your MSSQL jdbc driver module.

In module.xml of the driver module simply add:

On Thu, Feb 16, 2017 at 7:38 PM, Reed Lewis wrote:

Has anyone configured Keycloak to use Microsoft SQL server where Keycloak is running on a linux machine? I can make it work correctly with Postgres, but cannot get it to work with Microsoft SQL.

Here is my part of the standalone-ha.xml file:

    jdbc:sqlserver://(IP ADDRESS):1433;databaseName=keycloak
    sqlserver
    username
    password
    com.microsoft.sqlserver.jdbc.SQLServerXADataSource

and here is where I use the datasource.

and I am using JDBC_PING to handle multiple systems since the environment I want to use does not support multicast.

    java:/MSSQLDS
    CREATE TABLE IF NOT EXISTS jgroupsping (
        own_addr VARCHAR(200) NOT NULL,
        cluster_name VARCHAR(200) NOT NULL,
        ping_data BYTEA DEFAULT NULL,
        PRIMARY KEY (own_addr, cluster_name)
    )

And this is the error when I start it up.

13:39:48,758 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (MSC service thread 1-6) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:343)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:350)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:285)
    ...
    at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:66)
    at org.jgroups.protocols.JDBC_PING.getConnection(JDBC_PING.java:348)
    at org.jgroups.protocols.JDBC_PING.attemptSchemaInitialization(JDBC_PING.java:298)
    at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:130)
    at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:860)
    at org.jgroups.JChannel.init(JChannel.java:853)
    at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:98)
    at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:78)
    ...
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4098)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3160)
    ...
    at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1168)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:319)
    ... 28 more
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter from [Module "com.microsoft:main" from local module loader @66133adc (finder: local module finder @7bfcd12c (roots: /opt/keycloak/modules,/opt/keycloak/modules/system/layers/keycloak,/opt/keycloak/modules/system/layers/base))]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
    ... 40 more

13:39:48,760 ERROR [org.jgroups.protocols.JDBC_PING] (MSC service thread 1-6) Could not open connection to database: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/MSSQLDS
    at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
    at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:66)
    at org.jgroups.protocols.JDBC_PING.getConnection(JDBC_PING.java:348)
    at org.jgroups.protocols.JDBC_PING.attemptSchemaInitialization(JDBC_PING.java:298)
    at org.jgroups.protocols.JDBC_PING.init(JDBC_PING.java:130)
    ...
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:/MSSQLDS
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:656)
    ... 18 more
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:343)
    ... 21 more
Caused by: java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4098)
    ... 28 more
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter from [Module "com.microsoft:main" from local module loader @66133adc (finder: local module finder @7bfcd12c (roots: /opt/keycloak/modules,/opt/keycloak/modules/system/layers/keycloak,/opt/keycloak/modules/system/layers/base))]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
    ... 40 more

From tancy62 at yahoo.com Fri Feb 17 12:10:14 2017
From: tancy62 at yahoo.com (Alabura Fgc)
Date: Fri, 17 Feb 2017 17:10:14 +0000 (UTC)
Subject: [keycloak-user] attribute retrieval
References: <1886736606.1456245.1487351414415.ref@mail.yahoo.com>
Message-ID: <1886736606.1456245.1487351414415@mail.yahoo.com>

Hi everyone, I am using the sample Vanilla application deployed on wildfly. How can I retrieve the user attributes together with the token when I authenticate to keycloak?

Thank you

From gaalvarez0910 at gmail.com Fri Feb 17 13:14:13 2017
From: gaalvarez0910 at gmail.com (Gustavo Alvarez)
Date: Fri, 17 Feb 2017 18:14:13 +0000
Subject: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
Message-ID:

The error is not 401, I get a 500 error code. The following is the log capture of the backend application:

Caused by: java.lang.NullPointerException
    at org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:69)
    at org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:77)
    at org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142)
    ... 38 more

I use keycloak 2.3.0.Final with the following configuration:

1.
Backend app in EAR package with jax rs service and the next keycloak.json file:

    {
      "realm": "demo",
      "auth-server-url": "http://localhost:8080/auth",
      "ssl-required": "external",
      "resource": "afiliacion-web",
      "credentials": {
        "secret": "45226cd3-796e-4e38-9f38-8435877c660b"
      },
      "policy-enforcer": {}
    }

and this is the web.xml file:

    Client Area client_resources /rest/* GET POST PUT DELETE HEAD * NONE KEYCLOAK demo *

2. Front end app is public client in keycloak, and sends all requests to backend adding the bearer token.

Thank you so much Ebondu.

Gaalvarez.

From john.d.ament at gmail.com Fri Feb 17 16:57:50 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Fri, 17 Feb 2017 21:57:50 +0000
Subject: [keycloak-user] Deployment strategies
Message-ID:

Hi,

I was wondering, is there any documented recommendations for deploying keycloak? I can see the downloads, but are there recommendations based on scale or load that help dictate databases to use, clustering requirements and configuration, etc?

John

From sblanc at redhat.com Fri Feb 17 18:33:39 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 17 Feb 2017 23:33:39 +0000
Subject: [keycloak-user] Deployment strategies
In-Reply-To:
References:
Message-ID:

Hi John,

Have you already seen this guide https://keycloak.gitbooks.io/server-installation-and-configuration/content/ ?

Sebi

On Fri, 17 Feb 2017 at 23:19, John D. Ament wrote:

From john.d.ament at gmail.com Sun Feb 19 07:33:05 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Sun, 19 Feb 2017 12:33:05 +0000
Subject: [keycloak-user] Deployment strategies
In-Reply-To:
References:
Message-ID:

Hi Sebastien,

I had seen that, but only after I sent my mail out. My question is more around sizing and deployment, but maybe I'm assuming that's more automatic.

- Clustering mentions jgroups. So I'm assuming anything I can do with jgroups I can do here as well, right? Including S3 integration? (No multicast for me)
- Is there any database preferences or recommendations based on my sizing? We do mostly mysql.

John

On Fri, Feb 17, 2017 at 6:33 PM Sebastien Blanc wrote:

From bburke at redhat.com Sun Feb 19 08:11:07 2017
From: bburke at redhat.com (Bill Burke)
Date: Sun, 19 Feb 2017 08:11:07 -0500
Subject: [keycloak-user] Deployment strategies
In-Reply-To:
References:
Message-ID: <1f9381c4-322a-5c24-feef-895fa3e9c580@redhat.com>

Amazon *should* work, but we haven't tested it ever. MySql is fine, but note that if you do DB replication, it must be synchronous otherwise you are in danger of having stale caches.

On 2/19/17 7:33 AM, John D. Ament wrote:

From john.d.ament at gmail.com Sun Feb 19 09:46:14 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Sun, 19 Feb 2017 14:46:14 +0000
Subject: [keycloak-user] Manually editing standalone.xml vs offline install
Message-ID:

Hi

I was wondering, if I wanted to avoid a build time run of offline install, can I just edit standalone.xml? I already ship a customized standalone.xml so it's not an issue to include the file changes.
These are the changes I identified:

Added:

Added:

Added:

John

From supittma at redhat.com Sun Feb 19 12:53:01 2017
From: supittma at redhat.com (Summers Pittman)
Date: Sun, 19 Feb 2017 12:53:01 -0500
Subject: [keycloak-user] Native android facebook auth and Keycloak token
In-Reply-To:
References:
Message-ID:

On Fri, Feb 17, 2017 at 11:13 AM, Julien Boulay wrote:

> Hi all,
>
> I have a question regarding authentication with facebook and keycloak in a
> native Android app.
>
> Is it possible to connect to facebook through native application, retrieve
> an authorization code, and then exchange this authorization_code for an
> access token with keycloak (id_token, refresh_token, token) ?
>
> Can I use the facebook broker (for example
> /auth/realms//broker/facebook/endpoint) for
> that ?
>

Yes it is! The code is a bit bitrotted I'm afraid, but the general example can be found here: https://github.com/secondsun/keycloak-android-authenticator/tree/master/app/src/main/java/org/keycloak/keycloakaccountprovider

Basically this code integrates with Android's Account provider to have deep integration with the Android OS.

If you want a simpler example we have one in the AeroGear Android cookbook here: https://github.com/aerogear/aerogear-android-cookbook/blob/master/ShootAndShare/app/src/main/java/org/jboss/aerogear/android/cookbook/shootandshare/util/KeycloakHelper.java

It uses the Aerogear Android Authz library, but it is basically a standard OAuth flow.

> I'm using 2.5.1-final version of keycloak server.
From ivan at akvo.org Sun Feb 19 14:23:03 2017
From: ivan at akvo.org (Iván Perdomo)
Date: Sun, 19 Feb 2017 20:23:03 +0100
Subject: [keycloak-user] Manually editing standalone.xml vs offline install
In-Reply-To:
References:
Message-ID:

Hi,

A problem of having a copy of the file is how to deal with upgrades, and the evolution of this file(s).

The Docker images use saxon.jar and XSLT transformations to modify the standalone(-ha).xml files, e.g.

https://github.com/jboss-dockerfiles/keycloak/blob/master/server-postgres/Dockerfile#L4

This is perhaps a 'safer' approach since the file can evolve and you can still apply your changes (if it finds the xpath matching pattern)

My five cents,

On 02/19/2017 03:46 PM, John D. Ament wrote:
> Hi
>
> I was wondering, if I wanted to avoid a build time run of offline install,
> can I just edit standalone.xml? I already ship a customized standalone.xml
> so its not an issue to include the file changes. These are the changes I
> identified:
>
> Added:
>
> Added:
>
> code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>
> Added:
>
> John

-- 
Iván

From john.d.ament at gmail.com Sun Feb 19 20:47:56 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 20 Feb 2017 01:47:56 +0000
Subject: [keycloak-user] Keycloak & Okta
Message-ID:

Hi

Just wondering, has anyone setup Keycloak w/ Okta?
Every time I try to authenticate (both SP initiated and IdP initiated) it fails with this error

01:40:54,626 WARN [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage

I suspect it's a setup issue on my side, so was hoping someone else has tried this and can give tips. I even tried the import feature, no luck.

John

From john.d.ament at gmail.com Sun Feb 19 20:48:53 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 20 Feb 2017 01:48:53 +0000
Subject: [keycloak-user] Deployment strategies
In-Reply-To: <1f9381c4-322a-5c24-feef-895fa3e9c580@redhat.com>
References: <1f9381c4-322a-5c24-feef-895fa3e9c580@redhat.com>
Message-ID:

Thanks Bill. We don't have replication to worry about right now. I'm also considering using the keycloak appliance from swarm, since I'll likely have to add custom replication and datasources. Any thoughts on that?

John

On Sun, Feb 19, 2017 at 8:12 AM Bill Burke wrote:

From sbingram at gmail.com Sun Feb 19 21:50:41 2017
From: sbingram at gmail.com (Stephen Ingram)
Date: Sun, 19 Feb 2017 18:50:41 -0800
Subject: [keycloak-user] securing 3rd party non-OIDC/SAML applications
Message-ID:

Reading through the documentation, I'm not sure if I'm understanding the security proxy correctly. We have a few applications that use either Apache htaccess or form type authentication built into the application. Since we don't always have access to the source code to add OIDC or SAML capability, I thought the Keycloak security proxy might be a possible solution. I'm wondering if it can work with just anything or does the app have to have at least minimal OIDC or SAML capability? Are there any good examples anywhere?
Steve

From nowis1337 at gmail.com Mon Feb 20 02:35:47 2017
From: nowis1337 at gmail.com (nowis1337 at gmail.com)
Date: Mon, 20 Feb 2017 08:35:47 +0100
Subject: [keycloak-user] Using AJAX during authentication process
Message-ID:

Hello,

Is there a way to use AJAX to ask Keycloak about the authentication process status for the current session during the authentication? I'm trying to implement a new Authentication mechanism using the Authentication SPI and I would like to use AJAX polling in it. I'm looking for a way of doing it only within Keycloak to avoid the cross-domain requests.

From sthorger at redhat.com Mon Feb 20 02:57:42 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 20 Feb 2017 08:57:42 +0100
Subject: [keycloak-user] customizing password policy
In-Reply-To:
References:
Message-ID:

On 17 February 2017 at 16:52, Ori Doolman wrote:
> Thank you Stian.
>
> I didn't see this SPI documented in https://keycloak.gitbooks.io/server-developer-guide/content/v/2.5/topics/providers.html .
>
> Any formal documentation for this SPI?
>
No, not all SPIs are documented yet.

> Would the Admin Console screen be updated with the customized policy once the custom policy is deployed ?
>
Yes

>
> Ori.
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* ??? ? 17 ?????? 2017 12:49
> *To:* Ori Doolman
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] customizing password policy
>
> https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/policy/PasswordPolicySpi.java
>
> On 17 February 2017 at 10:25, Ori Doolman wrote:
>
> Hi,
> I couldn't find any SPI for customizing the password policy.
> In addition to the existing options (lowercase characters, special characters etc.), I have an additional requirement - password should not contain any dictionary words.
> I can still have it implemented using the Authenticator SPI - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
> The drawback is that it will not be available for configuration from the regular realm Authentication -> Password Policy screen.
>
> Is that the proper way to go?
>
> Thanks,
> Ori.
>
> This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp
>

From sthorger at redhat.com Mon Feb 20 02:59:09 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 20 Feb 2017 08:59:09 +0100
Subject: [keycloak-user] Manually editing standalone.xml vs offline install
In-Reply-To:
References:
Message-ID:

JBoss CLI has an offline mode that can be used to script updates to the xml file without running it. Perfect for DockerFiles.

On 19 February 2017 at 20:23, Iván Perdomo wrote:
> Hi,
>
> A problem of having a copy of the file is how to deal with upgrades, and the evolution of this file(s).
>
> The Docker images use saxon.jar and XSLT transformations to modify the standalone(-ha).xml files, e.g.
>
> https://github.com/jboss-dockerfiles/keycloak/blob/master/server-postgres/Dockerfile#L4
>
> This is perhaps a 'safer' approach since the file can evolve and you can still apply your changes (if it finds the xpath matching pattern)
>
> My five cents,
>
> On 02/19/2017 03:46 PM, John D. Ament wrote:
> > Hi
> >
> > I was wondering, if I wanted to avoid a build time run of offline install, can I just edit standalone.xml?
> > I already ship a customized standalone.xml so it's not an issue to include the file changes. These are the changes I identified:
> >
> > Added:
> > Added:
> >   code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
> > Added:
> >
> > John
>
> --
> Iván
>

From dev.ebondu at gmail.com Mon Feb 20 05:04:29 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Mon, 20 Feb 2017 03:04:29 -0700 (MST)
Subject: [keycloak-user] JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
In-Reply-To:
References:
Message-ID: <1487585069279-2809.post@n6.nabble.com>

I am not an expert in conf but your policy enforcer description seems to be empty in keycloak.json, maybe you should remove it? Did you try with version 2.5.1? Did you start from a working example like the photoz? In my case, authorizations are declared by resources directly in the realm, then the backend loads them from the server at runtime to check accesses.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-JAX-RS-Backend-Service-Angular-2-Front-End-Role-Authorization-tp2765p2809.html
Sent from the keycloak-user mailing list archive at Nabble.com.
From ivan at akvo.org Mon Feb 20 06:34:36 2017
From: ivan at akvo.org (Iván Perdomo)
Date: Mon, 20 Feb 2017 12:34:36 +0100
Subject: [keycloak-user] Manually editing standalone.xml vs offline install
In-Reply-To:
References:
Message-ID: <4d814170-48f1-4e1c-b9da-0773c7d2beaa@akvo.org>

Hi,

On 02/20/2017 08:59 AM, Stian Thorgersen wrote:
> JBoss CLI has an offline mode that can be used to script updates to the xml file without running it. Perfect for DockerFiles.

Thanks for the tip, will explore that.

--
Iván

From john.d.ament at gmail.com Mon Feb 20 07:18:08 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 20 Feb 2017 12:18:08 +0000
Subject: [keycloak-user] Keycloak & Okta
In-Reply-To:
References:
Message-ID:

Ok, so I was able to get SP initiated working fine. I had only tried IDP when I sent this mail out. I'm going through this doc, and it's not clear to me on a few areas: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html

- I have my application (the SP) and the SAML IDP (Okta in this case). I have a link on the okta portal to login automatically to my SP.
- I think the webpage is saying that this only works if I'm using the SAML connector for keycloak, is that accurate?
- All of my Okta settings are from getting SP initiated working. Do any of those need to change?
- Do I in fact setup Okta as a SAML client in Keycloak?

John

On Sun, Feb 19, 2017 at 8:47 PM John D. Ament wrote:
> Hi
>
> Just wondering, has anyone setup Keycloak w/ Okta?
> Every time I try to authenticate (both SP initiated and IdP initiated) it fails with this error
>
> 01:40:54,626 WARN [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage
>
> I suspect it's a setup issue on my side, so was hoping someone else has tried this and can give tips. I even tried the import feature, no luck.
>
> John
>

From caroline.goovaerts at rigd-loxia.nl Mon Feb 20 09:43:12 2017
From: caroline.goovaerts at rigd-loxia.nl (Goovaerts C (Caroline) (RIGD-LOXIA))
Date: Mon, 20 Feb 2017 14:43:12 +0000
Subject: [keycloak-user] NPE in SAMLIdentityProvider
Message-ID:

Hi all,

While implementing the single logout feature, we ran into a NPE in SAMLIdentityProvider.java. This behavior seems to be independent of whether or not backchannel logout is used:

at org.keycloak.broker.saml.SAMLIdentityProvider.backchannelLogout(SAMLIdentityProvider.java:154)
at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:178)

In our application we invoke httpServletRequest.logout() as suggested in the guide: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/logout.html.

Version info:
- ADFS server: 3.x
- Keycloak server: 2.3.0.Final
- Maven Keycloak modules: 2.2.1.Final

We'd like to know:
- Whether it is sufficient to invoke request.logout() to do a single logout
- Why it is broken in the given setup

I could not determine whether this is related to https://issues.jboss.org/browse/KEYCLOAK-4398 or not.
Thanks & kind regards,
Caroline Goovaerts
Developer RIGD-LOXIA

From jason at naidmincloud.com Mon Feb 20 09:47:42 2017
From: jason at naidmincloud.com (Jason B)
Date: Mon, 20 Feb 2017 20:17:42 +0530
Subject: [keycloak-user] Realm Keys
Message-ID:

Hi,

I am wondering where Keycloak stores realm keys and how they are replicated across servers when multiple Keycloak servers are deployed as a single cluster. Is it in the database or some local keystore? Are there any special considerations we need to take for realm keys while deploying it as a cluster?

Thanks!

From jason at naidmincloud.com Mon Feb 20 09:49:57 2017
From: jason at naidmincloud.com (Jason B)
Date: Mon, 20 Feb 2017 20:19:57 +0530
Subject: [keycloak-user] Force Keycloak to use external IdP as authentication mechanism
In-Reply-To:
References:
Message-ID:

Configuring a Default Identity Provider helped up to some extent. Thanks!

On Thu, Feb 16, 2017 at 3:51 AM, Adam Keily wrote:
> It probably depends on how many IdP's you want to support. If you only have one, you can enable the setting in the IdP configuration for 'Authenticate by Default'. This will bypass the local login.
>
> You'll need to modify / copy the first broker login auth flow to create the user upon successful auth. Otherwise you'll get a failed login.
>
> Probably doesn't answer all your questions but hope it helps.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Jason B
> Sent: Wednesday, 15 February 2017 8:18 PM
> To: keycloak-user
> Subject: [keycloak-user] Force Keycloak to use external IdP as authentication mechanism
>
> We have a requirement to disable local login (username/password) and allow login through IdPs configured in Identity broker.
> To test this scenario I have configured Salesforce as SP and Keycloak as IDP. And in IdP (keycloak) disabled "Forms" based login and configured an external IdP as identity broker.
> But this configuration resulting in "Invalid username or password." error > in keycloak. In logs I observed following stack trace. > > 01:36:06,532 WARN [org.keycloak.services] (default task-40) > KC-SERVICES0013: Failed authentication: > org.keycloak.authentication.AuthenticationFlowException > at > org.keycloak.authentication.AuthenticationProcessor.authenticateOnly( > AuthenticationProcessor.java:795) > at > org.keycloak.authentication.AuthenticationProcessor.authenticate( > AuthenticationProcessor.java:667) > at > org.keycloak.protocol.AuthorizationEndpointBase. > handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123) > at > org.keycloak.protocol.saml.SamlService.newBrowserAuthentication( > SamlService.java:527) > at > org.keycloak.protocol.saml.SamlService.newBrowserAuthentication( > SamlService.java:523) > at > org.keycloak.protocol.saml.SamlService$BindingProtocol. > loginRequest(SamlService.java:310) > at > org.keycloak.protocol.saml.SamlService$BindingProtocol. > handleSamlRequest(SamlService.java:221) > at > org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol. 
> execute(SamlService.java:514) > at > org.keycloak.protocol.saml.SamlService.redirectBinding( > SamlService.java:536) > at sun.reflect.GeneratedMethodAccessor686.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke( > MethodInjectorImpl.java:139) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( > ResourceMethodInvoker.java:295) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke( > ResourceMethodInvoker.java:249) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:138) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:101) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:395) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. > service(ServletContainerDispatcher.java:221) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( > HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( > HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest( > ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter( > KeycloakSessionServletFilter.java:90) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. 
> doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest( > FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. > handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest( > ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHand > ler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandl > er.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl > er.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler > .handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstrai > ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandle > r.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand > ler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest( > NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssocia > tionHandler.handleRequest(AbstractSecurityContextAssocia > tionHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler. 
> handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest( > ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest( > ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$ > 000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest( > ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors. > java:202) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > > 01:36:06,532 WARN [org.keycloak.events] (default task-40) > type=LOGIN_ERROR, realmId=salesforce, clientId=https://saml.salesforce.com > , > userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, > auth_method=saml, redirect_uri= https://jason-dev-ed.my.salesforce.com?so= > 00D62000005vWGB, > code_id=96d4d981-decd-47ed-ae08-09dfa5c6d6f4 > > > Any idea how to disable the username/password prompt during the login and > force keycloak to use configured identity brokers? > > Also, in case I have multiple external IdPs configured as identity brokers > in my keycloak instance is there any way to inform keycloak to use > particular external IdP (broker). I know we can use kc_idp_hint parameter. > This will be helpful during IdP initiated sso but in case it is a SP > initiated SSO, how can we specify the default external IdP? > > Thanks! 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From thomas.darimont at googlemail.com Mon Feb 20 13:02:13 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 20 Feb 2017 19:02:13 +0100 Subject: [keycloak-user] Best way to verify an AccessToken with RSATokenVerifer and keycloak-admin-client Message-ID: Hello Group, what is currently the best way to verify an access token with the keycloak-admin-client in an application without a configured keycloak deployment/adapter? In the adapter scenario the PublicKey needed by the RSATokenVerifier is retrieved with a PublicKeyLocator which is provided by the KeycloakDeployment. With no deployment at hand one needs to retrieve the public key dynamically to deal with key rotation. I found two variants to do this - which one do you think is the best? Variant 1) Iterate over keycloak.realm(realmId).keys().getKeyMetadata().getKeys() and find the public key currently referenced by the kid in the JWKSHeader of the AccessToken. However this requires that the current user / client role has at least one role of the realm-management client, e.g. view-realm. Variant 2) Send a GET Request without any authentication to http://192.168.99.1:8080/auth This will return the representation of the PublicRealmResource as JSON which contains the currently active RSA public key for the realm. This variant doesn't require any role on the client / user since it doesn't require authentication. Unfortunately the current keycloak-admin-client doesn't seem to provide a way to access the PublicRealmResource information which requires additional code to fetch the resource. Is there a reason for this or is this "just" an API gap that can be fixed? 
You can find a gist with a quick demo for the two variants here: https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde Cheers, Thomas From thomas.darimont at googlemail.com Mon Feb 20 13:06:50 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 20 Feb 2017 19:06:50 +0100 Subject: [keycloak-user] Best way to verify an AccessToken with RSATokenVerifer and keycloak-admin-client In-Reply-To: References: Message-ID: the actual URL for Variant2 is: http://192.168.99.1:8080/auth/realms/apidemo ... 2017-02-20 19:02 GMT+01:00 Thomas Darimont : > Hello Group, > > what is currently the best way to verify an access token with the > keycloak-admin-client in an application without a configured keycloak > deployment/adapter? > > In the adapter scenario the PublicKey needed by the RSATokenVerifier is > retrieved with a PublicKeyLocator which is provided by the > KeycloakDeployment. > > With no deployment at hand one needs to retrieve the public key > dynamically to deal with key rotation. I found two variants to do this - > which one do you think is the best? > > Variant 1) > Iterate over keycloak.realm(realmId).keys().getKeyMetadata().getKeys() > and find the public key currently referenced by the kid in the JWKSHeader > of the AccessToken. > > However this requires that the current user / client role has at least one > role of the realm-management client, e.g. view-realm. > > Variant 2) > Send a GET Request without any authentication to > http://192.168.99.1:8080/auth > This will return the representation of the PublicRealmResource as JSON > which contains the > currently active RSA public key for the realm. > > This variant doesn't require any role on the client / user since it > doesn't require authentication. > Unfortunately the current keycloak-admin-client doesn't seem to provide a > way to access the PublicRealmResource information which requires additional > code to fetch the resource. 
> > Is there a reason for this or is this "just" an API gap that can be fixed? > > You can find a gist with a quick demo for the two variants here: > https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde > > Cheers, > Thomas > From sven.thoms at gmail.com Mon Feb 20 13:18:20 2017 From: sven.thoms at gmail.com (Sven Thoms) Date: Mon, 20 Feb 2017 19:18:20 +0100 Subject: [keycloak-user] how to decode RPT from entitlement API Message-ID: <01ad0de5-b0f1-e576-bfa5-fa1eb484fe25@gmail.com> http://www.keycloak.org/docs/2.5/authorization_services_guide/topics/service/entitlement/entitlement-api-aapi.html How can I decode the RPT from the entitlement API in e.g. Java or Scala? Is there a quick way to do it? From sven.thoms at gmail.com Tue Feb 21 04:11:29 2017 From: sven.thoms at gmail.com (Sven Thoms) Date: Tue, 21 Feb 2017 10:11:29 +0100 Subject: [keycloak-user] Entitlement API specific resource POST error In-Reply-To: References: Message-ID: When I try to check a User's permissions for a given resource at a resource server, I get an error. 
curl -v -X POST \ > -H "Content-Type:application/json" \ > -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi AiSldUIiwia2lkIiA6ICIwRnJ0VnFYazM0M2gwTXFkdjZ4bjcwd21HUjJfdV Y4QmNzNUlBN0F2VjBVIn0.eyJqdGkiOiIwMmNjZDg0ZS03ZTE2LT QxYzYtYjc0MC0yNjdiODc0N2IzMjYiLCJleHAiOjE0ODc2Njc0NjksIm5iZi I6MCwiaWF0IjoxNDg3NjY3MTY5LCJpc3MiOiJodHRwczovL2tleWNsb2FrLm Zpbi51bmlxdWVkb21haW4vYXV0aC9yZWFsbXMvZmZzIiwiYXVkIjoiYWRtaW 4tY2xpIiwic3ViIjoiMmZlZjljOGUtMzc5MC00M2NkLTg5MGYtNDk4ZjJjNz g4ZjI0IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF 90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOWU5ZWIyMWItMDhkOS00OGJlLT gwYWQtOTk5NTQ4MDA0OGQ5IiwiYWNyIjoiMSIsImNsaWVudF9zZXNzaW9uIj oiYjkwNDFkMDItOTIwOS00ZmI5LWIzMTItN2MxZDkyODBlN2NmIiwiYWxsb3 dlZC1vcmlnaW5zIjpbXSwicmVzb3VyY2VfYWNjZXNzIjp7InJlYWxtLW1hbm FnZW1lbnQiOnsicm9sZXMiOlsidmlldy1jbGllbnRzIl19fSwibmFtZSI6Ii IsInByZWZlcnJlZF91c2VybmFtZSI6ImZmc19zZXJ2aWNlX3VzZXIifQ.BTSv5HIONmb3PGWhKn- z0E79TUVFKAy3K6vDfais_YLpBx9Du_nHB-TlAjQJdPkFMm_ k9VBzAZ7bWxR4ttCyVDb5C8PjfbSDnx6Rx2p7GqxVMWDoWmIlEmx0UQBZ7Nn rHFQbMh5EuuycQUyPf06scH3_Q2tENLmyhdVbodMDpHiVRZkgJ_fzP7rwtXzXAiwXqcJv- RbVoKWsvGKRbTR_22PDpBJIXbuGvE6Xnw6VS2mzA_fBx-yVxBVcsGUDaqHEYAukkWueslw- 9L4A2FMVWxL6VwsmTfwaJvtQhpLOWl9JoYR4Ianai0ZGuaDXNGfyyQOTSeGN7-0_eBUlcFqieQ' \ > -d '"permissions" : [ {"resource_set_name" : "Default Resource", "resource_set_id" : "d7954958-b656-4acf-aa65-d2c46c6b8ad8" }]' \ > https://keycloak.fin.uniquedomain/auth/realms/ffs/ authz/entitlement/test_client > Content-Type:application/json > Content-Length: 123 > * upload completely sent off: 123 out of 123 bytes < HTTP/1.1 400 Bad Request < Connection: keep-alive < X-Powered-By: Undertow/1 < Server: WildFly/10 < Content-Type: text/html < Content-Length: 350 < Date: Tue, 21 Feb 2017 08:53:38 GMT < com.fasterxml.jackson.databind.JsonMappingException: Can not instantiate value of type [simple type, class org.keycloak.authorization. 
entitlement.representation.EntitlementRequest] from String value ('permissions'); no single-String constructor/factory method According to the Authorization Services Guide, this should work. From bruno at abstractj.org Tue Feb 21 04:25:10 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 21 Feb 2017 09:25:10 +0000 Subject: [keycloak-user] [HELP] Unable To Deploy Authenticator-Requirement-Action-Example In-Reply-To: References: Message-ID: Why don't you try the latest Keycloak? At first glance it seems some environment misconfiguration, but I'd try with the latest released version. What do you see at the server logs? Which version of Wildfly? But first, please try to upgrade. On Tue, Feb 7, 2017 at 11:23 AM Sagar Ahire wrote: > Hello, > > In Keycloak 2.4.0 I tried to deploy authenticator requirement action > example (keycloak-2.4.0.Final/examples/providers/authenticator) using the > following command: > $ mvn clean install wildfly:deploy > > Getting: > [ERROR] Failed to execute goal > org.wildfly.plugins:wildfly-maven-plugin:1.0.1.Final:deploy (default-cli) > on project authenticator-required-action-example: Deployment failed and was > rolled back. -> [Help 1] > > -PFA for server log. > > I also tried to copy authentication-requirement-action-example.jar into > standalone/deployment/providers directory but didn't work. > > Can someone please help with this? > > > regards, > -Sagar > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sven.thoms at gmail.com Tue Feb 21 05:37:13 2017 From: sven.thoms at gmail.com (Sven Thoms) Date: Tue, 21 Feb 2017 11:37:13 +0100 Subject: [keycloak-user] Entitlement API specific resource POST error In-Reply-To: References: Message-ID: Solved, I forgot about the json brackets around permissions as a whole. Sorry about the confusion. Am 21.02.2017 10:11 vorm. 
schrieb "Sven Thoms" : > When I try to check a User's permissions for a given resource at a > resource server, I get an error. > > curl -v -X POST \ > > -H "Content-Type:application/json" \ > > -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi > AiSldUIiwia2lkIiA6ICIwRnJ0VnFYazM0M2gwTXFkdjZ4bjcwd21HUjJfdV > Y4QmNzNUlBN0F2VjBVIn0.eyJqdGkiOiIwMmNjZDg0ZS03ZTE2LTQxYzYtYj > c0MC0yNjdiODc0N2IzMjYiLCJleHAiOjE0ODc2Njc0NjksIm5iZiI6MCwiaW > F0IjoxNDg3NjY3MTY5LCJpc3MiOiJodHRwczovL2tleWNsb2FrLmZpbi51bm > lxdWVkb21haW4vYXV0aC9yZWFsbXMvZmZzIiwiYXVkIjoiYWRtaW4tY2xpIi > wic3ViIjoiMmZlZjljOGUtMzc5MC00M2NkLTg5MGYtNDk4ZjJjNzg4ZjI0Ii > widHlwIjoiQmVhcmVyIiwiYXpwIjoiYWRtaW4tY2xpIiwiYXV0aF90aW1lIj > owLCJzZXNzaW9uX3N0YXRlIjoiOWU5ZWIyMWItMDhkOS00OGJlLTgwYWQtOT > k5NTQ4MDA0OGQ5IiwiYWNyIjoiMSIsImNsaWVudF9zZXNzaW9uIjoiYjkwND > FkMDItOTIwOS00ZmI5LWIzMTItN2MxZDkyODBlN2NmIiwiYWxsb3dlZC1vcm > lnaW5zIjpbXSwicmVzb3VyY2VfYWNjZXNzIjp7InJlYWxtLW1hbmFnZW1lbn > QiOnsicm9sZXMiOlsidmlldy1jbGllbnRzIl19fSwibmFtZSI6IiIsInByZW > ZlcnJlZF91c2VybmFtZSI6ImZmc19zZXJ2aWNlX3VzZXIifQ.BTSv5HIONmb3PGWhKn- > z0E79TUVFKAy3K6vDfais_YLpBx9Du_nHB-TlAjQJdPkFMm_k9VB > zAZ7bWxR4ttCyVDb5C8PjfbSDnx6Rx2p7GqxVMWDoWmIlEmx0UQBZ7NnrHFQ > bMh5EuuycQUyPf06scH3_Q2tENLmyhdVbodMDpHiVRZkgJ_fzP7rwtXzXAiwXqcJv- > RbVoKWsvGKRbTR_22PDpBJIXbuGvE6Xnw6VS2mzA_fBx-yVxBVcsGUDaqHEYAukkWueslw- > 9L4A2FMVWxL6VwsmTfwaJvtQhpLOWl9JoYR4Ianai0ZGuaDXNGfyyQOTSeGN7-0_eBUlcFqieQ' > \ > > -d '"permissions" : [ {"resource_set_name" : "Default Resource", > "resource_set_id" : "d7954958-b656-4acf-aa65-d2c46c6b8ad8" }]' \ > > https://keycloak.fin.uniquedomain/auth/realms/ffs/authz/ > entitlement/test_client > > Content-Type:application/json > > Content-Length: 123 > > > * upload completely sent off: 123 out of 123 bytes > < HTTP/1.1 400 Bad Request > < Connection: keep-alive > < X-Powered-By: Undertow/1 > < Server: WildFly/10 > < Content-Type: text/html > < Content-Length: 350 > < Date: Tue, 21 Feb 2017 08:53:38 GMT > < > 
com.fasterxml.jackson.databind.JsonMappingException: Can not instantiate value of type [simple type, class org.keycloak.authorization.entitlement.representation.EntitlementRequest] from String value ('permissions'); no single-String constructor/factory method
>
> According to the Authorization Services Guide, this should work.
>

From Ori.Doolman at amdocs.com Tue Feb 21 06:15:30 2017
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Tue, 21 Feb 2017 11:15:30 +0000
Subject: [keycloak-user] Additional attributes for an authorization request
In-Reply-To:
References:
Message-ID:

Hi,

Another requirement I have in my application is that a single authenticated user is allowed to access many albums (hierarchy of albums, actually) and one album can be accessed by multiple users. Many-to-many relationship.

Now I have a problem because I cannot use the same policy and also I cannot have a custom attribute per user with the list of allowed albums (list can become very long). What should be the approach in that case ?

The policy I want to have is that all the albums a user can access belong to the same hierarchy (root ID is the same). Maybe this can be used to simplify the solution.

Thanks,
Ori.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Ori Doolman
Sent: ????? 15 ?????? 2017 13:56
To: Pedro Igor Silva
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Additional attributes for an authorization request

Pedro,
Thank you for all the helpful information. We'll try that.

Ori.

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: ??? ? 14 ?????? 2017 18:43
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Additional attributes for an authorization request

On Tue, Feb 14, 2017 at 10:10 AM, Ori Doolman wrote:
Hi Pedro,
This is great, and will work for all album APIs of the format /album/{id}.
I wonder if the $permission.resource takes its value from the policy-enforcer path or from the URL of the API call at runtime? I suppose the latter and I suppose it is always the full URL path from the http request.

Yes, from the latter.

In our resource server I have also APIs with additional path level similar to: /album/{albumId}/picture/{picId}
For this API, I still want to check that user is allowed to access the album. How would such an API be forced to match same policy of the album?
Should I configure the following path in policy-enforcer: "path" : "/album/{id}/*" and have a more sophisticated policy rule based on the runtime value $permission.resource which now becomes "/album/17/picture/12" (for example) and truncate the string to "/album/17" and perform the condition on it as the album resource? Or is there a better method?

I think you don't actually need that wildcard at the end, so this should work: "path" : "/album/{id}"

When checking paths with a pattern, the enforcer queries the server for a resource with the runtime path. For instance, if your pattern is /album/{id} and client is trying to access /album/1/picture/2, the enforcer will query the server for a resource with an URI that matches /album/1/picture/2. In case of that PhotoZ App (which is using UMA protocol), the enforcer is going to return to the client a permission ticket for the resource previously resolved. Then when the client finally sends an authorization request to KC, KC is going to evaluate all permissions for the resource. Giving you as a result a final token with past permissions plus new ones (if granted). This is how UMA flow works, basically ....

However, I know our enforcer is very limited in respect to patterns within patterns. That is something we need to improve ....

Thanks,
Ori.

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: ??? ? 14 ??????
2017 12:54 To: Ori Doolman > Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Additional attributes for an authorization request On Tue, Feb 14, 2017 at 6:57 AM, Ori Doolman > wrote: Hi Pedro, Thank you for the answer. There is still one thing I fail to understand around point (3) where you wrote: "to resolve a specific resource instance". In the photoz application code, when an album is created, an associated resource is created that is owned by the user that created the album ResourceRepresentation albumResource = new ResourceRepresentation(album.getName(), scopes, "/album/" + album.getId(), "http://photoz.com/album"); It matches on the PEP policy-enforcer configuration: { "name" : "Album Resource", "path" : "/album/{id}", "methods" : [ { "method": "DELETE", "scopes" : ["urn:photoz.com:scopes:album:delete"] }, { "method": "GET", "scopes" : ["urn:photoz.com:scopes:album:view"] } ] }, Which matches the PDP typed resource configuration: { "name": "Album Resource", "uri": "/album/*", "type": "http://photoz.com/album", "scopes": [ { "name": "urn:photoz.com:scopes:album:view" }, { "name": "urn:photoz.com:scopes:album:delete" }, { "name": "urn:photoz.com:scopes:album:create" } ] }, Which ends up with the rule: rule "Authorize Resource Owner" dialect "mvel" when $evaluation : Evaluation( $identity: context.identity, $permission: permission, $permission.resource != null && $permission.resource.owner.equals($identity.id) ) then $evaluation.grant(); end So the "magic" lies with the typed resource uri "/album/*". This is what makes it also match the path in the policy enforcer (and the actual url at runtime of the rest API). Exactly. One of the main points here is that you can map any path in your application to a resource, so you don't necessarily need to set URIs to your resources as long as you provide a configuration like above. The demo creates many album resources, one for each new album created.
But when it is evaluating the policy, how does $permission.resource reference the proper album resource each time and not just the typed "Album Resource" resource? This is the part I failed to understand. Does the $permission.resource value at runtime actually become "/album/17" (for example)? Yes. Regards, Ori. From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: ??? ? 13 ?????? 2017 14:09 To: Ori Doolman > Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Additional attributes for an authorization request On Thu, Feb 9, 2017 at 2:11 PM, Ori Doolman > wrote: Hi Pedro Igor, You wrote: You can't pass additional attributes along with an authorization request. However, that is something we want to support on future versions. I have some questions about that: 1. Which future version will support that? Any plan for it at the moment? Sorry, but can't give you any dates. There are quite a few things in authz services roadmap, but right now we have some time and resource constraints that are blocking us from following a plan/roadmap. 2. Until it is supported, what would be the best practice recommendation to authorize resources such as account numbers? For example: The REST API (resource) I want to protect in the resource server is /api/getAccountDetails/{accountNum}. How should I configure the policy/permissions/resources/scopes in the PDP and how should I utilize the PEP (I'm using Java adapter for JBOSS Fuse)? It seems this one is already supported. I would suggest you take a look at the PhotoZ example about how to protect individual resources. There you will find: 1) How to create resources from your resource server using the Protection API using the Java AuthZ Client API. 2) How "typed" resources work, where you define permissions to a generic resource and these permissions are also applied to resources with the same type.
3) How to configure "policy-enforcer" to handle paths with a pattern in order to resolve a specific resource instance (e.g.: the account details in your example). Something like that: { "name" : "Album Resource", "path" : "/album/{id}", "methods" : [ { "method": "DELETE", "scopes" : ["urn:photoz.com:scopes:album:delete"] }, { "method": "GET", "scopes" : ["urn:photoz.com:scopes:album:view"] } ] } Thank you, Ori. This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From istvan.orban at gmail.com Tue Feb 21 08:47:16 2017 From: istvan.orban at gmail.com (Istvan Orban) Date: Tue, 21 Feb 2017 13:47:16 +0000 Subject: [keycloak-user] User SPI and connection management Message-ID: Hi Guys, I managed to implement User SPI for legacy user migration.
Can someone shed some light on how User SPIs are called in the system? Are they reused among threads or is it threadsafe? The reason I am asking is that I used RestEasy to migrate users from the legacy platform and resteasy by default uses SingleClientConnManager. I am wondering if I need to implement connection management in the SPI or it is thrown away between requests so there is no need for connection management. Thanks a lot -- Kind Regards, *----------------------------------------------------------------------------------------------------------------* *Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I * From dradzikowski at bluesoft.net.pl Tue Feb 21 10:09:30 2017 From: dradzikowski at bluesoft.net.pl (Daniel Radzikowski) Date: Tue, 21 Feb 2017 16:09:30 +0100 Subject: [keycloak-user] New authenticator with CompletableFuture as the only authenticating factor In-Reply-To: <59d63dee-1ac9-a068-4784-6e742458068c@redhat.com> References: <59d63dee-1ac9-a068-4784-6e742458068c@redhat.com> Message-ID: Thanks for the answer! On callback I'm setting the attribute in the client session and it works fine. When submitting the form, the *action()* method checks the attribute and creates the user session the way I wanted. The question now is how to poll to check if the form can be submitted automatically with JavaScript. Is there any endpoint to see if the session attribute has already been set? Or should I use extensions http://www.keycloak.org/docs/2.5/server_development_guide/topics/extensions.html and implement my own endpoint? Any suggestions appreciated. 2017-02-15 20:43 GMT+01:00 Bill Burke : > We don't support async HTTP. So you either need to block or have your > login page poll. If you poll, then your async callback is gonna have to > re-create a KeycloakSession object. I suggest you have your > authenticate() method check to see if a clientSession attribute is set > or not and have the callback locate the clientSession and set this > variable.
Hope I'm making sense. > > > On 2/15/17 10:59 AM, Daniel Radzikowski wrote: > > Hi, > > > > I'm trying to implement a new authenticator for Mobile Connect. It is a bit > > unusual flow, where the first method *void > > authenticate(AuthenticationFlowContext context)* before returning a > > challenge, calls a REST API, which prompts the user's mobile phone with a 'Click > > OK' button. This API call waits until the user clicks OK (or times out), > so > > in order not to block the request, it is wrapped in a CompletableFuture and > > the login page (with no inputs) is immediately returned to the browser. > > (the browser shouldn't wait for the API call result). > > > > The problem is when the CompletableFuture is completed and calls a > > callback. It's the place where the authentication should occur, but I > don't > > have any idea how to do it. The only authenticating factor is the OK response > > from this API. Can I set the authentication somehow bypassing the whole > > processor (calling method *action(AuthenticationFlowContext context)* on > > its way)? I thought I will eventually call the *action *from the browser > > (with ajax) and only check if the session is already created. The only > > thing that I can pass to the callback is the AuthenticationFlowContext > data > > obtained from the first *action(AuthenticationFlowContext context)* > call. > > Is there any way to do it? > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Regards, Daniel Radzikowski. From salvatore.incandela at redhat.com Tue Feb 21 10:11:33 2017 From: salvatore.incandela at redhat.com (Salvatore Incandela) Date: Tue, 21 Feb 2017 16:11:33 +0100 Subject: [keycloak-user] Attempting to build authenticator example and failing.
In-Reply-To: <7B04DBE8-CFBC-4390-879F-350CCA93D139@carbonite.com> References: <7B04DBE8-CFBC-4390-879F-350CCA93D139@carbonite.com> Message-ID: Hi Reed, I cannot reproduce the same error, I've installed the authenticator without problems, could you try to install manually ? On Tue, Feb 14, 2017 at 6:12 PM, Reed Lewis wrote: > I downloaded Keycloak version 2.5.1 example file. Extracted it onto a > CentOS 7 machine, and installed Java-1.8.0 and java-devel. > > When I attempted to use the example file: /examples/providers/ > authenticator > > By typing: mvn clean install wildfly:deploy > I got the following error on the terminal where I was executing mvn: > > ERROR] Failed to execute goal org.wildfly.plugins:wildfly- > maven-plugin:1.1.0.Beta1:deploy (default-cli) on project > authenticator-required-action-example: Failed to execute goal deploy: > {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that > failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => > {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" > => "org.jboss.msc.service.StartException in service > jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: > WFLYSRV0153: Failed to process phase POST_MODULE of deployment > \"authenticator-required-action-example.jar\" > [ERROR] Caused by: java.lang.NoClassDefFoundError: Failed to link > org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory > (Module \"deployment.authenticator-required-action-example.jar:main\" > from Service Module Loader): org/keycloak/authentication/ > AuthenticatorFactory"}}}} > [ERROR] -> [Help 1] > [ERROR] > [ERROR] To see the full stack trace of the errors, re-run Maven with the > -e switch. > [ERROR] Re-run Maven using the -X switch to enable full debug logging. 
> [ERROR] > [ERROR] For more information about the errors and possible solutions, > please read the following articles: > [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/ > MojoExecutionException > [root at localhost authenticator]# pwd > /root/keycloak-demo-2.5.1.Final/examples/providers/authenticator > > > Thank you, > > Reed Lewis > > This was what was displayed on the Keycloak server. > > 12:06:20,685 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-1) WFLYSRV0027: Starting deployment of "authenticator-required-action-example.jar" > (runtime-name: "authenticator-required-action-example.jar") > 12:06:20,761 INFO [org.keycloak.subsystem.server.extension. > KeycloakProviderDeploymentProcessor] (MSC service thread 1-4) Deploying > Keycloak provider: {0} > 12:06:20,767 WARN [org.jboss.modules] (MSC service thread 1-4) Failed to > define class org.keycloak.examples.authenticator. > SecretQuestionAuthenticatorFactory in Module "deployment.authenticator- > required-action-example.jar:main" from Service Module Loader: java.lang.NoClassDefFoundError: > Failed to link org/keycloak/examples/authenticator/ > SecretQuestionAuthenticatorFactory (Module "deployment.authenticator- > required-action-example.jar:main" from Service Module Loader): > org/keycloak/authentication/AuthenticatorFactory > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance( > NativeConstructorAccessorImpl.java:62) > at sun.reflect.DelegatingConstructorAccessorI > mpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor. 
> newInstance(Constructor.java:423) > at org.jboss.modules.ModuleClassLoader.defineClass( > ModuleClassLoader.java:446) > at org.jboss.modules.ModuleClassLoader.loadClassLocal( > ModuleClassLoader.java:274) > at org.jboss.modules.ModuleClassLoader$1.loadClassLocal( > ModuleClassLoader.java:78) > at org.jboss.modules.Module.loadModuleClass(Module.java: > 605) > at org.jboss.modules.ModuleClassLoader.findClass( > ModuleClassLoader.java:190) > at org.jboss.modules.ConcurrentClassLoader. > performLoadClassUnchecked(ConcurrentClassLoader.java:363) > at org.jboss.modules.ConcurrentClassLoader. > performLoadClass(ConcurrentClassLoader.java:351) > at org.jboss.modules.ConcurrentClassLoader.loadClass( > ConcurrentClassLoader.java:93) > at java.lang.Class.forName0(Native Method) > at java.lang.Class.forName(Class.java:348) > at java.util.ServiceLoader$LazyIterator.nextService( > ServiceLoader.java:370) > at java.util.ServiceLoader$LazyIterator.next( > ServiceLoader.java:404) > at java.util.ServiceLoader$1.next(ServiceLoader.java:480) > at org.keycloak.provider.DefaultProviderLoader.load( > DefaultProviderLoader.java:47) > at org.keycloak.provider.ProviderManager.load( > ProviderManager.java:93) > at org.keycloak.services.DefaultKeycloakSessionFactory. > loadFactories(DefaultKeycloakSessionFactory.java:206) > at org.keycloak.services.DefaultKeycloakSessionFactory. > deploy(DefaultKeycloakSessionFactory.java:112) > at org.keycloak.provider.ProviderManagerRegistry.deploy( > ProviderManagerRegistry.java:42) > at org.keycloak.subsystem.server.extension. > KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProc > essor.java:54) > at org.jboss.as.server.deployment. 
> DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) > at org.jboss.msc.service.ServiceControllerImpl$ > StartTask.startService(ServiceControllerImpl.java:1948) > at org.jboss.msc.service.ServiceControllerImpl$ > StartTask.run(ServiceControllerImpl.java:1881) > at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > > 12:06:20,768 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) > MSC000001: Failed to start service jboss.deployment.unit." > authenticator-required-action-example.jar".POST_MODULE: > org.jboss.msc.service.StartException in service jboss.deployment.unit." > authenticator-required-action-example.jar".POST_MODULE: WFLYSRV0153: > Failed to process phase POST_MODULE of deployment "authenticator-required- > action-example.jar" > at org.jboss.as.server.deployment. > DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154) > at org.jboss.msc.service.ServiceControllerImpl$ > StartTask.startService(ServiceControllerImpl.java:1948) > at org.jboss.msc.service.ServiceControllerImpl$ > StartTask.run(ServiceControllerImpl.java:1881) > at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: java.lang.NoClassDefFoundError: Failed to link > org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory > (Module "deployment.authenticator-required-action-example.jar:main" from > Service Module Loader): org/keycloak/authentication/AuthenticatorFactory > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance( > NativeConstructorAccessorImpl.java:62) > at sun.reflect.DelegatingConstructorAccessorI > 
mpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor. > newInstance(Constructor.java:423) > at org.jboss.modules.ModuleClassLoader.defineClass( > ModuleClassLoader.java:446) > at org.jboss.modules.ModuleClassLoader.loadClassLocal( > ModuleClassLoader.java:274) > at org.jboss.modules.ModuleClassLoader$1.loadClassLocal( > ModuleClassLoader.java:78) > at org.jboss.modules.Module.loadModuleClass(Module.java: > 605) > at org.jboss.modules.ModuleClassLoader.findClass( > ModuleClassLoader.java:190) > at org.jboss.modules.ConcurrentClassLoader. > performLoadClassUnchecked(ConcurrentClassLoader.java:363) > at org.jboss.modules.ConcurrentClassLoader. > performLoadClass(ConcurrentClassLoader.java:351) > at org.jboss.modules.ConcurrentClassLoader.loadClass( > ConcurrentClassLoader.java:93) > at java.lang.Class.forName0(Native Method) > at java.lang.Class.forName(Class.java:348) > at java.util.ServiceLoader$LazyIterator.nextService( > ServiceLoader.java:370) > at java.util.ServiceLoader$LazyIterator.next( > ServiceLoader.java:404) > at java.util.ServiceLoader$1.next(ServiceLoader.java:480) > at org.keycloak.provider.DefaultProviderLoader.load( > DefaultProviderLoader.java:47) > at org.keycloak.provider.ProviderManager.load( > ProviderManager.java:93) > at org.keycloak.services.DefaultKeycloakSessionFactory. > loadFactories(DefaultKeycloakSessionFactory.java:206) > at org.keycloak.services.DefaultKeycloakSessionFactory. > deploy(DefaultKeycloakSessionFactory.java:112) > at org.keycloak.provider.ProviderManagerRegistry.deploy( > ProviderManagerRegistry.java:42) > at org.keycloak.subsystem.server.extension. > KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProc > essor.java:54) > at org.jboss.as.server.deployment. > DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) > ... 
5 more > > 12:06:20,769 ERROR [org.jboss.as.controller.management-operation] > (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - > address: ([("deployment" => "authenticator-required-action-example.jar")]) > - failure description: {"WFLYCTL0080: Failed services" => > {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" > => "org.jboss.msc.service.StartException in service > jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: > WFLYSRV0153: Failed to process phase POST_MODULE of deployment > \"authenticator-required-action-example.jar\" > Caused by: java.lang.NoClassDefFoundError: Failed to link > org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory > (Module \"deployment.authenticator-required-action-example.jar:main\" > from Service Module Loader): org/keycloak/authentication/ > AuthenticatorFactory"}} > 12:06:20,769 ERROR [org.jboss.as.server] (management-handler-thread - 4) > WFLYSRV0021: Deploy of deployment "authenticator-required-action-example.jar" > was rolled back with the following failure message: > {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\" > authenticator-required-action-example.jar\".POST_MODULE" => > "org.jboss.msc.service.StartException in service jboss.deployment.unit.\" > authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: > Failed to process phase POST_MODULE of deployment \"authenticator-required- > action-example.jar\" > Caused by: java.lang.NoClassDefFoundError: Failed to link > org/keycloak/examples/authenticator/SecretQuestionAuthenticatorFactory > (Module \"deployment.authenticator-required-action-example.jar:main\" > from Service Module Loader): org/keycloak/authentication/ > AuthenticatorFactory"}} > 12:06:20,772 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-1) WFLYSRV0028: Stopped deployment authenticator-required-action-example.jar > (runtime-name: 
authenticator-required-action-example.jar) in 2ms > 12:06:20,773 INFO [org.jboss.as.controller] (management-handler-thread - > 4) WFLYCTL0183: Service status report > WFLYCTL0186: Services which failed to start: service > jboss.deployment.unit."authenticator-required-action- > example.jar".POST_MODULE > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Salvatore Incandela Middleware Consultant ------------------------------ Red Hat - www.redhat.com Via Andrea Doria 41M 00192 Roma (Italy) Mobile +39 349 6196615 Fax +39 06 39728535 E-mail salvatore.incandela at redhat.com From mstrukel at redhat.com Tue Feb 21 10:25:12 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Tue, 21 Feb 2017 16:25:12 +0100 Subject: [keycloak-user] User SPI and connection management In-Reply-To: References: Message-ID: See http://www.keycloak.org/docs/2.5/server_development_guide/topics/providers.html Specifically, there is a 'Note' in there that gives you the answer. Maybe we should add some more explanation in the doc. Let me try here ... ProviderFactories are instantiated lazily on first use, and exist within a context of KeycloakSessionFactory object - there is one instance of this per Keycloak server - i.e. ProviderFactories behave as singleton services. Provider instances are also instantiated lazily on first use, but exist within a context of a KeycloakSession, and there are multiple KeycloakSessions created even during server startup. But once Keycloak is up, one KeycloakSession is typically created per HTTP request. For example, when KeycloakSession.getProvider(JpaConnectionProvider.class) is used multiple times on the same session, the first time it will trigger creation of the new JpaConnectionProvider instance by using the JpaConnectionProviderFactory.create() method, and all subsequent times the same instance will be returned. 
And if another KeycloakSession is started - by using KeycloakSessionFactory.create() - and method getProvider(JpaConnectionProvider.class) is called on it, that will use the existing JpaConnectionProviderFactory instance from the same KeycloakSessionFactory object to create a new JpaConnectionProvider instance. On subsequent calls the same JpaConnectionProvider instance will be returned. On Tue, Feb 21, 2017 at 2:47 PM, Istvan Orban wrote: > Hi Guys, > > I managed to implement User SPI for legacy user migration. > Can someone shed some light on how User SPIs are called in the system? > > Are they reused among threads or is it threadsafe? > > The reason I am asking is that I used RestEasy to migrate users from the > legacy platform and resteasy by default uses SingleClientConnManager. > > I am wondering if I need to implement connection management in the SPI or > it is thrown away between requests so there is no need for connection > management. > > Thanks a lot > > -- > Kind Regards, > > *----------------------------------------------------------- > -----------------------------------------------------* > *Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I * > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From salvatore.incandela at redhat.com Tue Feb 21 10:39:37 2017 From: salvatore.incandela at redhat.com (Salvatore Incandela) Date: Tue, 21 Feb 2017 16:39:37 +0100 Subject: [keycloak-user] Configuring event logging in Keycloak In-Reply-To: References: Message-ID: Just at the right moment, thanks! On Mon, Feb 13, 2017 at 12:20 PM, Thomas Darimont < thomas.darimont at googlemail.com> wrote: > Hello group, > > I needed to configure Keycloak to also show success events in the logs > in order to be able to show the login count over time in a graylog > dashboard.
> > For this to work I needed to change the log level for the "success-level" > within the keycloak jboss-logging event-listener configuration. > > As some other folks might want to do that as well I'd like to share my > jboss-cli config snippet with you. > > Cheers, > Thomas > > cd $KEYCLOAK_HOME > bin/jboss-cli.sh > > # Start keycloak in embedded mode for configuration > embed-server --server-config=standalone-ha.xml --std-out=echo > > # Configure jboss-logging event listener > /subsystem=keycloak-server/spi=eventsListener:add(default-provider=jboss-logging) > /subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:add(enabled=true) > # Propagate success events to INFO instead of DEBUG > # This allows tracking successful logins in log analysis > /subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.success-level,value=info) > /subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.error-level,value=warn) > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Salvatore Incandela Middleware Consultant ------------------------------ Red Hat - www.redhat.com Via Andrea Doria 41M 00192 Roma (Italy) Mobile +39 349 6196615 Fax +39 06 39728535 E-mail salvatore.incandela at redhat.com From aciuprin at mpi-bremen.de Tue Feb 21 11:18:49 2017 From: aciuprin at mpi-bremen.de (Andreea Ciuprina) Date: Tue, 21 Feb 2017 17:18:49 +0100 Subject: [keycloak-user] Spring Boot adapter with HTTP verb based authorization Message-ID: Hello! We are building an online application for which we are using Keycloak for authentication and authorization, connected to our Spring Boot backend using the Spring Boot adapter. We would like to achieve more fine-grained authorization, more specifically, we would like to set up HTTP verb based
authorization, for example, allow only GET requests for some end-points, GET and POST for others, only POST for other end-points etc. I am aware of the Policy Enforcer adapter, but I could not find any specific documentation regarding how to use that with Spring Boot, where there is no keycloak.json file used for configuration. Therefore, my questions are: 1. Can HTTP verb based authorization be achieved using the Spring Boot adapter? 2. If the answer to question 1 is yes, then could you please provide a minimal configuration example? Thank you! Best regards, Andreea --------------------------------------------------------- Andreea Ciuprina Bioinformatics Group Max Planck Institute for Marine Microbiology Celsiusstraße 1 28359 Bremen Germany Phone: +49(0) 421 2028 982 Email: aciuprin at mpi-bremen.de & Jacobs University Bremen, 28759 Bremen, Germany Email: a.ciuprina at jacobs-university.de From sblanc at redhat.com Tue Feb 21 11:43:16 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 21 Feb 2017 17:43:16 +0100 Subject: [keycloak-user] Spring Boot adapter with HTTP verb based authorization In-Reply-To: References: Message-ID: You can add the configuration about the policy enforcer in your application.properties, just one difference with the keycloak.json is that you must write "policy-enforcer-config" (instead of just policy-enforcer). Regarding HTTP Verb authz, it *should* work since the Spring Boot Adapter just passes along the configuration to the underlying Servlet Container (Tomcat, undertow or Jetty). But even without using the authorization layer, you should be able to achieve this by configuring the security constraints. keycloak.securityConstraints[1].securityCollections[0].http-method = GET etc ... On Tue, Feb 21, 2017 at 5:18 PM, Andreea Ciuprina wrote: > Hello!
> > > > We are building an online application for which we are using Keycloak for > authentication and authorization, connected > > to our Spring Boot backend using the Spring Boot adapter. > > > We would like to achieve more fine-grained authorization, more > specifically, we would like to set up HTTP verb based > > authorization, for example, allow only GET requests for some end-points, > GET and POST for others, only POST for other end-points etc. > > > > I am aware of the Policy Enforcer adapter, but I could not find any > specific documentation regarding how to use that with Spring Boot, where > there is > > no keycloak.json file used for configuration. > > > > Therefore, my questions are: > > 1. Can HTTP verb based authorization be achieved using the Spring Boot > adapter? > > 2. If the answer to question 1 is yes, then could you please provide a > minimal configuration example? > > > > Thank you! > > Best regards, > > Andreea > > --------------------------------------------------------- > > Andreea Ciuprina > > Bioinformatics Group > Max Planck Institute for Marine Microbiology > > Celsiusstraße 1 > 28359 Bremen > Germany > > Phone: +49(0) 421 2028 982 > Email: aciuprin at mpi-bremen.de > > & > > Jacobs University Bremen, > 28759 Bremen, Germany > Email: a.ciuprina at jacobs-university.de > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bruno at abstractj.org Wed Feb 22 02:42:27 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Wed, 22 Feb 2017 07:42:27 +0000 Subject: [keycloak-user] how to decode RPT from entitlement API In-Reply-To: <01ad0de5-b0f1-e576-bfa5-fa1eb484fe25@gmail.com> References: <01ad0de5-b0f1-e576-bfa5-fa1eb484fe25@gmail.com> Message-ID: Hi Sven, did you get the chance to look at this http://www.keycloak.org/docs/2.5/authorization_services_guide/topics/service/protection/token-introspection.html ?
On Mon, Feb 20, 2017 at 3:21 PM Sven Thoms wrote: > > http://www.keycloak.org/docs/2.5/authorization_services_guide/topics/service/entitlement/entitlement-api-aapi.html > > How can I decode the RPT from the entitlement API in e.g. Java or Scala? > Is there a quick way to do it? > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From okie.othsam at gmail.com Wed Feb 22 03:13:19 2017 From: okie.othsam at gmail.com (Okie Othsam) Date: Wed, 22 Feb 2017 09:13:19 +0100 Subject: [keycloak-user] Infinite loop while proxying angular2 devserver Message-ID: Hi, I am trying to prepare a development environment and got a strange loop behavior. I have built a docker scenario with a keycloak/postgresql container that is behind a web server proxy container (tested Apache and nginx). The webserver container also proxies to a locally running node.js instance with the angular2 devserver. My sample angular app uses the javascript keycloak adapter and wraps it with a service. If I run the Angular devserver and keycloak without any proxy all works fine. When I use the same servers (modified keycloak.json) behind the proxy, the angular app runs after successful keycloak login in an endless loop. Every second the site is reloaded - without any new login. When I build a release from my angular app and deploy it to the webserver all works fine. But this is not really an alternative because I want to set up a universal dev environment :-/ After days of debugging, imo there is a good chance for some race conditions in the Javascript adapter between the dynamic iframe and the angular app or I do something essentially wrong. My question is now, has anyone here run a similar setup and used it without any problems? Currently my containers run with keycloak version 2.4.0.Final. As next step I will update my setup to 2.5.1.Final and try to reproduce the behavior.
Kind regards
Eiko

From sven.thoms at gmail.com Wed Feb 22 04:46:51 2017
From: sven.thoms at gmail.com (Sven Thoms)
Date: Wed, 22 Feb 2017 10:46:51 +0100
Subject: [keycloak-user] how to decode RPT from entitlement API
References: <01ad0de5-b0f1-e576-bfa5-fa1eb484fe25@gmail.com>

Hi Bruno

Wow, I totally missed that part. Thanks for the hint. I have not yet tried it, but it will be OK, I am sure.

On 22.02.2017 8:42 AM, "Bruno Oliveira" wrote:
> [...]

From aciuprin at mpi-bremen.de Wed Feb 22 08:13:34 2017
From: aciuprin at mpi-bremen.de (Andreea Ciuprina)
Date: Wed, 22 Feb 2017 14:13:34 +0100
Subject: [keycloak-user] Spring Boot adapter with HTTP verb based authorization

Hi Sebastien,

Thank you for your answer.
After adding your suggestion to the security constraints, I get the following error:

Error creating bean with name 'keycloak-org.keycloak.adapters.springboot.KeycloakSpringBootProperties': Could not bind properties to KeycloakSpringBootProperties (prefix=keycloak, ignoreInvalidFields=false, ignoreUnknownFields=false, ignoreNestedProperties=false); nested exception is org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException: Failed to bind 'keycloak.securityConstraints[0].securityCollections[0].http-method' from 'applicationConfig: [classpath:/application.properties]' to 'securityConstraints[0].securityCollections[0].http-method' property on 'org.keycloak.adapters.springboot.KeycloakSpringBootProperties$SecurityConstraint'

My configuration looks like this:

keycloak.securityConstraints[0].securityCollections[0].name = secured end points
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /api/v1/hello/*
keycloak.securityConstraints[0].securityCollections[0].http-method = GET

Do you know what the problem could be?

Thank you!

Best,
Andreea

-----Original message-----
From: Sebastien Blanc
Sent: Tuesday 21st February 2017 17:43
To: Andreea Ciuprina
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Spring Boot adapter with HTTP verb based authorization

You can add the configuration about the policy enforcer in your application.properties; just one difference with the keycloak.json is that you must write "policy-enforcer-config" (instead of just policy-enforcer).

Regarding HTTP verb authz, it *should* work, since the Spring Boot adapter just passes along the configuration to the underlying servlet container (Tomcat, Undertow or Jetty).

But even without using the authorization layer, you should be able to achieve this by configuring the security constraints:

keycloak.securityConstraints[1].securityCollections[0].http-method = GET
etc ...

On Tue, Feb 21, 2017 at 5:18 PM, Andreea Ciuprina wrote:
> [...]

From sblanc at redhat.com Wed Feb 22 08:23:54 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 22 Feb 2017 14:23:54 +0100
Subject: [keycloak-user] Spring Boot adapter with HTTP verb based authorization

Hi,

Yes sorry, I replied yesterday without double-checking the code; this should work:

keycloak.securityConstraints[0].securityCollections[0].methods[0] = GET

I will create a ticket to improve the documentation for this.
On Wed, Feb 22, 2017 at 2:13 PM, Andreea Ciuprina wrote:
> [...]

From aciuprin at mpi-bremen.de Wed Feb 22 10:04:08 2017
From: aciuprin at mpi-bremen.de (Andreea Ciuprina)
Date: Wed, 22 Feb 2017 16:04:08 +0100
Subject: [keycloak-user] Spring Boot adapter with HTTP verb based authorization

This works, thank you very much for your help! :)
And yes, a bit more documentation would be nice.

Best,
Andreea

-----Original message-----
From: Sebastien Blanc
Sent: Wednesday 22nd February 2017 14:24
To: Andreea Ciuprina
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Spring Boot adapter with HTTP verb based authorization

> [...]

From sumitdas66 at gmail.com Wed Feb 22 12:52:50 2017
From: sumitdas66 at gmail.com (Sumit Das)
Date: Wed, 22 Feb 2017 23:22:50 +0530
Subject: [keycloak-user] Delete Roles on Active Directory when deleted from Keycloak

Hi

I have done an integration of a Keycloak realm with an Active Directory instance. The realm roles that have been created are mapped with the help of a role-mapper.
When I delete any roles from the realm, the role still persists in the AD instance, even after using the synchronization "Keycloak Roles to LDAP". How do I ensure that when I delete any role in Keycloak, it also gets deleted from AD as well?

Please do respond.

Regards
*Sumit Das*
*Mobile No.- +91-9986872466 *

From sumitdas66 at gmail.com Wed Feb 22 13:24:05 2017
From: sumitdas66 at gmail.com (Sumit Das)
Date: Wed, 22 Feb 2017 23:54:05 +0530
Subject: [keycloak-user] Delete Roles on Active Directory when deleted from Keycloak

Hi

I have done an integration of a Keycloak realm with an Active Directory instance. The realm roles that have been created are mapped with the help of a role-mapper. When I delete any roles from the realm, the role still persists in the AD instance, even after using the synchronization "Keycloak Roles to LDAP". How do I ensure that when I delete any role in Keycloak, it also gets deleted from AD as well?

I have kept the following configuration:
1. In LDAP settings: Edit Mode: WRITABLE
2. In Role-mapper: Mode: LDAP_ONLY

Still it is not working.

Please do respond.

Regards
*Sumit Das*
*Mobile No.- +91-9986872466 *

From kevinmarsden88 at gmail.com Wed Feb 22 13:31:13 2017
From: kevinmarsden88 at gmail.com (Kevin Marsden)
Date: Wed, 22 Feb 2017 20:31:13 +0200
Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK

Good Day.

I am unable to deploy a JAX-RS war to WildFly 10.1, even after following the instructions in the documentation to the letter.

I executed the patch script as follows:

jboss-cli.bat --connect --file="adapter-install.cli"
{"outcome" => "success"}
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
{
    "outcome" => "success",
    "result" => [("keycloak" => "1.1.0")],
    "response-headers" => {"process-state" => "reload-required"}
}
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

My standalone.xml has been updated as follows:

My web.xml is as follows:

webresources /webresources/* user KEYCLOAK user

I would gladly appreciate any help at this stage.

Kind Regards.
Kevin.

From sthorger at redhat.com Wed Feb 22 13:39:48 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 22 Feb 2017 19:39:48 +0100
Subject: [keycloak-user] Realm Keys

Database

On 20 February 2017 at 15:47, Jason B wrote:
> Hi,
>
> I am wondering where Keycloak stores realm keys and how they are replicated across servers when deploying multiple Keycloak servers as a single cluster. Is it in the database or some local keystore? Are there any special considerations we need to take for realm keys while deploying it as a cluster?
>
> Thanks!

From sumitdas66 at gmail.com Wed Feb 22 14:34:46 2017
From: sumitdas66 at gmail.com (Sumit Das)
Date: Thu, 23 Feb 2017 01:04:46 +0530
Subject: [keycloak-user] Need any advice on issue KEYCLOAK-3923 (LDAP FEDERATION ISSUE)

Hi

I saw a few comments on the url below:

https://issues.jboss.org/browse/KEYCLOAK-3923

We are also facing the same issue where we want to *delete Roles and Groups from the LDAP (Active Directory)*, which is federating a Keycloak instance, once we *delete the same from the Keycloak instance*.
We *want to have this feature* for our convenience. I read about a flag being introduced to facilitate the same. Has the feature already been developed? Can you provide me with any update about it?

I would *highly appreciate any help* regarding this. Please do respond and shed some light on the issue.

Regards
*Sumit Das*

From bruno at abstractj.org Wed Feb 22 15:26:28 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 22 Feb 2017 20:26:28 +0000
Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK

Hi Kevin, have you configured the adapter? See:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/jboss-adapter.html

On Wed, Feb 22, 2017 at 3:31 PM Kevin Marsden wrote:
> [...]

From kevinmarsden88 at gmail.com Wed Feb 22 15:34:18 2017
From: kevinmarsden88 at gmail.com (Kevin Marsden)
Date: Wed, 22 Feb 2017 22:34:18 +0200
Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK

Hello Bruno.

Indeed I have. I extracted the 2.5.1.Final adapter zip
(https://downloads.jboss.org/keycloak/2.5.1.Final/adapters/keycloak-oidc/keycloak-wildfly-adapter-dist-2.5.1.Final.zip)
into my WildFly home and then ran the adapter-install.cli script as per the documentation. I then restarted my WildFly server; it updates the standalone.xml file correctly, it seems, but when deploying the application one gets the following stack trace:

...
Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"},

Is there any other configuration I need to do beyond supplying my Keycloak server information in the keycloak.json file?

Thanks for the response!

On Wed, Feb 22, 2017 at 10:26 PM, Bruno Oliveira wrote:
> [...]

From mposolda at redhat.com Wed Feb 22 16:23:27 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 22 Feb 2017 22:23:27 +0100
Subject: [keycloak-user] Need any advice on issue KEYCLOAK-3923 (LDAP FEDERATION ISSUE)
Message-ID: <47a7fd1d-ed85-033d-f2be-6ace4708dcfa@redhat.com>

This is not done yet. It will be good if you can create another JIRA (as the previous one is already closed and was also about some other issue) and link this ML discussion and the previous KEYCLOAK-3923. But not sure when/if we will improve that...

Until it's done in Keycloak, you can likely create your own REST endpoint or ProviderFactory or something and listen to the model event RoleRemovedEvent. See RolePolicyProviderFactory.postInit for inspiration.

For the groups, we unfortunately don't yet have a callback removal event..
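One shape Marek's suggestion can take, as an added example that is neither Marek's code nor part of Keycloak: an `eventsListener` SPI factory whose `postInit` registers a `ProviderEventListener` for the model event `RoleRemovedEvent` (the same hook `RolePolicyProviderFactory.postInit` uses) and removes the matching group entry from the directory over JNDI. The package, the factory id and the four config keys (`ldapUrl`, `groupsDn`, `bindDn`, `bindCredential`) are hypothetical, and it assumes the role mapper stores realm roles as groups named `CN=<role name>` under one fixed DN.

```java
// Added example (not Marek's code, not part of Keycloak): delete the AD group
// of a realm role when the role is removed from Keycloak.
package com.example.keycloak.ldapsync; // hypothetical package

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel.RoleRemovedEvent;
import org.keycloak.models.RoleModel;

public class LdapRoleCleanupListenerFactory implements EventListenerProviderFactory {

    private static final Logger LOG = Logger.getLogger(LdapRoleCleanupListenerFactory.class);

    // Hypothetical settings, read from the provider's config scope in standalone.xml.
    private String ldapUrl;
    private String groupsDn;
    private String bindDn;
    private String bindCredential;

    @Override
    public void init(Config.Scope config) {
        ldapUrl = config.get("ldapUrl", "ldaps://ad.example.test:636");   // placeholder host
        groupsDn = config.get("groupsDn", "OU=KeycloakRoles,DC=example,DC=test"); // placeholder DN
        bindDn = config.get("bindDn");
        bindCredential = config.get("bindCredential");
    }

    @Override
    public void postInit(KeycloakSessionFactory factory) {
        // Same mechanism RolePolicyProviderFactory.postInit uses: a ProviderEventListener.
        factory.register(event -> {
            if (!(event instanceof RoleRemovedEvent)) return;
            RoleModel role = ((RoleRemovedEvent) event).getRole();
            // Only realm roles are mapped to AD groups in this setup; client roles are left alone.
            if (!(role.getContainer() instanceof RealmModel)) return;
            try {
                deleteGroup(role.getName());
            } catch (NamingException e) {
                // Log and continue: an unreachable directory must not break the Keycloak deletion.
                LOG.warnf(e, "Could not delete AD group for role %s", role.getName());
            }
        });
    }

    /** Deletes CN=<role name>,<groupsDn>; the CN value is escaped per RFC 4514. */
    void deleteGroup(String roleName) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindCredential);
        DirContext ctx = new InitialDirContext(env);
        try {
            ctx.destroySubcontext("CN=" + escapeRdnValue(roleName) + "," + groupsDn);
        } finally {
            ctx.close();
        }
    }

    /** Escapes DN-special characters so a role name cannot alter the DN being deleted. */
    static String escapeRdnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean edgeSpace = c == ' ' && (i == 0 || i == value.length() - 1);
            boolean leadingHash = c == '#' && i == 0;
            if (edgeSpace || leadingHash || ",+\"\\<>;=".indexOf(c) >= 0) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    @Override public EventListenerProvider create(KeycloakSession session) { return NOOP; }
    @Override public void close() { }
    @Override public String getId() { return "ldap-role-cleanup"; } // hypothetical id

    // Only the ProviderEventListener above is needed; user and admin events are ignored.
    private static final EventListenerProvider NOOP = new EventListenerProvider() {
        @Override public void onEvent(Event event) { }
        @Override public void onEvent(AdminEvent event, boolean includeRepresentation) { }
        @Override public void close() { }
    };
}
```

Register the class in `META-INF/services/org.keycloak.events.EventListenerProviderFactory` and supply the four settings under the `eventsListener` SPI in standalone.xml rather than in code. Two limits worth knowing before relying on it: the event fires inside the transaction that removes the role, so if that transaction later rolls back the AD group is already gone, and, as Marek notes, groups have no equivalent removal event yet, so this covers roles only.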
Marek

On 22/02/17 20:34, Sumit Das wrote:
> [...]

From mposolda at redhat.com Wed Feb 22 16:24:45 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 22 Feb 2017 22:24:45 +0100
Subject: [keycloak-user] Delete Roles on Active Directory when deleted from Keycloak
Message-ID: <18ced29d-82f3-8fba-62ad-747d18d85892@redhat.com>

Not supported yet, as mentioned in the other thread... Feel free to create a JIRA.

Marek

On 22/02/17 19:24, Sumit Das wrote:
> [...]

From mposolda at redhat.com Wed Feb 22 16:29:54 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 22 Feb 2017 22:29:54 +0100
Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK

I can't see anything obvious at first look. Maybe there needs to be a "realm-name" under "login-config" in web.xml? Do you have keycloak.json inside your WAR? I suggest looking at our examples and comparing those with your WAR file.

Marek

On 22/02/17 19:31, Kevin Marsden wrote:
> [...]

From sstark at redhat.com Wed Feb 22 16:37:59 2017
From: sstark at redhat.com (Scott Stark)
Date: Wed, 22 Feb 2017 16:37:59 -0500 (EST)
Subject: [keycloak-user] Doc links seem to be broken, or gitbooks down?
In-Reply-To: <415019252.22877861.1487799358483.JavaMail.zimbra@redhat.com>
Message-ID: <294576258.22878342.1487799479964.JavaMail.zimbra@redhat.com>

I was just going to http://www.keycloak.org/documentation.html to look up some info, and none of the documentation links are working at the moment. All are returning 404s for me:

[mep-starksm64 555]$ wget http://www.keycloak.org/docs/2.5/getting-started-tutorials/index.html
--2017-02-22 13:35:32--  http://www.keycloak.org/docs/2.5/getting-started-tutorials/index.html
Resolving www.keycloak.org... 151.101.24.133
Connecting to www.keycloak.org|151.101.24.133|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2017-02-22 13:35:32 ERROR 404: Not Found.

From john.d.ament at gmail.com Wed Feb 22 17:18:30 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 22 Feb 2017 22:18:30 +0000
Subject: [keycloak-user] IDP Initiated Login

Changing the subject to be a bit clearer about the problems.

I think I'm understanding a bit further, when reading through
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html

- It seems like my application has to be SAML. I cannot do an OIDC based solution.
- The first thing I have to do is add IDP Initiated SSO URL Name to my application.
- The confusing part is about if my application requires... this seems a bit odd, since I'm using the Keycloak adapter, but sure.
- The part that's missing is what gets set up in the actual broker. You mention IDP Initiated SSO URL Name but I don't see that field in IDPs.
In general these look like Keycloak-specific parameters.

Any thoughts?

John

On Mon, Feb 20, 2017 at 7:18 AM John D. Ament wrote:
> Ok, so I was able to get SP initiated working fine. I had only tried IDP when I sent this mail out.
>
> I'm going through this doc, and it's not clear to me in a few areas:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>
> - I have my application (the SP) and the SAML IDP (Okta in this case). I have a link on the Okta portal to log in automatically to my SP.
> - I think the web page is saying that this only works if I'm using the SAML connector for Keycloak, is that accurate?
> - All of my Okta settings are from getting SP initiated working. Do any of those need to change?
> - Do I in fact set up Okta as a SAML client in Keycloak?
>
> John
>
> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament wrote:
>
> Hi
>
> Just wondering, has anyone set up Keycloak w/ Okta? Every time I try to authenticate (both SP initiated and IdP initiated) it fails with this error
>
> 01:40:54,626 WARN [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage
>
> I suspect it's a setup issue on my side, so was hoping someone else has tried this and can give tips. I even tried the import feature, no luck.
>
> John

From ansarihaseb at gmail.com Wed Feb 22 18:09:28 2017
From: ansarihaseb at gmail.com (Haseb Ansari)
Date: Thu, 23 Feb 2017 00:09:28 +0100
Subject: [keycloak-user] Does Keycloak OIDC support decryption of a JWT token encrypted with JWE?

Hello all,

I have set up a custom OpenID Connect provider for my external IDP, and the token request on my external IDP sends me an encrypted JWT with JWE (JSON Web Encryption).
I have the enc key with me but cannot understand how use it with Identity Provider settings. Please help me out with this issue. Thanks in advance !!!!!! Regards, Haseb From john.d.ament at gmail.com Wed Feb 22 20:23:29 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Thu, 23 Feb 2017 01:23:29 +0000 Subject: [keycloak-user] IDP Initiated Login In-Reply-To: References: Message-ID: Looks like I answered half of my question - https://issues.jboss.org/browse/KEYCLOAK-4454 Seems like it will only work if I'm using SAML. John On Wed, Feb 22, 2017 at 5:18 PM John D. Ament wrote: > Changing the subject to be a bit clearer about the problems. > > I think I'm understanding a bit further. when reading through > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html > > - It seems like my application has to be SAML. I cannot do an OIDC based > solution. > - First thing I have to do is add IDP Initiated SSO URL Name to my > application. > - The confusing part is about if my application requires... this seems a > bit odd, since I'm using the Keycloak adapter but sure. > - The part that's missing is what gets setup in the actual broker. You > mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In > general these look like Keycloak specific parameters. > > Any thoughts? > > John > > On Mon, Feb 20, 2017 at 7:18 AM John D. Ament > wrote: > > Ok, so I was able to get SP initiated working fine. I had only tried IDP > when I sent this mail out. > > I'm going through this doc, and its not clear to me on a few areas: > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html > > - I have my application (the SP) and the SAML IDP (Okta in this case). I > have a link on the okta portal to login automatically to my SP. > - I think the webpage is saying that this only works if I'm using the SAML > connector for keycloak, is that accurate? 
>> - All of my Okta settings are from getting SP initiated working. Do any
>>   of those need to change?
>> - Do I in fact set up Okta as a SAML client in Keycloak?
>>
>> John
>>
>> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament wrote:
>>
>>> Hi
>>>
>>> Just wondering, has anyone set up Keycloak w/ Okta? Every time I try to
>>> authenticate (both SP initiated and IdP initiated) it fails with this error
>>>
>>> 01:40:54,626 WARN [org.keycloak.events] (default task-7)
>>> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
>>> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
>>> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
>>> (default task-7) staleCodeMessage
>>>
>>> I suspect it's a setup issue on my side, so was hoping someone else has
>>> tried this and can give tips. I even tried the import feature, no luck.
>>>
>>> John

From john.d.ament at gmail.com Wed Feb 22 20:35:29 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 23 Feb 2017 01:35:29 +0000
Subject: [keycloak-user] Multitenancy and SAML Adapter

Hi,

For OIDC, there's this doc on multitenancy:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/multi-tenancy.html

Is there something similar for the SAML adapter?

John

From bburke at redhat.com Wed Feb 22 20:43:42 2017
From: bburke at redhat.com (Bill Burke)
Date: Wed, 22 Feb 2017 20:43:42 -0500
Subject: [keycloak-user] Doc links seem to be broken, or gitbooks down?
In-Reply-To: <294576258.22878342.1487799479964.JavaMail.zimbra@redhat.com>
References: <294576258.22878342.1487799479964.JavaMail.zimbra@redhat.com>

Try this for now, not sure what's going on:

https://www.gitbook.com/@keycloak

On 2/22/17 4:37 PM, Scott Stark wrote:
> I was just going to http://www.keycloak.org/documentation.html to look up some info, and none of the documentation links are working at the moment.
> All are returning 404s for me:
>
> [mep-starksm64 555]$ wget http://www.keycloak.org/docs/2.5/getting-started-tutorials/index.html
> --2017-02-22 13:35:32--  http://www.keycloak.org/docs/2.5/getting-started-tutorials/index.html
> Resolving www.keycloak.org... 151.101.24.133
> Connecting to www.keycloak.org|151.101.24.133|:80... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2017-02-22 13:35:32 ERROR 404: Not Found.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Wed Feb 22 21:10:02 2017
From: bburke at redhat.com (Bill Burke)
Date: Wed, 22 Feb 2017 21:10:02 -0500
Subject: [keycloak-user] IDP Initiated Login

OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to
create a URL somewhere that links to your app which will then redirect
to Keycloak.

On 2/22/17 8:23 PM, John D. Ament wrote:
> Looks like I answered half of my question -
> https://issues.jboss.org/browse/KEYCLOAK-4454
>
> Seems like it will only work if I'm using SAML.
>
> John
>
> On Wed, Feb 22, 2017 at 5:18 PM John D. Ament wrote:
>
>> Changing the subject to be a bit clearer about the problems.
>>
>> I think I'm understanding a bit further when reading through
>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>
>> - It seems like my application has to be SAML. I cannot do an OIDC based
>>   solution.
>> - First thing I have to do is add IDP Initiated SSO URL Name to my
>>   application.
>> - The confusing part is about if my application requires... this seems a
>>   bit odd, since I'm using the Keycloak adapter but sure.
>> - The part that's missing is what gets set up in the actual broker. You
>>   mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In
>>   general these look like Keycloak specific parameters.
>>
>> Any thoughts?
>>
>> John
>>
>> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament wrote:
>>
>>> Ok, so I was able to get SP initiated working fine. I had only tried IDP
>>> when I sent this mail out.
>>>
>>> I'm going through this doc, and it's not clear to me on a few areas:
>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>
>>> - I have my application (the SP) and the SAML IDP (Okta in this case). I
>>>   have a link on the okta portal to login automatically to my SP.
>>> - I think the webpage is saying that this only works if I'm using the SAML
>>>   connector for keycloak, is that accurate?
>>> - All of my Okta settings are from getting SP initiated working. Do any
>>>   of those need to change?
>>> - Do I in fact set up Okta as a SAML client in Keycloak?
>>>
>>> John
>>>
>>> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament wrote:
>>>
>>>> Hi
>>>>
>>>> Just wondering, has anyone set up Keycloak w/ Okta? Every time I try to
>>>> authenticate (both SP initiated and IdP initiated) it fails with this error
>>>>
>>>> 01:40:54,626 WARN [org.keycloak.events] (default task-7)
>>>> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
>>>> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
>>>> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
>>>> (default task-7) staleCodeMessage
>>>>
>>>> I suspect it's a setup issue on my side, so was hoping someone else has
>>>> tried this and can give tips. I even tried the import feature, no luck.
>>>>
>>>> John

From john.d.ament at gmail.com Wed Feb 22 22:15:49 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 23 Feb 2017 03:15:49 +0000
Subject: [keycloak-user] IDP Initiated Login

This is the part that's confusing me.
What do you mean by a "URL somewhere that links to your app which will then redirect to keycloak"?

Are you talking about triggering the inbound IDP initiated by first calling into my app?

If I look at (Okta for instance) they actually have a portal-like site that users can leverage to directly link to their apps. The links generated here are doing IDP initiated SSO, by triggering SAML in the broker then the broker is expected to forward to the client (and mind you, I know very little about SAML, but this is how I'm seeing it behave in the browser).

With that said, assuming that I'm going the SAML connector route, it seems like what I have to do is:

- Create a SAML client for my application.
- Add the IDP initiated stuff to that client via
  https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
- Add that generated endpoint as the SAML endpoint in the IDP

John

On Wed, Feb 22, 2017 at 9:50 PM Bill Burke wrote:

> OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to
> create a URL somewhere that links to your app which will then redirect
> to Keycloak.
>
> On 2/22/17 8:23 PM, John D. Ament wrote:
>> Looks like I answered half of my question -
>> https://issues.jboss.org/browse/KEYCLOAK-4454
>>
>> Seems like it will only work if I'm using SAML.
>>
>> John
>>
>> On Wed, Feb 22, 2017 at 5:18 PM John D. Ament wrote:
>>
>>> Changing the subject to be a bit clearer about the problems.
>>>
>>> I think I'm understanding a bit further when reading through
>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>
>>> - It seems like my application has to be SAML. I cannot do an OIDC based
>>>   solution.
>>> - First thing I have to do is add IDP Initiated SSO URL Name to my
>>>   application.
>>> - The confusing part is about if my application requires... this seems a
>>>   bit odd, since I'm using the Keycloak adapter but sure.
>>> - The part that's missing is what gets set up in the actual broker. You
>>>   mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In
>>>   general these look like Keycloak specific parameters.
>>>
>>> Any thoughts?
>>>
>>> John
>>>
>>> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament wrote:
>>>
>>>> Ok, so I was able to get SP initiated working fine. I had only tried IDP
>>>> when I sent this mail out.
>>>>
>>>> I'm going through this doc, and it's not clear to me on a few areas:
>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>>
>>>> - I have my application (the SP) and the SAML IDP (Okta in this case). I
>>>>   have a link on the okta portal to login automatically to my SP.
>>>> - I think the webpage is saying that this only works if I'm using the SAML
>>>>   connector for keycloak, is that accurate?
>>>> - All of my Okta settings are from getting SP initiated working. Do any
>>>>   of those need to change?
>>>> - Do I in fact set up Okta as a SAML client in Keycloak?
>>>>
>>>> John
>>>>
>>>> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> Just wondering, has anyone set up Keycloak w/ Okta? Every time I try to
>>>>> authenticate (both SP initiated and IdP initiated) it fails with this error
>>>>>
>>>>> 01:40:54,626 WARN [org.keycloak.events] (default task-7)
>>>>> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
>>>>> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
>>>>> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
>>>>> (default task-7) staleCodeMessage
>>>>>
>>>>> I suspect it's a setup issue on my side, so was hoping someone else has
>>>>> tried this and can give tips. I even tried the import feature, no luck.
>>>>>
>>>>> John

From john.d.ament at gmail.com Wed Feb 22 22:18:32 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 23 Feb 2017 03:18:32 +0000
Subject: [keycloak-user] IDP Initiated Login

Ok, I must have fat fingered there at the end. Sorry.

With that said, assuming that I want IDP initiated login, it seems like what I have to do is:

- Create a SAML client in Keycloak for my application.
- Follow the IDP initiated flow from
  https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
- Point my IDP to the endpoint that gets generated in here.

As a result, it seems like I don't have to even create a SAML IDP in Keycloak, unless that somehow gets used for SP initiated.

John

On Wed, Feb 22, 2017 at 10:15 PM John D. Ament wrote:

> This is the part that's confusing me. What do you mean by a "URL
> somewhere that links to your app which will then redirect to keycloak"?
>
> Are you talking about triggering the inbound IDP initiated by first
> calling into my app?
>
> If I look at (Okta for instance) they actually have a portal-like site
> that users can leverage to directly link to their apps. The links
> generated here are doing IDP initiated SSO, by triggering SAML in the
> broker then the broker is expected to forward to the client (and mind you,
> I know very little about SAML, but this is how I'm seeing it behave in the
> browser).
>
> With that said, assum
>
>
> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke wrote:
>
>> OIDC/OAuth doesn't have an IDP initiated protocol.
>> You'll have to
>> create a URL somewhere that links to your app which will then redirect
>> to Keycloak.
>>
>> On 2/22/17 8:23 PM, John D. Ament wrote:
>>> Looks like I answered half of my question -
>>> https://issues.jboss.org/browse/KEYCLOAK-4454
>>>
>>> Seems like it will only work if I'm using SAML.
>>>
>>> John
>>>
>>> On Wed, Feb 22, 2017 at 5:18 PM John D. Ament wrote:
>>>
>>>> Changing the subject to be a bit clearer about the problems.
>>>>
>>>> I think I'm understanding a bit further when reading through
>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>>
>>>> - It seems like my application has to be SAML. I cannot do an OIDC based
>>>>   solution.
>>>> - First thing I have to do is add IDP Initiated SSO URL Name to my
>>>>   application.
>>>> - The confusing part is about if my application requires... this seems a
>>>>   bit odd, since I'm using the Keycloak adapter but sure.
>>>> - The part that's missing is what gets set up in the actual broker. You
>>>>   mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In
>>>>   general these look like Keycloak specific parameters.
>>>>
>>>> Any thoughts?
>>>>
>>>> John
>>>>
>>>> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament wrote:
>>>>
>>>>> Ok, so I was able to get SP initiated working fine. I had only tried IDP
>>>>> when I sent this mail out.
>>>>>
>>>>> I'm going through this doc, and it's not clear to me on a few areas:
>>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>>>
>>>>> - I have my application (the SP) and the SAML IDP (Okta in this case). I
>>>>>   have a link on the okta portal to login automatically to my SP.
>>>>> - I think the webpage is saying that this only works if I'm using the SAML
>>>>>   connector for keycloak, is that accurate?
>>>>> - All of my Okta settings are from getting SP initiated working. Do any
>>>>>   of those need to change?
>>>>> - Do I in fact set up Okta as a SAML client in Keycloak?
>>>>>
>>>>> John
>>>>>
>>>>> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament wrote:
>>>>>
>>>>>> Hi
>>>>>>
>>>>>> Just wondering, has anyone set up Keycloak w/ Okta? Every time I try to
>>>>>> authenticate (both SP initiated and IdP initiated) it fails with this error
>>>>>>
>>>>>> 01:40:54,626 WARN [org.keycloak.events] (default task-7)
>>>>>> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
>>>>>> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
>>>>>> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
>>>>>> (default task-7) staleCodeMessage
>>>>>>
>>>>>> I suspect it's a setup issue on my side, so was hoping someone else has
>>>>>> tried this and can give tips. I even tried the import feature, no luck.
>>>>>>
>>>>>> John

From bburke at redhat.com Wed Feb 22 23:23:50 2017
From: bburke at redhat.com (Bill Burke)
Date: Wed, 22 Feb 2017 23:23:50 -0500
Subject: [keycloak-user] IDP Initiated Login
Message-ID: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com>

IDP Initiated SSO means that the login is unsolicited, meaning that the application did not initiate the login. OAuth protocol (and thus OIDC) does not support this. The application has to initiate the login. I'm not sure exactly what you're trying to do, but if you just want a page where you can see a list of apps that you can visit, you can just create a simple static web page with links to your apps formatted and pretty as you want it.
Some IDPs or apps, Salesforce.com I think, require SAML IDP Initiated SSO and don't support the regular login protocol.

On 2/22/17 10:18 PM, John D. Ament wrote:
> Ok, I must have fat fingered there at the end. Sorry.
>
> With that said, assuming that I want IDP initiated login, it seems
> like what I have to do is:
>
> - Create a SAML client in Keycloak for my application.
> - Follow the IDP initiated flow from
>   https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> - Point my IDP to the endpoint that gets generated in here.
>
> As a result, it seems like I don't have to even create a SAML IDP in
> Keycloak, unless that somehow gets used for SP initiated.
>
> John
>
> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament wrote:
>
>> This is the part that's confusing me. What do you mean by a "URL
>> somewhere that links to your app which will then redirect to
>> keycloak"?
>>
>> Are you talking about triggering the inbound IDP initiated by
>> first calling into my app?
>>
>> If I look at (Okta for instance) they actually have a portal-like
>> site that users can leverage to directly link to their apps. The
>> links generated here are doing IDP initiated SSO, by triggering
>> SAML in the broker then the broker is expected to forward to the
>> client (and mind you, I know very little about SAML, but this is
>> how I'm seeing it behave in the browser).
>>
>> With that said, assum
>>
>>
>> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke wrote:
>>
>>> OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to
>>> create a URL somewhere that links to your app which will then
>>> redirect to Keycloak.
>>>
>>> On 2/22/17 8:23 PM, John D. Ament wrote:
>>>> Looks like I answered half of my question -
>>>> https://issues.jboss.org/browse/KEYCLOAK-4454
>>>>
>>>> Seems like it will only work if I'm using SAML.
>>>>
>>>> John
>>>>
>>>> On Wed, Feb 22, 2017 at 5:18 PM John D.
>>>> Ament wrote:
>>>>
>>>>> Changing the subject to be a bit clearer about the problems.
>>>>>
>>>>> I think I'm understanding a bit further when reading through
>>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>>>
>>>>> - It seems like my application has to be SAML. I cannot do
>>>>>   an OIDC based solution.
>>>>> - First thing I have to do is add IDP Initiated SSO URL
>>>>>   Name to my application.
>>>>> - The confusing part is about if my application requires...
>>>>>   this seems a bit odd, since I'm using the Keycloak adapter but sure.
>>>>> - The part that's missing is what gets set up in the actual
>>>>>   broker. You mention IDP Initiated SSO URL Name but I don't see that
>>>>>   field in IDPs. In general these look like Keycloak specific parameters.
>>>>>
>>>>> Any thoughts?
>>>>>
>>>>> John
>>>>>
>>>>> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament wrote:
>>>>>
>>>>>> Ok, so I was able to get SP initiated working fine. I had
>>>>>> only tried IDP when I sent this mail out.
>>>>>>
>>>>>> I'm going through this doc, and it's not clear to me on a
>>>>>> few areas:
>>>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>>>>
>>>>>> - I have my application (the SP) and the SAML IDP (Okta in
>>>>>>   this case). I have a link on the okta portal to login automatically to my SP.
>>>>>> - I think the webpage is saying that this only works if I'm
>>>>>>   using the SAML connector for keycloak, is that accurate?
>>>>>> - All of my Okta settings are from getting SP initiated
>>>>>>   working. Do any of those need to change?
>>>>>> - Do I in fact set up Okta as a SAML client in Keycloak?
>>>>>>
>>>>>> John
>>>>>>
>>>>>> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> Just wondering, has anyone set up Keycloak w/ Okta?
>>>>>>> Every time I try to
>>>>>>> authenticate (both SP initiated and IdP initiated) it fails
>>>>>>> with this error
>>>>>>>
>>>>>>> 01:40:54,626 WARN [org.keycloak.events] (default task-7)
>>>>>>> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
>>>>>>> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
>>>>>>> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
>>>>>>> (default task-7) staleCodeMessage
>>>>>>>
>>>>>>> I suspect it's a setup issue on my side, so was hoping
>>>>>>> someone else has tried this and can give tips. I even tried the import
>>>>>>> feature, no luck.
>>>>>>>
>>>>>>> John

From sthorger at redhat.com Wed Feb 22 23:36:24 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 23 Feb 2017 05:36:24 +0100
Subject: [keycloak-user] Keycloak 2.5.4.Final Released

Keycloak 2.5.4.Final is out. There's nothing much except a handful of bug fixes, but it's still worth upgrading.

To download the release go to the Keycloak homepage.

Highlights

- A few bug fixes

The full list of resolved issues is available in JIRA.

Upgrading

Before you upgrade remember to back up your database and check the migration guide.

From sthorger at redhat.com Thu Feb 23 00:15:23 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 23 Feb 2017 06:15:23 +0100
Subject: [keycloak-user] Doc links seem to be broken, or gitbooks down?
References: <294576258.22878342.1487799479964.JavaMail.zimbra@redhat.com>

Fixed

On 23 February 2017 at 02:43, Bill Burke wrote:

> Try this for now, not sure what's going on:
>
> https://www.gitbook.com/@keycloak
>
> On 2/22/17 4:37 PM, Scott Stark wrote:
>> I was just going to http://www.keycloak.org/documentation.html to
>> look up some info, and none of the documentation links are working at the
>> moment. All are returning 404s for me:
>>
>> [mep-starksm64 555]$ wget http://www.keycloak.org/docs/2.5/getting-started-tutorials/index.html
>> --2017-02-22 13:35:32--  http://www.keycloak.org/docs/2.5/getting-started-tutorials/index.html
>> Resolving www.keycloak.org... 151.101.24.133
>> Connecting to www.keycloak.org|151.101.24.133|:80... connected.
>> HTTP request sent, awaiting response... 404 Not Found
>> 2017-02-22 13:35:32 ERROR 404: Not Found.

From sstark at redhat.com Thu Feb 23 00:36:57 2017
From: sstark at redhat.com (Scott Stark)
Date: Thu, 23 Feb 2017 00:36:57 -0500 (EST)
Subject: [keycloak-user] Doc links seem to be broken, or gitbooks down?
References: <294576258.22878342.1487799479964.JavaMail.zimbra@redhat.com>
Message-ID: <992236929.23165092.1487828217392.JavaMail.zimbra@redhat.com>

Thanks, the doc links are working again as well.

----- Original Message -----
From: "Bill Burke"
To: keycloak-user at lists.jboss.org
Sent: Wednesday, February 22, 2017 5:43:42 PM
Subject: Re: [keycloak-user] Doc links seem to be broken, or gitbooks down?
Try this for now, not sure what's going on:

https://www.gitbook.com/@keycloak

On 2/22/17 4:37 PM, Scott Stark wrote:
> I was just going to http://www.keycloak.org/documentation.html to look up some info, and none of the documentation links are working at the moment. All are returning 404s for me:
>
> [mep-starksm64 555]$ wget http://www.keycloak.org/docs/2.5/getting-started-tutorials/index.html
> --2017-02-22 13:35:32--  http://www.keycloak.org/docs/2.5/getting-started-tutorials/index.html
> Resolving www.keycloak.org... 151.101.24.133
> Connecting to www.keycloak.org|151.101.24.133|:80... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2017-02-22 13:35:32 ERROR 404: Not Found.

From shane.boulden at gmail.com Thu Feb 23 01:19:18 2017
From: shane.boulden at gmail.com (Shane Boulden)
Date: Thu, 23 Feb 2017 17:19:18 +1100
Subject: [keycloak-user] Restrict access to a client to a subset of Keycloak users

Hi everyone,

I'm trying to figure out a fairly straight-forward problem set -

- I have a number of users in a Keycloak database, federated from an LDAP provider with a READ_ONLY policy (ie; I can't "disable" the users)
- I want to limit access to a client to only certain Keycloak users

I thought this would be possible with a role that is shared by the client and the user. However, it looks like Keycloak lets the application itself determine access via a role:
http://lists.jboss.org/pipermail/keycloak-user/2014-November/001205.html

But what if I can't update the application's behaviour? Eg; if I want to integrate Keycloak with OpenShift, and OpenShift doesn't consume any information from the OIDC provider?
In this particular example, I don't want to limit the users in the Keycloak database - I want to sync all users from LDAP, but limit application access to only a subset.

Any assistance is greatly appreciated.

Shane

From sts at ono.at Thu Feb 23 05:54:39 2017
From: sts at ono.at (Stefan Schlesinger)
Date: Thu, 23 Feb 2017 11:54:39 +0100
Subject: [keycloak-user] Directs Grants API & OTP
Message-ID: <301556EB-7C48-443E-8647-432C0836AE86@ono.at>

Hello,

I'm using the Direct Grants API as authentication backend for our Radius server.

Currently I'm unable to determine whether a user already has an OTP token configured or not, and thus our Radius server always prompts the user with an Access-Challenge dialog.

Users who haven't configured an OTP token yet won't be able to login, or in case I can work around this issue, will at least be presented with a question for an OTP token, which they are not aware of.

Is there a way I could improve this? Eg. an API call, which authenticated OpenIDC clients can trigger?

Best,

Stefan.

From john.d.ament at gmail.com Thu Feb 23 06:06:53 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 23 Feb 2017 11:06:53 +0000
Subject: [keycloak-user] IDP Initiated Login
In-Reply-To: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com>
References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com>

Right, at this point I'm not thinking about OIDC any longer as my connector. Does what I described make sense as things to be done?

On Wed, Feb 22, 2017 at 11:23 PM Bill Burke wrote:

> IDP Initiated SSO means that the login is unsolicited, meaning that the
> application did not initiate the login. OAuth protocol (and thus OIDC)
> does not support this. The application has to initiate the login. I'm not
> sure exactly what you're trying to do, but if you just want a page where
> you can see a list of apps that you can visit, you can just create a simple
> static web page with links to your apps formatted and pretty as you want it.
>
> Some IDPs or apps, Salesforce.com I think, require SAML IDP Initiated SSO
> and don't support the regular login protocol.
>
> On 2/22/17 10:18 PM, John D. Ament wrote:
>
>> Ok, I must have fat fingered there at the end. Sorry.
>>
>> With that said, assuming that I want IDP initiated login, it seems like
>> what I have to do is:
>>
>> - Create a SAML client in Keycloak for my application.
>> - Follow the IDP initiated flow from
>>   https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>> - Point my IDP to the endpoint that gets generated in here.
>>
>> As a result, it seems like I don't have to even create a SAML IDP in
>> Keycloak, unless that somehow gets used for SP initiated.
>>
>> John
>>
>> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament wrote:
>>
>>> This is the part that's confusing me. What do you mean by a "URL
>>> somewhere that links to your app which will then redirect to keycloak"?
>>>
>>> Are you talking about triggering the inbound IDP initiated by first
>>> calling into my app?
>>>
>>> If I look at (Okta for instance) they actually have a portal-like site
>>> that users can leverage to directly link to their apps. The links
>>> generated here are doing IDP initiated SSO, by triggering SAML in the
>>> broker then the broker is expected to forward to the client (and mind you,
>>> I know very little about SAML, but this is how I'm seeing it behave in the
>>> browser).
>>>
>>> With that said, assum
>>>
>>>
>>> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke wrote:
>>>
>>>> OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to
>>>> create a URL somewhere that links to your app which will then redirect
>>>> to Keycloak.
>>>>
>>>> On 2/22/17 8:23 PM, John D. Ament wrote:
>>>>> Looks like I answered half of my question -
>>>>> https://issues.jboss.org/browse/KEYCLOAK-4454
>>>>>
>>>>> Seems like it will only work if I'm using SAML.
>>>>>
>>>>> John
>>>>>
>>>>> On Wed, Feb 22, 2017 at 5:18 PM John D.
>>>>> Ament wrote:
>>>>>
>>>>>> Changing the subject to be a bit clearer about the problems.
>>>>>>
>>>>>> I think I'm understanding a bit further when reading through
>>>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>>>>
>>>>>> - It seems like my application has to be SAML. I cannot do an OIDC
>>>>>>   based solution.
>>>>>> - First thing I have to do is add IDP Initiated SSO URL Name to my
>>>>>>   application.
>>>>>> - The confusing part is about if my application requires... this seems a
>>>>>>   bit odd, since I'm using the Keycloak adapter but sure.
>>>>>> - The part that's missing is what gets set up in the actual broker. You
>>>>>>   mention IDP Initiated SSO URL Name but I don't see that field in IDPs.
>>>>>>   In general these look like Keycloak specific parameters.
>>>>>>
>>>>>> Any thoughts?
>>>>>>
>>>>>> John
>>>>>>
>>>>>> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament wrote:
>>>>>>
>>>>>>> Ok, so I was able to get SP initiated working fine. I had only tried
>>>>>>> IDP when I sent this mail out.
>>>>>>>
>>>>>>> I'm going through this doc, and it's not clear to me on a few areas:
>>>>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>>>>>>
>>>>>>> - I have my application (the SP) and the SAML IDP (Okta in this case).
>>>>>>>   I have a link on the okta portal to login automatically to my SP.
>>>>>>> - I think the webpage is saying that this only works if I'm using the
>>>>>>>   SAML connector for keycloak, is that accurate?
>>>>>>> - All of my Okta settings are from getting SP initiated working. Do any
>>>>>>>   of those need to change?
>>>>>>> - Do I in fact set up Okta as a SAML client in Keycloak?
>>>>>>>
>>>>>>> John
>>>>>>>
>>>>>>> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament wrote:
>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> Just wondering, has anyone set up Keycloak w/ Okta?
>>>>>>>> Every time I try to
>>>>>>>> authenticate (both SP initiated and IdP initiated) it fails with this
>>>>>>>> error
>>>>>>>>
>>>>>>>> 01:40:54,626 WARN [org.keycloak.events] (default task-7)
>>>>>>>> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
>>>>>>>> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
>>>>>>>> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
>>>>>>>> (default task-7) staleCodeMessage
>>>>>>>>
>>>>>>>> I suspect it's a setup issue on my side, so was hoping someone else has
>>>>>>>> tried this and can give tips. I even tried the import feature, no luck.
>>>>>>>>
>>>>>>>> John

From mposolda at redhat.com Thu Feb 23 07:55:00 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 23 Feb 2017 13:55:00 +0100
Subject: [keycloak-user] Directs Grants API & OTP
In-Reply-To: <301556EB-7C48-443E-8647-432C0836AE86@ono.at>
References: <301556EB-7C48-443E-8647-432C0836AE86@ono.at>
Message-ID: <704bf2f7-0bf7-4b4e-f151-3022a32a1d22@redhat.com>

Hmm.. I am looking at class ValidateOTP and there is an initial call to check whether OTP is configured for the user. Once you have this authenticator OPTIONAL, it should work. Do you have this OPTIONAL? Are you using this or another authenticator?

Marek

On 23/02/17 11:54, Stefan Schlesinger wrote:
> Hello,
>
> I'm using the Direct Grants API as authentication backend for our Radius server.
>
> Currently I'm unable to determine whether a user already has an OTP token configured or not,
> and thus our Radius server always prompts the user with an Access-Challenge dialog.
> > Users who haven?t configured an OTP token yet won?t be able to login, or in case I can work > around this issue, will at least be presented with a question for an OTP token, which they > are not aware of. > > Is there a way how I could improve this? Eg. an API call, which authenticated OpenIDC > clients can trigger? > > Best, > > Stefan. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Feb 23 08:07:04 2017 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 23 Feb 2017 14:07:04 +0100 Subject: [keycloak-user] Restrict access to a client to a subset of Keycloak users In-Reply-To: References: Message-ID: <472c5e00-d917-1a98-7f3b-91a6429a2f56@redhat.com> I can think of some workarounds. Like for example, create an Authenticator, which will be added to the bottom of the authentication flow. Authenticator will throw an exception in case that unpermitted user is trying to authenticate to the client corresponding to your openshift application. You have the user available (he is already authenticated) and you have also the client (can be determined based on clientId). Maybe even easier is to do that in custom RequiredActionProvider and do this check in "evaluateTriggers". This is workaround as it mixes authentication and authorization (among other issues). But hopefully it can suit your needs. Marek On 23/02/17 07:19, Shane Boulden wrote: > Hi everyone, > > I'm trying to figure out a fairly straight-forward problem set - > > - I have a number of users in a Keycloak database, federated from an > LDAP provider with a READ_ONLY policy (ie; I can't "disable" the users) > - I want to limit access to a client to only certain Keycloak users > > I thought this would be possible with a role that is shared by the client > and the user. 
However, it looks like Keycloak lets the application itself > determine access via a role: http://lists.jboss.org/ > pipermail/keycloak-user/2014-November/001205.html > > But what if I can't update the application's behaviour? Eg; if I want to > integrate Keycloak with OpenShift, and OpenShift doesn't consume any > information from the OIDC provider? > > In this particular example, I don't want to limit the users in the Keycloak > database - I want to sync all users from LDAP, but limit application access > to only a subset. > > Any assistance is greatly appreciated. > > Shane > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Feb 23 08:09:35 2017 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 23 Feb 2017 14:09:35 +0100 Subject: [keycloak-user] Does keycloak OIDC supports decryption of JWT token encrypted with JWE ? In-Reply-To: References: Message-ID: AFAIK we didn't yet test with the OIDC provider using encrypted token. Could you create JIRA for this and steps to reproduce (which OIDC provider you use. How to setup it etc). Thanks, Marek On 23/02/17 00:09, Haseb Ansari wrote: > Hello all, > > > I have setup a custom Open ID Connect provider for my external IDP and > the token request on my external IDP sends me an encrypted JWT with JWE > (JSON Web Encryption). I have the enc key with me but cannot understand how > use it with Identity Provider settings. > > Please help me out with this issue. > > Thanks in advance !!!!!! 
> > Regards, > Haseb > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From thomas.darimont at googlemail.com Thu Feb 23 09:24:47 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 23 Feb 2017 15:24:47 +0100 Subject: [keycloak-user] Restrict access to a client to a subset of Keycloak users In-Reply-To: <472c5e00-d917-1a98-7f3b-91a6429a2f56@redhat.com> References: <472c5e00-d917-1a98-7f3b-91a6429a2f56@redhat.com> Message-ID: Hello Shane, you could try to do that with the Javascript based Authenticator. Cheers, Thomas 2017-02-23 14:07 GMT+01:00 Marek Posolda : > I can think of some workarounds. Like for example, create an > Authenticator, which will be added to the bottom of the authentication > flow. Authenticator will throw an exception in case that unpermitted > user is trying to authenticate to the client corresponding to your > openshift application. You have the user available (he is already > authenticated) and you have also the client (can be determined based on > clientId). > > Maybe even easier is to do that in custom RequiredActionProvider and do > this check in "evaluateTriggers". > > This is workaround as it mixes authentication and authorization (among > other issues). But hopefully it can suit your needs. > > Marek > > On 23/02/17 07:19, Shane Boulden wrote: > > Hi everyone, > > > > I'm trying to figure out a fairly straight-forward problem set - > > > > - I have a number of users in a Keycloak database, federated from an > > LDAP provider with a READ_ONLY policy (ie; I can't "disable" the > users) > > - I want to limit access to a client to only certain Keycloak users > > > > I thought this would be possible with a role that is shared by the client > > and the user. 
However, it looks like Keycloak lets the application itself > > determine access via a role: http://lists.jboss.org/ > > pipermail/keycloak-user/2014-November/001205.html > > > > But what if I can't update the application's behaviour? Eg; if I want to > > integrate Keycloak with OpenShift, and OpenShift doesn't consume any > > information from the OIDC provider? > > > > In this particular example, I don't want to limit the users in the > Keycloak > > database - I want to sync all users from LDAP, but limit application > access > > to only a subset. > > > > Any assistance is greatly appreciated. > > > > Shane > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From skm.8896 at gmail.com Thu Feb 23 09:39:16 2017 From: skm.8896 at gmail.com (Saransh Kumar) Date: Thu, 23 Feb 2017 20:09:16 +0530 Subject: [keycloak-user] Authenticate a rest api using keycloak access token (received from Authorization header in the HTTP GET request from the front end) in node js Message-ID: down votefavorite var loadData = function () { var url = 'http://localhost:3000/users'; var req = new XMLHttpRequest(); req.open('GET', url, true); req.setRequestHeader('Accept', 'application/json'); req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token); req.onreadystatechange = function () { if (req.readyState == 4) { if (req.status == 200) { console.log('Success'); } else if (req.status == 403) { console.log('Forbidden'); } }} req.send(); }; Above is my front end code requesting the REST API and passing the keycloak token in the authorization header which will be needed for authentication at the node js server side. 
*Now I wanted to know how to secure my Rest Api using Keycloak and authenticate it on the basis of token received from the front end and tell whether the authentic user is requesting the rest api resource or not?* I have created a rest api in node js and used keycloak-connect npm packge. I have mapped the nodejs middleware with keycloak middleware. var express = require('express');var router = express.Router();var app = express();var Keycloak = require('keycloak-connect');var keycloak =new Keycloak(); app.use( keycloak.middleware( { logout: '/logout', admin: '/',} )); router.get('/users',function(req, res, next) {var token=req.headers['authorization']; //Access token received from front end //Now how to authenticate this token with keycloak??? }); I have also included the keycloak.json file in the root folder of my project. From bburke at redhat.com Thu Feb 23 09:56:55 2017 From: bburke at redhat.com (Bill Burke) Date: Thu, 23 Feb 2017 09:56:55 -0500 Subject: [keycloak-user] IDP Initiated Login In-Reply-To: References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com> Message-ID: I'm sorry, I only read the top half of the email thread. Is this what you want? 1. User logs into Okta 2. User clicks on app link in Okta 3. This app is actually secured by Keycloak, not Okta 4. You want some brokering done here between Keycloak and Okta. Is that it? On 2/23/17 6:06 AM, John D. Ament wrote: > Right, at this point I'm not thinking about OIDC any longer as my > connector. Does what I described make sense as things to be done? > > On Wed, Feb 22, 2017 at 11:23 PM Bill Burke > wrote: > > IDP Initiated SSO means that the login is unsolicited,meaning that > the application did not initiate the login. OAuth protocol (and > thus OIDC) does not support this. The application has to initiate > the login. 
>> I'm not sure exactly what you're trying to do, but if you just want a
>> page where you can see a list of apps that you can visit, you can just
>> create a simple static web page with links to your apps formatted and
>> pretty as you want it.
>>
>> Some IDPs or apps, Salesforce.com I think, require SAML IDP Initiated
>> SSO and don't support the regular login protocol.
>>
>> On 2/22/17 10:18 PM, John D. Ament wrote:
>>> Ok, I must have fat fingered there at the end. Sorry.
>>>
>>> With that said, assuming that I want IDP initiated login, it seems
>>> like what I have to do is:
>>>
>>> - Create a SAML client in Keycloak for my application.
>>> - Follow the IDP initiated flow from
>>>   https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
>>> - Point my IDP to the endpoint that gets generated in here.
>>>
>>> As a result, it seems like I don't have to even create a SAML IDP in
>>> Keycloak, unless that somehow gets used for SP initiated.
>>>
>>> John
>>>
>>> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament wrote:
>>>
>>>> This is the part that's confusing me. What do you mean by a "URL
>>>> somewhere that links to your app which will then redirect to keycloak"?
>>>>
>>>> Are you talking about triggering the inbound IDP initiated by first
>>>> calling into my app?
>>>>
>>>> If I look at (Okta for instance) they actually have a portal-like site
>>>> that users can leverage to directly link to their apps. The links
>>>> generated here are doing IDP initiated SSO, by triggering SAML in the
>>>> broker; then the broker is expected to forward to the client (and mind
>>>> you, I know very little about SAML, but this is how I'm seeing it
>>>> behave in the browser).
>>>>
>>>> With that said, assum
>>>>
>>>> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke wrote:
>>>>
>>>>> OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to
>>>>> create a URL somewhere that links to your app which will then redirect
>>>>> to Keycloak.
>>>>>
>>>>> On 2/22/17 8:23 PM, John D. Ament wrote:
>>>>>> Looks like I answered half of my question -
>>>>>> https://issues.jboss.org/browse/KEYCLOAK-4454
>>>>>>
>>>>>> Seems like it will only work if I'm using SAML.
>>>>>>
>>>>>> John

From john.d.ament at gmail.com  Thu Feb 23 10:10:15 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 23 Feb 2017 15:10:15 +0000
Subject: [keycloak-user] IDP Initiated Login
References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com>

Effectively, yes.

I just got *something* configured, though it resulted in an infinite loop.

1. Created a SAML client for my application, with the following custom
   settings:
   - Client ID: my-saml
   - IDP Initiated SSO URL Name: myapp-saml
   - Assertion Consumer Service POST Binding URL:
     http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml

2. Created a SAML IDP for Okta:
   - SSO URL:
     https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml

3. In Okta, set the SSO URL to
   http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml

This results in an infinite loop of URLs that look like:
http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue

- John

On Thu, Feb 23, 2017 at 9:57 AM Bill Burke wrote:
> I'm sorry, I only read the top half of the email thread.
>
> Is this what you want?
>
> 1. User logs into Okta
> 2. User clicks on app link in Okta
> 3. This app is actually secured by Keycloak, not Okta
> 4. You want some brokering done here between Keycloak and Okta.
>
> Is that it?

From bburke at redhat.com  Thu Feb 23 10:53:14 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 23 Feb 2017 10:53:14 -0500
Subject: [keycloak-user] IDP Initiated Login
References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com>

Yes, that would be an infinite loop as you are configuring Keycloak to
delegate authentication to Okta and Okta to delegate to Keycloak. You'd
have to:

1. Set up a client for your application in Keycloak
2. Set up a broker in Keycloak that points to Okta and set that as the
   automatic delegate. This means no Keycloak login screen would be shown
   and it would delegate directly to Okta for authentication.
3. Log into Okta
4. Get to Okta app screen.
5. Click on app link
6. App redirects to Keycloak for authentication
7. Keycloak redirects automatically to Okta
8. Okta sees you are already logged in
9. Redirects back to Keycloak
10. Creates SAML assertion or OIDC token for client
11. Redirects back to app.

On 2/23/17 10:10 AM, John D. Ament wrote:
> Effectively, yes.
>
> I just got *something* configured, though it resulted in an infinite loop.
>
> 1. Created a SAML client for my application, with the following custom
>    settings:
>    - Client ID: my-saml
>    - IDP Initiated SSO URL Name: myapp-saml
>    - Assertion Consumer Service POST Binding URL:
>      http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>
> 2. Created a SAML IDP for Okta:
>    - SSO URL:
>      https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml
>
> 3. In Okta, set the SSO URL to
>    http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>
> This results in an infinite loop of URLs that look like:
> http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue
>
> - John

From martin.hardselius at gmail.com  Thu Feb 23 11:17:44 2017
From: martin.hardselius at gmail.com (Martin Hardselius)
Date: Thu, 23 Feb 2017 16:17:44 +0000
Subject: [keycloak-user] SAML2.0 Identity Provider modify authn context / extensions

Hi,

Is there an easy way to add stuff to the authn context or add extensions to
the AuthN request? Or even add query parameters to the destination URL?

Context: The SAML2.0 Provider I'm integrating with supports several auth
methods. Usually you would end up on a method select page, where the options
are presented to you, once you've been forwarded to the IDP. They do however
support selecting an option directly by modifying the authncontext. They also
support prefilling information by adding extensions to the authn request or
supplying it through query params. Kind of like "login hint".

So. Easy way, or do I have to extend SAMLIdentityProvider?
Martin

From salvatore.incandela at redhat.com  Thu Feb 23 11:56:31 2017
From: salvatore.incandela at redhat.com (Salvatore Incandela)
Date: Thu, 23 Feb 2017 17:56:31 +0100
Subject: [keycloak-user] [Keycloak][Get identity provides roles]

Hi guys,

is it possible to populate user roles given by an identity provider (another
Keycloak instance), getting those from the JSON claim?

-- 
Salvatore Incandela
Middleware Consultant
------------------------------
Red Hat - www.redhat.com
Via Andrea Doria 41M
00192 Roma (Italy)
Mobile +39 349 6196615
Fax +39 06 39728535
E-mail salvatore.incandela at redhat.com

From john.d.ament at gmail.com  Thu Feb 23 12:11:06 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 23 Feb 2017 17:11:06 +0000
Subject: [keycloak-user] IDP Initiated Login
References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com>

Bill,

Thanks. How do I set "Automatic Delegate"?

John

On Thu, Feb 23, 2017 at 10:53 AM Bill Burke wrote:
> Yes, that would be an infinite loop as you are configuring Keycloak to
> delegate authentication to Okta and Okta to delegate to Keycloak. You'd
> have to:
>
> 1. Set up a client for your application in Keycloak
> 2. Set up a broker in Keycloak that points to Okta and set that as the
>    automatic delegate. This means no Keycloak login screen would be shown
>    and it would delegate directly to Okta for authentication.
> 3. Log into Okta
> 4. Get to Okta app screen.
> 5. Click on app link
> 6. App redirects to Keycloak for authentication
> 7. Keycloak redirects automatically to Okta
> 8. Okta sees you are already logged in
> 9. Redirects back to Keycloak
> 10. Creates SAML assertion or OIDC token for client
> 11. Redirects back to app.
>
> On 2/23/17 10:10 AM, John D. Ament wrote:
>
> Effectively, yes.
>
> I just got *something* configured, though it resulted in an infinite loop.
>
> 1. Created a SAML client for my application, with the following custom
>    settings:
>    - Client ID: my-saml
>    - IDP Initiated SSO URL Name: myapp-saml
>    - Assertion Consumer Service POST Binding URL:
>      http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>
> 2. Created a SAML IDP for Okta:
>    - SSO URL:
>      https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml
>
> 3. In Okta, set the SSO URL to
>    http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml
>
> This results in an infinite loop of URLs that look like:
> http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue
>
> - John
>
> On Thu, Feb 23, 2017 at 9:57 AM Bill Burke wrote:
>
> I'm sorry, I only read the top half of the email thread.
>
> Is this what you want?
>
> 1. User logs into Okta
> 2. User clicks on app link in Okta
> 3. This app is actually secured by Keycloak, not Okta
> 4. You want some brokering done here between Keycloak and Okta.
>
> Is that it?
>
> On 2/23/17 6:06 AM, John D. Ament wrote:
>
> Right, at this point I'm not thinking about OIDC any longer as my
> connector. Does what I described make sense as things to be done?
>
> On Wed, Feb 22, 2017 at 11:23 PM Bill Burke wrote:
>
> IDP Initiated SSO means that the login is unsolicited, meaning that the
> application did not initiate the login. OAuth protocol (and thus OIDC)
> does not support this. The application has to initiate the login. I'm not
> sure exactly what you're trying to do, but if you just want a page where
> you can see a list of apps that you can visit, you can just create a simple
> static web page with links to your apps formatted and pretty as you want it.
>
> Some IDPs or apps, Salesforce.com I think, require SAML IDP Initiated SSO
> and don't support the regular login protocol.
>
> On 2/22/17 10:18 PM, John D. Ament wrote:
>
> Ok, I must have fat fingered there at the end. Sorry.
>
> With that said, assuming that I want IDP initiated login, it seems like
> what I have to do is:
>
> - Create a SAML client in Keycloak for my application.
> - Follow the IDP initiated flow from
>   https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> - Point my IDP to the endpoint that gets generated in here.
>
> As a result, it seems like I don't have to even create a SAML IDP in
> Keycloak, unless that somehow gets used for SP initiated.
>
> John
>
> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament wrote:
>
> This is the part that's confusing me. What do you mean by a "URL
> somewhere that links to your app which will then redirect to keycloak"?
>
> Are you talking about triggering the inbound IDP initiated by first
> calling into my app?
>
> If I look at (Okta for instance) they actually have a portal-like site
> that users can leverage to directly link to their apps. The links
> generated here are doing IDP initiated SSO, by triggering SAML in the
> broker; then the broker is expected to forward to the client (and mind you,
> I know very little about SAML, but this is how I'm seeing it behave in the
> browser).
>
> With that said, assum
>
>
> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke wrote:
>
> OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to
> create a URL somewhere that links to your app which will then redirect
> to Keycloak.
>
>
> On 2/22/17 8:23 PM, John D. Ament wrote:
> > Looks like I answered half of my question -
> > https://issues.jboss.org/browse/KEYCLOAK-4454
> >
> > Seems like it will only work if I'm using SAML.
> >
> > John
> >
> > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament wrote:
> >
> >> Changing the subject to be a bit clearer about the problems.
> >>
> >> I think I'm understanding a bit further when reading through
> >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> >>
> >> - It seems like my application has to be SAML. I cannot do an OIDC based
> >>   solution.
> >> - First thing I have to do is add IDP Initiated SSO URL Name to my
> >>   application.
> >> - The confusing part is about if my application requires... this seems a
> >>   bit odd, since I'm using the Keycloak adapter, but sure.
> >> - The part that's missing is what gets set up in the actual broker. You
> >>   mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In
> >>   general these look like Keycloak specific parameters.
> >>
> >> Any thoughts?
> >>
> >> John
> >>
> >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament wrote:
> >>
> >> Ok, so I was able to get SP initiated working fine. I had only tried IDP
> >> when I sent this mail out.
> >>
> >> I'm going through this doc, and it's not clear to me on a few areas:
> >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html
> >>
> >> - I have my application (the SP) and the SAML IDP (Okta in this case). I
> >>   have a link on the Okta portal to log in automatically to my SP.
> >> - I think the webpage is saying that this only works if I'm using the SAML
> >>   connector for Keycloak, is that accurate?
> >> - All of my Okta settings are from getting SP initiated working. Do any
> >>   of those need to change?
> >> - Do I in fact set up Okta as a SAML client in Keycloak?
> >>
> >> John
> >>
> >>
> >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament wrote:
> >>
> >> Hi
> >>
> >> Just wondering, has anyone set up Keycloak w/ Okta?
Every time I try to > >> authenticate (both SP initiated and IdP initiated) it fails with this > error > >> > >> 01:40:54,626 WARN [org.keycloak.events] (default task-7) > >> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, > >> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage > >> 01:40:54,627 ERROR > [org.keycloak.services.resources.IdentityBrokerService] > >> (default task-7) staleCodeMessage > >> > >> I suspect it's a setup issue on my side, so was hoping someone else has > >> tried this and can give tips. I even tried the import feature, no luck. > >> > >> John > >> > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From kevinmarsden88 at gmail.com Thu Feb 23 12:20:20 2017 From: kevinmarsden88 at gmail.com (Kevin Marsden) Date: Thu, 23 Feb 2017 17:20:20 +0000 Subject: [keycloak-user] Unknown authentication mechanism KEYCLOAK In-Reply-To: References: Message-ID: Hello Marek. I managed (after some footwork to get all the dependencies in place) to get the JAX-RS quickstart to execute and deploy. It appears that the problem was related to Keycloak libraries that were not made available on the classpath when deploying the application, which makes sense since I was attempting to use a NetBeans JAX-RS project, and not the Maven build process which takes into account all of the dependencies required. I am now able to authenticate requests using an access token as expected. Thanks for all the help! On Wed, Feb 22, 2017 at 11:29 PM, Marek Posolda wrote: I can't see anything obvious from the first look. Maybe there needs to be "realm-name" under "login-config" in web.xml? Do you have keycloak.json inside your WAR? 
I suggest to look at our examples and compare those with your WAR file. Marek On 22/02/17 19:31, Kevin Marsden wrote: Good Day. I am unable to deploy a JAX-RS war to Wildfly 10.1, even after following the instructions in the documentation to the letter. I executed the patch script as follows:

jboss-cli.bat --connect --file="adapter-install.cli"
{"outcome" => "success"}
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
{
    "outcome" => "success",
    "result" => [("keycloak" => "1.1.0")],
    "response-headers" => {"process-state" => "reload-required"}
}
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

My standalone.xml has been updated as follows :

My web.xml is as follows :

<security-constraint>
    <web-resource-collection>
        <web-resource-name>webresources</web-resource-name>
        <url-pattern>/webresources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>

I would gladly appreciate any help at this stage. Kind Regards. Kevin. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Thu Feb 23 12:45:04 2017 From: bburke at redhat.com (Bill Burke) Date: Thu, 23 Feb 2017 12:45:04 -0500 Subject: [keycloak-user] IDP Initiated Login In-Reply-To: References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com> Message-ID: <7f44feef-5d12-0ecb-d284-8d972fb280a2@redhat.com> Hmmm....somebody removed this config option....wtf... On 2/23/17 12:11 PM, John D. Ament wrote: > Bill, > > Thanks. How do I set "Automatic Delegate"? > > John > > On Thu, Feb 23, 2017 at 10:53 AM Bill Burke > wrote: > > Yes, that would be an infinite loop as you are configuring > Keycloak to delegate authentication to Okta and Okta to delegate > to keycloak. You'd have to: > > 1. Set up a client for your application in Keycloak > > 2. Set up a broker in Keycloak that points to Okta and sets that > as the automatic delegate. 
This means no keycloak login screen > would be shown and it would delegate directly to Okta for > authentication. > > 3. Log into Okta > > 4. Get to Okta app screen. > > 5. Click on app link > > 6. App redirects to Keycloak for authentication > > 7. Keycloak redirects automatically to Okta > > 8. Okta sees you are already logged in > > 9. Redirects back to Keycloak > > 10. Creates SAML assertion or OIDC token for client > > 11. Redirects back to app. > > On 2/23/17 10:10 AM, John D. Ament wrote: >> Effectively, yes. >> >> I just got *something* configured, though it resulted in an >> infinite loop. >> >> 1. Created a SAML client for my application, with the following >> custom settings: >> - Client ID: my-saml >> - IDP Initiated SSO URL Name: myapp-saml >> - Assertion Consumer Service POST Binding URL: >> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml >> >> 2. Created a SAML IDP for Okta: >> - SSO URL: >> https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml >> >> 3. In Okta, set the SSO URL to >> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml >> >> This results in an infinite loop of URLs that look like: >> http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue >> >> - John >> >> On Thu, Feb 23, 2017 at 9:57 AM Bill Burke > > wrote: >> >> I'm sorry, I only read the top half of the email thread. >> >> Is this what you want? >> >> 1. User logs into Okta >> >> 2. User clicks on app link in Okta >> >> 3. This app is actually secured by Keycloak, not Okta >> >> 4. You want some brokering done here between Keycloak and Okta. >> >> Is that it? >> >> >> On 2/23/17 6:06 AM, John D. Ament wrote: >>> Right, at this point I'm not thinking about OIDC any longer >>> as my connector. Does what I described make sense as things >>> to be done? 
>>> >>> On Wed, Feb 22, 2017 at 11:23 PM Bill Burke >>> > wrote: >>> >>> IDP Initiated SSO means that the login is >>> unsolicited, meaning that the application did not >>> initiate the login. OAuth protocol (and thus OIDC) does >>> not support this. The application has to initiate the >>> login. I'm not sure exactly what you're trying to do, >>> but if you just want a page where you can see a list of >>> apps that you can visit, you can just create a simple >>> static web page with links to your apps formatted and >>> pretty as you want it. >>> >>> Some IDPs or apps, Salesforce.com I think, require SAML >>> IDP Initiated SSO and don't support the regular login >>> protocol. >>> >>> >>> On 2/22/17 10:18 PM, John D. Ament wrote: >>>> Ok, I must have fat fingered there at the end. Sorry. >>>> >>>> With that said, assuming that I want IDP initiated >>>> login, it seems like what I have to do is: >>>> >>>> - Create a SAML client in Keycloak for my application. >>>> - Follow the IDP initiated flow from >>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html >>>> - Point my IDP to the endpoint that gets generated in here. >>>> >>>> As a result, it seems like I don't have to even create >>>> a SAML IDP in Keycloak, unless that somehow gets used >>>> for SP initiated. >>>> >>>> John >>>> >>>> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament >>>> >>> > wrote: >>>> >>>> This is the part that's confusing me. What do you >>>> mean by a "URL somewhere that links to your app >>>> which will then redirect to keycloak"? >>>> >>>> Are you talking about triggering the inbound IDP >>>> initiated by first calling into my app? >>>> >>>> If I look at (Okta for instance) they actually have >>>> a portal-like site that users can leverage to >>>> directly link to their apps. 
The links generated >>>> here are doing IDP initiated SSO, by triggering >>>> SAML in the broker then the broker is expected to >>>> forward to the client (and mind you, I know very >>>> little about SAML, but this is how I'm seeing it >>>> behave in the browser). >>>> >>>> With that said, assum >>>> >>>> >>>> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke >>>> > wrote: >>>> >>>> OIDC/OAuth doesn't have an IDP initiated >>>> protocol. You'll have to >>>> create a URL somewhere that links to your app >>>> which will then redirect >>>> to Keycloak. >>>> >>>> >>>> On 2/22/17 8:23 PM, John D. Ament wrote: >>>> > Looks like I answered half of my question - >>>> > https://issues.jboss.org/browse/KEYCLOAK-4454 >>>> > >>>> > Seems like it will only work if I'm using SAML. >>>> > >>>> > John >>>> > >>>> > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament >>>> >>> > >>>> > wrote: >>>> > >>>> >> Changing the subject to be a bit clearer >>>> about the problems. >>>> >> >>>> >> I think I'm understanding a bit further. >>>> when reading through >>>> >> >>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html >>>> >> >>>> >> - It seems like my application has to be >>>> SAML. I cannot do an OIDC based >>>> >> solution. >>>> >> - First thing I have to do is add IDP >>>> Initiated SSO URL Name to my >>>> >> application. >>>> >> - The confusing part is about if my >>>> application requires... this seems a >>>> >> bit odd, since I'm using the Keycloak >>>> adapter but sure. >>>> >> - The part that's missing is what gets setup >>>> in the actual broker. You >>>> >> mention IDP Initiated SSO URL Name but I >>>> don't see that field in IDPs. In >>>> >> general these look like Keycloak specific >>>> parameters. >>>> >> >>>> >> Any thoughts? >>>> >> >>>> >> John >>>> >> >>>> >> On Mon, Feb 20, 2017 at 7:18 AM John D. >>>> Ament >>> > >>>> >> wrote: >>>> >> >>>> >> Ok, so I was able to get SP initiated >>>> working fine. 
I had only tried IDP >>>> >> when I sent this mail out. >>>> >> >>>> >> I'm going through this doc, and its not >>>> clear to me on a few areas: >>>> >> >>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html >>>> >> >>>> >> - I have my application (the SP) and the >>>> SAML IDP (Okta in this case). I >>>> >> have a link on the okta portal to login >>>> automatically to my SP. >>>> >> - I think the webpage is saying that this >>>> only works if I'm using the SAML >>>> >> connector for keycloak, is that accurate? >>>> >> - All of my Okta settings are from getting >>>> SP initiated working. Do any >>>> >> of those need to change? >>>> >> - Do I in fact setup Okta as a SAML client >>>> in Keycloak? >>>> >> >>>> >> John >>>> >> >>>> >> >>>> >> On Sun, Feb 19, 2017 at 8:47 PM John D. >>>> Ament >>> > >>>> >> wrote: >>>> >> >>>> >> Hi >>>> >> >>>> >> Just wondering, has anyone setup Keycloak w/ >>>> Okta? Every time I try to >>>> >> authenticate (both SP initiated and IdP >>>> initiated) it fails with this error >>>> >> >>>> >> 01:40:54,626 WARN [org.keycloak.events] >>>> (default task-7) >>>> >> type=IDENTITY_PROVIDER_LOGIN_ERROR, >>>> realmId=tenant1, clientId=null, >>>> >> userId=null, ipAddress=172.17.0.1, >>>> error=staleCodeMessage >>>> >> 01:40:54,627 ERROR >>>> [org.keycloak.services.resources.IdentityBrokerService] >>>> >> (default task-7) staleCodeMessage >>>> >> >>>> >> I suspect its a setup issue on my side, so >>>> was hoping someone else has >>>> >> tried this and can give tips. I even tried >>>> the import feature, no luck. 
>>>> >> >>>> >> John >>>> >> >>>> >> >>>> > _______________________________________________ >>>> > keycloak-user mailing list >>>> > keycloak-user at lists.jboss.org >>>> >>>> > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >> > From john.d.ament at gmail.com Thu Feb 23 12:54:37 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Thu, 23 Feb 2017 17:54:37 +0000 Subject: [keycloak-user] IDP Initiated Login In-Reply-To: <7f44feef-5d12-0ecb-d284-8d972fb280a2@redhat.com> References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com> <7f44feef-5d12-0ecb-d284-8d972fb280a2@redhat.com> Message-ID: :-) Well it seems not needed. Or we can worry about that later. - Is the client I'm setting up for my app a SAML client or OIDC client? Or does it not matter? - When I point Okta to my SAML IDP endpoint ( http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint ) I'm getting " WE'RE SORRY ... This page is no longer valid, please go back to your application and login again" - this kind of makes sense, I don't see how I'm telling the Okta IDP which app to forward to. John On Thu, Feb 23, 2017 at 12:45 PM Bill Burke wrote: > Hmmm....somebody removed this config option....wtf... > > On 2/23/17 12:11 PM, John D. Ament wrote: > > Bill, > > Thanks. How do i set "Automatic Delegate"? > > John > > On Thu, Feb 23, 2017 at 10:53 AM Bill Burke wrote: > > Yes, that would be an infinite loop as you are configuring Keycloak to > delegate authentication to Okta and Okta to delegate to keycloak. You'd > have to: > > 1. Set up a client for your application in Keycloak > > 2. Set up a broker in Keycloak that points to Okta and sets that as the > automatic delegate. This means no keycloak login screen would be shown and > it would delegate directly to Okta for authentication. 
> > 3. Log into Okta > > 4. Get to Okta app screen. > > 5. Click on app link > > 6. App redirects to Keycloak for authentication > > 7. Keycloak redirects automatically to Okta > > 8. Okta sees you are already logged in > > 9. Redirects back to Keycloak > > 10. Creates SAML assertion or OIDC token for client > > 11. Redirects back to app. > On 2/23/17 10:10 AM, John D. Ament wrote: > > Effectively, yes. > > I just got *something* configured, though it resulted in an infinite loop. > > 1. Created a SAML client for my application, with the following custom > settings: > - Client ID: my-saml > - IDP Initiated SSO URL Name: myapp-saml > - Assertion Consumer Service POST Binding URL: > http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml > > 2. Created a SAML IDP for Okta: > - SSO URL: > https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml > > 3. In Okta, set the SSO URL to > > http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml > > This results in an infinite loop of URLs that look like: > > http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue > > - John > > On Thu, Feb 23, 2017 at 9:57 AM Bill Burke wrote: > > I'm sorry, I only read the top half of the email thread. > > Is this what you want? > > 1. User logs into Okta > > 2. User clicks on app link in Okta > > 3. This app is actually secured by Keycloak, not Okta > > 4. You want some brokering done here between Keycloak and Okta. > > Is that it? > > On 2/23/17 6:06 AM, John D. Ament wrote: > > Right, at this point I'm not thinking about OIDC any longer as my > connector. Does what I described make sense as things to be done? > > On Wed, Feb 22, 2017 at 11:23 PM Bill Burke wrote: > > IDP Initiated SSO means that the login is unsolicited, meaning that the > application did not initiate the login. OAuth protocol (and thus OIDC) > does not support this. The application has to initiate the login. 
I'm not > sure exactly what you're trying to do, but if you just want a page where > you can see a list of apps that you can visit, you can just create a simple > static web page with links to your apps formatted and pretty as you want it. > > Some IDPs or apps, Salesforce.com I think, require SAML IDP Initiated SSO > and don't support the regular login protocol. > > On 2/22/17 10:18 PM, John D. Ament wrote: > > Ok, I must have fat fingered there at the end. Sorry. > > With that said, assuming that I want IDP initiated login, it seems like > what I have to do is: > > - Create a SAML client in Keycloak for my application. > - Follow the IDP initiated flow from > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html > - Point my IDP to the endpoint that gets generated in here. > > As a result, it seems like I don't have to even create a SAML IDP in > Keycloak, unless that somehow gets used for SP initiated. > > John > > On Wed, Feb 22, 2017 at 10:15 PM John D. Ament > wrote: > > This is the part that's confusing me. What do you mean by a "URL > somewhere that links to your app which will then redirect to keycloak"? > > Are you talking about triggering the inbound IDP initiated by first > calling into my app? > > If I look at (Okta for instance) they actually have a portal-like site > that users can leverage to directly link to their apps. The links > generated here are doing IDP initiated SSO, by triggering SAML in the > broker then the broker is expected to forward to the client (and mind you, > I know very little about SAML, but this is how I'm seeing it behave in the > browser). > > With that said, assum > > > On Wed, Feb 22, 2017 at 9:50 PM Bill Burke wrote: > > OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to > create a URL somewhere that links to your app which will then redirect > to Keycloak. > > > On 2/22/17 8:23 PM, John D. 
Ament wrote: > > Looks like I answered half of my question - > > https://issues.jboss.org/browse/KEYCLOAK-4454 > > > > Seems like it will only work if I'm using SAML. > > > > John > > > > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament > > wrote: > > > >> Changing the subject to be a bit clearer about the problems. > >> > >> I think I'm understanding a bit further. when reading through > >> > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html > >> > >> - It seems like my application has to be SAML. I cannot do an OIDC > based > >> solution. > >> - First thing I have to do is add IDP Initiated SSO URL Name to my > >> application. > >> - The confusing part is about if my application requires... this seems a > >> bit odd, since I'm using the Keycloak adapter but sure. > >> - The part that's missing is what gets setup in the actual broker. You > >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs. > In > >> general these look like Keycloak specific parameters. > >> > >> Any thoughts? > >> > >> John > >> > >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament > >> wrote: > >> > >> Ok, so I was able to get SP initiated working fine. I had only tried > IDP > >> when I sent this mail out. > >> > >> I'm going through this doc, and its not clear to me on a few areas: > >> > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html > >> > >> - I have my application (the SP) and the SAML IDP (Okta in this case). > I > >> have a link on the okta portal to login automatically to my SP. > >> - I think the webpage is saying that this only works if I'm using the > SAML > >> connector for keycloak, is that accurate? > >> - All of my Okta settings are from getting SP initiated working. Do any > >> of those need to change? > >> - Do I in fact setup Okta as a SAML client in Keycloak? > >> > >> John > >> > >> > >> On Sun, Feb 19, 2017 at 8:47 PM John D. 
Ament > >> wrote: > >> > >> Hi > >> > >> Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to > >> authenticate (both SP initiated and IdP initiated) it fails with this > error > >> > >> 01:40:54,626 WARN [org.keycloak.events] (default task-7) > >> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, > >> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage > >> 01:40:54,627 ERROR > [org.keycloak.services.resources.IdentityBrokerService] > >> (default task-7) staleCodeMessage > >> > >> I suspect its a setup issue on my side, so was hoping someone else has > >> tried this and can give tips. I even tried the import feature, no luck. > >> > >> John > >> > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > From shane.boulden at gmail.com Thu Feb 23 13:16:11 2017 From: shane.boulden at gmail.com (Shane Boulden) Date: Fri, 24 Feb 2017 05:16:11 +1100 Subject: [keycloak-user] Restrict access to a client to a subset of Keycloak users In-Reply-To: References: <472c5e00-d917-1a98-7f3b-91a6429a2f56@redhat.com> Message-ID: Thanks very much Marek and Thomas for taking the time to get back to me. I've found an example of a JS authenticator here: http://www.lookatsrc.com/source/scripts/authenticator-template.js?a=org.keycloak:keycloak-services Is this how I would build the custom authenticator, and extend it to check the user roles and clientID? Thanks Shane On 24 Feb. 2017 01:25, "Thomas Darimont" wrote: > Hello Shane, > > you could try to do that with the Javascript based Authenticator. > > Cheers, > Thomas > > 2017-02-23 14:07 GMT+01:00 Marek Posolda : > >> I can think of some workarounds. 
Like for example, create an >> Authenticator, which will be added to the bottom of the authentication >> flow. Authenticator will throw an exception in case that unpermitted >> user is trying to authenticate to the client corresponding to your >> openshift application. You have the user available (he is already >> authenticated) and you have also the client (can be determined based on >> clientId). >> >> Maybe even easier is to do that in custom RequiredActionProvider and do >> this check in "evaluateTriggers". >> >> This is workaround as it mixes authentication and authorization (among >> other issues). But hopefully it can suit your needs. >> >> Marek >> >> On 23/02/17 07:19, Shane Boulden wrote: >> > Hi everyone, >> > >> > I'm trying to figure out a fairly straight-forward problem set - >> > >> > - I have a number of users in a Keycloak database, federated from an >> > LDAP provider with a READ_ONLY policy (ie; I can't "disable" the >> users) >> > - I want to limit access to a client to only certain Keycloak users >> > >> > I thought this would be possible with a role that is shared by the >> client >> > and the user. However, it looks like Keycloak lets the application >> itself >> > determine access via a role: http://lists.jboss.org/ >> > pipermail/keycloak-user/2014-November/001205.html >> > >> > But what if I can't update the application's behaviour? Eg; if I want to >> > integrate Keycloak with OpenShift, and OpenShift doesn't consume any >> > information from the OIDC provider? >> > >> > In this particular example, I don't want to limit the users in the >> Keycloak >> > database - I want to sync all users from LDAP, but limit application >> access >> > to only a subset. >> > >> > Any assistance is greatly appreciated. 
>> > >> > Shane >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From shmuein+keycloak-dev at gmail.com Thu Feb 23 14:14:15 2017 From: shmuein+keycloak-dev at gmail.com (Muein Muzamil) Date: Thu, 23 Feb 2017 13:14:15 -0600 Subject: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI In-Reply-To: <24A76700-A8EA-4C9A-9E9A-736DA9E12A88@capraconsulting.no> References: <24A76700-A8EA-4C9A-9E9A-736DA9E12A88@capraconsulting.no> Message-ID: Hi All, I was looking at the workaround suggested as part of https://issues.jboss.org/browse/KEYCLOAK-1268 to basically remove the client composite roles from the admin role. Do we have any API available for this, which we can call after realm creation? Regards, Muein On Wed, Feb 15, 2017 at 5:04 AM, Colin Coleman wrote: > The -x trick gave me enough info to find this: > > > > https://issues.jboss.org/browse/KEYCLOAK-1268 > > > > And even if the workarounds work it looks like keycloak was not designed > and is not tested for the sort of multi-tenant setup I was trying to do. > > > > The jdbc driver version was a red herring - everything is the latest > version > > > > Using the CLI with -x I got the following > > > > HTTP error - 400 Bad Request > > org.keycloak.client.admin.cli.util.HttpResponseException: HTTP error - > 400 Bad Request > > at org.keycloak.client.admin.cli.util.HeadersBodyStatus. > checkSuccess(HeadersBodyStatus.java:61) > > at org.keycloak.client.admin.cli. > util.HttpUtil.checkSuccess(HttpUtil.java:329) > > at org.keycloak.client.admin.cli. > commands.AbstractRequestCmd.process(AbstractRequestCmd.java:363) > > at org.keycloak.client.admin.cli. 
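For the "Restrict access to a client to a subset of Keycloak users" thread above: the authenticator-template.js Shane found is the skeleton of Keycloak's script-based authenticator, and the check Marek describes (the user is already authenticated, the client is known from the session, fail the flow for an unpermitted user) fits into it. The script below is an added example written for this page; it is not from the thread and not Keycloak project code. Assumed names, none of which appear on the page: the restricted client has clientId `openshift` and access to it is granted by the client role `openshift-access` defined on that client. It expects the bindings the template documents (`realm`, `user`, `script`, `LOG`) under Keycloak's Nashorn engine; reading the client via `context.getClientSession()` is the 2.5.x API this thread is about, and `getAuthenticationSession()` is assumed to be the newer accessor, so both are tried. The policy decision is a plain function so it can be checked outside Keycloak.

```javascript
// Keycloak script authenticator: deny the login when the user lacks the role
// required for the client being logged into. Added example, not Keycloak code.
// Bindings supplied by Keycloak's script authenticator: realm, user, script, LOG.

// Assumed names: client "openshift" requires its own client role "openshift-access".
// Clients not listed here are not affected by this step.
var RESTRICTED_CLIENTS = {
    "openshift": "openshift-access"
};

// Pure policy lookup: which role, if any, gates this client?
function requiredRoleFor(clientId) {
    return Object.prototype.hasOwnProperty.call(RESTRICTED_CLIENTS, clientId)
        ? RESTRICTED_CLIENTS[clientId]
        : null;
}

// Pure decision. hasRole is a callback so the rule is testable without Keycloak:
// unlisted clients are allowed, listed clients need the role.
function isAllowed(clientId, hasRole) {
    var required = requiredRoleFor(clientId);
    return required === null || hasRole(required) === true;
}

// Keycloak 2.5.x exposes the client through the client session; the newer
// authentication-session accessor (assumption) is tried first.
function currentClient(context) {
    var s;
    try {
        s = context.getAuthenticationSession();
    } catch (e) {
        s = context.getClientSession();
    }
    return s.getClient();
}

// Java.type only exists inside Keycloak's engine; guarded so the pure functions
// above also run under Node for testing.
var AuthenticationFlowError = (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : null;

// Entry point Keycloak calls. Put the execution after the credential steps:
// "user" is only bound once the user has been identified.
function authenticate(context) {
    var client = currentClient(context);
    var clientId = String(client.getClientId());

    var allowed = isAllowed(clientId, function (roleName) {
        // Client-role lookup; user.hasRole also resolves composite and group roles.
        var role = client.getRole(roleName);
        return role !== null && user.hasRole(role);
    });

    if (!allowed) {
        LOG.warn(script.getName() + ": user " + user.getUsername()
            + " is not permitted to log in to client " + clientId);
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }
    context.success();
}
```

Add it as a Script execution at the end of a copy of the browser flow, mark it Required, and make that copy the realm's browser flow (newer versions can bind it per client). The same step has to exist in every flow through which that client can obtain a token, the direct grant flow included, or the restriction is bypassed there. As Marek says, this is an authentication-time workaround rather than an authorization policy: it does not touch sessions or tokens already issued.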
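On Muein's question above: the admin REST API can do it. In the master realm the `admin` role is a composite that picks up the roles of every `<realm>-realm` client, so each new realm enlarges the bearer token kcadm.sh sends in the Authorization header, which is the header-size failure Colin hit after about 20 realms (KEYCLOAK-1268). The script below is an added example, not code from the thread or from Keycloak: it removes the composites that belong to one realm's `<realm>-realm` client from master's `admin` role, using GET `/admin/realms/master/roles/admin/composites`, GET `/admin/realms/master/clients` and DELETE `/admin/realms/master/roles/admin/composites` with the ids to drop. Assumptions: Node 18 or later (global `fetch`); `KEYCLOAK_URL` including the context path (`http://localhost:8080/auth` for the 2.5 series); `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD` for a password grant against `admin-cli`, the client kcadm.sh itself uses; the realm name as the first argument. The selection is a pure function over the two JSON lists, with a constructed sample so it can be checked offline.

```javascript
// Strip one realm's "<realm>-realm" client roles out of master's composite "admin"
// role through the Keycloak admin REST API. Added example, not Keycloak code.
// Assumptions: Node 18+ (global fetch); env KEYCLOAK_URL (with context path, e.g.
// http://localhost:8080/auth), KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD.

// Pure selection: from the composites of master's "admin" role and master's client
// list, pick the client roles whose container is the "<realmName>-realm" client.
function compositesForRealm(composites, clients, realmName) {
  const realmClient = clients.find((c) => c.clientId === `${realmName}-realm`);
  if (!realmClient) return [];
  return composites.filter((r) => r.clientRole === true && r.containerId === realmClient.id);
}

// Constructed sample shaped like the two API responses (ids are made up).
function sampleData() {
  return {
    composites: [
      { id: "r1", name: "manage-realm", clientRole: true, containerId: "c1" },
      { id: "r2", name: "view-users", clientRole: true, containerId: "c1" },
      { id: "r3", name: "manage-realm", clientRole: true, containerId: "c2" },
      { id: "r4", name: "create-realm", clientRole: false, containerId: "master" },
    ],
    clients: [
      { id: "c1", clientId: "test13-realm" },
      { id: "c2", clientId: "test14-realm" },
      { id: "c3", clientId: "admin-cli" },
    ],
  };
}

// Password grant against admin-cli, the same client kcadm.sh uses.
async function adminToken(base, username, password) {
  const body = new URLSearchParams({ grant_type: "password", client_id: "admin-cli", username, password });
  const res = await fetch(`${base}/realms/master/protocol/openid-connect/token`, { method: "POST", body });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// One call against /admin/realms/master; 204 responses carry no body.
async function masterApi(base, token, method, path, payload) {
  const res = await fetch(`${base}/admin/realms/master${path}`, {
    method,
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: payload === undefined ? undefined : JSON.stringify(payload),
  });
  if (!res.ok) throw new Error(`${method} ${path} failed: HTTP ${res.status}`);
  return res.status === 204 ? null : res.json();
}

// Returns the names of the roles removed; a realm without a "<realm>-realm" client yields [].
async function dropRealmCompositesFromAdmin(base, token, realmName) {
  const composites = await masterApi(base, token, "GET", "/roles/admin/composites");
  const clients = await masterApi(base, token, "GET", "/clients");
  const toDrop = compositesForRealm(composites, clients, realmName);
  if (toDrop.length > 0) {
    // DELETE .../composites takes a JSON list of role representations; the id is enough.
    await masterApi(base, token, "DELETE", "/roles/admin/composites", toDrop.map((r) => ({ id: r.id })));
  }
  return toDrop.map((r) => r.name);
}

// Only talks to a server when pointed at one; the pure function runs anywhere.
if (typeof process !== "undefined" && process.env.KEYCLOAK_URL && process.argv[2]) {
  const base = process.env.KEYCLOAK_URL.replace(/\/$/, "");
  adminToken(base, process.env.KEYCLOAK_ADMIN, process.env.KEYCLOAK_ADMIN_PASSWORD)
    .then((token) => dropRealmCompositesFromAdmin(base, token, process.argv[2]))
    .then((names) => console.log(`removed from master admin: ${names.join(", ") || "(nothing)"}`))
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```

Run it once per realm right after `kcadm.sh create realms ...`, for example `node drop-realm-composites.js test13`. The trade-off is the one the workaround implies: master's `admin` user loses the rights it had over that realm, so the realm is then administered by a user inside it holding the realm's own `realm-management` roles, which also keeps every admin token small. The growth itself is visible by decoding the master admin's access token and counting the entries under `resource_access`.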
> commands.AbstractRequestCmd.execute(AbstractRequestCmd.java:126) > > at org.jboss.aesh.console.command.container. > DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:63) > > at org.jboss.aesh.console.command.container. > DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:48) > > at org.keycloak.client.admin.cli. > aesh.AeshConsoleCallbackImpl.execute(AeshConsoleCallbackImpl.java:54) > > at org.jboss.aesh.console.AeshProcess.run(AeshProcess. > java:53) > > at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > > at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > > at java.lang.Thread.run(Thread.java:745) > > Caused by: java.lang.RuntimeException: > > 400 Request Header Or Cookie Too Large > > > >

> > 400 Bad Request
> > Request Header Or Cookie Too Large
> > awselb/2.0
> > > > > > > > Colin > > > > From: Colin Coleman > Date: Wednesday, 15 February 2017 at 10:05 > To: Marko Strukelj > Cc: keycloak-user > Subject: Re: [keycloak-user] HTTP error - 400 Bad Request - create realm > CLI > > > > There is no stacktrace on the logs - I turned the level up > to debug and could find nothing then either. > > The only difference between a success when there were less than 20 realms > and a failure when there were more than 20 realms was a lack of debug > lines from org.hibernate which seems to show that the database never gets > queried when a 400 is produced. > > > > My Stack is: > > Ubuntu 16.04 > > openjdk version "1.8.0_121" > > PostgreSQL 9.6.1 (running on different machine) > > keycloak-2.5.1.Final - running using standalone-ha.xml > > DB driver: postgresql-9.4.1212.jre6.jar > > > > Writing this I notice that the db driver and db are not on the same level > - I will update this and test again. > > > > ------------------------------------------------ > > Colin > > > > From: Marko Strukelj > Date: Tuesday, 14 February 2017 at 18:16 > To: Colin Coleman > Cc: keycloak-user > Subject: Re: [keycloak-user] HTTP error - 400 Bad Request - create realm > CLI > > > > There is no such restriction, and I can't reproduce your issue. > > > > Is there any stacktrace on the server? > > > > Do you get any more information on the client if you add -x option? > > > > > > > > On Tue, Feb 14, 2017 at 1:01 PM, Colin Coleman > wrote: > > Hello, > > > > Is there a setting limiting the number of realms that can be created with > the CLI? > > When creating realms via the CLI I start getting HTTP error - 400 Bad > Request after about 20 realms > > > > > > kcadm.sh create realms -s realm=test3 -s enabled=true > > kcadm.sh create realms -s realm=test4 -s enabled=true > > kcadm.sh create realms -s realm=test5 -s enabled=true > > . > > . > > . > > > > I get > > > > . > > . 
> > Created new realm with id 'test13' > > Created new realm with id 'test14' > > HTTP error - 400 Bad Request > > HTTP error - 400 Bad Request > > . > > . > > . > > > > > > Colin > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Thu Feb 23 14:54:04 2017 From: bburke at redhat.com (Bill Burke) Date: Thu, 23 Feb 2017 14:54:04 -0500 Subject: [keycloak-user] IDP Initiated Login In-Reply-To: References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com> <7f44feef-5d12-0ecb-d284-8d972fb280a2@redhat.com> Message-ID: <370c8c63-b947-51c3-c703-b3e8ce45d71a@redhat.com> Maybe I should explain brokering? If you want Keycloak to delegate authentication to a different IDP, then you need to set up an Identity Provider. If you have a child IDP that is delegating authentication to Keycloak then you must set up a client within Keycloak. This client represents the connection to the child IDP. Does that shed any light on things? Is Keycloak delegating authentication to Okta? Or is Okta delegating to Keycloak? Thanks, Bill On 2/23/17 12:54 PM, John D. Ament wrote: > :-) > > Well it seems not needed. Or we can worry about that later. > > - Is the client I'm setting up for my app a SAML client or OIDC > client? Or does it not matter? > - When I point Okta to my SAML IDP endpoint ( > http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint > ) > I'm getting " WE'RE SORRY ... This page is no longer valid, please go > back to your application and login again" - this kind of makes sense, > I don't see how I'm telling the Okta IDP which app to forward to. 
> > John > > On Thu, Feb 23, 2017 at 12:45 PM Bill Burke > wrote: > > Hmmm....somebody removed this config option....wtf... > > > On 2/23/17 12:11 PM, John D. Ament wrote: >> Bill, >> >> Thanks. How do i set "Automatic Delegate"? >> >> John >> >> On Thu, Feb 23, 2017 at 10:53 AM Bill Burke > > wrote: >> >> Yes, that would be an infinite loop as you are configuring >> Keycloak to delegate authentication to Okta and Okta to >> delegate to keycloak. You'd have to: >> >> 1. Set up a client for your application in Keycloak >> >> 2. Set up a broker in Keycloak that points to Okta and sets >> that as the automatic delegate. This means no keycloak login >> screen would be shown and it would delegate directly to Okta >> for authentication. >> >> 3. Log into Okta >> >> 4. Get to Okta app screen. >> >> 5. Click on app link >> >> 6. App redirects to Keycloak for authentication >> >> 7. Keycloak redirects automatically to Okta >> >> 8. Okta sees you are already logged in >> >> 9. Redirects back to Keycloak >> >> 10. Creates SAML assertion or OIDC token for client >> >> 11. Redirects back to app. >> >> On 2/23/17 10:10 AM, John D. Ament wrote: >>> Effectively, yes. >>> >>> I just got *something* configured, though it resulted in an >>> infinite loop. >>> >>> 1. Created a SAML client for my application, with the >>> following custom settings: >>> - Client ID: my-saml >>> - IDP Initiated SSO URL Name: myapp-saml >>> - Assertion Consumer Service POST Binding URL: >>> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml >>> >>> 2. Created a SAML IDP for Okta: >>> - SSO URL: >>> https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml >>> >>> 3. 
In Okta, set the SSO URL to >>> http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml >>> >>> This results in an infinite loop of URLs that look like: >>> http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue >>> >>> - John >>> >>> On Thu, Feb 23, 2017 at 9:57 AM Bill Burke >>> > wrote: >>> >>> I'm sorry, I only read the top half of the email thread. >>> >>> Is this what you want? >>> >>> 1. User logs into Okta >>> >>> 2. User clicks on app link in Okta >>> >>> 3. This app is actually secured by Keycloak, not Okta >>> >>> 4. You want some brokering done here between Keycloak >>> and Okta. >>> >>> Is that it? >>> >>> >>> On 2/23/17 6:06 AM, John D. Ament wrote: >>>> Right, at this point I'm not thinking about OIDC any >>>> longer as my connector. Does what I described make >>>> sense as things to be done? >>>> >>>> On Wed, Feb 22, 2017 at 11:23 PM Bill Burke >>>> > wrote: >>>> >>>> IDP Initiated SSO means that the login is >>>> unsolicited,meaning that the application did not >>>> initiate the login. OAuth protocol (and thus OIDC) >>>> does not support this. The application has to >>>> initiate the login. I'm not sure exactly what >>>> you're trying to do, but if you just want a page >>>> where you can see a list of apps that you can >>>> visit, you can just create a simple static web page >>>> with links to your apps formatted and pretty as you >>>> want it. >>>> >>>> Some IDPs or apps, Saleforce.com I think, require >>>> SAML IDP Initiated SSO and don't support the >>>> regular login protocol. >>>> >>>> >>>> On 2/22/17 10:18 PM, John D. Ament wrote: >>>>> Ok, I must have fat fingered there at the end. >>>>> Sorry. >>>>> >>>>> With that said, assuming that I want IDP initiated >>>>> login, it seems like what I have to do is: >>>>> >>>>> - Create a SAML client in Keycloak for my application. 
>>>>> - Follow the IDP initiated flow from >>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html >>>>> - Point my IDP to the endpoint that gets generated >>>>> in here. >>>>> >>>>> As a result, it seems like I don't have to even >>>>> create a SAML IDP in Keycloak, unless that somehow >>>>> gets used for SP initiated. >>>>> >>>>> John >>>>> >>>>> On Wed, Feb 22, 2017 at 10:15 PM John D. Ament >>>>> >>>> > wrote: >>>>> >>>>> This is the part that's confusing me. What do >>>>> you mean by a "URL somewhere that links to >>>>> your app which will then redirect to keycloak"? >>>>> >>>>> Are you talking about triggering the inbound >>>>> IDP initiated by first calling into my app? >>>>> >>>>> If I look at (Okta for instance) they actually >>>>> have a portal-like site that users can >>>>> leverage to directly link to their apps. The >>>>> links generated here are doing IDP initiated >>>>> SSO, by triggering SAML in the broker then the >>>>> broker is expected to forward to the client >>>>> (and mind you, I know very little about SAML, >>>>> but this is how I'm seeing it behave in the >>>>> browser). >>>>> >>>>> With that said, assum >>>>> >>>>> >>>>> On Wed, Feb 22, 2017 at 9:50 PM Bill Burke >>>>> > >>>>> wrote: >>>>> >>>>> OIDC/OAuth doesn't have an IDP initiated >>>>> protocol. You'll have to >>>>> create a URL somewhere that links to your >>>>> app which will then redirect >>>>> to Keycloak. >>>>> >>>>> >>>>> On 2/22/17 8:23 PM, John D. Ament wrote: >>>>> > Looks like I answered half of my question - >>>>> > >>>>> https://issues.jboss.org/browse/KEYCLOAK-4454 >>>>> > >>>>> > Seems like it will only work if I'm >>>>> using SAML. >>>>> > >>>>> > John >>>>> > >>>>> > On Wed, Feb 22, 2017 at 5:18 PM John D. >>>>> Ament >>>> > >>>>> > wrote: >>>>> > >>>>> >> Changing the subject to be a bit >>>>> clearer about the problems. >>>>> >> >>>>> >> I think I'm understanding a bit >>>>> further. 
when reading through >>>>> >> >>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html >>>>> >> >>>>> >> - It seems like my application has to >>>>> be SAML. I cannot do an OIDC based >>>>> >> solution. >>>>> >> - First thing I have to do is add IDP >>>>> Initiated SSO URL Name to my >>>>> >> application. >>>>> >> - The confusing part is about if my >>>>> application requires... this seems a >>>>> >> bit odd, since I'm using the Keycloak >>>>> adapter but sure. >>>>> >> - The part that's missing is what gets >>>>> setup in the actual broker. You >>>>> >> mention IDP Initiated SSO URL Name but >>>>> I don't see that field in IDPs. In >>>>> >> general these look like Keycloak >>>>> specific parameters. >>>>> >> >>>>> >> Any thoughts? >>>>> >> >>>>> >> John >>>>> >> >>>>> >> On Mon, Feb 20, 2017 at 7:18 AM John D. >>>>> Ament >>>> > >>>>> >> wrote: >>>>> >> >>>>> >> Ok, so I was able to get SP initiated >>>>> working fine. I had only tried IDP >>>>> >> when I sent this mail out. >>>>> >> >>>>> >> I'm going through this doc, and its not >>>>> clear to me on a few areas: >>>>> >> >>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html >>>>> >> >>>>> >> - I have my application (the SP) and >>>>> the SAML IDP (Okta in this case). I >>>>> >> have a link on the okta portal to login >>>>> automatically to my SP. >>>>> >> - I think the webpage is saying that >>>>> this only works if I'm using the SAML >>>>> >> connector for keycloak, is that accurate? >>>>> >> - All of my Okta settings are from >>>>> getting SP initiated working. Do any >>>>> >> of those need to change? >>>>> >> - Do I in fact setup Okta as a SAML >>>>> client in Keycloak? >>>>> >> >>>>> >> John >>>>> >> >>>>> >> >>>>> >> On Sun, Feb 19, 2017 at 8:47 PM John D. >>>>> Ament >>>> > >>>>> >> wrote: >>>>> >> >>>>> >> Hi >>>>> >> >>>>> >> Just wondering, has anyone setup >>>>> Keycloak w/ Okta? 
Every time I try to >>>>> >> authenticate (both SP initiated and IdP >>>>> initiated) it fails with this error >>>>> >> >>>>> >> 01:40:54,626 WARN [org.keycloak.events] >>>>> (default task-7) >>>>> >> type=IDENTITY_PROVIDER_LOGIN_ERROR, >>>>> realmId=tenant1, clientId=null, >>>>> >> userId=null, ipAddress=172.17.0.1, >>>>> error=staleCodeMessage >>>>> >> 01:40:54,627 ERROR >>>>> [org.keycloak.services.resources.IdentityBrokerService] >>>>> >> (default task-7) staleCodeMessage >>>>> >> >>>>> >> I suspect its a setup issue on my side, >>>>> so was hoping someone else has >>>>> >> tried this and can give tips. I even >>>>> tried the import feature, no luck. >>>>> >> >>>>> >> John >>>>> >> >>>>> >> >>>>> > >>>>> _______________________________________________ >>>>> > keycloak-user mailing list >>>>> > keycloak-user at lists.jboss.org >>>>> >>>>> > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>> >> > From bruno at abstractj.org Thu Feb 23 16:03:21 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Thu, 23 Feb 2017 21:03:21 +0000 Subject: [keycloak-user] Authenticate a rest api using keycloak access token (received from Authorization header in the HTTP GET request from the front end) in node js In-Reply-To: References: Message-ID: Hi Saransh, take a look at this example https://github.com/keycloak/keycloak-quickstarts/tree/master/service-nodejs. 
And also at the docs:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/nodejs-adapter.html

On Thu, Feb 23, 2017 at 11:39 AM Saransh Kumar wrote:
> http://stackoverflow.com/questions/42394475/authenticate-a-rest-api-using-keycloak-access-token-received-from-authorization#
>
>     var loadData = function () {
>       var url = 'http://localhost:3000/users';
>       var req = new XMLHttpRequest();
>       req.open('GET', url, true);
>       req.setRequestHeader('Accept', 'application/json');
>       req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);
>
>       req.onreadystatechange = function () {
>         if (req.readyState == 4) {
>           if (req.status == 200) {
>             console.log('Success');
>           } else if (req.status == 403) {
>             console.log('Forbidden');
>           }
>         }
>       };
>
>       req.send();
>     };
>
> Above is my front end code requesting the REST API and passing the Keycloak
> token in the Authorization header, which will be needed for authentication
> at the Node.js server side.
>
> *Now I wanted to know how to secure my REST API using Keycloak and
> authenticate it on the basis of the token received from the front end, and
> tell whether an authentic user is requesting the REST API resource or not?*
>
> I have created a REST API in Node.js and used the keycloak-connect npm
> package. I have mapped the Node.js middleware with the Keycloak middleware.
>
>     var express = require('express');
>     var router = express.Router();
>     var app = express();
>     var Keycloak = require('keycloak-connect');
>     var keycloak = new Keycloak();
>
>     app.use(keycloak.middleware({
>       logout: '/logout',
>       admin: '/'
>     }));
>
>     router.get('/users', function (req, res, next) {
>       var token = req.headers['authorization']; // Access token received from front end
>       // Now how to authenticate this token with keycloak???
>     });
>
> I have also included the keycloak.json file in the root folder of my
> project.
From adam.keily at adelaide.edu.au Thu Feb 23 17:21:51 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Thu, 23 Feb 2017 22:21:51 +0000
Subject: [keycloak-user] Different TOC's for different clients
Message-ID:

Is it possible using Keycloak to present different TOC's, or a custom form, depending on the client the user is trying to access? Somehow we need to detect and intercept the login event on a per client basis.

From john.d.ament at gmail.com Thu Feb 23 20:43:26 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Fri, 24 Feb 2017 01:43:26 +0000
Subject: [keycloak-user] IDP Initiated Login
In-Reply-To: <370c8c63-b947-51c3-c703-b3e8ce45d71a@redhat.com>
References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com> <7f44feef-5d12-0ecb-d284-8d972fb280a2@redhat.com> <370c8c63-b947-51c3-c703-b3e8ce45d71a@redhat.com>
Message-ID:

Keycloak is delegating to Okta in my case. I almost want to say ELI5, but I'm not sure I'm that far off.

I still feel like there's a piece missing in my setup, based on what you're describing.

1. A user logs in to Okta. They see an option for my app, which is in fact Keycloak.
2. User clicks said link, it does IDP initiated auth to Keycloak.
3. User now has a session in keycloak.
4. ??
5. The user is now in my app.

The part that seems to be missing is 4. How am I telling keycloak that when a user comes in this way, they should then come to my app? Is that where I want to use "Assertion Consumer Service POST Binding URL"?

John

On Thu, Feb 23, 2017 at 2:54 PM Bill Burke wrote:

Maybe I should explain brokering?

If you want Keycloak to delegate authentication to a different IDP, then you need to set up an Identity Provider. If you have a child IDP that is delegating authentication to Keycloak then you must set up a client within Keycloak.
This client represents the connection to the child IDP. Does that shed any light on things? Is Keycloak delegating authentication to Okra? Or is Okra delegating to Keycloak? Thanks, Bill On 2/23/17 12:54 PM, John D. Ament wrote: :-) Well it seems not needed. Or we can worry about that later. - Is the client I'm setting up for my app a SAML client or OIDC client? Or does it not matter? - When I point Okta to my SAML IDP endpoint ( http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint ) I'm getting " WE'RE SORRY ... This page is no longer valid, please go back to your application and login again" - this kind of makes sense, I don't see how I'm telling the Okta IDP which app to forward to. John On Thu, Feb 23, 2017 at 12:45 PM Bill Burke wrote: Hmmm....somebody removed this config option....wtf... On 2/23/17 12:11 PM, John D. Ament wrote: Bill, Thanks. How do i set "Automatic Delegate"? John On Thu, Feb 23, 2017 at 10:53 AM Bill Burke wrote: Yes, that would be an infinite loop as you are configuring Keycloak to delegate authentication to Okta and Okta to delegate to keycloak. You'd have to: 1. Set up a client for your application in Keycloak 2. Set up a broker in Keycloak that points to Okta and sets that as the automatic delegate. This means no keycloak login screen would be shown and it would delegate directly to Okta for authentication. 3. Log into Okta 4. Get to Okta app screen. 5. Click on app link 6. App redirects to Keycloak for authentication 7. Keycloak redirects automatically to Okta 8. Okta sees you are already logged in 9. Redirects back to Keycloak 10. Creates SAML assertion or OIDC token for client 11. Redirects back to app. On 2/23/17 10:10 AM, John D. Ament wrote: Effectively, yes. I just got *something* configured, though it resulted in an infinite loop. 1. 
Created a SAML client for my application, with the following custom settings: - Client ID: my-saml - IDP Initiated SSO URL Name: myapp-saml - Assertion Consumer Service POST Binding URL: http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml 2. Created a SAML IDP for Okta: - SSO URL: https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml 3. In Okta, set the SSO URL to http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml This results in an infinite loop of URLs that look like: http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue - John On Thu, Feb 23, 2017 at 9:57 AM Bill Burke wrote: I'm sorry, I only read the top half of the email thread. Is this what you want? 1. User logs into Okta 2. User clicks on app link in Okta 3. This app is actually secured by Keycloak, not Okta 4. You want some brokering done here between Keycloak and Okta. Is that it? On 2/23/17 6:06 AM, John D. Ament wrote: Right, at this point I'm not thinking about OIDC any longer as my connector. Does what I described make sense as things to be done? On Wed, Feb 22, 2017 at 11:23 PM Bill Burke wrote: IDP Initiated SSO means that the login is unsolicited,meaning that the application did not initiate the login. OAuth protocol (and thus OIDC) does not support this. The application has to initiate the login. I'm not sure exactly what you're trying to do, but if you just want a page where you can see a list of apps that you can visit, you can just create a simple static web page with links to your apps formatted and pretty as you want it. Some IDPs or apps, Saleforce.com I think, require SAML IDP Initiated SSO and don't support the regular login protocol. On 2/22/17 10:18 PM, John D. Ament wrote: Ok, I must have fat fingered there at the end. Sorry. With that said, assuming that I want IDP initiated login, it seems like what I have to do is: - Create a SAML client in Keycloak for my application. 
- Follow the IDP initiated flow from https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html - Point my IDP to the endpoint that gets generated in here. As a result, it seems like I don't have to even create a SAML IDP in Keycloak, unless that somehow gets used for SP initiated. John On Wed, Feb 22, 2017 at 10:15 PM John D. Ament wrote: This is the part that's confusing me. What do you mean by a "URL somewhere that links to your app which will then redirect to keycloak"? Are you talking about triggering the inbound IDP initiated by first calling into my app? If I look at (Okta for instance) they actually have a portal-like site that users can leverage to directly link to their apps. The links generated here are doing IDP initiated SSO, by triggering SAML in the broker then the broker is expected to forward to the client (and mind you, I know very little about SAML, but this is how I'm seeing it behave in the browser). With that said, assum On Wed, Feb 22, 2017 at 9:50 PM Bill Burke wrote: OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to create a URL somewhere that links to your app which will then redirect to Keycloak. On 2/22/17 8:23 PM, John D. Ament wrote: > Looks like I answered half of my question - > https://issues.jboss.org/browse/KEYCLOAK-4454 > > Seems like it will only work if I'm using SAML. > > John > > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament > wrote: > >> Changing the subject to be a bit clearer about the problems. >> >> I think I'm understanding a bit further. when reading through >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html >> >> - It seems like my application has to be SAML. I cannot do an OIDC based >> solution. >> - First thing I have to do is add IDP Initiated SSO URL Name to my >> application. >> - The confusing part is about if my application requires... 
this seems a >> bit odd, since I'm using the Keycloak adapter but sure. >> - The part that's missing is what gets setup in the actual broker. You >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs. In >> general these look like Keycloak specific parameters. >> >> Any thoughts? >> >> John >> >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament >> wrote: >> >> Ok, so I was able to get SP initiated working fine. I had only tried IDP >> when I sent this mail out. >> >> I'm going through this doc, and its not clear to me on a few areas: >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html >> >> - I have my application (the SP) and the SAML IDP (Okta in this case). I >> have a link on the okta portal to login automatically to my SP. >> - I think the webpage is saying that this only works if I'm using the SAML >> connector for keycloak, is that accurate? >> - All of my Okta settings are from getting SP initiated working. Do any >> of those need to change? >> - Do I in fact setup Okta as a SAML client in Keycloak? >> >> John >> >> >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament >> wrote: >> >> Hi >> >> Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to >> authenticate (both SP initiated and IdP initiated) it fails with this error >> >> 01:40:54,626 WARN [org.keycloak.events] (default task-7) >> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, >> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage >> 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] >> (default task-7) staleCodeMessage >> >> I suspect its a setup issue on my side, so was hoping someone else has >> tried this and can give tips. I even tried the import feature, no luck. 
>> >> John
>>

From john.d.ament at gmail.com Thu Feb 23 21:14:01 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Fri, 24 Feb 2017 02:14:01 +0000
Subject: [keycloak-user] IDP Initiated Login
In-Reply-To:
References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com> <7f44feef-5d12-0ecb-d284-8d972fb280a2@redhat.com> <370c8c63-b947-51c3-c703-b3e8ce45d71a@redhat.com>
Message-ID:

After I sent this email, it dawned on me what #4 was. I was able to get IDP initiated working. Here's what my setup looks like. So I'm interested, is this correct, is this too much?

- Create an IDP for Okta.
- App Client:
  - This represents the real application, receiving the final assertion.
  - Client Protocol: SAML
  - IDP Initiated SSO Name: some-value
  - Assertion Consumer Service POST Binding URL: http://myapp/saml (the /saml comes from the wildfly SAML adapter)

Within Okta, I'm entering a URL like this:

http://mykeycloak/auth/realms/<realm>/broker/<alias>/endpoint/clients/<some-value>

Where:
  realm: your realm, e.g. tenant1 in my case
  alias: the value of the "alias" field from your IDP
  some-value: the IDP Initiated SSO Name value from above

After doing this, I'm able to confirm that the principal is coming from Keycloak properly. I'm assuming based on this, I can only do this via the SAML adapter, not the OIDC connector.

John

On Thu, Feb 23, 2017 at 8:43 PM John D. Ament wrote:
> Keycloak is delegating to Okta in my case. I almost want to say ELI5, but
> I'm not sure I'm that far off.
>
> I still feel like there's a piece missing in my setup, based on what
> you're describing.
>
> 1. A user logs in to Okta. They see an option for my app, which is in
> fact Keycloak.
> 2.
User clicks said link, it does IDP initiated auth to Keycloak. > 3. User now has a session in keycloak. > 4. ?? > 5. The user is now in my app. > > The part that seems to be missing is 4. How am I telling keycloak that > when a user comes in this way, they should then come to my app? Is that > where I want to use "Assertion Consumer Service POST Binding URL" ? > > John > > > On Thu, Feb 23, 2017 at 2:54 PM Bill Burke wrote: > > Maybe I should explain brokering? > > If you want Keycloak to delegate authentication to a different IDP, then > you need to set up an Identity Provider. If you have a child IDP that is > delegating authentication to Keycloak the you must set up a client within > Keycloak. This client represents the connection to the child IDP. Does > that shed any light on things? > > Is Keycloak delegating authentication to Okra? Or is Okra delegating to > Keycloak? > > Thanks, > > Bill > > On 2/23/17 12:54 PM, John D. Ament wrote: > > :-) > > Well it seems not needed. Or we can worry about that later. > > - Is the client I'm setting up for my app a SAML client or OIDC client? Or > does it not matter? > - When I point Okta to my SAML IDP endpoint ( > http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint > ) > I'm getting " WE'RE SORRY ... This page is no longer valid, please go back > to your application and login again" - this kind of makes sense, I don't > see how I'm telling the Okta IDP which app to forward to. > > John > > On Thu, Feb 23, 2017 at 12:45 PM Bill Burke wrote: > > Hmmm....somebody removed this config option....wtf... > > On 2/23/17 12:11 PM, John D. Ament wrote: > > Bill, > > Thanks. How do i set "Automatic Delegate"? > > John > > On Thu, Feb 23, 2017 at 10:53 AM Bill Burke wrote: > > Yes, that would be an infinite loop as you are configuring Keycloak to > delegate authentication to Okta and Okta to delegate to keycloak. You'd > have to: > > 1. Set up a client for your application in Keycloak > > 2. 
Set up a broker in Keycloak that points to Okta and sets that as the > automatic delegate. This means no keycloak login screen would be shown and > it would delegate directly to Okta for authentication. > > 3. Log into Okta > > 4. Get to Okta app screen. > > 5. Click on app link > > 6. App redirects to Keycloak for authentication > > 7. Keycloak redirects automatically to Okta > > 8. Okta sees you are already logged in > > 9. Redirects back to Keycloak > > 10. Creates SAML assertion or OIDC token for client > > 11. Redirects back to app. > On 2/23/17 10:10 AM, John D. Ament wrote: > > Effectively, yes. > > I just got *something* configured, though it resulted in an infinite loop. > > 1. Created a SAML client for my application, with the following custom > settings: > - Client ID: my-saml > - IDP Initiated SSO URL Name: myapp-saml > - Assertion Consumer Service POST Binding URL: > http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml > > 2. Created a SAML IDP for Okta: > - SSO URL: > https://myokta/app/oktaaccount_testkeycloak_1/exk9n6rr5eSDbwe4Y0h7/sso/saml > > 3. In Okta, set the SSO URL to > > http://mykeycloak/auth/realms/tenant1/broker/okta/endpoint/clients/myapp-saml > > This results in an infinite loop of URLs that look like: > > http://mykeycloak/auth/realms/tenant1/login-actions/required-action?code=someUUIDLikeValue > > - John > > On Thu, Feb 23, 2017 at 9:57 AM Bill Burke wrote: > > I'm sorry, I only read the top half of the email thread. > > Is this what you want? > > 1. User logs into Okta > > 2. User clicks on app link in Okta > > 3. This app is actually secured by Keycloak, not Okta > > 4. You want some brokering done here between Keycloak and Okta. > > Is that it? > > On 2/23/17 6:06 AM, John D. Ament wrote: > > Right, at this point I'm not thinking about OIDC any longer as my > connector. Does what I described make sense as things to be done? 
> > On Wed, Feb 22, 2017 at 11:23 PM Bill Burke wrote: > > IDP Initiated SSO means that the login is unsolicited,meaning that the > application did not initiate the login. OAuth protocol (and thus OIDC) > does not support this. The application has to initiate the login. I'm not > sure exactly what you're trying to do, but if you just want a page where > you can see a list of apps that you can visit, you can just create a simple > static web page with links to your apps formatted and pretty as you want it. > > Some IDPs or apps, Saleforce.com I think, require SAML IDP Initiated SSO > and don't support the regular login protocol. > > On 2/22/17 10:18 PM, John D. Ament wrote: > > Ok, I must have fat fingered there at the end. Sorry. > > With that said, assuming that I want IDP initiated login, it seems like > what I have to do is: > > - Create a SAML client in Keycloak for my application. > - Follow the IDP initiated flow from > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html > - Point my IDP to the endpoint that gets generated in here. > > As a result, it seems like I don't have to even create a SAML IDP in > Keycloak, unless that somehow gets used for SP initiated. > > John > > On Wed, Feb 22, 2017 at 10:15 PM John D. Ament > wrote: > > This is the part that's confusing me. What do you mean by a "URL > somewhere that links to your app which will then redirect to keycloak"? > > Are you talking about triggering the inbound IDP initiated by first > calling into my app? > > If I look at (Okta for instance) they actually have a portal-like site > that users can leverage to directly link to their apps. The links > generated here are doing IDP initiated SSO, by triggering SAML in the > broker then the broker is expected to forward to the client (and mind you, > I know very little about SAML, but this is how I'm seeing it behave in the > browser). 
> > With that said, assum > > > On Wed, Feb 22, 2017 at 9:50 PM Bill Burke wrote: > > OIDC/OAuth doesn't have an IDP initiated protocol. You'll have to > create a URL somewhere that links to your app which will then redirect > to Keycloak. > > > On 2/22/17 8:23 PM, John D. Ament wrote: > > Looks like I answered half of my question - > > https://issues.jboss.org/browse/KEYCLOAK-4454 > > > > Seems like it will only work if I'm using SAML. > > > > John > > > > On Wed, Feb 22, 2017 at 5:18 PM John D. Ament > > wrote: > > > >> Changing the subject to be a bit clearer about the problems. > >> > >> I think I'm understanding a bit further. when reading through > >> > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html > >> > >> - It seems like my application has to be SAML. I cannot do an OIDC > based > >> solution. > >> - First thing I have to do is add IDP Initiated SSO URL Name to my > >> application. > >> - The confusing part is about if my application requires... this seems a > >> bit odd, since I'm using the Keycloak adapter but sure. > >> - The part that's missing is what gets setup in the actual broker. You > >> mention IDP Initiated SSO URL Name but I don't see that field in IDPs. > In > >> general these look like Keycloak specific parameters. > >> > >> Any thoughts? > >> > >> John > >> > >> On Mon, Feb 20, 2017 at 7:18 AM John D. Ament > >> wrote: > >> > >> Ok, so I was able to get SP initiated working fine. I had only tried > IDP > >> when I sent this mail out. > >> > >> I'm going through this doc, and its not clear to me on a few areas: > >> > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html > >> > >> - I have my application (the SP) and the SAML IDP (Okta in this case). > I > >> have a link on the okta portal to login automatically to my SP. 
> >> - I think the webpage is saying that this only works if I'm using the > SAML > >> connector for keycloak, is that accurate? > >> - All of my Okta settings are from getting SP initiated working. Do any > >> of those need to change? > >> - Do I in fact setup Okta as a SAML client in Keycloak? > >> > >> John > >> > >> > >> On Sun, Feb 19, 2017 at 8:47 PM John D. Ament > >> wrote: > >> > >> Hi > >> > >> Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to > >> authenticate (both SP initiated and IdP initiated) it fails with this > error > >> > >> 01:40:54,626 WARN [org.keycloak.events] (default task-7) > >> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, > >> userId=null, ipAddress=172.17.0.1, error=staleCodeMessage > >> 01:40:54,627 ERROR > [org.keycloak.services.resources.IdentityBrokerService] > >> (default task-7) staleCodeMessage > >> > >> I suspect its a setup issue on my side, so was hoping someone else has > >> tried this and can give tips. I even tried the import feature, no luck. > >> > >> John > >> > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > From hmlnarik at redhat.com Fri Feb 24 02:30:08 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Fri, 24 Feb 2017 08:30:08 +0100 Subject: [keycloak-user] SAML2.0 Identity Provider modify authn context / extensions In-Reply-To: References: Message-ID: The latter, you need to extend SAMLIdentityProvider. I'd suggest adding extensions to the AuthnRequest via SAML2AuthnRequestBuilder.addExtension() method rather than supplying query params for the sake of simplicity. 
--Hynek

On 02/23/2017 05:17 PM, Martin Hardselius wrote: > Hi, > > Is there an easy way to add stuff to the authn context or add extensions to > the AuthN request? Or even add query parameters to the destination url? > > Context: > > The SAML2.0 Provider I'm integrating with supports several auth methods. > Usually you would end up on a method select page, where the options are > presented to you, once you've been forwarded to the IDP. They do however > support selecting an option directly by modifying the authncontext. They > also support prefilling information by adding extensions to the authn > request or supplying it through query params. Kind of like "login > hint". > > So. Easy way, or do I have to extend SAMLIdentityProvider? > > Martin > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From solsson at gmail.com Fri Feb 24 02:38:57 2017
From: solsson at gmail.com (Staffan)
Date: Fri, 24 Feb 2017 08:38:57 +0100
Subject: [keycloak-user] Clustered Keycloak in Kubernetes
Message-ID:

Hi,

I got a direct question based on the mailing list thread http://lists.jboss.org/pipermail/keycloak-user/2016-November/008470.html. The author tried different values in standalone-ha.xml but failed to get docker containers to "discover" each other. Here is my reply, which I think should be in the mailing list as well:

I never got the default JGroups config - UDP broadcast - to work in Kubernetes (except in single-node testing). May work in some k8s clusters, but I ended up switching to TCP. Instead of broadcast I chose JDBC for jgroups "ping". I summarized my conclusions in https://github.com/jboss-dockerfiles/keycloak/pull/62.

Regarding port binding I ended up using the interface "eth0" instead of an IP. It allowed external connections in all docker contexts I tested, without being specific to a network setup. 
You can see the config changes produced by the PR as a diff in the build output, for example: https://hub.docker.com/r/solsson/keycloak-ha-mysql/builds/btueapadj2mhwhuggjbne4j/

regards
/Staffan

From martin.hardselius at gmail.com Fri Feb 24 02:43:08 2017
From: martin.hardselius at gmail.com (Martin Hardselius)
Date: Fri, 24 Feb 2017 07:43:08 +0000
Subject: [keycloak-user] SAML2.0 Identity Provider modify authn context / extensions
In-Reply-To: References: Message-ID:

Got it, thanks!

On Fri, 24 Feb 2017 at 08:30 Hynek Mlnarik wrote: > The latter, you need to extend SAMLIdentityProvider. I'd suggest adding > extensions to the AuthnRequest via SAML2AuthnRequestBuilder.addExtension() > method rather than supplying query params for the sake of simplicity. > > --Hynek > > On 02/23/2017 05:17 PM, Martin Hardselius wrote: > > Hi, > > > > Is there an easy way to add stuff to the authn context or add extensions > to > > the AuthN request? Or even add query parameters to the destination url? > > > > Context: > > > > The SAML2.0 Provider I'm integrating with supports several auth methods. > > Usually you would end up on a method select page, where the options are > > presented to you, once you've been forwarded to the IDP. They do however > > support selecting an option directly by modifying the authncontext. They > > also support prefilling information by adding extensions to the authn > > request or supplying it through query params. Kind of like "login > > hint". > > > > So. Easy way, or do I have to extend SAMLIdentityProvider? 
> > > > Martin > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > >

From thomas.darimont at googlemail.com Fri Feb 24 04:16:49 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 24 Feb 2017 10:16:49 +0100
Subject: [keycloak-user] Best practices for multi-realm user management with Keycloak-Admin-Client
Message-ID:

Hello Group,

What's the current best practice to manage users in multiple realms via the keycloak-admin-client?

A simple variant is to create a dedicated confidential client "internal-realm-admin" in the master realm with only "direct access grants: on" and "service accounts enabled: on" and "standard flow enabled: off". Given that the Keycloak contains two other realms "tenant1" and "tenant2" besides master, we want to enable the service account for "internal-realm-admin" to manage users (CRUD) for those realms only.

Now this service client gets the following service-account client roles:
* "tenant1-realm": "manage-users" and "view-clients" (to list the applications)
* "tenant2-realm": "manage-users" and "view-clients" (to list the applications)

Now one can use this single client in a centralized service to manage both realms with a keycloak-admin-client constructed like this:

    // org.keycloak.admin.client.Keycloak / KeycloakBuilder and org.keycloak.OAuth2Constants
    Keycloak keycloak = KeycloakBuilder.builder()
        .serverUrl("http://192.168.99.1:8080/auth")
        .realm("master")                       // token is obtained from the master realm
        .clientId("internal-realm-admin")      // the confidential client with the service account
        .clientSecret("SECRET")
        .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
        .build();

To manage users in tenant1 one can now do something like that:

    keycloak.realm("tenant1").users().create(userRepresentation)

and for tenant2 ... 
    keycloak.realm("tenant2").users().create(userRepresentation)

Some Advantages:
+ one can globally manage users via a single centralized client
+ you can quickly generate a new secret for this single service
+ you don't need a dedicated user to manage other users

Some Disadvantages
- in certain environments this can be seen as a too privileged user / client
- user management operations are performed with the client service account and not a "real" user

I think with this approach one is quite flexible and still has the possibility to create a dedicated (tenant) realm admin user / client and exclude it from the "internal-realm-admin" for tenants who need explicit control over their user management.

Thoughts?

Cheers,
Thomas

From shane.boulden at gmail.com Fri Feb 24 05:33:17 2017
From: shane.boulden at gmail.com (Shane Boulden)
Date: Fri, 24 Feb 2017 21:33:17 +1100
Subject: [keycloak-user] Restrict access to a client to a subset of Keycloak users
In-Reply-To: References: <472c5e00-d917-1a98-7f3b-91a6429a2f56@redhat.com> Message-ID:

I got this working today with a custom auth flow, thanks heaps!

Just one thing - I've copied the 'Direct Grant Flow', and added a JS script at the end to only allow certain groups to authenticate using the OpenShift 'oc login' command from a prompt. This works allowing/denying access based on a group, however when a user does not belong to the correct group, the oc login prompt displays the following error:

"Error from server: Internal error: unexpected error: 500"

Here's the code I used for my JS script:

    function authenticate(context){
        var groups = user.getGroups();
        var group_array = groups.toArray();

        for (var i in group_array) {
            var gn = group_array[i].getName();
            if (gn === "openshift-access") {
                context.success();
                return;
            }
        }
        context.failure(authenticationflowerror.INVALID_USER)
        return;
    }

I thought this may be because the OpenShift CLI tool can't interpret the error message back from Keycloak. 
I've also tried the following, but I get a "ClassNotFound" exception when I try to import the OAuth2 error representation:

    Authenticationflowerror = Java.type("org.keycloak.authentication.AuthenticationFlowError");
    // Throws 'ClassNotFoundException
    Oauth2 = Java.type("org.keycloak.representations.idm.OAuth2ErrorRepresentation");
    Response = Java.type("javax.ws.rs.core.Response");
    MediaType = Java.Type("javax.ws.rs.core.MediaType");

    function authenticate(context) {
        var groups = user.getGroups();
        var group_array = groups.toArray();

        for (var i in group_array) {
            var gn = group_array[i].getName();
            if (gn === "openshift-access") {
                context.success();
                return;
            }
        }
        var errorRep = new Oauth2("invalid_grant","invalid_user_credentials");
        response = Response.status(401).type(MediaType.APPLICATION_JSON_TYPE).build();

        context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, response);
        return;
    }

Any ideas or assistance is appreciated.

Shane

On Fri, Feb 24, 2017 at 5:16 AM, Shane Boulden wrote: > Thanks very much Marek and Thomas for taking the time to get back to me. > > I've found an example of a JS authenticator here: > http://www.lookatsrc.com/source/scripts/authenticator-template.js?a=org.keycloak:keycloak-services > > Is this how I would build the custom authenticator, and extend it to check > the user roles and clientID? > > Thanks > > Shane > > On 24 Feb. 2017 01:25, "Thomas Darimont" > wrote: > >> Hello Shane, >> >> you could try to do that with the Javascript based Authenticator. >> >> Cheers, >> Thomas >> >> 2017-02-23 14:07 GMT+01:00 Marek Posolda : >> >>> I can think of some workarounds. Like for example, create an >>> Authenticator, which will be added to the bottom of the authentication >>> flow. Authenticator will throw an exception in case that unpermitted >>> user is trying to authenticate to the client corresponding to your >>> openshift application. 
You have the user available (he is already >>> authenticated) and you have also the client (can be determined based on >>> clientId). >>> >>> Maybe even easier is to do that in custom RequiredActionProvider and do >>> this check in "evaluateTriggers". >>> >>> This is workaround as it mixes authentication and authorization (among >>> other issues). But hopefully it can suit your needs. >>> >>> Marek >>> >>> On 23/02/17 07:19, Shane Boulden wrote: >>> > Hi everyone, >>> > >>> > I'm trying to figure out a fairly straight-forward problem set - >>> > >>> > - I have a number of users in a Keycloak database, federated from >>> an >>> > LDAP provider with a READ_ONLY policy (ie; I can't "disable" the >>> users) >>> > - I want to limit access to a client to only certain Keycloak users >>> > >>> > I thought this would be possible with a role that is shared by the >>> client >>> > and the user. However, it looks like Keycloak lets the application >>> itself >>> > determine access via a role: http://lists.jboss.org/ >>> > pipermail/keycloak-user/2014-November/001205.html >>> > >>> > But what if I can't update the application's behaviour? Eg; if I want >>> to >>> > integrate Keycloak with OpenShift, and OpenShift doesn't consume any >>> > information from the OIDC provider? >>> > >>> > In this particular example, I don't want to limit the users in the >>> Keycloak >>> > database - I want to sync all users from LDAP, but limit application >>> access >>> > to only a subset. >>> > >>> > Any assistance is greatly appreciated. 
>>> > >>> > Shane >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >>

From thomas.darimont at googlemail.com Fri Feb 24 06:19:36 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 24 Feb 2017 12:19:36 +0100
Subject: [keycloak-user] Restrict access to a client to a subset of Keycloak users
In-Reply-To: References: <472c5e00-d917-1a98-7f3b-91a6429a2f56@redhat.com> Message-ID:

FYI I just gave this a spin...

It seems that the ScriptAuthenticator currently has no binding for clientSession in order to access the client id for authentication, e.g. this is missing in ScriptBasedAuthenticator:

    bindings.put("clientSession", context.getClientSession());

I'll send a PR which adds that binding. This will then make it possible to provide client-specific authentication behaviour.

Cheers,
Thomas

2017-02-24 11:33 GMT+01:00 Shane Boulden : > I got this working today with a custom auth flow, thanks heaps! > > Just one thing - I've copied the 'Direct Grant Flow', and added a JS > script at the end to only allow certain groups to authenticate using the > OpenShift 'oc login' command from a prompt. 
> > This works allowing/denying access based on a group, however when a user > does not belong to the correct group, the oc login prompt displays the > following error: > > "Error from server: Internal error: unexpected error: 500" > > Here's the code I used for my JS script: > > function authenticate(context){ > var groups = user.getGroups(); > var group_array = groups.toArray(); > > for (var i in group_array) { > var gn = group_array[i].getName(); > > if (gn === "openshift-access") { > context.success(); > return; > } > } > context.failure(authenticationflowerror.INVALID_USER) > return; > } > > I thought this may be because the OpenShift CLI tool can't interpret the > error message back from Keycloak. I've also tried the following, but I get > a "ClassNotFound" exception when I try to import the OAuth2 error > representation: > > Authenticationflowerror = Java.type("org.keycloak.authen > tication.AuthenticationFlowError"); > // Throws 'ClassNotFoundException > Oauth2 = Java.type("org.keycloak.representations.idm.OAuth2ErrorRepre > sentation"); > Response = Java.type("javax.ws.rs.core.Response"); > MediaType = Java.Type("javax.ws.rs.core.MediaType"); > > function authenticate(context) { > var groups = user.getGroups(); > var group_array = groups.toArray(); > > for (var i in group_array) { > var gn = group_array[i].getName(); > > if (gn === "openshift-access") { > context.success(); > return; > } > } > var errorRep = new Oauth2("invalid_grant","invalid_user_credentials"); > response = Response.status(401).type(MediaType.APPLICATION_JSON_TYPE). > build(); > > context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, response); > return; > } > > Any ideas or assistance is appreciated. > > Shane > > On Fri, Feb 24, 2017 at 5:16 AM, Shane Boulden > wrote: > >> Thanks very much Marek and Thomas for taking the time to get back to me. 
>> >> I've found an example of a JS authenticator here: >> http://www.lookatsrc.com/source/scripts/authenticator-templ >> ate.js?a=org.keycloak:keycloak-services >> >> Is this how I would build the custom authenticator, and extend it to >> check the user roles and clientID? >> >> Thanks >> >> Shane >> >> On 24 Feb. 2017 01:25, "Thomas Darimont" >> wrote: >> >>> Hello Shane, >>> >>> you could try to do that with the Javascript based Authenticator. >>> >>> Cheers, >>> Thomas >>> >>> 2017-02-23 14:07 GMT+01:00 Marek Posolda : >>> >>>> I can think of some workarounds. Like for example, create an >>>> Authenticator, which will be added to the bottom of the authentication >>>> flow. Authenticator will throw an exception in case that unpermitted >>>> user is trying to authenticate to the client corresponding to your >>>> openshift application. You have the user available (he is already >>>> authenticated) and you have also the client (can be determined based on >>>> clientId). >>>> >>>> Maybe even easier is to do that in custom RequiredActionProvider and do >>>> this check in "evaluateTriggers". >>>> >>>> This is workaround as it mixes authentication and authorization (among >>>> other issues). But hopefully it can suit your needs. >>>> >>>> Marek >>>> >>>> On 23/02/17 07:19, Shane Boulden wrote: >>>> > Hi everyone, >>>> > >>>> > I'm trying to figure out a fairly straight-forward problem set - >>>> > >>>> > - I have a number of users in a Keycloak database, federated from >>>> an >>>> > LDAP provider with a READ_ONLY policy (ie; I can't "disable" the >>>> users) >>>> > - I want to limit access to a client to only certain Keycloak >>>> users >>>> > >>>> > I thought this would be possible with a role that is shared by the >>>> client >>>> > and the user. 
However, it looks like Keycloak lets the application >>>> itself >>>> > determine access via a role: http://lists.jboss.org/ >>>> > pipermail/keycloak-user/2014-November/001205.html >>>> > >>>> > But what if I can't update the application's behaviour? Eg; if I want >>>> to >>>> > integrate Keycloak with OpenShift, and OpenShift doesn't consume any >>>> > information from the OIDC provider? >>>> > >>>> > In this particular example, I don't want to limit the users in the >>>> Keycloak >>>> > database - I want to sync all users from LDAP, but limit application >>>> access >>>> > to only a subset. >>>> > >>>> > Any assistance is greatly appreciated. >>>> > >>>> > Shane >>>> > _______________________________________________ >>>> > keycloak-user mailing list >>>> > keycloak-user at lists.jboss.org >>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> > From sthorger at redhat.com Fri Feb 24 07:04:47 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 24 Feb 2017 13:04:47 +0100 Subject: [keycloak-user] Stack Overflow Message-ID: We're considering dropping the Keycloak user mailing list and moving to Stack Overflow instead. Thoughts? From john.d.ament at gmail.com Fri Feb 24 07:15:01 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Fri, 24 Feb 2017 12:15:01 +0000 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: Message-ID: Just took a quick look at the SO traffic for keycloak. It seems like the ML is higher volume than SO. You may want to start by adding links to SO tags from keycloak.org and see if it picks up. My 0.02. On Fri, Feb 24, 2017 at 7:05 AM Stian Thorgersen wrote: > We're considering dropping the Keycloak user mailing list and moving to > Stack Overflow instead. > > Thoughts? 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From john.d.ament at gmail.com Fri Feb 24 07:16:20 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Fri, 24 Feb 2017 12:16:20 +0000
Subject: [keycloak-user] Licensing on Keycloak Documentation Repo
Message-ID:

Hi

I was wondering, I'm assuming that the repo was recently split, can a license file be added to it?

https://github.com/keycloak/keycloak-documentation

Right now it's ambiguous, I'm assuming it's either inheriting the parent Apache license or you're using some CC license.

John

From bruno at abstractj.org Fri Feb 24 07:18:12 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 24 Feb 2017 12:18:12 +0000
Subject: [keycloak-user] Stack Overflow
In-Reply-To: References: Message-ID:

+1

On Fri, Feb 24, 2017 at 9:04 AM Stian Thorgersen wrote: > We're considering dropping the Keycloak user mailing list and moving to > Stack Overflow instead. > > Thoughts? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From sthorger at redhat.com Fri Feb 24 07:21:43 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 24 Feb 2017 13:21:43 +0100
Subject: [keycloak-user] Stack Overflow
In-Reply-To: References: Message-ID:

I think it's reasonably easy to move the volume. We'll just stop responding to the user mailing list and direct folks to SO.

I'm primarily looking for feedback on mailing list vs Stack Overflow at this point though.

On 24 February 2017 at 13:15, John D. Ament wrote: > Just took a quick look at the SO traffic for keycloak. > > It seems like the ML is higher volume than SO. You may want to start by > adding links to SO tags from keycloak.org and see if it picks up. > > My 0.02. 
> > On Fri, Feb 24, 2017 at 7:05 AM Stian Thorgersen > wrote: > >> We're considering dropping the Keycloak user mailing list and moving to >> Stack Overflow instead. >> >> Thoughts? >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From john.d.ament at gmail.com Fri Feb 24 07:24:57 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Fri, 24 Feb 2017 12:24:57 +0000 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: Message-ID: Oh? Then my opinion, SO is a noisy mess of questions. I used to use it regularly, not so much lately. I think you would lose value IMHO moving to only SO. John On Fri, Feb 24, 2017 at 7:21 AM Stian Thorgersen wrote: > I think it's reasonable easy to move the volume. We'll just stop > responding to the user mailing list and direct folks to SO. > > I primarily looking for feedback on mailing list vs Stack Overflow at this > point though. > > On 24 February 2017 at 13:15, John D. Ament > wrote: > > Just took a quick look at the SO traffic for keycloak. > > It seems like the ML is higher volume than SO. You may want to start by > adding links to SO tags from keycloak.org and see if it picks up. > > My 0.02. > > On Fri, Feb 24, 2017 at 7:05 AM Stian Thorgersen > wrote: > > We're considering dropping the Keycloak user mailing list and moving to > Stack Overflow instead. > > Thoughts? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From bruno at abstractj.org Fri Feb 24 07:39:23 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 24 Feb 2017 12:39:23 +0000 Subject: [keycloak-user] Licensing on Keycloak Documentation Repo In-Reply-To: References: Message-ID: Could you please file a Jira to track this issue? On Fri, Feb 24, 2017 at 9:24 AM John D. 
Ament wrote: > Hi > > I was wondering, I'm assuming that the repo was recently split, can a > license file be added to it? > > https://github.com/keycloak/keycloak-documentation > > Right now its ambiguous, I'm assuming its either inheriting the parent > Apache license or you're using some CC license. > > John > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Feb 24 07:39:49 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 24 Feb 2017 13:39:49 +0100 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: Message-ID: Isn't the mailing list also a noisy mess of questions? I've never used Stack Overflow much myself except when it pops up in Google searches. To me it feels like a mailing list, but with the additional extra of being searchable, votes, you can easily link to answers on it and quite important if there's a duplicate question you can just point to the previous answered question. On 24 February 2017 at 13:24, John D. Ament wrote: > Oh? Then my opinion, SO is a noisy mess of questions. I used to use it > regularly, not so much lately. I think you would lose value IMHO moving to > only SO. > > John > > On Fri, Feb 24, 2017 at 7:21 AM Stian Thorgersen > wrote: > >> I think it's reasonable easy to move the volume. We'll just stop >> responding to the user mailing list and direct folks to SO. >> >> I primarily looking for feedback on mailing list vs Stack Overflow at >> this point though. >> >> On 24 February 2017 at 13:15, John D. Ament >> wrote: >> >> Just took a quick look at the SO traffic for keycloak. >> >> It seems like the ML is higher volume than SO. You may want to start by >> adding links to SO tags from keycloak.org and see if it picks up. >> >> My 0.02. 
>> >> On Fri, Feb 24, 2017 at 7:05 AM Stian Thorgersen >> wrote: >> >> We're considering dropping the Keycloak user mailing list and moving to >> Stack Overflow instead. >> >> Thoughts? >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> From rsoares at redhat.com Fri Feb 24 08:08:10 2017 From: rsoares at redhat.com (Rafael T. C. Soares) Date: Fri, 24 Feb 2017 10:08:10 -0300 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: Message-ID: +1 Keycloak will reach a greater audience on SO. ___ Rafael T. C. Soares On 02/24/2017 09:39 AM, Stian Thorgersen wrote: > Isn't the mailing list also a noisy mess of questions? I've never used > Stack Overflow much myself except when it pops up in Google searches. To me > it feels like a mailing list, but with the additional extra of being > searchable, votes, you can easily link to answers on it and quite important > if there's a duplicate question you can just point to the previous answered > question. > > On 24 February 2017 at 13:24, John D. Ament wrote: > >> Oh? Then my opinion, SO is a noisy mess of questions. I used to use it >> regularly, not so much lately. I think you would lose value IMHO moving to >> only SO. >> >> John >> >> On Fri, Feb 24, 2017 at 7:21 AM Stian Thorgersen >> wrote: >> >>> I think it's reasonable easy to move the volume. We'll just stop >>> responding to the user mailing list and direct folks to SO. >>> >>> I primarily looking for feedback on mailing list vs Stack Overflow at >>> this point though. >>> >>> On 24 February 2017 at 13:15, John D. Ament >>> wrote: >>> >>> Just took a quick look at the SO traffic for keycloak. >>> >>> It seems like the ML is higher volume than SO. You may want to start by >>> adding links to SO tags from keycloak.org and see if it picks up. >>> >>> My 0.02. 
>>> >>> On Fri, Feb 24, 2017 at 7:05 AM Stian Thorgersen >>> wrote: >>> >>> We're considering dropping the Keycloak user mailing list and moving to >>> Stack Overflow instead. >>> >>> Thoughts? >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bruno at abstractj.org Fri Feb 24 08:11:17 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 24 Feb 2017 13:11:17 +0000 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: Message-ID: What I think is great about SO, is the fact that people can upvote or downvote questions/answers. Plus, you can count with help of others to review your questions and answers. Which of course makes the discussion more valuable, IMO. On Fri, Feb 24, 2017 at 9:50 AM Stian Thorgersen wrote: > Isn't the mailing list also a noisy mess of questions? I've never used > Stack Overflow much myself except when it pops up in Google searches. To me > it feels like a mailing list, but with the additional extra of being > searchable, votes, you can easily link to answers on it and quite important > if there's a duplicate question you can just point to the previous answered > question. > > On 24 February 2017 at 13:24, John D. Ament > wrote: > > > Oh? Then my opinion, SO is a noisy mess of questions. I used to use it > > regularly, not so much lately. I think you would lose value IMHO moving > to > > only SO. > > > > John > > > > On Fri, Feb 24, 2017 at 7:21 AM Stian Thorgersen > > wrote: > > > >> I think it's reasonable easy to move the volume. We'll just stop > >> responding to the user mailing list and direct folks to SO. 
> >> > >> I'm primarily looking for feedback on mailing list vs Stack Overflow at > >> this point though. > >> > >> On 24 February 2017 at 13:15, John D. Ament > >> wrote: > >> > >> Just took a quick look at the SO traffic for keycloak. > >> > >> It seems like the ML is higher volume than SO. You may want to start by > >> adding links to SO tags from keycloak.org and see if it picks up. > >> > >> My 0.02. > >> > >> On Fri, Feb 24, 2017 at 7:05 AM Stian Thorgersen > >> wrote: > >> > >> We're considering dropping the Keycloak user mailing list and moving to > >> Stack Overflow instead. > >> > >> Thoughts? > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From kevinmarsden88 at gmail.com Fri Feb 24 08:19:58 2017
From: kevinmarsden88 at gmail.com (Kevin Marsden)
Date: Fri, 24 Feb 2017 15:19:58 +0200
Subject: [keycloak-user] Stack Overflow
In-Reply-To: References: Message-ID:

+1

Whilst the keycloak mailing list messages are well indexed on Google, SO is the first port of call for many trying to resolve an issue. I think there is value in the idea.

On Fri, Feb 24, 2017 at 3:08 PM, Rafael T. C. Soares wrote: > +1 > > Keycloak will reach a greater audience on SO. > > ___ > Rafael T. C. Soares > > On 02/24/2017 09:39 AM, Stian Thorgersen wrote: > > Isn't the mailing list also a noisy mess of questions? I've never used > > Stack Overflow much myself except when it pops up in Google searches. To > me > > it feels like a mailing list, but with the additional extra of being > > searchable, votes, you can easily link to answers on it and quite > important > > if there's a duplicate question you can just point to the previous > answered > > question. 
> > > > On 24 February 2017 at 13:24, John D. Ament > wrote: > > > >> Oh? Then my opinion, SO is a noisy mess of questions. I used to use it > >> regularly, not so much lately. I think you would lose value IMHO > moving to > >> only SO. > >> > >> John > >> > >> On Fri, Feb 24, 2017 at 7:21 AM Stian Thorgersen > >> wrote: > >> > >>> I think it's reasonable easy to move the volume. We'll just stop > >>> responding to the user mailing list and direct folks to SO. > >>> > >>> I primarily looking for feedback on mailing list vs Stack Overflow at > >>> this point though. > >>> > >>> On 24 February 2017 at 13:15, John D. Ament > >>> wrote: > >>> > >>> Just took a quick look at the SO traffic for keycloak. > >>> > >>> It seems like the ML is higher volume than SO. You may want to start > by > >>> adding links to SO tags from keycloak.org and see if it picks up. > >>> > >>> My 0.02. > >>> > >>> On Fri, Feb 24, 2017 at 7:05 AM Stian Thorgersen > >>> wrote: > >>> > >>> We're considering dropping the Keycloak user mailing list and moving to > >>> Stack Overflow instead. > >>> > >>> Thoughts? 
> >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >>> > >>> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From thomas.darimont at googlemail.com Fri Feb 24 08:23:58 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 24 Feb 2017 14:23:58 +0100
Subject: [keycloak-user] Restrict access to a client to a subset of Keycloak users
In-Reply-To: References: <472c5e00-d917-1a98-7f3b-91a6429a2f56@redhat.com> Message-ID:

PR sent: https://issues.jboss.org/browse/KEYCLOAK-4505

With that PR applied I can do the following:

    /*
     * Template for JavaScript based authenticators.
     * See org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticatorFactory
     */

    // import enum for error lookup
    AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
    OAuth2ErrorRepresentation = Java.type("org.keycloak.representations.idm.OAuth2ErrorRepresentation");
    Response = Java.type("javax.ws.rs.core.Response");
    MediaType = Java.type("javax.ws.rs.core.MediaType");

    /**
     * An example authenticate function.
     *
     * The following variables are available for convenience:
     *   user          - current user {@see org.keycloak.models.UserModel}
     *   realm         - current realm {@see org.keycloak.models.RealmModel}
     *   session       - current KeycloakSession {@see org.keycloak.models.KeycloakSession}
     *   clientSession - current client session {@see org.keycloak.models.ClientSessionModel}
     *   httpRequest   - current HttpRequest {@see org.jboss.resteasy.spi.HttpRequest}
     *   script        - current script {@see org.keycloak.models.ScriptModel}
     *   LOG           - current logger {@see org.jboss.logging.Logger}
     *
     * You can extract current http request headers via:
     *   httpRequest.getHttpHeaders().getHeaderString("Forwarded")
     *
     * @param context {@see org.keycloak.authentication.AuthenticationFlowContext}
     */
    function authenticate(context) {

        var username = user ? user.username : "anonymous";
        LOG.info(script.name + " trace auth for: " + username);
        LOG.info(script.name + " client session for client: " + clientSession.client.clientId);

        var groups = user.getGroups();
        var group_array = groups.toArray();
        var authShouldFail = true;

        // allow the login only if the user is a member of the required group
        for (var i in group_array) {
            var gn = group_array[i].getName();
            LOG.info(script.name + " group name: " + gn);
            if (gn === "account-access") {
                authShouldFail = false;
                break;
            }
        }

        if (authShouldFail //&& clientSession.client.clientId === "dummy-account"
        ) {
            // return a proper OAuth2 error body instead of letting the flow blow up with a 500
            var errorRep = new OAuth2ErrorRepresentation("invalid_grant", "invalid_user_credentials");
            var response = Response.status(401).entity(errorRep).type(MediaType.APPLICATION_JSON_TYPE).build();
            LOG.info(script.name + " failed auth for: " + username);
            context.failure(AuthenticationFlowError.INVALID_USER, response);
            return;
        }

        context.success();
    }

2017-02-24 12:19 GMT+01:00 Thomas Darimont : > FYI I just gave this a spin... > > It seems that the ScriptAuthenticator currently has no binding for > clientSession in order to access the client id for authentication, > e.g. 
this is missing in ScriptBasedAuthenticator > bindings.put("clientSession", context.getClientSession()); > > I'll send a PR which adds that binding. This will then enable to provide > client specific authentication behaviour. > > Chreers, > Thomas > > 2017-02-24 11:33 GMT+01:00 Shane Boulden : > >> I got this working today with a custom auth flow, thanks heaps! >> >> Just one thing - I've copied the 'Direct Grant Flow', and added a JS >> script at the end to only allow certain groups to authenticate using the >> OpenShift 'oc login' command from a prompt. >> >> This works allowing/denying access based on a group, however when a user >> does not belong to the correct group, the oc login prompt displays the >> following error: >> >> "Error from server: Internal error: unexpected error: 500" >> >> Here's the code I used for my JS script: >> >> function authenticate(context){ >> var groups = user.getGroups(); >> var group_array = groups.toArray(); >> >> for (var i in group_array) { >> var gn = group_array[i].getName(); >> >> if (gn === "openshift-access") { >> context.success(); >> return; >> } >> } >> context.failure(authenticationflowerror.INVALID_USER) >> return; >> } >> >> I thought this may be because the OpenShift CLI tool can't interpret the >> error message back from Keycloak. 
I've also tried the following, but I get >> a "ClassNotFound" exception when I try to import the OAuth2 error >> representation: >> >> Authenticationflowerror = Java.type("org.keycloak.authen >> tication.AuthenticationFlowError"); >> // Throws 'ClassNotFoundException >> Oauth2 = Java.type("org.keycloak.representations.idm.OAuth2ErrorRepre >> sentation"); >> Response = Java.type("javax.ws.rs.core.Response"); >> MediaType = Java.Type("javax.ws.rs.core.MediaType"); >> >> function authenticate(context) { >> var groups = user.getGroups(); >> var group_array = groups.toArray(); >> >> for (var i in group_array) { >> var gn = group_array[i].getName(); >> >> if (gn === "openshift-access") { >> context.success(); >> return; >> } >> } >> var errorRep = new Oauth2("invalid_grant","invalid_user_credentials"); >> response = Response.status(401).type(MediaType.APPLICATION_JSON_TYPE).b >> uild(); >> >> context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, response); >> return; >> } >> >> Any ideas or assistance is appreciated. >> >> Shane >> >> On Fri, Feb 24, 2017 at 5:16 AM, Shane Boulden >> wrote: >> >>> Thanks very much Marek and Thomas for taking the time to get back to me. >>> >>> I've found an example of a JS authenticator here: >>> http://www.lookatsrc.com/source/scripts/authenticator-templ >>> ate.js?a=org.keycloak:keycloak-services >>> >>> Is this how I would build the custom authenticator, and extend it to >>> check the user roles and clientID? >>> >>> Thanks >>> >>> Shane >>> >>> On 24 Feb. 2017 01:25, "Thomas Darimont" >>> wrote: >>> >>>> Hello Shane, >>>> >>>> you could try to do that with the Javascript based Authenticator. >>>> >>>> Cheers, >>>> Thomas >>>> >>>> 2017-02-23 14:07 GMT+01:00 Marek Posolda : >>>> >>>>> I can think of some workarounds. Like for example, create an >>>>> Authenticator, which will be added to the bottom of the authentication >>>>> flow. 
Authenticator will throw an exception in case that unpermitted >>>>> user is trying to authenticate to the client corresponding to your >>>>> openshift application. You have the user available (he is already >>>>> authenticated) and you have also the client (can be determined based on >>>>> clientId). >>>>> >>>>> Maybe even easier is to do that in custom RequiredActionProvider and do >>>>> this check in "evaluateTriggers". >>>>> >>>>> This is workaround as it mixes authentication and authorization (among >>>>> other issues). But hopefully it can suit your needs. >>>>> >>>>> Marek >>>>> >>>>> On 23/02/17 07:19, Shane Boulden wrote: >>>>> > Hi everyone, >>>>> > >>>>> > I'm trying to figure out a fairly straight-forward problem set - >>>>> > >>>>> > - I have a number of users in a Keycloak database, federated >>>>> from an >>>>> > LDAP provider with a READ_ONLY policy (ie; I can't "disable" the >>>>> users) >>>>> > - I want to limit access to a client to only certain Keycloak >>>>> users >>>>> > >>>>> > I thought this would be possible with a role that is shared by the >>>>> client >>>>> > and the user. However, it looks like Keycloak lets the application >>>>> itself >>>>> > determine access via a role: http://lists.jboss.org/ >>>>> > pipermail/keycloak-user/2014-November/001205.html >>>>> > >>>>> > But what if I can't update the application's behaviour? Eg; if I >>>>> want to >>>>> > integrate Keycloak with OpenShift, and OpenShift doesn't consume any >>>>> > information from the OIDC provider? >>>>> > >>>>> > In this particular example, I don't want to limit the users in the >>>>> Keycloak >>>>> > database - I want to sync all users from LDAP, but limit application >>>>> access >>>>> > to only a subset. >>>>> > >>>>> > Any assistance is greatly appreciated. 
>>>>> > >>>>> > Shane >>>>> > _______________________________________________ >>>>> > keycloak-user mailing list >>>>> > keycloak-user at lists.jboss.org >>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >> > From john.d.ament at gmail.com Fri Feb 24 08:49:54 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Fri, 24 Feb 2017 13:49:54 +0000 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: Message-ID: The difference is that its every question. In addition to SO, would we also look at SF for the infrastructure/deployment side? What about having questions on security.stackexchange since this is a very security oriented project? To be honest, my dislike for it is not the "let's use stackoverflow" its the "let's drop the mailing lists" part. Anyways, I just posted a question on SO. I'll look to see if it gets answered ;-) John On Fri, Feb 24, 2017 at 7:39 AM Stian Thorgersen wrote: > Isn't the mailing list also a noisy mess of questions? I've never used > Stack Overflow much myself except when it pops up in Google searches. To me > it feels like a mailing list, but with the additional extra of being > searchable, votes, you can easily link to answers on it and quite important > if there's a duplicate question you can just point to the previous answered > question. > > On 24 February 2017 at 13:24, John D. Ament > wrote: > > Oh? Then my opinion, SO is a noisy mess of questions. I used to use it > regularly, not so much lately. I think you would lose value IMHO moving to > only SO. > > John > > On Fri, Feb 24, 2017 at 7:21 AM Stian Thorgersen > wrote: > > I think it's reasonable easy to move the volume. We'll just stop > responding to the user mailing list and direct folks to SO. 
> > I primarily looking for feedback on mailing list vs Stack Overflow at this > point though. > > On 24 February 2017 at 13:15, John D. Ament > wrote: > > Just took a quick look at the SO traffic for keycloak. > > It seems like the ML is higher volume than SO. You may want to start by > adding links to SO tags from keycloak.org and see if it picks up. > > My 0.02. > > On Fri, Feb 24, 2017 at 7:05 AM Stian Thorgersen > wrote: > > We're considering dropping the Keycloak user mailing list and moving to > Stack Overflow instead. > > Thoughts? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From pnalyvayko at agi.com Fri Feb 24 09:03:37 2017 From: pnalyvayko at agi.com (Nalyvayko, Peter) Date: Fri, 24 Feb 2017 14:03:37 +0000 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: , Message-ID: -1 I actually never use SO for keycloak related questions. SO is just not as convenient for me compared to the mailing list. ________________________________________ From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Kevin Marsden [kevinmarsden88 at gmail.com] Sent: Friday, February 24, 2017 8:19 AM To: rsoares at redhat.com Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Stack Overflow +1 Whilst the keycloak mailing list messages are well indexed on Google,SO is the first port of call for many trying to resolve an issue. I think there is value in the idea. On Fri, Feb 24, 2017 at 3:08 PM, Rafael T. C. Soares wrote: > +1 > > Keycloak will reach a greater audience on SO. > > ___ > Rafael T. C. Soares > > On 02/24/2017 09:39 AM, Stian Thorgersen wrote: > > Isn't the mailing list also a noisy mess of questions? I've never used > > Stack Overflow much myself except when it pops up in Google searches. 
>> To me
>> it feels like a mailing list, but with the additional extra of being
>> searchable, votes, you can easily link to answers on it and quite important
>> if there's a duplicate question you can just point to the previous answered
>> question.

From thomas.raehalme at aitiofinland.com Fri Feb 24 09:05:39 2017
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Fri, 24 Feb 2017 16:05:39 +0200
Subject: [keycloak-user] Stack Overflow
In-Reply-To:
References:
Message-ID:

Seems to me that many projects have made similar decisions recently so I
doubt it's totally a bad decision :-)

That being said, however, I like the fact that with the mailing list I can
keep an eye on Keycloak, see what kind of problems users are encountering
or use cases they are trying to solve, and sort of collect information for
future reference.

Maybe you can do that (or similar) with SO as well. Other than reading
Google results I haven't been that active on SO.

Best regards,
Thomas

On Fri, Feb 24, 2017 at 3:49 PM, John D. Ament wrote:

> The difference is that it's every question. In addition to SO, would we
> also look at SF for the infrastructure/deployment side? What about having
> questions on security.stackexchange since this is a very security oriented
> project?
>
> To be honest, my dislike for it is not the "let's use stackoverflow" it's
> the "let's drop the mailing lists" part.
>
> Anyways, I just posted a question on SO. I'll look to see if it gets
> answered ;-)
>
> John

From bburke at redhat.com Fri Feb 24 09:09:38 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 24 Feb 2017 09:09:38 -0500
Subject: [keycloak-user] IDP Initiated Login
In-Reply-To:
References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com> <7f44feef-5d12-0ecb-d284-8d972fb280a2@redhat.com> <370c8c63-b947-51c3-c703-b3e8ce45d71a@redhat.com>
Message-ID: <54afdb30-4d34-2710-1727-5947facc2ba1@redhat.com>

On 2/23/17 9:14 PM, John D. Ament wrote:
> After I sent this email, it dawned on me what #4 was. I was able to
> get IDP initiated working. Here's what my setup looks like. So I'm
> interested, is this correct, is this too much?
>
> - Create an IDP for Okta.
>
> - App Client:
>   - This represents the real application, receiving the final assertion.
>   - Client Protocol: SAML
>   - IDP Initiated SSO Name: some-value
>   - Assertion Consumer Service POST Binding URL:
>     http://myapp/saml (the /saml comes from the wildfly SAML adapter)
>
> Within Okta, I'm entering a URL like this:
>
> http://mykeycloak/auth/realms/<realm>/broker/<alias>/endpoint/clients/<some-value>
>
> Where:
>
> realm: your realm, e.g. tenant1 in my case
> alias: the value of the "alias" field from your IDP
> some-value: the IDP Initiated SSO Name value from above
>
> After doing this, I'm able to confirm that the principal is coming
> from Keycloak properly. I'm assuming based on this, I can only do
> this via the SAML adapter, not the OIDC connector.
>
Correct, no OIDC. Reason? It's the OAuth protocol. OAuth only allows the
client to initiate authentication.
Bill

From roger.turnau at pwc.com Fri Feb 24 09:29:48 2017
From: roger.turnau at pwc.com (Roger Turnau (US - Advisory))
Date: Fri, 24 Feb 2017 09:29:48 -0500
Subject: [keycloak-user] Stack Overflow
In-Reply-To:
References:
Message-ID:

I like the idea in theory. In practice, SO has morphed over the years from a
welcoming technical community into a wretched hive of overweening mod
tyranny. I dread having to ask a question there these days, because
everyone, it seems, sees that as an opportunity to get nasty. It is far
easier to search for answers to questions on SO than it is here, but this
list is far more welcoming to newcomers.

My regret, I guess, is that both can't be equally active.

Roger

On Fri, Feb 24, 2017 at 9:05 AM, Thomas Raehalme <thomas.raehalme at aitiofinland.com> wrote:

> Seems to me that many projects have made similar decisions recently so I
> doubt it's totally a bad decision :-)
>
> That being said, however, I like the fact that with the mailing list I can
> keep an eye on Keycloak, see what kind of problems users are encountering
> or use cases they are trying to solve, and sort of collect information for
> future reference.
>
> Maybe you can do that (or similar) with SO as well. Other than reading
> Google results I haven't been that active on SO.
>
> Best regards,
> Thomas
>
> On Fri, Feb 24, 2017 at 3:49 PM, John D. Ament wrote:
>
>> The difference is that it's every question. In addition to SO, would we
>> also look at SF for the infrastructure/deployment side? What about having
>> questions on security.stackexchange since this is a very security oriented
>> project?
>>
>> To be honest, my dislike for it is not the "let's use stackoverflow" it's
>> the "let's drop the mailing lists" part.
>>
>> Anyways, I just posted a question on SO. I'll look to see if it gets
>> answered ;-)
>>
>> John
>>
>> On Fri, Feb 24, 2017 at 7:39 AM Stian Thorgersen wrote:
>>
>>> Isn't the mailing list also a noisy mess of questions? I've never used
>>> Stack Overflow much myself except when it pops up in Google searches. To me
>>> it feels like a mailing list, but with the additional extra of being
>>> searchable, votes, you can easily link to answers on it and quite important
>>> if there's a duplicate question you can just point to the previous answered
>>> question.
--
Roger Turnau
PwC | Manager - Advisory Financial Services
Mobile: 850-228-2006
Email: roger.turnau at pwc.com
PricewaterhouseCoopers LLP
50 North Laura Street, Suite 3000, Jacksonville FL 32202
http://www.pwc.com/us

From martin.hardselius at gmail.com Fri Feb 24 09:36:32 2017
From: martin.hardselius at gmail.com (Martin Hardselius)
Date: Fri, 24 Feb 2017 14:36:32 +0000
Subject: [keycloak-user] SAML2.0 Identity Provider modify authn context / extensions
In-Reply-To:
References:
Message-ID:

FYI to anyone else doing stuff related to this.
I also needed to add custom authn context class references and ended up
re-implementing the SAML2AuthnRequestBuilder. Basically copy-pasting the
old one and adding the methods required to add stuff to the
RequestedAuthnContextType.

Martin

On Fri, 24 Feb 2017 at 08:43 Martin Hardselius wrote:

> Got it, thanks!
>
> On Fri, 24 Feb 2017 at 08:30 Hynek Mlnarik wrote:
>
>> The latter, you need to extend SAMLIdentityProvider. I'd suggest adding
>> extensions to the AuthnRequest via SAML2AuthnRequestBuilder.addExtension()
>> method rather than supplying query params for the sake of simplicity.
>>
>> --Hynek
>>
>> On 02/23/2017 05:17 PM, Martin Hardselius wrote:
>>> Hi,
>>>
>>> Is there an easy way to add stuff to the authn context or add extensions to
>>> the AuthN request? Or even add query parameters to the destination url?
>>>
>>> Context:
>>>
>>> The SAML2.0 Provider I'm integrating with supports several auth methods.
>>> Usually you would end up on a method select page, where the options are
>>> presented to you, once you've been forwarded to the IDP. They do however
>>> support selecting an option directly by modifying the authncontext. They
>>> also support prefilling information by adding extensions to the authn
>>> request or supplying it through query params. Kind of like "login
>>> hint".
>>>
>>> So. Easy way, or do I have to extend SAMLIdentityProvider?
>>>
>>> Martin

From bburke at redhat.com Fri Feb 24 10:12:10 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 24 Feb 2017 10:12:10 -0500
Subject: [keycloak-user] Stack Overflow
In-Reply-To:
References:
Message-ID: <0bdf4336-a4ef-d2e1-13e6-0d9b51da8dd4@redhat.com>

Who is this "We" you talk of? Don't you mean "You"? If I have a veto,
I veto this move. I hate forums for multiple reasons.
I will boycott Stack Overflow and you will not see me answering any user
questions there.

Not only that, what happens when/if Stack Overflow starts showing
targeted advertisements based on the thread? This used to be a huge
problem with SourceForge. Advertisements for Websphere started popping
up on the JBoss download screens as well as the JBoss user and dev email
lists.

On 2/24/17 7:04 AM, Stian Thorgersen wrote:
> We're considering dropping the Keycloak user mailing list and moving to
> Stack Overflow instead.
>
> Thoughts?

From salvatore.incandela at redhat.com Fri Feb 24 10:36:40 2017
From: salvatore.incandela at redhat.com (Salvatore Incandela)
Date: Fri, 24 Feb 2017 16:36:40 +0100
Subject: [keycloak-user] [Keycloak][Get identity provides roles]
In-Reply-To:
References:
Message-ID:

Hi guys, I've done several tries but I'm still having the same question: is
it possible to populate user roles given by an identity provider (another
keycloak instance), getting those from the json claim?

On Thu, Feb 23, 2017 at 5:56 PM, Salvatore Incandela <salvatore.incandela at redhat.com> wrote:

> Hi guys, is it possible to populate user roles given by an identity provider
> (another keycloak instance), getting those from the json claim?
>
> --
> Salvatore Incandela
> Middleware Consultant
> Red Hat - www.redhat.com

--
Salvatore Incandela
Middleware Consultant
------------------------------
Red Hat - www.redhat.com
Via Andrea Doria 41M
00192 Roma (Italy)
Mobile +39 349 6196615
Fax +39 06 39728535
E-mail salvatore.incandela at redhat.com

From bburke at redhat.com Fri Feb 24 10:55:41 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 24 Feb 2017 10:55:41 -0500
Subject: [keycloak-user] [Keycloak][Get identity provides roles]
In-Reply-To:
References:
Message-ID:

You mean you are doing identity brokering with a parent keycloak
instance? Look at Mappers. There are "Claim to Role" and "External
Role To Role" mappers. The tooltips will explain what they do. What
you have to do is map claims from the external IDP into user attributes
and role mappings for the user imported into your Keycloak instance.
Then you map from the common user model to the token claims you want
generated for your application. Hope that makes sense.

On 2/24/17 10:36 AM, Salvatore Incandela wrote:
> Hi guys, I've done several tries but I'm still having the same question: is
> it possible to populate user roles given by an identity provider (another
> keycloak instance), getting those from the json claim?
>
> On Thu, Feb 23, 2017 at 5:56 PM, Salvatore Incandela <salvatore.incandela at redhat.com> wrote:
>
>> Hi guys, is it possible to populate user roles given by an identity provider
>> (another keycloak instance), getting those from the json claim?
>>
>> --
>> Salvatore Incandela
>> Middleware Consultant
>> Red Hat - www.redhat.com

From bburke at redhat.com Fri Feb 24 10:57:03 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 24 Feb 2017 10:57:03 -0500
Subject: [keycloak-user] SAML2.0 Identity Provider modify authn context / extensions
In-Reply-To:
References:
Message-ID: <0f3b6ad0-661f-93cd-511f-85fa0e9c2d82@redhat.com>

If you can come up with something that is usable by others we'd love a PR.
Documentation and testing would be an important part of this.

On 2/24/17 9:36 AM, Martin Hardselius wrote:
> FYI to anyone else doing stuff related to this.
>
> I also needed to add custom authn context class references and ended up
> re-implementing the SAML2AuthnRequestBuilder. Basically copy-pasting the
> old one and adding the methods required to add stuff to the
> RequestedAuthnContextType.
>
> Martin
>
> On Fri, 24 Feb 2017 at 08:43 Martin Hardselius wrote:
>
>> Got it, thanks!
>>
>> On Fri, 24 Feb 2017 at 08:30 Hynek Mlnarik wrote:
>>
>>> The latter, you need to extend SAMLIdentityProvider. I'd suggest adding
>>> extensions to the AuthnRequest via SAML2AuthnRequestBuilder.addExtension()
>>> method rather than supplying query params for the sake of simplicity.
>>>
>>> --Hynek
>>>
>>> On 02/23/2017 05:17 PM, Martin Hardselius wrote:
>>>> Hi,
>>>>
>>>> Is there an easy way to add stuff to the authn context or add extensions to
>>>> the AuthN request? Or even add query parameters to the destination url?
>>>>
>>>> Context:
>>>>
>>>> The SAML2.0 Provider I'm integrating with supports several auth methods.
>>>> Usually you would end up on a method select page, where the options are
>>>> presented to you, once you've been forwarded to the IDP. They do however
>>>> support selecting an option directly by modifying the authncontext. They
>>>> also support prefilling information by adding extensions to the authn
>>>> request or supplying it through query params. Kind of like "login
>>>> hint".
>>>>
>>>> So. Easy way, or do I have to extend SAMLIdentityProvider?
>>>>
>>>> Martin

From hmlnarik at redhat.com Fri Feb 24 12:06:20 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 24 Feb 2017 18:06:20 +0100
Subject: [keycloak-user] Stack Overflow
In-Reply-To: <0bdf4336-a4ef-d2e1-13e6-0d9b51da8dd4@redhat.com>
References: <0bdf4336-a4ef-d2e1-13e6-0d9b51da8dd4@redhat.com>
Message-ID:

I prefer a good knowledge-base system over a mailing list for being easier
to search for already answered questions, and for having means to track
user interest e.g. by up/downvoting questions and the answers. SO is one
example of a KB system which does its job well and has an established
position in the community. The risk is not owning the data - and the
possibility of advertising a competing product is a relevant point. Are
there any other drawbacks?

--Hynek

On Fri, Feb 24, 2017 at 4:12 PM, Bill Burke wrote:
> Who is this "We" you talk of? Don't you mean "You"? If I have a veto,
> I veto this move. I hate forums for multiple reasons. I will boycott
> Stack Overflow and you will not see me answering any user questions there.
>
> Not only that, what happens when/if Stack Overflow starts showing
> targeted advertisements based on the thread? This used to be a huge
> problem with SourceForge.
> Advertisements for Websphere started popping
> up on the JBoss download screens as well as the JBoss user and dev email
> lists.
>
> On 2/24/17 7:04 AM, Stian Thorgersen wrote:
>> We're considering dropping the Keycloak user mailing list and moving to
>> Stack Overflow instead.
>>
>> Thoughts?

--
--Hynek

From salvatore.incandela at redhat.com Fri Feb 24 12:49:43 2017
From: salvatore.incandela at redhat.com (Salvatore Incandela)
Date: Fri, 24 Feb 2017 18:49:43 +0100
Subject: [keycloak-user] [Keycloak][Get identity provides roles]
In-Reply-To:
References:
Message-ID:

Yes, in my case I have:

*Keycloak A*
Shows the Login Form with the Usr and Pwd fields and the IDP button. When I
authenticate with the IDP I want to import the user roles from Keycloak B.
Here is my configuration:

*Identity Provider Mappers*
*Mapper Type=Attribute Importer*
*Claim=hd_role*
*User Attribute Name=roles*

*Keycloak B*
gives the "full_access_role" to the user:

Client Mapper
Mapper Type=Hardcoded Role
name=hd_role
Role=full_access_role

This configuration doesn't work. How do I have to configure Keycloak A in
order to import the roles from Keycloak B into the database?

On Fri, Feb 24, 2017 at 4:55 PM, Bill Burke wrote:

> You mean you are doing identity brokering with a parent keycloak
> instance? Look at Mappers. There are "Claim to Role" and "External
> Role To Role" mappers. The tooltips will explain what they do. What
> you have to do is map claims from the external IDP into user attributes
> and role mappings for the user imported into your Keycloak instance.
> Then you map from the common user model to the token claims you want
> generated for your application. Hope that makes sense.
>
> On 2/24/17 10:36 AM, Salvatore Incandela wrote:
>> Hi guys, I've done several tries but I'm still having the same question: is
>> it possible to populate user roles given by an identity provider (another
>> keycloak instance), getting those from the json claim?

--
Salvatore Incandela
Middleware Consultant
------------------------------
Red Hat - www.redhat.com
Via Andrea Doria 41M
00192 Roma (Italy)
Mobile +39 349 6196615
Fax +39 06 39728535
E-mail salvatore.incandela at redhat.com

From bburke at redhat.com Fri Feb 24 13:57:17 2017
From: bburke at redhat.com (Bill Burke)
Date: Fri, 24 Feb 2017 13:57:17 -0500
Subject: [keycloak-user] Stack Overflow
In-Reply-To:
References: <0bdf4336-a4ef-d2e1-13e6-0d9b51da8dd4@redhat.com>
Message-ID:

On 2/24/17 12:06 PM, Hynek Mlnarik wrote:
> I prefer a good knowledge-base system over a mailing list for being
> easier to search for already answered questions,

Our search page on keycloak.org does a good enough targeted search.

> and for having means
> to track user interest e.g. by up/downvoting questions and the
> answers.
> SO is one example of KB system which does its job well and
> has established position in the community. The risk is not owning the
> data - and a possibility of advertising a concurrent product is a
> relevant point. Are there any other drawbacks?

Often slow render times, can't browse/respond offline, don't want to have to work through a browser for everything, prefer unified view of all my notifications in one place (my email client). I prefer less UIs I have to work with on a daily basis, not more. I will forget to go to SO if I don't turn on notifications. It will annoy the hell out of me to switch contexts between email and SO if I do turn on notifications. Prefer a simple text interface. I don't want to see advertisements. I don't want to get notified about jobs. I don't want recruiters calling me if they data mine me on SO. Is that enough?

I'm serious. I will never ever answer any questions on SO. I stopped answering questions when JBoss moved from a user mail list to forums, I will do the same if it happens for Keycloak.

Bill

From Dana.Danet at Evisions.com Fri Feb 24 14:07:00 2017
From: Dana.Danet at Evisions.com (Dana Danet)
Date: Fri, 24 Feb 2017 19:07:00 +0000
Subject: [keycloak-user] Stack Overflow
References: <0bdf4336-a4ef-d2e1-13e6-0d9b51da8dd4@redhat.com>

Has anyone considered a Gitter channel? I've found great community support with other frameworks.

Please excuse any typos, this was sent from my iPhone.

From shane.boulden at gmail.com Fri Feb 24 16:47:32 2017
From: shane.boulden at gmail.com (Shane Boulden)
Date: Sat, 25 Feb 2017 08:47:32 +1100
Subject: [keycloak-user] Restrict access to a client to a subset of Keycloak users
References: <472c5e00-d917-1a98-7f3b-91a6429a2f56@redhat.com>

Awesome, thanks Thomas!

Do you have any suggestions on my 'ClassNotFoundException' for org.keycloak.representations.idm.OAuth2ErrorRepresentation? This is on 2.5.1.

Oauth2 = Java.type("org.keycloak.representations.idm.OAuth2ErrorRepresentation");

Shane

On Sat, Feb 25, 2017 at 12:23 AM, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
> PR sent: https://issues.jboss.org/browse/KEYCLOAK-4505
>
> With that PR applied I can do the following:
>
> /*
>  * Template for JavaScript based authenticator's.
>  * See org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticatorFactory
>  */
>
> // import enum for error lookup
> AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
> OAuth2ErrorRepresentation = Java.type("org.keycloak.representations.idm.OAuth2ErrorRepresentation");
> Response = Java.type("javax.ws.rs.core.Response");
> MediaType = Java.type("javax.ws.rs.core.MediaType");
>
> /**
>  * An example authenticate function.
>  *
>  * The following variables are available for convenience:
>  * user - current user {@see org.keycloak.models.UserModel}
>  * realm - current realm {@see org.keycloak.models.RealmModel}
>  * session - current KeycloakSession {@see org.keycloak.models.KeycloakSession}
>  * clientSession - current client session {@see org.keycloak.models.ClientSessionModel}
>  * httpRequest - current HttpRequest {@see org.jboss.resteasy.spi.HttpRequest}
>  * script - current script {@see org.keycloak.models.ScriptModel}
>  * LOG - current logger {@see org.jboss.logging.Logger}
>  * You can extract current http request headers via:
>  * httpRequest.getHttpHeaders().getHeaderString("Forwarded")
>  *
>  * @param context {@see org.keycloak.authentication.AuthenticationFlowContext}
>  */
> function authenticate(context) {
>
>     var username = user ?
>         user.username : "anonymous";
>     LOG.info(script.name + " trace auth for: " + username);
>     LOG.info(script.name + " client session for client: " + clientSession.client.clientId);
>
>     var groups = user.getGroups();
>     var group_array = groups.toArray();
>
>     // deny by default; allow only if the user is a member of the required group
>     var authShouldFail = true;
>     for (var i in group_array) {
>         var gn = group_array[i].getName();
>         LOG.info(script.name + " group name: " + gn);
>         if (gn === "account-access") {
>             authShouldFail = false;
>             break;
>         }
>     }
>
>     if (authShouldFail
>         //&& clientSession.client.clientId === "dummy-account"
>     ) {
>
>         var errorRep = new OAuth2ErrorRepresentation("invalid_grant", "invalid_user_credentials");
>         var response = Response.status(401).entity(errorRep).type(MediaType.APPLICATION_JSON_TYPE).build();
>
>         LOG.info(script.name + " failed auth for: " + username);
>         context.failure(AuthenticationFlowError.INVALID_USER, response);
>         return;
>     }
>
>     context.success();
> }
>
> 2017-02-24 12:19 GMT+01:00 Thomas Darimont:
>
>> FYI I just gave this a spin...
>>
>> It seems that the ScriptAuthenticator currently has no binding for
>> clientSession in order to access the client id for authentication,
>> e.g. this is missing in ScriptBasedAuthenticator
>> bindings.put("clientSession", context.getClientSession());
>>
>> I'll send a PR which adds that binding. This will then enable to provide
>> client specific authentication behaviour.
>>
>> Cheers,
>> Thomas
>>
>> 2017-02-24 11:33 GMT+01:00 Shane Boulden:
>>
>>> I got this working today with a custom auth flow, thanks heaps!
>>>
>>> Just one thing - I've copied the 'Direct Grant Flow', and added a JS
>>> script at the end to only allow certain groups to authenticate using the
>>> OpenShift 'oc login' command from a prompt.
>>>
>>> This works allowing/denying access based on a group, however when a user
>>> does not belong to the correct group, the oc login prompt displays the
>>> following error:
>>>
>>> "Error from server: Internal error: unexpected error: 500"
>>>
>>> Here's the code I used for my JS script:
>>>
>>> function authenticate(context){
>>>     var groups = user.getGroups();
>>>     var group_array = groups.toArray();
>>>
>>>     for (var i in group_array) {
>>>         var gn = group_array[i].getName();
>>>
>>>         if (gn === "openshift-access") {
>>>             context.success();
>>>             return;
>>>         }
>>>     }
>>>     context.failure(authenticationflowerror.INVALID_USER)
>>>     return;
>>> }
>>>
>>> I thought this may be because the OpenShift CLI tool can't interpret the
>>> error message back from Keycloak. I've also tried the following, but I get
>>> a "ClassNotFound" exception when I try to import the OAuth2 error
>>> representation:
>>>
>>> Authenticationflowerror = Java.type("org.keycloak.authentication.AuthenticationFlowError");
>>> // Throws 'ClassNotFoundException
>>> Oauth2 = Java.type("org.keycloak.representations.idm.OAuth2ErrorRepresentation");
>>> Response = Java.type("javax.ws.rs.core.Response");
>>> MediaType = Java.Type("javax.ws.rs.core.MediaType");
>>>
>>> function authenticate(context) {
>>>     var groups = user.getGroups();
>>>     var group_array = groups.toArray();
>>>
>>>     for (var i in group_array) {
>>>         var gn = group_array[i].getName();
>>>
>>>         if (gn === "openshift-access") {
>>>             context.success();
>>>             return;
>>>         }
>>>     }
>>>     var errorRep = new Oauth2("invalid_grant","invalid_user_credentials");
>>>     response = Response.status(401).type(MediaType.APPLICATION_JSON_TYPE).build();
>>>
>>>     context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, response);
>>>     return;
>>> }
>>>
>>> Any ideas or assistance is appreciated.
>>>
>>> Shane
>>>
>>> On Fri, Feb 24, 2017 at 5:16 AM, Shane Boulden wrote:
>>>
>>>> Thanks very much Marek and Thomas for taking the time to get back to me.
>>>>
>>>> I've found an example of a JS authenticator here:
>>>> http://www.lookatsrc.com/source/scripts/authenticator-template.js?a=org.keycloak:keycloak-services
>>>>
>>>> Is this how I would build the custom authenticator, and extend it to
>>>> check the user roles and clientID?
>>>>
>>>> Thanks
>>>>
>>>> Shane
>>>>
>>>> On 24 Feb. 2017 01:25, "Thomas Darimont" wrote:
>>>>
>>>>> Hello Shane,
>>>>>
>>>>> you could try to do that with the Javascript based Authenticator.
>>>>>
>>>>> Cheers,
>>>>> Thomas
>>>>>
>>>>> 2017-02-23 14:07 GMT+01:00 Marek Posolda:
>>>>>
>>>>>> I can think of some workarounds. Like for example, create an
>>>>>> Authenticator, which will be added to the bottom of the authentication
>>>>>> flow. Authenticator will throw an exception in case that unpermitted
>>>>>> user is trying to authenticate to the client corresponding to your
>>>>>> openshift application. You have the user available (he is already
>>>>>> authenticated) and you have also the client (can be determined based on
>>>>>> clientId).
>>>>>>
>>>>>> Maybe even easier is to do that in custom RequiredActionProvider and do
>>>>>> this check in "evaluateTriggers".
>>>>>>
>>>>>> This is workaround as it mixes authentication and authorization (among
>>>>>> other issues). But hopefully it can suit your needs.
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>> On 23/02/17 07:19, Shane Boulden wrote:
>>>>>>> Hi everyone,
>>>>>>>
>>>>>>> I'm trying to figure out a fairly straight-forward problem set -
>>>>>>>
>>>>>>> - I have a number of users in a Keycloak database, federated from an
>>>>>>>   LDAP provider with a READ_ONLY policy (ie; I can't "disable" the users)
>>>>>>> - I want to limit access to a client to only certain Keycloak users
>>>>>>>
>>>>>>> I thought this would be possible with a role that is shared by the client
>>>>>>> and the user.
>>>>>>> However, it looks like Keycloak lets the application itself
>>>>>>> determine access via a role:
>>>>>>> http://lists.jboss.org/pipermail/keycloak-user/2014-November/001205.html
>>>>>>>
>>>>>>> But what if I can't update the application's behaviour? Eg; if I want to
>>>>>>> integrate Keycloak with OpenShift, and OpenShift doesn't consume any
>>>>>>> information from the OIDC provider?
>>>>>>>
>>>>>>> In this particular example, I don't want to limit the users in the Keycloak
>>>>>>> database - I want to sync all users from LDAP, but limit application access
>>>>>>> to only a subset.
>>>>>>>
>>>>>>> Any assistance is greatly appreciated.
>>>>>>>
>>>>>>> Shane

From amaeztu at tesicnor.com Fri Feb 24 17:29:03 2017
From: amaeztu at tesicnor.com (Amaeztu)
Date: Fri, 24 Feb 2017 23:29:03 +0100
Subject: [keycloak-user] Stack Overflow
References: <0bdf4336-a4ef-d2e1-13e6-0d9b51da8dd4@redhat.com>

+1 for stackoverflow IMHO. Unarguably there are some downsides, but commodity pays.

From JMajors at gohealth.com Fri Feb 24 20:20:49 2017
From: JMajors at gohealth.com (Jeremy Majors)
Date: Sat, 25 Feb 2017 01:20:49 +0000
Subject: [keycloak-user] 'Service Accounts Enabled' Client Setting Not Honored During Import
In-Reply-To: <1487896102507.97673@gohealth.com>
References: <1487896102507.97673@gohealth.com>
Message-ID: <1487985649581.83472@gohealth.com>

In order to have repeatable deployments of my company's keycloak instances I'm trying to use the import feature of keycloak to ensure that the clients are set up the same way in each environment.

I have noticed that when I import a client, as opposed to the realm, the 'Authorization Enabled' flag is not set to true even if I have set it to true in the JSON that I'm importing. If I try to set it to true after importing I get an error unless I first turn off 'Service Accounts Enabled' and then attempt to enable 'Authorization Enabled'. The JSON that I'm sending is provided below:

{
  "clientId" : "hello-world-authz-service",
  "secret" : "secret",
  "authorizationServicesEnabled" : true,
  "enabled" : true,
  "redirectUris" : [ "http://localhost:8080/hello-world-authz-service/*" ],
  "baseUrl": "http://localhost:8080/hello-world-authz-service",
  "adminUrl": "http://localhost:8080/hello-world-authz-service",
  "directAccessGrantsEnabled" : true
}

The JSON above is actually based upon one of the examples that was provided in the keycloak source code and it works when I import everything as a realm, but not when I use just the client portion. Can anyone provide guidance in regards to how I can import JSON into Keycloak in order to set up a specific client?
This is the entire realm json file I referred to:
https://github.com/keycloak/keycloak/blob/master/examples/authz/hello-world-authz-service/hello-world-authz-realm.json

I'm running keycloak version 2.5.0.Final Community.

Thank you in advance for your guidance,

Jeremy

From bburke at redhat.com Sat Feb 25 15:51:39 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 25 Feb 2017 15:51:39 -0500
Subject: [keycloak-user] Quick help request

There is an add-user.sh script.

On 2/24/17 3:23 PM, Mark True wrote:
> Hi Team,
>
> I am doing the quick start for RH-SSO and I was trying to set up user federation with LDAP, in the process of doing so I accidentally deleted my only user with admin permissions.
>
> It doesn't seem like there is a way to fix this, and there was no prohibition or warning about doing so given by the app! This seems like something that could be potentially bad in a live setup with thousands of users, but I do not feel like I know the system enough to call it a proper "bug". Thoughts?
>
> For my purposes though, is there a way I can add an admin user back manually or do I need to reinstall?
>
> Mark True

From andrey.altukhov at gmail.com Sun Feb 26 13:04:02 2017
From: andrey.altukhov at gmail.com (Andrey Altukhov)
Date: Sun, 26 Feb 2017 20:04:02 +0200
Subject: [keycloak-user] how to configure Keycloak to use Microsoft SQL server

Hi all,

Could you please kindly provide instructions how to configure Keycloak to use Microsoft SQL server database?

Thanks in advance.

From bburke at redhat.com Sun Feb 26 13:43:04 2017
From: bburke at redhat.com (Bill Burke)
Date: Sun, 26 Feb 2017 13:43:04 -0500
Subject: [keycloak-user] how to configure Keycloak to use Microsoft SQL server
Message-ID: <9ce02303-8e46-da55-807c-47df9858c362@redhat.com>

https://keycloak.gitbooks.io/documentation/server_installation/topics/database.html

From jose.fajardo.iii at gmail.com Sun Feb 26 19:32:43 2017
From: jose.fajardo.iii at gmail.com (Jose Fajardo)
Date: Mon, 27 Feb 2017 11:32:43 +1100
Subject: [keycloak-user] Recommended approach to "Passing thru Custom URL parameters" on AUTH

Hi,

I'm trying to find the best approach to passing thru custom url parameters from our application to keycloak and for use in the keycloak freemarker templates (login/otp etc).

From our web application we create the "/auth" url, e.g.
http://localhost:8080/auth/realms/lobby/protocol/openid-connect/auth?client_id=lobby-app&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fsignin-oidc&response_type=code&scope=openid%20profile&response_mode=form_post&nonce=636237436277062376.ZmM2NGVhNWEtOGVhMC00NmRiLWJmZjktNTZkZjM5ODViM2JhZDg3YTU4ZGUtODEzYS00MDVlLTlmZjktMmFiODQxZGU2M2Ux&prompt=login&session_state=lite%5E&custom_param=xxxxxx&login_hint=user at test.com&state=asdfaeasdfasd-adsfadsf

This then successfully loads the login page within Keycloak BUT the "session_state" and "custom_param" params are lost and not available for use in the freemarker templates.

What's the best approach to expose these custom params to login.ftl/loginOTP.ftl etc?

From adam.keily at adelaide.edu.au Sun Feb 26 21:03:41 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Mon, 27 Feb 2017 02:03:41 +0000
Subject: [keycloak-user] Conditional OTP per Client

Can the Conditional OTP authenticator be implemented per client? E.g. force OTP when connecting to ClientA but not ClientB. Would this be done using the request URL from the HTTP header?

From shane.boulden at gmail.com Mon Feb 27 02:20:40 2017
From: shane.boulden at gmail.com (Shane Boulden)
Date: Mon, 27 Feb 2017 18:20:40 +1100
Subject: [keycloak-user] Restrict access to a client to a subset of Keycloak users
References: <472c5e00-d917-1a98-7f3b-91a6429a2f56@redhat.com>

Hey everyone,

I didn't manage to find the cause of my 'ClassNotFoundException', but managed to work around it by passing the expected JSON directly to the Response builder:

~~~
AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
Response = Java.type("javax.ws.rs.core.Response");
MediaType = Java.type("javax.ws.rs.core.MediaType");

function authenticate(context) {
    var groups = user.getGroups();
    var group_array = groups.toArray();

    for (var i in group_array) {
        var gn = group_array[i].getName();

        if (gn === "openshift-access") {
            context.success();
            return;
        }
    }

    // OAuth2 error body written out by hand instead of via OAuth2ErrorRepresentation
    var response = Response.status(401).entity("{\"error\":\"invalid_grant\",\"error_description\":\"invalid_user_credentials\"}").type(MediaType.APPLICATION_JSON_TYPE).build();

    context.failure(AuthenticationFlowError.INVALID_CREDENTIALS, response);
    return;
}
~~~

Now when a user attempts to 'oc login' to OpenShift, and they're not in the correct Keycloak group, they receive a '401 Unauthorized' rather than a 500 error.

Hope this helps someone else.

Shane

From skm.8896 at gmail.com Mon Feb 27 06:44:38 2017
From: skm.8896 at gmail.com (Saransh Kumar)
Date: Mon, 27 Feb 2017 17:14:38 +0530
Subject: [keycloak-user] Authenticate a rest api using keycloak access token

Hello,

How to get user information like username, name, email etc. from the keycloak token in server side node js REST API (secured through bearer auth only)?

*Code:*

var express = require('express');
var router = express.Router();
var app = express();
var cors = require('cors');
var Keycloak = require('keycloak-connect');
var session = require('express-session');

var memoryStore = new session.MemoryStore();

app.use(session({
    secret: 'c214ad7b-e4f9-4b11-9d79-d25084e7c721',
    resave: false,
    saveUninitialized: true,
    store: memoryStore
}));

var keycloak = new Keycloak({store: memoryStore});

app.use(keycloak.middleware({logout: '/logout', admin: '/'}));

router.options('/', cors());

/* GET users listing. */
//router.get('/', keycloak.protect(), function(req, res, next) {
router.get('/', cors(), function(req, res, next) {
    if (keycloak.protect()) {
        // How to fetch userInfo here?
res.send('Reached here!'); } else { res.send('Failed to authenticate'); } }); module.exports = router; ------------------------------------------------------------------------------------------------------------------------------------------ Also, is there any method so that we can cache the user data from the token assigned to a particular user, so that whenever request from the same user comes again with the same token, we need not query keycloak about the user information? Thanks in advance Saransh From john.d.ament at gmail.com Mon Feb 27 07:20:13 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Mon, 27 Feb 2017 12:20:13 +0000 Subject: [keycloak-user] IDP Initiated Login In-Reply-To: <54afdb30-4d34-2710-1727-5947facc2ba1@redhat.com> References: <5dabe271-cd7a-e410-639e-78f214ee7b31@redhat.com> <7f44feef-5d12-0ecb-d284-8d972fb280a2@redhat.com> <370c8c63-b947-51c3-c703-b3e8ce45d71a@redhat.com> <54afdb30-4d34-2710-1727-5947facc2ba1@redhat.com> Message-ID: On Fri, Feb 24, 2017 at 9:09 AM Bill Burke wrote: > > > On 2/23/17 9:14 PM, John D. Ament wrote: > > After I sent this email, it dawned on me what #4 was. I was able to > > get IDP initiated working. Here's what my setup looks like. So I'm > > interested, is this correct, is this too much? > > > > - Create an IDP for Okta. > > > > - App Client: > > - This represents the real application, receiving the final assertion. > > - Client Protocol: SAML > > - IDP Initiated SSO Name: some-value > > - Assertion Consumer Service POST Binding URL: > > http://myapp/saml (the /saml comes from the wildfly SAML adapter) > > > > Within Okta, I'm entering a URL like this: > > > > http://mykeycloak/auth/realms/ > <>/broker/<>/endpoint/clients/<> > > > > Where: > > > > realm: your realm, e.g. 
> > tenant1 in my case
> > alias: the value of the "alias" field from your IDP
> > some-value: the IDP Initiated SSO Name value from above
> >
> > After doing this, I'm able to confirm that the principal is coming from Keycloak properly. I'm assuming based on this, I can only do this via the SAML adapter, not the OIDC connector.
>
> Correct, no OIDC. Reason? It's the OAuth protocol. OAuth only allows the client to initiate authentication.
>

I ended up raising a feature request. I feel like there should be a way to do this in keycloak, even if it involves tricking the client into believing they initiated the request. Is there a way to deploy both the OIDC and SAML connectors? I'd like to leverage the client side adapters (javascript) but still support SAML.

Anyways, once the license file is in place on the doc repo, I plan to raise a PR to clean up this guide.

> Bill
>

From dev.ebondu at gmail.com Mon Feb 27 07:52:06 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Mon, 27 Feb 2017 05:52:06 -0700 (MST)
Subject: [keycloak-user] Anonymous access to scoped resources
Message-ID: <1488199926055-2929.post@n6.nabble.com>

Hi all,

I am using Keycloak filters to secure a Spring REST API and I need to provide anonymous access to a subset of resources having a given scope (like 'urn:scope:read:public'). To me, anonymous means an unauthenticated user without an access token.

I defined a dedicated security chain to bypass the authentication filter, but the authorization filter is expecting an access token to grant requests, so I can't use it.

Do I need to implement my own filter based only on the protection API to retrieve and check the scopes of requested resources, or is there a better way to grant access to resources for anonymous users?

Thanks.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Anonymous-access-to-scoped-resources-tp2929.html
Sent from the keycloak-user mailing list archive at Nabble.com.
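A filter of the kind the question above asks about, as an added example (not Keycloak's, Spring's, or the poster's own code): it sits on the security chain that bypasses the token filter and is the only guard there, letting a request without a token through only when the requested path maps to resources that all carry the public scope, and refusing everything else with 401, so the bypass chain still denies by default. The class name `AnonymousPublicScopeFilter`, the request attribute `anonymousPublicRead`, the sample resource patterns in `sample()` and the in-memory pattern-to-scopes map are assumptions; in a real deployment the scopes would come from the resource server's Protection API (ideally cached) rather than a hard-coded map.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not Keycloak's or Spring's own code. Sits on the security
// chain that bypasses the token filter and is the only guard on that chain.
public class AnonymousPublicScopeFilter implements Filter {

    // Scope that marks a resource as readable without a token (from the question).
    static final String PUBLIC_SCOPE = "urn:scope:read:public";

    // Resource URI pattern -> scopes. Constructed stand-in for a (cached)
    // lookup through the resource server's Protection API.
    private final Map<String, Set<String>> resourceScopes;

    public AnonymousPublicScopeFilter(Map<String, Set<String>> resourceScopes) {
        this.resourceScopes = Collections.unmodifiableMap(new HashMap<>(resourceScopes));
    }

    // Constructed sample registration: a public catalog, a protected price list
    // nested inside it, and a fully protected orders resource.
    public static AnonymousPublicScopeFilter sample() {
        Map<String, Set<String>> m = new HashMap<>();
        m.put("/api/catalog/*", new HashSet<>(Arrays.asList(PUBLIC_SCOPE, "urn:scope:read")));
        m.put("/api/catalog/prices", new HashSet<>(Arrays.asList("urn:scope:read")));
        m.put("/api/orders/*", new HashSet<>(Arrays.asList("urn:scope:read", "urn:scope:write")));
        return new AnonymousPublicScopeFilter(m);
    }

    // Anonymous access is allowed only for safe methods, only if the path matches
    // at least one resource, and only if EVERY matching resource carries the
    // public scope: an overlapping protected resource (prices inside the public
    // catalog) therefore wins. Unknown paths are denied.
    boolean isAnonymousAllowed(String method, String path) {
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            return false; // the public scope is read-only; never let writes through
        }
        boolean matched = false;
        for (Map.Entry<String, Set<String>> e : resourceScopes.entrySet()) {
            if (matches(e.getKey(), path)) {
                matched = true;
                if (!e.getValue().contains(PUBLIC_SCOPE)) {
                    return false;
                }
            }
        }
        return matched;
    }

    // "/prefix/*" matches everything below the prefix; anything else is an exact match.
    private static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            return path.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return pattern.equals(path);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (isAnonymousAllowed(request.getMethod(), path)) {
            // Tell downstream code this is an anonymous, read-only call.
            request.setAttribute("anonymousPublicRead", Boolean.TRUE);
            chain.doFilter(req, res);
        } else {
            // Not public: the caller has to come back with a token on the protected chain.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

With the sample registration, GET /api/catalog/items passes, GET /api/catalog/prices is refused because the more specific protected resource also matches, and any request under /api/orders or with a non-safe method is refused. The "all matching resources must be public" rule is what keeps a broad public pattern from accidentally exposing a protected resource registered underneath it.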
From salvatore.incandela at redhat.com Mon Feb 27 09:09:25 2017
From: salvatore.incandela at redhat.com (Salvatore Incandela)
Date: Mon, 27 Feb 2017 15:09:25 +0100
Subject: [keycloak-user] [Keycloak][Get identity provides roles]
In-Reply-To:
References:
Message-ID:

Sorry guys, any feedback?

On Fri, Feb 24, 2017 at 6:49 PM, Salvatore Incandela <salvatore.incandela at redhat.com> wrote:
> Yes, in my case I've:
>
> Keycloak A shows the login form with the Usr and Pwd fields and the IDP button. When I authenticate with the IDP I want to import the user roles from Keycloak B; here is my configuration:
> Identity Provider Mappers
> Mapper Type=Attribute Importer
> Claim=hd_role
> User Attribute Name=roles
>
> Keycloak B gives the "full_access_role" to the user:
> Client Mapper
> Mapper Type=Hardcoded Role
> name=hd_role
> Role=full_access_role
>
> This configuration doesn't work; how do I have to configure Keycloak A in order to import the roles from Keycloak B into the database?
>
> On Fri, Feb 24, 2017 at 4:55 PM, Bill Burke wrote:
>> You mean you are doing identity brokering with a parent keycloak instance? Look at Mappers. There are "Claim to Role" and "External Role To Role" mappers. The tooltips will explain what they do. What you have to do is map claims from the external IDP into user attributes and role mappings for the user imported into your Keycloak instance. Then you map from the common user model to the token claims you want generated for your application. Hope that makes sense.
>>
>> On 2/24/17 10:36 AM, Salvatore Incandela wrote:
>> > Hi guys, I've done several tries but I'm still having the same question: is it possible to populate user roles given by an identity provider (another keycloak instance) getting those from the json claim?
>> >
>> > On Thu, Feb 23, 2017 at 5:56 PM, Salvatore Incandela <salvatore.incandela at redhat.com> wrote:
>> >
>> >> Hi guys, is it possible to populate user roles given by an identity provider (another keycloak instance) getting those from the json claim?
>> >>
>> >> --
>> >> Salvatore Incandela
>> >> Middleware Consultant
>> >> ------------------------------
>> >> Red Hat - www.redhat.com
>> >> Via Andrea Doria 41M
>> >> 00192 Roma (Italy)
>> >> Mobile +39 349 6196615
>> >> Fax +39 06 39728535
>> >> E-mail salvatore.incandela at redhat.com
>> >
>>

From bburke at redhat.com Mon Feb 27 09:12:14 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 27 Feb 2017 09:12:14 -0500
Subject: [keycloak-user] Conditional OTP per Client
In-Reply-To:
References:
Message-ID: <02124d5a-92fb-2c3d-8da8-3d5e3ca371f4@redhat.com>

You'd have to write custom code for that and understand how the authentication flow works. I don't think that conditional OTP thing would work if somebody logged into client A without OTP and then visited client B, as the cookie authenticator would trigger and just let client B have access. We have plans to implement "step up" authentication, but that is not for a while.
On 2/26/17 9:03 PM, Adam Keily wrote:
> Can the Conditional OTP authenticator be implemented per client? E.g. force OTP when connecting to ClientA but not ClientB. Would this be done using the request URL from the HTTP header?

From skm.8896 at gmail.com Mon Feb 27 09:19:37 2017
From: skm.8896 at gmail.com (Saransh Kumar)
Date: Mon, 27 Feb 2017 19:49:37 +0530
Subject: [keycloak-user] bearer auth only in keycloak secured rest API(node js)
Message-ID:

Hello,

I have used bearer auth only in my REST API, and I am sending an Authorization: Bearer header in the GET request from the front end.

Protect.js

    ......
    return function protect (request, response, next) {
      if (request.kauth && request.kauth.grant) { // Line 2
        if (!guard || guard(request.kauth.grant.access_token, request, response)) {
          return next();
        }
        return keycloak.accessDenied(request, response, next);
      }
    ........

When I am invoking protect.js in my GET request:

    router.get('/', cors(), keycloak.protect(), function (req, res, next) {
    });

Line 2, which is the if statement, is turning out to be false, so I wanted to know why request.kauth and request.kauth.grant are returning false?

Thanks in advance
Saransh

From dt at zyres.com Mon Feb 27 09:20:56 2017
From: dt at zyres.com (Danny Trunk)
Date: Mon, 27 Feb 2017 15:20:56 +0100
Subject: [keycloak-user] How to have multiple data sources?
Message-ID: <3af4b278-8da7-adbf-a24e-3e66faac8425@zyres.com>

Hello,

I've followed the instructions from https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/database.html

But instead of changing the existing DS and provider, I simply added another one:

    ...
    ...
    jdbc:postgresql://192.168.XX.XX/myproject
    postgresql
    20
    myproject
    password
    ...
    ...
    ...

That's because I want to set the datasource per realm (if that's possible?).
Now I can't find this connection provider in the admin console. Only the default is listed in Server Info > Providers.

Server Version: 2.5.1.Final

By the way: this DS configuration is a mess. It would be much more user friendly to simply add a database provider and configure them through the admin console.

From john.d.ament at gmail.com Mon Feb 27 09:57:25 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 27 Feb 2017 14:57:25 +0000
Subject: [keycloak-user] Clustering Keycloak via TCP
Message-ID:

Hi

I was wondering, has Keycloak been tested using Wildfly 10.1 TCP based JGroups? I'm told that the TCP ports are lazy, and I'm never seeing them come up. It looks like Keycloak doesn't have a war file, no web.xml and as a result no distributable flag.

John

From bburke at redhat.com Mon Feb 27 09:58:48 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 27 Feb 2017 09:58:48 -0500
Subject: [keycloak-user] How to have multiple data sources?
In-Reply-To: <3af4b278-8da7-adbf-a24e-3e66faac8425@zyres.com>
References: <3af4b278-8da7-adbf-a24e-3e66faac8425@zyres.com>
Message-ID: <128ef5da-9220-aacb-26a7-3dcb82dea9b5@redhat.com>

It is not possible to have a data source per realm. Why would you want to do this? Why not just provision a different Keycloak deployment? What are you trying to accomplish?

On 2/27/17 9:20 AM, Danny Trunk wrote:
> [...]

From bburke at redhat.com Mon Feb 27 10:24:18 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 27 Feb 2017 10:24:18 -0500
Subject: [keycloak-user] Clustering Keycloak via TCP
In-Reply-To:
References:
Message-ID: <8c34bbd2-b04b-8056-2344-3498ac6a6c2c@redhat.com>

https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem

The only thing in keycloak that needs to leverage clustering/JGroups is our Infinispan cache for Keycloak SSO Sessions. I've never personally tried to use a different JGroups stack. I believe you can set the "stack" attribute in the transport tag. Let me know if you get it working.
I'll expand on our docs.

On 2/27/17 9:57 AM, John D. Ament wrote:
> [...]

From john.d.ament at gmail.com Mon Feb 27 10:59:54 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 27 Feb 2017 15:59:54 +0000
Subject: [keycloak-user] Clustering Keycloak via TCP
In-Reply-To: <8c34bbd2-b04b-8056-2344-3498ac6a6c2c@redhat.com>
References: <8c34bbd2-b04b-8056-2344-3498ac6a6c2c@redhat.com>
Message-ID:

That didn't work.

    Message: WFLYCTL0197: Unexpected attribute 'stack' encountered
    at org.jboss.as.controller.parsing.ParseUtils.unexpected

John

On Mon, Feb 27, 2017 at 10:30 AM Bill Burke wrote:
> [...]
From Ori.Doolman at amdocs.com Mon Feb 27 11:00:51 2017
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Mon, 27 Feb 2017 16:00:51 +0000
Subject: [keycloak-user] Authorization: Javascript policy
Message-ID:

Hi,

How rich can the Javascript policy be? Is it limited to only the specific interface ($evaluation), or can I use any Javascript package/code I want?

Specifically, I need to have a mapping table between a token claim (user attribute) and a list of IDs.

Can I query another server using an HTTP request within the policy code? Or can I query the user database from the policy code? Or can I pre-load the mapping table into PDP memory and query it from the policy code?

Thanks,
Ori.

This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp

From bburke at redhat.com Mon Feb 27 11:30:01 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 27 Feb 2017 11:30:01 -0500
Subject: [keycloak-user] Clustering Keycloak via TCP
In-Reply-To:
References: <8c34bbd2-b04b-8056-2344-3498ac6a6c2c@redhat.com>
Message-ID: <6d5f9edf-19ea-3668-a1f2-b49a5e4741cf@redhat.com>

Wildfly docs are wrong then :(

Maybe this? I'm just guessing. You know I'm just googling stuff and looking at standalone-ha.xml, right?

On 2/27/17 10:59 AM, John D. Ament wrote:
> That didn't work.
>
> Message: WFLYCTL0197: Unexpected attribute 'stack' encountered
> at org.jboss.as.controller.parsing.ParseUtils.unexpected
>
> jndi-name="infinispan/Keycloak">
>
> John
>
> On Mon, Feb 27, 2017 at 10:30 AM Bill Burke wrote:
> > [...]

From lanabe.lanabe at gmail.com Mon Feb 27 11:50:20 2017
From: lanabe.lanabe at gmail.com (lanabe)
Date: Mon, 27 Feb 2017 16:50:20 +0000
Subject: [keycloak-user] Clustering Keycloak via TCP
In-Reply-To: <6d5f9edf-19ea-3668-a1f2-b49a5e4741cf@redhat.com>
References: <8c34bbd2-b04b-8056-2344-3498ac6a6c2c@redhat.com> <6d5f9edf-19ea-3668-a1f2-b49a5e4741cf@redhat.com>
Message-ID:

I tested the following settings with 2 Keycloak nodes on the same machine (using PostgreSQL), and it works.

---
java:jboss/datasources/KeycloakDS
---

You can use TCPPING instead of JDBC_PING like this.
---
[],[]
---

On Tue, Feb 28, 2017 at 1:31 AM Bill Burke wrote:
> [...]
From moon3854 at gmail.com Mon Feb 27 12:25:51 2017
From: moon3854 at gmail.com (Dmitry Korchemkin)
Date: Mon, 27 Feb 2017 20:25:51 +0300
Subject: [keycloak-user] SAML Broker configuration based on SAML/Broker examples leads to client_not_found error
Message-ID:

I was trying to set up two SAML Keycloak IdPs, based on the basic SAML and broker examples provided with Keycloak. Using the broker example as a reference, I added an IDP to the saml-demo client. In this IDP I changed the Single Sign-On Service URL to the URI of the second realm - http://localhost:8080/auth/realms/saml-broker-realm/protocol/saml, just like in the broker example. In saml-broker-realm I configured the SAML client identically to the broker example.

When I try to log in using this new configuration by pressing the new button, I get the following error:

    type=LOGIN_ERROR, realmId=saml-demo, clientId=http://localhost:8080/auth/realms/saml-demo, userId=null, ipAddress=10.0.2.2, error=client_not_found

I tried googling the issue, but all the answers seem to be linked to keycloak.json, which indeed is not used by the SAML example, as far as I can tell. Am I right in my assumption that this configuration will not work by definition due to keycloak.json missing, or could this error be caused by something else?

From john.d.ament at gmail.com Mon Feb 27 12:59:53 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 27 Feb 2017 17:59:53 +0000
Subject: [keycloak-user] Clustering Keycloak via TCP
In-Reply-To:
References: <8c34bbd2-b04b-8056-2344-3498ac6a6c2c@redhat.com> <6d5f9edf-19ea-3668-a1f2-b49a5e4741cf@redhat.com>
Message-ID:

Ha yeah, so that ended up being a problem with copy and paste between the two. The way it seems to work, Infinispan uses the JGroups config for the cluster, which WildFly configures as "ee". So only that requires the stack="tcp" part. But then when I pulled the Keycloak config out, I pulled the standalone.xml config, not the standalone-ha.xml config.

So all good now. Thanks!

John

On Mon, Feb 27, 2017 at 11:50 AM lanabe wrote:
> [...]
From JMajors at gohealth.com Mon Feb 27 15:39:24 2017
From: JMajors at gohealth.com (Jeremy Majors)
Date: Mon, 27 Feb 2017 20:39:24 +0000
Subject: [keycloak-user] Does Policy Evaluation Tool Support Client Roles?
Message-ID: <1488227965711.14722@gohealth.com>

When I'm testing my policies using the Policy Evaluation Tool, I am unable to get the administration application to return any client-based roles so that I can test that scenario (currently it only allows me to specify realm-based roles). Is this because we shouldn't be testing the client-based roles, or does the tool simply not support that feature yet?

My setup is as follows:

* No roles are defined at the realm level
* Client has defined 2 roles (read/write)
* Policy has been set up to allow reading for a specific client (using client role). The client role 'read' is required
* Permission has been set up to associate the policy with a particular resource's authorization scope.
I set up all of the roles under the client so that I don't pollute the realm roles with application-specific settings, but potentially that isn't how Keycloak is supposed to be used.

Thanks,
Jeremy

Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of my firm shall be understood as neither given nor endorsed by it.

From JMajors at gohealth.com Mon Feb 27 16:57:03 2017
From: JMajors at gohealth.com (Jeremy Majors)
Date: Mon, 27 Feb 2017 21:57:03 +0000
Subject: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
Message-ID: <1488232623127.15736@gohealth.com>

I have set up my users to have the 'read' role by associating that role with a group which my users have been associated with. While testing the policies for a resource using the Policy Evaluation tool, I determined that the roles associated with the groups weren't being picked up and the user was being denied access to the resource (please note that when I looked at the user's roles I did notice that 'read' was listed as an effective role). When I removed one of the users from the group and directly assigned the 'role' to the user, then I was able to successfully access the resource using the Policy Evaluation tool.

Can anyone else reproduce this issue? It's unclear whether it could be related to KEYCLOAK-2964, which has been closed.

Thanks in advance,
Jeremy

From alkazako at redhat.com Tue Feb 28 01:40:40 2017
From: alkazako at redhat.com (Alexey Kazakov)
Date: Mon, 27 Feb 2017 22:40:40 -0800
Subject: [keycloak-user] User's groups in authz policy
Message-ID: <8ad3fa2d-4237-9203-08ba-bee8bbf78948@redhat.com>

Hi,

Is there a way to grant permissions to some resource if the user belongs to some group, in general and in a JS policy in particular?

Thanks.

From dt at zyres.com Tue Feb 28 06:35:20 2017
From: dt at zyres.com (Danny Trunk)
Date: Tue, 28 Feb 2017 12:35:20 +0100
Subject: [keycloak-user] How to have multiple data sources?
In-Reply-To: <128ef5da-9220-aacb-26a7-3dcb82dea9b5@redhat.com>
References: <3af4b278-8da7-adbf-a24e-3e66faac8425@zyres.com> <128ef5da-9220-aacb-26a7-3dcb82dea9b5@redhat.com>
Message-ID: <2ac331aa-a28d-e4b3-d95c-814e42785d86@zyres.com>

I have multiple projects and need to set different external databases for each of them. I already wrote my own User Storage Provider in order to connect to the OFBiz UserLogin Entity. Maybe this can be accomplished by writing a custom connection provider?

On 27.02.2017 at 15:58, Bill Burke wrote:
> [...]
From bburke at redhat.com Tue Feb 28 09:27:06 2017
From: bburke at redhat.com (Bill Burke)
Date: Tue, 28 Feb 2017 09:27:06 -0500
Subject: [keycloak-user] How to have multiple data sources?
In-Reply-To: <2ac331aa-a28d-e4b3-d95c-814e42785d86@zyres.com>
References: <3af4b278-8da7-adbf-a24e-3e66faac8425@zyres.com> <128ef5da-9220-aacb-26a7-3dcb82dea9b5@redhat.com> <2ac331aa-a28d-e4b3-d95c-814e42785d86@zyres.com>
Message-ID: <68751ab3-de24-1d94-7489-f8b9a49d8fd5@redhat.com>

It would be a lot less effort and maintenance to just provision a different Keycloak server per realm. Really easy in this world of virtualization and cloud computing. Why would you not take this approach? We would gladly accept patches that improved provisioning.

But if you're being stubborn, you'd have to refactor the JPA provider so that it could acquire an EntityManager based on the realm name or id, as datasource and EntityManager have a one-to-one relationship.

On 2/28/17 6:35 AM, Danny Trunk wrote:
> [...]
From sblanc at redhat.com Tue Feb 28 09:43:00 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 28 Feb 2017 15:43:00 +0100
Subject: [keycloak-user] Stack Overflow
In-Reply-To:
References:
Message-ID:

One really annoying point that I just encountered is the "reputation" points system. Answering a question doesn't require reputation, but if you want to comment on an answer you must have at least 50 points of reputation; this is pretty frustrating.

On Fri, Feb 24, 2017 at 1:04 PM, Stian Thorgersen wrote:
> We're considering dropping the Keycloak user mailing list and moving to Stack Overflow instead.
>
> Thoughts?

From john.d.ament at gmail.com Tue Feb 28 11:49:06 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Tue, 28 Feb 2017 16:49:06 +0000
Subject: [keycloak-user] Performance Testing keycloak
Message-ID:

Hi,

I wanted to put together some basic perf tests of Keycloak. I'm logging in as an admin and doing some basic create user operations. I wrote a simple gatling script to do this work. One issue I'm seeing is that gatling is grabbing the bearer header in the request. I was wondering, do I need to send the bearer or can Keycloak rely on the cookie alone?

From aciuprin at mpi-bremen.de Tue Feb 28 13:26:19 2017
From: aciuprin at mpi-bremen.de (Andreea Ciuprina)
Date: Tue, 28 Feb 2017 19:26:19 +0100
Subject: [keycloak-user] Keycloak onLoad option
Message-ID:

Hello!

I am running into the following issue when using the Keycloak JavaScript adapter in order to connect our React frontend client with the Keycloak server.
The following code, where the onLoad option is set to "login-required", causes the webpage to refresh every 10 seconds after logging in:

    const SEC_UPDATE_TOKEN = 30;

    const kc: Keycloak.KeycloakInstance = Keycloak("/keycloak.json");
    kc.init({onLoad: "login-required"}).success((authenticated: boolean) => {
        if (authenticated) {
            kc.updateToken(SEC_UPDATE_TOKEN).success(() => {
                loadData();
            }).error(() => {
                alert("Failed to refresh token");
            });
        }
        else {
            // show possibly other page here...
            kc.login();
        }
    }).error(() => {
        alert("failed to initialize");
    });

If I replace the onLoad option with "check-sso", the problem disappears.

Reading the documentation, i.e. this part:

    login-required will authenticate the client if the user is logged-in to Keycloak or display the login page if not. check-sso will only authenticate the client if the user is already logged-in, if the user is not logged-in the browser will be redirected back to the application and remain unauthenticated.

was not very clear to me regarding the behaviour that I am observing in my case.

Could you please explain to me the difference between "login-required" and "check-sso" and why using one of them instead of the other in my case causes the unwanted, constant page refresh?

Thank you!

Best regards,
Andreea

From kevinmarsden88 at gmail.com Tue Feb 28 13:45:19 2017
From: kevinmarsden88 at gmail.com (Kevin Marsden)
Date: Tue, 28 Feb 2017 18:45:19 +0000
Subject: [keycloak-user] Keycloak onLoad option
In-Reply-To:
References:
Message-ID:

Are you by any chance running on the Angular CLI dev server, port 4200?

On Tue, Feb 28, 2017 at 8:27 PM Andreea Ciuprina wrote:
> [...]
> > The following code, where the onLoad option is set to "login-required" > causes the webpage to refresh every 10 seconds, after logging in: > > > > const SEC_UPDATE_TOKEN = 30; > > const kc: Keycloak.KeycloakInstance = Keycloak("/keycloak.json"); > kc.init({onLoad: "login-required"}).success((authenticated: boolean) => { > if (authenticated) { > kc.updateToken(SEC_UPDATE_TOKEN).success(() => { > loadData(); > }).error(() => { > alert("Failed to refresh token"); > }); > } > else { > // show possibly other page here... > kc.login(); > } > }).error(() => { > alert("failed to initialize"); > }); > > > > If I replace the onLoad option to "check-sso", the problem dissapears. > > Reading the documentation, i.e. this part: > > > > login-required will authenticate the client if the > user is logged-in to Keycloak or display the login page if not. check-sso > will only > authenticate the client if the user is already logged-in, if the user is > not logged-in the browser > will be redirected back to the application and remain unauthenticated. > > was not very clear for me, regarding to the behaviour that I am observing > in my case. > > Could you please explain me the difference between "login-required" and > "check-sso" and why using one of them instead of the other in my case > causes the unwanted, constant page refresh? > > Thank you! 
> Best regards, > Andreea > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From kevinmarsden88 at gmail.com Tue Feb 28 13:51:05 2017 From: kevinmarsden88 at gmail.com (Kevin Marsden) Date: Tue, 28 Feb 2017 18:51:05 +0000 Subject: [keycloak-user] Keycloak onLoad option In-Reply-To: References: Message-ID: Reason I ask is that I have had a similar problem (Angular 2 front-end), and I was able to stop the constant reload by disabling the IFrame SSO check in my on-init method. I believe that it might have something to do with using an externally based Keycloak server; still investigating, but definitely something to do with the SSO side of things. On Tue, Feb 28, 2017 at 8:45 PM Kevin Marsden wrote: > Are you by any chance running on the Angular CLI Dev server, port 4200? > > On Tue, Feb 28, 2017 at 8:27 PM Andreea Ciuprina > wrote: > > Hello! > > > > I am running into the following issue when using the Keycloak JavaScript > adapter in order to connect our React frontend client with the Keycloak > server. > > The following code, where the onLoad option is set to "login-required" > causes the webpage to refresh every 10 seconds, after logging in: > > > > const SEC_UPDATE_TOKEN = 30; > > const kc: Keycloak.KeycloakInstance = Keycloak("/keycloak.json"); > kc.init({onLoad: "login-required"}).success((authenticated: boolean) => { > if (authenticated) { > kc.updateToken(SEC_UPDATE_TOKEN).success(() => { > loadData(); > }).error(() => { > alert("Failed to refresh token"); > }); > } > else { > // show possibly other page here... > kc.login(); > } > }).error(() => { > alert("failed to initialize"); > }); > > > > If I replace the onLoad option to "check-sso", the problem dissapears. > > Reading the documentation, i.e. this part: > > > > login-required will authenticate the client if the > user is logged-in to Keycloak or display the login page if not.
check-sso > will only > authenticate the client if the user is already logged-in, if the user is > not logged-in the browser > will be redirected back to the application and remain unauthenticated. > > was not very clear for me, regarding to the behaviour that I am observing > in my case. > > Could you please explain me the difference between "login-required" and > "check-sso" and why using one of them instead of the other in my case > causes the unwanted, constant page refresh? > > Thank you! > Best regards, > Andreea > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From mat at uken.com Tue Feb 28 14:06:20 2017 From: mat at uken.com (Mat Pataki) Date: Tue, 28 Feb 2017 19:06:20 +0000 Subject: [keycloak-user] Mobile Game Authentication Flow Message-ID: Hello! I'm a developer at a mobile gaming company, and I'm trying to better understand how/if KeyCloak fits within the paradigm that we have, and that I believe also to be pretty typical in this space. At the moment I am specifically interested in User Registration and Authentication. I should say that I've spent a larger amount of time with the documentation before turning here, so hopefully I'm not missing something completely obvious (although I can't really rule that out!). Third party identity providers such as facebook and google provide mobile SDKs that are capable of completing the OAuth2 flow with their respective identity platforms. In the end, our consuming mobile apps receive an access token if all goes well. We send this token to our current custom backend authentication solution which will validate them, obtain an ID from the identity provider, and link that ID to our own internal ID for the user. It's this backend component that I would like to replace with KeyCloak. For reference, I see very similar code to this in the KeyCloak source, here <https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java>, which is encouraging!
The problem, however, is that KC's social login flow, and seemingly the custom SPI flows as well, all begin with the web based registration page. For our use case, we would like to avoid directing our users away from our app during this process, and in fact avoid performing the OAuth2 flow between us and facebook, for example, entirely. This is something we have today via these client SDKs. Down the line we plan to use KeyCloak for its more traditional use cases, including securing our own microservices and applications, but that's assuming that we can solve this problem. Any advice would be greatly appreciated! Thanks in advance! Mat From thomas.darimont at googlemail.com Tue Feb 28 14:58:31 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Tue, 28 Feb 2017 20:58:31 +0100 Subject: [keycloak-user] Performance Testing keycloak In-Reply-To: References: Message-ID: Hello John, you could have a look at the gatling based benchmark here: https://github.com/rvansa/keycloak-benchmark It seems that it uses cookie-based auth. Cheers, Thomas 2017-02-28 17:49 GMT+01:00 John D. Ament : > Hi, > > I wanted to put together some basic perf tests of keycloak. I'm logging in > as an admin and doing some basic create user operations. > > I wrote a simple gatling script to do this work. One issue I'm seeing is > that gatling is grabbing the bearer header in the request. I was > wondering, do I need to send the bearer or can keycloak rely on the cookie > alone? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Tue Feb 28 15:34:47 2017 From: bburke at redhat.com (Bill Burke) Date: Tue, 28 Feb 2017 15:34:47 -0500 Subject: [keycloak-user] Mobile Game Authentication Flow In-Reply-To: References: Message-ID: You want users to be able to log in through a social provider? We don't have a REST-based social login abstraction.
It's all browser-based. Keycloak delegates authentication to social providers. One big problem is that not all social providers are necessarily password only. Depending on the user they might require an OTP or code sent by SMS. So, unless the provider has some kind of challenge-response REST API, we wouldn't know what to prompt for credentials. For registration you're going to have to write some custom backend that sits between your mobile app and Keycloak. Right now, we don't have a REST API for unauthenticated user registration. We also don't have fine-grained roles so you can say a particular user account is allowed to register new users. For mobile, we were hoping that apps would do mobile redirects to the phone's browser. Our web pages are completely themable and customizable so that you could brand them to your company. On 2/28/17 2:06 PM, Mat Pataki wrote: > Hello! > > I'm a developer at a mobile gaming company, and I'm trying to better > understand how/if KeyCloak fits within the paradigm that we have, and that > I believe also to be pretty typical in this space. At the moment I am > specifically interested in User Registration and Authentication. I should > say that I've spent a larger amount of time with the documentation before > turning here, so hopefully I'm not missing something completely obvious > (although I can't really rule that out!). > > Third party identity providers such as facebook and google provide mobile > SDKs that are capable of completing the OAuth2 flow with their respective > identity platforms. In the end, our consuming mobile apps receive an access > token if all goes well. We send this token to our current custom backend > authentication solution which will validate them, obtain an ID from the > identity provider, and link that ID to our own internal ID for the user. > It's this backend component that I would like to replace with KeyCloak.
> > For reference, I see very similar code to this in the KeyCloak source, here > <https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java>, > which is encouraging! > > The problem however, is that KC's social login flow, and seemingly the > custom SPI flows as well, all begin with the web based registration page. > For our use case, we would like to avoid directing our users away from our > app during this process, and in fact avoid performing the OAuth2 flow > between us and facebook, for example, entirely. This is something we have > today via these client SDKs. > > Down the line we plan to use KeyCloak for its more traditional use cases, > including securing our own microservices and applications, but that's > assuming that we can solve this problem. > > Any advice would be greatly appreciated! Thanks in advance! > > Mat > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mat at uken.com Tue Feb 28 16:05:40 2017 From: mat at uken.com (Mat Pataki) Date: Tue, 28 Feb 2017 21:05:40 +0000 Subject: [keycloak-user] Mobile Game Authentication Flow In-Reply-To: References: Message-ID: Thanks Bill, this is really helpful. I suspected that I'd have to write something custom for this purpose, but it's good to know that I've not just missed something obvious. There are some pretty strong business reasons to keep our users in our app during authentication, and in particular during the initial user registration, reasons that I don't think are specific to my company, but to mobile games generally. Although I can understand KeyCloak's opinion about using the mobile browser for this purpose, this is very likely a sticking point for many mobile game studios, but I digress. Thanks again for the speedy response! Mat On Tue, Feb 28, 2017 at 3:43 PM Bill Burke wrote: > You want users to be able to login through a social provider? We don't > have a REST-based social login abstraction. It's all browser based.
> Keycloak delegates authentication to social providers. One big problem > is that not all social providers are necessarily password only. > Depending on the user they might require an OTP or code sent by SMS. > So, unless the provider has some kind of challenge response REST API, we > wouldn't know what to prompt for credentials. > > For registration you're going to have to write some custom backend that > sits between your mobile app and Keycloak. Right now, we don't have a > REST api for unauthenticated user registration. We also don't have fine > grain roles so you can say a particular user account is allowed to > register new users. > > For mobile, we were hoping that apps would do mobile redirects to the > phone's browser. Our web pages are completely themable and customizable > so that you could brand them to your company. > > > On 2/28/17 2:06 PM, Mat Pataki wrote: > > Hello! > > > > I'm a developer at a mobile gaming company, and I'm trying to better > > understand how/if KeyCloak fits within the paradigm that we have, and > that > > I believe also to be pretty typical in this space. At the moment I am > > specifically interested in User Registration and Authentication. I should > > say that I've spent a larger amount of time with the documentation before > > turning here, so hopefully I'm not missing something completely obvious > > (although I can't really rule that out!). > > > > Third party identity providers such as facebook and google provide mobile > > SDKs that are capable of completing the OAuth2 flow with their respective > > identity platforms. In the end, our consuming mobile apps receive an > access > > token if all goes well. We send this token to our current custom backend > > authentication solution which will validate them, obtain an ID from the > > identity provider, and link that ID to our own internal ID for the user. > > It's this backend component that I would like to replace with KeyCloak. 
> > > > For reference, I see very similar code to this in the KeyCloak source, > here > > < > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java > >, > > which is encouraging! > > > > The problem however, is that KC's social login flow, and seemingly the > > custom SPI flows as well, all begin with the web based registration page. > > For our use case, we would like to avoid directing our users away from > our > > app during this process, and in fact avoid performing the OAuth2 flow > > between us and facebook, for example, entirely. This is something we have > > today via these client SDKs. > > > > Down the line we plan to use KeyCloak for it's more traditional use > cases, > > including securing our own micro serves and applications, but that's > > assuming that we can solve this problem. > > > > Any advice would be greatly appreciated! Thanks in advance! > > > > Mat > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Tue Feb 28 16:51:49 2017 From: bburke at redhat.com (Bill Burke) Date: Tue, 28 Feb 2017 16:51:49 -0500 Subject: [keycloak-user] Mobile Game Authentication Flow In-Reply-To: References: Message-ID: <01a99c6c-a857-dd8f-5abc-017440ee7516@redhat.com> I don't think a registration back end would be that hard to do for you. I'd be curious to know how in-app purchases would work. Isn't that something you have to go through Apple to do if on iphone? I have no idea about Android. Maybe that's a service you could leverage for authentication and identity. Seems like an interesting problem. Get back to us on what you decide to do please! 
On 2/28/17 4:05 PM, Mat Pataki wrote: > Thanks Bill, this is really helpful. > > I suspected that I've have to write something custom for this purpose, > but it's good to know that I've not just missed something obvious. > > There are some pretty strong business reasons to keep our users in our > app during authentication, and in particular during the initial user > registration, reasons that I don't think are specific to my company, > but to mobile games generally. Although I can understand KeyCloak's > opinion about using the mobile browser for this purpose, this is very > likely a sticking point for many mobile game studios, but I digress. > > Thanks again for the speedy response! > > Mat > > > > On Tue, Feb 28, 2017 at 3:43 PM Bill Burke > wrote: > > You want users to be able to login through a social provider? We > don't > have a REST-based social login abstraction. Its all browser based. > Keycloak delegates authentication to social providers. One big problem > is that not all social providers are necessarily password only. > Depending on the user they might require an OTP or code sent by SMS. > So, unless the provider has some kind of challenge response REST > API, we > wouldn't know what to prompt for credentials. > > For registration you're going to have to write some custom backend > that > sits between your mobile app and Keycloak. Right now, we don't have a > REST api for unauthenticated user registration. We also don't > have fine > grain roles so you can say a particular user account is allowed to > register new users. > > For mobile, we were hoping that apps would do mobile redirects to the > phone's browser. Our web pages are completely themable and > customizable > so that you could brand them to your company. > > > On 2/28/17 2:06 PM, Mat Pataki wrote: > > Hello! 
> > > > I'm a developer at a mobile gaming company, and I'm trying to better > > understand how/if KeyCloak fits within the paradigm that we > have, and that > > I believe also to be pretty typical in this space. At the moment > I am > > specifically interested in User Registration and Authentication. > I should > > say that I've spent a larger amount of time with the > documentation before > > turning here, so hopefully I'm not missing something completely > obvious > > (although I can't really rule that out!). > > > > Third party identity providers such as facebook and google > provide mobile > > SDKs that are capable of completing the OAuth2 flow with their > respective > > identity platforms. In the end, our consuming mobile apps > receive an access > > token if all goes well. We send this token to our current custom > backend > > authentication solution which will validate them, obtain an ID > from the > > identity provider, and link that ID to our own internal ID for > the user. > > It's this backend component that I would like to replace with > KeyCloak. > > > > For reference, I see very similar code to this in the KeyCloak > source, here > > > , > > which is encouraging! > > > > The problem however, is that KC's social login flow, and > seemingly the > > custom SPI flows as well, all begin with the web based > registration page. > > For our use case, we would like to avoid directing our users > away from our > > app during this process, and in fact avoid performing the OAuth2 > flow > > between us and facebook, for example, entirely. This is > something we have > > today via these client SDKs. > > > > Down the line we plan to use KeyCloak for it's more traditional > use cases, > > including securing our own micro serves and applications, but that's > > assuming that we can solve this problem. > > > > Any advice would be greatly appreciated! Thanks in advance! 
> > > > Mat > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mat at uken.com Tue Feb 28 17:48:19 2017 From: mat at uken.com (Mat Pataki) Date: Tue, 28 Feb 2017 22:48:19 +0000 Subject: [keycloak-user] Mobile Game Authentication Flow In-Reply-To: <01a99c6c-a857-dd8f-5abc-017440ee7516@redhat.com> References: <01a99c6c-a857-dd8f-5abc-017440ee7516@redhat.com> Message-ID: Sure! For IAPs, yes there is direct communication between our mobile clients and our payment providers (apple, google, amazon, and facebook in our case), however that's at a point well after we've established the user's identity. Thanks again On Tue, Feb 28, 2017 at 4:51 PM Bill Burke wrote: > I don't think a registration back end would be that hard to do for you. > I'd be curious to know how in-app purchases would work. Isn't that > something you have to go through Apple to do if on iphone? I have no idea > about Android. Maybe that's a service you could leverage for > authentication and identity. Seems like an interesting problem. Get back > to us on what you decide to do please! > > On 2/28/17 4:05 PM, Mat Pataki wrote: > > Thanks Bill, this is really helpful. > > I suspected that I've have to write something custom for this purpose, but > it's good to know that I've not just missed something obvious. > > There are some pretty strong business reasons to keep our users in our app > during authentication, and in particular during the initial user > registration, reasons that I don't think are specific to my company, but to > mobile games generally. 
Although I can understand KeyCloak's opinion about > using the mobile browser for this purpose, this is very likely a sticking > point for many mobile game studios, but I digress. > > Thanks again for the speedy response! > > Mat > > > > On Tue, Feb 28, 2017 at 3:43 PM Bill Burke wrote: > > You want users to be able to login through a social provider? We don't > have a REST-based social login abstraction. Its all browser based. > Keycloak delegates authentication to social providers. One big problem > is that not all social providers are necessarily password only. > Depending on the user they might require an OTP or code sent by SMS. > So, unless the provider has some kind of challenge response REST API, we > wouldn't know what to prompt for credentials. > > For registration you're going to have to write some custom backend that > sits between your mobile app and Keycloak. Right now, we don't have a > REST api for unauthenticated user registration. We also don't have fine > grain roles so you can say a particular user account is allowed to > register new users. > > For mobile, we were hoping that apps would do mobile redirects to the > phone's browser. Our web pages are completely themable and customizable > so that you could brand them to your company. > > > On 2/28/17 2:06 PM, Mat Pataki wrote: > > Hello! > > > > I'm a developer at a mobile gaming company, and I'm trying to better > > understand how/if KeyCloak fits within the paradigm that we have, and > that > > I believe also to be pretty typical in this space. At the moment I am > > specifically interested in User Registration and Authentication. I should > > say that I've spent a larger amount of time with the documentation before > > turning here, so hopefully I'm not missing something completely obvious > > (although I can't really rule that out!). 
> > > > Third party identity providers such as facebook and google provide mobile > > SDKs that are capable of completing the OAuth2 flow with their respective > > identity platforms. In the end, our consuming mobile apps receive an > access > > token if all goes well. We send this token to our current custom backend > > authentication solution which will validate them, obtain an ID from the > > identity provider, and link that ID to our own internal ID for the user. > > It's this backend component that I would like to replace with KeyCloak. > > > > For reference, I see very similar code to this in the KeyCloak source, > here > > < > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java > >, > > which is encouraging! > > > > The problem however, is that KC's social login flow, and seemingly the > > custom SPI flows as well, all begin with the web based registration page. > > For our use case, we would like to avoid directing our users away from > our > > app during this process, and in fact avoid performing the OAuth2 flow > > between us and facebook, for example, entirely. This is something we have > > today via these client SDKs. > > > > Down the line we plan to use KeyCloak for it's more traditional use > cases, > > including securing our own micro serves and applications, but that's > > assuming that we can solve this problem. > > > > Any advice would be greatly appreciated! Thanks in advance! > > > > Mat > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >
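Added example for the "Keycloak onLoad option" thread earlier on this page (Andreea's report and Kevin's iframe finding). This is my own Node model, not keycloak-js and not code posted by either of them; AdapterModel, simulate and the constructed unsigned tokens are assumptions of the example. It models the two adapter behaviours the thread turns on so they can be exercised without a browser or a Keycloak server. In keycloak.js the login-status iframe is polled every checkLoginIframeInterval seconds (5 by default); when the iframe reports that the session changed, the adapter clears the token, fires onAuthLogout and, only when init was given onLoad "login-required", calls login() again straight away. That redirect is what the app experiences as a periodic reload; with "check-sso" the token is simply dropped, which is why switching the option makes the symptom vanish, and checkLoginIframe: false (Kevin's workaround) removes the polling altogether. The model also encodes the documented meaning of updateToken(minValidity): the token is refreshed only if it would expire within minValidity seconds, so updateToken(30) is not a 30-second timer.

```javascript
'use strict';

// Constructed sample token (header.payload. with an empty signature) so that
// exp/iat can be read offline; a real adapter never accepts an unsigned token.
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

function decodeClaims(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
}

// Rule behind updateToken(minValidity): the token counts as expired once fewer
// than minValidity seconds of validity remain. timeSkew is the client-minus-
// server clock offset the adapter estimates at login (0 here).
function isTokenExpired(token, minValidity, nowSec, timeSkew = 0) {
  const { exp } = decodeClaims(token);
  return exp - Math.ceil(nowSec) + timeSkew - minValidity < 0;
}

// Minimal model (assumed names, not keycloak-js) of the adapter state that
// matters in the thread. `getSessionStatus` stands in for the login-status
// iframe and answers 'unchanged' or 'changed'; `login` stands in for
// kc.login(), the redirect the app sees as a page reload.
class AdapterModel {
  constructor({ onLoad, checkLoginIframe = true, getSessionStatus, login, nowSec }) {
    this.loginRequired = onLoad === 'login-required';
    this.checkLoginIframe = checkLoginIframe;
    this.getSessionStatus = getSessionStatus;
    this.login = login;
    this.nowSec = nowSec;
    this.token = null;
    this.logins = 0;        // kc.login() calls, i.e. redirects
    this.refreshes = 0;     // successful token refreshes
    this.logoutEvents = 0;  // onAuthLogout callbacks
  }

  // init(): where the two onLoad modes differ for a browser with no SSO
  // session. login-required redirects to the login page; check-sso hands
  // control back to the app, unauthenticated.
  init(hasSession, token) {
    if (hasSession) { this.token = token; return 'authenticated'; }
    if (this.loginRequired) { this.logins++; this.login(); return 'redirect-to-login'; }
    return 'unauthenticated';
  }

  // One poll of the login-status iframe. A 'changed' answer clears the token
  // and fires onAuthLogout; under login-required the adapter also calls
  // login() immediately, so a misbehaving iframe loops only in that mode.
  pollSessionStatus() {
    if (!this.checkLoginIframe || !this.token) return 'skipped';
    const status = this.getSessionStatus();
    if (status === 'changed') {
      this.token = null;
      this.logoutEvents++;
      if (this.loginRequired) { this.logins++; this.login(); }
    }
    return status;
  }

  // updateToken(minValidity): call `refresh()` only when the token is about to expire.
  updateToken(minValidity, refresh) {
    if (!this.token) throw new Error('not authenticated');
    if (!isTokenExpired(this.token, minValidity, this.nowSec())) return false;
    this.token = refresh();
    this.refreshes++;
    return true;
  }
}

// Reproduces the symptom: an iframe that keeps answering 'changed' (its cookie
// check fails, one common cause being third-party cookies blocked for the
// Keycloak origin) triggers a redirect on every poll under login-required,
// a single silent token drop under check-sso, and nothing once the check is off.
function simulate(onLoad, checkLoginIframe, polls) {
  let now = 1000000;
  const freshToken = () => makeToken({ iat: now, exp: now + 300 });
  const kc = new AdapterModel({
    onLoad, checkLoginIframe,
    getSessionStatus: () => 'changed',
    login: () => {},
    nowSec: () => now,
  });
  kc.init(true, freshToken());
  let seenLogins = kc.logins;
  for (let i = 0; i < polls; i++) {
    now += 5;                           // default checkLoginIframeInterval
    kc.pollSessionStatus();
    if (kc.logins !== seenLogins) {     // redirect happened: page reloads, init runs again
      seenLogins = kc.logins;
      kc.init(true, freshToken());
    }
  }
  return { logins: kc.logins, logouts: kc.logoutEvents };
}
```

Turning the iframe check off is a workaround rather than a fix: the app then learns of an SSO logout only when a later refresh fails, so keep refresh errors routed to a logout path. Before disabling it, check whether the browser is blocking third-party cookies for the Keycloak origin or the dev server origin differs from the one registered for the client. Independently of the loop, call updateToken before each API request (or on a timer) rather than once at start-up; a single call refreshes at most once.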
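Added example for the "Mobile Game Authentication Flow" thread (the custom backend Bill says has to sit between the mobile app and Keycloak) and, in passing, for John's bearer-versus-cookie question in the "Performance Testing keycloak" thread. This is my own code, not Keycloak's and not code from Mat or Bill; the base URL, realm, identity-provider alias, Facebook app id, admin credentials and the fake transport used in the test are assumptions. It shows the three things such a backend has to get right: obtain a bearer token for the admin REST API (the admin console's cookie is not accepted there), verify the social access token with the provider and check it was issued for our app before trusting the user id it carries, and map that provider id to a Keycloak user with a federated-identity link, creating the user through the admin API when none exists. Issuing the app a session after that is outside this example, since Keycloak offers no REST path for it.

```javascript
'use strict';

// Assumed deployment values (constructed for this example).
const KEYCLOAK_BASE = 'https://sso.example.com/auth';
const REALM = 'game';
const IDP_ALIAS = 'facebook';        // alias of the identity provider configured in the realm
const OUR_FB_APP_ID = '1234567890';  // the Facebook app our mobile clients log in through

// Every HTTP call goes through an injected `http(req) -> Promise<{status, headers, body}>`
// so the flow can be driven by a fake transport offline. This adapter wraps global fetch().
async function fetchTransport(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  const text = await res.text();
  let body = null;
  try { body = text ? JSON.parse(text) : null; } catch { body = text; }
  return { status: res.status, headers: Object.fromEntries(res.headers), body };
}

// Step 1: the admin REST API needs "Authorization: Bearer <token>" on every
// request. Here the token comes from the master realm token endpoint through
// the built-in admin-cli client (password grant).
async function getAdminToken(http, username, password) {
  const res = await http({
    method: 'POST',
    url: `${KEYCLOAK_BASE}/realms/master/protocol/openid-connect/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'password', client_id: 'admin-cli', username, password }).toString(),
  });
  if (res.status !== 200 || !res.body || !res.body.access_token) {
    throw new Error(`token endpoint answered ${res.status}`);
  }
  return res.body.access_token;
}

// Step 2: never trust a user id the app sends; ask the provider. Facebook's
// debug_token reports which app the token was minted for, and it must be OUR
// app: a valid token minted for someone else's app would otherwise let that
// app's operator log in to ours as any of its users.
async function verifyFacebookToken(http, inputToken, appAccessToken, nowSec = Date.now() / 1000) {
  const q = new URLSearchParams({ input_token: inputToken, access_token: appAccessToken });
  const res = await http({ method: 'GET', url: `https://graph.facebook.com/debug_token?${q}`, headers: {} });
  const d = res.status === 200 && res.body ? res.body.data : null;
  if (!d || d.is_valid !== true) throw new Error('provider rejected the token');
  if (String(d.app_id) !== OUR_FB_APP_ID) throw new Error('token was issued for a different app');
  if (typeof d.expires_at === 'number' && d.expires_at > 0 && d.expires_at < nowSec) throw new Error('token expired');
  return String(d.user_id);
}

// Step 3: map the verified provider id to a Keycloak user, creating one with a
// federated-identity link when none exists. The username is derived from the
// provider id so the lookup is deterministic; an unlinked account with that
// name is refused rather than silently taken over.
async function findOrCreateLinkedUser(http, adminToken, providerUserId) {
  const users = `${KEYCLOAK_BASE}/admin/realms/${REALM}/users`;
  const headers = { Authorization: `Bearer ${adminToken}`, 'Content-Type': 'application/json' };
  const username = `${IDP_ALIAS}-${providerUserId}`;

  // GET /users?username= is a search, not an exact match: filter ourselves.
  const found = await http({ method: 'GET', url: `${users}?username=${encodeURIComponent(username)}`, headers });
  if (found.status !== 200) throw new Error(`user search answered ${found.status}`);
  const existing = (found.body || []).find((u) => u.username === username);
  if (existing) {
    const links = await http({ method: 'GET', url: `${users}/${existing.id}/federated-identity`, headers });
    const linked = (links.body || []).some(
      (l) => l.identityProvider === IDP_ALIAS && String(l.userId) === providerUserId);
    if (!linked) throw new Error('username exists but is not linked to this provider identity');
    return { userId: existing.id, created: false };
  }

  const created = await http({
    method: 'POST', url: users, headers,
    body: JSON.stringify({
      username, enabled: true,
      federatedIdentities: [{ identityProvider: IDP_ALIAS, userId: providerUserId, userName: providerUserId }],
    }),
  });
  if (created.status !== 201) throw new Error(`user creation answered ${created.status}`);
  const location = created.headers.location || created.headers.Location || '';
  return { userId: location.slice(location.lastIndexOf('/') + 1), created: true };
}

// What the backend between the mobile app and Keycloak does per login request.
async function loginWithFacebookToken(http, { fbToken, fbAppAccessToken, admin }) {
  const providerUserId = await verifyFacebookToken(http, fbToken, fbAppAccessToken);
  const adminToken = await getAdminToken(http, admin.username, admin.password);
  return findOrCreateLinkedUser(http, adminToken, providerUserId);
}
```

Run it against a real server by passing fetchTransport as `http`. Do not give this backend the master realm admin: a dedicated client with a service account holding only the realm-management manage-users role (and the client-credentials grant instead of the password grant shown) is the least privilege that still lets it search and create users. The app_id check is the part most often skipped and the one an attacker needs you to skip.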