From known.michael at gmail.com Sun Jan 1 01:24:04 2017
From: known.michael at gmail.com (Known Michael)
Date: Sun, 1 Jan 2017 08:24:04 +0200
Subject: [keycloak-user] Is it possible to add the regular user via CLI?

Hey,

I found that it is possible to add the admin user via CLI:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/initialization.html

Do you know if it is possible to add the regular user via CLI?


From sthorger at redhat.com Mon Jan 2 03:15:23 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 09:15:23 +0100
Subject: [keycloak-user] Brute force detector extension

You can implement a custom provider for the brute force protection that would do what you want. It wouldn't be configurable through the admin console though. I don't see why we couldn't add it as an option to the built-in provider though, so if you are happy to send a PR for it including tests we could accept it into 3.x.

On 21 December 2016 at 11:24, Eriksson Fabian wrote:
> Hi all!
>
> We would like to have the ability to configure the brute force detector so it can disable a user account after X failed attempts completely and not only lock him/her out for a period of time (setting the lockout-time to a few years is not enough). In the end we would like the admins of KeyCloak to be able to set a timed lockout-period or set a permanent one for different realms. I guess this would also require the detector to reset the failed-login-attempts count on a successful login.
>
> Does this sound interesting and could this then be something that we could contribute with to KeyCloak?
>
> Or is there a way to substitute the already existing brute force detector?
>
> Thanks in advance!
> Fabian Eriksson
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From sthorger at redhat.com Mon Jan 2 03:20:59 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 09:20:59 +0100
Subject: [keycloak-user] Are there any clients(retail) are using keycloak as their sso solution in production?
References: <1482245503.13800.11.camel@redhat.com>

Sorry for the late reply, but I've been away on Christmas holiday.

I've sent a mail to look into why there's no evaluation option there. In the meantime, do you have access to download from
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=core.service.rhsso ?

On 21 December 2016 at 16:09, Raghu Laghuvaram wrote:
> Stian Thorgersen,
> Thanks for your response and information.
> You said we can evaluate the RH-SSO, but when I go to https://access.redhat.com/downloads/ I don't see an option as "Start Evaluation" for Red Hat Single Sign-On, am I looking at the wrong place?
>
> On Wed, Dec 21, 2016 at 12:55 AM, Stian Thorgersen wrote:
>
>> You can evaluate RH-SSO without contacting sales. It's available at http://access.redhat.com/. Sales may be able to give you some customer references if you ask them.
>>
>> FYI RH-SSO 7.0.0.GA is based on Keycloak 1.9.8.Final, while RH-SSO 7.1.0.GA will be based on Keycloak 2.5.z.Final.
>>
>> On 20 December 2016 at 19:16, Raghu Laghuvaram <deepu.laghuvaram at gmail.com> wrote:
>>
>>> Josh Cain,
>>> Thanks for your response. If possible, would you be able to let us know if there are any clients (retail) using RH-SSO in production other than Red Hat? And coming to RH-SSO, I don't see an option for evaluating it, I think I need to contact sales even for that. I will talk to my leadership and proceed further.
>>>
>>> Thanks,
>>> Deep.
>>>
>>> On Tue, Dec 20, 2016 at 9:51 AM, Josh Cain wrote:
>>>
>>> > Hi Raghu,
>>> >
>>> > I can say that Red Hat (access.redhat.com, developers.redhat.com, etc.) uses RH-SSO (the enterprise bits for Keycloak), and it has done very well overall as a solution.
>>> >
>>> > If you're wanting to know more about enterprise level support, I'd contact sales and strongly consider RH-SSO over Keycloak.
>>> >
>>> > --
>>> > Josh Cain | Software Applications Engineer
>>> > Identity and Access Management
>>> > Red Hat
>>> > +1 256-452-0150
>>> >
>>> > On Mon, 2016-12-19 at 15:17 -0500, Raghu Laghuvaram wrote:
>>> > > We are evaluating Keycloak as SSO solution for our retail application and we would like to know if there are any clients using Keycloak SSO solution in their production? It would give us a lot of confidence if we know that someone is already using it in their production.
>>> > >
>>> > > Thanks,
>>> > > Deep


From sthorger at redhat.com Mon Jan 2 03:24:27 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 09:24:27 +0100
Subject: [keycloak-user] Technical Guidance
In-Reply-To: <3FB077AE-82AA-446F-983D-91F7F4D34370@evisions.com>
References: <1CDCBEFB-CD05-4537-AB7E-11CC3F97D9BC@evisions.com> <3FB077AE-82AA-446F-983D-91F7F4D34370@evisions.com>

What about using the Ping provider as the single identity brokering provider in Keycloak and also setting it as the default so the login screen on Keycloak won't be shown?
On 22 December 2016 at 14:02, Dana Danet wrote:
> I was concerned you might suggest that :). While a valid option, it unfortunately would require me to add hundreds of custom InCommon providers for our customers to handle the user property mappings. Not to mention many customer build systems.
>
> Our company has an in-company customer onboarding and integrations team which has chosen Ping to handle this part of the handshake and would like to hand off to Keycloak a SAML 2 token. Most of them do not like the idea of exposing internal requests into their systems and would prefer to have the login start internally. Additionally I would need to brand every login page within Keycloak.
>
> Thoughts?
>
> On Dec 21, 2016, at 10:32 PM, Stian Thorgersen wrote:
>
> Why not just register the customer IdPs directly with Keycloak using identity brokering?
>
> On 22 December 2016 at 02:27, Dana Danet wrote:
>
>> Thank you for responding and I apologize if my question was misleading, let me try again.
>>
>> My requirement is to support an SSO IdM/IdP for customers without their own system, ideally in a multi-tenant way, and to support SSO for customers that have on-premise SSO implementations, mostly InCommon.
>>
>> We have decided to implement Ping as an SP to handshake with the on-premise (InCommon) customers, since these integration points could be more than just InCommon. My thought is that Ping will accept the authN, translate the properties to a grant (SAML2) and forward to Keycloak to create the JWT. I attached an image reflecting this below.
>>
>> My question is how would I register within Keycloak that AuthN would be handled by Ping, and to create a JWT.
>>
>> On Dec 15, 2016, at 11:41 PM, Stian Thorgersen wrote:
>>
>> Not quite sure what you're asking here as there seems to be 3 IdPs? Customer IdP, Ping and Keycloak?
>>
>> On 14 December 2016 at 17:25, Dana Danet wrote:
>>
>>> I just recently introduced KC to a Spring Cloud micro-service environment as the IDM and OAuth manager of JWT tokens. Front end clients are implementing the javascript adapter and backend Spring Boot services are implemented with the Spring Security adapter (not boot adapter). Our Service Gateway (Zuul) simply passes the token to backend services.
>>>
>>> My question is regarding offloading AuthN and IDP to external systems and then brokering to Keycloak for JWT creation. Which would look something like (Customer on-premise AuthN) -> Ping -> Keycloak. Ping has been introduced purely as an SP to handle customers' implementations of Shibboleth and InCommon. Initially I was thinking that IDP - Ping SP mapping is all done via Ping and then a canonical SAML exchange to Keycloak.
>>>
>>> Is this possible? I would appreciate some guidance here.
>>>
>>> -dana


From gomes at memsql.com Mon Jan 2 04:35:50 2017
From: gomes at memsql.com (David Gomes)
Date: Mon, 2 Jan 2017 01:35:50 -0800
Subject: [keycloak-user] Running into an issue with login.ftl in a custom-made theme

Apparently, the issue was that after one edits standalone.xml, the new settings are only activated after restarting Keycloak (in my case restarting the jboss keycloak container). This is necessary because in order to edit templates and see changes one must disable cacheThemes and cacheTemplates in Keycloak's standalone.xml.

Issue resolved!

On December 29, 2016 at 9:01:54 PM, David Gomes (gomes at memsql.com) wrote:

Good day,

I am writing my own Keycloak theme and I am using the Sunrise example theme as a starting point.
It seems, however, that when I create a sunrise/login/login.ftl file, such as the one in the base theme, this file doesn't actually get used for rendering the login form.

I tried to edit the base theme instead and edit its login/login.ftl. It seems that editing this file has no effect at all. I wrote this in the file and the login page for the base theme remained exactly the same.

<#import "template.ftl" as layout>
<@layout.registrationLayout displayInfo=social.displayInfo; section>

Editing CSS, template.ftl and other things works, but editing the theme/login/login.ftl has no effect at all.

The relevant settings for my Realm are the following:

"registrationAllowed": true,
"registrationEmailAsUsername": true,
"rememberMe": true,
"requiredCredentials": [ "password" ]

In the Keycloak administration console, editing the current theme works perfectly fine as well, but I'm not able to edit the actual login form in any of the example themes. I tried other files such as register.ftl and editing this one works perfectly fine.

David Gomes
MemSQL


From sthorger at redhat.com Mon Jan 2 04:39:07 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 10:39:07 +0100
Subject: [keycloak-user] Is it possible to add the regular user via CLI?

Yes, with the new admin cli:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/admin-cli.html

On 1 January 2017 at 07:24, Known Michael wrote:
> Hey,
>
> I found that it is possible to add the admin user via CLI:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/initialization.html
>
> Do you know if it is possible to add the regular user via CLI?


From sthorger at redhat.com Mon Jan 2 04:42:32 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 10:42:32 +0100
Subject: [keycloak-user] Are there any clients(retail) are using keycloak as their sso solution in production?
In-Reply-To: <1482944317.1199761.831413089.5EFC0D8F@webmail.messagingengine.com>
References: <1482944317.1199761.831413089.5EFC0D8F@webmail.messagingengine.com>

It should not be that hard and we should be offering evaluations and developer licenses. I'll look into why it's not available at the moment and get it resolved asap.

I'm also surprised that you are referred to a reseller and I would have assumed you could get RH-SSO directly from us. I'll look into this as well.

On 28 December 2016 at 17:58, Aikeaguinea wrote:
> We have also been having difficulty getting an evaluation version of RH-SSO without contacting sales. Not only is there not a "Start Evaluation" link next to Red Hat SSO, but if I log in with a Red Hat account and try the "Download Latest" option on the pulldown I get a "You do not have access to the requested software" response.
>
> This is particularly annoying because if you contact Red Hat sales they then refer you to a reseller, and you still can't get a download before interacting with the third party. Honestly, based on our interaction so far it's as if they don't want to sell the product.
>
>
> On Wed, Dec 21, 2016 at 10:09 AM, Raghu Laghuvaram wrote:
> Stian Thorgersen,
> Thanks for your response and information.
> You said we can evaluate the RH-SSO, but when I go to https://access.redhat.com/downloads/ I don't see an option as "Start Evaluation" for Red Hat Single Sign-On, am I looking at the wrong place?
>
> --
> http://www.fastmail.com - Does exactly what it says on the tin


From psilva at redhat.com Mon Jan 2 06:36:00 2017
From: psilva at redhat.com (Pedro Igor)
Date: Mon, 02 Jan 2017 09:36:00 -0200
Subject: [keycloak-user] is resource owner username or userid

Hello,

We store the user id. Please keep in mind that username may change. In the token you can use the "sub" claim to obtain the user id.

On 12/29/2016 4:58:33 AM, uğur kolip wrote:

Hi,

I use keycloak 2.4.0.Final with spring boot adapter, and authz-client - authz-admin.
When I set owner, I set (getAccessToken().getPreferredUsername()) (my user name, admin).
But when I try to get resource owner ($evaluation.getPermission().getResource().getOwner()), it returns userid not username.
Is it wrong? Or do you do this purposely? Is username unique? Why do we use username?
Thank you for helping.


From sthorger at redhat.com Mon Jan 2 07:30:59 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 13:30:59 +0100
Subject: [keycloak-user] Session cookie settings overwritten by undertow keycloak adapter
In-Reply-To: <5D6D47A3F675BA46823D762152C022BE48B4739B@spplapp03344.pl.ing-ad>
References: <5D6D47A3F675BA46823D762152C022BE48B4739B@spplapp03344.pl.ing-ad>

Seems broken IMO. Can you create a JIRA?

On 22 December 2016 at 13:10, Goworek Krzysztof INNE <Krzysztof.Goworek at ingbank.pl> wrote:
> Hello all,
> I am developing a web application using Keycloak on JBoss EAP7 (Wildfly 10, Undertow). We have migrated recently from EAP6.4 and now I've got several issues to solve.
> One of them is session cookie configuration in web.xml which used to work, but now is completely ignored.
> After further investigation it looks like the keycloak-undertow-adapter module is overwriting existing settings with an uninitialized configuration object (). All of this is done in the KeycloakServletExtension class (https://github.com/keycloak/keycloak/blob/master/adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/KeycloakServletExtension.java#L179), lines 177-179 on master.
>
> Can somebody tell me whether this is a bug or maybe this was done on purpose? Can I in any way reconfigure these settings somehow later?
> From the code it does not seem to read any configuration values, it just sets the cookie path based on the context path and leaves the rest of the fields uninitialized. I would expect it to set the path and copy the rest from the 'servletSessionConfig' field.
> Am I missing something?
>
> Krzysztof


From sthorger at redhat.com Mon Jan 2 07:36:16 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 13:36:16 +0100
Subject: [keycloak-user] Create access to secured data for user
In-Reply-To: <1594f389b78-3070-29883@webprd-a54.mail.aol.com>
References: <1594f389b78-3070-29883@webprd-a54.mail.aol.com>

It's not really something that we support well. I'd probably just generate tokens in the app directly as this is not really a use-case an IdP solves. An SSO server like Keycloak assumes there's a user that authenticates.

You could potentially use a service account to create some limited access tokens and include the access token directly in the link. The link would only be valid for a few minutes though.

We have considered adding an option where you can generate tokens with a longer expiration than the realm default, but that's not something we're planning on doing immediately and it also has to be done carefully considering the potential security implications of it.

On 30 December 2016 at 11:13, wrote:
> Hi.
> My name is Adam and I am new to keycloak.
>
> I want to create a link/access point where the user doesn't input his password or send his secret in an angular 2 application + rest client secured by keycloak. This access is for a specified part of data but temporary, not single access.
>
> What possibilities does keycloak give to resolve this feature?
>
> I think about generating the token in another application on the server and sending it to the user by email. This way I can use the client secret.
> How to generate a valid token accepted in keycloak without connection with it? But is this a good approach? If it is, what can I use to create this in the best way?
>
> Can I send a request to keycloak for this kind of token for a specified client for the requested user?
>
> Adam Michalski


From sthorger at redhat.com Mon Jan 2 07:37:34 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 13:37:34 +0100
Subject: [keycloak-user] Update passwords with old hash algorithm
In-Reply-To: <2a1d7825-e969-6e83-0f0f-f448121554b5@zyres.com>
References: <2a1d7825-e969-6e83-0f0f-f448121554b5@zyres.com>

Just change the default password hashing algorithm in the password policy and Keycloak will automatically switch users to the new algorithm when they authenticate or change the password.

On 23 December 2016 at 11:53, Danny Trunk wrote:
> Hello everybody,
>
> I've already implemented a custom Password Hash SPI which encodes and verifies encoded passwords with an old hash algorithm.
> Now I would like to update those passwords with a new hash algorithm as I have access to the raw password in the Password Hash SPI (Keyword: self-healing process).
>
> Which possibilities do I have?
>
> Best regards
> Danny.


From psilva at redhat.com Mon Jan 2 08:17:59 2017
From: psilva at redhat.com (Pedro Igor)
Date: Mon, 02 Jan 2017 11:17:59 -0200
Subject: [keycloak-user] Fwd: regarding custom attributes and mapping resources to users
References: <096db3e6-5cff-4c5c-b018-53666cd6ec80@getmailbird.com>
Message-ID: <19ee671e-47ea-4c8e-9d3c-55250757d1e9@getmailbird.com>

Yes, you can use the Admin REST API [1].

[1] https://keycloak.gitbooks.io/server-developer-guide/content/topics/admin-rest-api.html

On 12/30/2016 2:04:03 PM, Avinash Kundaliya wrote:

Just thinking about the following scenario: Is it anyhow possible for a user to change his custom attributes without extending the Account Management Page theme? Maybe via the API? I hope not, but want to confirm as I couldn't find where the custom attributes were defined in the Keycloak source.

Regards,
Avinash

On 12/22/16 17:18, Pedro Igor wrote:

Pedro Igor: Hello, answers inline.

On 12/22/2016 7:21:13 AM, Avinash Kundaliya [mailto:avinash at avinash.com.np] wrote:

Hi, since I got no response to my previous email and I can see some action happening in the mailing list, I will try to forward my question and explain it again.

* Can a user update their own custom attributes? I want to use custom attributes to store data that would help in creating policies for their permissions.
From what I could understand from previous discussions, it looks like users cannot, but it's not confirmed or mentioned anywhere.

Pedro Igor: In general, only admins via the Administration Console. There is an Account Management Page intended for user self-service; you can probably extend themes and provide the attributes you want to update there. See https://github.com/keycloak/keycloak/tree/master/examples/themes.

* Related to the question above, is there a defined structure/pattern to define resource ownership in keycloak, e.g. user-id "xx" is a manager of resource-id "yy", user-id "aa" is a viewer of resource-id "bb" and so on and so forth.

Pedro Igor: Resources always have an owner. This is different than the role of a user for a particular resource. By default, resources belong to the resource server itself. But when creating new resources via the Protection API you can set the owner to be a user.

From my question last time: What are the best practices to map roles to specific resources? For example if I have a role called shop_owner, how do I map a user with that role to a specific shop (for example)? Is this something that keycloak has defined structures for? How can I achieve such a structure with keycloak and with/without using the keycloak authorization/resource services?

Pedro Igor: If the user is the owner of a shop, you probably want to create the resource setting the user as the owner. After that, you need to associate permissions to your resources. For instance, you can use a JS Policy to grant access to the resource based on the owner of a resource. As well, associate other permissions based on other types of policies. If you want an example about how to enforce permissions to a resource based on the owner, you can check the Photoz example application. There we demonstrate how to use Drools for that. But you can also use a JS policy.

Some help or push in the right direction would be helpful.

Regards,
Avinash

-------- Forwarded Message --------
Subject: regarding custom attributes and mapping resources to users
Date: Tue, 20 Dec 2016 16:14:03 +0545
From: Avinash Kundaliya
To: keycloak-user at lists.jboss.org

Hello Community,

I am fairly new to using keycloak and still getting immersed into the authentication and authorization jargon. I have some basic queries that I am curious about.

* Regarding the custom attributes for each user (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/attributes.html). Is this something that a user can edit for themselves or is it something for an administrator to manage custom content for the user? Basically, as an administrator can I put information that should be hidden from the user as a custom attribute?

* My second question is more about the architecture of applications with authentication and authorization. What are the best practices to map roles to specific resources? For example if I have a role called shop_owner, how do I map a user with that role to a specific shop (for example)? Is this something that keycloak has defined structures for? How can I achieve such a structure with keycloak and with/without using the keycloak authorization/resource services?

Looking forward to some constructive discussions and some answers to the basic issues I have.

Regards,
Avinash


From Krzysztof.Goworek at ingbank.pl Mon Jan 2 08:51:30 2017
From: Krzysztof.Goworek at ingbank.pl (Goworek Krzysztof INNE)
Date: Mon, 2 Jan 2017 13:51:30 +0000
Subject: [keycloak-user] RE: Session cookie settings overwritten by undertow keycloak adapter
References: <5D6D47A3F675BA46823D762152C022BE48B4739B@spplapp03344.pl.ing-ad>
Message-ID: <5D6D47A3F675BA46823D762152C022BE48B47846@spplapp03344.pl.ing-ad>

Created https://issues.jboss.org/browse/KEYCLOAK-4141

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 2 January 2017 13:31
To: Goworek Krzysztof INNE
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Session cookie settings overwritten by undertow keycloak adapter

Seems broken IMO. Can you create a JIRA?


From sthorger at redhat.com Mon Jan 2 09:05:23 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 15:05:23 +0100
Subject: [keycloak-user] Flow supported by keycloak for openId connect and jboss
In-Reply-To: <3emgbpoa0tbq14h7kbq2u2kb.1482943436594@email.android.com>
References: <3emgbpoa0tbq14h7kbq2u2kb.1482943436594@email.android.com>

By JBoss do you mean WildFly and/or JBoss EAP? If so, use our adapters and don't worry about the protocol details.

On 28 December 2016 at 17:43, Amaeztu wrote:
> Hello,
>
> The keycloak software fully passes the openid connect certification.
>
> http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html?m=1
>
> The flow to use in your application is up to you.
>
> Sent from my Sony Xperia phone
>
> ---- Pulkit Gupta wrote ----
>
> >Hi Team,
> >
> >I have a basic question which I searched through the documentation but was not able to find.
> >Can you please let me know which flow is supported by keycloak for OpenId on the jboss platform.
> >
> >I am exploring openID connect as a way to secure my Java applications using keycloak.
> >These applications are hosted on jboss.
> > > >-- > >Thanks, > >Pulkit > >AMS > >_______________________________________________ > >keycloak-user mailing list > >keycloak-user at lists.jboss.org > >https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Jan 2 09:16:28 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 2 Jan 2017 15:16:28 +0100 Subject: [keycloak-user] Log out server sessions when using bearer authentication In-Reply-To: References: Message-ID: There's no standard way of doing backchannel logout with OAuth2. There's a draft spec for OpenID Connect that we may implement in the future. Keycloak has it's own proprietary backchannel logout, but that's only for applications that do the login. In your case as it's a JS app that obtains the tokens there's no backchannel logout involved and instead it relies on the session cookie + access token timeout. Assuming your JEE app is a rest service it should create a session that allows invoking without a access token from the JS app. That way it won't be possible for the JS app to invoke it once the session is logged out as it won't be able to obtain new access tokens. On 29 December 2016 at 11:27, Dan ?sterberg wrote: > Hi, > > How can we make single sign out work when passing bearer tokens to a > server guarded by a ?traditional? session based Oauth2 client / adapter? > > Lets say we use bearer authentication via the Javascript adapter, and make > REST requests to a stateless (no session) server. Lets further say that > during some later request, a server session will be created ? either > intentionally to store state, or unintentionally e.g. by some shared code > (since sessions are auto-created in Java EE). 
> Now single sign out won't
> work, because Keycloak is neither aware of the server session nor the
> OAuth2 client that has an admin URL.
>
> One solution could be to detect the creation of a session, and internally
> via an extended REST API tell the Keycloak server to create a session also
> for the client with admin URL (connecting it to the created session ID).
> But it just sounds as if this should be covered out-of-the-box, so maybe
> I'm just missing or misunderstanding something...
>
> ~Dan

From sthorger at redhat.com Mon Jan 2 09:20:53 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 15:20:53 +0100
Subject: [keycloak-user] Passing Data to Registration Fields
In-Reply-To:
References:
Message-ID:

No, afraid that's not possible.

On 27 December 2016 at 19:38, Raghu Laghuvaram wrote:
> I am trying to use the direct registration link and I want to pass some of the
> fields from my application. Is it possible to pass fields such as First
> Name, Last Name and other custom fields if needed?
>
> Thanks,
> Deepu

From sthorger at redhat.com Mon Jan 2 09:24:47 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 15:24:47 +0100
Subject: [keycloak-user] User federation from multiple LDAP servers
In-Reply-To: <82cbab9f-38b7-73e3-7232-090936fcc304@scandiweb.com>
References: <82cbab9f-38b7-73e3-7232-090936fcc304@scandiweb.com>
Message-ID:

I believe you should have a single provider and in the Connection URL field add multiple URLs with a space between. For example "ldap://localhost:10390 ldap://localhost:10389"

On 22 December 2016 at 17:32, Georgijs Radovs wrote:
> Hello everyone!
>
> Is it possible to set up User Federation from multiple replicating LDAP
> servers?
>
> For example:
>
> We have 2 FreeIPA servers, which are replicating between each other.
>
> And, we have 2 Keycloak servers in standalone-ha mode, using S3_PING
> session failover.
>
> How to add the second FreeIPA server to User Federation?
>
> We've tried to add the second LDAP server in User Federation and set a lower
> priority for it, but when user account sync happens, the Keycloak server
> shows that the user account from FreeIPA server 2 is already linked to
> FreeIPA server 1.
>
> --

From sthorger at redhat.com Mon Jan 2 09:26:42 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 15:26:42 +0100
Subject: [keycloak-user] Best way to add custom attributes to the user session?
In-Reply-To:
References:
Message-ID:

I think a custom authenticator would be the way to do it, as you probably want to add to the user session when the user is authenticating and not when tokens are refreshed.

On 23 December 2016 at 11:24, Edgar Vonk - Info.nl wrote:
> Hi,
>
> We would like to add custom attributes (using custom logic including
> custom database queries) to the user session in Keycloak on authentication.
> What is the best way to do this? We use an LDAP/AD user federation provider.
>
> Should we write a custom user attribute mapper and add it to our user
> federation provider? I guess we could also write a custom token mapper and
> misuse it a little in that it will only add data to the user session and
> not to the token?
>
> Previously we had a custom token mapper that added this custom data to the
> token; however, it is becoming too much data and we have reached the max
> size limit (JWT tokens are transported as HTTP headers and those have a max
> size of 8kb).
> So now we are thinking of adding this data to the user
> session in Keycloak and when we need it later on get it from Keycloak
> using Keycloak's REST API.
>
> cheers

From sthorger at redhat.com Mon Jan 2 09:30:12 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 15:30:12 +0100
Subject: [keycloak-user] user group management from servlet app
In-Reply-To: <58608efb.c793620a.24ff.ccd5@mx.google.com>
References: <58608efb.c793620a.24ff.ccd5@mx.google.com>
Message-ID:

You can use a group membership mapper on the client that will add the group details to the token. After that you can obtain it from KeycloakSecurityContext.getToken().getOtherClaims().get("claimName"). You can obviously only view and not manage groups from the token. To manage groups you'll need to use the admin REST API.

On 26 December 2016 at 04:31, wrote:
> Hi all,
>
> Is there a way to access/manage groups of a user from the
> KeycloakSecurityContext obtained in a servlet?
>
> Thank you,
> Sebastien

From sthorger at redhat.com Mon Jan 2 09:31:03 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 15:31:03 +0100
Subject: [keycloak-user] Can I create the bearer token by administrator on behalf of other users?
In-Reply-To:
References:
Message-ID:

Not quite, but you can impersonate a user through the admin console, which will log in the admin as the user you want to impersonate.

On 26 December 2016 at 18:59, Michael Furman wrote:
> Hi,
> I need to create the bearer token by admin on behalf of other users.
> It means:
>
> 1. I have admin user and password.
> 2. I have the user name (e.g. bob).
> 3.
> I want to create the bearer token and to access the bearer client.
> 4. When I access the bearer client with the bearer token it
> authenticates the user (e.g. bob).
> How can I do it?
> Thank you for your help,
> Michael

From sthorger at redhat.com Mon Jan 2 09:32:59 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 15:32:59 +0100
Subject: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue
In-Reply-To:
References:
Message-ID:

Strange. If you can provide steps to reproduce it we can look into it. Ideally a testcase within our existing testsuite.

On 27 December 2016 at 15:53, Haim Vana wrote:
> Hi,
>
> We found an issue with the COMPOSITE_ROLE DB table; the issue might have
> occurred when creating multiple realms in parallel.
>
> We noticed that the create realm API fails on timeout and the DB showed locks on
> table COMPOSITE_ROLE.
> Further investigation revealed that the COMPOSITE_ROLE table contains a
> lot of duplicate rows; instead of about 4000 rows there were over a million
> rows.
> Deleting the duplicate rows solved the issue.
>
> Any idea what might have caused the duplicated rows? Or how to prevent it?
>
> Also we have about 4000 rows in the COMPOSITE_ROLE table, does it make sense
> for about 160 realms? (maybe we need to do some cleanup)
>
> Thanks,
> Haim.
> The information contained in this message is proprietary to the sender,
> protected from disclosure, and may be privileged. The information is
> intended to be conveyed only to the designated recipient(s) of the message.
> If the reader of this message is not the intended recipient, you are hereby
> notified that any dissemination, use, distribution or copying of this
> communication is strictly prohibited and may be unlawful.
> If you have
> received this communication in error, please notify us immediately by
> replying to the message and deleting it from your computer. Thank you.

From sthorger at redhat.com Mon Jan 2 09:38:17 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 15:38:17 +0100
Subject: [keycloak-user] Some questions about user authentication with external IDP
In-Reply-To: <7F411399-9C99-4727-86DC-9BA812B38867@carbonite.com>
References: <7F411399-9C99-4727-86DC-9BA812B38867@carbonite.com>
Message-ID:

We've been wanting to add something along those lines out of the box, but haven't had the time to work on it. We didn't consider the addition of asking users to create an account if the username was not there, but that would be a nice option. We were also thinking about doing the redirect to the IdP based on email domain rather than a list of usernames, i.e. all @mycorp.com gets redirected to sso.mycorp.com. Both options would be nice though.

It's a fair bit of work though, as we need to have an option on a realm to have a "username first" option. Then it has impacts on the default authentication flows, as we may need different flows out of the box. You could consider contributing this, or you could develop your own custom authentication flow that does it for you exactly how you want it.

On 27 December 2016 at 21:05, Reed Lewis wrote:
> We are planning on using Keycloak to authenticate users in our
> environment. There will be multiple sources of user logins.
>
> 1. Local to Keycloak
>
> 2. Using a Federation provider to pull accounts from on a one time
> basis (The first time the user logs in they will authenticate using the p/w
> in the Federation server, and subsequent logins will occur entirely in
> Keycloak)
>
> 3. Using a third party IDP (Like Microsoft/ Google/ etc.)
> But the
> initial source of these accounts might be local in Keycloak.
>
> I of course can do #1, and know how to do #2. For #3 I have the
> external 3rd party IDP working.
>
> But what we would like to have is this:
>
> 1. A user goes to a form in which they enter the username only.
>
> 2. If the user is new, it asks them to create an account
>
> 3. If the user is new, but we know the login to be associated with a
> third party IDP, we go there, and link the account.
>
> 4. If the user is not new, and if they are linked to a third party
> IDP, it automatically loads that IDP page without having to pick that login.
>
> Here is the workflow we are thinking.
>
> An admin adds a list of accounts (either csv, or somehow else) into
> Keycloak, but it says that all these accounts need to be authenticated by
> some third party IDP. So when a user logs into Keycloak and enters their
> password, it automatically redirects the user to the 3rd party IDP and then
> associates the local Keycloak login with the IDP without having to do too
> much.
>
> Does this make sense?
>
> Reed Lewis
>
> Disclaimer
>
> The information contained in this communication from the sender is
> confidential. It is intended solely for use by the recipient and others
> authorized to receive it. If you are not the recipient, you are hereby
> notified that any disclosure, copying, distribution or taking action in
> relation of the contents of this information is strictly prohibited and may
> be unlawful.
>
> This email has been scanned for viruses and malware, and may have been
> automatically archived by Mimecast Ltd, an innovator in Software as a
> Service (SaaS) for business. Providing a safer and more useful place for
> your human generated data. Specializing in; Security, archiving and
> compliance. To find out more visit the Mimecast website.
From sthorger at redhat.com Mon Jan 2 09:39:10 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 15:39:10 +0100
Subject: [keycloak-user] can we use authorization with bearer-only ?
In-Reply-To: <8f57e4b3-32a1-4f19-bbe5-d3c3005146f5@getmailbird.com>
References: <8f57e4b3-32a1-4f19-bbe5-d3c3005146f5@getmailbird.com>
Message-ID:

Would it not make sense that a bearer-only client, aka a service, is able to use the authz services? Why does it need to be able to obtain tokens?

On 28 December 2016 at 02:19, Pedro Igor wrote:
> Hi,
>
> Your client can't be set as bearer-only on Keycloak Server. You can still
> use bearer-only on the adapter configuration though. Keycloak doesn't allow
> "bearer only" clients (when setting up your client on the server) to obtain
> tokens from the server. Try to change your client to "confidential" on the
> server and set bearer-only on your adapter configuration (keycloak.json).
>
> Regards.
> Pedro Igor
>
> On 12/26/2016 1:34:06 PM, Uğur Kolip wrote:
> can we use bearer-only with authorization?
> if it can be, how can we use it? are there any examples?
> when I try to use it with the photoz example, I get bad request (or 403, I am not
> sure, I changed a lot of things)
> Because I don't want redirect or store session, it can be used by mobile
> apps.
>
> Thank you for helping

From sthorger at redhat.com Mon Jan 2 09:40:57 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 2 Jan 2017 15:40:57 +0100
Subject: [keycloak-user] Setting up webapplication to accept both bearer and openid redirect login
In-Reply-To:
References:
Message-ID:

"autodetect-bearer-only" in keycloak.json should do the trick. See https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html

On 29 December 2016 at 17:11, David Delbecq wrote:
> I have a WildFly application where I need this behaviour:
>
> 1) If the user provides a token during the request and tries to access a secure area,
> use it (typically SOAP and REST requests)
> 2) If the user has no credentials to show, issue an interactive web login
>
> So far I managed to get either 1) or 2) on the application, depending on
> using the bearer-only access type or not. But I can't seem to find out how to
> have both behaviours. Below is a JSON export of my current realm config. I am
> currently doing this in WildFly:
>
> [WildFly subsystem configuration; the XML markup was lost in the archive and only the element values survive]
> Shipping
> ${authURL}
> true
> EXTERNAL
> shipping-soap
>
> true
>
> using this code to get a token from the WS client
>
> Keycloak keycloak =
>     Keycloak.getInstance(System.getProperty("keycloak.url"), "Shipping",
>                          username, password, "shipping-soap");
> customHeaders.put("Authorization", Arrays.asList("Bearer: "
>     + keycloak.tokenManager().getAccessTokenString()));
>
> but when I issue the WS request, I get a redirect to Keycloak (see below).
> I suspect I misunderstood some parts of the Keycloak configuration and its
> behaviour, but I am not sure what I did wrong.
> Can somebody explain to me how
> to integrate both webservice and webpages with a single client id?
>
> POST /shipping/service/1.0/shipping HTTP/1.1
> Content-Type: text/xml; charset=UTF-8
> Accept: */*
> Authorization: Bearer:
> eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZNjlCMm1a
> T2NuX0tnMTVEVC03MU5tUTNVN3NhdG1BLTJsc3BCM2VNRFNRIn0.
> eyJqdGkiOiI2ZGRmMjMxYy01YjY4LTQ4MDUtOWU4YS0zNWQ5YjQ2YzYwZDci
> LCJleHAiOjE0ODMwMjY0NzQsIm5iZiI6MCwiaWF0IjoxNDgzMDI2MTc0LCJp
> c3MiOiJodHRwOi8vbG9jYWxob3N0OjEzMDgwL2F1dGgvcmVhbG1zL1NoaXBw
> aW5nIiwiYXVkIjoic2hpcHBpbmctc29hcCIsInN1YiI6ImZiNjJlN2Y2LTIz
> MjAtNDc5YS04NTEwLWM4OTg0MzZiZmJlMSIsInR5cCI6IkJlYXJlciIsImF6
> cCI6InNoaXBwaW5nLXNvYXAiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3Rh
> dGUiOiJkMWFhMTE1OS00Y2JiLTRkMDItOTcxNC0zNGQwMWJjZjYwYWYiLCJh
> Y3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiJmZWZkODg3Ni1lZWUyLTRiOWYt
> OWNkZS1kZGZhNWZkZjAyNjEiLCJhbGxvd2VkLW9yaWdpbnMiOltdLCJyZWFs
> bV9hY2Nlc3MiOnsicm9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iXX0sInJl
> c291cmNlX2FjY2VzcyI6eyJzaGlwcGluZy1zb2FwIjp7InJvbGVzIjpbImF1
> dGhlbnRpY2F0ZWQiLCJST0xFX2F1dGhlbnRpY2F0ZWQiXX0sImFjY291bnQi
> Onsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19
> LCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibG9naW5AbHNwNCJ9.d_
> mRQaUIrxW0poRS3cxZt37IWoRusLKq5OG9!
> _zSd5YAjzQS1sRZgHEvK7yF1aQy_kqebrN4xT67QVYCwqMZzsjIYC0_
> QBGm6vddCgFXuPLADjVXZJ5UHwHig7aoLRWB511AvpFwCQQuTkYaWD7neGKh
> 4TWOqAkMqTvhzUZPD1GrxyzdBTqCQEKlWgkvBUousKoYd6x4Ua6ofbFgYi5H-
> 1GlSXCHVyqXv3zlDwujhtiZWoAWdoKgEDkQ_dV4SZFZFigGwwYwqKViXm0HIQMOT9Q
> wkN_Yjrhc5eeOgeOKr_YxQ_GkIjPuD4-5C-oM4tp8ikMC-kqsPmaXstlZTM3z5kA
> SOAPAction: ""
> User-Agent: Apache CXF 3.0.5
> Cache-Control: no-cache
> Pragma: no-cache
> Host: localhost:18080
> Connection: keep-alive
> Content-Length: 1784
>
> [SOAP envelope with a createShipments request body (xmlns:ns2="urn:trimbletl:eshipco:shipping:1_0") carrying test shipment data; the XML markup was lost in the archive and only element values survive]
> HTTP/1.1 302 Found
> Expires: 0
> Cache-Control: no-cache, no-store, must-revalidate
> X-Powered-By: Undertow/1
> Set-Cookie: JSESSIONID=9XhPxotKq3r_uuhaVAya8iavBVSyqQ9Ibf1h2Emu.ddelbecq-precision; path=/shipping
> Set-Cookie: OAuth_Token_Request_State=916/8084d5f9-fd05-4267-9d72-026acf016857; HttpOnly
> Server: WildFly/9
> Pragma: no-cache
> Location: http://localhost:13080/auth/realms/Shipping/protocol/openid-connect/auth?response_type=code&client_id=shipping-soap&redirect_uri=http%3A%2F%2Flocalhost%3A18080%2Fshipping%2Fservice%2F1.0%2Fshipping&state=916%2F8084d5f9-fd05-4267-9d72-026acf016857&login=true&scope=openid
> Date: Thu, 29 Dec 2016 15:43:16 GMT
> Connection: keep-alive
> Content-Length: 0
>
> {
>   "id" : "c3558938-fa2a-43c6-8de0-17d6ebbe9750",
>   "clientId" : "shipping-soap",
>   "description" : "Workbench, Adminbench and Administration",
>   "rootUrl" : "http://localhost:8080/",
>   "adminUrl" : "/shipping",
>   "baseUrl" : "/shipping",
>   "surrogateAuthRequired" : false,
>   "enabled" : true,
>   "clientAuthenticatorType" : "client-secret",
>   "secret" : "b556a2b8-bb1d-478e-97a0-14105556427f",
>   "defaultRoles" : [ "authenticated", "ROLE_authenticated" ],
>   "redirectUris" : [ "http://localhost:8080/shipping/*" ],
>   "webOrigins" : [ ],
>   "notBefore" : 0,
>   "bearerOnly" : false,
>   "consentRequired" : false,
>   "standardFlowEnabled" : true,
>   "implicitFlowEnabled" : false,
>   "directAccessGrantsEnabled" : true,
>   "serviceAccountsEnabled" : false,
>   "publicClient" : true,
>   "frontchannelLogout" : false,
>   "protocol" : "openid-connect",
>   "attributes" : {
>     "saml.assertion.signature" : "false",
>     "saml.force.post.binding" : "false",
>     "saml.multivalued.roles" : "false",
>     "saml.encrypt" : "false",
>     "saml_force_name_id_format" : "false",
>     "saml.client.signature" : "false",
>     "saml.authnstatement" : "false",
>     "saml.server.signature" : "false"
>   },
>   "fullScopeAllowed" : true,
>   "nodeReRegistrationTimeout" : -1,
>   "protocolMappers" : [ {
>     "id" : "b2eb4fed-68e3-4064-b0a8-f5926696a99f",
>     "name" : "username",
>     "protocol" : "openid-connect",
>     "protocolMapper" : "oidc-usermodel-property-mapper",
>     "consentRequired" : true,
>     "consentText" : "${username}",
>     "config" : {
>       "userinfo.token.claim" : "true",
>       "user.attribute" : "username",
>       "id.token.claim" : "true",
>       "access.token.claim" : "true",
>       "claim.name" : "preferred_username",
>       "jsonType.label" : "String"
>     }
>   }, {
>     "id" : "1b943ce9-b67b-4ce5-a5d8-3d795900555b",
>     "name" : "locale",
>     "protocol" : "openid-connect",
>     "protocolMapper" : "oidc-usermodel-attribute-mapper",
>     "consentRequired" : false,
>     "consentText" : "${locale}",
>     "config" : {
>       "userinfo.token.claim" : "true",
>       "user.attribute" : "locale",
>       "id.token.claim" : "true",
>       "access.token.claim" : "true",
>       "claim.name" : "locale",
>       "jsonType.label" : "String"
>     }
>   }, {
>     "id" : "f14bc53c-1d7b-480d-b2da-72b1e47e7f1e",
>     "name" : "email",
>     "protocol" : "openid-connect",
>     "protocolMapper" : "oidc-usermodel-property-mapper",
>     "consentRequired" : true,
>     "consentText" : "${email}",
>     "config" : {
>       "userinfo.token.claim" : "true",
>       "user.attribute" : "email",
>       "id.token.claim" : "true",
>       "access.token.claim" : "true",
>       "claim.name" : "email",
>       "jsonType.label" : "String"
>     }
>   }, {
>     "id" : "5429c06f-8b9b-4b33-bbb3-015117922910",
>     "name" : "role list",
>     "protocol" : "saml",
>     "protocolMapper" : "saml-role-list-mapper",
>     "consentRequired" : false,
>     "config" : {
>       "single" : "false",
>       "attribute.nameformat" : "Basic",
>       "attribute.name" : "Role"
>     }
>   }, {
>     "id" : "95315e0e-1136-4e06-9f04-8ccbb29d2c70",
>     "name" : "family name",
>     "protocol" : "openid-connect",
>     "protocolMapper" : "oidc-usermodel-property-mapper",
>     "consentRequired" : true,
>     "consentText" : "${familyName}",
>     "config" : {
>       "userinfo.token.claim" : "true",
>       "user.attribute" : "lastName",
>       "id.token.claim" : "true",
>       "access.token.claim" : "true",
>       "claim.name" : "family_name",
>       "jsonType.label" : "String"
>     }
>   }, {
>     "id" : "a371b53c-5543-4188-a16f-005db9a73d7a",
>     "name" : "full name",
>     "protocol" : "openid-connect",
>     "protocolMapper" : "oidc-full-name-mapper",
>     "consentRequired" : true,
>     "consentText" : "${fullName}",
>     "config" : {
>       "id.token.claim" : "true",
>       "access.token.claim" : "true"
>     }
>   }, {
>     "id" : "e3ca3001-3f19-4654-b84c-7a352306cad1",
>     "name" : "given name",
>     "protocol" : "openid-connect",
>     "protocolMapper" : "oidc-usermodel-property-mapper",
>     "consentRequired" : true,
>     "consentText" : "${givenName}",
>     "config" : {
>       "userinfo.token.claim" : "true",
>       "user.attribute" : "firstName",
>       "id.token.claim" : "true",
>       "access.token.claim" : "true",
>       "claim.name" : "given_name",
>       "jsonType.label" : "String"
>     }
>   } ],
>   "useTemplateConfig" : false,
>   "useTemplateScope" : false,
>   "useTemplateMappers" : false
> }
>
> --
>
> David Delbecq
> Software engineer, Transport & Logistics
> Geldenaaksebaan 329, 1st floor | 3001 Leuven
> +32 16 391 121 Direct
> david.delbecq at trimbletl.com

From known.michael at gmail.com Mon Jan 2 10:11:33 2017
From: known.michael at gmail.com (Known Michael)
Date: Mon, 2 Jan 2017 17:11:33 +0200
Subject: [keycloak-user] Is it possible to add the regular user via CLI?
In-Reply-To:
References:
Message-ID:

Is it 2.5?

On Mon, Jan 2, 2017 at 11:39 AM, Stian Thorgersen wrote:
> Yes, with the new admin cli: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/admin-cli.html
>
> On 1 January 2017 at 07:24, Known Michael wrote:
>
>> Hey,
>>
>> I found that it is possible to add the admin user via CLI:
>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/initialization.html
>>
>> Do you know if it is possible to add the regular user via CLI?
From haimv at perfectomobile.com Mon Jan 2 10:26:04 2017
From: haimv at perfectomobile.com (Haim Vana)
Date: Mon, 2 Jan 2017 15:26:04 +0000
Subject: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue
In-Reply-To:
References:
Message-ID:

The steps to reproduce are to use the Keycloak admin API to generate multiple realms in parallel. Note that it is not always reproduced.

A simple defensive solution might be to add a constraint to the table; not sure regarding the performance impact.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, January 02, 2017 4:33 PM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org; Moshe Ben-Shoham; Boaz Hamo; Michael Dikman
Subject: Re: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue

Strange. If you can provide steps to reproduce it we can look into it. Ideally a testcase within our existing testsuite.

On 27 December 2016 at 15:53, Haim Vana wrote:
Hi,

We found an issue with the COMPOSITE_ROLE DB table; the issue might have occurred when creating multiple realms in parallel.

We noticed that the create realm API fails on timeout and the DB showed locks on table COMPOSITE_ROLE. Further investigation revealed that the COMPOSITE_ROLE table contains a lot of duplicate rows; instead of about 4000 rows there were over a million rows. Deleting the duplicate rows solved the issue.

Any idea what might have caused the duplicated rows? Or how to prevent it?

Also we have about 4000 rows in the COMPOSITE_ROLE table, does it make sense for about 160 realms? (maybe we need to do some cleanup)

Thanks,
Haim.
From avinash at avinash.com.np Mon Jan 2 10:47:12 2017
From: avinash at avinash.com.np (Avinash Kundaliya)
Date: Mon, 2 Jan 2017 21:32:12 +0545
Subject: [keycloak-user] authorization in a hierarchical context
Message-ID: <62c76575-5858-65e1-78f6-05794cb4c41f@avinash.com.np>

Hello,

I have a question more related to the architecture of an application and if/how Keycloak would fit into it.

The context is I have a hierarchy of resources (there is a Farm resource, and the farm has many groups and a group has many animals). I want the farm user to have access to everything below it (i.e. groups and animals) and the group user to all the animals.

The easiest way to do this is by doing the authorization in the resource server (i.e. if the token contains a farm_owner resource, and if the resource is an animal owned by a group that the farm owns, then the owner gets access to it).
But this somehow feels wrong, as I would like to model this authorization policy (if I may call it that) in the auth server/Keycloak.

I have been looking at UMA recently as it somehow seems closest to what I want to achieve. But in UMA I can only model the owner relation, not the hierarchy of it. Thus, I am not so clear on how to model such relations using that as well. Probably it's not a good idea to model this in the auth server.

It would be great if there is some mechanism within Keycloak to model such relations or authorization structures. As of now, we do plan to use Keycloak for authentication and possibly pass roles if any would make sense.

Thanks for the help in advance, and I hope I have been able to explain my issue clearly.

Regards,
Avinash

From mstrukel at redhat.com Mon Jan 2 10:51:33 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 2 Jan 2017 16:51:33 +0100
Subject: [keycloak-user] Is it possible to add the regular user via CLI?
In-Reply-To:
References:
Message-ID:

Yes, it's part of 2.5.0.CR1 which you can already download at: http://www.keycloak.org/downloads.html

On Mon, Jan 2, 2017 at 4:11 PM, Known Michael wrote:
> Is it 2.5?
>
> On Mon, Jan 2, 2017 at 11:39 AM, Stian Thorgersen wrote:
>
> > Yes, with the new admin cli: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/admin-cli.html
> >
> > On 1 January 2017 at 07:24, Known Michael wrote:
> >
> >> Hey,
> >>
> >> I found that it is possible to add the admin user via CLI:
> >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/initialization.html
> >>
> >> Do you know if it is possible to add the regular user via CLI?
From haimv at perfectomobile.com Mon Jan 2 10:58:00 2017
From: haimv at perfectomobile.com (Haim Vana)
Date: Mon, 2 Jan 2017 15:58:00 +0000
Subject: [keycloak-user] Keycloak token expiration and user script
Message-ID:

Hi,

Currently when a user executes a script (e.g. using Selenium) he generates an offline token; our application (Selenium server) generates an access token for the user from the given offline token.

The problem is that the access token expires after 5 minutes (default configuration of Access Token Lifespan in the realm settings).

If we increase the default value it means that the UI tokens will also be affected, and it might be less secure.

What's the best way you recommend to solve it? Should the application (our Selenium server) refresh the token every 5 minutes until the script is finished? Or is there another option? Some kind of different token for that purpose?

Thanks for your help and time,
Haim.
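The refresh loop this question is asking about, as an added example in Python (not code from the thread, from Perfecto or from Keycloak): the long-running job keeps the offline token and exchanges it at the realm's token endpoint with grant_type=refresh_token whenever the current access token is about to expire, so the realm's Access Token Lifespan can stay at 5 minutes for the UI. The client name "selenium-server" and the token endpoint URL are placeholders; the HTTP transport and the clock are injectable, and demo() runs the flow offline against constructed, unsigned tokens.

```python
"""Keep a long-running script's access token fresh from an offline token.
Added example; assumes a client "selenium-server" (constructed name) and a
placeholder token endpoint, with a swappable transport and clock."""
import base64
import json
import time
import urllib.parse
import urllib.request


def unverified_claims(jwt):
    """Decode a JWT payload WITHOUT checking the signature.
    Used only client-side to read `exp` and schedule the refresh; the resource
    server still verifies the signature on every request."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def http_post_form(url, fields):
    """Default transport: POST application/x-www-form-urlencoded, return the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class OfflineTokenSession:
    """Hands out a valid access token for as long as the offline token stays valid.
    token_endpoint: <server>/auth/realms/<realm>/protocol/openid-connect/token
    client_secret stays None for a public client; `skew` is how many seconds
    before `exp` we refresh, to absorb clock drift and request latency."""

    def __init__(self, token_endpoint, client_id, offline_token,
                 client_secret=None, post=http_post_form, now=time.time, skew=30):
        self.token_endpoint = token_endpoint
        self.client_id = client_id
        self.client_secret = client_secret
        self.offline_token = offline_token
        self._post, self._now, self._skew = post, now, skew
        self._access_token, self._exp = None, 0
        self.refresh_count = 0

    def _refresh(self):
        # An offline token is presented exactly like a refresh token.
        fields = {"grant_type": "refresh_token",
                  "refresh_token": self.offline_token,
                  "client_id": self.client_id}
        if self.client_secret is not None:
            fields["client_secret"] = self.client_secret
        reply = self._post(self.token_endpoint, fields)
        self._access_token = reply["access_token"]
        self._exp = unverified_claims(self._access_token)["exp"]
        # Keep whatever refresh token comes back (Keycloak returns the offline token).
        self.offline_token = reply.get("refresh_token", self.offline_token)
        self.refresh_count += 1

    def access_token(self):
        """Return the cached token while it has more than `skew` seconds left, else refresh."""
        if self._access_token is None or self._now() + self._skew >= self._exp:
            self._refresh()
        return self._access_token


def make_unsigned_jwt(claims):
    """Constructed test helper: a JWT-shaped string with an empty signature.
    Real Keycloak tokens are RS256-signed; this only feeds unverified_claims()."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


def demo():
    """Simulate a 12-minute script against a 5-minute Access Token Lifespan, offline."""
    clock = {"t": 1_000_000}  # constructed fake clock (epoch seconds)

    def fake_post(url, fields):  # stands in for the realm's token endpoint
        if fields["grant_type"] != "refresh_token":
            raise ValueError("unexpected grant_type")
        tok = make_unsigned_jwt({"exp": clock["t"] + 300, "azp": fields["client_id"]})
        return {"access_token": tok, "expires_in": 300,
                "refresh_token": fields["refresh_token"]}

    session = OfflineTokenSession(
        "https://sso.example.test/auth/realms/demo/protocol/openid-connect/token",
        "selenium-server", make_unsigned_jwt({"typ": "Offline"}),
        post=fake_post, now=lambda: clock["t"], skew=60)
    seen = []
    for minute in range(13):  # one request per minute, minutes 0..12
        clock["t"] = 1_000_000 + minute * 60
        seen.append(session.access_token())
    return {"requests": len(seen), "refreshes": session.refresh_count,
            "distinct_tokens": len(set(seen))}


if __name__ == "__main__":
    print(demo())
```

With a 60-second skew, demo() refreshes at minutes 0, 4, 8 and 12, so the script never sends an expired token and never needs the user's password; the offline token itself keeps working as long as it is used within the realm's Offline Session Idle window.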
From psilva at redhat.com Mon Jan 2 14:53:24 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 2 Jan 2017 17:53:24 -0200
Subject: [keycloak-user] authorization in a hierarchical context
In-Reply-To:
References: <62c76575-5858-65e1-78f6-05794cb4c41f@avinash.com.np>
Message-ID:

On Mon, Jan 2, 2017 at 2:40 PM, Avinash Kundaliya wrote:
> Hello,
> I see, is it something in the UMA spec that says about resource hierarchy
> or we don't have it on the server for other reasons?
> Regarding the API path, it partially matches the hierarchy but not always,
> that is why I don't want to enforce it with the URI. For example in the
> case of animals we have an /api/animal/{animal_id}
> Is there any other approach you'd suggest?
>

AFAIK, there is nothing in the UMA spec about hierarchy of resources. Regarding a different approach, using the path to enforce permissions on a hierarchy was my best shot.

> Also, there is a role of a herder, who has nothing to do with the
> hierarchy but only related to the animal. Eg: a herder of cows or a herder
> of sheep.
>
> I can add a role of herder in Keycloak and probably add the animal_type to
> the user as a custom attribute, is it possible to register resource_sets
> with attributes, like animal type in case of the animal resource.
>

Resources do have a type, maybe you can use this property to set animal_type. We don't have support for custom resource attributes though. However that is something I think we should start supporting in Keycloak. Maybe custom attributes could help you with the hierarchy problem too. Would it work for you?

> Is there a book/resource that you could suggest to read more about
> authorization patterns? I have already read along the Keycloak guides.
>

Nothing specific, as authorization is usually very specific to a domain. However, I usually like to search for ABAC related material as it usually provides additional information and patterns that help to design more flexible authorization systems.
OWASP also provides some great material around security in general.

> Regards,
> Avinash
>
> On Mon, Jan 2, 2017 at 10:12 PM Pedro Igor Silva wrote:
>> Hi,
>>
>> We don't support resource hierarchy on the server so you won't be able to model your resources as you described. And as you mentioned, I'm not sure either if this is something we want/need to enable on the server.
>>
>> In theory, if your API is using a path/uri layout that allows you to identify this hierarchy, I think you should be able to achieve what you want. For instance, suppose you have:
>>
>> /api/farm/{farm_id}
>> /api/farm/{farm_id}/group/{group_id}
>> /api/farm/{farm_id}/group/{group_id}/animal/{animal_id}
>>
>> And every time you create one of the resources above (farms, groups or animals) you associate a path such as you replace the patterns above with the identifier of the resource. That PhotoZ example does pretty much the same thing, where resources are protected by using a pattern like /album/{id}. But there we only use a single pattern in a path.
>>
>> I'm just not sure if our policy enforcer is capable of dealing with multiple patterns in a single path. Probably not and probably a bug :)
>>
>> Regards.
>> Pedro Igor
>>
>> On Mon, Jan 2, 2017 at 1:47 PM, Avinash Kundaliya wrote:
>>
>> Hello,
>>
>> I have a question more related to the architecture of an application and if/how keycloak would fit to it.
>>
>> The context is I have a hierarchy of resources (There is a Farm resource, and the farm has many groups and a group has many animals). I want the farm user to have access to everything below it (i.e group and animals) and the group user to all the animals.
>>
>> The easiest way to do this is by doing the authorization in the resource server (i.e if the token contains a farm_owner resource, and if the resource is an animal owned by a group that the farm owns, then the owner gets access to it).
>> But, this somehow feels wrong, as I would like to model this authorization policy (if I may call it) in the auth server/keycloak.
>>
>> I have been looking at UMA recently as it somehow seems closest to what I want to achieve. But, in UMA, I can only model the owner relation, but not the hierarchy of it. Thus, I am not so clear on how to model such relations using that as well. Probably, it's not a good idea to model this in the auth server.
>>
>> It would be great if there is some mechanism within keycloak to model such relations or authorization structures. As of now, we do plan to use keycloak for authentication and possibly, pass roles if any would make sense.
>>
>> Thanks for the help in advance, and I hope I have been able to explain my issue clearly.
>>
>> Regards,
>> Avinash

From sthorger at redhat.com Tue Jan 3 00:41:49 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 3 Jan 2017 06:41:49 +0100
Subject: [keycloak-user] Keycloak token expiration and user script
In-Reply-To:
References:
Message-ID:

Refresh. We may in the future introduce an option to have different expiration for different clients, but that's not on the immediate roadmap.

On 2 January 2017 at 16:58, Haim Vana wrote:
> Hi,
>
> Currently, when a user executes a script (e.g. using Selenium) he generates an offline token; our application (the Selenium server) generates an access token for the user from the given offline token.
>
> The problem is that the access token expires after 5 minutes (the default configuration of Access Token Lifespan in the realm settings).
>
> If we increase the default value it means that the UI tokens will also be affected, and it might be less secure.
>
> What's the best way you recommend to solve it?
> Should the application (our Selenium server) refresh the token every 5 minutes until the script is finished? Or is there another option? Some kind of different token for that purpose?
>
> Thanks for your help and time,
> Haim.

From sthorger at redhat.com Tue Jan 3 00:49:12 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 3 Jan 2017 06:49:12 +0100
Subject: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue
In-Reply-To:
References:
Message-ID:

You can create a bug report with the steps to reproduce. We can't really prioritize it though as we don't really test or recommend using that many realms on a single server. There are known performance impacts of having many realms (quite a few PRs around this atm that we'll look at merging in 3.x) and also some fundamental reasons why it's not quite right (master realm and the composite roles mainly).

On 2 January 2017 at 16:26, Haim Vana wrote:
> The steps to reproduce is to use the keycloak admin API to generate multiple realms in parallel.
>
> Note that it is not always reproduced.
>
> Simple defensive solution might be to add a constraint to the table, not sure regarding performance impact.
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Monday, January 02, 2017 4:33 PM
> To: Haim Vana
> Cc: keycloak-user at lists.jboss.org; Moshe Ben-Shoham <mosheb at perfectomobile.com>; Boaz Hamo; Michael Dikman
> Subject: Re: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue
>
> Strange. If you can provide steps to reproduce it we can look into it. Ideally a testcase within our existing testsuite.
>
> On 27 December 2016 at 15:53, Haim Vana wrote:
>
> Hi,
>
> We found an issue with the COMPOSITE_ROLE DB table, the issue might have occurred when creating multiple realms in parallel.
>
> We noticed that the create realm API fails on timeout and the DB showed locks on table COMPOSITE_ROLE.
> Further investigation revealed that the COMPOSITE_ROLE table contains a lot of duplicate rows, instead of about 4000 rows there were over a million rows.
> Deleting the duplicate rows solved the issue.
>
> Any idea what might have caused the duplicated rows? Or how to prevent it?
>
> Also we have about 4000 rows in the COMPOSITE_ROLE row, does it make sense for about 160 realms? (maybe we need to do some cleanup)
>
> Thanks,
> Haim.
From dan at ren.no Tue Jan 3 02:40:00 2017
From: dan at ren.no (Dan Østerberg)
Date: Tue, 3 Jan 2017 07:40:00 +0000
Subject: [keycloak-user] Log out server sessions when using bearer authentication
In-Reply-To:
References:
Message-ID:

Thanx for the reply. But wouldn't that be a bit against the whole point with token based authentication? We've used Jasig CAS before, and thereby used internal server-only authentication + server session. That's very similar to Keycloak used the way you describe - and limiting in several ways. If that was the only option, we would have stayed with CAS. Being stateless & having more control in the client is certainly beneficial in a client-heavy REST-based application, where the client accesses multiple webapps (within the same realm).

I guess we'll just have to implement some in-house solution then...

~Dan

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday 2 January 2017 15:16
To: Dan Østerberg
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Log out server sessions when using bearer authentication

There's no standard way of doing backchannel logout with OAuth2.
There's a draft spec for OpenID Connect that we may implement in the future.

Keycloak has its own proprietary backchannel logout, but that's only for applications that do the login. In your case as it's a JS app that obtains the tokens there's no backchannel logout involved and instead it relies on the session cookie + access token timeout. Assuming your JEE app is a rest service it should create a session that allows invoking without an access token from the JS app. That way it won't be possible for the JS app to invoke it once the session is logged out as it won't be able to obtain new access tokens.

On 29 December 2016 at 11:27, Dan Østerberg wrote:

Hi,

How can we make single sign out work when passing bearer tokens to a server guarded by a "traditional" session based Oauth2 client / adapter?

Let's say we use bearer authentication via the Javascript adapter, and make REST requests to a stateless (no session) server. Let's further say that during some later request, a server session will be created - either intentionally to store state, or unintentionally e.g. by some shared code (since sessions are auto-created in Java EE). Now single sign out won't work, because Keycloak is neither aware of the server session nor the Oauth2 client that has an admin URL.

One solution could be to detect the creation of a session, and internally via an extended REST API tell the Keycloak server to create a session also for the client with admin URL (connecting it to the created session ID). But it just sounds as if this should be covered out-of-the-box, so maybe I'm just missing or misunderstanding something...
~Dan

From sthorger at redhat.com Tue Jan 3 02:51:37 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 3 Jan 2017 08:51:37 +0100
Subject: [keycloak-user] Log out server sessions when using bearer authentication
In-Reply-To:
References:
Message-ID:

Not really following what you are saying. Are you saying you want your REST services to be stateful and use cookie based security rather than tokens? Or the other way around?

On 3 January 2017 at 08:40, Dan Østerberg wrote:
> Thanx for the reply. But wouldn't that be a bit against the whole point with token based authentication? We've used Jasig CAS before, and thereby used internal server-only authentication + server session. That's very similar to Keycloak used the way you describe - and limiting in several ways. If that was the only option, we would have stayed with CAS. Being stateless & having more control in the client is certainly beneficial in a client-heavy REST-based application, where the client accesses multiple webapps (within the same realm).
>
> I guess we'll just have to implement some in-house solution then...
>
> ~Dan
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Monday 2 January 2017 15:16
> To: Dan Østerberg
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Log out server sessions when using bearer authentication
>
> There's no standard way of doing backchannel logout with OAuth2. There's a draft spec for OpenID Connect that we may implement in the future.
>
> Keycloak has its own proprietary backchannel logout, but that's only for applications that do the login. In your case as it's a JS app that obtains the tokens there's no backchannel logout involved and instead it relies on the session cookie + access token timeout.
> Assuming your JEE app is a rest service it should create a session that allows invoking without an access token from the JS app. That way it won't be possible for the JS app to invoke it once the session is logged out as it won't be able to obtain new access tokens.
>
> On 29 December 2016 at 11:27, Dan Østerberg wrote:
>
> Hi,
>
> How can we make single sign out work when passing bearer tokens to a server guarded by a "traditional" session based Oauth2 client / adapter?
>
> Let's say we use bearer authentication via the Javascript adapter, and make REST requests to a stateless (no session) server. Let's further say that during some later request, a server session will be created - either intentionally to store state, or unintentionally e.g. by some shared code (since sessions are auto-created in Java EE). Now single sign out won't work, because Keycloak is neither aware of the server session nor the Oauth2 client that has an admin URL.
>
> One solution could be to detect the creation of a session, and internally via an extended REST API tell the Keycloak server to create a session also for the client with admin URL (connecting it to the created session ID). But it just sounds as if this should be covered out-of-the-box, so maybe I'm just missing or misunderstanding something...
>
> ~Dan

From haimv at perfectomobile.com Tue Jan 3 03:48:27 2017
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 3 Jan 2017 08:48:27 +0000
Subject: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue
In-Reply-To:
References:
Message-ID:

Thanks for the quick response.

We are using your multi-tenancy support (realm for each customer) since we must have separate definitions, different admin user and other attributes for each customer - hence we can't really change that.
Can you please elaborate about the performance issues? Is it only within the keycloak UI or also when performing login and generating offline/access tokens via REST?

In addition note that we are not using a single server, we have an AWS cluster with 2 active machines (master-master) with a shared postgresql DB. Do the performance issues still apply in this architecture? If so any idea how we can improve it? (e.g. adding more machines, replacing the DB with Mongo if possible, etc)

Also what is the recommended number of realms for that kind of architecture? (currently we have about 207 realms and growing)

Thanks again,
Haim.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, January 03, 2017 7:49 AM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org; Moshe Ben-Shoham; Boaz Hamo; Michael Dikman
Subject: Re: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue

You can create a bug report with the steps to reproduce. We can't really prioritize it though as we don't really test or recommend using that many realms on a single server. There are known performance impacts of having many realms (quite a few PRs around this atm that we'll look at merging in 3.x) and also some fundamental reasons why it's not quite right (master realm and the composite roles mainly).

On 2 January 2017 at 16:26, Haim Vana wrote:

The steps to reproduce is to use the keycloak admin API to generate multiple realms in parallel.

Note that it is not always reproduced.

Simple defensive solution might be to add a constraint to the table, not sure regarding performance impact.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, January 02, 2017 4:33 PM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org; Moshe Ben-Shoham; Boaz Hamo; Michael Dikman
Subject: Re: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue

Strange. If you can provide steps to reproduce it we can look into it. Ideally a testcase within our existing testsuite.
On 27 December 2016 at 15:53, Haim Vana wrote:

Hi,

We found an issue with the COMPOSITE_ROLE DB table, the issue might have occurred when creating multiple realms in parallel.

We noticed that the create realm API fails on timeout and the DB showed locks on table COMPOSITE_ROLE.
Further investigation revealed that the COMPOSITE_ROLE table contains a lot of duplicate rows, instead of about 4000 rows there were over a million rows.
Deleting the duplicate rows solved the issue.

Any idea what might have caused the duplicated rows? Or how to prevent it?

Also we have about 4000 rows in the COMPOSITE_ROLE row, does it make sense for about 160 realms? (maybe we need to do some cleanup)

Thanks,
Haim.
From dan at ren.no Tue Jan 3 04:06:34 2017
From: dan at ren.no (Dan Østerberg)
Date: Tue, 3 Jan 2017 09:06:34 +0000
Subject: [keycloak-user] Log out server sessions when using bearer authentication
In-Reply-To:
References:
Message-ID:

The other way around - to _mainly_ use stateless REST services. With client-controlled tokens. The fact that single-sign-out won't affect the client until token renewal is attempted is OK. And in most cases we'll even eagerly detect that, using a simple cookie-logic. But the problem is if/when some REST call creates a session. Then that session won't be invalidated, even if the user (or another user) logs into Keycloak again. We need to address that somehow. As I see it, we either need to:

1) Prevent session creation. Easy said, but we don't control all code, and it's fairly easy for one programmer to accidentally e.g. inject a session-scoped WELD bean in code reachable from a REST service. If going for this route, we'd at least need mechanisms for detecting if a session was after all created, and notify developers plus maybe auto-destroy it. Or wrap the request so that sessions aren't created (with uncertain consequences). Since parts of the webapps + shared libraries might be used statefully, it gets a bit messy.

2) Connect all sessions to the single-sign-out controller (Keycloak).
I evaluated 2) to be the cleaner approach, but wanted to know if Keycloak has some built-in solution.

~Dan

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday 3 January 2017 08:52
To: Dan Østerberg
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Log out server sessions when using bearer authentication

Not really following what you are saying. Are you saying you want your REST services to be stateful and use cookie based security rather than tokens? Or the other way around?

On 3 January 2017 at 08:40, Dan Østerberg wrote:

Thanx for the reply. But wouldn't that be a bit against the whole point with token based authentication? We've used Jasig CAS before, and thereby used internal server-only authentication + server session. That's very similar to Keycloak used the way you describe - and limiting in several ways. If that was the only option, we would have stayed with CAS. Being stateless & having more control in the client is certainly beneficial in a client-heavy REST-based application, where the client accesses multiple webapps (within the same realm).

I guess we'll just have to implement some in-house solution then...

~Dan

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday 2 January 2017 15:16
To: Dan Østerberg
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Log out server sessions when using bearer authentication

There's no standard way of doing backchannel logout with OAuth2. There's a draft spec for OpenID Connect that we may implement in the future.

Keycloak has its own proprietary backchannel logout, but that's only for applications that do the login. In your case as it's a JS app that obtains the tokens there's no backchannel logout involved and instead it relies on the session cookie + access token timeout. Assuming your JEE app is a rest service it should create a session that allows invoking without an access token from the JS app.
That way it won't be possible for the JS app to invoke it once the session is logged out as it won't be able to obtain new access tokens.

On 29 December 2016 at 11:27, Dan Østerberg wrote:

Hi,

How can we make single sign out work when passing bearer tokens to a server guarded by a "traditional" session based Oauth2 client / adapter?

Let's say we use bearer authentication via the Javascript adapter, and make REST requests to a stateless (no session) server. Let's further say that during some later request, a server session will be created - either intentionally to store state, or unintentionally e.g. by some shared code (since sessions are auto-created in Java EE). Now single sign out won't work, because Keycloak is neither aware of the server session nor the Oauth2 client that has an admin URL.

One solution could be to detect the creation of a session, and internally via an extended REST API tell the Keycloak server to create a session also for the client with admin URL (connecting it to the created session ID). But it just sounds as if this should be covered out-of-the-box, so maybe I'm just missing or misunderstanding something...

~Dan

From david_delbecq at trimble.com Tue Jan 3 04:12:05 2017
From: david_delbecq at trimble.com (David Delbecq)
Date: Tue, 03 Jan 2017 09:12:05 +0000
Subject: [keycloak-user] Setting up webapplication to accept both bearer and openid redirect login
In-Reply-To:
References:
Message-ID:

Great, thanks :)

On Mon, Jan 2, 2017 at 3:40 PM Stian Thorgersen wrote:
> "autodetect-bearer-only" in keycloak.json should do the trick. See https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html .
>
> On 29 December 2016 at 17:11, David Delbecq wrote:
>
> I have a wildfly application where I need this behaviour:
>
> 1) If user provides a token during request and try to access a secure area, use it (typically soap and rest requests)
> 2) If user has no credentials to show, issue interactive web login
>
> So far I managed to get either 1) or 2) on the application, depending on using bearer-only accesstype or not. But I can't seem to find out how to have both behaviours. Below is a json export of my current realm config. I am currently doing this in wildfly
>
> Shipping
> ${authURL}
> true
> EXTERNAL
> shipping-soap
>
> true
>
> using this code to get a token from the WS client
>
> Keycloak keycloak = Keycloak.getInstance(System.getProperty("keycloak.url"), "Shipping", username, password, "shipping-soap");
> customHeaders.put("Authorization", Arrays.asList("Bearer: " + keycloak.tokenManager().getAccessTokenString()));
>
> but when I issue the ws request, I get a redirect to keycloak (see below). I suspect I misunderstood some parts of the keycloak configuration and its behaviour, but I am not sure what I did wrong. Can somebody explain to me how to integrate both webservice and webpages with a single client id?
>
> POST /shipping/service/1.0/shipping HTTP/1.1
> Content-Type: text/xml; charset=UTF-8
> Accept: */*
> Authorization: Bearer: [JWT removed]
> SOAPAction: ""
> User-Agent: Apache CXF 3.0.5
> Cache-Control: no-cache
> Pragma: no-cache
> Host: localhost:18080
> Connection: keep-alive
> Content-Length: 1784
>
> [SOAP request body (xmlns:ns2="urn:trimbletl:eshipco:shipping:1_0") omitted; only tag-stripped text survived]
HTTP/1.1 > 302 Found > Expires: 0 > Cache-Control: no-cache, no-store, must-revalidate > X-Powered-By: Undertow/1 > Set-Cookie: > JSESSIONID=9XhPxotKq3r_uuhaVAya8iavBVSyqQ9Ibf1h2Emu.ddelbecq-precision; > path=/shipping > Set-Cookie: > OAuth_Token_Request_State=916/8084d5f9-fd05-4267-9d72-026acf016857; > HttpOnly > Server: WildFly/9 > Pragma: no-cache > Location: > > http://localhost:13080/auth/realms/Shipping/protocol/openid-connect/auth?response_type=code&client_id=shipping-soap&redirect_uri=http%3A%2F%2Flocalhost%3A18080%2Fshipping%2Fservice%2F1.0%2Fshipping&state=916%2F8084d5f9-fd05-4267-9d72-026acf016857&login=true&scope=openid > Date: Thu, 29 Dec 2016 15:43:16 GMT > Connection: keep-alive > Content-Length: 0 > > { > "id" : "c3558938-fa2a-43c6-8de0-17d6ebbe9750", > "clientId" : "shipping-soap", > "description" : "Workbench, Adminbench and Administration", > "rootUrl" : "http://localhost:8080/", > "adminUrl" : "/shipping", > "baseUrl" : "/shipping", > "surrogateAuthRequired" : false, > "enabled" : true, > "clientAuthenticatorType" : "client-secret", > "secret" : "b556a2b8-bb1d-478e-97a0-14105556427f", > "defaultRoles" : [ "authenticated", "ROLE_authenticated" ], > "redirectUris" : [ "http://localhost:8080/shipping/*" ], > "webOrigins" : [ ], > "notBefore" : 0, > "bearerOnly" : false, > "consentRequired" : false, > "standardFlowEnabled" : true, > "implicitFlowEnabled" : false, > "directAccessGrantsEnabled" : true, > "serviceAccountsEnabled" : false, > "publicClient" : true, > "frontchannelLogout" : false, > "protocol" : "openid-connect", > "attributes" : { > "saml.assertion.signature" : "false", > "saml.force.post.binding" : "false", > "saml.multivalued.roles" : "false", > "saml.encrypt" : "false", > "saml_force_name_id_format" : "false", > "saml.client.signature" : "false", > "saml.authnstatement" : "false", > "saml.server.signature" : "false" > }, > "fullScopeAllowed" : true, > "nodeReRegistrationTimeout" : -1, > "protocolMappers" : [ { > "id" : 
"b2eb4fed-68e3-4064-b0a8-f5926696a99f", > "name" : "username", > "protocol" : "openid-connect", > "protocolMapper" : "oidc-usermodel-property-mapper", > "consentRequired" : true, > "consentText" : "${username}", > "config" : { > "userinfo.token.claim" : "true", > "user.attribute" : "username", > "id.token.claim" : "true", > "access.token.claim" : "true", > "claim.name" : "preferred_username", > "jsonType.label" : "String" > } > }, { > "id" : "1b943ce9-b67b-4ce5-a5d8-3d795900555b", > "name" : "locale", > "protocol" : "openid-connect", > "protocolMapper" : "oidc-usermodel-attribute-mapper", > "consentRequired" : false, > "consentText" : "${locale}", > "config" : { > "userinfo.token.claim" : "true", > "user.attribute" : "locale", > "id.token.claim" : "true", > "access.token.claim" : "true", > "claim.name" : "locale", > "jsonType.label" : "String" > } > }, { > "id" : "f14bc53c-1d7b-480d-b2da-72b1e47e7f1e", > "name" : "email", > "protocol" : "openid-connect", > "protocolMapper" : "oidc-usermodel-property-mapper", > "consentRequired" : true, > "consentText" : "${email}", > "config" : { > "userinfo.token.claim" : "true", > "user.attribute" : "email", > "id.token.claim" : "true", > "access.token.claim" : "true", > "claim.name" : "email", > "jsonType.label" : "String" > } > }, { > "id" : "5429c06f-8b9b-4b33-bbb3-015117922910", > "name" : "role list", > "protocol" : "saml", > "protocolMapper" : "saml-role-list-mapper", > "consentRequired" : false, > "config" : { > "single" : "false", > "attribute.nameformat" : "Basic", > "attribute.name" : "Role" > } > }, { > "id" : "95315e0e-1136-4e06-9f04-8ccbb29d2c70", > "name" : "family name", > "protocol" : "openid-connect", > "protocolMapper" : "oidc-usermodel-property-mapper", > "consentRequired" : true, > "consentText" : "${familyName}", > "config" : { > "userinfo.token.claim" : "true", > "user.attribute" : "lastName", > "id.token.claim" : "true", > "access.token.claim" : "true", > "claim.name" : "family_name", > "jsonType.label" : 
"String" > } > }, { > "id" : "a371b53c-5543-4188-a16f-005db9a73d7a", > "name" : "full name", > "protocol" : "openid-connect", > "protocolMapper" : "oidc-full-name-mapper", > "consentRequired" : true, > "consentText" : "${fullName}", > "config" : { > "id.token.claim" : "true", > "access.token.claim" : "true" > } > }, { > "id" : "e3ca3001-3f19-4654-b84c-7a352306cad1", > "name" : "given name", > "protocol" : "openid-connect", > "protocolMapper" : "oidc-usermodel-property-mapper", > "consentRequired" : true, > "consentText" : "${givenName}", > "config" : { > "userinfo.token.claim" : "true", > "user.attribute" : "firstName", > "id.token.claim" : "true", > "access.token.claim" : "true", > "claim.name" : "given_name", > "jsonType.label" : "String" > } > } ], > "useTemplateConfig" : false, > "useTemplateScope" : false, > "useTemplateMappers" : false > } > > > > > -- > > > > David Delbecq > Software engineer, Transport & Logistics > Geldenaaksebaan 329, 1st floor | 3001 Leuven > > +32 16 391 121 <+32%2016%20391%20121> Direct > david.delbecq at trimbletl.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 <+32%2016%20391%20121> Direct david.delbecq at trimbletl.com From sthorger at redhat.com Tue Jan 3 04:16:08 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 3 Jan 2017 10:16:08 +0100 Subject: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue In-Reply-To: References: Message-ID: There are many threads around this in the mailing list. Try looking through it or searching at http://www.keycloak.org/search.html. We simply don't test with many realms so you'll have to look at what issues others are having. Keycloak was not designed to be fully multi-tenant and having many realms. 
That doesn't mean it can't work, just that it's not a priority to us to make many realms work. We'll be happy to accept contributions around this area though. On 3 January 2017 at 09:48, Haim Vana wrote: > Thanks for the quick response. > > > > We are using your multi-tenancy support (realm for each customer) since we > must have separate definitions, different admin user and other attributes > for each customer; hence we can't really change that. > > > > Can you please elaborate about the performance issues? Is it only within > the keycloak UI or also when performing login and generating > offline/access tokens via REST? > > > In addition note that we are not using a single server, we have an AWS > cluster with 2 active machines (master-master) with a shared postgresql DB. > > Do the performance issues still apply in this architecture? If so, any > idea how we can improve it? (e.g. adding more machines, replacing the DB with > Mongo if possible, etc.) > > Also what is the recommended number of realms for that kind of > architecture? (currently we have about 207 realms and growing) > > > > Thanks again, > > Haim. > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Tuesday, January 03, 2017 7:49 AM > > *To:* Haim Vana > *Cc:* keycloak-user at lists.jboss.org; Moshe Ben-Shoham < > mosheb at perfectomobile.com>; Boaz Hamo ; Michael > Dikman > *Subject:* Re: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue > > > > You can create a bug report with the steps to reproduce. We can't really > prioritize it though as we don't really test or recommend using that many > realms on a single server. There are known performance impacts of having > many realms (quite a few PRs around this atm that we'll look at merging in > 3.x) and also some fundamental reasons why it's not quite right (master > realm and the composite roles mainly).
> > > > On 2 January 2017 at 16:26, Haim Vana wrote: > > The steps to reproduce are to use the keycloak admin API to generate > multiple realms in parallel. > > > > Note that it is not always reproduced. > > > > A simple defensive solution might be to add a constraint to the table, not > sure regarding performance impact. > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Monday, January 02, 2017 4:33 PM > *To:* Haim Vana > *Cc:* keycloak-user at lists.jboss.org; Moshe Ben-Shoham < > mosheb at perfectomobile.com>; Boaz Hamo ; Michael > Dikman > *Subject:* Re: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue > > > > Strange. If you can provide steps to reproduce it we can look into it. > Ideally a testcase within our existing testsuite. > > > > On 27 December 2016 at 15:53, Haim Vana wrote: > > Hi, > > We found an issue with the COMPOSITE_ROLE DB table, the issue might have > occurred when creating multiple realms in parallel. > > We noticed that the create realm API fails on timeout and the DB showed locks on > table COMPOSITE_ROLE. > Further investigation revealed that the COMPOSITE_ROLE table contains a > lot of duplicate rows, instead of about 4000 rows there were over a million > rows. > Deleting the duplicate rows solved the issue. > > Any idea what might have caused the duplicated rows? Or how to prevent it? > > Also we have about 4000 rows in the COMPOSITE_ROLE table, does it make sense > for about 160 realms? (maybe we need to do some cleanup) > > > Thanks, > Haim. > The information contained in this message is proprietary to the sender, > protected from disclosure, and may be privileged. The information is > intended to be conveyed only to the designated recipient(s) of the message. > If the reader of this message is not the intended recipient, you are hereby > notified that any dissemination, use, distribution or copying of this > communication is strictly prohibited and may be unlawful.
If you have > received this communication in error, please notify us immediately by > replying to the message and deleting it from your computer. Thank you. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Tue Jan 3 04:26:22 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 3 Jan 2017 10:26:22 +0100 Subject: [keycloak-user] Log out server sessions when using bearer authentication In-Reply-To: References: Message-ID: As I suggested just make sure the sessions don't contain the security context and that all requests that require security include an access token even when there is a session. Problem solved.
Or the much more complicated approach: find some way of centrally tracking all sessions to all REST services to destroy all sessions on logout. Keycloak can't do that as we only track sessions from applications that do the actual login, not services that are invoked by those applications. On 3 January 2017 at 10:06, Dan Østerberg wrote: > The other way around: to _*mainly*_ use stateless REST services. With > client-controlled tokens. > > > > The fact that single-sign-out won't affect the client until token renewal > is attempted is OK. And in most cases we'll even eagerly detect that, > using some simple cookie logic. But the problem is if/when some REST call > creates a session. Then that session won't be invalidated, even if the user > (or another user) logs into Keycloak again. We need to address that somehow. > > > > As I see it, we either need to: > > 1) Prevent session creation. Easily said, but we don't control all > code, and it's fairly easy for one programmer to accidentally e.g. inject a > session-scoped WELD bean in code reachable from a REST service. If going > for this route, we'd at least need mechanisms for detecting if a session > was after all created, and notify developers plus maybe auto-destroy it. Or > wrap the request so that sessions aren't created (with uncertain > consequences). Since parts of the webapps + shared libraries might be > used statefully, it gets a bit messy. > > 2) Connect all sessions to the single-sign-out controller (Keycloak). > > > > I evaluated 2) to be the cleaner approach, but wanted to know if Keycloak > has some built-in solution. > > > > ~Dan > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Tuesday, 3 January 2017 08:52 > > *To:* Dan Østerberg > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Log out server sessions when using bearer > authentication > > > > Not really following what you are saying.
Are you saying you want your > REST services to be stateful and use cookie based security rather than > tokens? Or the other way around? > > > > On 3 January 2017 at 08:40, Dan Østerberg wrote: > > Thanks for the reply. But wouldn't that be a bit against the whole point > of token based authentication? We've used Jasig CAS before, and thereby > used internal server-only authentication + server session. That's very > similar to Keycloak used the way you describe, and limiting in several > ways. If that was the only option, we would have stayed with CAS. Being > stateless & having more control in the client is certainly beneficial in a > client-heavy REST-based application, where the client accesses multiple > webapps (within the same realm). > > > > I guess we'll just have to implement some in-house solution then... > > > > ~Dan > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Monday, 2 January 2017 15:16 > *To:* Dan Østerberg > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Log out server sessions when using bearer > authentication > > > > There's no standard way of doing backchannel logout with OAuth2. There's a > draft spec for OpenID Connect that we may implement in the future. > > > > Keycloak has its own proprietary backchannel logout, but that's only for > applications that do the login. In your case as it's a JS app that obtains > the tokens there's no backchannel logout involved and instead it relies on > the session cookie + access token timeout. Assuming your JEE app is a rest > service it should create a session that allows invoking without an access > token from the JS app. That way it won't be possible for the JS app to > invoke it once the session is logged out as it won't be able to obtain new > access tokens. > > > > On 29 December 2016 at 11:27, Dan Østerberg wrote: > > Hi, > > How can we make single sign out work when passing bearer tokens to a > server guarded by a "traditional"
session based OAuth2 client / adapter? > > Let's say we use bearer authentication via the Javascript adapter, and make > REST requests to a stateless (no session) server. Let's further say that > during some later request, a server session will be created, either > intentionally to store state, or unintentionally e.g. by some shared code > (since sessions are auto-created in Java EE). Now single sign out won't > work, because Keycloak is neither aware of the server session nor the > OAuth2 client that has an admin URL. > > One solution could be to detect the creation of a session, and internally > via an extended REST API tell the Keycloak server to create a session also > for the client with admin URL (connecting it to the created session ID). > But it just sounds as if this should be covered out-of-the-box, so maybe > I'm just missing or misunderstanding something... > > ~Dan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From dan at ren.no Tue Jan 3 04:39:21 2017 From: dan at ren.no (Dan Østerberg) Date: Tue, 3 Jan 2017 09:39:21 +0000 Subject: [keycloak-user] Log out server sessions when using bearer authentication In-Reply-To: References: Message-ID: Yes, avoiding storing any security related stuff in the session would ensure that authentication / permissions are read from the current access token. But the entire problem isn't solved, since the server session still won't be invalidated. Let's say I log in and trigger some REST calls. For some of those, a session is created, storing my personal information. Then I log out from Keycloak. You log in, and get a new security context but can access my personal information still stored in my old server session. (Naturally, this also goes for the same user logging in again, seeing old session data that he shouldn't see. It's just a less severe issue.)
When logging out normally, the client can trigger logout from all x webapps it (might) have accessed. But that won't happen when logging out via another webapp, or kicking out a session from the Keycloak admin console. Maybe the problem isn't so big if all precautions are taken. But it's still a problem, and I still can't see how it can be completely solved other than by one of the two approaches I outlined. ~Dan
From sthorger at redhat.com Tue Jan 3 04:52:43 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 3 Jan 2017 10:52:43 +0100 Subject: [keycloak-user] Log out server sessions when using bearer authentication In-Reply-To: References: Message-ID: What about a simple filter that looks at the session state from the token and associates it with the http session if one is set? If the token's session state is different to the http session, invalidate it. From dan at ren.no Tue Jan 3 05:31:57 2017 From: dan at ren.no (Dan Østerberg) Date: Tue, 3 Jan 2017 10:31:57 +0000 Subject: [keycloak-user] Log out server sessions when using bearer authentication In-Reply-To: References: Message-ID: That was actually a third alternative that we also initially considered, but discarded. We wouldn't get single-sign-out on open URLs, and sign-out would be delayed.
It?s not ideal, but in practice it would probably be OK? except that later on in the request, Undertow (in Wildfly) would throw an exception whenever someone invoked getSession(...) and used the returned object. However, apparently there are several bug fixes for this in Undertow, so we can attempt to upgrade and try this approach out. Thanx for the reminder. ~Dan Fra: Stian Thorgersen [mailto:sthorger at redhat.com] Sendt: tirsdag 3. januar 2017 10.53 Til: Dan ?sterberg Kopi: keycloak-user at lists.jboss.org Emne: Re: [keycloak-user] Log out server sessions when using bearer authentication What about a simple filter that looks at the session state from the token and associates it with the http session if one is set? If the tokens session state is different to the http session invalidate it. On 3 January 2017 at 10:39, Dan ?sterberg > wrote: Yes, avoiding to store any security related stuff in the session would ensure that authentication / permissions are read from the current access token. But? the entire problem isn?t solved, since the server session still won?t be invalidated. Lets say I log in and trigger some REST calls. For some of those, a session is created, storing my personal information. Then I log out ? from Keycloak. You log in, and get a new security context but can access my personal information still stored in my old server session. (Naturally, this also goes for the same user logging in again ? seing old session data that he shouldn?t see. It?s just a less severe issue.) When logging out normally, the client can trigger logout from all x webapps it (might) have accessed. But that won?t happen when logging out via another webapp, or kicking out a session from Keycloak admin console. Maybe the problem isn?t so big if all precautions are taken. But it?s still a problem, and I still can?t see how it can be completely solved other than by one of the two approaches I outlined. ~Dan Fra: Stian Thorgersen [mailto:sthorger at redhat.com] Sendt: tirsdag 3. 
januar 2017 10.26 Til: Dan ?sterberg > Kopi: keycloak-user at lists.jboss.org Emne: Re: [keycloak-user] Log out server sessions when using bearer authentication As I suggested just make sure the sessions don't contain the security context and that all requests that require security include an access token even when there is a session. Problem solved. Or the much more complicated approach and find some way of centrally track all sessions to all REST services to destroy all session on logout. Keycloak can't do that as we only track sessions from application that do the actual login not services that are invoked by those applications. On 3 January 2017 at 10:06, Dan ?sterberg > wrote: The other way around ? to _mainly_ use stateless REST services. With client-controlled tokens. The fact that single-sign-out wont affect the client until token renewal is attempted is OK. And in most cases we?ll even eagerly detect that, using a simple a cookie-logic. But the problem is if/when some REST call creates a session. Then that session won?t be invalidated, even if the user (or another user) logs into Keycloak again. We need to address that somehow. As I see it, we either need to: 1) Prevent session creation. Easy said, but we don?t control all code, and it?s fairly easy for one programmer to accidentally e.g. inject a session-scoped WELD bean in code reachable from a REST service. If going for this route, we?d at least need mechanisms for detecting if a session was after all created, and notify developers plus maybe auto-destroy it. Or wrap the request so that sessions aren?t created (with uncertain consequences). Since parts of the webapps + shared libraries might be used statefully, it gets a bit messy. 2) Connect all sessions to the single-sign-out controller (Keycloak). I evaluated 2) to be the cleaner approach, but wanted to know if Keycloak has some built-in solution. ~Dan Fra: Stian Thorgersen [mailto:sthorger at redhat.com] Sendt: tirsdag 3. 
januar 2017 08.52 Til: Dan ?sterberg > Kopi: keycloak-user at lists.jboss.org Emne: Re: [keycloak-user] Log out server sessions when using bearer authentication Not really following what you are saying. Are you saying you want your REST services to be stateful and use cookie based security rather than tokens? Or the other way around? On 3 January 2017 at 08:40, Dan ?sterberg > wrote: Thanx for the reply. But wouldn?t that be a bit against the whole point with token based authentication? We?ve used Jasig CAS before, and thereby used internal server-only authentication + server session. That?s very similar to Keycloak used the way you describe ? and limiting in several ways. If that was the only option, we would have stayed with CAS. Being stateless & having more control in the client is certainly beneficial in a client-heavy REST-based application, where the client accesses multiple webapps (within the same realm). I guess we?ll just have to implement some in-house solution then... ~Dan Fra: Stian Thorgersen [mailto:sthorger at redhat.com] Sendt: mandag 2. januar 2017 15.16 Til: Dan ?sterberg > Kopi: keycloak-user at lists.jboss.org Emne: Re: [keycloak-user] Log out server sessions when using bearer authentication There's no standard way of doing backchannel logout with OAuth2. There's a draft spec for OpenID Connect that we may implement in the future. Keycloak has it's own proprietary backchannel logout, but that's only for applications that do the login. In your case as it's a JS app that obtains the tokens there's no backchannel logout involved and instead it relies on the session cookie + access token timeout. Assuming your JEE app is a rest service it should create a session that allows invoking without a access token from the JS app. That way it won't be possible for the JS app to invoke it once the session is logged out as it won't be able to obtain new access tokens. 
On 29 December 2016 at 11:27, Dan Østerberg wrote: Hi, How can we make single sign out work when passing bearer tokens to a server guarded by a "traditional" session based Oauth2 client / adapter? Let's say we use bearer authentication via the Javascript adapter, and make REST requests to a stateless (no session) server. Let's further say that during some later request, a server session will be created, either intentionally to store state, or unintentionally e.g. by some shared code (since sessions are auto-created in Java EE). Now single sign out won't work, because Keycloak is neither aware of the server session nor the Oauth2 client that has an admin URL. One solution could be to detect the creation of a session, and internally via an extended REST API tell the Keycloak server to create a session also for the client with admin URL (connecting it to the created session ID). But it just sounds as if this should be covered out-of-the-box, so maybe I'm just missing or misunderstanding something... ~Dan _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From pulgupta at redhat.com Tue Jan 3 05:47:54 2017 From: pulgupta at redhat.com (Pulkit Gupta) Date: Tue, 3 Jan 2017 16:17:54 +0530 Subject: [keycloak-user] Flow supported by keycloak for openId connect and jboss In-Reply-To: References: <3emgbpoa0tbq14h7kbq2u2kb.1482943436594@email.android.com> Message-ID: I am using JBoss EAP. Regards, Pulkit On Mon, Jan 2, 2017 at 7:35 PM, Stian Thorgersen wrote: > By JBoss do you mean WildFly and/or JBoss EAP? If so use our adapters and > don't worry about the protocol details. > > On 28 December 2016 at 17:43, Amaeztu wrote: > >> Hello, >> >> The keycloak software fully passes the openid connect certification. >> >> http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html?m=1 >> >> The flow to use in your application is up to you. >> >> Sent from my Sony Xperia phone
>> >> ---- Pulkit Gupta wrote ---- >> >> >Hi Team, >> > >> >I have a basic question which I searched through the documentation but >> was >> >not able to find. >> >Can you please let me know which flow is supported by keycloak for OpenId >> >on jboss platform. >> > >> >I am exploring openID connect as a way to secure my Java applications >> using >> >keycloak. >> >These applications are hosted on jboss. >> > >> >-- >> >Thanks, >> >Pulkit >> >AMS >> >_______________________________________________ >> >keycloak-user mailing list >> >keycloak-user at lists.jboss.org >> >https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- Thanks, Pulkit AMS From sthorger at redhat.com Tue Jan 3 06:05:14 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 3 Jan 2017 12:05:14 +0100 Subject: [keycloak-user] Log out server sessions when using bearer authentication In-Reply-To: References: Message-ID: Invalidating the session wouldn't have any effect on invalidating the access token in either case. So if any "service" or intermediary keeps the access token around there's not really a way to invalidate it with the exception of pushing a not before policy for the realm or checking the tokens using the token introspection endpoint for each and every request. Sign out does however invalidate the session cookie which results in keycloak.js dropping the tokens from memory. It's also less important for the JS adapter as it doesn't actually store the tokens at all. So once the tab is closed it's lost the tokens in any case. On 3 January 2017 at 11:31, Dan Østerberg wrote: > That was actually a third alternative that we also initially considered, > but discarded. We wouldn't get single-sign-out on open URLs, and sign-out > would be delayed.
It's not ideal, but in practice it would probably be OK, > except that later on in the request, Undertow (in Wildfly) would throw an > exception whenever someone invoked getSession(...) and used the returned > object. However, apparently there are several bug fixes for this in > Undertow, so we can attempt to upgrade and try this approach out. Thanks for > the reminder. > > > > ~Dan > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Tuesday 3 January 2017 10:53 > > *To:* Dan Østerberg > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Log out server sessions when using bearer > authentication > > > > What about a simple filter that looks at the session state from the token > and associates it with the http session if one is set? If the token's > session state is different from the http session, invalidate it. > > > > On 3 January 2017 at 10:39, Dan Østerberg wrote: > > Yes, avoiding storing any security related stuff in the session would > ensure that authentication / permissions are read from the current access > token. But... the entire problem isn't solved, since the server session still > won't be invalidated. Let's say I log in and trigger some REST calls. For > some of those, a session is created, storing my personal information. Then > I log out, from Keycloak. You log in, and get a new security context but > can access my personal information still stored in my old server session. (Naturally, > this also goes for the same user logging in again, seeing old session data > that he shouldn't see. It's just a less severe issue.) > > > > When logging out normally, the client can trigger logout from all x > webapps it (might) have accessed. But that won't happen when logging out > via another webapp, or kicking out a session from Keycloak admin console. > > > > Maybe the problem isn't so big if all precautions are taken.
But it's > still a problem, and I still can't see how it can be completely solved > other than by one of the two approaches I outlined. > > > > ~Dan > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Tuesday 3 January 2017 10:26 > > > *To:* Dan Østerberg > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Log out server sessions when using bearer > authentication > > > > As I suggested just make sure the sessions don't contain the security > context and that all requests that require security include an access token > even when there is a session. Problem solved. > > > > Or the much more complicated approach and find some way of centrally tracking > all sessions to all REST services to destroy all sessions on logout. > Keycloak can't do that as we only track sessions from applications that do > the actual login, not services that are invoked by those applications. > > > > On 3 January 2017 at 10:06, Dan Østerberg wrote: > > The other way around, to _*mainly*_ use stateless REST services. With > client-controlled tokens. > > > > The fact that single-sign-out won't affect the client until token renewal > is attempted is OK. And in most cases we'll even eagerly detect that, > using simple cookie logic. But the problem is if/when some REST call > creates a session. Then that session won't be invalidated, even if the user > (or another user) logs into Keycloak again. We need to address that somehow. > > > > As I see it, we either need to: > > 1) Prevent session creation. Easily said, but we don't control all > code, and it's fairly easy for one programmer to accidentally e.g. inject a > session-scoped WELD bean in code reachable from a REST service. If going > for this route, we'd at least need mechanisms for detecting if a session > was after all created, and notify developers plus maybe auto-destroy it. Or > wrap the request so that sessions aren't created (with uncertain > consequences).
Since parts of the webapps + shared libraries might be > used statefully, it gets a bit messy. > > 2) Connect all sessions to the single-sign-out controller (Keycloak). > > > > I evaluated 2) to be the cleaner approach, but wanted to know if Keycloak > has some built-in solution. > > > > ~Dan > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Tuesday 3 January 2017 08:52 > > > *To:* Dan Østerberg > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Log out server sessions when using bearer > authentication > > > > Not really following what you are saying. Are you saying you want your > REST services to be stateful and use cookie based security rather than > tokens? Or the other way around? > > > > On 3 January 2017 at 08:40, Dan Østerberg wrote: > > Thanks for the reply. But wouldn't that be a bit against the whole point > of token based authentication? We've used Jasig CAS before, and thereby > used internal server-only authentication + server session. That's very > similar to Keycloak used the way you describe, and limiting in several > ways. If that was the only option, we would have stayed with CAS. Being > stateless & having more control in the client is certainly beneficial in a > client-heavy REST-based application, where the client accesses multiple > webapps (within the same realm). > > > > I guess we'll just have to implement some in-house solution then... > > > > ~Dan > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Monday 2 January 2017 15:16 > *To:* Dan Østerberg > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Log out server sessions when using bearer > authentication > > > > There's no standard way of doing backchannel logout with OAuth2. There's a > draft spec for OpenID Connect that we may implement in the future. > > > > Keycloak has its own proprietary backchannel logout, but that's only for > applications that do the login.
In your case as it's a JS app that obtains > the tokens there's no backchannel logout involved and instead it relies on > the session cookie + access token timeout. Assuming your JEE app is a rest > service it should create a session that allows invoking without an access > token from the JS app. That way it won't be possible for the JS app to > invoke it once the session is logged out as it won't be able to obtain new > access tokens. > > > > On 29 December 2016 at 11:27, Dan Østerberg wrote: > > Hi, > > How can we make single sign out work when passing bearer tokens to a > server guarded by a "traditional" session based Oauth2 client / adapter? > > Let's say we use bearer authentication via the Javascript adapter, and make > REST requests to a stateless (no session) server. Let's further say that > during some later request, a server session will be created, either > intentionally to store state, or unintentionally e.g. by some shared code > (since sessions are auto-created in Java EE). Now single sign out won't > work, because Keycloak is neither aware of the server session nor the > Oauth2 client that has an admin URL. > > One solution could be to detect the creation of a session, and internally > via an extended REST API tell the Keycloak server to create a session also > for the client with admin URL (connecting it to the created session ID). > But it just sounds as if this should be covered out-of-the-box, so maybe > I'm just missing or misunderstanding something...
> > ~Dan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > From sthorger at redhat.com Tue Jan 3 06:07:11 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 3 Jan 2017 12:07:11 +0100 Subject: [keycloak-user] Flow supported by keycloak for openId connect and jboss In-Reply-To: References: <3emgbpoa0tbq14h7kbq2u2kb.1482943436594@email.android.com> Message-ID: Use our adapter then and you'll get the best experience On 3 January 2017 at 11:47, Pulkit Gupta wrote: > I am using JBoss EAP. > > Regards, > Pulkit > > > On Mon, Jan 2, 2017 at 7:35 PM, Stian Thorgersen > wrote: > >> By JBoss do you mean WildFly and/or JBoss EAP? If so use our adapters and >> don't worry about the protocol details. >> >> On 28 December 2016 at 17:43, Amaeztu wrote: >> >>> Hello, >>> >>> The keycloak software fully passes the openid connect certification. >>> >>> http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html?m=1 >>> >>> The flow to use in your application is up to you. >>> >>> Sent from my Sony Xperia phone >>> >>> ---- Pulkit Gupta wrote ---- >>> >>> >Hi Team, >>> > >>> >I have a basic question which I searched through the documentation but >>> was >>> >not able to find. >>> >Can you please let me know which flow is supported by keycloak for >>> OpenId >>> >on jboss platform. >>> > >>> >I am exploring openID connect as a way to secure my Java applications >>> using >>> >keycloak. >>> >These applications are hosted on jboss.
>>> > >>> >-- >>> >Thanks, >>> >Pulkit >>> >AMS >>> >_______________________________________________ >>> >keycloak-user mailing list >>> >keycloak-user at lists.jboss.org >>> >https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > > -- > Thanks, > Pulkit > AMS > From sblanc at redhat.com Tue Jan 3 08:57:08 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 3 Jan 2017 14:57:08 +0100 Subject: [keycloak-user] how to intercept/flow: VerificationException: Token is not active In-Reply-To: References: <2c96821bfa22035eaa8b54da720b5378.squirrel@neposoft.com> Message-ID: Yes the frontend should provide the refreshed token, how does your angular code work? Have you seen the example here: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular-product-app/src/main/webapp/js/app.js#L64-L69 ? On Thu, Dec 22, 2016 at 12:36 PM, java_os wrote: > I would think that the front end would block or renew the token and send > into the call a valid token to the bearer call. > I am passing the token extracted from the front-end into the header to the > bearer rest call. So does keycloak.js re-issue a new valid token if the > existing one expired? Currently it does not since I am seeing > VerificationException on the bearer rest layer. > thoughts??? > > > Forgot to mention that the angular piece is under keycloak.js and so this > > may be able to expire the session before A or B's token becomes > inactive? > > Overall am trying to see how others handle this, as I think this is a > > regular web/rest scenario that I am not the only one doing it. > > Hoping to get some help from whoever. > > Thanks > > > >> Hi > >> I have 2 bearer rest layers (A,B): A calls B. In front I have an angular > >> web layer calling A -> B.
> >> > >> What are the best practices to handle "Token is not active" when the user > >> sits > >> in front idle and the token becomes inactive, http session still valid but > >> KC > >> token expired? If B reaches token not active, on the call from A to B - > >> how would I propagate this to the front layer? > >> A has to consume the ValidationException from B and notify the front layer > >> to > >> auto logout or prompt the user with a message saying 'your session > >> expired, please login' or automatically throw the user into the login > >> prompt in front. > >> > >> For this scenario above, anyone share some thoughts? > >> Thanks > >> > > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From deepu.laghuvaram at gmail.com Tue Jan 3 10:03:00 2017 From: deepu.laghuvaram at gmail.com (Deepu Laghuvaram) Date: Tue, 3 Jan 2017 10:03:00 -0500 Subject: [keycloak-user] Are there any clients(retail) are using keycloak as their sso solution in production? In-Reply-To: References: <1482245503.13800.11.camel@redhat.com> Message-ID: Thanks for the response Stian, I don't have access to download from the link you provided as well. On Mon, Jan 2, 2017 at 3:20 AM, Stian Thorgersen wrote: > Sorry for the late reply, but I've been away on Christmas holiday. > > I've sent a mail to look into why there's no evaluation option there. In > the mean time do you have access to download from https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=core.service.rhsso ? > > On 21 December 2016 at 16:09, Raghu Laghuvaram > wrote: > >> Stian Thorgersen, >> Thanks for your response and information. >> You said we can evaluate the RH-SSO, but when I go to >> https://access.redhat.com/downloads/ I don't see an option as "Start >> Evaluation" for Red Hat Single Sign-On, am I looking at the wrong place?
>> >> On Wed, Dec 21, 2016 at 12:55 AM, Stian Thorgersen >> wrote: >> >>> You can evaluate RH-SSO without contacting sales. It's available at >>> http://access.redhat.com/. Sales may be able to give you some customer >>> references if you ask them. >>> >>> FYI RH-SSO 7.0.0.GA is based on Keycloak 1.9.8.Final, while RH-SSO >>> 7.1.0.GA will be based on Keycloak 2.5.z.Final. >>> >>> On 20 December 2016 at 19:16, Raghu Laghuvaram < >>> deepu.laghuvaram at gmail.com> wrote: >>> >>>> Josh Cain, >>>> Thanks for your response, If possible would you be able to let us >>>> know if there are any clients(retail) using RH-SSO in production other than >>>> Red >>>> Hat? And coming to RH-SSO, I don't see an option for evaluating it, I >>>> think >>>> I need to contact sales even for that. I will talk to my leadership and >>>> proceed further. >>>> >>>> Thanks, >>>> Deep. >>>> >>>> On Tue, Dec 20, 2016 at 9:51 AM, Josh Cain wrote: >>>> >>>> > Hi Raghu, >>>> > >>>> > I can say that Red Hat (access.redhat.com, developers.redhat.com, >>>> etc.) >>>> > uses RH-SSO (the enterprise bits for Keycloak), and it has done very >>>> > well overall as a solution. >>>> > >>>> > If you're wanting to know more about enterprise level support, I'd >>>> > contact sales and strongly consider RH-SSO over Keycloak. >>>> > >>>> > -- >>>> > Josh Cain | Software Applications Engineer >>>> > Identity and Access Management >>>> > Red Hat >>>> > +1 256-452-0150 >>>> > >>>> > On Mon, 2016-12-19 at 15:17 -0500, Raghu Laghuvaram wrote: >>>> > > We are evaluating Keycloak as SSO solution for our retail >>>> application >>>> > > and >>>> > > we would like to know if there are any clients using Keycloak SSO >>>> > > solution >>>> > > in their production? It would give us a lot of confidence if we know >>>> > > that >>>> > > someone is already using it in their production.
>>>> > > >>>> > > >>>> > > Thanks, >>>> > > Deep >>>> > > _______________________________________________ >>>> > > keycloak-user mailing list >>>> > > keycloak-user at lists.jboss.org >>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > From david_delbecq at trimble.com Tue Jan 3 10:09:50 2017 From: david_delbecq at trimble.com (David Delbecq) Date: Tue, 03 Jan 2017 15:09:50 +0000 Subject: [keycloak-user] remove permission to a group of users (veto keycloak auth) Message-ID: Hello, I'm trying to find out the best way to migrate one of our current behaviours to a keycloak based installation. We currently have a many to one relationship between user account and companies. A company can have multiple users in the application. We need to be able to disable a complete company on one application. What is the best approach to doing this? I tried (and failed) to create an additional required login module in wildfly and have this return false on login() if the company has not been enabled in the application. It seems that when you come with a bearer token, you don't go into login modules (neither mine nor the keycloak one), you are just immediately recognized by the subsystem which then bypasses the jaas login modules of keycloak. I can't just disable the users, as they still need to be able to log in on our other applications. I was thinking of using Groups in keycloak, one for each company&application combo and add / remove an automatic required role to block access to disabled companies. But it means a double maintenance between keycloak and our internal database to maintain the list of companies. Is there some way to tap into the wildfly keycloak subsystem to veto valid authentications? thank you.
-- David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 Direct david.delbecq at trimbletl.com From bburke at redhat.com Tue Jan 3 12:20:15 2017 From: bburke at redhat.com (Bill Burke) Date: Tue, 3 Jan 2017 12:20:15 -0500 Subject: [keycloak-user] remove permission to a group of users (veto keycloak auth) In-Reply-To: References: Message-ID: <361405b4-d8fc-8b81-1870-538419eb5063@redhat.com> You could do it in a servlet filter. On 1/3/17 10:09 AM, David Delbecq wrote: > Hello, > I'm trying to find out the best way to migrate one of our current behaviours > to a keycloak based installation. > > We currently have a many to one relationship between user account and > companies. A company can have multiple users in the application. We need to > be able to disable a complete company on one application. What is the best > approach to doing this? > > I tried (and failed) to create an additional required login module in > wildfly and have this return false on login() if the company has not been > enabled in the application. It seems that when you come with a bearer token, > you don't go into login modules (neither mine nor the keycloak one), you > are just immediately recognized by the subsystem which then bypasses the jaas > login modules of keycloak. > > I can't just disable the users, as they still need to be able to log in on > our other applications. > > I was thinking of using Groups in keycloak, one for each > company&application combo and add / remove an automatic required role to > block access to disabled companies. But it means a double maintenance > between keycloak and our internal database to maintain the list of > companies. > > Is there some way to tap into the wildfly keycloak subsystem to veto valid > authentications? > > thank you.
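Two answers in this archive point at the same place: Stian's suggestion in the "Log out server sessions when using bearer authentication" thread (a filter that reads the session state from the token, binds it to the HTTP session and invalidates the session when they differ) and Bill's one-liner above that the per-company veto "could do it in a servlet filter". The filter below is an added example written for this page, not code from the Keycloak project or from either poster. It assumes a bearer-only WildFly/EAP adapter deployment, where the adapter has already verified the token and stored a KeycloakSecurityContext as a request attribute (that lookup is the adapter's documented way to reach the token; everything else is an assumption for illustration): the class and attribute names, a custom "company" claim that a protocol mapper would have to put into the access token, and the in-memory set standing in for the application's own table of disabled companies.

```java
// Added example (not Keycloak project code). One servlet filter that runs after the
// Keycloak WildFly/EAP adapter has authenticated the request, so it also sees bearer
// requests, which never reach the JAAS login modules. It
//  1. vetoes users whose company is disabled for this application, and
//  2. binds any HTTP session to the Keycloak session_state it was created under and
//     invalidates the session when a token from a different SSO session turns up.
// Assumptions: claim name "company" (set by a protocol mapper), the disabled-company
// set (stand-in for the app database), and all names in this file.
import java.io.IOException;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

@WebFilter(urlPatterns = "/*")
public class TokenSessionGuardFilter implements Filter {

    /** Session attribute: the Keycloak session_state this HTTP session belongs to. */
    static final String SESSION_STATE_ATTR = "keycloak.session_state";
    /** Hypothetical claim name; a user-attribute protocol mapper would add it to the token. */
    static final String COMPANY_CLAIM = "company";

    /** Stand-in for the application's own table of companies disabled for this app. */
    private final Set<String> disabledCompanies = ConcurrentHashMap.newKeySet();

    @Override
    public void init(FilterConfig filterConfig) {
        // Constructed sample data; a real deployment loads this from the app database.
        disabledCompanies.add("acme-logistics");
    }

    /** Lets the application toggle a company without touching Keycloak at all. */
    public void setCompanyDisabled(String company, boolean disabled) {
        if (disabled) disabledCompanies.add(company); else disabledCompanies.remove(company);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The adapter stores the verified token here on every authenticated request.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // No token on this request: a leftover HTTP session must never stand in for one.
            dropSession(request);
            chain.doFilter(req, res);
            return;
        }
        AccessToken token = ctx.getToken();

        // 1. Veto by company. Only the user->company mapping lives in Keycloak;
        //    the enabled/disabled decision stays in the application.
        String company = claimAsString(token, COMPANY_CLAIM);
        if (company == null || disabledCompanies.contains(company)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "company not enabled");
            return;
        }

        // 2. A session that already exists must be bound to the SSO session of the
        //    presented token; anything else (other user, earlier login) is stale.
        HttpSession session = request.getSession(false);
        if (session != null
                && !Objects.equals(session.getAttribute(SESSION_STATE_ATTR), token.getSessionState())) {
            session.invalidate();
        }

        chain.doFilter(req, res);

        // A session created further down the chain (on purpose or by accident) is bound
        // in the same request, so a later login can never pick it up unnoticed.
        HttpSession created = request.getSession(false);
        if (created != null && created.getAttribute(SESSION_STATE_ATTR) == null) {
            created.setAttribute(SESSION_STATE_ATTR, token.getSessionState());
        }
    }

    private static void dropSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
    }

    private static String claimAsString(AccessToken token, String name) {
        Map<String, Object> other = token.getOtherClaims();
        Object value = other == null ? null : other.get(name);
        return value == null ? null : value.toString();
    }

    @Override
    public void destroy() {
        disabledCompanies.clear();
    }
}
```

The filter never stores the security context itself in the session, which is the other half of Stian's advice: authorization is always taken from the token on the current request, and the session only ever carries application state tagged with the session_state that created it. It does not make a leaked access token unusable; as Stian notes, only a not-before push for the realm or per-request token introspection does that. If the same deployment also performs browser login through the adapter rather than being bearer-only, leave the unauthenticated branch alone, because that adapter keeps its own state in the HTTP session and invalidating it would log the user out of the adapter.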
From Michael.Jacobs at nuance.com Tue Jan 3 12:21:24 2017 From: Michael.Jacobs at nuance.com (Jacobs, Michael) Date: Tue, 3 Jan 2017 17:21:24 +0000 Subject: [keycloak-user] [EXTERNAL] Re: Cross-Site Replication In-Reply-To: References: Message-ID: Thanks for posting this, I will model it out. I assume this solution still requires DB replication to keep the underlying persisted data in sync. All that is replicating is the invalidation messages to keep the in-memory caches in sync, correct? MJ -----Original Message----- From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Monday, December 19, 2016 1:23 AM To: stian at redhat.com; Jacobs, Michael Cc: keycloak-user at lists.jboss.org Subject: [EXTERNAL] Re: [keycloak-user] Cross-Site Replication On 19/12/16 09:49, Stian Thorgersen wrote: > We don't currently support cross-DC replication very well and it is > something we are looking at improving in 2017. We're tackling this in > stages: > > 1. Dealing with invalidation caches cross-DC - this is already > resolved and is done by using external Infinispan/JDG to replicate > invalidation messages cross-DC. I don't think we have documentation on > how to set this up yet though. I've added some notes for the basic setup https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md . This is the setup for 1 external JDG server and with 2 Keycloak nodes, which are not in the cluster, but they both talk to the JDG server. Feel free to check it, just be aware of all the limitations related to sessions (points 2,3,4) . Marek > 2. Support with session affinity to a specific DC - as long as all > requests for a session are made to the same cluster everything should work > already.
This is simpler to setup for SAML than for OIDC due to OIDC > backchannel requests from both browser and applications for the same session > 3. Support session replication - this requires a fair bit of rework on how > we do sessions, including during authentication flows, as currently there > are too many updates to a session to fully replicate these cross DCs > 4. Support without session affinity - allow requests to go to any DC for > any session > > On 16 December 2016 at 20:23, Jacobs, Michael > wrote: > >> Greetings, >> >> I am looking at setting up Cross-site replication for multiple Keycloak >> clusters, possibly using DB replication. I found this question asked back >> in May 2016, with no reply. >> >> http://lists.jboss.org/pipermail/keycloak-user/2016-May/006142.html >> >> Does anyone know the best way to set this up?
>> >> >> MJ >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From philenz at gmail.com Tue Jan 3 19:57:16 2017 From: philenz at gmail.com (Phil Evans) Date: Wed, 04 Jan 2017 00:57:16 +0000 Subject: [keycloak-user] Error when upgrading from keycloak 2.1.0.Final to 2.5.0.Final Message-ID: Hi all, I'm trying to upgrade the version of Keycloak my application is using from 2.1.0.Final to 2.5.0.Final. Unfortunately, when my app starts up I see...
00:35:14,234 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0180: Services with missing/unavailable dependencies" => [ "jboss.concurrent.ee.context.config.auth.auth is missing [jboss.infinispan.keycloak.keys]", "jboss.naming.context.java.module.auth.auth.InstanceName is missing [jboss.infinispan.keycloak.keys]", "jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing [jboss.infinispan.keycloak.keys]", "jboss.naming.context.java.module.auth.auth.ModuleName is missing [jboss.infinispan.keycloak.keys]", "jboss.deployment.unit.\"keycloak-server.war\".jca.cachedConnectionManagerSetupProcessor is missing [jboss.infinispan.keycloak.keys]", "jboss.naming.context.java.module.auth.auth is missing [jboss.infinispan.keycloak.keys]", "jboss.naming.context.java.module.auth.auth.Validator is missing [jboss.infinispan.keycloak.keys]", "jboss.naming.context.java.module.auth.auth.InAppClientContainer is missing [jboss.infinispan.keycloak.keys]", "jboss.naming.context.java.app.auth.AppName is missing [jboss.infinispan.keycloak.keys]", "jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service is missing [jboss.infinispan.keycloak.keys]", "jboss.naming.context.java.app.auth is missing [jboss.infinispan.keycloak.keys]", "jboss.naming.context.java.module.auth.auth.ValidatorFactory is missing [jboss.infinispan.keycloak.keys]" ]} 00:35:14,344 INFO [org.jboss.as.server] (ServerService Thread Pool -- 45) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") 00:35:14,348 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report WFLYCTL0184: New missing/unsatisfied dependencies: service jboss.infinispan.keycloak.keys (missing) dependents: [service jboss.naming.context.java.app.auth.AppName, service
jboss.deployment.unit."keycloak-server.war".jca.cachedConnectionManagerSetupProcessor, service jboss.naming.context.java.module.auth.auth.InAppClientContainer, service jboss.naming.context.java.module.auth.auth.ValidatorFactory, WFLYCTL0208: ... and 9 more ] What's changed to cause this error I'm not seeing with version 2.1.0.Final??? Thanks in advance, Phil From sthorger at redhat.com Wed Jan 4 00:47:31 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 4 Jan 2017 06:47:31 +0100 Subject: [keycloak-user] [EXTERNAL] Re: Cross-Site Replication In-Reply-To: References: Message-ID: Yes, db replication is still required On 3 January 2017 at 18:21, Jacobs, Michael wrote: > Thanks for posting this, I will model it out. I assume this solution > still requires DB replication to keep the underlying persisted data in > sync. All that is replicating is the invalidation messages to keep the > in-memory caches in sync, correct? > > MJ > > -----Original Message----- > From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: Monday, December 19, 2016 1:23 AM > To: stian at redhat.com; Jacobs, Michael > Cc: keycloak-user at lists.jboss.org > Subject: [EXTERNAL] Re: [keycloak-user] Cross-Site Replication > > On 19/12/16 09:49, Stian Thorgersen wrote: > > We don't currently support cross-DC replication very well and it is > > something we are looking at improving in 2017. We're tackling this in > > stages: > > > > 1. Dealing with invalidation caches cross-DC - this is already > > resolved and is done by using external Infinispan/JDG to replicate > > invalidation messages cross-DC. I don't think we have documentation on > > how to set this up yet though. > I've added some notes for the basic setup
> https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md > . This is the setup for 1 external JDG server and with 2 Keycloak nodes, > which are not in the cluster, but they both talk to the JDG server. Feel > free to check it, just be aware of all the limitations related to sessions > (points 2,3,4) . > > Marek > > 2. Support with session affinity to a specific DC - as long as all > > requests for a session are made to the same cluster everything should work > > already. This is simpler to setup for SAML than for OIDC due to OIDC > > backchannel requests from both browser and applications for the same > session > > 3. Support session replication - this requires a fair bit of rework on > how > > we do sessions, including during authentication flows, as currently there > > are too many updates to a session to fully replicate these cross DCs > > 4. Support without session affinity - allow requests to go to any DC for > > any session > > > > On 16 December 2016 at 20:23, Jacobs, Michael > > > wrote: > > > >> Greetings, > >> > >> I am looking at setting up Cross-site replication for multiple Keycloak > >> clusters, possibly using DB replication. I found this question asked > back > >> in May 2016, with no reply. > >> > >> http://lists.jboss.org/pipermail/keycloak-user/2016-May/006142.html > >> > >> Does anyone know the best way to set this up?
> >> > >> > >> MJ > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From sthorger at redhat.com Wed Jan 4 01:08:15 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 4 Jan 2017 07:08:15 +0100 Subject: [keycloak-user] Error when upgrading from keycloak 2.1.0.Final to 2.5.0.Final In-Reply-To: References: Message-ID: There are some changes required to standalone.xml that we've forgotten to mention in the migration guide: Replace .... with: On 4 January 2017 at 01:57, Phil Evans wrote: > Hi all, > > I'm trying to upgrade the version of Keycloak my application is using from > 2.1.0.Final to 2.5.0.Final. > > Unfortunately, when my app starts up I see...
> > 00:35:14,234 ERROR > [org.jboss.as.controller.management-operation] (Controller Boot > Thread) WFLYCTL0013: Operation ("add") failed - address: > ([("deployment" => "keycloak-server.war")]) - failure description: > {"WFLYCTL0180: Services with missing/unavailable dependencies" => [ > "jboss.concurrent.ee.context.config.auth.auth is missing > [jboss.infinispan.keycloak.keys]", > "jboss.naming.context.java.module.auth.auth.InstanceName is > missing [jboss.infinispan.keycloak.keys]", > "jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing > [jboss.infinispan.keycloak.keys]", > "jboss.naming.context.java.module.auth.auth.ModuleName is missing > [jboss.infinispan.keycloak.keys]", > "jboss.deployment.unit.\"keycloak-server.war\".jca. > cachedConnectionManagerSetupProcessor > is missing [jboss.infinispan.keycloak.keys]", > "jboss.naming.context.java.module.auth.auth is missing > [jboss.infinispan.keycloak.keys]", > "jboss.naming.context.java.module.auth.auth.Validator is missing > [jboss.infinispan.keycloak.keys]", > "jboss.naming.context.java.module.auth.auth.InAppClientContainer > is missing [jboss.infinispan.keycloak.keys]", > "jboss.naming.context.java.app.auth.AppName is missing > [jboss.infinispan.keycloak.keys]", > "jboss.deployment.unit.\"keycloak-server.war\".ejb3.
> client-context.registration-service > is missing [jboss.infinispan.keycloak.keys]", > "jboss.naming.context.java.app.auth is missing > [jboss.infinispan.keycloak.keys]", > "jboss.naming.context.java.module.auth.auth.ValidatorFactory is > missing [jboss.infinispan.keycloak.keys]" > ]} > [0m [0m00:35:14,344 INFO [org.jboss.as.server] (ServerService Thread > Pool -- 45) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name > : "keycloak-server.war") > [0m [0m00:35:14,348 INFO [org.jboss.as.controller] (Controller Boot > Thread) WFLYCTL0183: Service status report > WFLYCTL0184: New missing/unsatisfied dependencies: > service jboss.infinispan.keycloak.keys (missing) dependents: > [service jboss.naming.context.java.app.auth.AppName, service > jboss.deployment.unit."keycloak-server.war".jca. > cachedConnectionManagerSetupProcessor, > service jboss.naming.context.java.module.auth.auth.InAppClientContainer, > service jboss.naming.context.java.module.auth.auth.ValidatorFactory, > WFLYCTL0208: ... and 9 more ] > > > What's changed to cause this error I'm not seeing with version > 2.1.0.Final??? > > Thanks in advance, > Phil > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Wed Jan 4 01:11:22 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 4 Jan 2017 07:11:22 +0100 Subject: [keycloak-user] Error when upgrading from keycloak 2.1.0.Final to 2.5.0.Final In-Reply-To: References: Message-ID: Added https://issues.jboss.org/browse/KEYCLOAK-4151 to make sure we update the migration guide On 4 January 2017 at 07:08, Stian Thorgersen wrote: > There's some changes required to standalone.xml that we've forgotten to > mention in the migration guide: > > Replace .... 
with: > > > > > > > > > > > > > > > > > > > > > > On 4 January 2017 at 01:57, Phil Evans wrote: > >> Hi all, >> >> I'm trying to upgrade the version of Keycloak my application is using from >> 2.1.0.Final to 2.5.0.Final. >> >> Unfortunately, when my app starts up I see... >> >> [0m [31m00:35:14,234 ERROR >> [org.jboss.as.controller.management-operation] (Controller Boot >> Thread) WFLYCTL0013: Operation ("add") failed - address: >> ([("deployment" => "keycloak-server.war")]) - failure description: >> {"WFLYCTL0180: Services with missing/unavailable dependencies" => [ >> "jboss.concurrent.ee.context.config.auth.auth is missing >> [jboss.infinispan.keycloak.keys]", >> "jboss.naming.context.java.module.auth.auth.InstanceName is >> missing [jboss.infinispan.keycloak.keys]", >> "jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing >> [jboss.infinispan.keycloak.keys]", >> "jboss.naming.context.java.module.auth.auth.ModuleName is missing >> [jboss.infinispan.keycloak.keys]", >> "jboss.deployment.unit.\"keycloak-server.war\".jca.cachedCon >> nectionManagerSetupProcessor >> is missing [jboss.infinispan.keycloak.keys]", >> "jboss.naming.context.java.module.auth.auth is missing >> [jboss.infinispan.keycloak.keys]", >> "jboss.naming.context.java.module.auth.auth.Validator is missing >> [jboss.infinispan.keycloak.keys]", >> "jboss.naming.context.java.module.auth.auth.InAppClientContainer >> is missing [jboss.infinispan.keycloak.keys]", >> "jboss.naming.context.java.app.auth.AppName is missing >> [jboss.infinispan.keycloak.keys]", >> "jboss.deployment.unit.\"keycloak-server.war\".ejb3.client- >> context.registration-service >> is missing [jboss.infinispan.keycloak.keys]", >> "jboss.naming.context.java.app.auth is missing >> [jboss.infinispan.keycloak.keys]", >> "jboss.naming.context.java.module.auth.auth.ValidatorFactory is >> missing [jboss.infinispan.keycloak.keys]" >> ]} >> [0m [0m00:35:14,344 INFO [org.jboss.as.server] (ServerService Thread >> Pool -- 45) 
>> WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name
>> : "keycloak-server.war")
>> [0m [0m00:35:14,348 INFO [org.jboss.as.controller] (Controller Boot
>> Thread) WFLYCTL0183: Service status report
>> WFLYCTL0184: New missing/unsatisfied dependencies:
>> service jboss.infinispan.keycloak.keys (missing) dependents:
>> [service jboss.naming.context.java.app.auth.AppName, service
>> jboss.deployment.unit."keycloak-server.war".jca.cachedConnectionManagerSetupProcessor,
>> service jboss.naming.context.java.module.auth.auth.InAppClientContainer,
>> service jboss.naming.context.java.module.auth.auth.ValidatorFactory,
>> WFLYCTL0208: ... and 9 more ]
>>
>> What's changed to cause this error I'm not seeing with version
>> 2.1.0.Final???
>>
>> Thanks in advance,
>> Phil

From sthorger at redhat.com Wed Jan 4 01:24:13 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 4 Jan 2017 07:24:13 +0100
Subject: [keycloak-user] Keycloak 2.5.0.Final Released
Message-ID:

Keycloak 2.5.0.Final has just been released.

There are no changes since 2.5.0.CR1. To download the release go to the Keycloak homepage. Before you upgrade refer to the migration guide.

From imbacen at gmail.com Wed Jan 4 05:20:23 2017
From: imbacen at gmail.com (cen)
Date: Wed, 4 Jan 2017 11:20:23 +0100
Subject: [keycloak-user] Jetty 503 when secured with confidential client+env vars, works with public
Message-ID: <4e80e2dd-18e3-0280-a730-d3d798c6e509@gmail.com>

I am using embedded Jetty 9.2. If I use a public client with env vars in JSON everything works, if I use env vars for confidential client it breaks with "503 service unavailable".
Works:

{
  "realm": "${env.KC_REALM}",
  "realm-public-key": "${env.KC_PUBLIC_KEY}",
  "auth-server-url": "${env.KC_BASE_URL}",
  "ssl-required": "${env.KC_SSL_REQUIRED}",
  "resource": "${env.KC_RESOURCE}",
  "public-client": true
}

Fails:

{
  "realm": "${env.KC_REALM}",
  "realm-public-key": "${env.KC_PUBLIC_KEY}",
  "auth-server-url": "${env.KC_BASE_URL}",
  "ssl-required": "${env.KC_SSL_REQUIRED}",
  "resource": "${env.KC_CLIENT}",
  "credentials": {
    "secret": "${env.KC_CLIENT_SECRET}"
  },
  "use-resource-mappings": true
}

Confidential client works if I copy-paste the JSON from "Installation" tab directly (without env vars).

I checked at least 10 times that my env vars are correct and that I don't have a typo somewhere.

Unfortunately there are zero logs from Jetty or Keycloak adapter about the problem. How would I go about troubleshooting this?

From mark.schaefer at markschaefer.de Wed Jan 4 06:36:06 2017
From: mark.schaefer at markschaefer.de (Mark Schäfer)
Date: Wed, 4 Jan 2017 12:36:06 +0100
Subject: [keycloak-user] Feature Request: Better ECP Support for Service Provider
Message-ID:

Recently I tried to use SAML ECP (Enhanced Client Profile) with KeyCloak 2.3.0.Final and the Tomcat 7 Adapter for a REST-Service. I am aware that the ECP Support on the SP side is not officially supported and was only implemented for Openstack integration.

Nevertheless I managed to receive a SAML authorization request from the SP, forwarding it to the single configured IP resulting in a SAML assertion. (With KeyCloak 2.5.0.Final the latter did not work anymore and I will post this bug? separately).

The biggest missing feature right now is the missing support for multiple IPs in the SP adapter configuration. ECP allows for multiple IPs in the first response containing the SAML authorization request.

I suggest to either enhance the SP adapter configuration to allow multiple IP elements and to enhance the adapter itself to handle SAML responses from either one of these IPs.
Alternatively, it might be better to enhance KeyCloak itself to redirect the ECP SAML authorisation request to the configured IPs in the brokering section. This seems to be more complicated and I am not sure if SAML or ECP provide this workflow.

Background: the setup of my customer has a REST service as SP providing services for the users of 18+ different IPs, a default client implementation for this service and about 100 different REST client implementations by third party companies. All this takes place in the German public healthcare system. SAML has been a given for a couple of years and the IPs have ample experience with SAML web applications. ECP will become mandatory in the coming months. As a consequence we need solid ECP support on the SP side.

From sthorger at redhat.com Wed Jan 4 07:29:46 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 4 Jan 2017 13:29:46 +0100
Subject: [keycloak-user] Feature Request: Better ECP Support for Service Provider
In-Reply-To: References: Message-ID:

Outside OpenStack we haven't had much demand for ECP which is why it's not been a priority to us. Please create JIRA issues for bugs and enhancements you are looking for, but I can't promise anything with regards to when we can look at it. Bugs affecting OpenStack are obviously something we'd look at with higher priority. If you are able to contribute work including tests we'd be more than happy to accept it.

On 4 January 2017 at 12:36, Mark Schäfer wrote:
> Recently I tried to use SAML ECP (Enhanced Client Profile) with KeyCloak
> 2.3.0.Final and the Tomcat 7 Adapter for a REST-Service. I am aware that
> the ECP Support on the SP side is not officially supported and was only
> implemented for Openstack integration.
>
> Nevertheless I managed to receive a SAML authorization request from the
> SP, forwarding it to the single configured IP resulting in a SAML
> assertion. (With KeyCloak 2.5.0.Final the latter did not work anymore
> and I will post this bug?
> separately).
>
> The biggest missing feature right now is the missing support for
> multiple IPs in the SP adapter configuration. ECP allows for multiple
> IPs in the first response containing the SAML authorization request.
>
> I suggest to either enhance the SP adapter configuration to allow
> multiple IP elements and to enhance the adapter itself to handle SAML
> responses from either one of these IPs.
>
> Alternatively, it might be better to enhance KeyCloak itself to redirect
> the ECP SAML authorisation request to the configured IPs in the
> brokering section. This seems to be more complicated and I am not sure
> if SAML or ECP provide this workflow.
>
> Background: the setup of my customer has a REST service as SP providing
> services for the users of 18+ different IPs, a default client
> implementation for this service and about 100 different REST client
> implementations by third party companies. All this takes place in the
> German public healthcare system. SAML has been a given for a couple of years
> and the IPs have ample experience with SAML web applications. ECP will
> become mandatory in the coming months. As a consequence we need solid
> ECP support on the SP side.

From sthorger at redhat.com Wed Jan 4 07:31:47 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 4 Jan 2017 13:31:47 +0100
Subject: [keycloak-user] Jetty 503 when secured with confidential client+env vars, works with public
In-Reply-To: <4e80e2dd-18e3-0280-a730-d3d798c6e509@gmail.com>
References: <4e80e2dd-18e3-0280-a730-d3d798c6e509@gmail.com>
Message-ID:

Did you bump to trace log on Keycloak server and Jetty? Maybe that'll show something interesting. Where's the 503 coming from? Keycloak or Jetty? What about remote debugging it?

On 4 January 2017 at 11:20, cen wrote:
> I am using embedded Jetty 9.2.
> If I use a public client with env vars in
> JSON everything works, if I use env vars for confidential client it
> breaks with "503 service unavailable".
>
> Works:
>
> {
>   "realm": "${env.KC_REALM}",
>   "realm-public-key": "${env.KC_PUBLIC_KEY}",
>   "auth-server-url": "${env.KC_BASE_URL}",
>   "ssl-required": "${env.KC_SSL_REQUIRED}",
>   "resource": "${env.KC_RESOURCE}",
>   "public-client": true
> }
>
> Fails:
>
> {
>   "realm": "${env.KC_REALM}",
>   "realm-public-key": "${env.KC_PUBLIC_KEY}",
>   "auth-server-url": "${env.KC_BASE_URL}",
>   "ssl-required": "${env.KC_SSL_REQUIRED}",
>   "resource": "${env.KC_CLIENT}",
>   "credentials": {
>     "secret": "${env.KC_CLIENT_SECRET}"
>   },
>   "use-resource-mappings": true
> }
>
> Confidential client works if I copy-paste the JSON from "Installation"
> tab directly (without env vars).
>
> I checked at least 10 times that my env vars are correct and that I
> don't have a typo somewhere.
>
> Unfortunately there are zero logs from Jetty or Keycloak adapter about
> the problem. How would I go about troubleshooting this?

From imbacen at gmail.com Wed Jan 4 09:51:16 2017
From: imbacen at gmail.com (cen)
Date: Wed, 4 Jan 2017 15:51:16 +0100
Subject: [keycloak-user] Jetty 503 when secured with confidential client+env vars, works with public
In-Reply-To:
References: <4e80e2dd-18e3-0280-a730-d3d798c6e509@gmail.com>
Message-ID: <2e55b01b-1d34-73c7-55ea-035b7851b152@gmail.com>

It was due to "use-resource-mappings": true not existing (adapter vs server version mismatch). But the main problem was jetty logging not being configured, hiding the stacktrace. Thanks.

On 04. 01. 2017 at 13:31, Stian Thorgersen wrote:
> Did you bump to trace log on Keycloak server and Jetty? Maybe that'll
> show something interesting. Where's the 503 coming from? Keycloak or
> Jetty?
> What about remote debugging it?
>
> On 4 January 2017 at 11:20, cen wrote:
>
> I am using embedded Jetty 9.2. If I use a public client with env
> vars in
> JSON everything works, if I use env vars for confidential client it
> breaks with "503 service unavailable".
>
> Works:
>
> {
>   "realm": "${env.KC_REALM}",
>   "realm-public-key": "${env.KC_PUBLIC_KEY}",
>   "auth-server-url": "${env.KC_BASE_URL}",
>   "ssl-required": "${env.KC_SSL_REQUIRED}",
>   "resource": "${env.KC_RESOURCE}",
>   "public-client": true
> }
>
> Fails:
>
> {
>   "realm": "${env.KC_REALM}",
>   "realm-public-key": "${env.KC_PUBLIC_KEY}",
>   "auth-server-url": "${env.KC_BASE_URL}",
>   "ssl-required": "${env.KC_SSL_REQUIRED}",
>   "resource": "${env.KC_CLIENT}",
>   "credentials": {
>     "secret": "${env.KC_CLIENT_SECRET}"
>   },
>   "use-resource-mappings": true
> }
>
> Confidential client works if I copy-paste the JSON from "Installation"
> tab directly (without env vars).
>
> I checked at least 10 times that my env vars are correct and that I
> don't have a typo somewhere.
>
> Unfortunately there are zero logs from Jetty or Keycloak adapter about
> the problem. How would I go troubleshooting this?

From Edgar at info.nl Wed Jan 4 11:30:50 2017
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 4 Jan 2017 16:30:50 +0000
Subject: [keycloak-user] Keycloak 2.5.0.Final Released
In-Reply-To: References:
Message-ID: <59595BAD-D09C-49E0-9740-5BCE7A54EDEE@info.nl>

Hi Stian,

I cannot find any Maven artefacts for the 2.5.0.Final release yet? E.g. nothing in: https://mvnrepository.com/artifact/org.keycloak/keycloak-server-spi

Will they be released still or was nothing changed and can we use the 2.4.0.Final artefacts?

cheers

> On 4 Jan 2017, at 07:24, Stian Thorgersen wrote:
>
> Keycloak 2.5.0.Final has just been released.
>
> There are no changes since 2.5.0.CR1. To download the release go to
> the Keycloak homepage. Before you upgrade refer to the migration guide.

From Edgar at info.nl Wed Jan 4 11:55:37 2017
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 4 Jan 2017 16:55:37 +0000
Subject: [keycloak-user] In Keycloak 2.4.0 the keycloak-ldap-federation library misses the org.keycloak.federation.ldap package?!
Message-ID:

Hi,

We have our own custom Keycloak LDAP federation mappers and for this purpose we use the keycloak-ldap-federation.jar library.

In Keycloak 2.4.0.Final this library suddenly seems to be missing the entire org.keycloak.federation.ldap package?! Only the org.keycloak.storage.ldap package seems to be in there now.

We use this package heavily and I think we need to because I don't know of another way to create custom LDAP federation mappers?

E.g. our custom federation mapper extends from the org.keycloak.federation.ldap.mappers.AbstractLDAPFederationMapper class and overrides various methods and therefore needs these classes:

import org.keycloak.federation.ldap.LDAPFederationProvider;
import org.keycloak.federation.ldap.idm.model.LDAPObject;
import org.keycloak.federation.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.federation.ldap.mappers.AbstractLDAPFederationMapper;

Is there another library that contains this package?

cheers

From bburke at redhat.com Wed Jan 4 12:36:32 2017
From: bburke at redhat.com (Bill Burke)
Date: Wed, 4 Jan 2017 12:36:32 -0500
Subject: [keycloak-user] In Keycloak 2.4.0 the keycloak-ldap-federation library misses the org.keycloak.federation.ldap package?!
In-Reply-To: References:
Message-ID: <29f1c6a0-41c9-25c3-2c73-4587034090bf@redhat.com>

New package is org.keycloak.storage.ldap. New classname is AbstractLDAPStorageMapper.
We will be making more changes to LDAP provider soon to support in-memory only (no import). So, this stuff will be in flux for a few more releases.

On 1/4/17 11:55 AM, Edgar Vonk - Info.nl wrote:
> Hi,
>
> We have our own custom Keycloak LDAP federation mappers and for this purpose we use the keycloak-ldap-federation.jar library.
>
> In Keycloak 2.4.0.Final this library suddenly seems to be missing the entire org.keycloak.federation.ldap package?! Only the org.keycloak.storage.ldap package seems to be in there now.
>
> We use this package heavily and I think we need to because I don't know of another way to create custom LDAP federation mappers?
>
> E.g. our custom federation mapper extends from the org.keycloak.federation.ldap.mappers.AbstractLDAPFederationMapper class and overrides various methods and therefore needs these classes:
>
> import org.keycloak.federation.ldap.LDAPFederationProvider;
> import org.keycloak.federation.ldap.idm.model.LDAPObject;
> import org.keycloak.federation.ldap.idm.query.internal.LDAPQuery;
> import org.keycloak.federation.ldap.mappers.AbstractLDAPFederationMapper;
>
> Is there another library that contains this package?
>
> cheers

From pygator at outlook.com Wed Jan 4 17:57:28 2017
From: pygator at outlook.com (Ricardo Chu)
Date: Wed, 4 Jan 2017 22:57:28 +0000
Subject: [keycloak-user] Looking for a company with expertise with keycloak
Message-ID:

We have been using Keycloak and the User Storage Federation functionality on a small scale with good results. Now we would like to implement Keycloak's Identity Broker and User Storage Federation functionality with 50 institutions. These institutions have a variety of IDPs such as SAML, Shibboleth, CAS, LDAP, AD etc.
Does anyone have good recommendations for companies that have experience with implementing Keycloak and the Identity Broker functionality?

Rick

From sthorger at redhat.com Thu Jan 5 02:38:18 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Jan 2017 08:38:18 +0100
Subject: [keycloak-user] Keycloak 2.5.0.Final Released
In-Reply-To: <59595BAD-D09C-49E0-9740-5BCE7A54EDEE@info.nl>
References: <59595BAD-D09C-49E0-9740-5BCE7A54EDEE@info.nl>
Message-ID:

It's in Maven Central [1] so looks like that index is out of date

[1] https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22org.keycloak%22%20AND%20a%3A%22keycloak-server-spi%22

On 4 January 2017 at 17:30, Edgar Vonk - Info.nl wrote:
> Hi Stian,
>
> I cannot find any Maven artefacts for the 2.5.0.Final release yet? E.g.
> nothing in:
> https://mvnrepository.com/artifact/org.keycloak/keycloak-server-spi
>
> Will they be released still or was nothing changed and can we use the
> 2.4.0.Final artefacts?
>
> cheers
>
> > On 4 Jan 2017, at 07:24, Stian Thorgersen wrote:
> >
> > Keycloak 2.5.0.Final has just been released.
> >
> > There are no changes since 2.5.0.CR1. To download the release go to
> > the Keycloak homepage. Before you upgrade refer to the migration guide.

From abhi.raghav007 at gmail.com Thu Jan 5 04:12:10 2017
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Thu, 5 Jan 2017 14:42:10 +0530
Subject: [keycloak-user] Keycloak - SQL server partnership
Message-ID:

Hi

As you all know, Keycloak is saying that they won't support mongo as it lacks transactional support. Hence I was thinking of using SQL server as a potential candidate. Few queries which I have as below:

1. We are envisioning an environment where we will have a lot of keycloak instances.
Each keycloak instance will require its own database. The way we do it right now is that we just bring up a new keycloak instance on DCOS and then specify a new database name resident on the database host and then the instance comes up. We are not sure whether we can do this with SQL server much the same way.

2. Not sure what performance characteristics we will get into with a remote SQL Server?

3. These are linux based container instances that we are setting up for keycloak. Mixing deployment architectures between DCOS containers vs traditional scaling architectures for databases, can it be an issue?

Is there anyone here using SQL server as their backend in keycloak? Did anyone face any bad experiences while using SQL server with Keycloak? Any suggestions for the same are most welcome.

*- Best Regards*
Abhishek Raghav

From Edgar at info.nl Thu Jan 5 05:08:47 2017
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Thu, 5 Jan 2017 10:08:47 +0000
Subject: [keycloak-user] In Keycloak 2.4.0 the keycloak-ldap-federation library misses the org.keycloak.federation.ldap package?!
In-Reply-To: <29f1c6a0-41c9-25c3-2c73-4587034090bf@redhat.com>
References: <29f1c6a0-41c9-25c3-2c73-4587034090bf@redhat.com>
Message-ID:

Thanks Bill! I managed to migrate our code to the new API.

On 4 Jan 2017, at 18:36, Bill Burke wrote:

New package is org.keycloak.storage.ldap. New classname is AbstractLDAPStorageMapper.

We will be making more changes to LDAP provider soon to support in-memory only (no import). So, this stuff will be in flux for a few more releases.

On 1/4/17 11:55 AM, Edgar Vonk - Info.nl wrote:

Hi,

We have our own custom Keycloak LDAP federation mappers and for this purpose we use the keycloak-ldap-federation.jar library.

In Keycloak 2.4.0.Final this library suddenly seems to be missing the entire org.keycloak.federation.ldap package?! Only the org.keycloak.storage.ldap package seems to be in there now.
We use this package heavily and I think we need to because I don't know of another way to create custom LDAP federation mappers?

E.g. our custom federation mapper extends from the org.keycloak.federation.ldap.mappers.AbstractLDAPFederationMapper class and overrides various methods and therefore needs these classes:

import org.keycloak.federation.ldap.LDAPFederationProvider;
import org.keycloak.federation.ldap.idm.model.LDAPObject;
import org.keycloak.federation.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.federation.ldap.mappers.AbstractLDAPFederationMapper;

Is there another library that contains this package?

cheers

From marius.wiencke at comsulting.de Thu Jan 5 07:51:46 2017
From: marius.wiencke at comsulting.de (Dejab)
Date: Thu, 5 Jan 2017 05:51:46 -0700 (MST)
Subject: [keycloak-user] using roles to allow users to access/login to a specific client
Message-ID: <1483620706020-2216.post@n6.nabble.com>

Hi There,

Is there any way to use a client role to allow a user access to this client?

For example I have multiple clients in my realm and some users. Now I would like to use roles (or something else) to allow a user to access / log in to one client but not to the other clients.

Is there a way to do that?

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/using-roles-to-allow-users-to-access-login-to-a-specific-client-tp2216.html
Sent from the keycloak-user mailing list archive at Nabble.com.
From sthorger at redhat.com Thu Jan 5 08:25:29 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Jan 2017 14:25:29 +0100
Subject: [keycloak-user] using roles to allow users to access/login to a specific client
In-Reply-To: <1483620706020-2216.post@n6.nabble.com>
References: <1483620706020-2216.post@n6.nabble.com>
Message-ID:

Yes, just add a check in your app that a user has a required role on the client

On 5 January 2017 at 13:51, Dejab wrote:
> Hi There,
>
> Is there any way to use a client role to allow a user access to this client?
>
> For example I have multiple clients in my realm and some users. Now I would
> like to use roles (or something else) to allow a user to access / log in to
> one client but not to the other clients.
>
> Is there a way to do that?
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/using-roles-to-allow-users-to-access-login-to-a-specific-client-tp2216.html
> Sent from the keycloak-user mailing list archive at Nabble.com.

From marius.wiencke at comsulting.de Thu Jan 5 08:49:41 2017
From: marius.wiencke at comsulting.de (Dejab)
Date: Thu, 5 Jan 2017 06:49:41 -0700 (MST)
Subject: [keycloak-user] using roles to allow users to access/login to a specific client
In-Reply-To:
References: <1483620706020-2216.post@n6.nabble.com>
Message-ID: <1483624181259-2218.post@n6.nabble.com>

Thank you! Sorry, but I'm new with Keycloak. Where do I do this check? Is it a general setting for the realm or for the client? I haven't found a section to do this kind of "checks". I tried to add client -> authorization -> policies / permission but nothing worked for me.
--
View this message in context: http://keycloak-user.88327.x6.nabble.com/using-roles-to-allow-users-to-access-login-to-a-specific-client-tp2216p2218.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From keith.hudson at hudzinga.com Thu Jan 5 09:28:05 2017
From: keith.hudson at hudzinga.com (keith.hudson at hudzinga.com)
Date: Thu, 5 Jan 2017 09:28:05 -0500 (EST)
Subject: [keycloak-user] using roles to allow users to access/login to a specific client
In-Reply-To: <1483624181259-2218.post@n6.nabble.com>
References: <1483620706020-2216.post@n6.nabble.com> <1483624181259-2218.post@n6.nabble.com>
Message-ID: <1483626485.77744426@apps.rackspace.com>

What is your client framework? You should be doing the configuration for roles -> resources in your client project.

-----Original Message-----
From: "Dejab"
Sent: Thursday, January 5, 2017 8:49am
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] using roles to allow users to access/login to a specific client

Thank you! Sorry, but I'm new with Keycloak. Where do I do this check? Is it a general setting for the realm or for the client? I haven't found a section to do this kind of "checks". I tried to add client -> authorization -> policies / permission but nothing worked for me.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/using-roles-to-allow-users-to-access-login-to-a-specific-client-tp2216p2218.html
Sent from the keycloak-user mailing list archive at Nabble.com.
From deepu.laghuvaram at gmail.com Thu Jan 5 11:29:39 2017
From: deepu.laghuvaram at gmail.com (Deepu Laghuvaram)
Date: Thu, 5 Jan 2017 11:29:39 -0500
Subject: [keycloak-user] External Registration and SSO
Message-ID:

I have a question related to External Registration and achieving SSO after registration similar to http://lists.jboss.org/pipermail/keycloak-user/2015-April/001925.html but it looks like we can't achieve it without going to the Keycloak login page/registration page.

My flow would be

1. Visit app
2. Click on registration link within app
3. Fill out registration info
4. App calls keycloak webservices to create user and set password
5. User is logged in and SSO is also achieved

I see that the same flow is achieved in Red Hat Registration as well, when we try to register to RedHat through the link https://www.redhat.com/wapps/ugc/register.html;jsessionid=VE12s0McKzTHqAZqI6pU+9FN.90526eb3?_flowId=register-flow&_flowExecutionKey=e1s1 (I think this is not on KeyCloak pages and it's a registration page within the app) and after registration the user is logged in and SSO is also achieved. I couldn't find a way to implement it similarly, could you please help us with that?

Thanks,
Raghu

From Dana.Danet at Evisions.com Thu Jan 5 14:18:44 2017
From: Dana.Danet at Evisions.com (Dana Danet)
Date: Thu, 5 Jan 2017 19:18:44 +0000
Subject: [keycloak-user] Create Test Users - IT
Message-ID: <03B39225-DF3E-417C-A223-E03F2926256B@Evisions.com>

There must be something I am missing as I can't get the Credentials to set when programmatically creating a test user for integration tests to a running Keycloak 2.5.0 instance with a known realm. The user is created.

When setting a breakpoint in my code I see that my user is created but no credentials are created. This returns 0 tuples.
select * from credential c where c.user_id = (select u.id from user_entity u where u.username = 'test-user')

Below is my code:

@Before
public void setup() {
    log.debug("Setting up test harness user.");

    // Admin client logging in through the admin-cli client of `realm`;
    // authServerUrl, realm, adminUser and adminPassword come from the test config.
    keycloak = KeycloakBuilder.builder()
            .serverUrl(authServerUrl)
            .realm(realm)
            .username(adminUser)
            .password(adminPassword)
            .clientId("admin-cli")
            .resteasyClient(new ResteasyClientBuilder()
                    .connectionPoolSize(10)
                    .build()
            ).build();

    setupTestUser();
}

private void setupTestUser() {
    log.debug("\nSetting up test harness user.");

    /*
     Create the credentials via test config values
    */
    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue(password);
    credential.setTemporary(false);

    /*
     Create the user via test config values
    */
    user = new UserRepresentation();
    user.setUsername(username);
    user.setFirstName("Test");
    user.setLastName("User");
    // The password is attached to the representation sent with the create call.
    user.setCredentials(Arrays.asList(credential));
    user.setEnabled(true);

    Response result = keycloak.realm(realm).users().create(user);

    // The new user's id is only returned in the Location header of the 201 response.
    final String locationHeader = result.getHeaderString("Location");
    final String userId = locationHeader.replaceAll(".*/(.*)$", "$1");
    user.setId(userId);

    log.debug("\n\nTest Harness UserId ************** {}\n", userId);
}

@After
public void tearDown() {
    keycloak.realm(realm).users().get(user.getId()).remove();
}

From mstrukel at redhat.com Thu Jan 5 17:02:17 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 5 Jan 2017 23:02:17 +0100
Subject: [keycloak-user] Create Test Users - IT
In-Reply-To: <03B39225-DF3E-417C-A223-E03F2926256B@Evisions.com>
References: <03B39225-DF3E-417C-A223-E03F2926256B@Evisions.com>
Message-ID:

See: http://lists.jboss.org/pipermail/keycloak-user/2016-December/008885.html

On Jan 5, 2017 20:25, "Dana Danet" wrote:
> There must be something I am missing as I can't get the Credentials to set
> when programmatically creating a test user for integration tests to a
> running Keycloak 2.5.0
instance with a known realm. The user is created.
>
> When setting a breakpoint in my code I see that my user is created but no
> credentials are created. This returns 0 tuples.
>
> select * from credential c where c.user_id = (select u.id from
> user_entity u where u.username = 'test-user')
>
>
> Below is my code:
>
>
> @Before
> public void setup() {
> log.debug("Setting up test harness user.");
>
> keycloak = KeycloakBuilder.builder()
> .serverUrl(authServerUrl)
> .realm(realm)
> .username(adminUser)
> .password(adminPassword)
> .clientId("admin-cli")
> .resteasyClient(new ResteasyClientBuilder()
> .connectionPoolSize(10)
> .build()
> ).build();
>
> setupTestUser();
> }
>
> private void setupTestUser() {
> log.debug("\nSetting up test harness user.");
>
> /*
> Create the credentials via test config values
> */
> CredentialRepresentation credential = new CredentialRepresentation();
> credential.setType(CredentialRepresentation.PASSWORD);
> credential.setValue(password);
> credential.setTemporary(false);
>
> /*
> Create the user via test config values
> */
> user = new UserRepresentation();
> user.setUsername(username);
> user.setFirstName("Test");
> user.setLastName("User");
> user.setCredentials(Arrays.asList(credential));
> user.setEnabled(true) ;
>
> Response result = keycloak.realm(realm).users().create(user);
>
> final String locationHeader = result.getHeaderString("Location");
> final String userId = locationHeader.replaceAll(".*/(.*)$", "$1");
> user.setId(userId);
>
> log.debug("\n\nTest Harness UserId ************** {}\n", userId);
> }
>
> @After
> public void tearDown() {
> keycloak.realm(realm).users().get(user.getId()).remove();
> }
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Jan 6 01:09:23 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 6 Jan 2017 07:09:23 +0100 Subject: 
[keycloak-user] External Registration and SSO In-Reply-To: References: Message-ID: Not sure how Red Hat IT did the external registration. We don't have direct support for it at the moment, but it's something we have considered adding. It's something that needs to be done extremely carefully though as it does enable an external source to automatically login users. Added Josh Cain as he may be able to explain how they did it. Josh I'm curious as well ;) On 5 January 2017 at 17:29, Deepu Laghuvaram wrote: > I have a question related to External Registration and achieving SSO after > registration similar to > http://lists.jboss.org/pipermail/keycloak-user/2015-April/001925.html but > it looks like we cant achieve it with out going to Keycloak login > page/registration page > > My flow would be > > 1. Visit app > 2. Click on registration link within app > 3. Fill out registration info > 4. App calls keycloak webservices to create user and set password > 5. User is logged in and SSO is also achieved > > I see that the same flow is achieved in Red Hat Registration as well, when > we try to register to RedHat thru link > https://www.redhat.com/wapps/ugc/register.html;jsessionid= > VE12s0McKzTHqAZqI6pU+9FN.90526eb3?_flowId=register- > flow&_flowExecutionKey=e1s1 > (I think this is not on KeyCloak pages and its a registration page with in > app) and after registration the user is logged in and SSO is also achieved. > I couldnt find a way to implement it similarly, could you please help us > with that? 
> > Thanks, > Raghu > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Jan 6 03:03:42 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 6 Jan 2017 09:03:42 +0100 Subject: [keycloak-user] using roles to allow users to access/login to a specific client In-Reply-To: <1483624181259-2218.post@n6.nabble.com> References: <1483620706020-2216.post@n6.nabble.com> <1483624181259-2218.post@n6.nabble.com> Message-ID: I suggest you take a look at documentation and examples then ;) On 5 January 2017 at 14:49, Dejab wrote: > Thank you ! > > Sorry but i'm new with keycloak > > where i do this check ? > is it a general setting for the realm or for the client ? > > haven't found a section to do this kind of "checks". i tried to add client > -> authorization -> policies / permission but nothing worked for me. > > > > > > -- > View this message in context: http://keycloak-user.88327.x6. > nabble.com/using-roles-to-allow-users-to-access-login- > to-a-specific-client-tp2216p2218.html > Sent from the keycloak-user mailing list archive at Nabble.com. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Edgar at info.nl Fri Jan 6 05:08:36 2017 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Fri, 6 Jan 2017 10:08:36 +0000 Subject: [keycloak-user] How to best deal with changes in the Keycloak realm JSON files during upgrades? Message-ID: <25AB26B1-45DD-4B41-95A1-9FA012E4F793@info.nl> Hi, The structure of the Keycloak realm JSON files changes sometimes with new versions of Keycloak. 
Since we use these realm JSON files to manage all our custom settings in Keycloak (we store them in Git etc) in a fully automated way (continuous delivery) this is quite problematic for us since we need to figure out exactly what has changed. E.g. I think in Keycloak 2.3.0 the structure of the LDAP federations changed considerably. How do other people deal with this? Or do people usually not manage their Keycloak settings this way? What does somewhat surprise me is that even though we did not upgrade our realm JSON files for this particular LDAP federations change our old files could still be imported in Keycloak 2.5.0 fine. I guess Keycloak is backwards compatible to importing the old JSON structure for a few releases? As soon as you export the realm files of course the new structure is used. cheers From sthorger at redhat.com Fri Jan 6 05:37:23 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 6 Jan 2017 11:37:23 +0100 Subject: [keycloak-user] How to best deal with changes in the Keycloak realm JSON files during upgrades? In-Reply-To: <25AB26B1-45DD-4B41-95A1-9FA012E4F793@info.nl> References: <25AB26B1-45DD-4B41-95A1-9FA012E4F793@info.nl> Message-ID: JSON files are backwards compatible and we actually migrate them on import. I'd suggest once in a while (yearly? every major release? or something like that) you import and export again to get a clean non-migrated version though. On 6 January 2017 at 11:08, Edgar Vonk - Info.nl wrote: > Hi, > > The structure of the Keycloak realm JSON files changes sometimes with new > versions of Keycloak. Since we use these realm JSON files to manage all our > custom settings in Keycloak (we store them in Git etc) in a fully automated > way (continuous delivery) this is quite problematic for us since we need to > figure out exactly what has changed. E.g. I think in Keycloak 2.3.0 the > structure of the LDAP federations changed considerably. > > How do other people deal with this? 
Or do people usually not manage their > Keycloak settings this way? > > What does somewhat surprise me is that even though we did not upgrade our > realm JSON files for this particular LDAP federations change our old files > could still be imported in Keycloak 2.5.0 fine. I guess Keycloak is > backwards compatible to importing the old JSON structure for a few > releases? As soon as you export the realm files of course the new structure > is used. > > cheers > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jitendrachouhan03 at gmail.com Fri Jan 6 07:42:05 2017 From: jitendrachouhan03 at gmail.com (Jitendra Chouhan) Date: Fri, 6 Jan 2017 18:12:05 +0530 Subject: [keycloak-user] Unable to reset password of user from keycloak-2.5.0 in MS ActiveDirectory Message-ID: The password value is *Welcome at 123*, which adheres to the AD password policies. We are using MS Active Directory with keycloak-2.5.0 for storing user information. We are facing an issue while updating/resetting a user's password from the Keycloak UI: we get the error "*Invalid password: Failed to match regex pattern(s)*", but if we use the same password to reset the password directly in AD using the ADAM AD tool, we are able to reset the user's password. No logs are getting logged either, even with DEBUG mode enabled. Is anybody else facing this issue? Thanks & Regards, Jitendra Chouhan From Edgar at info.nl Fri Jan 6 08:03:39 2017 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Fri, 6 Jan 2017 13:03:39 +0000 Subject: [keycloak-user] How to best deal with changes in the Keycloak realm JSON files during upgrades? In-Reply-To: References: <25AB26B1-45DD-4B41-95A1-9FA012E4F793@info.nl>, Message-ID: <00376DF3-3114-4202-B86A-0E98F739560E@info.nl> Thanks Stian! Good to know. On 6 Jan 2017, at 11:37, Stian Thorgersen > wrote: JSON files are backwards compatible and we actually migrate them on import. I'd suggest once in a while (yearly? 
every major release? or something like that) you import and export again to get a clean non-migrated version though. On 6 January 2017 at 11:08, Edgar Vonk - Info.nl > wrote: Hi, The structure of the Keycloak realm JSON files changes sometimes with new versions of Keycloak. Since we use these realm JSON files to manage all our custom settings in Keycloak (we store them in Git etc) in a fully automated way (continuous delivery) this is quite problematic for us since we need to figure out exactly what has changed. E.g. I think in Keycloak 2.3.0 the structure of the LDAP federations changed considerably. How do other people deal with this? Or do people usually not manage their Keycloak settings this way? What does somewhat surprise me is that even though we did not upgrade our realm JSON files for this particular LDAP federations change our old files could still be imported in Keycloak 2.5.0 fine. I guess Keycloak is backwards compatible to importing the old JSON structure for a few releases? As soon as you export the realm files of course the new structure is used. cheers _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Fri Jan 6 08:05:17 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 6 Jan 2017 14:05:17 +0100 Subject: [keycloak-user] Unable to reset password of user from keycloak-2.5.0 in MS ActiveDirectory In-Reply-To: References: Message-ID: Sounds like you might have a password policy in Keycloak that rejects the password On 6 January 2017 at 13:42, Jitendra Chouhan wrote: > Password value is *Welcome at 123* that adheres to AD password policies. > > We are using MS active directory with keycloak-2.5.0 for storing user > information. 
We are facing a issue while updating/resetting user password > from keycloak UI getting issue like "*Invalid password: Failed to match > regex pattern(s)*" but if use same password to reset password directly in > AD using ADAM AD tool then able to reset user password. No logs are also > getting logged even enabled DEBUG mode. > > Anybody is facing this issue. > > Thanks & Regards, > Jitendra Chouhan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From christian.froehlich at agfa.com Fri Jan 6 09:06:43 2017 From: christian.froehlich at agfa.com (Christian Froehlich) Date: Fri, 6 Jan 2017 15:06:43 +0100 Subject: [keycloak-user] Could not find class org.keycloak.adapters.jaas.BearerTokenLoginModule Message-ID: Hello, I am trying to use the login module "org.keycloak.adapters.jaas.BearerTokenLoginModule" and I only get it running when I add the module as a "global module" in my standalone.xml.

What I did to secure my WildFly in detail:

-> Install the Keycloak WildFly adapter on my application server
-> Add the login module to my security domain:

When I try to log in, the login fails and I see the following log in my server.log (see below). I also get the error when I remove the module attribute from the login-module element. I only get it running when I define the "org.keycloak.keycloak-adapter-core" module as a global module. Do you have any idea what's going wrong? I would normally expect the LoginModule to be found without defining it as a global module.
DEBUG [org.jboss.security] (default task-10) () PBOX00206: Login failure: javax.security.auth.login.LoginException: LoginModule-Klasse kann nicht gefunden werden [LoginModule class cannot be found]: org.keycloak.adapters.jaas.BearerTokenLoginModule from [Module "deployment.orbis-framework.war:main" from Service Module Loader]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:794)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
    at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:167)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

Regards and thanks in advance
Christian

From RLewis at carbonite.com Fri Jan 6 09:23:12 2017 From: 
RLewis at carbonite.com (Reed Lewis) Date: Fri, 6 Jan 2017 14:23:12 +0000 Subject: [keycloak-user] Configuring Keycloak to not allow login using the built in login when a user is configured using an external IDP Message-ID: <92369527-F741-4B4D-A721-77702BB61D28@carbonite.com> We have decided to use Keycloak for our identity services. The current flow will be as follows:

1. We will have an external system that creates users. Users will not be created by Keycloak, but instead will be created by an external service which calls the Admin API to add users.
2. We would like some sort of notification sent to the user by Keycloak (if it cannot be done that would be OK) that the user was added.
3. If we add the user, and configure an external IDP account for the user (we will be pulling user records using Microsoft's Azure AD OAuth2 client), we want to make sure that when the user types their username, it will not allow them to even attempt to log in using Keycloak's login, but instead forces them to go to the external IDP login screen.

We have two workflows for adding users. The first is to have the user added independent of any sort of external IDP. This is the case where we need some sort of email that goes to the user with a password or link to validate their account. The second method is to have the customer's admin log in to the external IDP (we will handle this), and we will pull down a list of all users in their directory and add them to Keycloak ourselves. We will assign a link to the IDP in Keycloak. We would also like a welcome message, but since the external IDP is managing the password, we do not need them to change their password. Is this possible?

From grantmarrow at gmail.com Fri Jan 6 09:59:11 2017 From: grantmarrow at gmail.com (Grant Marrow) Date: Fri, 06 Jan 2017 14:59:11 +0000 Subject: [keycloak-user] React Native App using Keycloak Message-ID: Hi everyone, Could anyone point me in the right direction please? I am busy building a React Native mobile application and I would like to use Keycloak for user authentication and authorization. Has anyone else done this before? If yes, could you please give me some tips on how you implemented this? Thanks in advance. Regards Grant From sts at ono.at Fri Jan 6 10:17:14 2017 From: sts at ono.at (Stefan Schlesinger) Date: Fri, 6 Jan 2017 16:17:14 +0100 Subject: [keycloak-user] 2FA via REST API Message-ID: <7C1E525F-2568-420E-9FCD-53B637CDA0D2@ono.at> Hello Folks, does anyone know how to verify an OTP (TOTP) token against the Keycloak OpenID REST API for clients with direct access grants enabled? I cannot seem to find any hints on the correct API endpoints. I'm trying to get a working FreeRADIUS setup for 802.1X/VPN authentication with 2FA enabled. The basic username/password authentication already works. Best, Stefan. 
-- Stefan Schlesinger sts at ono.at From tsdgcc2087 at outlook.com Fri Jan 6 10:29:57 2017 From: tsdgcc2087 at outlook.com (Matt H) Date: Fri, 6 Jan 2017 15:29:57 +0000 Subject: [keycloak-user] Get token for JS UI In-Reply-To: References: Message-ID: I have a situation where I need my javascript UI (all client side) to obtain a token from Keycloak. The token would not be specific to the user but for the UI itself. Looking at the documentation for the Javascript Adapter, it appears that it only works for getting a token for the user and is a public access type. Is it possible to get a token for the UI and treat the UI as a confidential client? It would need to then have a secret key, right? Is there a good way to store that secret key so that it can't be read by users who just browse the source from their browser? The reason for doing this is I have another authentication engine that is used to access the UI. The users would then not have an account in Keycloak. From steve at LobosStudios.com Fri Jan 6 13:07:45 2017 From: steve at LobosStudios.com (Steve Sobol - Lobos Studios) Date: Fri, 6 Jan 2017 10:07:45 -0800 Subject: [keycloak-user] Documentation links broken Message-ID: <023d01d26847$c8f51f80$5adf5e80$@LobosStudios.com> Hey guys, New to Keycloak. Loving how easy it is to set up and use. But the documentation links on your website all seem to be broken. I can browse to https://www.gitbook.com/@keycloak and find the docs, but it'd be a little more convenient if I could use the links you've set up. 
FYI and thanks :) -- Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories Steve Sobol - CEO, Senior Developer and Server Jockey steve at LobosStudios.com From sblanc at redhat.com Fri Jan 6 13:26:00 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 6 Jan 2017 19:26:00 +0100 Subject: [keycloak-user] Documentation links broken In-Reply-To: <023d01d26847$c8f51f80$5adf5e80$@LobosStudios.com> References: <023d01d26847$c8f51f80$5adf5e80$@LobosStudios.com> Message-ID: Hi ! On which part of the site are the links broken ? Because the links on http://www.keycloak.org/documentation.html seems to work. On Fri, Jan 6, 2017 at 7:07 PM, Steve Sobol - Lobos Studios < steve at lobosstudios.com> wrote: > Hey guys, > > > > New to Keycloak. Loving how easy it is to set up and use. But the > documentation links on your website all seem to be broken. > > I can browse to https://www.gitbook.com/@keycloak and find the docs, but > it'd be a little more convenient if I could use the links you've set up. 
> > > > FYI and thanks :) > > > > -- > > Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | > Facebook.com/LobosStudios | @LobosStudios > > Web Development - Mobile Development - Helpdesk/Tech Support - Computer > Sales & Service > > Acer Authorized Reseller - Computers, Windows and Android Tablets, > Accessories > > > > Steve Sobol - CEO, Senior Developer and Server Jockey > > steve at LobosStudios.com > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From steve at LobosStudios.com Fri Jan 6 14:09:38 2017 From: steve at LobosStudios.com (Steve Sobol - Lobos Studios) Date: Fri, 6 Jan 2017 11:09:38 -0800 Subject: [keycloak-user] Documentation links broken In-Reply-To: References: <023d01d26847$c8f51f80$5adf5e80$@LobosStudios.com> Message-ID: <000a01d26850$6dd23210$49769630$@LobosStudios.com> That is the page! :) For example: the link to the Server Installation and Configuration Guide https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.5/ leads to a 404 page. Whereas, https://www.gitbook.com/book/keycloak/server-installation-and-configuration/ works. Thanks -- Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories Steve Sobol - CEO, Senior Developer and Server Jockey steve at LobosStudios.com From: Sebastien Blanc [mailto:sblanc at redhat.com] Sent: Friday, January 06, 2017 10:26 To: Steve Sobol - Lobos Studios Cc: keycloak-user Subject: Re: [keycloak-user] Documentation links broken Hi ! On which part of the site are the links broken ? Because the links on http://www.keycloak.org/documentation.html seems to work. 
On Fri, Jan 6, 2017 at 7:07 PM, Steve Sobol - Lobos Studios > wrote: Hey guys, New to Keycloak. Loving how easy it is to set up and use. But the documentation links on your website all seem to be broken. I can browse to https://www.gitbook.com/@keycloak and find the docs, but it'd be a little more convenient if I could use the links you've set up. FYI and thanks :) -- Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories Steve Sobol - CEO, Senior Developer and Server Jockey steve at LobosStudios.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From thomas.darimont at googlemail.com Sat Jan 7 08:31:58 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Sat, 7 Jan 2017 14:31:58 +0100 Subject: [keycloak-user] 2FA via REST API In-Reply-To: <7C1E525F-2568-420E-9FCD-53B637CDA0D2@ono.at> References: <7C1E525F-2568-420E-9FCD-53B637CDA0D2@ono.at> Message-ID: Hello Stefan, have a look at this example from the mailing list: http://lists.jboss.org/pipermail/keycloak-dev/2016-November/008419.html Cheers, Thomas 2017-01-06 16:17 GMT+01:00 Stefan Schlesinger : > > Hello Folks, > > anyone knows how to verify an OTP (TOTP) token against the Keycloak Openid > REST API for clients with direct access grants enabled? I cannot seem to > find any hints on the correct API endpoints. > > I'm trying to get a working freeradius setup for 802.1X/VPN authentication > with 2FA enabled. The basic username/password authentication already works. > > Best, > > Stefan. 
> > -- > Stefan Schlesinger > sts at ono.at > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sts at ono.at Sun Jan 8 05:48:51 2017 From: sts at ono.at (Stefan Schlesinger) Date: Sun, 8 Jan 2017 11:48:51 +0100 Subject: [keycloak-user] 2FA via REST API In-Reply-To: References: <7C1E525F-2568-420E-9FCD-53B637CDA0D2@ono.at> Message-ID: <6F06F0D6-4381-43E5-B9FE-C647536C3840@ono.at> Hi Thomas, I'm trying to use the examples provided in the thread you pointed me at, but the last call to the validation endpoint gives me a 404. I also tried to find documentation, but apart from the admin REST API and the Authorization API[1] (which covers basic usage) I couldn't find anything. My test script: https://gist.github.com/sts/4c6f8fa759cec88197ca6dfcf306c391 Best, Stefan. [1] Authorization API - https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.5/topics/service/authorization/authorization-api.html > On 07 Jan 2017, at 14:31, Thomas Darimont wrote: > > have a look at this example from the mailing list: > http://lists.jboss.org/pipermail/keycloak-dev/2016-November/008419.html > > 2017-01-06 16:17 GMT+01:00 Stefan Schlesinger : >> Anyone knows how to verify an OTP (TOTP) token against the Keycloak Openid REST API for clients with direct access grants enabled? From philenz at gmail.com Sun Jan 8 17:09:51 2017 From: philenz at gmail.com (Phil Evans) Date: Sun, 08 Jan 2017 22:09:51 +0000 Subject: [keycloak-user] Error when upgrading from keycloak 2.1.0.Final to 2.5.0.Final In-Reply-To: References: Message-ID: Hi Stian, All working now. Thanks very much for the help. 
Phil

On Wed, Jan 4, 2017 at 7:11 PM Stian Thorgersen wrote:

> Added https://issues.jboss.org/browse/KEYCLOAK-4151 to make sure we
> update the migration guide
>
> On 4 January 2017 at 07:08, Stian Thorgersen wrote:
>
> There's some changes required to standalone.xml that we've forgotten to
> mention in the migration guide:
>
> Replace jndi-name="infinispan/Keycloak">.... with:
>
> jndi-name="infinispan/Keycloak">
>
>
>
> On 4 January 2017 at 01:57, Phil Evans wrote:
>
> Hi all,
>
> I'm trying to upgrade the version of Keycloak my application is using from
> 2.1.0.Final to 2.5.0.Final.
>
> Unfortunately, when my app starts up I see...
>
> 00:35:14,234 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0180: Services with missing/unavailable dependencies" => [
>     "jboss.concurrent.ee.context.config.auth.auth is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.naming.context.java.module.auth.auth.InstanceName is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.naming.context.java.module.auth.auth.ModuleName is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.deployment.unit.\"keycloak-server.war\".jca.cachedConnectionManagerSetupProcessor is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.naming.context.java.module.auth.auth is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.naming.context.java.module.auth.auth.Validator is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.naming.context.java.module.auth.auth.InAppClientContainer is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.naming.context.java.app.auth.AppName is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.naming.context.java.app.auth is missing [jboss.infinispan.keycloak.keys]",
>     "jboss.naming.context.java.module.auth.auth.ValidatorFactory is missing [jboss.infinispan.keycloak.keys]"
> ]}
> 00:35:14,344 INFO [org.jboss.as.server] (ServerService Thread Pool -- 45) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> 00:35:14,348 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report
> WFLYCTL0184: New missing/unsatisfied dependencies:
>     service jboss.infinispan.keycloak.keys (missing) dependents: [service jboss.naming.context.java.app.auth.AppName, service jboss.deployment.unit."keycloak-server.war".jca.cachedConnectionManagerSetupProcessor, service jboss.naming.context.java.module.auth.auth.InAppClientContainer, service jboss.naming.context.java.module.auth.auth.ValidatorFactory, WFLYCTL0208: ... and 9 more ]
>
>
> What's changed to cause this error I'm not seeing with version
> 2.1.0.Final???
>
> Thanks in advance,
> Phil

From daduev.ad at gmail.com Sun Jan 8 17:29:16 2017
From: daduev.ad at gmail.com (Adam Daduev)
Date: Mon, 9 Jan 2017 00:29:16 +0200
Subject: [keycloak-user] Error when session expired and ajax request execute in Keycloak?
Message-ID:

Hi, can you help me!
When session expired and ajax request execute in Keycloak, i have error in browser console:

XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth??ml&state=60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access. I add in Keycloak admin console, in the client setting, Web Origins= http://localhost:8080 (or *), and enabled cors in app, but still has error in console. I used Keycloak 2.5.0 From sthorger at redhat.com Mon Jan 9 02:50:57 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 9 Jan 2017 08:50:57 +0100 Subject: [keycloak-user] Documentation links broken In-Reply-To: <000a01d26850$6dd23210$49769630$@LobosStudios.com> References: <023d01d26847$c8f51f80$5adf5e80$@LobosStudios.com> <000a01d26850$6dd23210$49769630$@LobosStudios.com> Message-ID: Looks like tags for 2.5 is missing I'll take a look at it On 6 January 2017 at 20:09, Steve Sobol - Lobos Studios < steve at lobosstudios.com> wrote: > That is the page! :) > > > > For example: the link to the Server Installation and Configuration Guide > > > https://keycloak.gitbooks.io/server-installation-and- > configuration/content/v/2.5/ > > > > leads to a 404 page. > > > > Whereas, > > > > and-configuration/> https://www.gitbook.com/book/ > keycloak/server-installation-and-configuration/ > > > > works. > > > > Thanks > > > > -- > > Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | > Facebook.com/LobosStudios | @LobosStudios > > Web Development - Mobile Development - Helpdesk/Tech Support - Computer > Sales & Service > > Acer Authorized Reseller - Computers, Windows and Android Tablets, > Accessories > > > > Steve Sobol - CEO, Senior Developer and Server Jockey > > steve at LobosStudios.com > > > > From: Sebastien Blanc [mailto:sblanc at redhat.com] > Sent: Friday, January 06, 2017 10:26 > To: Steve Sobol - Lobos Studios > Cc: keycloak-user > Subject: Re: [keycloak-user] Documentation links broken > > > > Hi ! > > On which part of the site are the links broken ? Because the links on > http://www.keycloak.org/documentation.html seems to work. 
> > > > > > On Fri, Jan 6, 2017 at 7:07 PM, Steve Sobol - Lobos Studios < > steve at lobosstudios.com > wrote: > > Hey guys, > > > > New to Keycloak. Loving how easy it is to set up and use. But the > documentation links on your website all seem to be broken. > > I can browse to https://www.gitbook.com/@keycloak and find the docs, but > it'd be a little more convenient if I could use the links you've set up. > > > > FYI and thanks :) > > > > -- > > Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | > Facebook.com/LobosStudios | @LobosStudios > > Web Development - Mobile Development - Helpdesk/Tech Support - Computer > Sales & Service > > Acer Authorized Reseller - Computers, Windows and Android Tablets, > Accessories > > > > Steve Sobol - CEO, Senior Developer and Server Jockey > > steve at LobosStudios.com > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Jan 9 04:44:05 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 9 Jan 2017 10:44:05 +0100 Subject: [keycloak-user] Error when session expired and ajax request execute in Keycloak? In-Reply-To: References: Message-ID: Looks like your services are configured as confidential clients rather than bearer-only and hence is sending a login request back rather than a 401. You should either swap your service war to be a bearer-only client or use the new autodetect-bearer-only option in adapters if you have both web pages and services in the same war. On 8 January 2017 at 23:29, Adam Daduev wrote: > Hi, can you help me! 
> When session expired and ajax request execute in Keycloak, i have error in > browser console: > > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/ > realms/azovstal/protocol/openid-connect/auth??ml&state= > 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No > 'Access-Control-Allow-Origin' header is present on the requested resource. > Origin 'http://localhost:8080' is therefore not allowed access. > > I add in Keycloak admin console, in the client setting, Web Origins= > http://localhost:8080 (or *), and enabled cors in app, but still has error > in console. I used Keycloak 2.5.0 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Mon Jan 9 04:46:23 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 9 Jan 2017 10:46:23 +0100 Subject: [keycloak-user] Get token for JS UI In-Reply-To: References: Message-ID: No, of course there isn't. A JS app runs entirely within the users browser. Can you explain what you're actually trying to achieve? I don't get it. On 6 January 2017 at 16:29, Matt H wrote: > I have a situation where I need my javascript UI (all client side) to > obtain a token from Keycloak. The token would not be specific to the user > but for the UI itself. Looking at the documentation for the Javascript > Adapter, it appears that it only works for getting a token for the user and > is a public access type. Is it possible to get a token for the UI and > treat the UI as a confidential client? It would need to then have a secret > key, right? Is there a good way to store that secret key so that it can't > be read by users who just browse the source from their browser? > > > The reason for doing this is I have another authentication engine that is > used to access the UI. The users would then not have an account in > Keycloak. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Jan 9 04:49:24 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 9 Jan 2017 10:49:24 +0100 Subject: [keycloak-user] React Native App using Keycloak In-Reply-To: References: Message-ID: Our JavaScript adapter has support for Cordova, it sounds like it would be fairly trivial to add support for React to it simply by using the Cordova support. You can force keycloak.js to use Cordova mode. That may work or you may need to add a new "adapter" to the keycloak.js for React. Take a look at the code specific to Cordova, there's not much. On 6 January 2017 at 15:59, Grant Marrow wrote: > Hi everyone, > > Could anyone point me in the right direction please. I am busy building a > react native mobile application and I would like to use keycloak for user > authentication and authorization. Has anyone else done this before, if yes > could you please give me some tips on how you implemented this? > > Thanks in advance. > > Regards > Grant > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Edgar at info.nl Mon Jan 9 05:36:21 2017 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Mon, 9 Jan 2017 10:36:21 +0000 Subject: [keycloak-user] Bug in User Federation pages in Keycloak admin UI? Bind credentials are incorrect - test authentication fails Message-ID: Hi, I think in Keycloak 2.40 or 2.5.0 a bug was introduced in the User Federation pages concerning the Bind Credential fields. 
The Bind Credential is fine in the Keycloak database (COMPONENT_CONFIG table these days) and everything works fine except the following scenario:

1/ Log in to Keycloak admin UI as an admin
2/ Go to a User Federation and select an LDAP user federation provider (assuming you have one of course). You already notice that the value of the Bind Credential field has too few characters.
3/ Now click on the "Test authentication". This fails with 'Error! LDAP authentication failed.' The issue is that the bind credential is wrong.
4/ However click on "Synchronize all users" and this works just fine. So the bind credential used here (the one in the database) is just fine.
5/ Now enter the correct bind credential in the Bind Credential field
6/ Test authentication now works fine
7/ Click Save
8/ Click Test authentication and it fails again, same as in step 3

I think the issue is with this admin page. It seems to do something with the bind credentials it gets from the database. Maybe it wants to unhash it or something but it is not hashed in the database at all (just plain text). Which maybe it is the real issue here?

Is this indeed a bug and if so shall I create a bug report for it?

cheers

From sts at ono.at Mon Jan 9 05:54:12 2017
From: sts at ono.at (Stefan Schlesinger)
Date: Mon, 9 Jan 2017 11:54:12 +0100
Subject: [keycloak-user] 2FA via REST API -> server-spi-private?
In-Reply-To: <6F06F0D6-4381-43E5-B9FE-C647536C3840@ono.at>
References: <7C1E525F-2568-420E-9FCD-53B637CDA0D2@ono.at> <6F06F0D6-4381-43E5-B9FE-C647536C3840@ono.at>
Message-ID: <3A28916F-EE04-42B4-818C-397572D8BFE0@ono.at>

A colleague of mine pointed me to the following commit, which looks like it moved some things to a "server-spi-private". Could this be related?

https://issues.jboss.org/browse/KEYCLOAK-3958
https://github.com/keycloak/keycloak/commit/7e33f4a7d1cbf2b37aa2a6d5b87dfe70d57d0252

Best, Stefan.
> On 08 Jan 2017, at 11:48, Stefan Schlesinger wrote:
>
> Hi Thomas,
>
> I'm trying to use the examples provided in the thread you pointed me at,
> but the last call to the validation endpoint gives me a 404.
>
> I also tried to find documentation, but apart from the admin REST API
> and the Authorization API[1] (which covers basic usage) I couldn't find
> anything.
>
> My test script:
>
> https://gist.github.com/sts/4c6f8fa759cec88197ca6dfcf306c391
>
> Best,
>
> Stefan.
>
> [1] Authorization API - https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.5/topics/service/authorization/authorization-api.html
>
>> On 07 Jan 2017, at 14:31, Thomas Darimont wrote:
>>
>> have a look at this example from the mailing list:
>> http://lists.jboss.org/pipermail/keycloak-dev/2016-November/008419.html
>>
>> 2017-01-06 16:17 GMT+01:00 Stefan Schlesinger :
>>> Anyone knows how to verify an OTP (TOTP) token against the Keycloak Openid REST API for clients with direct access grants enabled?

From sthorger at redhat.com Mon Jan 9 06:47:44 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 9 Jan 2017 12:47:44 +0100
Subject: [keycloak-user] 2FA via REST API -> server-spi-private?
In-Reply-To: <3A28916F-EE04-42B4-818C-397572D8BFE0@ono.at>
References: <7C1E525F-2568-420E-9FCD-53B637CDA0D2@ono.at> <6F06F0D6-4381-43E5-B9FE-C647536C3840@ono.at> <3A28916F-EE04-42B4-818C-397572D8BFE0@ono.at>
Message-ID:

Neither server-spi-private nor the authorization API has anything to do with what you are trying to achieve.

You need to use the direct grant API and include the OTP code as "totp" in the form data.

On 9 January 2017 at 11:54, Stefan Schlesinger wrote:

> A colleague of mine pointed me to the following commit, which looks like
> it moved some things to a "server-spi-private".
>
> Could this be related?
>
> https://issues.jboss.org/browse/KEYCLOAK-3958
> https://github.com/keycloak/keycloak/commit/7e33f4a7d1cbf2b37aa2a6d5b87dfe70d57d0252
>
> Best, Stefan.
>
> > On 08 Jan 2017, at 11:48, Stefan Schlesinger wrote:
> >
> > Hi Thomas,
> >
> > I'm trying to use the examples provided in the thread you pointed me at,
> > but the last call to the validation endpoint gives me a 404.
> >
> > I also tried to find documentation, but apart from the admin REST API
> > and the Authorization API[1] (which covers basic usage) I couldn't find
> > anything.
> >
> > My test script:
> >
> > https://gist.github.com/sts/4c6f8fa759cec88197ca6dfcf306c391
> >
> > Best,
> >
> > Stefan.
> >
> > [1] Authorization API - https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.5/topics/service/authorization/authorization-api.html
> >
> >> On 07 Jan 2017, at 14:31, Thomas Darimont wrote:
> >>
> >> have a look at this example from the mailing list:
> >> http://lists.jboss.org/pipermail/keycloak-dev/2016-November/008419.html
> >>
> >> 2017-01-06 16:17 GMT+01:00 Stefan Schlesinger :
> >>> Anyone knows how to verify an OTP (TOTP) token against the Keycloak Openid REST API for clients with direct access grants enabled?

From sts at ono.at Mon Jan 9 06:54:07 2017
From: sts at ono.at (Stefan Schlesinger)
Date: Mon, 9 Jan 2017 12:54:07 +0100
Subject: [keycloak-user] 2FA via REST API -> server-spi-private?
In-Reply-To:
References: <7C1E525F-2568-420E-9FCD-53B637CDA0D2@ono.at> <6F06F0D6-4381-43E5-B9FE-C647536C3840@ono.at> <3A28916F-EE04-42B4-818C-397572D8BFE0@ono.at>
Message-ID:

Can you give an example where to post the mentioned data? The curl call I'm trying to do, gives me a 404:

curl -v \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d "[{\"type\":\"totp\",\"value\":\"$OTP_CODE\"}]" \
  $BASE_URL/realms/$REALM/credential-validation

Best, Stefan

> On 09 Jan 2017, at 12:47, Stian Thorgersen wrote:
>
> Neither server-spi-private nor the authorization API has anything to do with what you are trying to achieve.
>
> You need to use the direct grant API and include the OTP code as "totp" in the form data.

From sthorger at redhat.com Mon Jan 9 07:31:42 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 9 Jan 2017 13:31:42 +0100
Subject: [keycloak-user] Bug in User Federation pages in Keycloak admin UI? Bind credentials are incorrect - test authentication fails
In-Reply-To:
References:
Message-ID:

Already fixed - https://issues.jboss.org/browse/KEYCLOAK-4038

On 9 January 2017 at 11:36, Edgar Vonk - Info.nl wrote:

> Hi,
>
> I think in Keycloak 2.40 or 2.5.0 a bug was introduced in the User
> Federation pages concerning the Bind Credential fields. The Bind Credential
> is fine in the Keycloak database (COMPONENT_CONFIG table these days) and
> everything works fine except the following scenario:
>
> 1/ Log in to Keycloak admin UI as an admin
> 2/ Go to a User Federation and select an LDAP user federation provider
> (assuming you have one of course). You already notice that the value of the
> Bind Credential field has too few characters.
> 3/ Now click on the "Test authentication". This fails with 'Error! LDAP
> authentication failed.' The issue is that the bind credential is wrong.
> 4/ However click on "Synchronize all users" and this works just fine.
> So the bind credential used here (the one in the database) is just fine.
> 5/ Now enter the correct bind credential in the Bind Credential field
> 6/ Test authentication now works fine
> 7/ Click Save
> 8/ Click Test authentication and it fails again, same as in step 3
>
> I think the issue is with this admin page. It seems to do something with
> the bind credentials it gets from the database. Maybe it wants to unhash it
> or something but it is not hashed in the database at all (just plain text).
> Which maybe it is the real issue here?
>
> Is this indeed a bug and if so shall I create a bug report for it?
>
> cheers

From sthorger at redhat.com Mon Jan 9 07:32:40 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 9 Jan 2017 13:32:40 +0100
Subject: [keycloak-user] 2FA via REST API -> server-spi-private?
In-Reply-To:
References: <7C1E525F-2568-420E-9FCD-53B637CDA0D2@ono.at> <6F06F0D6-4381-43E5-B9FE-C647536C3840@ono.at> <3A28916F-EE04-42B4-818C-397572D8BFE0@ono.at>
Message-ID:

Take a look at https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/oidc-generic.html

On 9 January 2017 at 12:54, Stefan Schlesinger wrote:

> Can you give an example where to post the mentioned data? The curl call
> I'm trying to do, gives me a 404:
>
> curl -v \
>   -H "Authorization: Bearer $ACCESS_TOKEN" \
>   -H "Content-Type: application/json" \
>   -d "[{\"type\":\"totp\",\"value\":\"$OTP_CODE\"}]" \
>   $BASE_URL/realms/$REALM/credential-validation
>
> Best, Stefan
>
> > On 09 Jan 2017, at 12:47, Stian Thorgersen wrote:
> >
> > Neither server-spi-private nor the authorization API has anything to do
> > with what you are trying to achieve.
> >
> > You need to use the direct grant API and include the OTP code as "totp" in
> > the form data.
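The direct-grant call Stian describes, as an added example that is not part of this thread: the password and the OTP are posted together to the realm's token endpoint, the OTP as the 'totp' form field, and a 4xx JSON error is treated as a rejected grant rather than an exception. The base URL, realm, client and user are placeholders, and fake_keycloak_opener is a constructed stand-in for the endpoint so the script runs offline.

```python
"""Direct access grant with a TOTP code against Keycloak's token endpoint.
Added example, not code from the thread; base URL, realm, client and user are
placeholders, and the fake endpoint is a constructed stand-in for offline runs."""
import io
import json
import types
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"


def build_direct_grant_request(base_url, realm, client_id, username, password,
                               totp=None, client_secret=None):
    """Return (url, form) for a direct access grant (grant_type=password).

    There is no separate credential-validation call: the OTP goes in the
    'totp' form field of the same request as the password, and a user with an
    OTP credential configured is rejected when that field is missing or wrong.
    """
    url = base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    if client_secret is not None:  # only for confidential clients
        form["client_secret"] = client_secret
    if totp is not None:  # second factor rides along in the form data
        form["totp"] = totp
    return url, form


def classify_response(status, payload):
    """Map a token-endpoint answer to 'granted', 'rejected' or 'error'."""
    if status == 200 and "access_token" in payload:
        return "granted"
    if status in (400, 401) and "error" in payload:
        return "rejected"  # e.g. invalid_grant: wrong password or OTP
    return "error"  # a 404 means the path or realm is wrong, not the OTP


def request_token(base_url, realm, client_id, username, password, totp=None,
                  client_secret=None, opener=urllib.request.urlopen):
    """POST the grant and return (status, json_body); a rejected grant is a
    4xx with a JSON error body, so HTTPError becomes a return value."""
    url, form = build_direct_grant_request(base_url, realm, client_id,
                                           username, password, totp,
                                           client_secret)
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        resp = opener(req)
        return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8")
        try:
            return err.code, json.loads(raw)
        except json.JSONDecodeError:
            return err.code, {"error": "non_json_response", "raw": raw}


def fake_keycloak_opener(req):
    """Constructed simulation of the token endpoint: the placeholder user
    alice/s3cret is accepted only together with OTP 123456; anything else
    gets the 401 invalid_grant answer a rejected direct grant produces."""
    form = dict(urllib.parse.parse_qsl(req.data.decode("utf-8")))
    ok = (form.get("grant_type") == "password"
          and form.get("username") == "alice"
          and form.get("password") == "s3cret"
          and form.get("totp") == "123456")
    if ok:
        body = json.dumps({"access_token": "constructed.jwt.value",
                           "token_type": "bearer", "expires_in": 300})
        return types.SimpleNamespace(status=200, read=lambda: body.encode("utf-8"))
    body = json.dumps({"error": "invalid_grant",
                       "error_description": "Invalid user credentials"})
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", None,
                                 io.BytesIO(body.encode("utf-8")))


def login(totp, opener=fake_keycloak_opener):
    """One direct grant for the placeholder user: (verdict, status, body)."""
    status, payload = request_token("https://sso.example/auth", "demo", "cli",
                                    "alice", "s3cret", totp=totp, opener=opener)
    return classify_response(status, payload), status, payload


if __name__ == "__main__":
    for code in ("123456", "000000", None):
        print(code, "->", login(code)[:2])
```

Pass opener=urllib.request.urlopen (the default of request_token) to talk to a real server; the 404 Stefan saw comes from the URL, which is why classify_response keeps it apart from a rejected OTP.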
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Jan 9 07:51:25 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 9 Jan 2017 13:51:25 +0100 Subject: [keycloak-user] Error when session expired and ajax request execute in Keycloak? In-Reply-To: References: Message-ID: [Adding list back] A web app redirects the user to a login page if not authenticated, while a service should return a 401. It sounds like what you have is a JS application with a service backend. In Keycloak you should have two separate types of clients for that. The JS application should be a public client, while the services a bearer-only client. On 9 January 2017 at 13:39, Adam Daduev wrote: > Thanks for the answer. > Yes i have confidential client, i have web application, that asks Keycloak server > to authenticate a user for them. As I understand, bearer-only is for web > services clients. > I probably something do not understand? > > 2017-01-09 11:44 GMT+02:00 Stian Thorgersen : > >> Looks like your services are configured as confidential clients rather >> than bearer-only and hence is sending a login request back rather than a >> 401. You should either swap your service war to be a bearer-only client or >> use the new autodetect-bearer-only option in adapters if you have both web >> pages and services in the same war. >> >> On 8 January 2017 at 23:29, Adam Daduev wrote: >> >>> Hi, can you help me! >>> When session expired and ajax request execute in Keycloak, i have error >>> in >>> browser console: >>> >>> XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/ >>> realms/azovstal/protocol/openid-connect/auth??ml&state= >>> 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No >>> 'Access-Control-Allow-Origin' header is present on the requested >>> resource. 
>>> Origin 'http://localhost:8080' is therefore not allowed access. >>> >>> I add in Keycloak admin console, in the client setting, Web Origins= >>> http://localhost:8080 (or *), and enabled cors in app, but still has >>> error >>> in console. I used Keycloak 2.5.0 >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > From avinash at avinash.com.np Mon Jan 9 08:19:25 2017 From: avinash at avinash.com.np (Avinash Kundaliya) Date: Mon, 9 Jan 2017 19:04:25 +0545 Subject: [keycloak-user] RBAC : adding permissions to roles Message-ID: <73016eed-97b0-a032-a7e1-94d11d5f3ef0@avinash.com.np> Hello, I have a very basic question and am curious how to model this via keycloak. In my application I have some roles. I want to map each role to a set of permissions so that based on those permissions i can check if the user has access to a specific action/resource in my application server. (pretty much how classically RBAC is done) I am curious if there is a defined pattern/way of modeling such a behavior in keycloak, or would the best way to do this would be to define and map permissions (to roles) in the application (i.e outside keycloak). What is the best practice for such a case? Regards, Avinash From sthorger at redhat.com Mon Jan 9 08:29:32 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 9 Jan 2017 14:29:32 +0100 Subject: [keycloak-user] RBAC : adding permissions to roles In-Reply-To: <73016eed-97b0-a032-a7e1-94d11d5f3ef0@avinash.com.np> References: <73016eed-97b0-a032-a7e1-94d11d5f3ef0@avinash.com.np> Message-ID: You can either use our authorization services (see https://keycloak.gitbooks.io/authorization-services-guide/content/) to manage permissions centrally through Keycloak or you can manage it on your own within the application. 
On 9 January 2017 at 14:19, Avinash Kundaliya wrote:

> Hello,
>
> I have a very basic question and am curious how to model this via keycloak.
>
> In my application I have some roles. I want to map each role to a set of
> permissions so that based on those permissions i can check if the user
> has access to a specific action/resource in my application server.
> (pretty much how classically RBAC is done)
>
> I am curious if there is a defined pattern/way of modeling such a
> behavior in keycloak, or would the best way to do this would be to
> define and map permissions (to roles) in the application (i.e outside
> keycloak). What is the best practice for such a case?
>
> Regards,
> Avinash

From Edgar at info.nl Mon Jan 9 08:38:55 2017
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Mon, 9 Jan 2017 13:38:55 +0000
Subject: [keycloak-user] Bug in User Federation pages in Keycloak admin UI? Bind credentials are incorrect - test authentication fails
In-Reply-To:
References:
Message-ID:

Excellent. Thanks!

But regarding my point on storing the bind credentials, does it make sense that I create a feature request to store these in a hashed form in the Keycloak database instead of plain text?

I guess you would then need to distinguish between normal component config attributes and "credential" component config attributes or something

cheers

On 9 Jan 2017, at 13:31, Stian Thorgersen wrote:

Already fixed - https://issues.jboss.org/browse/KEYCLOAK-4038

On 9 January 2017 at 11:36, Edgar Vonk - Info.nl wrote:

Hi,

I think in Keycloak 2.40 or 2.5.0 a bug was introduced in the User Federation pages concerning the Bind Credential fields.
The Bind Credential is fine in the Keycloak database (COMPONENT_CONFIG table these days) and everything works fine except the following scenario:

1/ Log in to Keycloak admin UI as an admin
2/ Go to a User Federation and select an LDAP user federation provider (assuming you have one of course). You already notice that the value of the Bind Credential field has too few characters.
3/ Now click on the "Test authentication". This fails with 'Error! LDAP authentication failed.' The issue is that the bind credential is wrong.
4/ However click on "Synchronize all users" and this works just fine. So the bind credential used here (the one in the database) is just fine.
5/ Now enter the correct bind credential in the Bind Credential field
6/ Test authentication now works fine
7/ Click Save
8/ Click Test authentication and it fails again, same as in step 3

I think the issue is with this admin page. It seems to do something with the bind credentials it gets from the database. Maybe it wants to unhash it or something but it is not hashed in the database at all (just plain text). Which maybe it is the real issue here?

Is this indeed a bug and if so shall I create a bug report for it?

cheers

From avinash at avinash.com.np Mon Jan 9 08:44:30 2017
From: avinash at avinash.com.np (Avinash Kundaliya)
Date: Mon, 9 Jan 2017 19:29:30 +0545
Subject: [keycloak-user] RBAC : adding permissions to roles
In-Reply-To:
References: <73016eed-97b0-a032-a7e1-94d11d5f3ef0@avinash.com.np>
Message-ID: <0a81c76b-cf94-8052-6dd0-bc795ad3b29f@avinash.com.np>

Hi Stian,

Is there an example of how to do this simply, or would one have to create scopes (which is like a permission), policies (one for each role) and permissions, that would map the role to a scope ?
Also, possibly a related question, does role-type policy also take in account roles that a user gets effectively because of a composite role? If so, the "Evaluate" page always gives me a Deny. Another approach, If i add the scope to each policy, then it still gives me a Deny (I tried setting the strategy to Affirmative, still didn't help). I hope the description isnt abstract, if so I will try to add screenshots next time. Regards, Avinash On 1/9/17 19:14, Stian Thorgersen wrote: > You can either use our authorization services (see > https://keycloak.gitbooks.io/authorization-services-guide/content/) to > manage permissions centrally through Keycloak or you can manage it on > your own within the application. > > On 9 January 2017 at 14:19, Avinash Kundaliya > wrote: > > Hello, > > I have a very basic question and am curious how to model this via > keycloak. > > In my application I have some roles. I want to map each role to a > set of > permissions so that based on those permissions i can check if the user > has access to a specific action/resource in my application server. > (pretty much how classically RBAC is done) > > I am curious if there is a defined pattern/way of modeling such a > behavior in keycloak, or would the best way to do this would be to > define and map permissions (to roles) in the application (i.e outside > keycloak). What is the best practice for such a case? 
> > Regards, > Avinash > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From avinash at avinash.com.np Mon Jan 9 08:45:21 2017 From: avinash at avinash.com.np (Avinash Kundaliya) Date: Mon, 9 Jan 2017 19:30:21 +0545 Subject: [keycloak-user] RBAC : adding permissions to roles In-Reply-To: References: <73016eed-97b0-a032-a7e1-94d11d5f3ef0@avinash.com.np> Message-ID: <48a92762-eaf7-8c82-ba2b-bbfd3cab0abb@avinash.com.np> Hi Stian, Thanks for the prompt response, I have probably read through the guide a number of times, Its helpful but it takes a while (and some struggle) to probably understand it and implement in practice. Is there an example of how to do this simply, or would one have to create scopes (which is like a permission), policies (one for each role) and permissions, that would map the role to a scope ? Also, possibly a related question, does role-type policy also take in account roles that a user gets effectively because of a composite role? If so, the "Evaluate" page always gives me a Deny. Another approach, If i add the scope to each policy, then it still gives me a Deny (I tried setting the strategy to Affirmative, still didn't help). I hope the description isnt abstract, if so I will try to add screenshots next time. Regards, Avinash On 1/9/17 19:14, Stian Thorgersen wrote: > You can either use our authorization services (see > https://keycloak.gitbooks.io/authorization-services-guide/content/) to > manage permissions centrally through Keycloak or you can manage it on > your own within the application. > > On 9 January 2017 at 14:19, Avinash Kundaliya > wrote: > > Hello, > > I have a very basic question and am curious how to model this via > keycloak. > > In my application I have some roles. 
I want to map each role to a > set of > permissions so that based on those permissions i can check if the user > has access to a specific action/resource in my application server. > (pretty much how classically RBAC is done) > > I am curious if there is a defined pattern/way of modeling such a > behavior in keycloak, or would the best way to do this would be to > define and map permissions (to roles) in the application (i.e outside > keycloak). What is the best practice for such a case? > > Regards, > Avinash > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From tsdgcc2087 at outlook.com Mon Jan 9 09:03:05 2017 From: tsdgcc2087 at outlook.com (Matt H) Date: Mon, 9 Jan 2017 14:03:05 +0000 Subject: [keycloak-user] Get token for JS UI In-Reply-To: References: , Message-ID: I didn't think there was, but I had to check. I have a module that I have to use that authenticates a user. So when a user goes to a UI, they will be required to authenticate with this. It validates that they are who they are. From there the UI (pure JS) would call an application that is secured with Keycloak so the request needs a token to access it. A lot of our application to application calls are set up as clients with confidential access, so the application is what the ticket is for, not the user using the application. Make sense? ________________________________ From: Stian Thorgersen Sent: Monday, January 9, 2017 3:46 AM To: Matt H Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Get token for JS UI No, of course there isn't. A JS app runs entirely within the users browser. Can you explain what you're actually trying to achieve? I don't get it. On 6 January 2017 at 16:29, Matt H > wrote: I have a situation where I need my javascript UI (all client side) to obtain a token from Keycloak. 
The token would not be specific to the user but for the UI itself. Looking at the documentation for the Javascript Adapter, it appears that it only works for getting a token for the user and is a public access type. Is it possible to get a token for the UI and treat the UI as a confidential client? It would need to then have a secret key, right? Is there a good way to store that secret key so that it can't be read by users who just browse the source from their browser?

The reason for doing this is I have another authentication engine that is used to access the UI. The users would then not have an account in Keycloak.

From psilva at redhat.com Mon Jan 9 12:33:40 2017
From: psilva at redhat.com (Pedro Igor)
Date: Mon, 09 Jan 2017 15:33:40 -0200
Subject: [keycloak-user] RBAC : adding permissions to roles
In-Reply-To: <48a92762-eaf7-8c82-ba2b-bbfd3cab0abb@avinash.com.np>
References: <73016eed-97b0-a032-a7e1-94d11d5f3ef0@avinash.com.np> <48a92762-eaf7-8c82-ba2b-bbfd3cab0abb@avinash.com.np>
Message-ID:

On 1/9/2017 11:46:02 AM, Avinash Kundaliya wrote:

Hi Stian,

Thanks for the prompt response, I have probably read through the guide a number of times, Its helpful but it takes a while (and some struggle) to probably understand it and implement in practice.

Is there an example of how to do this simply, or would one have to create scopes (which is like a permission), policies (one for each role) and permissions, that would map the role to a scope ?

Pedro Igor: You can create a policy for each role or a single one with the roles you want to enforce before accessing a resource/scope. It really depends on your requirements.

Also, possibly a related question, does role-type policy also take in account roles that a user gets effectively because of a composite role? If so, the "Evaluate" page always gives me a Deny.
Another approach, If I add the scope to each policy, then it still gives me a Deny (I tried setting the strategy to Affirmative, still didn't help).

Pedro Igor: I think we are not handling composite roles. But I think you can achieve a similar behavior if you create a single policy with all roles that are allowed to access your protected resource. Role policies also allow you to mark a specific role as "required" so users must be granted with all required roles and any of the "non-required" roles you defined. If you want to say, for instance, "Roles A and B Can Perform Action C on Resource D", you can just create:

1) Resource D, Scope C and associated Scope C with Resource D
2) Role Policy for Roles A and B (in this case users with any of these roles are granted) or separated policies for each role if you need to (you may want to reuse the role policy for each role to build other permissions or policies)
3) Create a permission that puts together Resource D + Scope C + Policies. Where the latter is basically the role policies you created.

Does that work for you ?

I hope the description isn't abstract, if so I will try to add screenshots next time. Regards, Avinash On 1/9/17 19:14, Stian Thorgersen wrote: > You can either use our authorization services (see > https://keycloak.gitbooks.io/authorization-services-guide/content/) to > manage permissions centrally through Keycloak or you can manage it on > your own within the application. > > On 9 January 2017 at 14:19, Avinash Kundaliya > > wrote: > > Hello, > > I have a very basic question and am curious how to model this via > keycloak. > > In my application I have some roles. I want to map each role to a > set of > permissions so that based on those permissions i can check if the user > has access to a specific action/resource in my application server.
> (pretty much how classically RBAC is done) > > I am curious if there is a defined pattern/way of modeling such a > behavior in keycloak, or would the best way to do this would be to > define and map permissions (to roles) in the application (i.e outside > keycloak). What is the best practice for such a case? > > Regards, > Avinash > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Tue Jan 10 00:04:53 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 10 Jan 2017 06:04:53 +0100 Subject: [keycloak-user] Bug in User Federation pages in Keycloak admin UI? Bind credentials are incorrect - test authentication fails In-Reply-To: References: Message-ID:

You can't store the credentials hashed, but they can be encrypted and we have an issue open already for that ( https://issues.jboss.org/browse/KEYCLOAK-3205). On 9 January 2017 at 14:38, Edgar Vonk - Info.nl wrote: > Excellent. Thanks! > > But regarding my point on storing the bind credentials, does it make sense > that I create a feature request to store these in a hashed form in the > Keycloak database instead of plain text? > > I guess you would then need to distinguish between normal component config > attributes and 'credential' component config attributes or something > > cheers > > > On 9 Jan 2017, at 13:31, Stian Thorgersen wrote: > > Already fixed - https://issues.jboss.org/browse/KEYCLOAK-4038 > > On 9 January 2017 at 11:36, Edgar Vonk - Info.nl wrote: > >> Hi, >> >> I think in Keycloak 2.40 or 2.5.0 a bug was introduced in the User >> Federation pages concerning the Bind Credential fields.
The Bind Credential >> is fine in the Keycloak database (COMPONENT_CONFIG table these days) and >> everything works fine except the following scenario: >> >> 1/ Log in to Keycloak admin UI as an admin >> 2/ Go to a User Federation and select an LDAP user federation provider >> (assuming you have one of course). You already notice that the value of the >> Bind Credential field has too few characters. >> 3/ Now click on the 'Test authentication'. This fails with 'Error! LDAP >> authentication failed.' The issue is that the bind credential is wrong. >> 4/ However click on 'Synchronize all users' and this works just fine. So >> the bind credential used here (the one in the database) is just fine. >> 5/ Now enter the correct bind credential in the Bind Credential field >> 6/ Test authentication now works fine >> 7/ Click Save >> 8/ Click Test authentication and it fails again, same as in step 3 >> >> I think the issue is with this admin page. It seems to do something with >> the bind credentials it gets from the database. Maybe it wants to unhash it >> or something but it is not hashed in the database at all (just plain text). >> Which maybe it is the real issue here? >> >> Is this indeed a bug and if so shall I create a bug report for it? >> >> cheers >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > >

From sthorger at redhat.com Tue Jan 10 00:06:48 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 10 Jan 2017 06:06:48 +0100 Subject: [keycloak-user] Get token for JS UI In-Reply-To: References: Message-ID:

On 9 January 2017 at 15:03, Matt H wrote: > I didn't think there was, but I had to check. > > > I have a module that I have to use that authenticates a user. So when a > user goes to a UI, they will be required to authenticate with this. It > validates that they are who they are.
From there the UI (pure JS) would > call an application that is secured with Keycloak so the request needs a > token to access it. A lot of our application to application calls are set > up as clients with confidential access, so the application is what the > ticket is for, not the user using the application. Make sense? > Nopes, sorry. I read this a few times and I don't understand it at all. > > ------------------------------ > *From:* Stian Thorgersen > *Sent:* Monday, January 9, 2017 3:46 AM > *To:* Matt H > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Get token for JS UI > > No, of course there isn't. A JS app runs entirely within the users > browser. > > Can you explain what you're actually trying to achieve? I don't get it. > > On 6 January 2017 at 16:29, Matt H wrote: > >> I have a situation where I need my javascript UI (all client side) to >> obtain a token from Keycloak. The token would not be specific to the user >> but for the UI itself. Looking at the documentation for the Javascript >> Adapter, it appears that it only works for getting a token for the user and >> is a public access type. Is it possible to get a token for the UI and >> treat the UI as a confidential client? It would need to then have a secret >> key, right? Is there a good way to store that secret key so that it can't >> be read by users who just browse the source from their browser? >> >> >> The reason for doing this is I have another authentication engine that is >> used to access the UI. The users would then not have an account in >> Keycloak. 
>> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >

From dsbenghe at gmail.com Tue Jan 10 00:45:36 2017 From: dsbenghe at gmail.com (Dumitru Sbenghe) Date: Tue, 10 Jan 2017 16:45:36 +1100 Subject: [keycloak-user] Reset OTP Message-ID:

Hi, Correct me if I'm wrong but as far as I see the only way to reset your OTP is part of the reset password via email - optional feature (or disable otp for that user in the admin ui) which seems to make the OTP usage as 2sv heaps less secure than it should be considering that it can be reset together with the password via email. From reading the docs to make a reset OTP via sms for example, an authentication spi needs to be implemented, isn't it? Any plans to implement a more secure otp reset as standard feature in KeyCloak? Thanks, Dumitru

From sven.thoms at gmail.com Tue Jan 10 01:11:54 2017 From: sven.thoms at gmail.com (Sven Thoms) Date: Tue, 10 Jan 2017 07:11:54 +0100 Subject: [keycloak-user] Default identity provider REST endpoint Message-ID:

Is there a REST endpoint for setting the default, already set identity provider at Authentication - Authentication Flows - Browser - Identity Provider Redirector - Default Identity Provider? I could not find it under flows or flow executions.

From santosh.haranath at gmail.com Tue Jan 10 01:31:01 2017 From: santosh.haranath at gmail.com (Santosh Haranath) Date: Mon, 9 Jan 2017 22:31:01 -0800 Subject: [keycloak-user] Keycloak data stores - Config, User, Realm, Session ... Message-ID:

We are evaluating to use Keycloak for a multi-tenant access management solution deployed across 2 regions. Red Hat OpenShift Container Platform version 3.3 is the deployment platform. We have some data model constraints which requires us to use LDAP store.
- What is Keycloak's configuration store? How is configuration synchronized?
Where is SAML meta data, OAuth Client credentials etc. stored?
- I have read concerns about Mongo DB data store due to transaction requirements and possible removal of support from V3. Which SPI requires transactions? When is Version 3 due ?
- Can we split data store responsibilities as below?

  SPI -> Data Store Provider
  /subsystem=keycloak-server/spi=realm -> Mongo
  /subsystem=keycloak-server/spi=user -> LDAP
  /subsystem=keycloak-server/spi=userSessionPersister -> Infinispan
  /subsystem=keycloak-server/spi=authorizationPersister -> Infinispan
  /subsystem=keycloak-server/spi=userFederatedStorage -> LDAP
  /subsystem=keycloak-server/spi=eventsStore -> Mongo

Thanks.

From sthorger at redhat.com Tue Jan 10 03:17:56 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 10 Jan 2017 09:17:56 +0100 Subject: [keycloak-user] Reset OTP In-Reply-To: References: Message-ID:

We plan to introduce support to have more than one second factor mechanism associated with an account [1]. This will allow having a primary device as well as the option to select a backup device. With the addition of different types of second factor mechanisms like SMS [2] or backup codes users have a way to authenticate with alternative mechanisms. Once this is added there is strictly no need to enable reset OTP via email and users should have backup mechanisms configured and/or contact admins. [1] https://issues.jboss.org/browse/KEYCLOAK-1522 [2] https://issues.jboss.org/browse/KEYCLOAK-241 On 10 January 2017 at 06:45, Dumitru Sbenghe wrote: > Hi, > > Correct me if I'm wrong but as far as I see the only way to reset your > OTP is part of the reset password via email - optional feature (or disable > otp for that user in the admin ui) which seems to make the OTP usage as 2sv > heaps less secure than it should be considering that it can be reset > together with the password via email.
> > From reading the docs to make a reset OTP via sms for example, an > authentication spi needs to be implemented, isn't it? Any plans to implement > a more secure otp reset as standard feature in KeyCloak? > > Thanks, > Dumitru > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From sthorger at redhat.com Tue Jan 10 03:59:41 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 10 Jan 2017 09:59:41 +0100 Subject: [keycloak-user] Default identity provider REST endpoint In-Reply-To: References: Message-ID:

There is, but it's not too straightforward. Take a look at the requests sent by the admin console and you'll figure it out. On 10 January 2017 at 07:11, Sven Thoms wrote: > Is there a REST endpoint for setting the default, already set identity > provider at > > Authentication - Authentication Flows - Browser - Identity Provider > Redirector - Default Identity Provider? > > I could not find it under flows or flow executions. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From lists at merit.unu.edu Tue Jan 10 04:16:18 2017 From: lists at merit.unu.edu (lists) Date: Tue, 10 Jan 2017 10:16:18 +0100 Subject: [keycloak-user] h2 for production Message-ID:

Hi, I understand that it is not recommended to use h2 as your production database format. However, reading this: http://stackoverflow.com/questions/12064030/are-there-any-reasons-why-h2-database-shouldnt-be-used-in-production and given our situation (small userbase, no heavy use, no cluster / replication, no HA, etc, etc) is choosing h2 really a bad idea? Could we, for example, run into problems with keycloak updates?
MJ

From sven.thoms at gmail.com Tue Jan 10 04:17:31 2017 From: sven.thoms at gmail.com (Sven Thoms) Date: Tue, 10 Jan 2017 10:17:31 +0100 Subject: [keycloak-user] Service Account enable by default for clients, how? Message-ID:

Is it possible via a setting to automatically enable clients registered dynamically via the well-known registration endpoint and registration access token? My current approach is to iterate over all clients post - creation and set serviceaccountsEnabled to true. I need a more prompt and real-time way

From sblanc at redhat.com Tue Jan 10 04:31:42 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 10 Jan 2017 10:31:42 +0100 Subject: [keycloak-user] Service Account enable by default for clients, how? In-Reply-To: References: Message-ID:

I haven't tried it but when registering the client, in the payload, the ClientRepresentation, there is a serviceAccountsEnabled field, so maybe "service-accounts-enabled : true will do the trick ? On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms wrote: > Is it possible via a setting to automatically enable clients registered > dynamically via the well-known registration endpoint and registration > access token? My current approach is to iterate over all clients post - > creation and set serviceaccountsEnabled to true. I need a more prompt and > real-time way > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From mosheb at perfectomobile.com Tue Jan 10 05:21:53 2017 From: mosheb at perfectomobile.com (Moshe Ben-Shoham) Date: Tue, 10 Jan 2017 10:21:53 +0000 Subject: [keycloak-user] Using email attribute in SAML identity brokering Message-ID: <71D94666-07F8-464D-9581-BE47817F8416@perfectomobile.com>

Hi, We have a few clients integrated with Keycloak realm, using email address as the user identifier.
Now we wish to integrate KeyCloak with external IdP using its identity brokering capabilities based on SAML. The problem is, the user identifier in the external IdP is not the email address but some other username. We are able to get the email as an attribute in the SAML assertion coming into KeyCloak, but the missing part is mapping the email attribute to the user identifier in KeyCloak - how do we do that? Thanks! The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

From adam.michalski at aol.com Tue Jan 10 05:36:37 2017 From: adam.michalski at aol.com (adam.michalski at aol.com) Date: Tue, 10 Jan 2017 05:36:37 -0500 Subject: [keycloak-user] How to programmatically get groups/users/users in groups with roles from client using keycloak.admin.client.Keycloak, Message-ID: <15987f3770b-7030-1b3d@webprd-a54.mail.aol.com>

How to programmatically get groups/users/users in groups with roles from client using keycloak.admin.client.Keycloak,

From olivier.bruylandt at gmail.com Tue Jan 10 06:09:31 2017 From: olivier.bruylandt at gmail.com (Olivier Bruylandt) Date: Tue, 10 Jan 2017 12:09:31 +0100 Subject: [keycloak-user] Getting the client-IP behind a reverse proxy with HTTPS In-Reply-To: References: Message-ID:

Dear, I get an issue to get the wanted behavior when retrieving the client public IP.
This is the situation : (all IP's have been anonymized)

- infrastructure level:

  ----------- Reverse Proxy NGINX ----------------------------------- KeyCloak

  RP is listening on ports 80 & 443 (80 is redirected to 443)
  There is a public certificate signed by some external CA
  Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
  Keycloak is set as standalone server on a Wildfly last version

- Nginx config

  server {
      listen 443;
      server_name ************;
      fastcgi_param HTTPS on;
      location / {
          add_header X-Cache-Status $upstream_cache_status;
          add_header X-Real-IP $remote_addr;
          add_header X-Forwarded-For $remote_addr;
          add_header X-Forwarded-Proto $scheme;
          more_set_headers 'Server: ******';
          more_clear_headers 'X-Powered-By';
          charset UTF-8;
          proxy_cache ******_cache;
          proxy_pass https://1.1.1.1:8443/ ;
      }
      ssl on;
      ssl_certificate /etc/ssl/private/**********.crt;
      ssl_certificate_key /etc/ssl/private/*************.key;
      ssl_prefer_server_ciphers on;
      ssl_dhparam /etc/ssl/***********.pem;
      ssl_protocols TLSv1.1 TLSv1.2;
      ssl_stapling on;
      ssl_session_cache builtin:1000 shared:SSL:10m;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
      add_header X-Frame-Options "DENY";
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

- Keycloak config :

  [standalone.xml undertow subsystem listing; XML elements not preserved]

The situation is that everything is working fine and smooth EXCEPT ... the fact that under sessions (and moreover for all user activities), the user IP I see is the one of the reverse proxy !! As I put in red in the KC config, this is what should do the trick to use the X-Forwarded-For header value to set the client's IP.

  15:07:55,104 WARN [org.keycloak.events] (default task-19) type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null, ipAddress=2.2.2.2, (...)
When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates the SSL connection and the one to KC server is made in HTTP), I got obviously a whole bunch of warnings and errors due to HTTP -> HTTPS transport and also a HTTP connection towards the external social identity providers like Google, FB, etc. ... BUT I got at least the real IP as you might see hereunder :

  15:09:24,068 WARN [org.keycloak.events] (default task-29) type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null, ipAddress=191.21.133.234, (...)

So the situation is that I only get the "real" IP of the client if it passes through the HTTP listener of KC (that has the parameter "proxy-address-forwarding") which is not what I want as I want to reach the HTTPS listener. I obviously also tried to add the same parameter (proxy-address-forwarding = "true") in the HTTPS listener configuration but then, standalone.sh shows an error and refuses to start :

  14:24:30,621 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
  14:24:30,821 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
  14:24:30,888 INFO [org.jboss.as ] (MSC service thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final) starting
  14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
      at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
      at org.jboss.as.server.ServerService.boot(ServerService.java:356)
      at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
      at java.lang.Thread.run(Thread.java:745)
  Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[380,17]
  Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding' encountered. Valid attributes are: 'socket-binding, worker, buffer-pool, enabled, resolve-peer-address, security-realm, verify-client, enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy, ssl-session-cache-size, ssl-session-timeout, max-header-size, max-post-size, buffer-pipelined-data, max-parameters, max-headers, max-cookies, allow-encoded-slash, decode-url, url-charset, always-set-keep-alive, max-buffered-request-size, record-request-start-time, allow-equals-in-cookie-value, no-request-timeout, request-parse-timeout, disallowed-methods, tcp-backlog, receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout, max-connections, secure'
      at org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)

requirements :

- Entire solution has to run with SSL (HTTPS) from end to end

Has someone already faced that situation or does anyone have any clue about this ? Thank you for reading this post. Regards, /Olivier On 10 January 2017 at 11:52, Olivier Bruylandt wrote: > Dear, > > > I get an issue to get the wanted behavior when retrieving the client > public IP.
> This is the situation : > (all IP's have been anonymized) > > > > - *infrastructure level*: > > ----------- Reverse Proxy NGINX ----------------------------------- > KeyCloak > > RP is listening on ports 80 & 443 (80 is redirected to 443) > There is a public certificate signed by some external CA > Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080) > Keycloak is set as standalone server on a Wildfly last version > > > > > - *Nginx config* > > > > > > > > > > > > > > > > > > > *server { listen 443; server_name ************; > fastcgi_param HTTPS on; location / { add_header > X-Cache-Status $upstream_cache_status; add_header X-Real-IP > $remote_addr; add_header X-Forwarded-For $remote_addr; > add_header X-Forwarded-Proto $scheme; > more_set_headers 'Server: ******'; more_clear_headers > 'X-Powered-By'; charset UTF-8; proxy_cache > ******_cache; proxy_pass https://1.1.1.1:8443/ > ; }* > > > > > > > > > > > > > * ssl on; ssl_certificate /etc/ssl/private/**********.crt; > ssl_certificate_key /etc/ssl/private/*************.key; > ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/***********.pem; > ssl_protocols TLSv1.1 TLSv1.2; ssl_stapling on; > ssl_session_cache builtin:1000 shared:SSL:10m; add_header > Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; > add_header X-Frame-Options "DENY"; ssl_ciphers > 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';* > > > > > - *Keycloak config* : > > > * * > * * > * * > > * name="default" proxy-address-forwarding="true" socket-binding="http"/>* > * socket-binding="https"/>* > * * > * * > * * > * * > * * > * * > * * > * * > * * > * path="${jboss.home.dir}/welcome-content"/>* > * * > * * > > > > > > > > The situation is that everything is working fine and smooth EXCEPT ... the > fact that under sessions (and moreover for all user activities), the user > IP I see is the one of the reverse proxy !! 
> As I put in red in the KC config, this is what should do the trick to use > the X-Forwarded-For header value to set the client's IP. > > 15:07:55,104 WARN [org.keycloak.events] (default task-19) > type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null, > ipAddress=2.2.2.2, (...) > > > > When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates > the SSL connection and the one to KC server is made in HTTP), I got > obviously a whole bunch of warnings and errors due to HTTP -> HTTPS > transport and also a HTTP connection towards the external social identity > providers like Google, FB, etc. ... BUT I got at least the real IP as you > might see hereunder : > > 15:09:24,068 WARN [org.keycloak.events] (default task-29) > type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null, > ipAddress=191.21.133.234, (...) > > > > > > So the situation is that I will only get the "real" IP of the client only > if it passes through the HTTP listener of KC (that has the parameter > "proxy-address-forwarding") which is not what I want as I want to reach the > HTTPS listener. 
> I obviously also tried to add the same parameter (*proxy-address-forwarding > = "true"*) in the HTTPS listener configuration but then, standalone.sh > shows an error and refuses to start : > > > *14:24:30,621 INFO [org.jboss.modules] (main) JBoss Modules version > 1.5.1.Final* > *14:24:30,821 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final* > *14:24:30,888 INFO [org.jboss.as ] (MSC service > thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final) > starting* > *14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0055: Caught exception during boot: > org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: > Failed to parse configuration* > * at > org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)* > * at org.jboss.as.server.ServerService.boot(ServerService.java:356)* > * at > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)* > * at java.lang.Thread.run(Thread.java:745)* > *Caused by: javax.xml.stream.XMLStreamException: ParseError at > [row,col]:[380,17]* > *Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding' > encountered. 
Valid attributes are: 'socket-binding, worker, buffer-pool, > enabled, resolve-peer-address, security-realm, verify-client, > enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy, > ssl-session-cache-size, ssl-session-timeout, max-header-size, > max-post-size, buffer-pipelined-data, max-parameters, max-headers, > max-cookies, allow-encoded-slash, decode-url, url-charset, > always-set-keep-alive, max-buffered-request-size, > record-request-start-time, allow-equals-in-cookie-value, > no-request-timeout, request-parse-timeout, disallowed-methods, tcp-backlog, > receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout, > max-connections, secure'* > * at > org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)* > > > > > > *requirements* : > > - Entire solution has to run with SSL (HTTPS) from end to end > > > > Did someone already faced that situation or does have any clue about this ? > Thank you for reading this post. > > Regards, > > > /Olivier > From istvan.orban at gmail.com Tue Jan 10 06:27:57 2017 From: istvan.orban at gmail.com (Istvan Orban) Date: Tue, 10 Jan 2017 11:27:57 +0000 Subject: [keycloak-user] question on integration in a mixed environment Message-ID: I am in the middle of setting up SSO in our infrastructure and I am wondering if people would more experience could share their learnings. I already have a reverse-proxy in-front of our system. We have several legacy java apps running on tomcat We have SPA apps as well written in JS We have few APIs that will also need to be protected I have two ways to set SSO up for us. set up SSO on the reverse proxy using mod_auth_openidc so our gatekeeper makes sure that anyone who is hitting our services is already validated. add a keycloak libs to each individual service My preference is to set this up on the referse proxy. Are there any disadvantages / best practices when it comes to this? 
For legacy apps I would just use the HTTP headers added by the reverse proxy to find user details. For the new apps I would like to use the keycloak libs to get user details. I do not want to go down some routes which are obviously problematic. So any tips so that I can save some time are very welcome. -- Kind Regards, Istvan Orban I Skype: istvan_o I Mobile: +44 (0) 7956 122 144 I

From mstrukel at redhat.com Tue Jan 10 06:33:31 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Tue, 10 Jan 2017 12:33:31 +0100 Subject: [keycloak-user] How to programmatically get groups/users/users in groups with roles from client using keycloak.admin.client.Keycloak, In-Reply-To: <15987f3770b-7030-1b3d@webprd-a54.mail.aol.com> References: <15987f3770b-7030-1b3d@webprd-a54.mail.aol.com> Message-ID:

Take a look at our testsuite. For example: https://github.com/keycloak/keycloak/blob/2.5.0.Final/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java#L837-L915 https://github.com/keycloak/keycloak/blob/2.5.0.Final/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/group/GroupTest.java#L425-L495 On Tue, Jan 10, 2017 at 11:36 AM, wrote: > How to programmatically get groups/users/users in groups with roles from > client using keycloak.admin.client.Keycloak, > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From sts at ono.at Tue Jan 10 06:45:23 2017 From: sts at ono.at (Stefan Schlesinger) Date: Tue, 10 Jan 2017 12:45:23 +0100 Subject: [keycloak-user] Optional 2FA Message-ID:

Hi, is there a way to configure Keycloak, so that 2FA via OTP gets optional for certain clients only? Best, Stefan.
From mposolda at redhat.com Tue Jan 10 07:01:44 2017 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 10 Jan 2017 13:01:44 +0100 Subject: [keycloak-user] h2 for production In-Reply-To: References: Message-ID:

On 10/01/17 10:16, lists wrote: > Hi, > > I understand that it is not recommended to use h2 as your production > database format. However, reading this: > > http://stackoverflow.com/questions/12064030/are-there-any-reasons-why-h2-database-shouldnt-be-used-in-production > > and given our situation (small userbase, no heavy use, no cluster / > replication, no HA, etc, etc) is choosing h2 really a bad idea?

You can try to do some testing and check if it suits your needs. However note that we are not doing any performance/concurrency testing with H2 and we don't test the migration with it. There can be some concurrency issues, which can be seen just in production (eg. parallel login of more users etc). Migration should work fine, but again, we are not testing it and if something doesn't work, you won't receive any support. So maybe I would rather ask the opposite question: Is it really a big issue for you to use some other more proper DB (PostgreSQL, MySQL)? Marek > > Could we, for example, run into problems with keycloak updates? > > MJ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From lists at merit.unu.edu Tue Jan 10 07:02:15 2017 From: lists at merit.unu.edu (lists) Date: Tue, 10 Jan 2017 13:02:15 +0100 Subject: [keycloak-user] active directory | end user password change Message-ID:

Hi, Keycloak 2.5.0, added MSAD (samba4) as a writeable federation provider, verified that the MSAD account controls mapper is added. When an end-user logs into the keycloak account client (/auth/realms/ourrealm/account) he/she has the option to change his/her password. However, keycloak says: > Could not modify attribute for DN [CN=ted t.
test,CN=Users,DC=samba,DC=company,DC=com] Note: I used "ABC-def123_*%#" as a password, so I guess MSAD password policies are not the problem here. Additionally, I was under the impression that I should be able to logon when in MSAD the "user is required to change password on next login", and keycloak would require me to change it. However, in that case I'm just getting an "Invalid username or password". I asked about these things before, but was told to test the new 2.5.0, because the problem could have been solved already. However, I'm trying with 2.5.0, and the behaviour is still there. Is this functionality working for others using MSAD here? (perhaps others with samba4 AD?) Best regards, MJ

From adam.hatherly at nhs.net Tue Jan 10 07:03:35 2017 From: adam.hatherly at nhs.net (HATHERLY, Adam (NHS DIGITAL)) Date: Tue, 10 Jan 2017 12:03:35 +0000 Subject: [keycloak-user] Passing an array of user realm roles in a Token Mapper Message-ID:

Hi, I have been using the Token Mappers within a Client to map a set of Keycloak Group Memberships into an attribute in the Token, so the client application can grant appropriate access based on this. The groups are coming through as an array in the token, which works nicely. I wanted to switch to using a "User Realm Role" mapper instead of "Group Memberships" because I can then set up automatic realm roles based on the identity source, which I can't do with Groups. My problem is, when I create a new User Realm Role mapper in the Client definition, the only types I can specify for the field are String, long, int or boolean. If I choose String, the list of roles comes through as a comma-separated String rather than an array in the JSON object. I'd rather not update all my clients to parse this - is there any way of getting keycloak to return the roles as an array rather than a string? Is this against the spec, or is there some other limitation I am not aware of that prevents this? Thanks, Adam.
Adam Hatherly
Senior Technical Architect
Central Architecture Service
NHS Digital
adam.hatherly at nhs.net
0113 397 4164
07920 861 737

********************************************************************************************************************
This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in reliance on its contents: to do so is strictly prohibited and may be unlawful.

Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be accessed anywhere
For more information and to find out how you can switch, visit www.nhsdigital.nhs.uk/nhsmail
********************************************************************************************************************

From avinash at avinash.com.np Tue Jan 10 07:04:16 2017
From: avinash at avinash.com.np (Avinash Kundaliya)
Date: Tue, 10 Jan 2017 17:49:16 +0545
Subject: [keycloak-user] RBAC : adding permissions to roles
In-Reply-To:
References: <73016eed-97b0-a032-a7e1-94d11d5f3ef0@avinash.com.np> <48a92762-eaf7-8c82-ba2b-bbfd3cab0abb@avinash.com.np>
Message-ID:

Thanks for thinking through with me. It has been really helpful. Question inline.

On 1/9/17 23:18, Pedro Igor wrote:
>>
>> On 1/9/2017 11:46:02 AM, Avinash Kundaliya wrote:
>>
>> Hi Stian,
>> Thanks for the prompt response, I have probably read through the guide a number of times. It's helpful but it takes a while (and some struggle) to probably understand it and implement in practice.
>>
>> Is there an example of how to do this simply, or would one have to create scopes (which is like a permission), policies (one for each role) and permissions, that would map the role to a scope ?

> *Pedro Igor:* You can create a policy for each role or a single one with the roles you want to enforce before accessing a resource/scope. It really depends on your requirements.

>>
>> Also, possibly a related question, does role-type policy also take in account roles that a user gets effectively because of a composite role? If so, the "Evaluate" page always gives me a Deny. Another approach, if I add the scope to each policy, then it still gives me a Deny (I tried setting the strategy to Affirmative, still didn't help).

> *Pedro Igor:* I think we are not handling composite roles. But I think you can achieve a similar behavior if you create a single policy with all roles that are allowed to access your protected resource.
>
> Role policies also allow you to mark a specific role as "required" so users must be granted with all required roles and any of the "non-required" roles you defined.
>
> If you want to say, for instance, "Roles A and B Can Perform Action C on Resource D", you can just create:
>
> 1) Resource D, Scope C and associate Scope C with Resource D
> 2) Role Policy for Roles A and B (in this case users with any of these roles are granted) or separate policies for each role if you need to (you may want to reuse the role policy for each role to build other permissions or policies)
> 3) Create a permission that puts together Resource D + Scope C + Policies, where the latter is basically the role policies you created.
>
> Does that work for you?

*Avinash:* This definitely makes a lot of sense. I eventually created one policy for each role and then created a permission per scope and added the roles to it. Now, the next step that I want to achieve is to find out the scopes that a role can access for a resource.
Is there an API endpoint or a way to list out the scopes for a role? So, from the above example: for the query "What can Role A do on Resource D" it should return "*Action C, ... *"

>>
>> I hope the description isn't abstract, if so I will try to add screenshots next time.
>>
>> Regards,
>> Avinash
>>
>> On 1/9/17 19:14, Stian Thorgersen wrote:
>> > You can either use our authorization services (see https://keycloak.gitbooks.io/authorization-services-guide/content/) to manage permissions centrally through Keycloak or you can manage it on your own within the application.
>> >
>> > On 9 January 2017 at 14:19, Avinash Kundaliya wrote:
>> >
>> > Hello,
>> >
>> > I have a very basic question and am curious how to model this via keycloak.
>> >
>> > In my application I have some roles. I want to map each role to a set of permissions so that based on those permissions I can check if the user has access to a specific action/resource in my application server. (pretty much how classically RBAC is done)
>> >
>> > I am curious if there is a defined pattern/way of modeling such a behavior in keycloak, or would the best way to do this be to define and map permissions (to roles) in the application (i.e outside keycloak). What is the best practice for such a case?
>> >
>> > Regards,
>> > Avinash
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Jan 10 07:04:24 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 10 Jan 2017 13:04:24 +0100
Subject: [keycloak-user] Optional 2FA
In-Reply-To:
References:
Message-ID: <7b2ac5cf-8441-c8c3-1956-fa9934d4eda4@redhat.com>

Yes, we have a conditional OTP Authenticator. This allows, for example, enforcing OTP just for some users (those which have or don't have specified roles and/or attributes etc). See docs for more details.

Marek

On 10/01/17 12:45, Stefan Schlesinger wrote:
> Hi,
>
> is there a way to configure Keycloak, so that 2FA via OTP gets optional for certain clients only?
>
> Best, Stefan.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From david_delbecq at trimble.com Tue Jan 10 07:06:43 2017
From: david_delbecq at trimble.com (David Delbecq)
Date: Tue, 10 Jan 2017 12:06:43 +0000
Subject: [keycloak-user] remove permission to a group of users (veto keycloak auth)
In-Reply-To: <361405b4-d8fc-8b81-1870-538419eb5063@redhat.com>
References: <361405b4-d8fc-8b81-1870-538419eb5063@redhat.com>
Message-ID:

Indeed, that's what I finally did. Simple solutions sometimes slip my mind. Was looking for too complex :)

On Tue, Jan 3, 2017 at 6:24 PM Bill Burke wrote:
> You could do it in a servlet filter.
>
> On 1/3/17 10:09 AM, David Delbecq wrote:
> > Hello,
> > I'm trying to find out the best way to migrate one of our current behaviour to a keycloak based installation.
> >
> > We currently have a many to one relationship between user account and companies. A company can have multiple users in the application. We need to be able to disable a complete company on one application. What is the best approach to doing this?
> >
> > I tried (and failed) to create an additional required login module in wildfly and have this return false on login() if company has not been enabled in application. It seems that when you come with a bearer token, you don't go into login modules (neither mine nor the keycloak one), you are just immediately recognized by the subsystem which then bypasses the jaas login modules of keycloak.
> >
> > I can't just disable the users, as they still need to be able to log in on our other applications.
> >
> > I was thinking of using Groups in keycloak, one for each company&application combo and add / remove an automatic required role to block access to disabled companies. But it means a double maintenance between keycloak and our internal database to maintain the list of companies.
> >
> > Is there some way to tap in the wildfly keycloak subsystem to veto valid authentications?
> >
> > thank you.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq at trimbletl.com

From david_delbecq at trimble.com Tue Jan 10 07:09:17 2017
From: david_delbecq at trimble.com (David Delbecq)
Date: Tue, 10 Jan 2017 12:09:17 +0000
Subject: [keycloak-user] Detect user impersonation
Message-ID:

Hello,

for audit reasons, our application needs to be able to make the difference between "userA" and "userA impersonated by admin xyz".
Is there some way from the client point of view to make a difference between a logged in user and an admin impersonating that user? Is it possible to add some property in KeycloakPrincipal to detect it? And possibly get the name of the admin doing it?

--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq at trimbletl.com

From lists at merit.unu.edu Tue Jan 10 07:09:39 2017
From: lists at merit.unu.edu (lists)
Date: Tue, 10 Jan 2017 13:09:39 +0100
Subject: [keycloak-user] h2 for production
In-Reply-To:
References:
Message-ID: <7625bf48-bcb0-07d4-d3b2-3321890d7f48@merit.unu.edu>

Hi Marek,

On 10-1-2017 13:01, Marek Posolda wrote:
> So maybe I would rather ask the opposite question: Is it really a big issue for you to use some other more proper DB (PostgreSQL, MySQL)?

I guess not, then. :-)

H2 is just running so easily and beautifully in our testing... plus the machine could stay more lightweight without mysql / postgresql.

I'll look into this whole java database connector business then. (having to arrange that was also partly what was holding me back)

Thanks for the feedback,
MJ

From hmlnarik at redhat.com Tue Jan 10 07:11:45 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 10 Jan 2017 13:11:45 +0100
Subject: [keycloak-user] Using email attribute in SAML identity brokering
In-Reply-To: <71D94666-07F8-464D-9581-BE47817F8416@perfectomobile.com>
References: <71D94666-07F8-464D-9581-BE47817F8416@perfectomobile.com>
Message-ID:

Use the Username Template Importer mapper, configured in the identity provider mappers with template ${ATTRIBUTE.attribute-name} (adjust the attribute-name appropriately).

--Hynek

On Tue, Jan 10, 2017 at 11:21 AM, Moshe Ben-Shoham wrote:
> Hi,
>
> We have a few clients integrated with Keycloak realm, using email address as the user identifier.
>
> Now we wish to integrate KeyCloak with external IdP using its identity brokering capabilities based on SAML. The problem is, the user identifier in the external IdP is not the email address but some other username. We are able to get the email as an attribute in the SAML assertion coming into KeyCloak, but the missing part is mapping the email attribute to the user identifier in KeyCloak - how do we do that?
>
> Thanks!
>
> The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From mposolda at redhat.com Tue Jan 10 07:16:46 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 10 Jan 2017 13:16:46 +0100
Subject: [keycloak-user] Passing an array of user realm roles in a Token Mapper
In-Reply-To:
References:
Message-ID:

I can see that AbstractUserRoleMappingMapper.setClaim is currently using Set (not List) and doesn't have any support for multivalued though, so yes, currently the UserRealmRoleMappingMapper always returns a string with the roles divided by comma. You can create a JIRA for this with steps to reproduce. It seems we will need to add a flag like "Multivalued" to the protocolMapper configuration as some other users may rely on the old behaviour.
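Added example for Adam's question and Marek's confirmation above (not code from the list or from Keycloak): until the mapper grows a multivalued option, a relying party has to accept the role claim in either shape, a JSON array (as the Group Membership mapper emits) or a comma-separated string (as the User Realm Role mapper emits today), and must not treat the two differently when it authorizes. The claim name "roles", the sample payloads and the placeholder signature segment are constructed here; the helper only reads the already-decoded payload and assumes the token's signature and expiry were verified by the adapter before the claim is trusted.

```python
"""Normalise a Keycloak role claim that may arrive as a JSON array or as a
comma-separated string (added example; not Keycloak's own code)."""
import base64
import json


def normalize_roles(claim):
    """Return a sorted list of unique role names from a claim value that is
    either a list of strings, a comma-separated string, or absent.
    Anything else is rejected instead of silently yielding no roles."""
    if claim is None:
        return []
    if isinstance(claim, str):
        parts = claim.split(",")
    elif isinstance(claim, (list, tuple)):
        parts = []
        for item in claim:
            if not isinstance(item, str):
                raise TypeError("role entries must be strings, got %r" % (item,))
            parts.append(item)
    else:
        raise TypeError("unsupported role claim type: %s" % type(claim).__name__)
    # Trim whitespace around each name and drop empties; role names are
    # compared exactly, so case is preserved.
    return sorted({p.strip() for p in parts if p.strip()})


def _b64url(data):
    """base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def make_sample_token(payload):
    """Build a constructed token for the demo: real header, given payload,
    placeholder signature. Only for exercising claim parsing offline;
    a real client verifies the signature before reading any claim."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header).encode("utf-8")),
        _b64url(json.dumps(payload).encode("utf-8")),
        _b64url(b"placeholder-signature"),
    ])


def roles_from_token(token, claim_name="roles"):
    """Read the named claim from a JWT payload and normalise it. This does
    not verify the token; it handles only the claim's shape."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return normalize_roles(payload.get(claim_name))


def has_all_roles(token, required, claim_name="roles"):
    """Authorization check: True only if every required role is present,
    regardless of which shape the mapper delivered the claim in."""
    return set(required) <= set(roles_from_token(token, claim_name))


if __name__ == "__main__":
    as_string = make_sample_token({"sub": "u1", "roles": "admin, viewer"})
    as_array = make_sample_token({"sub": "u1", "roles": ["viewer", "admin"]})
    print(roles_from_token(as_string), roles_from_token(as_array))
    print(has_all_roles(as_string, ["admin", "editor"]))
```

The point of the sorted, de-duplicated set is that the two mapper shapes compare equal, so swapping the Group Membership mapper for the User Realm Role mapper does not change any authorization decision in the client.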
Marek

On 10/01/17 13:03, HATHERLY, Adam (NHS DIGITAL) wrote:
> Hi,
>
> I have been using the Token Mappers within a Client to map a set of Keycloak Group Memberships into an attribute in the Token, so the client application can grant appropriate access based on this. The groups are coming through as an array in the token, which works nicely.
>
> I wanted to switch to using a "User Realm Role" mapper instead of "Group Memberships" because I can then set up automatic realm roles based on the identity source, which I can't do with Groups.
>
> My problem is, when I create a new User Realm Role mapper in the Client definition, the only types I can specify for the field are String, long, int or boolean. If I choose String, the list of roles comes through as a comma-separated String rather than an array in the JSON object. I'd rather not update all my clients to parse this - is there any way of getting keycloak to return the roles as an array rather than a string? Is this against the spec, or is there some other limitation I am not aware of that prevents this?
>
> Thanks,
>
> Adam.
>
> Adam Hatherly
> Senior Technical Architect
> Central Architecture Service
> NHS Digital
>
> adam.hatherly at nhs.net
> 0113 397 4164
> 07920 861 737
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Jan 10 07:38:20 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 10 Jan 2017 13:38:20 +0100
Subject: [keycloak-user] active directory | end user password change
In-Reply-To:
References:
Message-ID: <52960ef6-eec2-50ec-f0b8-5144c0cf006e@redhat.com>

We don't support and test with samba AD. You can try to enable TRACE or DEBUG logging for "org.keycloak.storage.ldap" and see the server.log for more details. However it seems that MSADUserAccountControlStorageMapper just doesn't work OOTB with the Samba AD. You may need to implement your own mapper with some changes (for example recently we had a contribution from the community for the MSAD LDS mapper).

Marek

On 10/01/17 13:02, lists wrote:
> Hi,
>
> Keycloak 2.5.0, added MSAD (samba4) as a writeable federation provider, verified that the MSAD account controls mapper is added.
>
> When an end-user logs into the keycloak account client (/auth/realms/ourrealm/account) he/she has the option to change his/her password.
>
> However, keycloak says:
>
>> Could not modify attribute for DN [CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com]
>
> Note: I used "ABC-def123_*%#" as a password, so I guess MSAD password policies are not the problem here.
>
> Additionally, I was under the impression that I should be able to logon when in MSAD the "user is required to change password on next login", and keycloak would require me to change it. However, in that case I'm just getting an "Invalid username or password".
>
> I asked about these things before, but was told to test the new 2.5.0, because the problem could have been solved already. However, I'm trying with 2.5.0, and the behaviour is still there.
>
> Is this functionality working for others using MSAD here? (perhaps others with samba4 AD?)
>
> Best regards,
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sumitdas66 at gmail.com Tue Jan 10 10:26:50 2017
From: sumitdas66 at gmail.com (Sumit Das)
Date: Tue, 10 Jan 2017 20:56:50 +0530
Subject: [keycloak-user] Synchronization Issue on Periodic Full Sync
Message-ID:

Hi

I have kept the "Periodic Full Sync" on during creation of an LDAP federation with an Active Directory instance. When I am creating a new user, the sync works and I am able to view the same user on the AD instance. But when I am creating any new role or group, the same is not reflected on the AD instance. I have refreshed the respective folders on the AD instance but still I am not able to view the updated Groups and Roles.

But when I am assigning these roles or groups to any user, and then when the periodic sync triggers, at that moment I am able to view that respective Group or Role on the AD instance and the association with the user is also reflected.

So newly created roles and groups are not reflected on the AD instance but when associated with a user, the syncing is reflected.
Can you please guide me if I am doing something wrong or is this how the Keycloak LDAP Federation is supposed to work?

--
Sumit Das
Mobile No.- +91-9986872466

From bburke at redhat.com Tue Jan 10 10:43:38 2017
From: bburke at redhat.com (Bill Burke)
Date: Tue, 10 Jan 2017 10:43:38 -0500
Subject: [keycloak-user] Synchronization Issue on Periodic Full Sync
In-Reply-To:
References:
Message-ID: <0c3b9233-a327-ff1b-c84f-34af836fb220@redhat.com>

Do you have a role mapper created in ldap config?

On 1/10/17 10:26 AM, Sumit Das wrote:
> Hi
>
> I have kept the "Periodic Full Sync" on during creation of an LDAP federation with an Active Directory instance. When I am creating a new user, the sync works and I am able to view the same user on the AD instance. But when I am creating any new role or group, the same is not reflected on the AD instance. I have refreshed the respective folders on the AD instance but still I am not able to view the updated Groups and Roles.
>
> But when I am assigning these roles or groups to any user, and then when the periodic sync triggers, at that moment I am able to view that respective Group or Role on the AD instance and the association with the user is also reflected.
>
> So newly created roles and groups are not reflected on the AD instance but when associated with a user, the syncing is reflected.
>
> Can you please guide me if I am doing something wrong or is this how the Keycloak LDAP Federation is supposed to work
>

From ronyjoy at gmail.com Tue Jan 10 11:46:40 2017
From: ronyjoy at gmail.com (rony joy)
Date: Tue, 10 Jan 2017 16:46:40 +0000
Subject: [keycloak-user] Customizing error Pages(for example client logo)
Message-ID:

Hi All,

We are trying to customize the error pages based on the realm id. We are able to do the basic modification by extending the error pages in our custom theme.
But in our error pages we wanted to have more realm specific customization (for example customer logo) by fetching the logo from external services based on the realm Id. Currently we don't see a way by looking at the code.

Any help is appreciated.

Thanks
Rony Joy

From psilva at redhat.com Tue Jan 10 13:08:16 2017
From: psilva at redhat.com (Pedro Igor)
Date: Tue, 10 Jan 2017 16:08:16 -0200
Subject: [keycloak-user] RBAC : adding permissions to roles
In-Reply-To:
References: <73016eed-97b0-a032-a7e1-94d11d5f3ef0@avinash.com.np> <48a92762-eaf7-8c82-ba2b-bbfd3cab0abb@avinash.com.np>
Message-ID: <42072341-1be1-485c-8f09-6d3d74a43646@getmailbird.com>

Policy evaluation is only performed based on an identity represented by a token. The only thing you will get is what a specific user can access as a consequence of the roles granted to the same user. You can do that via the Evaluation Tool though, so you can design and test your policies.

On 1/10/2017 10:04:25 AM, Avinash Kundaliya wrote:

Thanks for thinking through with me. It has been really helpful. Question inline.

On 1/9/17 23:18, Pedro Igor wrote:

On 1/9/2017 11:46:02 AM, Avinash Kundaliya wrote:

Hi Stian,
Thanks for the prompt response, I have probably read through the guide a number of times. It's helpful but it takes a while (and some struggle) to probably understand it and implement in practice.

Is there an example of how to do this simply, or would one have to create scopes (which is like a permission), policies (one for each role) and permissions, that would map the role to a scope ?

Pedro Igor: You can create a policy for each role or a single one with the roles you want to enforce before accessing a resource/scope. It really depends on your requirements.

Also, possibly a related question, does role-type policy also take in account roles that a user gets effectively because of a composite role? If so, the "Evaluate" page always gives me a Deny.
Another approach, if I add the scope to each policy, then it still gives me a Deny (I tried setting the strategy to Affirmative, still didn't help).

Pedro Igor: I think we are not handling composite roles. But I think you can achieve a similar behavior if you create a single policy with all roles that are allowed to access your protected resource.

Role policies also allow you to mark a specific role as "required" so users must be granted with all required roles and any of the "non-required" roles you defined.

If you want to say, for instance, "Roles A and B Can Perform Action C on Resource D", you can just create:

1) Resource D, Scope C and associate Scope C with Resource D
2) Role Policy for Roles A and B (in this case users with any of these roles are granted) or separate policies for each role if you need to (you may want to reuse the role policy for each role to build other permissions or policies)
3) Create a permission that puts together Resource D + Scope C + Policies, where the latter is basically the role policies you created.

Does that work for you?

Avinash: This definitely makes a lot of sense. I eventually created one policy for each role and then created a permission per scope and added the roles to it. Now, the next step that I want to achieve is to find out the scopes that a role can access for a resource. Is there an API endpoint or a way to list out the scopes for a role? So, from the above example: for the query "What can Role A do on Resource D" it should return "Action C, ... "

I hope the description isn't abstract, if so I will try to add screenshots next time.

Regards,
Avinash

On 1/9/17 19:14, Stian Thorgersen wrote:
> You can either use our authorization services (see https://keycloak.gitbooks.io/authorization-services-guide/content/) to manage permissions centrally through Keycloak or you can manage it on your own within the application.
>
> On 9 January 2017 at 14:19, Avinash Kundaliya wrote:
>
> Hello,
>
> I have a very basic question and am curious how to model this via keycloak.
>
> In my application I have some roles. I want to map each role to a set of permissions so that based on those permissions I can check if the user has access to a specific action/resource in my application server. (pretty much how classically RBAC is done)
>
> I am curious if there is a defined pattern/way of modeling such a behavior in keycloak, or would the best way to do this be to define and map permissions (to roles) in the application (i.e outside keycloak). What is the best practice for such a case?
>
> Regards,
> Avinash
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From santosh.haranath at gmail.com Tue Jan 10 15:36:14 2017
From: santosh.haranath at gmail.com (Santosh Haranath)
Date: Tue, 10 Jan 2017 12:36:14 -0800
Subject: [keycloak-user] Session timeout based on AuthN level of assurance
Message-ID:

Does the Script Authenticator in the Authentication flow provide a way to manage session timeout as per level of assurance? Example: 2FA is valid for 20 mins but local LDAP authn is valid for 60 mins.

How can we implement this requirement with keycloak?
Thanks

From santosh.haranath at gmail.com Tue Jan 10 15:41:23 2017
From: santosh.haranath at gmail.com (Santosh Haranath)
Date: Tue, 10 Jan 2017 12:41:23 -0800
Subject: [keycloak-user] Session timeout based on AuthN level of assurance
In-Reply-To:
References:
Message-ID:

In continuation - With Step-Up Authentication, applications that allow access to different types of resources can require users to authenticate with a stronger authentication mechanism to access sensitive resources. How can we implement step-up authentication with Keycloak? Is there an implementation of Authentication Context Class Reference within Keycloak?

On Tue, Jan 10, 2017 at 12:36 PM, Santosh Haranath wrote:
> Does the Script Authenticator in the Authentication flow provide a way to manage session timeout as per level of assurance? Example: 2FA is valid for 20 mins but local LDAP authn is valid for 60 mins.
>
> How can we implement this requirement with keycloak?
>
> Thanks

From sven.thoms at gmail.com Wed Jan 11 02:16:21 2017
From: sven.thoms at gmail.com (Sven Thoms)
Date: Wed, 11 Jan 2017 08:16:21 +0100
Subject: [keycloak-user] Service Account enable by default for clients, how?
In-Reply-To:
References:
Message-ID:

Hello Sebastien

Are you talking about the Admin REST endpoint or the registration_endpoint defined at /auth/realms/[realmname]/.well-known/openid-configuration?

I am trying to submit a registration request via registration_endpoint and submit a field enabling the service account. According to the openid connect dynamic client registration documentation at openid.net, the request payload is non-normative, I am just not able to enable service account that way.

On 10.01.2017 10:32 AM, "Sebastien Blanc" wrote:
> I haven't tried it but when registering the client, in the payload, the ClientRepresentation, there is a serviceAccountsEnabled field, so maybe "service-accounts-enabled : true" will do the trick?
>
> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms wrote:
>
>> Is it possible via a setting to automatically enable clients registered dynamically via the well-known registration endpoint and registration access token? My current approach is to iterate over all clients post-creation and set serviceaccountsEnabled to true. I need a more prompt and real-time way
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From mosheb at perfectomobile.com Wed Jan 11 03:00:21 2017
From: mosheb at perfectomobile.com (Moshe Ben-Shoham)
Date: Wed, 11 Jan 2017 08:00:21 +0000
Subject: [keycloak-user] Using email attribute in SAML identity brokering
In-Reply-To:
References: <71D94666-07F8-464D-9581-BE47817F8416@perfectomobile.com>
Message-ID: <3AFFBF93-6906-4B7A-A35B-1327A06572C8@perfectomobile.com>

Hi Hynek,

Thanks for your response, it did take us a step forward, but I still struggle with this a bit. I defined the Template Importer Mapper as you suggested, but I can only make the login work if the user in KeyCloak is pre-linked to the IdP, with "Provider User ID" that has the value of the SAML_SUBJECT and "Provider username" has the value of the email address. What I really want is to avoid configuration of KeyCloak with the IdP SAML_SUBJECT at all and just use the email attribute for everything. Is this possible?

Thanks,
Moshe.
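Added example for the brokering exchange Hynek and Moshe discuss above (not code from the list or from Keycloak): it parses a constructed SAML assertion in which the subject NameID is an opaque IdP username and the e-mail only arrives as an attribute, then renders a username template in the ${ATTRIBUTE.attribute-name} form from Hynek's reply. The assertion, the attribute names and the second substitution ${NAMEID} are assumptions made here for the demo; the model in which the link key stays the NameID while the template only decides the username is also an assumption, chosen because it reproduces what Moshe reports seeing. Signature verification of the assertion is assumed to have happened before any of this runs.

```python
"""Render a brokered username from SAML attributes the way a template
mapper would (added example; not Keycloak's own code)."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the IdP identifies the user by "jdoe42" but the
# e-mail Moshe wants as the Keycloak identifier is only an attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2017-01-10T12:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe42</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>r-and-d</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) from an assertion that
    has already been signature-verified by the SAML layer."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", namespaces=NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


_TEMPLATE_VAR = re.compile(r"\$\{([A-Za-z0-9_.\-]+)\}")


def render_username(template, name_id, attrs):
    """Substitute ${NAMEID} and ${ATTRIBUTE.<name>} in the template. An
    attribute used as the username must be present exactly once: a missing
    value would yield an empty username and a multi-valued one would make
    the choice of account ambiguous, so both are rejected."""
    def substitute(match):
        key = match.group(1)
        if key == "NAMEID":
            return name_id or ""
        if key.startswith("ATTRIBUTE."):
            values = attrs.get(key[len("ATTRIBUTE."):], [])
            if len(values) != 1:
                raise ValueError("%s must have exactly one value, got %d" % (key, len(values)))
            return values[0]
        raise ValueError("unsupported template variable %s" % key)
    return _TEMPLATE_VAR.sub(substitute, template)


def brokered_identity(template, xml_text):
    """Return (provider user id, provider username): the link key stays the
    subject NameID (assumption modelled on Moshe's observation), while the
    template decides only the username the Keycloak account gets."""
    name_id, attrs = parse_assertion(xml_text)
    return name_id, render_username(template, name_id, attrs)


if __name__ == "__main__":
    print(brokered_identity("${ATTRIBUTE.email}", SAMPLE_ASSERTION))
```

Because the rendered value becomes the username, the brokered IdP effectively chooses which Keycloak account a login lands on; rejecting missing and multi-valued attributes is the minimum check before that value is used to match an existing user.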
Moshe Ben-Shoham
R&D Director, System Architecture
Phone: +972-3-9260-137
Mobile: +972 54 4324480
Email: mosheb at perfectomobile.com

From: Hynek Mlnarik
Date: Tuesday, 10 January 2017 at 14:11
To: Moshe Ben-Shoham
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Using email attribute in SAML identity brokering

Use the Username Template Importer mapper, configured in the identity provider mappers with template ${ATTRIBUTE.attribute-name} (adjust the attribute-name appropriately).

--Hynek

On Tue, Jan 10, 2017 at 11:21 AM, Moshe Ben-Shoham wrote:

Hi,

We have a few clients integrated with Keycloak realm, using email address as the user identifier.

Now we wish to integrate KeyCloak with external IdP using its identity brokering capabilities based on SAML. The problem is, the user identifier in the external IdP is not the email address but some other username. We are able to get the email as an attribute in the SAML assertion coming into KeyCloak, but the missing part is mapping the email attribute to the user identifier in KeyCloak - how do we do that?

Thanks!
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From sblanc at redhat.com Wed Jan 11 03:12:28 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 11 Jan 2017 09:12:28 +0100
Subject: [keycloak-user] Service Account enable by default for clients, how?
In-Reply-To:
References:
Message-ID:

Yes I was talking about the registration_endpoint, I just did the test with something like:

curl -X PUT \
  -d '{ "clientId": "testclient", "serviceAccountsEnabled": true }' \
  -H "Content-Type:application/json" \
  -H "Authorization: bearer my_registration_access_token" \
  http://localhost:8080/auth/realms/myrealm/clients-registrations/default/testclient

My Service Accounts for this client is then enabled but Keycloak fails to return a response for this PUT request. So I'm not able to get the new registration access token.

Could you try this request and if it fails for you as well I will open a ticket?

Seb

On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms wrote:
> Hello Sebastien
>
> Are you talking about the Admin REST endpoint or the registration_endpoint defined at /auth/realms/[realmname]/.well-known/openid-configuration?
>
> I am trying to submit a registration request via registration_endpoint and submit a field enabling the service account.
> According to the openid connect dynamic client registration documentation at openid.net, the request payload is non-normative, I am just not able to enable service account that way.
>
> On 10.01.2017 at 10:32 AM, "Sebastien Blanc" wrote:
>> I haven't tried it but when registering the client, in the payload, the ClientRepresentation, there is a serviceAccountsEnabled field, so maybe "service-accounts-enabled : true" will do the trick?
>>
>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms wrote:
>>> Is it possible via a setting to automatically enable clients registered dynamically via the well-known registration endpoint and registration access token? My current approach is to iterate over all clients post-creation and set serviceaccountsEnabled to true. I need a more prompt and real-time way
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From eduard.matuszak at worldline.com Wed Jan 11 04:07:22 2017
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Wed, 11 Jan 2017 09:07:22 +0000
Subject: [keycloak-user] Hot deployment of service providers in Keycloak 2.5.0 final
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723E8B98E@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

I am trying to understand and implement the new concept of deploying service providers, but I fail at several points. What is meant by the "Keycloak deploy/ directory" mentioned in the documentation? When trying the user-storage-simple example it was possible to hot deploy the jar-file in wildfly's standalone/deployment-dir, but the event-listener-sysout sample fails by class-loading problem ("java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/providers/events/SysoutEventListenerProviderFactory"). So perhaps not all SPI's do provide the new deployment concept?
There is also a mismatch, I think, between the deploy-description in the Readme.md of the event-listener-sysout example (describing the "old" way to deploy) and the documentation in https://keycloak.gitbooks.io/server-developer-guide/content/topics/providers.html#providers (recommending Keycloak deployer utilizing the enigmatic "Keycloak deploy/ directory"). I was working on Keycloak 2.5.0 Final.

Thanks in advance for some clarifications.

Eduard Matuszak

From Chris.Brandhorst at topicus.nl Wed Jan 11 04:21:34 2017
From: Chris.Brandhorst at topicus.nl (Chris Brandhorst)
Date: Wed, 11 Jan 2017 09:21:34 +0000
Subject: [keycloak-user] StaleCodeMessage on IDP Initiated SAML SSO
In-Reply-To: <0E95A449-0E71-4194-9656-21A8281597B8@topicus.nl>
References: <0E95A449-0E71-4194-9656-21A8281597B8@topicus.nl>
Message-ID:

Don't know if you get notifications on closed issues (I posted one in the JIRA issue), so I'll also mention it here: Thanks for the work, sadly on version 2.5.0-Final we still get the StaleCodeMessage. Is a change in the setup required?

On 18 Oct 2016, at 09:09, Chris Brandhorst wrote:

Done, see: https://issues.jboss.org/browse/KEYCLOAK-3731

On 17 Oct 2016, at 17:58, Stian Thorgersen wrote:

Looks like it might be a bug. Can you create a JIRA please?

On 7 October 2016 at 22:43, Chris Brandhorst wrote:

I have two Keycloak instances, A is an IdP for B. From the login screen of B, this works as it should. However, I can't get IDP Initiated SSO from A to B to work. I filled the "IDP Initiated SSO URL Name" field with a name (say "bbbbb") in A. When I try to navigate to:

http://aaaaa/auth/realms/his/protocol/saml/clients/bbbbb

i always end up with the following logging:

22:42:02,993 DEBUG [org.keycloak.services] (default task-23) Authorization code is not valid. Code: null
22:42:02,994 WARN  [org.keycloak.events] (default task-23) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=staleCodeMessage
22:42:02,994 ERROR [org.keycloak.services] (default task-23) staleCodeMessage

Which in itself is not surprising, because indeed, there is no Authorization code in play here, but that's the whole idea of IDP Initiated SSO, no? What must I do to get this to work?

Thanks,
Chris Brandhorst

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From Chris.Brandhorst at topicus.nl Wed Jan 11 04:59:27 2017
From: Chris.Brandhorst at topicus.nl (Chris Brandhorst)
Date: Wed, 11 Jan 2017 09:59:27 +0000
Subject: [keycloak-user] StaleCodeMessage on IDP Initiated SAML SSO
In-Reply-To: References: <0E95A449-0E71-4194-9656-21A8281597B8@topicus.nl>
Message-ID: <47B5CBCD-EE09-48EB-A06E-B00054BD76C2@topicus.nl>

Excuse us, we just found the updated documentation @ https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/saml/idp-initiated-login.html

All works now, great!

On 11 Jan 2017, at 10:21, Chris Brandhorst wrote:

Don't know if you get notifications on closed issues (I posted one in the JIRA issue), so I'll also mention it here: Thanks for the work, sadly on version 2.5.0-Final we still get the StaleCodeMessage. Is a change in the setup required?

On 18 Oct 2016, at 09:09, Chris Brandhorst wrote:

Done, see: https://issues.jboss.org/browse/KEYCLOAK-3731

On 17 Oct 2016, at 17:58, Stian Thorgersen wrote:

Looks like it might be a bug. Can you create a JIRA please?

On 7 October 2016 at 22:43, Chris Brandhorst wrote:

I have two Keycloak instances, A is an IdP for B. From the login screen of B, this works as it should. However, I can't get IDP Initiated SSO from A to B to work. I filled the "IDP Initiated SSO URL Name" field with a name (say "bbbbb") in A. When I try to navigate to:

http://aaaaa/auth/realms/his/protocol/saml/clients/bbbbb

i always end up with the following logging:

22:42:02,993 DEBUG [org.keycloak.services] (default task-23) Authorization code is not valid. Code: null
22:42:02,994 WARN  [org.keycloak.events] (default task-23) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=staleCodeMessage
22:42:02,994 ERROR [org.keycloak.services] (default task-23) staleCodeMessage

Which in itself is not surprising, because indeed, there is no Authorization code in play here, but that's the whole idea of IDP Initiated SSO, no? What must I do to get this to work?

Thanks,
Chris Brandhorst

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Jan 11 05:23:16 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 11 Jan 2017 11:23:16 +0100
Subject: [keycloak-user] Keycloak data stores - Config, User, Realm, Session ...
In-Reply-To: References: Message-ID:

On 10 January 2017 at 07:31, Santosh Haranath wrote:
> We are evaluating to use Keycloak for a multi-tenant access management solution deployed across 2 regions. Red Hat OpenShift Container Platform version 3.3 is the deployment platform.
>
> We have some data model constraints which requires us to use LDAP store.
>
> - What is Keycloak's configuration store? How is configuration synchronized? Where is SAML meta data, OAuth Client credentials etc. stored?

Relational DB or Mongo

> - I have read concerns about Mongo DB data store due to transaction requirements and possible removal of support from V3. Which SPI requires transactions? When is Version 3 due ?
Anything that updates more than one document could result in inconsistencies in Mongo and our current Mongo implementation is broken into quite a few documents/collections

3 is a couple of months away

> - Can we split data store responsibilities as below?
>
> SPI -> Data Store Provider
> /subsystem=keycloak-server/spi=realm -> Mongo
> /subsystem=keycloak-server/spi=user -> LDAP
> /subsystem=keycloak-server/spi=userSessionPersister -> Infinispan
> /subsystem=keycloak-server/spi=authorizationPersister -> Infinispan
> /subsystem=keycloak-server/spi=userFederatedStorage -> LDAP
> /subsystem=keycloak-server/spi=eventsStore -> Mongo

Not quite yet as we still require users synced to KC database, but https://issues.jboss.org/browse/KEYCLOAK-3964 will allow having users purely in LDAP

> Thanks.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Jan 11 05:23:49 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 11 Jan 2017 11:23:49 +0100
Subject: [keycloak-user] Getting the client-IP behind a reverse proxy with HTTPS
In-Reply-To: References: Message-ID:

https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html

On 10 January 2017 at 12:09, Olivier Bruylandt wrote:
> Dear,
>
> I get an issue to get the wanted behavior when retrieving the client public IP.
> This is the situation :
> (all IP's have been anonymized)
>
> - infrastructure level:
>
>   ----------- Reverse Proxy NGINX ----------------------------------- KeyCloak
>
>   RP is listening on ports 80 & 443 (80 is redirected to 443)
>   There is a public certificate signed by some external CA
>   Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
>   Keycloak is set as standalone server on a Wildfly last version
>
> - Nginx config:
>
>   server {
>       listen 443;
>       server_name ************;
>       fastcgi_param HTTPS on;
>       location / {
>           add_header X-Cache-Status $upstream_cache_status;
>           add_header X-Real-IP $remote_addr;
>           add_header X-Forwarded-For $remote_addr;
>           add_header X-Forwarded-Proto $scheme;
>           more_set_headers 'Server: ******';
>           more_clear_headers 'X-Powered-By';
>           charset UTF-8;
>           proxy_cache ******_cache;
>           proxy_pass https://1.1.1.1:8443/;
>       }
>       ssl on;
>       ssl_certificate /etc/ssl/private/**********.crt;
>       ssl_certificate_key /etc/ssl/private/*************.key;
>       ssl_prefer_server_ciphers on;
>       ssl_dhparam /etc/ssl/***********.pem;
>       ssl_protocols TLSv1.1 TLSv1.2;
>       ssl_stapling on;
>       ssl_session_cache builtin:1000 shared:SSL:10m;
>       add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
>       add_header X-Frame-Options "DENY";
>       ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
>   }
>
> - Keycloak config [the XML element names were lost in the archive; only these attributes survive]:
>
>   name="default" proxy-address-forwarding="true" socket-binding="http"/>
>   socket-binding="https"/>
>   path="${jboss.home.dir}/welcome-content"/>
>
> The situation is that everything is working fine and smooth EXCEPT ... the fact that under sessions (and moreover for all user activities), the user IP I see is the one of the reverse proxy !!
> As I put in red in the KC config, this is what should do the trick to use the X-Forwarded-For header value to set the client's IP.
>
> 15:07:55,104 WARN [org.keycloak.events] (default task-19) type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null, ipAddress=2.2.2.2, (...)
>
> When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates the SSL connection and the one to KC server is made in HTTP), I got obviously a whole bunch of warnings and errors due to HTTP -> HTTPS transport and also a HTTP connection towards the external social identity providers like Google, FB, etc. ... BUT I got at least the real IP as you might see hereunder :
>
> 15:09:24,068 WARN [org.keycloak.events] (default task-29) type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null, ipAddress=191.21.133.234, (...)
>
> So the situation is that I will only get the "real" IP of the client only if it passes through the HTTP listener of KC (that has the parameter "proxy-address-forwarding") which is not what I want as I want to reach the HTTPS listener.
> I obviously also tried to add the same parameter (proxy-address-forwarding = "true") in the HTTPS listener configuration but then, standalone.sh shows an error and refuses to start :
>
> 14:24:30,621 INFO  [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
> 14:24:30,821 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> 14:24:30,888 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final) starting
> 14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
>     at org.jboss.as.server.ServerService.boot(ServerService.java:356)
>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[380,17]
> Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding' encountered.
> Valid attributes are: 'socket-binding, worker, buffer-pool, enabled, resolve-peer-address, security-realm, verify-client, enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy, ssl-session-cache-size, ssl-session-timeout, max-header-size, max-post-size, buffer-pipelined-data, max-parameters, max-headers, max-cookies, allow-encoded-slash, decode-url, url-charset, always-set-keep-alive, max-buffered-request-size, record-request-start-time, allow-equals-in-cookie-value, no-request-timeout, request-parse-timeout, disallowed-methods, tcp-backlog, receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout, max-connections, secure'
>     at org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)
>
> requirements :
>
> - Entire solution has to run with SSL (HTTPS) from end to end
>
> Did someone already faced that situation or does have any clue about this ?
> Thank you for reading this post.
>
> Regards,
>
> /Olivier
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From scott.finlay at sixt.com Wed Jan 11 05:48:14 2017
From: scott.finlay at sixt.com (Scott Finlay)
Date: Wed, 11 Jan 2017 10:48:14 +0000
Subject: [keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached
Message-ID:

Hi,

We have an application which creates users in Keycloak using offline tokens. But we're having an issue where Keycloak returns a 401 (unauthorized) when we would try to make requests to it using an access token generated using our offline token.
After some investigation we found that there exists a setting in Keycloak called "SSO Session Max" which seems to be an expiration time of the session itself, and after that amount of time, even if the access or refresh tokens are still valid, the session is killed. We found that the amount of time between when we last deployed and the first occurrence of the unauthorized error was 10 hours (the same as the SSO Session Max), and we tested locally with a short max time and were able to reproduce the problem.

Then we found that when we use the offline token, our code thinks that the refresh token expiration time is 0 (which is to be expected since it's an offline token), and when the session lifetime is reached, it continues to use its "unlimited" refresh token to try to generate new access tokens, and it seems that Keycloak still issues new access tokens using that refresh token even though the session doesn't exist, and these tokens don't work. Since Keycloak continues to issue tokens and since it doesn't tell us anything about the session max time, the code has no idea that the tokens are actually not valid.

We can see this happening in the Keycloak admin panel as well; when SSO Session Max is reached the session disappears, but the offline session is still there and the "last refresh" time still updates. Inside the token itself we can see that it's still connected to a client session, but we can see no sessions anymore.
After looking into the logs of Keycloak we found this error:

16:39:57,664 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-63) RESTEASY002005: Failed executing POST /admin/realms/Myrealm/users: org.jboss.resteasy.spi.UnauthorizedException: Bearer
    at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:178)
    at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:209)
    at sun.reflect.GeneratedMethodAccessor511.invoke(Unknown Source)

Tracing that through the code of Keycloak we found this which seems to indicate that there must be a valid session associated with tokens:

Starting here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L178
Then to here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AppAuthManager.java#L58
And finally here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java#L731

Is this expected behavior? Are we misunderstanding something or in some way misusing offline tokens?

Regards,
Scott

From lists at merit.unu.edu Wed Jan 11 06:21:09 2017
From: lists at merit.unu.edu (mj)
Date: Wed, 11 Jan 2017 12:21:09 +0100
Subject: [keycloak-user] active directory | end user password change
In-Reply-To: <52960ef6-eec2-50ec-f0b8-5144c0cf006e@redhat.com>
References: <52960ef6-eec2-50ec-f0b8-5144c0cf006e@redhat.com>
Message-ID: <8486fa57-40a6-9d0d-cfa7-2cf7050318a6@merit.unu.edu>

Ok, after testing some more, it seems things DO work.

Unexpectedly for us, for password changes for END-USERS to work, the keycloak AD service account needs "Domain Admins" permissions.

We expected the end-user password change to be done logged on *as* the end-user himself, with a delete and an add operation. No need for Domain Admin access level.
This is what microsoft says on that subject:

> There are two possible ways to modify the unicodePwd attribute. The
> first is similar to a normal "user change password" operation. In
> this case, the modify request must contain both a delete and an add
> operation. The delete operation must contain the current password
> with quotes around it. The add operation must contain the desired new
> password with quotes around it.
>
> The second way to modify this attribute is analogous to an
> administrator resetting a password for a user. In order to do this,
> the client must bind as a user with sufficient permissions to modify
> another user's password. This modify request should contain a single
> replace operation with the new desired password surrounded by quotes.
> If the client has sufficient permissions, this password become the
> new password, regardless of what the old password was.

Anyway: the password change works for us (on samba AD) too.

Thanks.

Best regards,
MJ

From sven.thoms at gmail.com Wed Jan 11 06:42:29 2017
From: sven.thoms at gmail.com (Sven Thoms)
Date: Wed, 11 Jan 2017 12:42:29 +0100
Subject: [keycloak-user] Service Account enable by default for clients, how?
In-Reply-To: References: Message-ID:

Hello Sebastien

Your PUT to the client registration endpoint made clear to me why I was not able to set service accounts to enabled in the oidc endpoint request at https://host/auth/realms/myrealm/clients-registrations/openid-connect

As I see it, it has to do with provider type oidc vs. default with different objects behind it:

https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/oidc/OIDCClientRepresentation.java

vs.
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java

After I POST to https://host/auth/realms/myrealm/clients-registrations/openid-connect a simple

{ "client_name": "aclient", "redirect_uris" : ["https://clienturl/callback"] }

and then use the registration access token returned to update / PUT the client (under clients-registrations/default/...

I get a 500 server error, but the service account is enabled correctly for that client.

Here is my verbose CURL output

curl -v -X PUT \
  -d '{ "clientId": "dynamic_client_id_returned_from_oidc", "serviceAccountsEnabled": true }' \
  -H "Content-Type:application/json" \
  -H "Authorization: bearer registration_access_token_from_oidc" \
  https://host/auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: xxx
* Server certificate: xxx
> PUT /auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc HTTP/1.1
> Host: localhost
> User-Agent: curl/7.43.0
> Accept: */*
> Content-Type:application/json
> Authorization: bearer registration_access_token_from_oidc
> Content-Length: 86
>
* upload completely sent off: 86 out of 86 bytes
< HTTP/1.1 500 Internal Server Error
< Connection: keep-alive
< X-Powered-By: Undertow/1
< Server: WildFly/10
< Content-Type: text/html
< Content-Length: 155
< Date: Wed, 11 Jan 2017 11:24:02 GMT
<
* Connection #0 to host localhost left intact
Could not find MessageBodyWriter for response object of type: org.keycloak.representations.idm.ClientRepresentation of media type: application/octet-stream

On 11.01.2017 at 9:12 AM, "Sebastien Blanc" wrote:
> Yes I was talking about the registration_endpoint, I just did the test with something like:
>
> curl -X PUT \
>   -d '{ "clientId": "testclient", "serviceAccountsEnabled": true }' \
>   -H "Content-Type:application/json" \
>   -H "Authorization: bearer my_registration_access_token" \
>   http://localhost:8080/auth/realms/myrealm/clients-registrations/default/testclient
>
> My Service Accounts for this client is then enabled but Keycloak fails to return a response for this PUT request. So I'm not able to get the new registration access token.
>
> Could you try this request and if it fails for you as well I will open a ticket?
>
> Seb
>
> On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms wrote:
>> Hello Sebastien
>>
>> Are you talking about the Admin REST endpoint or the registration_endpoint defined at
>> /auth/realms/[realmname]/.well-known/openid-configuration?
>>
>> I am trying to submit a registration request via registration_endpoint and submit a field enabling the service account.
>> According to the openid connect dynamic client registration documentation at openid.net, the request payload is non-normative, I am just not able to enable service account that way.
>>
>> On 10.01.2017 at 10:32 AM, "Sebastien Blanc" wrote:
>>> I haven't tried it but when registering the client, in the payload, the ClientRepresentation, there is a serviceAccountsEnabled field, so maybe "service-accounts-enabled : true" will do the trick?
>>>
>>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms wrote:
>>>> Is it possible via a setting to automatically enable clients registered dynamically via the well-known registration endpoint and registration access token? My current approach is to iterate over all clients post-creation and set serviceaccountsEnabled to true. I need a more prompt and real-time way
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Wed Jan 11 06:48:22 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 11 Jan 2017 12:48:22 +0100
Subject: [keycloak-user] Service Account enable by default for clients, how?
In-Reply-To: References: Message-ID:

Thanks ! So we have a bug on the PUT endpoint for the response, let me open a ticket for that.

On Wed, Jan 11, 2017 at 12:42 PM, Sven Thoms wrote:
> Hello Sebastien
>
> Your PUT to the client registration endpoint made clear to me why I was not able to set service accounts to enabled in the oidc endpoint request at
>
> https://host/auth/realms/myrealm/clients-registrations/openid-connect
>
> As I see it, it has to do with provider type
>
> oidc vs.
> default
>
> with different objects behind it
>
> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/oidc/OIDCClientRepresentation.java
>
> vs.
>
> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java
>
> After I POST to https://host/auth/realms/myrealm/clients-registrations/openid-connect a simple
>
> { "client_name": "aclient", "redirect_uris" : ["https://clienturl/callback"] }
>
> and then use the registration access token returned to update / PUT the client (under clients-registrations/default/...
>
> I get a 500 server error, but the service account is enabled correctly for that client.
>
> Here is my verbose CURL output
>
> curl -v -X PUT \
>   -d '{ "clientId": "dynamic_client_id_returned_from_oidc", "serviceAccountsEnabled": true }' \
>   -H "Content-Type:application/json" \
>   -H "Authorization: bearer registration_access_token_from_oidc" \
>   https://host/auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 443 (#0) > * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > * Server certificate: xxx > * Server certificate: xxx > > PUT /auth/realms/myrealm/clients-registrations/default/dynamic_client_id_returned_from_oidc > HTTP/1.1 > > Host: localhost > > User-Agent: curl/7.43.0 > > Accept: */* > > Content-Type:application/json > > Authorization: bearer registration_access_token_from_oidc > > Content-Length: 86 > > > * upload completely sent off: 86 out of 86 bytes > < HTTP/1.1 500 Internal Server Error > < Connection: keep-alive > < X-Powered-By: Undertow/1 > < Server: WildFly/10 > < Content-Type: text/html > < Content-Length: 155 > < Date: Wed, 11 Jan 2017 11:24:02 GMT > < > * Connection #0 to host localhost left intact > Could not find MessageBodyWriter for response object of type: > > org.keycloak.representations.idm.ClientRepresentation of media type: > application/octet-stream > > Am 11.01.2017 9:12 vorm. schrieb "Sebastien Blanc" : > >> Yes I was talking about the registration_endpoint , I just did the test >> with something like : >> >> curl -X PUT \ >> -d '{ "clientId": "testclient", "serviceAccountsEnabled": true }' \ >> -H "Content-Type:application/json" \ >> -H "Authorization: bearer my_registration_access_token" \ >> http://localhost:8080/auth/realms/myrealm/clients-registrati >> ons/default/testclient >> >> My Service Accounts for this client is then enabled but Keycloak fails to >> returns a response for this PUT request. So I'm not able to get the new >> registration access token. >> >> Could you try this request and if it fails for you as well I will open a >> ticket ? >> >> Seb >> >> >> >> On Wed, Jan 11, 2017 at 8:16 AM, Sven Thoms wrote: >> >>> Hello Sebastien >>> >>> Are you talking about the Admin REST endpoint or the >>> registration_endpoint defined at >>> /auth/reales/[realmname]/.well-known/openid-configuration? 
>>> >>> I am trying to submit a registration request via registration_endpoint >>> and submit a field enabling the service account. >>> >>> According to the openid connect dynamic client registration >>> documentation at openid.net, the request payload is non-normative, I >>> am just not able to enable service account that way. >>> >>> Am 10.01.2017 10:32 vorm. schrieb "Sebastien Blanc" : >>> >>>> I haven't tried it but when registering the client, in the payload, the >>>> ClientRepresentation, there is a serviceAccountsEnabled field , so maybe >>>> "service-accounts-enabled : true will do the trick ? >>>> >>>> On Tue, Jan 10, 2017 at 10:17 AM, Sven Thoms >>>> wrote: >>>> >>>>> Is it possible via a setting to automatically enable clients registered >>>>> dynamically via the well-known registration endpoint and registration >>>>> access token? My current approach is to iterate over all clients post >>>>> - >>>>> creation and set serviceaccountsEnabled to true. I need a more prompt >>>>> and >>>>> real-time way >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >> From sven.thoms at gmail.com Wed Jan 11 07:18:53 2017 From: sven.thoms at gmail.com (Sven Thoms) Date: Wed, 11 Jan 2017 13:18:53 +0100 Subject: [keycloak-user] Service Account enable by default for clients, how? In-Reply-To: References: Message-ID: Yes, it appears so. Let me know the Bug URL on github, please. Glad I could help and learn about Keycloak internals at the same time. Am 11.01.2017 12:48 nachm. schrieb "Sebastien Blanc" : > Thanks ! So we have a bug on the PUT endpoint for the response , let me > open a ticket for that. 
From sblanc at redhat.com Wed Jan 11 07:27:47 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 11 Jan 2017 13:27:47 +0100
Subject: [keycloak-user] Service Account enable by default for clients, how?
In-Reply-To:
References:
Message-ID:

It's not on GH but jira: https://issues.jboss.org/browse/KEYCLOAK-4192

On Wed, Jan 11, 2017 at 1:18 PM, Sven Thoms wrote:

> Yes, it appears so. Let me know the Bug URL on github, please. Glad I could help and learn about Keycloak internals at the same time.

From sthorger at redhat.com Wed Jan 11 08:03:08 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 11 Jan 2017 14:03:08 +0100
Subject: [keycloak-user] Service Account enable by default for clients, how?
In-Reply-To:
References:
Message-ID:

Adding "Accept: application/json" should work around that issue.

On 11 January 2017 at 13:27, Sebastien Blanc wrote:

> It's not on GH but jira: https://issues.jboss.org/browse/KEYCLOAK-4192
From sblanc at redhat.com Wed Jan 11 08:10:39 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 11 Jan 2017 14:10:39 +0100
Subject: [keycloak-user] Service Account enable by default for clients, how?
In-Reply-To:
References:
Message-ID:

Indeed! The workaround works.

On Wed, Jan 11, 2017 at 2:03 PM, Stian Thorgersen wrote:

> Adding "Accept: application/json" should work around that issue.
>
> On 11 January 2017 at 13:27, Sebastien Blanc wrote:
>
>> It's not on GH but jira: https://issues.jboss.org/browse/KEYCLOAK-4192
From fabian.eriksson at gi-de.com Wed Jan 11 08:28:43 2017
From: fabian.eriksson at gi-de.com (Eriksson Fabian)
Date: Wed, 11 Jan 2017 13:28:43 +0000
Subject: [keycloak-user] Brute force detector extension
In-Reply-To:
References:
Message-ID: <671c4b1db66e4eb8a1a98441e7a13cf9@muc1exmbxp1p.accounts.intern>

Do you want me to create a new feature request through the dev mailing list or could I immediately create a Jira ticket?

Best regards
Fabian Eriksson

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 2 January 2017 09:15
To: Eriksson Fabian
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Brute force detector extension

You can implement a custom provider for the brute force protection that would do what you want. It wouldn't be configurable through the admin console though. I don't see why we couldn't add it as an option to the built-in provider though, so if you are happy to send a PR for it including tests we could accept it into 3.x.

On 21 December 2016 at 11:24, Eriksson Fabian wrote:

Hi all!

We would like to have the ability to configure the brute force detector so it can disable a user account after X failed attempts completely and not only lock him/her out for a period of time (setting the lockout-time to a few years is not enough). In the end we would like the admins of KeyCloak to be able to set a timed lockout-period or set a permanent one for different realms.
I guess this would also require the detector to reset the failed-login-attempts count on a successful login. Does this sound interesting and could this then be something that we could contribute with to KeyCloak? Or is there a way to substitute the already existing brute force detector? Thanks in advance! Fabian Eriksson _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From tobias.waller at capgemini.com Wed Jan 11 08:31:30 2017 From: tobias.waller at capgemini.com (Waller, Tobias) Date: Wed, 11 Jan 2017 13:31:30 +0000 Subject: [keycloak-user] different properties for internal and external tokens Message-ID: Hi. We are currently looking into creating a microservice based application and using Keycloak as identity provider. The application will consist of several services which will communicate in a stateless fashion. Tokens will be passed along the call chain (several hops) and evaluated by each service in order to restrict access (bearer-only services). In some cases calls are queued together with the token. So the processes are processed asynchronously and can take quite some time. But they are guaranteed to be processed within a determinable period of time (e.g. 7 days). Processes are triggered in three different ways: 1. by internal (batch) processes (via client credentials grant) 2. by external legacy applications (via resource owner password credentials grant) 3. by external users via web interface (via implicit grant) Tokens issued for use case 1 and 2 are held strictly within our datacenter (internal token). Therefore we see no harm in issuing tokens with a sufficient lifespan (e.g. 7days). Tokens issued for use case 3 on the other hand are passed to the browser of the user (external token). In order to avoid potential security breaches and information leakage we want these tokens to fulfill the following properties: a. 
have a shorter lifespan b. do not contain information not needed by the client. Especially, the token should not contain any roles specific to internal backend-services, which could be used to infer information about application architecture. Our first idea was to allow the user to trigger long running processes was to validate the external token in the api-gateway and exchange the external for an internal token. That is using the external token as authorization grant as described by section 2.1 of RFC7523. While Keycloak supports client authentication via jwt which is also described within the same rfc, this does not seem to be supported right now. Are there any plans to support the grant_type "urn:ietf:params:oauth:grant-type:jwt-bearer" in the future? How can we implement different properties for internal and external tokens without losing the identity of the user initiating a process or using distributed or sticky sessions with means currently available. Thank you Tobias ________________________________ Firma: Capgemini Deutschland GmbH Aufsichtsratsvorsitzender: Antonio Schnieder ? Gesch?ftsf?hrer: Dr. Michael Schulte (Sprecher) ? Jost F?rster ? Dr. Peter Lempp ? Dr. Volkmar Varnhagen Amtsgericht Berlin-Charlottenburg, HRB 98814 This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. 
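As an added example (not part of Tobias's message and not Keycloak code), a small Python audit of the two properties listed above for a browser-bound token: a bounded lifespan and no roles that belong to internal backend clients. The internal client ids, the sample token and all function names are constructed for the example; `realm_access`/`resource_access` are the claim names Keycloak uses for realm and client roles.

```python
"""Audit the claims of an access token handed to a browser ("external" token)
for (a) a bounded lifespan and (b) absence of roles belonging to internal
backend clients.  Added example; INTERNAL_CLIENTS and the sample token below
are constructed, not taken from any real deployment."""
import base64
import json

# Constructed: client ids of bearer-only backend services whose roles must
# never appear in a token that leaves the datacenter.
INTERNAL_CLIENTS = {"order-service", "billing-service"}
# Constructed policy: an external token may live at most five minutes.
MAX_EXTERNAL_LIFESPAN_SECONDS = 5 * 60


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the payload claims of a compact JWS as a dict.

    Signature verification is deliberately not done here: run this only on
    tokens the gateway has already validated against the realm's public key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_external_token(claims: dict,
                         internal_clients=INTERNAL_CLIENTS,
                         max_lifespan=MAX_EXTERNAL_LIFESPAN_SECONDS) -> list:
    """Return a list of findings; an empty list means both properties hold."""
    findings = []
    # Property (a): lifespan is exp - iat, both standard claims Keycloak sets.
    lifespan = claims.get("exp", 0) - claims.get("iat", 0)
    if lifespan > max_lifespan:
        findings.append(f"lifespan {lifespan}s exceeds {max_lifespan}s")
    # Property (b): Keycloak places client roles under resource_access.<clientId>.roles;
    # any internal client id present there leaks backend architecture to the browser.
    leaked = sorted(set(claims.get("resource_access", {})) & set(internal_clients))
    for client in leaked:
        roles = claims["resource_access"][client].get("roles", [])
        findings.append(f"contains roles of internal client {client}: {roles}")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build header.payload.<placeholder signature> for the constructed sample.

    Real Keycloak tokens are RS256-signed; the placeholder only lets the
    sample pass through decode_payload() offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.not-a-real-signature"


# Constructed sample: an implicit-grant token that violates both properties.
SAMPLE_BAD_CLAIMS = {
    "iat": 1484140000,
    "exp": 1484140000 + 7 * 24 * 3600,   # 7-day lifespan: fine internally, not in a browser
    "azp": "web-ui",
    "realm_access": {"roles": ["user"]},
    "resource_access": {
        "web-ui": {"roles": ["customer"]},
        "billing-service": {"roles": ["refund-approver"]},
    },
}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_BAD_CLAIMS)
    for finding in audit_external_token(decode_payload(token)):
        print("FINDING:", finding)
```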
From adam.michalski at aol.com Wed Jan 11 09:10:40 2017
From: adam.michalski at aol.com (adam.michalski at aol.com)
Date: Wed, 11 Jan 2017 09:10:40 -0500
Subject: [keycloak-user] How to programmatically get groups/users/users in groups with roles from client using keycloak.admin.client.Keycloak,
In-Reply-To:
Message-ID: <1598dddce1f-7030-570d@webprd-a54.mail.aol.com>

I can't get user groups like in the samples.

Sample code from the examples for receiving the groups a user is a member of:

    List<GroupRepresentation> membership = realm.users().get(user.getId()).groups();

My approach:

1. I create a Keycloak object for the admin-cli client in the myrealm realm:

    this.keycloak = KeycloakBuilder.builder()
            .serverUrl("http://localhost:18080/auth")
            .realm("myrealm")
            .username("admin")
            .password("admin")
            .clientId("admin-cli")
            .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
            .build();

2. When I try to get the user:

    // this line works
    final UserResource userr = this.keycloak.realms().realm(this.REALM).users().get(user.getId());
    // these two don't; in both cases the result is javax.ws.rs.NotFoundException: HTTP 404 Not Found
    final UserRepresentation ur = userr.toRepresentation();
    final List<GroupRepresentation> groups = this.getRealm().users().get(user.getId()).groups();

In Keycloak, from admin-cli, I created realm "myrealm" with 2 users and 2 groups. Every user is a member of both groups. What am I missing?

Using:

    import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;
    import org.keycloak.admin.client.resource.RealmResource;
    import org.keycloak.admin.client.resource.UserResource;
    import org.keycloak.admin.client.resource.UsersResource;
    import org.keycloak.representations.idm.GroupRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

-----Original Message-----
From: Marko Strukelj
To: adam.michalski
Cc: keycloak-user
Sent: Tue, Jan 10, 2017 12:33 pm
Subject: Re: [keycloak-user] How to programmatically get groups/users/users in groups with roles from client using keycloak.admin.client.Keycloak,

Take a look at our testsuite. For example:

https://github.com/keycloak/keycloak/blob/2.5.0.Final/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java#L837-L915
https://github.com/keycloak/keycloak/blob/2.5.0.Final/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/group/GroupTest.java#L425-L495

On Tue, Jan 10, 2017 at 11:36 AM, wrote:

How to programmatically get groups/users/users in groups with roles from client using keycloak.admin.client.Keycloak,
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From bruno at abstractj.org Wed Jan 11 13:18:10 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 11 Jan 2017 16:18:10 -0200
Subject: [keycloak-user] Brute force detector extension
In-Reply-To: <671c4b1db66e4eb8a1a98441e7a13cf9@muc1exmbxp1p.accounts.intern>
References: <671c4b1db66e4eb8a1a98441e7a13cf9@muc1exmbxp1p.accounts.intern>
Message-ID: <20170111181810.GC15257@abstractj.org>

I believe the best is to create a Jira as a feature request. And later you can attach your PR to that.
On 2017-01-11, Eriksson Fabian wrote:
> Do you want me to create a new feature request through the dev mailing list, or could I immediately create a Jira ticket?
>
> Best regards
> Fabian Eriksson
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: 2 January 2017 09:15
> To: Eriksson Fabian
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Brute force detector extension
>
> [...]
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From bruno at abstractj.org Wed Jan 11 13:46:41 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 11 Jan 2017 16:46:41 -0200
Subject: [keycloak-user] Getting the client-IP behind a reverse proxy with HTTPS
In-Reply-To:
References:
Message-ID: <20170111184641.GD15257@abstractj.org>

I never tried it with Keycloak, it may or may not work. But you can try to set on nginx 'set_real_ip_from' with 'real_ip_header' [1].

[1] - http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header

On 2017-01-10, Olivier Bruylandt wrote:
> Dear,
>
> I have an issue getting the wanted behavior when retrieving the client's public IP.
> This is the situation:
> (all IPs have been anonymized)
>
> - infrastructure level:
>
>   ----------- Reverse Proxy NGINX ----------------------------------- Keycloak
>
>   RP is listening on ports 80 & 443 (80 is redirected to 443)
>   There is a public certificate signed by some external CA
>   Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
>   Keycloak is set up as a standalone server on the latest WildFly version
>
> - Nginx config:
>
>     server {
>         listen 443;
>         server_name ************;
>         fastcgi_param HTTPS on;
>         location / {
>             add_header X-Cache-Status $upstream_cache_status;
>             add_header X-Real-IP $remote_addr;
>             add_header X-Forwarded-For $remote_addr;
>             add_header X-Forwarded-Proto $scheme;
>             more_set_headers 'Server: ******';
>             more_clear_headers 'X-Powered-By';
>             charset UTF-8;
>             proxy_cache ******_cache;
>             proxy_pass https://1.1.1.1:8443/;
>         }
>
>         ssl on;
>         ssl_certificate /etc/ssl/private/**********.crt;
>         ssl_certificate_key /etc/ssl/private/*************.key;
>         ssl_prefer_server_ciphers on;
>         ssl_dhparam /etc/ssl/***********.pem;
>         ssl_protocols TLSv1.1 TLSv1.2;
>         ssl_stapling on;
>         ssl_session_cache builtin:1000 shared:SSL:10m;
>         add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
>         add_header X-Frame-Options "DENY";
>         ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
>     }
>
> - Keycloak config:
>   [XML element names were lost in the archive; the attributes survive as posted]
>
>     name="default" proxy-address-forwarding="true" socket-binding="http"/>
>     socket-binding="https"/>
>     path="${jboss.home.dir}/welcome-content"/>
>
> The situation is that everything is working fine and smooth EXCEPT ... the fact that under sessions (and moreover for all user activities), the user IP I see is the one of the reverse proxy!!
> As I put in red in the KC config, this is what should do the trick to use the X-Forwarded-For header value to set the client's IP.
>
>     15:07:55,104 WARN [org.keycloak.events] (default task-19) type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null, ipAddress=2.2.2.2, (...)
>
> When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates the SSL connection and the one to the KC server is made in HTTP), I obviously got a whole bunch of warnings and errors due to HTTP -> HTTPS transport and also an HTTP connection towards the external social identity providers like Google, FB, etc. ... BUT I got at least the real IP, as you can see hereunder:
>
>     15:09:24,068 WARN [org.keycloak.events] (default task-29) type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null, ipAddress=191.21.133.234, (...)
>
> So the situation is that I will only get the "real" IP of the client if it passes through the HTTP listener of KC (that has the parameter "proxy-address-forwarding"), which is not what I want as I want to reach the HTTPS listener.
> I obviously also tried to add the same parameter (proxy-address-forwarding="true") in the HTTPS listener configuration, but then standalone.sh shows an error and refuses to start:
>
>     14:24:30,621 INFO  [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
>     14:24:30,821 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
>     14:24:30,888 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final) starting
>     14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>         at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
>         at org.jboss.as.server.ServerService.boot(ServerService.java:356)
>         at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
>         at java.lang.Thread.run(Thread.java:745)
>     Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[380,17]
>     Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding' encountered.
>     Valid attributes are: 'socket-binding, worker, buffer-pool, enabled, resolve-peer-address, security-realm, verify-client, enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy, ssl-session-cache-size, ssl-session-timeout, max-header-size, max-post-size, buffer-pipelined-data, max-parameters, max-headers, max-cookies, allow-encoded-slash, decode-url, url-charset, always-set-keep-alive, max-buffered-request-size, record-request-start-time, allow-equals-in-cookie-value, no-request-timeout, request-parse-timeout, disallowed-methods, tcp-backlog, receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout, max-connections, secure'
>         at org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)
>
> requirements:
>
> - Entire solution has to run with SSL (HTTPS) from end to end
>
> Did someone already face that situation, or does anyone have any clue about this?
> Thank you for reading this post.
>
> Regards,
>
> /Olivier
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From Juan.Cortez at Evisions.com Wed Jan 11 14:21:31 2017
From: Juan.Cortez at Evisions.com (Juan Cortez)
Date: Wed, 11 Jan 2017 19:21:31 +0000
Subject: [keycloak-user] Setting User Group through Java API Not Working
Message-ID:

Hello,

I am trying to create a user through the Java API, but setting the group in my code below is not working. When I go to the Keycloak Admin Console after running this code, I can see that the user was successfully created with the rest of the attributes set, but the group is not set. Am I missing a step in my code? The group in my code below already exists before this code is run.
    Keycloak keycloak = Keycloak.getInstance("http://localhost:8080/auth", "myrealm", "myadmin", "myadminpass", "admin-cli");
    UserRepresentation user = new UserRepresentation();
    user.setUsername("mytestuser");
    user.setFirstName("Test");
    user.setLastName("User");
    user.setEnabled(true);
    user.setGroups(Arrays.asList("mygroup"));

    Response result = keycloak.realm("myrealm").users().create(user);

From mposolda at redhat.com Wed Jan 11 16:36:00 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 11 Jan 2017 22:36:00 +0100
Subject: [keycloak-user] active directory | end user password change
In-Reply-To: <8486fa57-40a6-9d0d-cfa7-2cf7050318a6@merit.unu.edu>
References: <52960ef6-eec2-50ec-f0b8-5144c0cf006e@redhat.com> <8486fa57-40a6-9d0d-cfa7-2cf7050318a6@merit.unu.edu>
Message-ID:

There is a JIRA created on that subject: https://issues.jboss.org/browse/KEYCLOAK-2333 . I hope to look at it for this release, but I'm not sure due to other tasks...

Thanks for the update.

Marek

On 11/01/17 12:21, mj wrote:
> Ok, after testing some more, it seems things DO work.
>
> Unexpectedly for us, for password changes for END-USERS to work, the Keycloak AD service account needs "Domain Admins" permissions.
>
> We expected the end-user password change to be done logged on *as* the end-user himself, with a delete and an add operation. No need for Domain Admin access level.
>
> This is what Microsoft says on that subject:
>
>> There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.
>>
>> The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password becomes the new password, regardless of what the old password was.
>
> Anyway: the password change works for us (on Samba AD) too. Thanks.
>
> Best regards,
> MJ

From mposolda at redhat.com Wed Jan 11 16:42:13 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 11 Jan 2017 22:42:13 +0100
Subject: [keycloak-user] Setting User Group through Java API Not Working
In-Reply-To:
References:
Message-ID: <5addf70f-caad-4c8d-25d0-063841ce96af@redhat.com>

This won't work. There is a separate endpoint for managing groups. See the examples in our testsuite, for example:
https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/group/GroupTest.java#L271

Marek

On 11/01/17 20:21, Juan Cortez wrote:
> Hello,
>
> I am trying to create a user through the Java API, but setting the group in my code below is not working. When I go to the Keycloak Admin Console after running this code, I can see that the user was successfully created with the rest of the attributes set, but the group is not set. Am I missing a step in my code? The group in my code below already exists before this code is run.
>
>     Keycloak keycloak = Keycloak.getInstance("http://localhost:8080/auth", "myrealm", "myadmin", "myadminpass", "admin-cli");
>     UserRepresentation user = new UserRepresentation();
>     user.setUsername("mytestuser");
>     user.setFirstName("Test");
>     user.setLastName("User");
>     user.setEnabled(true);
>     user.setGroups(Arrays.asList("mygroup"));
>
>     Response result = keycloak.realm("myrealm").users().create(user);
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Jan 11 16:56:02 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 11 Jan 2017 22:56:02 +0100
Subject: [keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached
In-Reply-To:
References:
Message-ID:

Even after the "SSO Session Max" is reached and the "normal" session is expired, you should still be able to see the offline session (in the "Offline access" tab in the admin console). And you should also still be able to use the offline token to send the refreshToken request and issue a new accessToken, which can then be used to access REST endpoints. Note that the offline token survives even a server restart.

You can try to look at our demo example and try the "offline-access-app" application from it.

Marek

On 11/01/17 11:48, Scott Finlay wrote:
> Hi,
>
> We have an application which creates users in Keycloak using offline tokens. But we're having an issue where Keycloak returns a 401 (unauthorized) when we try to make requests to it using an access token generated using our offline token. After some investigation we found that there exists a setting in Keycloak called "SSO Session Max" which seems to be an expiration time of the session itself, and after that amount of time, even if the access or refresh tokens are still valid, the session is killed. We found that the amount of time between when we last deployed and the first occurrence of the unauthorized error was 10 hours (the same as the SSO Session Max), and we tested locally with a short max time and were able to reproduce the problem.
>
> Then we found that when we use the offline token, our code thinks that the refresh token expiration time is 0 (which is to be expected since it's an offline token), and when the session lifetime is reached, it continues to use its "unlimited" refresh token to try to generate new access tokens, and it seems that Keycloak still issues new access tokens using that refresh token even though the session doesn't exist, and these tokens don't work. Since Keycloak continues to issue tokens and since it doesn't tell us anything about the session max time, the code has no idea that the tokens are actually not valid.
>
> We can see this happening in the Keycloak admin panel as well; when SSO Session Max is reached the session disappears, but the offline session is still there and the "last refresh" time still updates. Inside the token itself we can see that it's still connected to a client session, but we can see no sessions anymore. After looking into the logs of Keycloak we found this error:
>
>     16:39:57,664 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-63) RESTEASY002005: Failed executing POST /admin/realms/Myrealm/users: org.jboss.resteasy.spi.UnauthorizedException: Bearer
>         at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:178)
>         at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:209)
>         at sun.reflect.GeneratedMethodAccessor511.invoke(Unknown Source)
>
> Tracing that through the code of Keycloak we found this, which seems to indicate that there must be a valid session associated with tokens:
>
> Starting here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L178
>
> Then to here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AppAuthManager.java#L58
>
> And finally here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java#L731
>
> Is this expected behavior? Are we misunderstanding something or in some way misusing offline tokens?
>
> Regards,
> Scott
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Juan.Cortez at Evisions.com Wed Jan 11 17:20:55 2017
From: Juan.Cortez at Evisions.com (Juan Cortez)
Date: Wed, 11 Jan 2017 22:20:55 +0000
Subject: [keycloak-user] Setting User Group through Java API Not Working
In-Reply-To: <5addf70f-caad-4c8d-25d0-063841ce96af@redhat.com>
References: <5addf70f-caad-4c8d-25d0-063841ce96af@redhat.com>
Message-ID:

Got it to work using this other API call. Thanks for the assistance.

On 1/11/17, 1:42 PM, "Marek Posolda" wrote:

This won't work. There is a separate endpoint for managing groups.
See the examples in our testsiote for example: https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/group/GroupTest.java#L271 Marek On 11/01/17 20:21, Juan Cortez wrote: > Hello, > > I am trying to create a user through the Java API, but setting the group in my code below is not working. When I go the Keycloak Admin Console after running this code, I can see that the user was successfully created with the rest of the attributes set, but the group is not set. Am I missing a step in my code? The group in my code below already exists before this code is ran. > > Keycloak keycloak = Keycloak.getInstance(?http://localhost:8080/auth?, ?myrealm?, ?myadmin?, ?myadminpass?, "admin-cli"); > UserRepresentation user = new UserRepresentation(); > user.setUsername(?mytestuser?); > user.setFirstName("Test"); > user.setLastName("User"); > user.setEnabled(true); > user.setGroups(Arrays.asList("mygroup")); > > Response result = keycloak.realm(?myrealm?).users().create(user); > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From daduev.ad at gmail.com Thu Jan 12 01:16:56 2017 From: daduev.ad at gmail.com (Adam Daduev) Date: Thu, 12 Jan 2017 06:16:56 +0000 Subject: [keycloak-user] Fwd: Error when session expired and ajax request execute in Keycloak? In-Reply-To: References: Message-ID: After login, i get in my app, and for all my ajax request from page to backing bean, i receive response 401 even if the session is still alive. If removed autodetect-bearer-only option, all work fine, but going back to the old error. XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/ realms/azovstal/protocol/openid-connect/auth??ml&state= 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'http://localhost:8080' is therefore not allowed access. ---------- Forwarded message --------- From: Adam Daduev Date: ??, 10 ???. 2017 ?. ? 14:08 Subject: Re: [keycloak-user] Error when session expired and ajax request execute in Keycloak? To: I tried, but does not work. Firstly, i add autodetect-bearer-only option via adapter subsystem, wildfly not started, he not know autodetect-bearer-only option, then, i added via json, wildfly started and app was deployed. Secondly, on my ajax request to backing bean, i receive response 401 and does not happend. This is my keycloak.json { "realm": "azovstal", "auth-server-url": "http://dc09-apps-06:8090/auth", "ssl-required": "none", "resource": "web-test", "public-client": true, "use-resource-role-mappings": true, "autodetect-bearer-only": true } ??, 10 ???. 2017 ?. ? 10:19, : Ok, I try, thanks. 10 ???. 2017 ?., ? 07:07, Stian Thorgersen ???????(?): In that case take a look at the new autodetect-bearer-only option. You'll need 2.5.0.Final for that. On 9 January 2017 at 19:18, wrote: No, I have jsf 2 app with richfaces framework, which deploy on wildfly 10.1. 9 ???. 2017 ?., ? 14:51, Stian Thorgersen ???????(?): [Adding list back] A web app redirects the user to a login page if not authenticated, while a service should return a 401. It sounds like what you have is a JS application with a service backend. In Keycloak you should have two separate types of clients for that. The JS application should be a public client, while the services a bearer-only client. On 9 January 2017 at 13:39, Adam Daduev wrote: Thanks for the answer. Yes i have confidential client, i have web application, that asks Keycloak server to authenticate a user for them. As I understand, bearer-only is for web services clients. I probably something do not understand? 
2017-01-09 11:44 GMT+02:00 Stian Thorgersen:
Looks like your services are configured as confidential clients rather than bearer-only and hence are sending a login request back rather than a 401. You should either swap your service war to be a bearer-only client or use the new autodetect-bearer-only option in adapters if you have both web pages and services in the same war.

On 8 January 2017 at 23:29, Adam Daduev wrote:
Hi, can you help me! When the session has expired and an AJAX request executes in Keycloak, I get an error in the browser console:

XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth??ml&state=60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.

I added, in the Keycloak admin console, in the client settings, Web Origins = http://localhost:8080 (or *), and enabled CORS in the app, but the error is still in the console. I use Keycloak 2.5.0.

From scott.finlay at sixt.com Thu Jan 12 02:44:21 2017 From: scott.finlay at sixt.com (Scott Finlay) Date: Thu, 12 Jan 2017 07:44:21 +0000 Subject: [keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached In-Reply-To: References: , Message-ID:

Hi Marek,

> Even after the "SSO Session Max" is reached and the "normal" session is
> expired, you should be still able to see the offline session

That's actually kind of the problem. We are able to still use the offline token to refresh the access token, but that access token doesn't have any active session behind it, so when we try to register a new identity with it we get a 401 back. How can we make it so that refreshing also revives the session (or creates a new one)?
Regards,
Scott

________________________________
From: Marek Posolda
Sent: Wednesday, January 11, 2017 10:56:02 PM
To: Scott Finlay; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached

Even after the "SSO Session Max" is reached and the "normal" session is expired, you should be still able to see the offline session (in the "Offline access" tab in the admin console). And also you should be still able to use the offline token to send the refreshToken request and issue a new accessToken, which can then be used to access REST endpoints.

Note that the offline token survives even a server restart.

You can try to look at our demo example and try the "offline-access-app" application from it.

Marek

On 11/01/17 11:48, Scott Finlay wrote:
> Hi,
>
> We have an application which creates users in Keycloak using offline tokens. But we're having an issue where Keycloak returns a 401 (unauthorized) when we try to make requests to it using an access token generated using our offline token. After some investigation we found that there exists a setting in Keycloak called "SSO Session Max" which seems to be an expiration time of the session itself, and after that amount of time, even if the access or refresh tokens are still valid, the session is killed. We found that the amount of time between when we last deployed and the first occurrence of the unauthorized error was 10 hours (the same as the SSO Session Max), and we tested locally with a short max time and were able to reproduce the problem.
>
> Then we found that when we use the offline token, our code thinks that the refresh token expiration time is 0 (which is to be expected since it's an offline token), and when the session lifetime is reached, it continues to use its "unlimited" refresh token to try to generate new access tokens. It seems that Keycloak still issues new access tokens using that refresh token even though the session doesn't exist, and these tokens don't work. Since Keycloak continues to issue tokens and since it doesn't tell us anything about the session max time, the code has no idea that the tokens are actually not valid.
>
> We can see this happening in the Keycloak admin panel as well; when SSO Session Max is reached the session disappears, but the offline session is still there and the "last refresh" time still updates. Inside the token itself we can see that it's still connected to a client session, but we can see no sessions anymore. After looking into the logs of Keycloak we found this error:
>
> 16:39:57,664 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-63) RESTEASY002005: Failed executing POST /admin/realms/Myrealm/users: org.jboss.resteasy.spi.UnauthorizedException: Bearer
>     at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:178)
>     at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:209)
>     at sun.reflect.GeneratedMethodAccessor511.invoke(Unknown Source)
>
> Tracing that through the code of Keycloak we found this, which seems to indicate that there must be a valid session associated with tokens:
>
> Starting here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L178
>
> Then to here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AppAuthManager.java#L58
>
> And finally here:
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java#L731
>
> Is this expected behavior? Are we misunderstanding something or in some way misusing offline tokens?
>
> Regards,
> Scott

From mposolda at redhat.com Thu Jan 12 03:43:32 2017 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 12 Jan 2017 09:43:32 +0100 Subject: [keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached In-Reply-To: References: Message-ID: <06d48737-1915-c77a-4ada-9b6c6f064458@redhat.com>

Ah, you're trying to use that accessToken to authenticate against our admin REST API. I can see this won't work ATM, as you pointed out, because AdminRoot.authenticateRealmAdminRequest needs the active userSession. This accessToken works fine with the REST services which use our adapter (BearerTokenRequestAuthenticator), but doesn't work for admin REST. Can you please create a JIRA for this?
Thanks,
Marek
From scott.finlay at sixt.com Thu Jan 12 04:42:02 2017 From: scott.finlay at sixt.com (Scott Finlay) Date: Thu, 12 Jan 2017 09:42:02 +0000 Subject: [keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached In-Reply-To: <06d48737-1915-c77a-4ada-9b6c6f064458@redhat.com> References: , <06d48737-1915-c77a-4ada-9b6c6f064458@redhat.com> Message-ID:

Hi Marek,

Thanks for the quick feedback. I've opened a Jira ticket here: https://issues.jboss.org/browse/KEYCLOAK-4201

Regards,
Scott
From amaeztu at tesicnor.com Thu Jan 12 06:48:38 2017 From: amaeztu at tesicnor.com (Aritz Maeztu) Date: Thu, 12 Jan 2017 12:48:38 +0100 Subject: [keycloak-user] Force token refresh with the Spring Security adapter Message-ID: <3e910e72-34fd-7ff2-d57a-5a682aa55def@tesicnor.com>

I'm using Keycloak in a Java client, configured with the Spring Security adapter. I've got a custom mapper in my Keycloak configuration, so when the access token is refreshed, Keycloak accesses an endpoint to retrieve some user permissions and they're stored in the token itself. Later on, my client application checks the token without having to perform the access to the permission endpoint itself (increased performance).

However, when an admin user changes his own permissions, I would like the Keycloak adapter to refresh the token after the permissions are stored; this way the admin user is not required to have his token refreshed or to re-login to load his new permissions. Is there a way to achieve it? Some kind of operation to refresh the current session's token?

--
Aritz Maeztu Otaño
Software Development Department
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E
31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40

Before printing this e-mail, think carefully about whether it is really necessary: the environment is everyone's responsibility.
From stuarta at squashedfrog.net Thu Jan 12 08:09:58 2017 From: stuarta at squashedfrog.net (Stuart Auchterlonie) Date: Thu, 12 Jan 2017 13:09:58 +0000 Subject: [keycloak-user] Getting the client-IP behind a reverse proxy with HTTPS In-Reply-To: <20170111184641.GD15257@abstractj.org> References: <20170111184641.GD15257@abstractj.org> Message-ID: <2d6ccc0c-765e-7dfc-6932-01c2d7e890b0@squashedfrog.net>

Hi,

I set the following headers with nginx and it works just fine.

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;

It might be because you are trying to use add_header rather than proxy_set_header.

Regards
Stuart

On 11/01/17 18:46, Bruno Oliveira wrote:
> I never tried it with Keycloak, it may or may not work. But you can try to set
> on nginx 'set_real_ip_from' with 'real_ip_header'[1].
>
> [1] - http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
>
> On 2017-01-10, Olivier Bruylandt wrote:
>> Dear,
>>
>> I have an issue getting the wanted behavior when retrieving the client public IP.
>> This is the situation:
>> (all IPs have been anonymized)
>>
>> - infrastructure level:
>>
>> ----------- Reverse Proxy NGINX ----------------------------------- KeyCloak
>>
>> RP is listening on ports 80 & 443 (80 is redirected to 443)
>> There is a public certificate signed by some external CA
>> Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080)
>> Keycloak is set as a standalone server on the latest WildFly version
>>
>> - Nginx config
>>
>> server {
>>     listen 443;
>>     server_name ************;
>>     fastcgi_param HTTPS on;
>>     location / {
>>         add_header X-Cache-Status $upstream_cache_status;
>>         add_header X-Real-IP $remote_addr;
>>         add_header X-Forwarded-For $remote_addr;
>>         add_header X-Forwarded-Proto $scheme;
>>         more_set_headers 'Server: ******';
>>         more_clear_headers 'X-Powered-By';
>>         charset UTF-8;
>>         proxy_cache ******_cache;
>>         proxy_pass https://1.1.1.1:8443/;
>>     }
>>
>>     ssl on;
>>     ssl_certificate /etc/ssl/private/**********.crt;
>>     ssl_certificate_key /etc/ssl/private/*************.key;
>>     ssl_prefer_server_ciphers on;
>>     ssl_dhparam /etc/ssl/***********.pem;
>>     ssl_protocols TLSv1.1 TLSv1.2;
>>     ssl_stapling on;
>>     ssl_session_cache builtin:1000 shared:SSL:10m;
>>     add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
>>     add_header X-Frame-Options "DENY";
>>     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
>> }
>>
>> - Keycloak config:
>>
>> <http-listener name="default" proxy-address-forwarding="true" socket-binding="http"/>
>> socket-binding="https"/>
>> path="${jboss.home.dir}/welcome-content"/>
>>
>> The situation is that everything is working fine and smooth EXCEPT ...
>> the fact that under sessions (and moreover for all user activities), the user IP I see is the one of the reverse proxy!!
>> As I put in red in the KC config, this is what should do the trick to use the X-Forwarded-For header value to set the client's IP.
>>
>> 15:07:55,104 WARN [org.keycloak.events] (default task-19) type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null, ipAddress=2.2.2.2, (...)
>>
>> When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates the SSL connection and the one to the KC server is made in HTTP), I obviously got a whole bunch of warnings and errors due to the HTTP -> HTTPS transport and also an HTTP connection towards the external social identity providers like Google, FB, etc. ... BUT I at least got the real IP, as you can see hereunder:
>>
>> 15:09:24,068 WARN [org.keycloak.events] (default task-29) type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null, ipAddress=191.21.133.234, (...)
>>
>> So the situation is that I will only get the "real" IP of the client if it passes through the HTTP listener of KC (the one that has the parameter "proxy-address-forwarding"), which is not what I want, as I want to reach the HTTPS listener.
>> I obviously also tried to add the same parameter (proxy-address-forwarding = "true") in the HTTPS listener configuration, but then standalone.sh shows an error and refuses to start:
>>
>> 14:24:30,621 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
>> 14:24:30,821 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
>> 14:24:30,888 INFO [org.jboss.as ] (MSC service thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final) starting
>> 14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
>>     at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
>>     at org.jboss.as.server.ServerService.boot(ServerService.java:356)
>>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
>>     at java.lang.Thread.run(Thread.java:745)
>> Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[380,17]
>> Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding' encountered.
>> Valid attributes are: 'socket-binding, worker, buffer-pool, enabled, resolve-peer-address, security-realm, verify-client, enabled-cipher-suites, enabled-protocols, enable-http2, enable-spdy, ssl-session-cache-size, ssl-session-timeout, max-header-size, max-post-size, buffer-pipelined-data, max-parameters, max-headers, max-cookies, allow-encoded-slash, decode-url, url-charset, always-set-keep-alive, max-buffered-request-size, record-request-start-time, allow-equals-in-cookie-value, no-request-timeout, request-parse-timeout, disallowed-methods, tcp-backlog, receive-buffer, send-buffer, tcp-keep-alive, read-timeout, write-timeout, max-connections, secure'
>>     at org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)
>>
>> requirements:
>>
>> - Entire solution has to run with SSL (HTTPS) from end to end
>>
>> Has someone already faced that situation, or does anyone have any clue about this?
>> Thank you for reading this post.
>>
>> Regards,
>>
>> /Olivier
>
> --
>
> abstractj

From hakamairi at gmail.com Thu Jan 12 08:13:02 2017 From: hakamairi at gmail.com (Blazej Checinski) Date: Thu, 12 Jan 2017 14:13:02 +0100 Subject: [keycloak-user] keycloak.js - page reloads itself when logged in Message-ID:

Hi Guys,

Sorry to bring it back again, but I've met the same issue. I tried the angular2-product example and I get an endless reload loop under Firefox (each after 5 seconds). This doesn't happen under Chromium. My setting is a Keycloak server in its own domain. The adapter js is taken from the server.
The Web Origins setting is just *. Any ideas?

Best regards,
Blazej Checinski

From lars.noldan at drillinginfo.com Thu Jan 12 11:00:17 2017 From: lars.noldan at drillinginfo.com (Lars Noldan) Date: Thu, 12 Jan 2017 10:00:17 -0600 Subject: [keycloak-user] Consulting Message-ID:

Do any of you do Keycloak / RedHat SSO installation consulting, or know of any companies that do?

From scott.finlay at sixt.com Thu Jan 12 11:16:25 2017 From: scott.finlay at sixt.com (Scott Finlay) Date: Thu, 12 Jan 2017 16:16:25 +0000 Subject: [keycloak-user] Access token appears to be valid even though session has expired in the background Message-ID:

Hi,

We're having issues where we receive an access token (using our refresh token) which appears to be valid for some certain amount of time (based on the expiration time), but the session expires in the background some time before that because SSO Session Max has been reached. Here's an example experiment:

SSO Session Idle = 2min
SSO Session Max = 3min
Access Token Lifespan = 1min

0 - create session (with client credentials)
---1m00 access token expires---
1m10 - register user (refresh token)
1m40 - register user
---2m10 access token expires---
2m40 - register user (refresh token)
---3m00 session expires---
3m10 - register user DIED HERE
---3m40 access token expires---
4m00 - register user (with client credentials)

Is there any way to make the expiry time of our access tokens take the session lifetime into account? For example, if we request a new access token 10 seconds before SSO Session Max, it should say that the token is valid for 10 seconds, not for 60 seconds.

Regards,
Scott

From java at neposoft.com Thu Jan 12 11:18:33 2017 From: java at neposoft.com (java_os) Date: Thu, 12 Jan 2017 11:18:33 -0500 Subject: [keycloak-user] keycloak.js - token refresh- Bad request 400 - cors Message-ID: <41eb49c149d01bfe3b5b3b89f4e85052.squirrel@neposoft.com>

Hi group

I am using ng with keycloak.js (2.5.0.Final).
When token expires keycloak.js is intercepting token expired and does a renew call when it fails(see client side stack below). Anyone has any clue around this behavior? My app is running on 9443 and KC on 8543 over https - all working fine up to the point when refresh token kicks in. Behind the scenes is the cors stuff. Thanks keycloak.js:451 POST https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token 400 (Bad Request) exec @ keycloak.js:451 (anonymous) @ keycloak.js:459 setSuccess @ keycloak.js:773 messageCallback @ keycloak.js:854 :9443/EDIT/#/EDIT/home:1 XMLHttpRequest cannot load https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://EDIT:9443' is therefore not allowed access. The response had HTTP status code 400. From dekela at perfectomobile.com Thu Jan 12 11:19:09 2017 From: dekela at perfectomobile.com (Dekel Aslan) Date: Thu, 12 Jan 2017 16:19:09 +0000 Subject: [keycloak-user] Account lock after several attempts Message-ID: Hi, I noticed that there is the feature for brute force detection, but it only locks the user for a period of time with no option for admin to unlock. Is there another mechanism that simply after X attempts locks the user until an admin releases him? Thanks :) Dekel. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. 
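The "lock until an admin releases the account" behaviour asked about above, together with the timed lockout and the reset-on-success that the brute force detector extension thread proposes, modelled as a small policy tracker. This is added example code, not Keycloak's brute force provider or its SPI; the usernames, thresholds and timestamps are constructed.

```python
"""Model of a login lockout policy: timed lockout, permanent lockout, admin unlock.

Added example, not Keycloak's own brute force provider. It models what the thread
asks for: a growing wait after every N failures, an outright disable once a total
failure count is reached, a counter reset on successful login, and an admin-only
release of the permanent lock. All names and thresholds are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    ALLOWED = "allowed"                 # login attempt may proceed
    TEMP_LOCKED = "temporarily_locked"  # retry once locked_until has passed
    PERM_LOCKED = "permanently_locked"  # only admin_unlock() clears this


@dataclass
class Policy:
    failures_per_lockout: int = 3       # failures that trigger each timed lockout
    wait_seconds: int = 60              # wait after the first timed lockout
    wait_increment: int = 60            # added for every further lockout
    max_wait_seconds: int = 900         # cap on the timed wait
    permanent_after: int = 10           # total failures before the permanent lock
    failure_reset_seconds: int = 43200  # quiet period after which failures are forgotten


@dataclass
class UserState:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0
    permanently_disabled: bool = False


class LockoutTracker:
    """Tracks failed logins per username and decides whether a login may proceed."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.users: dict = {}

    def _state(self, username: str) -> UserState:
        return self.users.setdefault(username, UserState())

    def check(self, username: str, now: float) -> Outcome:
        """Called before verifying a password: may this account try at all?"""
        st = self._state(username)
        if st.permanently_disabled:
            return Outcome.PERM_LOCKED
        if now < st.locked_until:
            return Outcome.TEMP_LOCKED
        return Outcome.ALLOWED

    def record_failure(self, username: str, now: float) -> Outcome:
        """Called after a wrong password; returns the account's new status."""
        st = self._state(username)
        if st.permanently_disabled:
            return Outcome.PERM_LOCKED
        # Forget stale failures so a slow trickle over months does not add up.
        if st.failures and now - st.last_failure > self.policy.failure_reset_seconds:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.permanent_after:
            st.permanently_disabled = True
            return Outcome.PERM_LOCKED
        if st.failures % self.policy.failures_per_lockout == 0:
            # Escalating wait: every further lockout adds wait_increment, up to the cap.
            rounds = st.failures // self.policy.failures_per_lockout
            wait = min(self.policy.wait_seconds + (rounds - 1) * self.policy.wait_increment,
                       self.policy.max_wait_seconds)
            st.locked_until = now + wait
            return Outcome.TEMP_LOCKED
        return Outcome.ALLOWED

    def record_success(self, username: str, now: float) -> bool:
        """Called after a correct password. Resets the counter, unless the account
        is locked, in which case the success must not be honoured (returns False)."""
        st = self._state(username)
        if self.check(username, now) is not Outcome.ALLOWED:
            return False
        st.failures = 0
        st.locked_until = 0.0
        return True

    def admin_unlock(self, username: str) -> None:
        """Administrative release: clears both the permanent and the timed lock."""
        st = self._state(username)
        st.permanently_disabled = False
        st.failures = 0
        st.locked_until = 0.0


if __name__ == "__main__":
    # Constructed walk-through: "bob" hits timed locks at 3, 6 and 9 failures,
    # the permanent lock at 10, and is then released by an administrator.
    tracker = LockoutTracker(Policy())
    for second in range(10):
        print(second, tracker.record_failure("bob", float(second)).value)
    tracker.admin_unlock("bob")
    print("after admin unlock:", tracker.check("bob", 11.0).value)
```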
From deepu.laghuvaram at gmail.com Thu Jan 12 16:46:18 2017 From: deepu.laghuvaram at gmail.com (Deepu Laghuvaram) Date: Thu, 12 Jan 2017 16:46:18 -0500 Subject: [keycloak-user] Forgot Password Error with Our own UserStorageProvider Message-ID: I am using my own DB2UserStorageProvider and my Login and Registration are working as expected but forgot password is not working as expected (When I remove User Federation then Forgot Password is working as expected). I am having the flow for Reset Credential as Choose User REQUIRED Send Reset Email REQUIRED Reset Password REQUIRED I used an existing user in my DB2 database, with which I am able to login and when I try that user to reset password, I am not receiving any email and below are the logs 14:40:31,755 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) action: reset-credentials-choose-user 14:40:32,908 INFO [DB2UserStorageProvider] (default task-14) Inside getUserByUsername: testmail at gmail.com 14:40:32,914 INFO [DB2UserStorageProvider] (default task-14) Entity.ID = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:32,914 INFO [DB2UserStorageProvider] (default task-14) Entity.setUsername = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) authenticator SUCCESS: reset-credentials-choose-user 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) processFlow 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) check execution: reset-credential-email requirement: REQUIRED 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-14) authenticator: reset-credential-email 14:40:32,949 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-14) JtaTransactionWrapper commit 14:40:32,957 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE 14:40:32,957 DEBUG 
[org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE ONLY 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) getUserById: f:c3f5f5ce-6954-4e2f-82e7-1055df749be9:9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) entity.getID: 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) Entity.ID = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) Entity.setUsername = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) processFlow 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: reset-credentials-choose-user requirement: REQUIRED 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) execution is processed 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: reset-credential-email requirement: REQUIRED 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: reset-credential-email 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate *14:40:33,030 WARN [org.keycloak.events] (default task-13) type=RESET_PASSWORD_ERROR, realmId=TestRealm, clientId=TestClient, userId=f:c3f5f5ce-6954-4e2f-82e7-1055df749be9:9bcff1bd-2ac9-4e63-b113-7061bd3f0278, ipAddress=127.0.0.1, error=invalid_email, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8090/account/account.jsp , code_id=857a3ff7-837f-4e8d-8b4d-dabd8b38a89e, username=testmail at gmail.com * 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) reset browser login from authenticator: reset-credential-email 14:40:33,030 DEBUG 
[org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE 14:40:33,030 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-13) AUTHENTICATE ONLY 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) processFlow 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: auth-cookie requirement: ALTERNATIVE 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: auth-cookie 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate 14:40:33,030 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-13) Could not find cookie: KEYCLOAK_IDENTITY 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator ATTEMPTED: auth-cookie 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: auth-spnego requirement: DISABLED 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) execution is processed 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: identity-provider-redirector requirement: ALTERNATIVE 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: identity-provider-redirector 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator ATTEMPTED: identity-provider-redirector 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: null requirement: ALTERNATIVE 14:40:33,030 DEBUG 
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) execution is flow 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) processFlow 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) check execution: auth-username-password-form requirement: REQUIRED 14:40:33,031 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) authenticator: auth-username-password-form 14:40:33,031 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-13) invoke authenticator.authenticate It looks like the user is not in context, I am not sure why the user is not in context as both getUserByUsername and getUserById are successful and even it says "authenticator SUCCESS: reset-credentials-choose-user". Could you please help me with this issue, I am using Keycloak 2.3.0 Final. Thanks, Deepu From sthorger at redhat.com Fri Jan 13 01:18:29 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 13 Jan 2017 07:18:29 +0100 Subject: [keycloak-user] Hot deployment of service providers in Keycloak 2.5.0 final In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D723E8B98E@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> References: <61D077C6283D454FAFD06F6AC4AB74D723E8B98E@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> Message-ID: On 11 January 2017 at 10:07, Matuszak, Eduard wrote: > Hello > > I am trying to understand and implement the new concept of deploying > service providers, but I fail at several points. > > What is meant by the "Keycloak deploy/ directory" mentioned in the > documentation? > > When trying the user-storage-simple example it was possible to hot deploy > the jar-file in wildfly's standalone/deployment-dir, but the > event-listener-sysout sample fails by class-loading problem ("java.lang.NoClassDefFoundError: > Failed to link org/keycloak/examples/providers/events/ > SysoutEventListenerProviderFactory"). 
> There's only one deploy directory ;) > > So perhaps not all SPI's do provide the new deployment concept? > > There is also a mismatch, I think, between the deploy-description in the > Readme.md of the event-listener-sysout example (describing the "old" way to > deploy) and the documentation in https://keycloak.gitbooks.io/ > server-developer-guide/content/topics/providers.html#providers > (recommending Keycloak deployer utilizing the enigmatic "Keycloak deploy/ > directory"). > Only user storage example has been checked with the new hot deploy method. I'm pretty sure the issue is that the other SPIs (event listener included) is in server-spi-private. You'll probably just need to add a jboss-module-structure.xml with a dependencies on that module and it should work. > > I was working on Kecloak 2.5.0 Final. > > Thanks in advatage for some clarifications. > > Eduard Matuszak > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Jan 13 01:25:42 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 13 Jan 2017 07:25:42 +0100 Subject: [keycloak-user] Detect user impersonation In-Reply-To: References: Message-ID: Surprisingly enough, no it's not possible at the moment. The assumption that was made was that impersonation was not something the app should care about. Can you audit this on the Keycloak server side instead? The login event has details that shows it's impersonated including the impersonator. Feel free to create a feature request for this. On 10 January 2017 at 13:09, David Delbecq wrote: > Hello, > > for audit reason, our application need to be able to make the difference > between "userA" and "userA impersonated by admin xyz". Is there some way > from the client point of view to make a difference between a logged in user > and an admin impersonating that user? 
Is it possible to add some property > in KeycloakPrincipal to detect it? And possiblity get the name of the admin > doing it? > -- > > David Delbecq > Software engineer, Transport & Logistics > Geldenaaksebaan 329, 1st floor | 3001 Leuven > +32 16 391 121 <+32%2016%20391%20121> Direct > david.delbecq at trimbletl.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Jan 13 01:28:21 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 13 Jan 2017 07:28:21 +0100 Subject: [keycloak-user] Customizing error Pages(for example client logo) In-Reply-To: References: Message-ID: You'd have to do it based on realm name rather than realm id. It would be a simple fix to make realm id available though so you can create a JIRA for that and even include a PR if you want. On 10 January 2017 at 17:46, rony joy wrote: > Hi All, > > We are trying to customize the error pages based on the realm id. We are > able to do the basic modification by extending the error pages in our > custom theme. But in our error pages we wanted the have more realm specific > customization(for example customer logo) by fetching the logo from external > services based on the realm Id. > > Currently we don't see a way by looking at the code. 
Any help is > appreciated > > > Thanks > Rony Joy > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Jan 13 01:30:38 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 13 Jan 2017 07:30:38 +0100 Subject: [keycloak-user] keycloak.js - page reloads itself when logged in In-Reply-To: References: Message-ID: I've got no clue about the Angular2 example, but with Angular this can happen if sso login is required and it fails for some reason and can also happen if Angular bootstrapping happens at the same time as Keycloak (by using ng-app rather than having manual bootstrapping of Angular). The Angular2 example is community contributed at the moment, but we are expecting to have something maintained by us in the nearish feature. We may even have a proper Angular2 adapter. On 12 January 2017 at 14:13, Blazej Checinski wrote: > Hi Guys, > Sorry to bring it back again, but I've met the same issue. > > Tried the angular2-product example and I get an endless reload loop under > Firefox (each after 5 seconds). > > This doesn't happen under Chromium. > > My setting is a keycloak server in it's own domain. The adapter js is taken > from the server. > The Web origins is just *. > > Any ideas? 
> > Best regards, > Blazej Checinski > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Jan 13 01:31:28 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 13 Jan 2017 07:31:28 +0100 Subject: [keycloak-user] keycloak.js - token refresh- Bad request 400 - cors In-Reply-To: <41eb49c149d01bfe3b5b3b89f4e85052.squirrel@neposoft.com> References: <41eb49c149d01bfe3b5b3b89f4e85052.squirrel@neposoft.com> Message-ID: Did you setup proper web origins and redirect URIs for your app? On 12 January 2017 at 17:18, java_os wrote: > Hi group > Am using ng with keycloak.js (2.5.0.Final). > When token expires keycloak.js is intercepting token expired and does a > renew call when it fails(see client side stack below). > Anyone has any clue around this behavior? > My app is running on 9443 and KC on 8543 over https - all working fine up > to the point when refresh token kicks in. > Behind the scenes is the cors stuff. > Thanks > > keycloak.js:451 POST > https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token 400 (Bad > Request) > > exec @ keycloak.js:451 > (anonymous) @ keycloak.js:459 > > setSuccess @ keycloak.js:773 > > messageCallback @ keycloak.js:854 > :9443/EDIT/#/EDIT/home:1 > XMLHttpRequest cannot load > https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token. No > 'Access-Control-Allow-Origin' header is present on the requested resource. > Origin 'https://EDIT:9443' is therefore not allowed access. The response > had HTTP status code 400. 
> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Jan 13 01:32:40 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 13 Jan 2017 07:32:40 +0100 Subject: [keycloak-user] Session timeout based on AuthN level of assurance In-Reply-To: References: Message-ID: We don't have support for step-up authentication at the moment. It's on our radar though. You may be able to do something with custom authenticator, but probably not with the script authenticator. On 10 January 2017 at 21:41, Santosh Haranath wrote: > In continuation - > > With Step-Up Authentication, applications that allow access to > different types of resources can require users to authenticate with a > stronger authentication mechanism to access sensitive resources. > > How can we implement step-up authentication with Keycloak ? Is there > an implementation of Authentication Context Class Reference within > Keycloak? > > On Tue, Jan 10, 2017 at 12:36 PM, Santosh Haranath > wrote: > > Does Script Authenticator in Authentication flow provide a way to > > manage session timeout as per level of assurance. Example 2 FA is > > valid for 20 mins but local LDAP authn is valid for 60 mins. > > > > How can we implement this requirement with keycloak? > > > > Thanks > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ronyjoy at gmail.com Fri Jan 13 01:51:34 2017 From: ronyjoy at gmail.com (rony joy) Date: Fri, 13 Jan 2017 06:51:34 +0000 Subject: [keycloak-user] Customizing error Pages(for example client logo) In-Reply-To: References: Message-ID: Thanks a lot.. we will create a Jira issue Rony Joy On Fri, Jan 13, 2017 at 12:28 AM Stian Thorgersen wrote: You'd have to do it based on realm name rather than realm id. 
It would be a simple fix to make realm id available though so you can create a JIRA for that and even include a PR if you want. On 10 January 2017 at 17:46, rony joy wrote: Hi All, We are trying to customize the error pages based on the realm id. We are able to do the basic modification by extending the error pages in our custom theme. But in our error pages we wanted the have more realm specific customization(for example customer logo) by fetching the logo from external services based on the realm Id. Currently we don't see a way by looking at the code. Any help is appreciated Thanks Rony Joy _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Fri Jan 13 02:16:46 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 13 Jan 2017 08:16:46 +0100 Subject: [keycloak-user] different properties for internal and external tokens In-Reply-To: References: Message-ID: We don't have any immediate plans to add support for this, but it is a fully valid use-case and a common one as well. I think there's two parts to this one: * Ability to exchange tokens - what you are suggesting seems the way to go, but I haven't looked if there are alternative approaches * Ability to have different token timeouts Feel free to create a JIRA feature request and we'll look into it when we can, but if you or someone else are able to contribute something that would be even better. On 11 January 2017 at 14:31, Waller, Tobias wrote: > Hi. > > We are currently looking into creating a microservice based application > and using Keycloak as identity provider. The application will consist of > several services which will communicate in a stateless fashion. Tokens will > be passed along the call chain (several hops) and evaluated by each service > in order to restrict access (bearer-only services). In some cases calls are > queued together with the token. 
So the processes are processed > asynchronously and can take quite some time. But they are guaranteed to be > processed within a determinable period of time (e.g. 7 days). > > Processes are triggered in three different ways: > 1. by internal (batch) processes (via client credentials grant) > 2. by external legacy applications (via resource owner password > credentials grant) > 3. by external users via web interface (via implicit grant) > > Tokens issued for use case 1 and 2 are held strictly within our datacenter > (internal token). Therefore we see no harm in issuing tokens with a > sufficient lifespan (e.g. 7days). Tokens issued for use case 3 on the other > hand are passed to the browser of the user (external token). In order to > avoid potential security breaches and information leakage we want these > tokens to fulfill the following properties: > a. have a shorter lifespan > b. do not contain information not needed by the client. Especially, the > token should not contain any roles specific to internal backend-services, > which could be used to infer information about application architecture. > > Our first idea was to allow the user to trigger long running processes was > to validate the external token in the api-gateway and exchange the external > for an internal token. That is using the external token as authorization > grant as described by section 2.1 of RFC7523. While Keycloak supports > client authentication via jwt which is also described within the same rfc, > this does not seem to be supported right now. > > Are there any plans to support the grant_type "urn:ietf:params:oauth:grant-type:jwt-bearer" > in the future? How can we implement different properties for internal and > external tokens without losing the identity of the user initiating a > process or using distributed or sticky sessions with means currently > available. 
> Thank you
> Tobias
>
> ________________________________
>
> Company: Capgemini Deutschland GmbH
> Chairman of the Supervisory Board: Antonio Schnieder; Managing Directors: Dr. Michael Schulte (Spokesman), Jost Förster, Dr. Peter Lempp, Dr. Volkmar Varnhagen
>
> Amtsgericht Berlin-Charlottenburg, HRB 98814
> This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Jan 13 02:30:16 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 13 Jan 2017 08:30:16 +0100
Subject: [keycloak-user] Brute force detector extension
In-Reply-To: <20170111181810.GC15257@abstractj.org>
References: <671c4b1db66e4eb8a1a98441e7a13cf9@muc1exmbxp1p.accounts.intern> <20170111181810.GC15257@abstractj.org>
Message-ID:

+1 You've already explained it on the mailing list and we've commented, so it's safe to continue with a PR without worrying that we'll reject your work.

On 11 January 2017 at 19:18, Bruno Oliveira wrote:
> I believe the best is to create a Jira as a feature request. And later you can attach your PR to that.
>
> On 2017-01-11, Eriksson Fabian wrote:
> > Do you want me to create a new feature request through the dev mailing list or could I immediately create a Jira-ticket?
> > > > Best regards > > Fabian Eriksson > > > > From: Stian Thorgersen [mailto:sthorger at redhat.com] > > Sent: den 2 januari 2017 09:15 > > To: Eriksson Fabian > > Cc: keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Brute force detector extension > > > > You can implement a custom provider for the brute force protection that > would do what you want. It wouldn't be configurable through the admin > console though. > > > > I don't see why we couldn't add it as an option to the built-in provider > though so if you are happy to send a PR for it including tests we could > accept it into 3.x. > > > > On 21 December 2016 at 11:24, Eriksson Fabian > wrote: > > Hi all! > > > > We would like to have ability to configure the brute force detector so > it can disable a user account after X failed attempts completely and not > only lock him/her out for a period of time (setting the lockout-time to a > few years is not enough). In the end we would like the admins of KeyCloak > to be able to set a timed lockout-period or set a permanent one for > different realms. I guess this would also require the detector to reset the > failed-login-attempts count on a successful login. > > > > Does this sound interesting and could this then be something that we > could contribute with to KeyCloak? > > > > Or is there a way to substitute the already existing brute force > detector? > > > > Thanks in advance! 
> > Fabian Eriksson
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj

From sthorger at redhat.com Fri Jan 13 02:34:36 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 13 Jan 2017 08:34:36 +0100
Subject: [keycloak-user] Fwd: Error when session expired and ajax request execute in Keycloak?
In-Reply-To:
References:
Message-ID:

Might be that it's expecting a token in the ajax request rather than checking for a session, not 100% sure though. RichFaces won't work unless we can support securing the requests from the session.

Can you create a JIRA bug for this please? If you can attach a simple example we can build and deploy to reproduce the issue, that would be extremely helpful and we would be able to look at it sooner.

On 12 January 2017 at 07:16, Adam Daduev wrote:
> After login, I get into my app, and for all my ajax requests from the page to the backing bean I receive response 401, even if the session is still alive. If the autodetect-bearer-only option is removed, all works fine, but it goes back to the old error.
>
> XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth??ml&state=60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
>
> ---------- Forwarded message ---------
> From: Adam Daduev
> Date: Tue, 10 Jan 2017 at 14:08
> Subject: Re: [keycloak-user] Error when session expired and ajax request execute in Keycloak?
> To:
>
>
> I tried, but it does not work.
> Firstly, I added the autodetect-bearer-only option via the adapter subsystem; WildFly did not start, as it does not know the autodetect-bearer-only option. Then I added it via json; WildFly started and the app was deployed.
> Secondly, on my ajax request to the backing bean, I receive response 401 and it does not happen.
> This is my keycloak.json
> {
>   "realm": "azovstal",
>   "auth-server-url": "http://dc09-apps-06:8090/auth",
>   "ssl-required": "none",
>   "resource": "web-test",
>   "public-client": true,
>   "use-resource-role-mappings": true,
>   "autodetect-bearer-only": true
> }
>
> Tue, 10 Jan 2017 at 10:19, :
>
> Ok, I'll try, thanks.
>
> 10 Jan 2017, at 07:07, Stian Thorgersen wrote:
>
> In that case take a look at the new autodetect-bearer-only option. You'll need 2.5.0.Final for that.
>
> On 9 January 2017 at 19:18, wrote:
>
> No, I have a JSF 2 app with the RichFaces framework, which is deployed on WildFly 10.1.
>
> 9 Jan 2017, at 14:51, Stian Thorgersen wrote:
>
> [Adding list back]
>
> A web app redirects the user to a login page if not authenticated, while a service should return a 401.
>
> It sounds like what you have is a JS application with a service backend. In Keycloak you should have two separate types of clients for that. The JS application should be a public client, while the services should be a bearer-only client.
>
> On 9 January 2017 at 13:39, Adam Daduev wrote:
>
> Thanks for the answer.
> Yes, I have a confidential client; I have a web application that asks the Keycloak server to authenticate a user for it. As I understand, bearer-only is for web services clients.
> Is there something I don't understand?
>
> 2017-01-09 11:44 GMT+02:00 Stian Thorgersen :
>
> Looks like your services are configured as confidential clients rather than bearer-only and hence are sending a login request back rather than a 401.
> You should either swap your service war to be a bearer-only client or use > the new autodetect-bearer-only option in adapters if you have both web > pages and services in the same war. > > On 8 January 2017 at 23:29, Adam Daduev wrote: > > Hi, can you help me! > When session expired and ajax request execute in Keycloak, i have error in > browser console: > > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/ > realms/azovstal/protocol/openid-connect/auth??ml&state= > 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No > 'Access-Control-Allow-Origin' header is present on the requested resource. > Origin 'http://localhost:8080' is therefore not allowed access. > > I add in Keycloak admin console, in the client setting, Web Origins= > http://localhost:8080 (or *), and enabled cors in app, but still has error > in console. I used Keycloak 2.5.0 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Jan 13 02:35:48 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 13 Jan 2017 08:35:48 +0100 Subject: [keycloak-user] Getting the client-IP behind a reverse proxy with HTTPS In-Reply-To: <2d6ccc0c-765e-7dfc-6932-01c2d7e890b0@squashedfrog.net> References: <20170111184641.GD15257@abstractj.org> <2d6ccc0c-765e-7dfc-6932-01c2d7e890b0@squashedfrog.net> Message-ID: FIY I don't think Keycloak (WildFly) looks at X-Real-IP, but rather it'll use X-Forwarded-For On 12 January 2017 at 14:09, Stuart Auchterlonie wrote: > Hi, > > > I set the following headers with nginx and it works just fine. 
> > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $remote_addr; > proxy_set_header X-Forwarded-Host $host; > proxy_set_header X-Forwarded-Server $host; > proxy_set_header X-Forwarded-Proto $scheme; > > it might be because you are trying to use add_header > rather than proxy_set_header. > > > Regards > Stuart > > > On 11/01/17 18:46, Bruno Oliveira wrote: > > I never tried it with Keycloak, it may or may not work. But you can try > to set > > on nginx 'set_real_ip_from' with 'real_ip_header'[1]. > > > > [1] - http://nginx.org/en/docs/http/ngx_http_realip_module.html# > real_ip_header > > > > On 2017-01-10, Olivier Bruylandt wrote: > >> Dear, > >> > >> > >> I get an issue to get the wanted behavior when retrieving the client > public > >> IP. > >> This is the situation : > >> (all IP's have been anonymized) > >> > >> > >> > >> - *infrastructure level*: > >> > >> ----------- Reverse Proxy NGINX ----------------------------------- > KeyCloak > >> > >> RP is listening on ports 80 & 443 (80 is redirected to 443) > >> There is a public certificate signed by some external CA > >> Nginx redirects to the 8443 (https) of KC (HTTP runs on 8080) > >> Keycloak is set as standalone server on a Wildfly last version > >> > >> > >> > >> > >> - *Nginx config* > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> *server { listen 443; server_name ************; > >> fastcgi_param HTTPS on; location / { add_header > >> X-Cache-Status $upstream_cache_status; add_header > X-Real-IP > >> $remote_addr; add_header X-Forwarded-For $remote_addr; > >> add_header X-Forwarded-Proto $scheme; > >> more_set_headers 'Server: ******'; more_clear_headers > >> 'X-Powered-By'; charset UTF-8; proxy_cache > >> ******_cache; proxy_pass https://1.1.1.1:8443/ > >> ; }* > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> * ssl on; ssl_certificate /etc/ssl/private/**********.crt; > >> 
> >>         ssl_certificate_key /etc/ssl/private/*************.key;
> >>         ssl_prefer_server_ciphers on;
> >>         ssl_dhparam /etc/ssl/***********.pem;
> >>         ssl_protocols TLSv1.1 TLSv1.2;
> >>         ssl_stapling on;
> >>         ssl_session_cache builtin:1000 shared:SSL:10m;
> >>         add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
> >>         add_header X-Frame-Options "DENY";
> >>         ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
> >>     }
> >>
> >> - *Keycloak config*:
> >>
> >>     <http-listener name="default" proxy-address-forwarding="true" socket-binding="http"/>
> >>     <https-listener security-realm="**********" socket-binding="https"/>
> >>     ...
> >>     <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
> >>
> >> The situation is that everything is working fine and smooth EXCEPT ... the
> >> fact that under sessions (and moreover for all user activities), the user
> >> IP I see is the one of the reverse proxy !!
> >> As I put in red in the KC config, this is what should do the trick to use
> >> the X-Forwarded-For header value to set the client's IP.
> >>
> >>     15:07:55,104 WARN [org.keycloak.events] (default task-19)
> >>     type=REFRESH_TOKEN_ERROR, realmId=***, clientId=account, userId=null,
> >>     ipAddress=2.2.2.2, (...)
> >>
> >> When I tried to reach KC on the 8080 (HTTP) listener (so the RP terminates
> >> the SSL connection and the one to the KC server is made in HTTP), I
> >> obviously got a whole bunch of warnings and errors due to the HTTP -> HTTPS
> >> transport and also an HTTP connection towards the external social identity
> >> providers like Google, FB, etc. ... BUT I at least got the real IP, as you
> >> might see hereunder:
> >>
> >>     15:09:24,068 WARN [org.keycloak.events] (default task-29)
> >>     type=LOGIN_ERROR, realmId=*****, clientId=account, userId=null,
> >>     ipAddress=191.21.133.234, (...)
> >>
> >> So the situation is that I will only get the "real" IP of the client if it
> >> passes through the HTTP listener of KC (the one that has the parameter
> >> "proxy-address-forwarding"), which is not what I want, as I want to reach
> >> the HTTPS listener.
> >> I obviously also tried to add the same parameter (proxy-address-forwarding
> >> = "true") in the HTTPS listener configuration, but then standalone.sh
> >> shows an error and refuses to start:
> >>
> >>     14:24:30,621 INFO  [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final
> >>     14:24:30,821 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> >>     14:24:30,888 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 2.5.0.CR1 (WildFly Core 2.0.10.Final) starting
> >>     14:24:31,597 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
> >>         at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
> >>         at org.jboss.as.server.ServerService.boot(ServerService.java:356)
> >>         at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
> >>         at java.lang.Thread.run(Thread.java:745)
> >>     Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[380,17]
> >>     Message: WFLYCTL0376: Unexpected attribute 'proxy-address-forwarding' encountered.
> >>     Valid attributes are: 'socket-binding, worker, buffer-pool, enabled,
> >>     resolve-peer-address, security-realm, verify-client, enabled-cipher-suites,
> >>     enabled-protocols, enable-http2, enable-spdy, ssl-session-cache-size,
> >>     ssl-session-timeout, max-header-size, max-post-size, buffer-pipelined-data,
> >>     max-parameters, max-headers, max-cookies, allow-encoded-slash, decode-url,
> >>     url-charset, always-set-keep-alive, max-buffered-request-size,
> >>     record-request-start-time, allow-equals-in-cookie-value, no-request-timeout,
> >>     request-parse-timeout, disallowed-methods, tcp-backlog, receive-buffer,
> >>     send-buffer, tcp-keep-alive, read-timeout, write-timeout, max-connections,
> >>     secure'
> >>         at org.jboss.as.controller.parsing.ParseUtils.unexpectedAttribute(ParseUtils.java:128)
> >>
> >> *requirements*:
> >>
> >> - The entire solution has to run with SSL (HTTPS) from end to end.
> >>
> >> Has someone already faced that situation, or does anyone have any clue
> >> about this?
> >> Thank you for reading this post.
> >>
> >> Regards,
> >>
> >> /Olivier
> >>
> > --
> >
> > abstractj
>

From sthorger at redhat.com Fri Jan 13 02:37:24 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 13 Jan 2017 08:37:24 +0100
Subject: [keycloak-user] Consulting
In-Reply-To:
References:
Message-ID:

Have you contacted Red Hat sales?
If you already have support, raise a ticket with your questions and our
support team should be able to help you.

On 12 January 2017 at 17:00, Lars Noldan wrote:
> Do any of you do Keycloak / RedHat SSO installation consulting, or know of
> any companies that do?

From sthorger at redhat.com Fri Jan 13 02:40:24 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 13 Jan 2017 08:40:24 +0100
Subject: [keycloak-user] Access token appears to be valid even though session has expired in the background
In-Reply-To:
References:
Message-ID:

I'd say that's a bug and the access token timeout should take into account
the SSO session max. I wouldn't say it's a high priority though. Access
token timeout is typically minutes while SSO session max is usually
hours/days. Further, there are many other situations where an access token
is not strictly valid even though you can still use it (user/admin remotely
logs out, user is disabled, etc.). If you really really need to be
absolutely sure that an access token times out then reduce its lifespan
and/or consider invoking the token introspection endpoint to verify it.

On 12 January 2017 at 17:16, Scott Finlay wrote:
> Hi,
>
> We're having issues in that we receive an access token (using our refresh
> token) which appears to be valid for some certain amount of time (based on
> the expiration time), but the session expires in the background some time
> before that because SSO Session Max has been reached.
>
> Here's an example experiment:
>
> SSO Session Idle = 2min
> SSO Session Max = 3min
> Access Token Lifespan = 1min
>
> 0    - create session (with client credentials)
> ---1m00 access token expires---
> 1m10 - register user (refresh token)
> 1m40 - register user
> ---2m10 access token expires---
> 2m40 - register user (refresh token)
> ---3m00 session expires---
> 3m10 - register user DIED HERE
> ---3m40 access token expires---
> 4m00 - register user (with client credentials)
>
> Is there any way to make our expiry time for access tokens take the
> session lifetime into account?
> For example, if we request a new access token 10 seconds before SSO
> Session Max, it should say that the token is valid for 10 seconds, not
> for 60 seconds.
>
> Regards,
> Scott

From sthorger at redhat.com Fri Jan 13 02:42:04 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 13 Jan 2017 08:42:04 +0100
Subject: [keycloak-user] Account lock after several attempts
In-Reply-To:
References:
Message-ID:

Admin can unlock through the admin console. You can also set failure reset
time to a large number. It's not possible at the moment to permanently
block the account, but there's another user that wants that who is working
on a PR for it.

On 12 January 2017 at 17:19, Dekel Aslan wrote:
> Hi,
> I noticed that there is the feature for brute force detection, but it only
> locks the user for a period of time with no option for the admin to unlock.
> Is there another mechanism that simply locks the user after X attempts
> until an admin releases him?
>
> Thanks :)
> Dekel.
>
> The information contained in this message is proprietary to the sender,
> protected from disclosure, and may be privileged. The information is
> intended to be conveyed only to the designated recipient(s) of the message.
> If the reader of this message is not the intended recipient, you are hereby
> notified that any dissemination, use, distribution or copying of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please notify us immediately by
> replying to the message and deleting it from your computer. Thank you.

From daduev.ad at gmail.com Fri Jan 13 03:53:51 2017
From: daduev.ad at gmail.com (Adam Daduev)
Date: Fri, 13 Jan 2017 08:53:51 +0000
Subject: [keycloak-user] Fwd: Error when session expired and ajax request execute in Keycloak?
In-Reply-To:
References:
Message-ID:

I created a JIRA bug and added a simple example.
https://issues.jboss.org/browse/KEYCLOAK-4214

On Fri, 13 Jan 2017 at 9:34, Stian Thorgersen wrote:
> Might be that it's expecting a token in the ajax request rather than
> checking for a session, not 100% sure though. RichFaces won't work unless
> we can support securing the requests from the session.
>
> Can you create a JIRA bug for this please? If you can attach a simple
> example we can build and deploy to reproduce the issue that would be
> extremely helpful and we would be able to look at it sooner.
>
> On 12 January 2017 at 07:16, Adam Daduev wrote:
>
> After login I get into my app, and for all my ajax requests from the page
> to the backing bean I receive response 401, even if the session is still
> alive. If I remove the autodetect-bearer-only option everything works
> fine, but I am back to the old error:
>
> XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth??ml&state=60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid.
> No 'Access-Control-Allow-Origin' header is present on the requested resource.
> Origin 'http://localhost:8080' is therefore not allowed access.
>
> ---------- Forwarded message ---------
> From: Adam Daduev
> Date: Tue, 10 Jan 2017 at 14:08
> Subject: Re: [keycloak-user] Error when session expired and ajax request execute in Keycloak?
> To:
>
> I tried, but it does not work.
> Firstly, I added the autodetect-bearer-only option via the adapter
> subsystem; wildfly did not start, as it does not know the
> autodetect-bearer-only option. Then I added it via json; wildfly started
> and the app was deployed.
> Secondly, on my ajax request to the backing bean I receive response 401
> and nothing happens.
> This is my keycloak.json:
>
>     {
>       "realm": "azovstal",
>       "auth-server-url": "http://dc09-apps-06:8090/auth",
>       "ssl-required": "none",
>       "resource": "web-test",
>       "public-client": true,
>       "use-resource-role-mappings": true,
>       "autodetect-bearer-only": true
>     }
>
> On Tue, 10 Jan 2017 at 10:19, wrote:
>
> Ok, I'll try, thanks.
>
> On 10 Jan 2017, at 07:07, Stian Thorgersen wrote:
>
> In that case take a look at the new autodetect-bearer-only option. You'll
> need 2.5.0.Final for that.
>
> On 9 January 2017 at 19:18, wrote:
>
> No, I have a JSF 2 app with the RichFaces framework, which is deployed on
> wildfly 10.1.
>
> On 9 Jan 2017, at 14:51, Stian Thorgersen wrote:
>
> [Adding list back]
>
> A web app redirects the user to a login page if not authenticated, while a
> service should return a 401.
>
> It sounds like what you have is a JS application with a service backend. In
> Keycloak you should have two separate types of clients for that. The JS
> application should be a public client, while the services a bearer-only
> client.
>
> On 9 January 2017 at 13:39, Adam Daduev wrote:
>
> Thanks for the answer.
> Yes, I have a confidential client; I have a web application that asks the
> Keycloak server to authenticate a user for it. As I understand it,
> bearer-only is for web service clients.
> I probably do not understand something?
>
> 2017-01-09 11:44 GMT+02:00 Stian Thorgersen:
>
> Looks like your services are configured as confidential clients rather than
> bearer-only and hence are sending a login request back rather than a 401.
From stuarta at squashedfrog.net Fri Jan 13 03:56:00 2017
From: stuarta at squashedfrog.net (Stuart Auchterlonie)
Date: Fri, 13 Jan 2017 08:56:00 +0000
Subject: [keycloak-user] Getting the client-IP behind a reverse proxy with HTTPS
In-Reply-To:
References: <20170111184641.GD15257@abstractj.org> <2d6ccc0c-765e-7dfc-6932-01c2d7e890b0@squashedfrog.net>
Message-ID:

On 13/01/17 07:35, Stian Thorgersen wrote:
> FYI I don't think Keycloak (WildFly) looks at X-Real-IP, but rather
> it'll use X-Forwarded-For

Most things use X-Forwarded-For; this is just my standard proxy config
snippet which I use for everything.

I would try without it to start with and see how you get on.

Regards
Stuart
> >>>
> >>> Regards,
> >>>
> >>> /Olivier
> >>>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > abstractj
>

From haimv at perfectomobile.com Fri Jan 13 05:00:12 2017
From: haimv at perfectomobile.com (Haim Vana)
Date: Fri, 13 Jan 2017 10:00:12 +0000
Subject: [keycloak-user] Red Hat SSO support feedback
Message-ID:

Hi all,

We are considering using the Red Hat SSO support, so if you have any experience working with them we would appreciate it if you could share it (you can reply to me or to the group).

Thanks,
Haim.

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
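One point a reader of the reverse-proxy thread above (Olivier's message) will want stated explicitly: a server may only believe X-Forwarded-For when the request arrives from a proxy it has been configured to trust, because any client can send that header itself. That is the job of the listener's proxy-address-forwarding switch; with it off, the TCP peer, i.e. the proxy, is what gets logged, which is exactly the ipAddress=2.2.2.2 events in the thread. A second detail is nginx-specific: `add_header` sets a header on the response to the browser, while the request header an upstream sees is set with `proxy_set_header`, so the posted location block does not actually hand X-Forwarded-For to Keycloak at all. The Python below is an added example, not code from the thread or from Keycloak/Undertow; the trusted-proxy check and the right-to-left walk over the header chain are this example's own modelling of the listener setting, not Undertow's implementation. It uses the thread's anonymized addresses (2.2.2.2 for the proxy, 191.21.133.234 for the real client) and a made-up 203.0.113.9 as an untrusted host.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample values. 2.2.2.2 is the (anonymized) reverse-proxy address that
# showed up as ipAddress= in the thread's HTTPS-listener events, 191.21.133.234 the
# real client address seen on the HTTP listener; 203.0.113.9 is a made-up host that
# is not one of our proxies at all.
PROXY_ADDR = "2.2.2.2"
REAL_CLIENT = "191.21.133.234"
UNTRUSTED_HOST = "203.0.113.9"
TRUSTED_PROXIES: Set[Address] = {ipaddress.ip_address(PROXY_ADDR)}


def parse_forwarded_for(header: Optional[str]) -> List[Address]:
    """Split an X-Forwarded-For value into addresses, silently dropping junk.

    The header is a comma-separated chain: leftmost is whatever the sender claimed,
    rightmost is the hop appended by the last proxy.  Unparsable entries are skipped
    rather than raised on, so a malformed header cannot take down the request path.
    """
    hops: List[Address] = []
    for part in (header or "").split(","):
        part = part.strip()
        if not part:
            continue
        try:
            hops.append(ipaddress.ip_address(part))
        except ValueError:
            continue
    return hops


def client_ip(peer_addr: str, headers: Dict[str, str], *,
              proxy_address_forwarding: bool,
              trusted_proxies: Set[Address] = TRUSTED_PROXIES) -> str:
    """Return the address to record for a request (the ipAddress= of an event).

    Forwarding off: the TCP peer is recorded, which behind a proxy is the proxy
    itself (the thread's 2.2.2.2 events).  Forwarding on: X-Forwarded-For is used,
    but only if the peer is a trusted proxy, and only the rightmost hop that is not
    itself a trusted proxy counts, so a client that pre-fills the header cannot pick
    the address that ends up in the audit log.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not proxy_address_forwarding or peer not in trusted_proxies:
        return str(peer)
    # Header names are case-insensitive; accept whichever spelling the proxy used.
    raw = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    for hop in reversed(parse_forwarded_for(raw)):
        if hop not in trusted_proxies:
            return str(hop)
    # Header missing, empty, or made only of our own proxies: fall back to the peer.
    return str(peer)


def scenarios() -> Dict[str, str]:
    """The thread's situations side by side, keyed by a short description."""
    via_proxy = {"X-Forwarded-For": REAL_CLIENT}
    spoofed = {"x-forwarded-for": f"{UNTRUSTED_HOST}, {REAL_CLIENT}"}
    return {
        "forwarding off, behind proxy":
            client_ip(PROXY_ADDR, via_proxy, proxy_address_forwarding=False),
        "forwarding on, behind proxy":
            client_ip(PROXY_ADDR, via_proxy, proxy_address_forwarding=True),
        "forwarding on, client prepended a fake hop":
            client_ip(PROXY_ADDR, spoofed, proxy_address_forwarding=True),
        "forwarding on, header from a non-proxy peer":
            client_ip(UNTRUSTED_HOST, via_proxy, proxy_address_forwarding=True),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:45s} -> ipAddress={ip}")
```

Run it directly to print the four scenarios. The spoofed-chain case is the one that justifies walking the chain from the right: a client that prepends its own value cannot displace the address the trusted proxy appended, whereas taking the leftmost entry would let it choose what the audit log records.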
From eduard.matuszak at worldline.com Fri Jan 13 09:05:18 2017
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Fri, 13 Jan 2017 14:05:18 +0000
Subject: [keycloak-user] Hot deployment of service providers in Keycloak 2.5.0 final
In-Reply-To:
References: <61D077C6283D454FAFD06F6AC4AB74D723E8B98E@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723E8C15D@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Thanks for the hints! For my jar deployment I accordingly added a MANIFEST.MF entry

    Dependencies: org.keycloak.keycloak-server-spi-private

and hot deployment of my provider works fine now.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, January 13, 2017 7:18 AM
To: Matuszak, Eduard
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Hot deployment of service providers in Keycloak 2.5.0 final

On 11 January 2017 at 10:07, Matuszak, Eduard wrote:

> Hello
>
> I am trying to understand and implement the new concept of deploying service providers, but I fail at several points. What is meant by the "Keycloak deploy/ directory" mentioned in the documentation? When trying the user-storage-simple example it was possible to hot deploy the jar file in wildfly's standalone/deployment dir, but the event-listener-sysout sample fails with a class-loading problem ("java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/providers/events/SysoutEventListenerProviderFactory").

There's only one deploy directory ;)

> So perhaps not all SPIs do provide the new deployment concept? There is also a mismatch, I think, between the deploy description in the Readme.md of the event-listener-sysout example (describing the "old" way to deploy) and the documentation in https://keycloak.gitbooks.io/server-developer-guide/content/topics/providers.html#providers (recommending the Keycloak deployer utilizing the enigmatic "Keycloak deploy/ directory").

Only the user storage example has been checked with the new hot deploy method.
I'm pretty sure the issue is that the other SPIs (event listener included) are in server-spi-private. You'll probably just need to add a jboss-module-structure.xml with a dependency on that module and it should work.

> I was working on Keycloak 2.5.0 Final.
>
> Thanks in advance for some clarifications.
>
> Eduard Matuszak

From Michael.E.Brown at dell.com Fri Jan 13 09:54:54 2017
From: Michael.E.Brown at dell.com (Michael.E.Brown at dell.com)
Date: Fri, 13 Jan 2017 14:54:54 +0000
Subject: [keycloak-user] Design question for thousands of resource servers
Message-ID: <94300952802546ceb2960fb849663bd6@ausx13mps334.AMER.DELL.COM>

I'm wrestling with a design problem that I could use some help on.

I have a console application that users will log into with OIDC. That console application manages (potentially thousands of) devices. Each device individually has a web UI that a user can log into with OIDC.

I've pretty much finished the design for individual logins to the console and the individual devices, using Client Roles to enumerate permissions on the console and device, and creating groups that give users access to the roles on the devices they should have permissions to. I've set up a Client Role mapper that adds a "{device|console}_permissions": ["perm1", "perm2", "perm3", ...] to the ID Token. The console or device then uses the ID Token to create a session with the appropriate permissions.

The individual devices also have REST endpoints which the console will access. This is where I am running into a problem. I need a solution for the console to act as a Client and get Access Tokens for each of the individual devices.
There are three access modes where the console uses the device REST APIs:

- In the context of a user that is present and logged into the console
- On behalf of a user who may or may not be presently logged in (think scheduled tasks)
- As part of the infrastructure, outside a user context

How can I set up the solution so that the console can get Access Tokens from keycloak for each of these use cases, and how does each device verify the token? I don't think it will scale to have the initial console login Access Token contain all of the permissions for every device. Additionally, I'm worried about the effects if one device is compromised; it seems that the access token could then be used to make requests on any of the other connected servers. But I am at a loss to find another way to accomplish this.

--
Michael

From david_delbecq at trimble.com Fri Jan 13 10:30:17 2017
From: david_delbecq at trimble.com (David Delbecq)
Date: Fri, 13 Jan 2017 15:30:17 +0000
Subject: [keycloak-user] Detect user impersonation
In-Reply-To:
References:
Message-ID:

Well, the server event is quite limited. There is no way to distinguish the operations done by the admin from the operations done by the user, if both are using the application at the same time. Unless the Keycloak principal contains some magic session key I can match later with the event audit.

What's the procedure to create a feature request? Just file a bug?

On Fri, Jan 13, 2017 at 7:25 AM Stian Thorgersen wrote:

> Surprisingly enough, no it's not possible at the moment. The assumption that was made was that impersonation was not something the app should care about. Can you audit this on the Keycloak server side instead? The login event has details that show it's impersonated, including the impersonator.
>
> Feel free to create a feature request for this.
>
> On 10 January 2017 at 13:09, David Delbecq wrote:
>
> > Hello,
> >
> > for audit reasons, our application needs to be able to make the difference between "userA" and "userA impersonated by admin xyz". Is there some way from the client point of view to make a difference between a logged in user and an admin impersonating that user? Is it possible to add some property in KeycloakPrincipal to detect it? And possibly get the name of the admin doing it?
> >
> > --
> > David Delbecq
> > Software engineer, Transport & Logistics
> > Geldenaaksebaan 329, 1st floor | 3001 Leuven
> > +32 16 391 121 Direct
> > david.delbecq at trimbletl.com
>

--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq at trimbletl.com

From ronyjoy at gmail.com Fri Jan 13 13:23:29 2017
From: ronyjoy at gmail.com (rony joy)
Date: Fri, 13 Jan 2017 18:23:29 +0000
Subject: [keycloak-user] Customizing error Pages(for example client logo)
In-Reply-To:
References:
Message-ID:

When we thought about it more, I guess we need more than just the realm name in the error pages, because we are depending on a customization service to get the images/styles. In order to call the customization service we require the URL and certain other parameters. In order to make it more generic, can we have a custom error handler? Or something along those lines?

Regards
Rony Joy

On Fri, Jan 13, 2017 at 12:28 AM Stian Thorgersen wrote:

> You'd have to do it based on realm name rather than realm id. It would be a simple fix to make realm id available though, so you can create a JIRA for that and even include a PR if you want.
>
> On 10 January 2017 at 17:46, rony joy wrote:
>
> > Hi All,
> >
> > We are trying to customize the error pages based on the realm id. We are able to do the basic modification by extending the error pages in our custom theme. But in our error pages we wanted to have more realm specific customization (for example customer logo) by fetching the logo from external services based on the realm Id.
> >
> > Currently we don't see a way by looking at the code. Any help is appreciated.
> >
> > Thanks
> > Rony Joy

From deepu.laghuvaram at gmail.com Fri Jan 13 15:27:47 2017
From: deepu.laghuvaram at gmail.com (Deepu Laghuvaram)
Date: Fri, 13 Jan 2017 15:27:47 -0500
Subject: [keycloak-user] Is Brute Force Detection Extensible or can be Customized?
Message-ID:

Our current functionality is that if the user provides a wrong password 5 times or more then we want to display on the login page itself that the user is locked out and they have to reset the password (user is locked until they reset the password). I am trying to achieve the same functionality in KeyCloak. Is it possible?

And as of now the failed login attempts count is in our database and I want to make Brute Force Detection be based on the failed login attempts from my database and update the failed login attempts to my DB, basically combining Brute Force Detection and a custom UserStorageProvider to achieve both functionalities?

Thanks,
Deepu

From java at neposoft.com Fri Jan 13 19:58:25 2017
From: java at neposoft.com (java_os)
Date: Fri, 13 Jan 2017 19:58:25 -0500
Subject: [keycloak-user] keycloak.js - token refresh- Bad request 400 - cors
In-Reply-To:
References: <41eb49c149d01bfe3b5b3b89f4e85052.squirrel@neposoft.com>
Message-ID:

Yes, set origins to *. Also the app works well: ng-kc broker-idp-redirects back to my app.
As said, no issues on the regular workflow of the app. Even logout works fine. It's only when the token expires that I am getting this error. More clues? What do you mean by proper setup of web origins? What's proper? Thought if set to * it would do it.
thx

> Did you setup proper web origins and redirect URIs for your app?
>
> On 12 January 2017 at 17:18, java_os wrote:
>
>> Hi group
>> Am using ng with keycloak.js (2.5.0.Final).
>> When the token expires keycloak.js is intercepting token expired and does a renew call when it fails (see client side stack below).
>> Anyone has any clue around this behavior?
>> My app is running on 9443 and KC on 8543 over https - all working fine up to the point when the refresh token kicks in.
>> Behind the scenes is the cors stuff.
>> Thanks
>>
>>     keycloak.js:451 POST https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token 400 (Bad Request)
>>     exec @ keycloak.js:451
>>     (anonymous) @ keycloak.js:459
>>     setSuccess @ keycloak.js:773
>>     messageCallback @ keycloak.js:854
>>     :9443/EDIT/#/EDIT/home:1 XMLHttpRequest cannot load https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://EDIT:9443' is therefore not allowed access. The response had HTTP status code 400.

From avinash at avinash.com.np Sun Jan 15 00:27:16 2017
From: avinash at avinash.com.np (Avinash Kundaliya)
Date: Sun, 15 Jan 2017 11:12:16 +0545
Subject: [keycloak-user] using in production
Message-ID: <55a4b9e8-d46e-c37e-d127-d323daa1f480@avinash.com.np>

Hello,

After a lot of going to and fro, we are about to come to a conclusion on whether we want to use keycloak in production. We are a little worried about updating keycloak and how one receives/keeps track of security updates.
Because of the nature of keycloak, security is paramount. It would be helpful if the community can help as to how they update keycloak and keep track of security updates.

Regards,
Avinash

From haimv at perfectomobile.com Sun Jan 15 04:17:03 2017
From: haimv at perfectomobile.com (Haim Vana)
Date: Sun, 15 Jan 2017 09:17:03 +0000
Subject: [keycloak-user] Red Hat SSO supported version
Message-ID:

Hi,

Currently we are using keycloak 1.9.3, could we get support for that version? Or will we have to upgrade? If so, to which version?

Thanks,
Haim.

From sblanc at redhat.com Sun Jan 15 05:10:07 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sun, 15 Jan 2017 11:10:07 +0100
Subject: [keycloak-user] Red Hat SSO supported version
In-Reply-To:
References:
Message-ID:

Hi,
RH-SSO 7.0 is based on KC 1.9.8, so yes, you will have to upgrade.
Seb

On Sun, Jan 15, 2017 at 10:17 AM, Haim Vana wrote:

> Hi,
>
> Currently we are using keycloak 1.9.3, could we get support for that version? Or will we have to upgrade? If so, to which version?
>
> Thanks,
> Haim.
From haimv at perfectomobile.com Sun Jan 15 05:20:24 2017
From: haimv at perfectomobile.com (Haim Vana)
Date: Sun, 15 Jan 2017 10:20:24 +0000
Subject: [keycloak-user] Red Hat SSO supported version
Message-ID:

Can you please advise what is the difference between RH-SSO 7.0 and KC 1.9.8?

The support will be valid for both? Or only for the RH-SSO?

Haim.

-------- Original message --------
From: Sebastien Blanc
Date: 1/15/17 12:10 (GMT+02:00)
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Red Hat SSO supported version

Hi,
RH-SSO 7.0 is based on KC 1.9.8, so yes, you will have to upgrade.
Seb
From sblanc at redhat.com Sun Jan 15 05:27:45 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sun, 15 Jan 2017 11:27:45 +0100
Subject: [keycloak-user] Red Hat SSO supported version
In-Reply-To:
References:
Message-ID:

Featurewise there is no difference, the codebase of RHSSO 7.0 is the one from kc 1.9.8.
RHSSO is the productized version and is the one needed to have support.

On Sun, Jan 15, 2017 at 11:20 AM, Haim Vana wrote:

> Can you please advise what is the difference between RH-SSO 7.0 and KC 1.9.8?
>
> The support will be valid for both? Or only for the RH-SSO?
>
> Haim.
From haimv at perfectomobile.com Sun Jan 15 06:37:19 2017
From: haimv at perfectomobile.com (Haim Vana)
Date: Sun, 15 Jan 2017 11:37:19 +0000
Subject: [keycloak-user] Red Hat SSO supported version
In-Reply-To:
References:
Message-ID:

Great, thanks.

Haim.

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: Sunday, January 15, 2017 12:28 PM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Red Hat SSO supported version

Featurewise there is no difference, the codebase of RHSSO 7.0 is the one from kc 1.9.8.
RHSSO is the productized version and is the one needed to have support.
On Sun, Jan 15, 2017 at 11:20 AM, Haim Vana wrote:

> Can you please advise what is the difference between RH-SSO 7.0 and KC 1.9.8?
>
> The support will be valid for both? Or only for the RH-SSO?
>
> Haim.
From dekela at perfectomobile.com Sun Jan 15 07:42:50 2017
From: dekela at perfectomobile.com (Dekel Aslan)
Date: Sun, 15 Jan 2017 12:42:50 +0000
Subject: [keycloak-user] forgot password from rest api?
Message-ID:

Hi,

I'm trying to find how to update the forgot password flag through the api (http://www.keycloak.org/docs/rest-api/), but I can't find it. Isn't the RealmRepresentation object supposed to have it?

Thanks,
Dekel.

From dr.vahid.dehghan at gmail.com Mon Jan 16 01:37:12 2017
From: dr.vahid.dehghan at gmail.com (TheAzariturk .)
Date: Mon, 16 Jan 2017 10:07:12 +0330
Subject: [keycloak-user] about resource not found
Message-ID:

From dr.vahid.dehghan at gmail.com Mon Jan 16 01:42:07 2017
From: dr.vahid.dehghan at gmail.com (TheAzariturk .)
Date: Mon, 16 Jan 2017 10:12:07 +0330
Subject: [keycloak-user] about resource not found
Message-ID:

Hi, I used LDAP for the connection to Active Directory, and the result was successful, but after 3 days of working, when I clicked on a user identity or the User Federation link, this message was thrown: "We could not find the resource you are looking for. Please make sure the URL you entered is correct."

Before, I got this error in the 2.4.0 Final version; I googled the problem and understood that I must upgrade to version 2.5.0. Unfortunately, at this version I currently get this error. Please help.

From sthorger at redhat.com Mon Jan 16 03:17:15 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 16 Jan 2017 09:17:15 +0100
Subject: [keycloak-user] Red Hat SSO supported version
In-Reply-To:
References:
Message-ID:

There are some features that are not supported in RH-SSO. For example Mongo and a few adapters (Tomcat, Jetty).

On 15 January 2017 at 12:37, Haim Vana wrote:

> Great, thanks.
>
> Haim.
From sthorger at redhat.com Mon Jan 16 03:18:40 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 16 Jan 2017 09:18:40 +0100
Subject: [keycloak-user] Detect user impersonation
In-Reply-To:
References:
Message-ID:

There is a server event created when the admin impersonates the user. This does indeed have a session key (no magic though), which all other events for the session have (app login to same session, logout, etc.).

On 13 January 2017 at 16:30, David Delbecq wrote:

> Well, the server event is quite limited. There is no way to distinguish the operations done by the admin from the operations done by the user, if both are using the application at the same time. Unless the Keycloak principal contains some magic session key I can match later with the event audit.
>
> What's the procedure to create a feature request? Just file a bug?
>> >> Feel free to create a feature request for this. >> >> On 10 January 2017 at 13:09, David Delbecq >> wrote: >> >> Hello, >> >> for audit reasons, our application needs to be able to make the difference >> between "userA" and "userA impersonated by admin xyz". Is there some way >> from the client point of view to make a difference between a logged in >> user >> and an admin impersonating that user? Is it possible to add some property >> in KeycloakPrincipal to detect it? And possibly get the name of the >> admin >> doing it? >> >> -- >> >> >> >> David Delbecq >> Software engineer, Transport & Logistics >> Geldenaaksebaan 329, 1st floor | 3001 Leuven >> >> +32 16 391 121 Direct >> david.delbecq at trimbletl.com >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> -- > > David Delbecq > Software engineer, Transport & Logistics > Geldenaaksebaan 329, 1st floor | 3001 Leuven > +32 16 391 121 Direct > david.delbecq at trimbletl.com > > > From adam.michalski at aol.com Mon Jan 16 04:08:54 2017 From: adam.michalski at aol.com (adam.michalski at aol.com) Date: Mon, 16 Jan 2017 04:08:54 -0500 Subject: [keycloak-user] User groups empty attributes from GET /admin/realms/{realm}/users/{id}/groups (no api description) Message-ID: <159a68951d7-1cee-109d8@webprd-m66.mail.aol.com> The API docs for GET /admin/realms/{realm}/users/{id}/groups say it returns a list (array) of GroupRepresentation with empty attributes. For other REST calls returning this list there is a description, "only name and ids are returned", but not for this one. How can I get the list of groups with attributes in a single request? From bruno at abstractj.org Mon Jan 16 04:29:51 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 16 Jan 2017 07:29:51 -0200 Subject: [keycloak-user] Is Brute Force Detection Extensible or can be Customized?
In-Reply-To: References: Message-ID: <20170116092951.GA23989@abstractj.org> On 2017-01-13, Deepu Laghuvaram wrote: > Our current functionality is that if the user provides wrong password for 5 > times or more then we want to display on the login page itself that the > user is locked out and they have to reset the password (User is Locked > until they reset password) I am trying to achieve the same functionality in > KeyCloak. Is it possible? I don't think it's possible today. By doing that you would be creating a loophole for login. If you display that the user is locked out, attackers could verify that such a user exists. See User enumeration details[1]. > > And as of now the failed login attempts count is in our Database and I want > to make Brute Force Detection to be based on the failed login attempts from > my database and update the failed login attempts to my DB, basically > combining Brute Force Detection and Custom UserStorageProvider to achieve > both the functionalities? I never tried that and I'm not sure if it's possible. But storing failed attempts in the database, depending on the volume of your requests, can be a bit slow. [1] - https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002) > > > Thanks, > Deepu > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From fabian.eriksson at gi-de.com Mon Jan 16 11:28:53 2017 From: fabian.eriksson at gi-de.com (Eriksson Fabian) Date: Mon, 16 Jan 2017 16:28:53 +0000 Subject: [keycloak-user] Testing/Integration testing Message-ID: <9af23e7a94a940a4b34617d6cf59430e@muc1exmbxp1p.accounts.intern> Hello! I am currently implementing the feature described below. The feature is not really relevant for this question but I thought I could include it.
I was wondering, before I make a PR, should I include integration tests even for the UI (the console module, which from what I can tell is not run with Travis)? And is there a way of testing a single Arquillian integration test in an IDE (for the console module)? I don't know if this is the right forum to ask these questions but I thought I'd give it a try. Thanks in advance Fabian Eriksson -----Original Message----- From: Bruno Oliveira [mailto:bruno at abstractj.org] Sent: den 11 januari 2017 19:18 To: Eriksson Fabian Cc: stian at redhat.com; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Brute force detector extension I believe the best is to create a Jira as a feature request. Later you can attach your PR to that. On 2017-01-11, Eriksson Fabian wrote: > Do you want me to create a new feature request through the dev mailing list or could I immediately create a Jira ticket? > > Best regards > Fabian Eriksson > > From: Stian Thorgersen [mailto:sthorger at redhat.com] > Sent: den 2 januari 2017 09:15 > To: Eriksson Fabian > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Brute force detector extension > > You can implement a custom provider for the brute force protection that would do what you want. It wouldn't be configurable through the admin console though. > > I don't see why we couldn't add it as an option to the built-in provider though so if you are happy to send a PR for it including tests we could accept it into 3.x. > > On 21 December 2016 at 11:24, Eriksson Fabian > wrote: > Hi all! > > We would like to have the ability to configure the brute force detector so it can disable a user account after X failed attempts completely and not only lock him/her out for a period of time (setting the lockout-time to a few years is not enough). In the end we would like the admins of KeyCloak to be able to set a timed lockout-period or set a permanent one for different realms.
I guess this would also require the detector to reset the failed-login-attempts count on a successful login. > > Does this sound interesting and could this then be something that we could contribute with to KeyCloak? > > Or is there a way to substitute the already existing brute force detector? > > Thanks in advance! > Fabian Eriksson > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From deepu.laghuvaram at gmail.com Mon Jan 16 13:46:50 2017 From: deepu.laghuvaram at gmail.com (Deepu Laghuvaram) Date: Mon, 16 Jan 2017 13:46:50 -0500 Subject: [keycloak-user] Forgot Password Error with Our own UserStorageProvider In-Reply-To: References: Message-ID: What I observed is that if a user is registered with KeyCloak then I am not getting any issue in Forgot Password, but if the user is an existing one in my database and not registered through KeyCloak, then I am getting this issue. It would be of great help if you can help me with this. On Thu, Jan 12, 2017 at 4:46 PM, Deepu Laghuvaram < deepu.laghuvaram at gmail.com> wrote: > I am using my own DB2UserStorageProvider and my Login and Registration are > working as expected but forgot password is not working as expected (When I > remove User Federation then Forgot Password is working as expected).
> > I am having the flow for Reset Credential as > Choose User REQUIRED > Send Reset Email REQUIRED > Reset Password REQUIRED > > I used an existing user in my DB2 database, with which I am able to login > and when I try that user to reset password, I am not receiving any email > and below are the logs > > 14:40:31,755 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-14) action: reset-credentials-choose-user > 14:40:32,908 INFO [DB2UserStorageProvider] (default task-14) Inside > getUserByUsername: testmail at gmail.com > 14:40:32,914 INFO [DB2UserStorageProvider] (default task-14) Entity.ID = > 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 > 14:40:32,914 INFO [DB2UserStorageProvider] (default task-14) > Entity.setUsername = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 > 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-14) authenticator SUCCESS: reset-credentials-choose-user > 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-14) processFlow > 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-14) check execution: reset-credential-email requirement: > REQUIRED > 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-14) authenticator: reset-credential-email > 14:40:32,949 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] > (default task-14) JtaTransactionWrapper commit > 14:40:32,957 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-13) AUTHENTICATE > 14:40:32,957 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-13) AUTHENTICATE ONLY > 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) getUserById: > f:c3f5f5ce-6954-4e2f-82e7-1055df749be9:9bcff1bd-2ac9- > 4e63-b113-7061bd3f0278 > 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) > entity.getID: 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 > 14:40:33,008 INFO 
[DB2UserStorageProvider] (default task-13) Entity.ID = > 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 > 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) > Entity.setUsername = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) processFlow > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) check execution: reset-credentials-choose-user > requirement: REQUIRED > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) execution is processed > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) check execution: reset-credential-email requirement: > REQUIRED > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) authenticator: reset-credential-email > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) invoke authenticator.authenticate > *14:40:33,030 WARN [org.keycloak.events] (default task-13) > type=RESET_PASSWORD_ERROR, realmId=TestRealm, clientId=TestClient, > userId=f:c3f5f5ce-6954-4e2f-82e7-1055df749be9:9bcff1bd-2ac9-4e63-b113-7061bd3f0278, > ipAddress=127.0.0.1, error=invalid_email, auth_method=openid-connect, > auth_type=code, redirect_uri=http://localhost:8090/account/account.jsp > , > code_id=857a3ff7-837f-4e8d-8b4d-dabd8b38a89e, username=testmail at gmail.com > * > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) reset browser login from authenticator: > reset-credential-email > 14:40:33,030 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-13) AUTHENTICATE > 14:40:33,030 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-13) AUTHENTICATE ONLY > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) processFlow > 14:40:33,030 
DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) check execution: auth-cookie requirement: ALTERNATIVE > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) authenticator: auth-cookie > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) invoke authenticator.authenticate > 14:40:33,030 DEBUG [org.keycloak.services.managers.AuthenticationManager] > (default task-13) Could not find cookie: KEYCLOAK_IDENTITY > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) authenticator ATTEMPTED: auth-cookie > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) check execution: auth-spnego requirement: DISABLED > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) execution is processed > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) check execution: identity-provider-redirector > requirement: ALTERNATIVE > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) authenticator: identity-provider-redirector > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) invoke authenticator.authenticate > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) authenticator ATTEMPTED: identity-provider-redirector > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) check execution: null requirement: ALTERNATIVE > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) execution is flow > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) processFlow > 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) check 
execution: auth-username-password-form requirement: > REQUIRED > 14:40:33,031 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) authenticator: auth-username-password-form > 14:40:33,031 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-13) invoke authenticator.authenticate > > > It looks like the user is not in context, I am not sure why the user is > not in context as both getUserByUsername and getUserById are successful and > even it says "authenticator SUCCESS: reset-credentials-choose-user". > Could you please help me with this issue, I am using Keycloak 2.3.0 Final. > > Thanks, > Deepu > > > From mr.jari.kuusisto at gmail.com Mon Jan 16 14:23:27 2017 From: mr.jari.kuusisto at gmail.com (Jari Kuusisto) Date: Mon, 16 Jan 2017 21:23:27 +0200 Subject: [keycloak-user] Keycloak OIDC Id Token In-Reply-To: References: Message-ID: Hello there. I have a web application (war) deployed on Wildfly and it is protected by Keycloak. I am using the Java/Wildfly adapter (not "keycloak.js"), and there is a KC client that uses Standard flow (OIDC): it is configured to use Access Type "public". The setup works just fine. But is it possible to retrieve and access the Id Token (JWT) from the client-side, i.e. the end-user browser in this case? Or is it available on the server-side as an http-only cookie value? I planned to keep the JWT token short-lived and use it for secondary login on another website based on the claims in it, for example " 'login': 'allowed' " for "john.smith at example.com". I also have configured protocol mappers for the client so that certain roles should be included, i.e. mapped, in the Id Token, but I can not see them there. Any ideas what could be wrong? KC version is 2.2.1.Final and WF version is 10. Thanks!
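The following is an added example, not code from this thread or from the Keycloak project, illustrating the situation Jari describes: the ID token the Wildfly adapter already holds can be read server-side from the KeycloakSecurityContext request attribute, mapped claims and roles are visible there, and a second site that receives such a token from the browser must verify it before acting on its claims. The servlet name IdTokenServlet, the verifyIdToken helper and its parameters are this example's own; the Keycloak classes used (KeycloakSecurityContext, IDToken, AccessToken, RSATokenVerifier and its five-argument verifyToken overload) are assumed to be those shipped with the 2.x adapter jars.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.RSATokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;

/**
 * Illustrative servlet inside a WAR secured by the Keycloak Wildfly adapter.
 * The class name and the helper below are assumptions made for this example.
 */
public class IdTokenServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // After the adapter has completed the OIDC code flow it stores the
        // security context (parsed tokens plus raw strings) on the request.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        IDToken idToken = ctx.getIdToken();        // parsed ID token
        AccessToken accessToken = ctx.getToken();  // parsed access token

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("subject:  " + idToken.getSubject());
        out.println("username: " + idToken.getPreferredUsername());
        // Claims produced by protocol mappers land in "other claims". A mapper
        // only contributes to the ID token if "Add to ID token" is enabled on it.
        for (Map.Entry<String, Object> e : idToken.getOtherClaims().entrySet()) {
            out.println("claim " + e.getKey() + " = " + e.getValue());
        }
        // Realm roles live in the access token's realm_access claim unless a
        // mapper copies them into the ID token.
        out.println("realm roles: " + realmRoles(accessToken));
        // The compact JWT, should the page need to hand it to browser code.
        out.println("id_token: " + ctx.getIdTokenString());
    }

    static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access realm = token.getRealmAccess();
        return realm == null ? Collections.<String>emptySet() : realm.getRoles();
    }

    /**
     * What the *second* website must do before trusting claims such as
     * "login": "allowed" in an ID token it received from the browser:
     * verify the signature with the realm public key, check issuer and
     * expiry, and check that the token was issued for the expected client.
     * checkTokenType is false because ID tokens carry typ "ID", not "Bearer".
     */
    static IDToken verifyIdToken(String idTokenString, PublicKey realmKey,
                                 String realmUrl, String expectedClientId)
            throws VerificationException {
        AccessToken t = RSATokenVerifier.verifyToken(
                idTokenString, realmKey, realmUrl, true, false);
        if (!audienceContains(t.getAudience(), expectedClientId)) {
            throw new VerificationException("aud does not include " + expectedClientId);
        }
        return t;
    }

    // getAudience() is a single String in older releases and String[] in
    // newer ones; accept both so the check compiles against either.
    static boolean audienceContains(Object aud, String clientId) {
        if (aud instanceof String[]) {
            return Arrays.asList((String[]) aud).contains(clientId);
        }
        return clientId.equals(aud);
    }
}
```

Exposing the raw token to the browser (the "expose-token" adapter option) is only safe if every consumer runs something like verifyIdToken: the claims are signed by the realm, but a token minted for one client is not an authorization for another, which is why the audience check is part of the example.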
From mposolda at redhat.com Mon Jan 16 15:10:25 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 16 Jan 2017 21:10:25 +0100 Subject: [keycloak-user] Keycloak OIDC Id Token In-Reply-To: References: Message-ID: <1c1508df-656b-bd17-4613-18e59ed580cf@redhat.com> On 16/01/17 20:23, Jari Kuusisto wrote: > Hello there. I have a web application (war) deployed on Wildfly and it is > protected by Keycloak. I am using the Java/Wildfly adapter (not "keycloak.js"), > and there is a KC client that uses Standard flow (OIDC): it is configured > to use Access Type "public". The setup works just fine. But is it possible > to retrieve and access the Id Token (JWT) from the client-side, i.e. > the end-user browser in this case? Or is it available on the server-side as an > http-only cookie value? I planned to keep the JWT token short-lived and > use it for secondary login on another website based on the claims in it, > for example " 'login': 'allowed' " for "john.smith at example.com". There is an adapter option "expose-token", which allows you to see the token on the browser side. See the docs for more details - https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html > > I also have configured protocol mappers for the client so that certain > roles should be included, i.e. mapped, in the Id Token, but I can not see > them there. Any ideas what could be wrong? KC version is 2.2.1.Final and WF > version is 10. Thanks! Depends how exactly you configured your protocol mappers and which mappers you used. Also, does your client have the required scopes for roles of other clients? You can also try to upgrade to the latest release and see if that helps.
Marek > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Jan 16 15:13:29 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 16 Jan 2017 21:13:29 +0100 Subject: [keycloak-user] Testing/Integration testing In-Reply-To: <9af23e7a94a940a4b34617d6cf59430e@muc1exmbxp1p.accounts.intern> References: <9af23e7a94a940a4b34617d6cf59430e@muc1exmbxp1p.accounts.intern> Message-ID: <2c261626-a63a-1a3a-48a9-e7f4d4fb9075@redhat.com> You can take a look at the module "testsuite/integration-arquillian" and the tests inside there. You're right that admin console tests are not executed by Travis by default, but we have lots of tests for invoking admin REST endpoints (which is de facto what the admin console invokes under the covers). You can take a look at some existing tests, for example BruteForceTest. Marek On 16/01/17 17:28, Eriksson Fabian wrote: > Hello! > > I am currently implementing the feature described below. The feature is not really relevant for this question but I thought I could include it. > > I was wondering, before I make a PR, should I include integration tests even for the UI (the console module, which from what I can tell is not run with Travis)? And is there a way of testing a single Arquillian integration test in an IDE (for the console module)? > > I don't know if this is the right forum to ask these questions but I thought I'd give it a try. > > Thanks in advance > Fabian Eriksson > > -----Original Message----- > From: Bruno Oliveira [mailto:bruno at abstractj.org] > Sent: den 11 januari 2017 19:18 > To: Eriksson Fabian > Cc: stian at redhat.com; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Brute force detector extension > > I believe the best is to create a Jira as a feature request. Later you can attach your PR to that.
> > On 2017-01-11, Eriksson Fabian wrote: >> Do you want me to create a new feature request through the dev mailing list or could I immediately create a Jira-ticket? >> >> Best regards >> Fabian Eriksson >> >> From: Stian Thorgersen [mailto:sthorger at redhat.com] >> Sent: den 2 januari 2017 09:15 >> To: Eriksson Fabian >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: [keycloak-user] Brute force detector extension >> >> You can implement a custom provider for the brute force protection that would do what you want. It wouldn't be configurable through the admin console though. >> >> I don't see why we couldn't add it as an option to the built-in provider though so if you are happy to send a PR for it including tests we could accept it into 3.x. >> >> On 21 December 2016 at 11:24, Eriksson Fabian > wrote: >> Hi all! >> >> We would like to have ability to configure the brute force detector so it can disable a user account after X failed attempts completely and not only lock him/her out for a period of time (setting the lockout-time to a few years is not enough). In the end we would like the admins of KeyCloak to be able to set a timed lockout-period or set a permanent one for different realms. I guess this would also require the detector to reset the failed-login-attempts count on a successful login. >> >> Does this sound interesting and could this then be something that we could contribute with to KeyCloak? >> >> Or is there a way to substitute the already existing brute force detector? >> >> Thanks in advance! 
>> Fabian Eriksson >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > -- > > abstractj > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Jan 16 15:18:27 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 16 Jan 2017 21:18:27 +0100 Subject: [keycloak-user] User groups empty attributes from GET /admin/realms/{realm}/users/{id}/groups (no api description) In-Reply-To: <159a68951d7-1cee-109d8@webprd-m66.mail.aol.com> References: <159a68951d7-1cee-109d8@webprd-m66.mail.aol.com> Message-ID: AFAIK this may not be possible. I think you would need separate requests to download groups with their attributes. You can take a look at the admin REST endpoints invoked by the admin console (use some browser plugin to see which REST requests are invoked by it). Alternatively, if you really want a single REST request to download all of a user's groups including attributes, you can try to implement your own REST endpoint. See our docs and examples (under "providers") for how to implement your own REST endpoint where you can return anything you want. Marek On 16/01/17 10:08, adam.michalski at aol.com wrote: > The API docs for: > GET /admin/realms/{realm}/users/{id}/groups > > > say it returns a list (array) of GroupRepresentation with empty attributes. > > For other REST calls returning this list there is a description, "only name and ids are returned", but not for this one. > > How can I get the list of groups with attributes in a single request?
> > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Jan 16 15:20:03 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 16 Jan 2017 21:20:03 +0100 Subject: [keycloak-user] about resource not found In-Reply-To: References: Message-ID: <556b035d-adb8-1f10-6a88-8262d33cd8e2@redhat.com> Does it always happen after 3 days of the server running? Couldn't it be a network problem (slow/unavailable connection to the LDAP server)? Marek On 16/01/17 07:42, TheAzariturk . wrote: > hi > I used LDAP for the connection to Active Directory, and the result was > successful, but after 3 days of working, when I clicked on the user identity or > User Federation link, this message was thrown: " > > We could not find the resource you are looking for. Please make sure the > URL you entered is correct. > " > Before, I got this error in the 2.4.0 Final version; I googled the problem and > understood that I must upgrade to version 2.5.0. Unfortunately, on this > version I currently get this error too. > > > please help > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Jan 16 15:25:47 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 16 Jan 2017 21:25:47 +0100 Subject: [keycloak-user] forgot password from rest api? In-Reply-To: References: Message-ID: <5ae8a13d-7997-98e3-219f-db520bfc895c@redhat.com> On 15/01/17 13:42, Dekel Aslan wrote: > Hi, > I'm trying to find how to update the forgot password flag through the API (http://www.keycloak.org/docs/rest-api/ ), but I can't find it. > Isn't the RealmRepresentation object supposed to have it? Yes, it is the "resetPasswordAllowed" flag, though.
The best is to see what the admin console invokes, as it is just using the admin REST API under the hood (use some browser plugin to see which HTTP requests it makes). Marek > > Thanks, > Dekel. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From deepu.laghuvaram at gmail.com Mon Jan 16 21:15:48 2017 From: deepu.laghuvaram at gmail.com (Deepu Laghuvaram) Date: Mon, 16 Jan 2017 21:15:48 -0500 Subject: [keycloak-user] Forgot Password Error with Our own UserStorageProvider In-Reply-To: References: Message-ID: I couldn't figure out the issue, but when I moved from 2.3.0 Final to 2.5.0 Final the issue is not replicable and it looks like it's fixed. On Mon, Jan 16, 2017 at 1:46 PM, Deepu Laghuvaram < deepu.laghuvaram at gmail.com> wrote: > What I observed is that if a user is registered with KeyCloak then I am > not getting any issue in Forgot Password, but if the user is an existing > one in my database and not registered through KeyCloak, then I am getting this > issue. It would be of great help if you can help me with this.
> > On Thu, Jan 12, 2017 at 4:46 PM, Deepu Laghuvaram < > deepu.laghuvaram at gmail.com> wrote: > >> I am using my own DB2UserStorageProvider and my Login and Registration >> are working as expected but forgot password is not working as expected >> (When I remove User Federation then Forgot Password is working as >> expected). >> >> I am having the flow for Reset Credential as >> Choose User REQUIRED >> Send Reset Email REQUIRED >> Reset Password REQUIRED >> >> I used an existing user in my DB2 database, with which I am able to login >> and when I try that user to reset password, I am not receiving any email >> and below are the logs >> >> 14:40:31,755 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-14) action: reset-credentials-choose-user >> 14:40:32,908 INFO [DB2UserStorageProvider] (default task-14) Inside >> getUserByUsername: testmail at gmail.com >> 14:40:32,914 INFO [DB2UserStorageProvider] (default task-14) Entity.ID = >> 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 >> 14:40:32,914 INFO [DB2UserStorageProvider] (default task-14) >> Entity.setUsername = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 >> 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-14) authenticator SUCCESS: reset-credentials-choose-user >> 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-14) processFlow >> 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-14) check execution: reset-credential-email requirement: >> REQUIRED >> 14:40:32,942 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-14) authenticator: reset-credential-email >> 14:40:32,949 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] >> (default task-14) JtaTransactionWrapper commit >> 14:40:32,957 DEBUG [org.keycloak.authentication.AuthenticationProcessor] >> (default task-13) AUTHENTICATE >> 14:40:32,957 DEBUG 
[org.keycloak.authentication.AuthenticationProcessor] >> (default task-13) AUTHENTICATE ONLY >> 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) >> getUserById: f:c3f5f5ce-6954-4e2f-82e7-1055df749be9:9bcff1bd-2ac9-4e63- >> b113-7061bd3f0278 >> 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) >> entity.getID: 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 >> 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) Entity.ID = >> 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 >> 14:40:33,008 INFO [DB2UserStorageProvider] (default task-13) >> Entity.setUsername = 9bcff1bd-2ac9-4e63-b113-7061bd3f0278 >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) processFlow >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) check execution: reset-credentials-choose-user >> requirement: REQUIRED >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) execution is processed >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) check execution: reset-credential-email requirement: >> REQUIRED >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) authenticator: reset-credential-email >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) invoke authenticator.authenticate >> *14:40:33,030 WARN [org.keycloak.events] (default task-13) >> type=RESET_PASSWORD_ERROR, realmId=TestRealm, clientId=TestClient, >> userId=f:c3f5f5ce-6954-4e2f-82e7-1055df749be9:9bcff1bd-2ac9-4e63-b113-7061bd3f0278, >> ipAddress=127.0.0.1, error=invalid_email, auth_method=openid-connect, >> auth_type=code, redirect_uri=http://localhost:8090/account/account.jsp >> , >> code_id=857a3ff7-837f-4e8d-8b4d-dabd8b38a89e, username=testmail at gmail.com >> * >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default 
task-13) reset browser login from authenticator: >> reset-credential-email >> 14:40:33,030 DEBUG [org.keycloak.authentication.AuthenticationProcessor] >> (default task-13) AUTHENTICATE >> 14:40:33,030 DEBUG [org.keycloak.authentication.AuthenticationProcessor] >> (default task-13) AUTHENTICATE ONLY >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) processFlow >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) check execution: auth-cookie requirement: ALTERNATIVE >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) authenticator: auth-cookie >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) invoke authenticator.authenticate >> 14:40:33,030 DEBUG [org.keycloak.services.managers.AuthenticationManager] >> (default task-13) Could not find cookie: KEYCLOAK_IDENTITY >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) authenticator ATTEMPTED: auth-cookie >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) check execution: auth-spnego requirement: DISABLED >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) execution is processed >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) check execution: identity-provider-redirector >> requirement: ALTERNATIVE >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) authenticator: identity-provider-redirector >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) invoke authenticator.authenticate >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) authenticator ATTEMPTED: identity-provider-redirector >> 14:40:33,030 DEBUG 
[org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) check execution: null requirement: ALTERNATIVE >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) execution is flow >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) processFlow >> 14:40:33,030 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) check execution: auth-username-password-form requirement: >> REQUIRED >> 14:40:33,031 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) authenticator: auth-username-password-form >> 14:40:33,031 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] >> (default task-13) invoke authenticator.authenticate >> >> >> It looks like the user is not in context, I am not sure why the user is >> not in context as both getUserByUsername and getUserById are successful and >> even it says "authenticator SUCCESS: reset-credentials-choose-user". >> Could you please help me with this issue, I am using Keycloak 2.3.0 Final. >> >> Thanks, >> Deepu >> >> >> > From deepu.laghuvaram at gmail.com Mon Jan 16 21:26:55 2017 From: deepu.laghuvaram at gmail.com (Deepu Laghuvaram) Date: Mon, 16 Jan 2017 21:26:55 -0500 Subject: [keycloak-user] Is Brute Force Detection Extensible or can be Customized? In-Reply-To: <20170116092951.GA23989@abstractj.org> References: <20170116092951.GA23989@abstractj.org> Message-ID: I do agree with you on both points, but in our current functionality we display it as such for a locked user, and I think we do show that the user exists in registration as well. And we want to continue using it. It would be appreciated if any solution is available. And coming to storing failed login attempts in the database, it's solving two issues: one is that we would be following the current approach itself (where we store them in the database), and second is that the failed login attempts would not be lost on server restarts.
As per this, "You can also increase the number of owners for the cache which will mean that login failures will survive a single node restart." But I don't know how to increase the number of owners for the cache, and as per me I thought persisting the attempts would be the better solution.

Thanks,
Raghu

On Mon, Jan 16, 2017 at 4:29 AM, Bruno Oliveira wrote:
> On 2017-01-13, Deepu Laghuvaram wrote:
> > Our current functionality is that if the user provides a wrong password 5 times or more then we want to display on the login page itself that the user is locked out and they have to reset the password (User is Locked until they reset password). I am trying to achieve the same functionality in KeyCloak. Is it possible?
>
> I don't think it's possible today. By doing that you would be creating a loophole for login. If you display that the user is locked out, attackers could verify that such a user exists. See User enumeration details[1].
>
> > And as of now the failed login attempts count is in our Database and I want to make Brute Force Detection be based on the failed login attempts from my database and update the failed login attempts to my DB, basically combining Brute Force Detection and Custom UserStorageProvider to achieve both the functionalities?
>
> I never tried that and am not sure if it's possible. But storing failed attempts in the database, depending on the volume of your requests, can be a bit slow.
>
> [1] - https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
>
> > Thanks,
> > Deepu
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> abstractj

From liam.maruff at gmail.com Mon Jan 16 21:59:18 2017
From: liam.maruff at gmail.com (Liam Maruff)
Date: Tue, 17 Jan 2017 12:59:18 +1000
Subject: [keycloak-user] Synchronising TOTP with LDAP
Message-ID:

My organisation is transitioning from a legacy authentication mechanism to OpenID Connect using Keycloak. The current system stores TOTP data in an LDAP store under a field named ssoTotpValue. Is it possible for us to allow users to continue using their existing TOTP configuration by mapping the ssoTotpValue from the existing LDAP store into Keycloak? If not, what other mechanisms are available for us to accomplish this goal?

Regards,
Liam M

From sthorger at redhat.com Tue Jan 17 04:23:47 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 17 Jan 2017 10:23:47 +0100
Subject: [keycloak-user] using in production
In-Reply-To: <55a4b9e8-d46e-c37e-d127-d323daa1f480@avinash.com.np>
References: <55a4b9e8-d46e-c37e-d127-d323daa1f480@avinash.com.np>
Message-ID:

I would recommend getting the supported version instead. See https://access.redhat.com/products/red-hat-single-sign-on for more details.

On 15 January 2017 at 06:27, Avinash Kundaliya wrote:
> Hello,
>
> After a lot of going to and fro, we are about to make a conclusion on whether we want to use keycloak in production. We are a little worried about updating keycloak and how one receives/keeps track of security updates. Because of the nature of keycloak, security is paramount. It would be helpful if the community can advise how they update keycloak and keep track of security updates.
>
> Regards,
> Avinash
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From christian.froehlich at agfa.com Tue Jan 17 05:37:17 2017
From: christian.froehlich at agfa.com (Christian Froehlich)
Date: Tue, 17 Jan 2017 11:37:17 +0100
Subject: [keycloak-user] example: authenticator-required-action-example
Message-ID:

Hi,

I read the documentation of the Authentication SPI and I tried to get the example running like it is described in the README.md file, but I got the following error when I deploy it to my local keycloak server:
-----------------------------------
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy (default-cli) on project authenticator-required-action-example: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
[ERROR] Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionRequiredActionFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/RequiredActionFactory"}}}}
-----------------------------------

What I did:
Download and unzip the current version of keycloak 2.5.0.Final and start the server
checkout the master branch of the keycloak repo, navigate to the corresponding sub directory of the example
execute mvn clean install wildfly:deploy like it is described in the README.md of the artifact

I also tried to get it running with the git revision that is tagged with "2.5.0.Final", but with the same error.

Do I miss something? Any help is welcome!

Kind Regards and thanks in advance
Christian

From sthorger at redhat.com Tue Jan 17 06:08:25 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 17 Jan 2017 12:08:25 +0100
Subject: [keycloak-user] keycloak.js - token refresh- Bad request 400 - cors
In-Reply-To:
References: <41eb49c149d01bfe3b5b3b89f4e85052.squirrel@neposoft.com>
Message-ID:

Strange - it's the same endpoint that is called for code->token and token refresh, so I can't see why one would work and not the other.

On 14 January 2017 at 01:58, java_os wrote:
> Yes, set origins to *. Also the app works well: ng-kc broker-idp redirects back to my app. As said, no issues on the regular workflow of the app; even logout works fine. It's only when the token expires that I am getting this error.
> More clues?
> What do you mean by proper setup of web origin? What's proper? Thought if set to * it would do it.
> thx
>
> Did you setup proper web origins and redirect URIs for your app?
> >
> > On 12 January 2017 at 17:18, java_os wrote:
> >
> >> Hi group
> >> Am using ng with keycloak.js (2.5.0.Final).
> >> When the token expires keycloak.js intercepts token expired and does a renew call, which fails (see client side stack below).
> >> Anyone has any clue around this behavior?
> >> My app is running on 9443 and KC on 8543 over https - all working fine up to the point when refresh token kicks in.
> >> Behind the scenes is the cors stuff.
> >> Thanks
> >>
> >> keycloak.js:451 POST https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token 400 (Bad Request)
> >>
> >> exec @ keycloak.js:451
> >> (anonymous) @ keycloak.js:459
> >>
> >> setSuccess @ keycloak.js:773
> >>
> >> messageCallback @ keycloak.js:854
> >> :9443/EDIT/#/EDIT/home:1 XMLHttpRequest cannot load https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://EDIT:9443' is therefore not allowed access. The response had HTTP status code 400.
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
>

From mselvi78 at gmail.com Tue Jan 17 08:03:36 2017
From: mselvi78 at gmail.com (Metehan Selvi)
Date: Tue, 17 Jan 2017 14:03:36 +0100
Subject: [keycloak-user] (no subject)
Message-ID:

Hello,

I have got a problem with Keycloak 2.5.0 Final on Wildfly with a war deployed on a Tomcat 7, with org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve registered and keycloak-saml.xml generated from AARealm (just a name).

After navigating to the resource, I get a correct redirect with SAML-AuthnRequest to Wildfly with Keycloak. I can log in with a user successfully, a correct SAML-Response is created, but then I get a *loop* of requests on the same resource on Wildfly (!), so there is no outcome till I close the window again.

What's wrong?
- Are the Redirects wrong?
- Why are the cookies expiring again? (see below)

Here are the details:
- AA.war is deployed on tomcat with port 8280; inside there is just a jsp page
- Keycloak runs on 8080
- A RealmAA is created with Client registration and SAML Protocol on Keycloak
- Valid Redirect URIs is http://localhost:8280/AA/*
- Base URL is http://localhost:8280/AA
- no other URLs are registered
- the loop of requests goes on http://localhost:8080/auth/realms/AARealm/login-actions/authenticate?code= HTTP/1.1
- Output on Wildfly is (again and again, the loop!)
2017-01-13 20:31:23,645 WARN [org.keycloak.events] (default task-45) type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:31:23,645 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-45) AUTHENTICATE
2017-01-13 20:31:23,645 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-45) AUTHENTICATE ONLY
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) processFlow
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: auth-cookie requirement: ALTERNATIVE
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) authenticator: auth-cookie
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) invoke authenticator.authenticate
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) authenticator SUCCESS: auth-cookie
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: auth-spnego requirement: DISABLED
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) execution is processed
2017-01-13 20:31:23,646 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: identity-provider-redirector requirement: ALTERNATIVE
2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) Skip alternative execution
2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) check execution: null requirement: ALTERNATIVE
2017-01-13 20:31:23,647 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-45) Skip alternative execution
2017-01-13 20:31:23,647 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-45) Using full scope for client
2017-01-13 20:31:23,647 DEBUG [org.keycloak.events] (default task-45) type=LOGIN, realmId=AARealm, clientId=AA, userId=1b24603d-c9e8-4317-995a-b42b0f91bae1, ipAddress=127.0.0.1, auth_method=saml, consent=no_consent_required, code_id=7ed8cc51-6c7e-4ffc-8d2a-261b9f03559d, username=user
2017-01-13 20:31:23,647 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/AARealm, max-age: -1
2017-01-13 20:31:23,648 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Expiring remember me cookie
2017-01-13 20:31:23,648 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-45) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/AARealm
2017-01-13 20:31:23,672 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-45) JtaTransactionWrapper commit
2017-01-13 20:31:23,672 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-45) JtaTransactionWrapper end
2017-01-13 20:31:23,815 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-46) new JtaTransactionWrapper
2017-01-13 20:31:23,816 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-46) was existing? false
2017-01-13 20:31:23,818 WARN [org.keycloak.events] (default task-46) type=LOGIN_ERROR, realmId=AARealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
2017-01-13 20:31:23,819 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-46) AUTHENTICATE
2017-01-13 20:31:23,819 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-46) AUTHENTICATE ONLY

If I register http://localhost:8280/AA/saml as "Master SAML Processing URL" on Keycloak, then I got a 403 Forbidden.
Thanks in advance
Metehan Selvi

From eduard.matuszak at worldline.com Tue Jan 17 08:04:14 2017
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Tue, 17 Jan 2017 13:04:14 +0000
Subject: [keycloak-user] example: authenticator-required-action-example
In-Reply-To:
References:
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723E956E9@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hi,

Seems to be the same problem as described (and solved) in the attached mail. So try to include the server-spi-private package dependency.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Christian Froehlich
Sent: Tuesday, January 17, 2017 11:37 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] example: authenticator-required-action-example

Hi,

I read the documentation of the Authentication SPI and I tried to get the example running like it is described in the README.md file, but I got the following error when I deploy it to my local keycloak server:
-----------------------------------
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy (default-cli) on project authenticator-required-action-example: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
[ERROR] Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionRequiredActionFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/RequiredActionFactory"}}}}
-----------------------------------

What I did:
Download and unzip the current version of keycloak 2.5.0.Final and start the server
checkout the master branch of the keycloak repo, navigate to the corresponding sub directory of the example
execute mvn clean install wildfly:deploy like it is described in the README.md of the artifact

I also tried to get it running with the git revision that is tagged with "2.5.0.Final", but with the same error.

Do I miss something? Any help is welcome!
Kind Regards and thanks in advance
Christian
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From bruno at abstractj.org Tue Jan 17 08:09:30 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 17 Jan 2017 11:09:30 -0200
Subject: [keycloak-user] example: authenticator-required-action-example
In-Reply-To:
References:
Message-ID:

I believe your issue is related to this Jira: https://issues.jboss.org/browse/KEYCLOAK-4221

On Tue, Jan 17, 2017 at 8:37 AM, Christian Froehlich wrote:
> Hi,
>
> I read the documentation of the Authentication SPI and I tried to get the example running like it is described in the README.md file, but I got the following error when I deploy it to my local keycloak server:
> -----------------------------------
> [ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Beta1:deploy (default-cli) on project authenticator-required-action-example: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"authenticator-required-action-example.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"authenticator-required-action-example.jar\"
> [ERROR] Caused by: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/authenticator/SecretQuestionRequiredActionFactory (Module \"deployment.authenticator-required-action-example.jar:main\" from Service Module Loader): org/keycloak/authentication/RequiredActionFactory"}}}}
> -----------------------------------
>
> What I did:
> Download and unzip the current version of keycloak 2.5.0.Final and start the server
> checkout the master branch of the keycloak repo, navigate to the corresponding sub directory of the example
> execute mvn clean install wildfly:deploy like it is described in the README.md of the artifact
>
> I also tried to get it running with the git revision that is tagged with "2.5.0.Final", but with the same error.
>
> Do I miss something? Any help is welcome!
>
> Kind Regards and thanks in advance
> Christian
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
- abstractj

From christian.froehlich at agfa.com Tue Jan 17 09:33:47 2017
From: christian.froehlich at agfa.com (Christian Froehlich)
Date: Tue, 17 Jan 2017 15:33:47 +0100
Subject: [keycloak-user] Antwort: RE: example: authenticator-required-action-example
In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D723E956E9@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
References: <61D077C6283D454FAFD06F6AC4AB74D723E956E9@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
Message-ID:

ok, thanks a lot! I'll give it a try.
From: "Matuszak, Eduard"
To: Christian Froehlich/AWPWB/AGFA at AGFA, "keycloak-user at lists.jboss.org"
Date: 17.01.2017 14:04
Subject: RE: [keycloak-user] example: authenticator-required-action-example

Hi,

Seems to be the same problem as described (and solved) in the attached mail. So try to include the server-spi-private package dependency.

----- Message from Stian Thorgersen on Fri, 13 Jan 2017 06:18:29 +0000 -----
To: "Matuszak, Eduard"
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Hot deployment of service providers in Keycloak 2.5.0 final

On 11 January 2017 at 10:07, Matuszak, Eduard <eduard.matuszak at worldline.com> wrote:
> Hello
>
> I am trying to understand and implement the new concept of deploying service providers, but I fail at several points.
>
> What is meant by the "Keycloak deploy/ directory" mentioned in the documentation?
> When trying the user-storage-simple example it was possible to hot deploy the jar-file in wildfly's standalone/deployment-dir, but the event-listener-sysout sample fails with a class-loading problem ("java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/providers/events/SysoutEventListenerProviderFactory").

There's only one deploy directory ;)

> So perhaps not all SPIs do provide the new deployment concept? There is also a mismatch, I think, between the deploy description in the Readme.md of the event-listener-sysout example (describing the "old" way to deploy) and the documentation in https://keycloak.gitbooks.io/server-developer-guide/content/topics/providers.html#providers (recommending the Keycloak deployer utilizing the enigmatic "Keycloak deploy/ directory").

Only the user storage example has been checked with the new hot deploy method. I'm pretty sure the issue is that the other SPIs (event listener included) are in server-spi-private. You'll probably just need to add a jboss-module-structure.xml with a dependency on that module and it should work.

> I was working on Keycloak 2.5.0 Final.
>
> Thanks in advance for some clarifications.
> Eduard Matuszak
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From christian.froehlich at agfa.com Tue Jan 17 09:41:57 2017
From: christian.froehlich at agfa.com (Christian Froehlich)
Date: Tue, 17 Jan 2017 15:41:57 +0100
Subject: [keycloak-user] Antwort: Re: example: authenticator-required-action-example
In-Reply-To:
References:
Message-ID:

ok, thanks!
I must definitely get better at searching within the jira issues!
Sorry for any inconveniences :-/

From: Bruno Oliveira
To: Christian Froehlich/AWPWB/AGFA at AGFA
Cc: keycloak-user
Date: 17.01.2017 14:10
Subject: Re: [keycloak-user] example: authenticator-required-action-example

I believe your issue is related to this Jira: https://issues.jboss.org/browse/KEYCLOAK-4221

--
- abstractj

From bruno at abstractj.org Tue Jan 17 09:49:17 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 17 Jan 2017 12:49:17 -0200
Subject: [keycloak-user] example: authenticator-required-action-example
In-Reply-To:
References:
Message-ID:

Relax, no big deal my friend.

On Tue, Jan 17, 2017 at 12:41 PM, Christian Froehlich wrote:
> ok, thanks!
> I must definitely get better at searching within the jira issues! Sorry for any inconveniences :-/
>
>
>
> From: Bruno Oliveira
> To: Christian Froehlich/AWPWB/AGFA at AGFA
> Cc: keycloak-user
> Date: 17.01.2017 14:10
> Subject: Re: [keycloak-user] example: authenticator-required-action-example
> ________________________________
>
>
>
> I believe your issue is related to this Jira:
> https://issues.jboss.org/browse/KEYCLOAK-4221
>
>
>
> --
> - abstractj
>

--
- abstractj

From mathakam at gmail.com Tue Jan 17 10:32:01 2017
From: mathakam at gmail.com (Marcin Wilk)
Date: Tue, 17 Jan 2017 16:32:01 +0100
Subject: [keycloak-user] Keycloak and WildFly authorization
Message-ID:

I need to use wildfly as a stateless REST provider (no sticky sessions) so I configured the keycloak wildfly adapter to use a cookie as the token store.
User roles in keycloak servers are imported from LDAP (LDAPProvider) and it is a common situation that a single user belongs to multiple ldap groups (say 30+). Many of these groups decide about users' authorization to specific application functionality so they can't be simply filtered at keycloak server level. On the other hand, passing so many roles (mapped from ldap groups) in the cookie (KEYCLOAK_ADAPTER_STATE cookie) causes the cookie to be over 4096 bytes big and exceeds popular browsers' cookie size limit. The cookie is simply discarded in such a situation.

Hence I thought that using the keycloak adapter for authentication only and passing authorization to the ldapextended login module at wildfly could be a circumvention. However I doubt whether such an idea would work as it doesn't look like there is a fallback from the keycloak adapter to other authorization methods on wildfly.

I would appreciate any piece of information on whether such a configuration is available without redeveloping the keycloak adapter or writing my own login module for wildfly.

Thanks in advance for help.

From eduard.matuszak at worldline.com Tue Jan 17 10:57:07 2017
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Tue, 17 Jan 2017 15:57:07 +0000
Subject: [keycloak-user] user storage provider (non-importing strategy) - examples causing Nullpointer-Exceptions
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723E957CB@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

I am struggling to make the user storage provider examples run in Keycloak 2.5.0 Final: Taking the "old" import strategy runs fine, but neither the user-storage-simple (readonly) nor the user-storage-jpa example succeeds in building up a complete login, crashing with Nullpointer-Exceptions.

Perhaps you have a hint or can confirm that the examples are not running because of Keycloak's behaviour being solved in future?

Thanks in advance for any comment,
Eduard Matuszak

For completion, the source code is attached ..
and these are the stack-traces:

user-storage-simple (readonly)
---------------------------------------
16:35:44,569 ERROR [org.keycloak.keys.FailsafeHmacKeyProvider] (default task-39) No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported.
16:35:44,569 WARN [org.keycloak.keys.FailsafeHmacKeyProvider] (default task-39) Keys expired, re-generated kid=dbeb665e-c67f-4041-a2ac-4dfe6375d1e8
16:35:53,626 WARN [org.keycloak.services] (default task-45) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
    at org.keycloak.credential.UserCredentialStoreManager.getStoredCredentialsByType(UserCredentialStoreManager.java:86)
    at org.keycloak.credential.PasswordCredentialProvider.onCache(PasswordCredentialProvider.java:215)
    at org.keycloak.credential.UserCredentialStoreManager.onCache(UserCredentialStoreManager.java:302)
    at org.keycloak.models.cache.infinispan.UserCacheSession.onCache(UserCacheSession.java:409)
    at org.keycloak.models.cache.infinispan.UserCacheSession.cacheUser(UserCacheSession.java:369)
    at org.keycloak.models.cache.infinispan.UserCacheSession.getUserAdapter(UserCacheSession.java:280)
    at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:258)
    at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:205)
    at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:133)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365)
    at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347)
    at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401)
    ..

user-storage-jpa (adapted version)
-------------------------------------------
16:38:36,780 INFO [org.ccp.provider.ccp_augmented_file.CcpAugmentedFileUserStorageProvider] (default task-45) getUserByUsername: adm_eduard
16:38:36,781 WARN [org.keycloak.services] (default task-45) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
    at org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage.getFirstAttribute(AbstractUserAdapterFederatedStorage.java:359)
    at org.ccp.provider.ccp_augmented_file.UserAdapter.getFirstAttribute(UserAdapter.java:112)
    at org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage.getCreatedTimestamp(AbstractUserAdapterFederatedStorage.java:324)
    at org.keycloak.models.cache.infinispan.entities.CachedUser.(CachedUser.java:55)
    at org.keycloak.models.cache.infinispan.UserCacheSession.cacheUser(UserCacheSession.java:342)
    at org.keycloak.models.cache.infinispan.UserCacheSession.getUserAdapter(UserCacheSession.java:280)
    at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:258)
    at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:205)
    at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:133)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56)
    at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365)
    at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347)
    at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401)
    ..

From max.catarino at rps.com.br Tue Jan 17 12:58:30 2017
From: max.catarino at rps.com.br (max.catarino at rps.com.br)
Date: Tue, 17 Jan 2017 15:58:30 -0200
Subject: [keycloak-user] It's possible to generate an offline token using only CURL?
Message-ID: <0f7b6d5c6059329508476dd7feb69188@rps.com.br>

Is it possible to generate an offline token using only CURL? Does someone have an example?

Best regards,
Maximiliano Catarino

From sthorger at redhat.com Wed Jan 18 02:26:03 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 18 Jan 2017 08:26:03 +0100
Subject: [keycloak-user] It's possible to generate an offline token using only CURL?
In-Reply-To: <0f7b6d5c6059329508476dd7feb69188@rps.com.br>
References: <0f7b6d5c6059329508476dd7feb69188@rps.com.br>
Message-ID:

Yes, take a look at the direct grant example in the securing apps and clients example. Add scope=offline to the request.

On 17 January 2017 at 18:58, wrote:
> Is it possible to generate an offline token using only CURL?
> Does someone have an example?
> Best regards,
> Maximiliano Catarino

From sthorger at redhat.com Wed Jan 18 02:32:35 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 18 Jan 2017 08:32:35 +0100
Subject: [keycloak-user] Customizing error Pages(for example client logo)
In-Reply-To:
References:
Message-ID:

You'll have to explain what you want in more detail. I doubt we'd add it though. Why don't you make your customization service expose the correct images/styles based on the realm name/id?

On 13 January 2017 at 19:23, rony joy wrote:
> When we thought about it more, I guess we need more than just the realm name in the error pages. Because we are depending on the customization service to get the images/styles. In order to call the customization service we require the URL and certain other parameters.
> In order to make it more generic can we have a custom error handler? Or something along those lines?
>
> Regards
> Rony Joy
>
> On Fri, Jan 13, 2017 at 12:28 AM Stian Thorgersen wrote:
>
>> You'd have to do it based on realm name rather than realm id. It would be a simple fix to make realm id available though so you can create a JIRA for that and even include a PR if you want.
>>
>> On 10 January 2017 at 17:46, rony joy wrote:
>>
>> Hi All,
>>
>> We are trying to customize the error pages based on the realm id. We are able to do the basic modification by extending the error pages in our custom theme. But in our error pages we wanted to have more realm specific customization (for example customer logo) by fetching the logo from external services based on the realm Id.
>>
>> Currently we don't see a way by looking at the code.
>> Any help is appreciated
>>
>> Thanks
>>
>> Rony Joy

From dekela at perfectomobile.com Wed Jan 18 08:41:00 2017
From: dekela at perfectomobile.com (Dekel Aslan)
Date: Wed, 18 Jan 2017 13:41:00 +0000
Subject: [keycloak-user] HashAlgorithm
Message-ID:

Hi,

In your password policy docs you state "See the Server Developer Guide on how to plug in your own algorithm". The Server dev guide does not have that information, where is it?

On another note, I'm not familiar with ratings of hashing algorithms, what is a preferred one?

Thanks,
Dekel.

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

From cristi.cioriia at gmail.com Wed Jan 18 09:53:32 2017
From: cristi.cioriia at gmail.com (Cristi Cioriia)
Date: Wed, 18 Jan 2017 16:53:32 +0200
Subject: [keycloak-user] AuthenticationManager send back access_denied error when it should send server_error
Message-ID:

Hi guys,

The AuthenticationManager class handles a failed required action by sending an access_denied error message back to the client application, instead of a server error, if the required action detects that it cannot display the required action page and marks the context as failed.

The use case I have is the following:

1) I have created and configured a required action that calls an external service to retrieve some data.
If that service fails, then I cannot display the required action page to the user, so I call context.failure().

2) Now, when the AuthenticationManager.executionActions method is called to display the required action page, it detects that the status of the required action context is FAILURE (line 641), so it doesn't display the required action page, but instead it calls at line 647 the oidc protocol like this:

Response response = protocol.sendError(context.getClientSession(), Error.CONSENT_DENIED);

This creates a response for the client application with error=access_denied, but in my opinion it should be with server_error, because the user didn't even have the chance to grant consent. Isn't this how it should happen? I noticed that the server_error is not returned to the client at all, as it is only the default branch of a switch, and it can't be reached at all, as the Error enum does not have a mapping for it.

Looking forward to an answer.

Greetings,
Cristi

From guydavis.ca at gmail.com Wed Jan 18 11:33:06 2017
From: guydavis.ca at gmail.com (Guy Davis)
Date: Wed, 18 Jan 2017 09:33:06 -0700
Subject: [keycloak-user] Anyone using nginx-jwt proxy instead of Keycloak Proxy?
Message-ID:

Good day,

I am looking to secure legacy web services behind a security proxy. Our current services are reverse proxied by Nginx out front. I've been able to put the Keycloak Proxy in front of Nginx to add security, however our architects are asking if we can use the nginx-jwt module in Nginx to replace the redirection feature of Keycloak Proxy. Their goal is to have only one proxy (Nginx) out front, not a chain of two (Keycloak Proxy to Nginx to backend services).

Anyone able to get this or another plugin module working? Perhaps in HAProxy instead of Nginx?
Thanks much,
Guy

From jcain at redhat.com Wed Jan 18 12:35:53 2017
From: jcain at redhat.com (Josh Cain)
Date: Wed, 18 Jan 2017 11:35:53 -0600
Subject: [keycloak-user] Tracing back-channel logout requests/responses
Message-ID: <1484760953.11052.1.camel@redhat.com>

Hi all,

I'd like to be able to generate errors on failed back-channel logout requests/responses as well as analyze and enumerate back-channel logout requests/responses that are sent.

Does Keycloak provide a way to do this? I poked through the source some and couldn't find anything. There was an old issue[0] that dealt with some failure cases around back-channel logout, but that's about all I could see with a cursory search.

If not supported, would you be open to a PR that hooks logout event details into the existing EventListener architecture?

[0] https://issues.jboss.org/browse/KEYCLOAK-782

--
Josh Cain | Software Applications Engineer
Identity and Access Management
Red Hat
+1 256-452-0150

From kurrent93 at gmail.com Wed Jan 18 15:01:54 2017
From: kurrent93 at gmail.com (Anton)
Date: Wed, 18 Jan 2017 21:01:54 +0100
Subject: [keycloak-user] Keycloak - multiple registration pages, each with own role?
Message-ID:

Hello

Is it possible to create additional keycloak registration pages, with custom themes, and each with a role?

I'm familiar with the OOTB registration page that comes with Keycloak, that is described on https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/user-registration.html .

Is it possible to have more than one registration page, each with their own associated role?

For example, /registration/artist.html registers a user with an "artist" role and /registration/user.html registers a user with the "user" role.
Thanks and regards

From bruno at abstractj.org Wed Jan 18 21:04:59 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 19 Jan 2017 00:04:59 -0200
Subject: [keycloak-user] HashAlgorithm
In-Reply-To:
References:
Message-ID: <20170119020459.GA8436@abstractj.org>

Hi Dekel,

I'm confused about what you're trying to achieve. Would you like to plug in your own password policy? If you don't know which hash algorithm to use and you still would like to have your custom password policy, I suggest using the same one used in Keycloak, PBKDF2.

On 2017-01-18, Dekel Aslan wrote:
> Hi,
> In your password policy docs you state "See the Server Developer Guide on how to plug in your own algorithm". The Server dev guide does not have that information, where is it?
>
> On another note, I'm not familiar with ratings of hashing algorithms, what is a preferred one?
>
> Thanks,
> Dekel.

--
abstractj

From sthorger at redhat.com Thu Jan 19 00:43:46 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 19 Jan 2017 06:43:46 +0100
Subject: [keycloak-user] Keycloak - multiple registration pages, each with own role?
In-Reply-To:
References:
Message-ID:

It's not directly possible, but you may be able to do it with a custom registration flow and using a query parameter for the different registration page. Not sure about custom theme though as the themes don't have access to query params.

On 18 January 2017 at 21:01, Anton wrote:
> Hello
>
> Is it possible to create additional keycloak registration pages, with custom themes, and each with a role?
>
> I'm familiar with the OOTB registration page that comes with Keycloak, that is described on https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/user-registration.html .
>
> Is it possible to have more than one registration page, each with their own associated role?
>
> For example, /registration/artist.html registers a user with an "artist" role and /registration/user.html registers a user with the "user" role.
>
> Thanks and regards

From abhi.raghav007 at gmail.com Thu Jan 19 00:56:30 2017
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Thu, 19 Jan 2017 11:26:30 +0530
Subject: [keycloak-user] User Group in the response header by proxy
Message-ID:

Hi,

I am maintaining a legacy application where I can not install the keycloak adapter. This is secured behind the keycloak proxy. Keycloak proxy injects some identity headers by default: keycloak_subject, name, username, email and access token. My requirement is such that I need role and group to also be going as part of the injected headers. I know for a fact that this information exists in the access token itself, but then I need to add a dependency/plugin on the application side to parse the token info and get the roles/groups. Is there a way on the proxy side I can add these two headers which can also be sent along with the identity headers?
Secondly, is it a good approach or breaking the secured design pattern?

*- Best Regards*
Abhishek Raghav

From eduard.matuszak at worldline.com Thu Jan 19 05:36:58 2017
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Thu, 19 Jan 2017 10:36:58 +0000
Subject: [keycloak-user] user storage provider (Keycloak 2.5.0) deployed as war file: CDI does not work
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723E96B77@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

It is not possible for me to bring CDI (@Inject) to work in a user storage provider application (Keycloak 2.5.0), deployed as a war-file. The required beans.xml is placed correctly in the war-file and passed by Weld during deployment, but all injected objects are null.

Is this a known (and possibly enforced) behaviour, a (minor) bug or simply due to a missing trick?

Thanks in advance for a feedback, Eduard Matuszak

From bburke at redhat.com Thu Jan 19 10:01:14 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 19 Jan 2017 10:01:14 -0500
Subject: [keycloak-user] user storage provider (Keycloak 2.5.0) deployed as war file: CDI does not work
In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D723E96B77@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
References: <61D077C6283D454FAFD06F6AC4AB74D723E96B77@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
Message-ID: <32a669a4-ef51-7e3b-8a71-9b3ae47de178@redhat.com>

How exactly are you implementing it? Can you point me to some example code? Remember, UserStorageProviderFactory *MUST* be a POJO. I haven't done CDI in years, but I believe it would work similarly to the EJB example, except you'd look up the CDI bean manager and allocate your provider through the bean manager.

On 1/19/17 5:36 AM, Matuszak, Eduard wrote:
> Hello
>
> It is not possible for me to bring CDI (@Inject) to work in a user storage provider application (Keycloak 2.5.0), deployed as a war-file.
> The required beans.xml is placed correctly in the war-file and passed by Weld during deployment, but all injected objects are null.
>
> Is this a known (and possibly enforced) behaviour, a (minor) bug or simply due to a missing trick?
>
> Thanks in advance for a feedback, Eduard Matuszak

From adrian.verhagen at gmail.com Thu Jan 19 10:30:04 2017
From: adrian.verhagen at gmail.com (Adrian Verhagen)
Date: Thu, 19 Jan 2017 10:30:04 -0500
Subject: [keycloak-user] Changing password & existing sessions (via forgot password email)
Message-ID:

It appears that refresh tokens are not expired when the password is reset via the password reset email. This seems to work when resetting the password from the account self-maintenance console, but not the recovery email.

I'm imagining a case where, if I've been told by an administrator to reset my password (because the account/password was compromised) and I have not used the service in some time and so change my password using the "Forgot Password" email, I would assume my password has been changed and my account now secured. I wouldn't know that I needed to change it again from the self-maintenance console in order to clear out logged in sessions.

I'm wondering what everyone else thinks about this.

From mitya at cargosoft.ru Thu Jan 19 12:23:59 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Thu, 19 Jan 2017 20:23:59 +0300
Subject: [keycloak-user] Stateful per-realm objects
Message-ID: <1484846639.4634.1.camel@cargosoft.ru>

Hi,

A new login protocol endpoint instance is created each time per-request (o.k.protocol.LoginProtocolFactory::createProtocolEndpoint). I need all the instances to have access to a shared, per-realm stateful object.
(Background: I'm implementing OpenID 2.0 for Keycloak using the openid4java library.
There, the central concept is ServerManager, a per-endpoint singleton that stores cryptographic associations and other shared data.)

Just wondering if there's already a similar mechanism in Keycloak. It shouldn't be that hard to implement a singleton registry, but I'd prefer not to reinvent the wheel.

Thanks!
Dmitry

From haimv at perfectomobile.com Thu Jan 19 15:27:12 2017
From: haimv at perfectomobile.com (Haim Vana)
Date: Thu, 19 Jan 2017 20:27:12 +0000
Subject: [keycloak-user] Red Hat SSO supported version
In-Reply-To:
References:
Message-ID:

Hi,

Do you also know by any chance if it is also supported when deployed in docker on top of an AWS EC2 cluster?

Thanks,
Haim.

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: Sunday, January 15, 2017 12:28 PM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Red Hat SSO supported version

Featurewise there is no difference, the codebase of RHSSO 7.0 is the one from kc 1.9.8. RHSSO is the productized version and is the one needed to have support.

On Sun, Jan 15, 2017 at 11:20 AM, Haim Vana wrote:

Can you please advise what is the difference between RH-SSO 7.0 and KC 1.9.8? Will the support be valid for both? Or only for the RH-SSO?

Haim.

-------- Original message --------
From: Sebastien Blanc
Date: 1/15/17 12:10 (GMT+02:00)
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Red Hat SSO supported version

Hi,

RH-SSO 7.0 is based on KC 1.9.8, so yes, you will have to upgrade.

Seb

On Sun, Jan 15, 2017 at 10:17 AM, Haim Vana wrote:

Hi,

Currently we are using keycloak 1.9.3, could we get support for that version? Or will we have to upgrade? If so, to which version?

Thanks,
Haim.

From known.michael at gmail.com Fri Jan 20 00:06:27 2017
From: known.michael at gmail.com (Known Michael)
Date: Fri, 20 Jan 2017 07:06:27 +0200
Subject: [keycloak-user] The best way to get the action of the login form
Message-ID:

Hey,

We have started to create automation tests of our keycloak integration.
We have discovered that the action URL of the login form (the submit URL) is generated each time.

Therefore we need to parse the login response to get the action from the login form.

Can you suggest a better way to get the action of the login form?

If not: do you think the way of the action generation can be changed significantly in the near future and all our tests will fail?

From pulgupta at redhat.com Fri Jan 20 02:19:02 2017
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Fri, 20 Jan 2017 12:49:02 +0530
Subject: [keycloak-user] Logout in cluster environments
Message-ID:

Hi All,

I am running multiple applications deployed on a Jboss cluster with infinispan used as a cache and for distributed sessions.
I verified and can see that session replication is working for a normal application where I can see the same session on all the servers in the cluster and hence the application is working fine without session stickiness.

However when I am trying to use any Keycloak SAML client based application it is only working if the request is going to a particular box in the cluster. On all the other boxes we are getting errors.
From this behavior I am concluding that somehow for Keycloak based applications sessions are not getting replicated.
Both these applications have tag in them so I am not sure why it is showing different behaviour.

I know we can fix this by just enabling session stickiness but we want the sessions to be replicated as well.
This is because we want to make our set up more resilient. Also in case of logout when Keycloak is sending a back channel logout request it may send it to any server in the cluster.
If the sessions are not properly replicated then the logout will fail as the session will remain preserved on some other server in the cluster.

Can someone please suggest something to try.
--
Thanks,
Pulkit

From mposolda at redhat.com Fri Jan 20 03:12:44 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 20 Jan 2017 09:12:44 +0100
Subject: [keycloak-user] Tracing back-channel logout requests/responses
In-Reply-To: <1484760953.11052.1.camel@redhat.com>
References: <1484760953.11052.1.camel@redhat.com>
Message-ID: <0f629008-f979-6f29-d912-8cb365adb779@redhat.com>

Yes, you're right that we don't have anything besides the WARNING in server.log. Better tracking (at least through events) will be good. It will be good if the event contains all the clients which successfully logged out, similarly to the clients which failed to log out.

Marek

On 18/01/17 18:35, Josh Cain wrote:
> Hi all,
>
> I'd like to be able to generate errors on failed back-channel logout requests/responses as well as analyze and enumerate back-channel logout requests/responses that are sent.
>
> Does Keycloak provide a way to do this? I poked through the source some and couldn't find anything. There was an old issue[0] that dealt with some failure cases around back-channel logout, but that's about all I could see with a cursory search.
>
> If not supported, would you be open to a PR that hooks logout event details into the existing EventListener architecture?
>
> [0] https://issues.jboss.org/browse/KEYCLOAK-782

From mposolda at redhat.com Fri Jan 20 03:17:32 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 20 Jan 2017 09:17:32 +0100
Subject: [keycloak-user] Logout in cluster environments
In-Reply-To:
References:
Message-ID: <2616fafe-5f4b-8c2d-b78d-68250252f95f@redhat.com>

This is supposed to work for Keycloak OIDC clients and some docs are here https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/application-clustering.html . I don't know about Keycloak SAML clients. Is it an alternative for you to try OIDC instead of SAML?
Marek

On 20/01/17 08:19, Pulkit Gupta wrote:
> Hi All,
>
> I am running multiple applications deployed on a Jboss cluster with infinispan used as a cache and for distributed sessions.
> I verified and can see that session replication is working for a normal application where I can see the same session on all the servers in the cluster and hence the application is working fine without session stickiness.
>
> However when I am trying to use any Keycloak SAML client based application it is only working if the request is going to a particular box in the cluster. On all the other boxes we are getting errors.
> From this behavior I am concluding that somehow for Keycloak based applications sessions are not getting replicated.
> Both these applications have tag in them so I am not sure why it is showing different behaviour.
>
> I know we can fix this by just enabling session stickiness but we want the sessions to be replicated as well.
> This is because we want to make our set up more resilient. Also in case of logout when Keycloak is sending a back channel logout request it may send it to any server in the cluster.
> If the sessions are not properly replicated then the logout will fail as the session will remain preserved on some other server in the cluster.
>
> Can someone please suggest something to try.

From mposolda at redhat.com Fri Jan 20 03:23:21 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 20 Jan 2017 09:23:21 +0100
Subject: [keycloak-user] The best way to get the action of the login form
In-Reply-To:
References:
Message-ID: <3aa5357d-a196-9c73-ae84-6f37c07adbc5@redhat.com>

On 20/01/17 06:06, Known Michael wrote:
> Hey,
>
> We have started to create automation tests of our keycloak integration.

We already have some automated tests and we use selenium. See our testsuite for more details (testsuite/integration-arquillian in the Keycloak codebase). Maybe you can take a look for inspiration?
> We have discovered that the action URL of the login form (the submit URL) is generated each time.
>
> Therefore we need to parse the login response to get the action from the login form.
>
> Can you suggest a better way to get the action of the login form?
>
> If not: do you think the way of the action generation can be changed significantly in the near future and all our tests will fail?

In theory, that is possible as it is an implementation detail of Keycloak. Relying on something like selenium, which will just call "submitButton.click" instead of manually creating POST requests etc., is always less fragile. So I would rather go this way if it is possible for you.

Marek

From mposolda at redhat.com Fri Jan 20 03:28:34 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 20 Jan 2017 09:28:34 +0100
Subject: [keycloak-user] Stateful per-realm objects
In-Reply-To: <1484846639.4634.1.camel@cargosoft.ru>
References: <1484846639.4634.1.camel@cargosoft.ru>
Message-ID:

LoginProtocolFactory is shared per KeycloakSessionFactory and de facto it is something like a singleton. So you can have that object (or a per-realm Map of those objects) in your LoginProtocolFactory implementation? Then during each request, you will just pass the particular object to your LoginProtocol or ProtocolEndpoint impl?

Marek

On 19/01/17 18:23, Dmitry Telegin wrote:
> Hi,
>
> A new login protocol endpoint instance is created each time per-request (o.k.protocol.LoginProtocolFactory::createProtocolEndpoint). I need all the instances to have access to a shared, per-realm stateful object.
> (Background: I'm implementing OpenID 2.0 for Keycloak using the openid4java library. There, the central concept is ServerManager, a per-endpoint singleton that stores cryptographic associations and other shared data.)
>
> Just wondering if there's already a similar mechanism in Keycloak. It shouldn't be that hard to implement a singleton registry, but I'd prefer not to reinvent the wheel.
>
> Thanks!
> Dmitry

From deepu.laghuvaram at gmail.com Fri Jan 20 11:05:25 2017
From: deepu.laghuvaram at gmail.com (Deepu Laghuvaram)
Date: Fri, 20 Jan 2017 11:05:25 -0500
Subject: [keycloak-user] How to find the device type on the Keycloak Authentication Pages?
Message-ID:

My application has different styles for Mobile view and Desktop view, where some of them are responsive and some of them are not, so we are trying to implement different styles on the Login, Registration and Forgot password pages. What is the best way to fetch the device type on these pages?

Thanks,
Deepu

From deepu.laghuvaram at gmail.com Fri Jan 20 11:24:57 2017
From: deepu.laghuvaram at gmail.com (Deepu Laghuvaram)
Date: Fri, 20 Jan 2017 11:24:57 -0500
Subject: [keycloak-user] Issues in integrating UserStorageProvider with Hazelcast
Message-ID:

I am trying to integrate Hazelcast in my UserStorageProvider and I am getting the error as below:

5:01:35,028 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 51) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.NoClassDefFoundError: sun/misc/Unsafe
    at com.hazelcast.nio.UnsafeHelper.findUnsafe(UnsafeHelper.java:176)
    at com.hazelcast.nio.UnsafeHelper.findUnsafeIfAllowed(UnsafeHelper.java:149)
    at com.hazelcast.nio.UnsafeHelper.(UnsafeHelper.java:78)
    at com.hazelcast.util.counters.SwCounter.newSwCounter(SwCounter.java:66)
    at com.hazelcast.util.counters.SwCounter.newSwCounter(SwCounter.java:56)
    at com.hazelcast.spi.impl.operationservice.impl.InvocationRegistry.(InvocationRegistry.java:72)
    at com.hazelcast.spi.impl.operationservice.impl.OperationServiceImpl.(OperationServiceImpl.java:147)
    at com.hazelcast.spi.impl.NodeEngineImpl.(NodeEngineImpl.java:104)
    at com.hazelcast.instance.Node.(Node.java:177)
    at com.hazelcast.instance.HazelcastInstanceImpl.(HazelcastInstanceImpl.java:125)
    at com.hazelcast.instance.HazelcastInstanceFactory.constructHazelcastInstance(HazelcastInstanceFactory.java:160)
    at com.hazelcast.instance.HazelcastInstanceFactory.newHazelcastInstance(HazelcastInstanceFactory.java:143)
    at com.hazelcast.instance.HazelcastInstanceFactory.newHazelcastInstance(HazelcastInstanceFactory.java:111)
    at com.hazelcast.core.Hazelcast.newHazelcastInstance(Hazelcast.java:58)
    at com.lb.storage.hazelcast.HazelcastInstanceProvide.getInstance(HazelcastInstanceProvide.java:10)
    at com.lb.storage.user.DB2UserStorageProvider.(DB2UserStorageProvider.java:61)
    at com.lb.storage.user.DB2UserStorageProviderFactory.create(DB2UserStorageProviderFactory.java:32)
    at com.lb.storage.user.DB2UserStorageProviderFactory.create(DB2UserStorageProviderFactory.java:24)
    at org.keycloak.storage.UserStorageManager.getStorageProviderInstance(UserStorageManager.java:80)
    at org.keycloak.storage.UserStorageManager.getStorageProviders(UserStorageManager.java:96)
    at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:369)
    at org.keycloak.models.cache.infinispan.UserCacheSession.getUsersCount(UserCacheSession.java:580)
    at
org.keycloak.services.managers.ApplianceBootstrap.isNoMasterUser(ApplianceBootstrap.java:55) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:155) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:422) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 19 more Caused by: java.lang.ClassNotFoundException: sun.misc.Unsafe at java.net.URLClassLoader.findClass(URLClassLoader.java:381) at java.lang.ClassLoader.loadClass(ClassLoader.java:424) at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ... 48 more I have added module.xml in location keycloak-2.5.0.Final/modules/system/layers/base/io/netty/main. Not sure if that's the correct location. In my module.xml I have added as Still I am getting the same error. Please help with this. Thanks, Deepu From pulgupta at redhat.com Fri Jan 20 11:27:54 2017 From: pulgupta at redhat.com (Pulkit Gupta) Date: Fri, 20 Jan 2017 21:57:54 +0530 Subject: [keycloak-user] Keycloak SAML and clustering Message-ID: Hi All, I was not able to find any documentation around this and hence wanted to check it here. Does the Keycloak SAML client adapter for JBoss support clustering? We are running in a cluster environment with session replication working absolutely fine. All the apps not using the SAML adapter are working fine but not the ones using the adapter. Has anyone seen such an issue earlier? 
-- Thanks, Pulkit AMS From pulgupta at redhat.com Fri Jan 20 11:29:23 2017 From: pulgupta at redhat.com (Pulkit Gupta) Date: Fri, 20 Jan 2017 21:59:23 +0530 Subject: [keycloak-user] Logout in cluster environments In-Reply-To: <2616fafe-5f4b-8c2d-b78d-68250252f95f@redhat.com> References: <2616fafe-5f4b-8c2d-b78d-68250252f95f@redhat.com> Message-ID: We can't really move to OIDC as we have already used SAML for a number of apps. Is clustering not supported by SAML client adapters for JBoss? Regards, Pulkit On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda wrote: > This is supposed to work for Keycloak OIDC clients and some docs are here > https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/application-clustering.html . > > I don't know about Keycloak SAML clients. Is it an alternative for you to > try OIDC instead of SAML? > > Marek > > On 20/01/17 08:19, Pulkit Gupta wrote: > >> Hi All, >> >> I am running multiple applications deployed on a JBoss cluster with >> infinispan used as a cache and for distributed sessions. >> I verified and can see that session replication is working for a normal >> application where I can see the same session on all the servers in the >> cluster and hence the application is working fine without session >> stickiness. >> >> However when I am trying to use any Keycloak SAML client based application >> it is only working if the request is going to a particular box in the >> cluster. On all the other boxes we are getting errors. >> From this behavior I am concluding that somehow for Keycloak based >> applications sessions are not getting replicated. >> Both these applications have tag in them so I am not sure >> why it is showing different behaviour. >> >> I know we can fix this by just enabling session stickiness but we want the >> sessions to be replicated as well. >> This is because we want to make our set up more resilient. 
Also in case of >> logout when Keycloak is sending a back channel logout request it may send >> it to any server in the cluster. >> If the sessions are not properly replicated then the logout will fail as >> the session will remain preserved on some other server in the cluster. >> >> Can someone please suggest something to try? >> >> > -- Thanks, Pulkit AMS From brian at excelwithbusiness.com Sat Jan 21 04:04:38 2017 From: brian at excelwithbusiness.com (Brian Thai) Date: Sat, 21 Jan 2017 01:04:38 -0800 Subject: [keycloak-user] Fwd: SAML HTTP-Redirect Logout Configuration In-Reply-To: References: Message-ID: On 21 January 2017 at 01:00, Brian Thai wrote: > Hi, > > The php SAML libraries that I am using are HTTP-Redirect binding only for > the single logout service. I have tried a few different configurations but > I seem to be missing something. If I do not configure a HTTP-Post binding > for the SLS, I get "KC-SERVICES0051: Failed to logout client, continuing: > java.lang.NullPointerException". If I do have HTTP-Post configured, it is > not a valid endpoint in my api using the php SAML library. Can Keycloak > support HTTP-Redirect binding for logout? If so, do you know where I can > get a working configuration to see what I am missing? > > Thanks! > -Brian > From bburke at redhat.com Sat Jan 21 16:09:28 2017 From: bburke at redhat.com (Bill Burke) Date: Sat, 21 Jan 2017 16:09:28 -0500 Subject: [keycloak-user] Issues in integrating UserStorageProvider with Hazelcast In-Reply-To: References: Message-ID: <06c5f569-1c02-42b5-e0af-6db95ccd68ee@redhat.com> You'll have to create a jboss-deployment-structure.xml file in META-INF of your deployment and import "sun.jdk" module. 
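As an added illustration, not part of Bill's reply or of the Keycloak project, this is what that file would look like for a provider packaged as a jar (assumed layout; the `urn:jboss:deployment-structure:1.2` namespace is the one used by WildFly-based Keycloak servers of that era):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/jboss-deployment-structure.xml inside the provider jar
     (assumed path; for a WAR the same file goes in WEB-INF).
     Added example, not taken from the thread. -->
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
  <deployment>
    <dependencies>
      <!-- A deployment's module class loader does not see sun.misc.Unsafe
           by default, which is the ClassNotFoundException in the trace above.
           Importing the sun.jdk system module makes those JDK-internal
           packages visible to Hazelcast inside this provider jar. -->
      <module name="sun.jdk"/>
    </dependencies>
  </deployment>
</jboss-deployment-structure>
```

The same dependency can be declared as a `Dependencies: sun.jdk` line in META-INF/MANIFEST.MF instead; either way the change belongs to the provider deployment, not to the server's io/netty module.xml.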
This is a related post http://stackoverflow.com/questions/31535350/wildfly-8-2-classnotfoundexception-sun-misc-unsafe-from-module-io-nettymain-w On 1/20/17 11:24 AM, Deepu Laghuvaram wrote: > I am trying to integrate Hazelcast in my UserStorageProvider and I am > getting the error as below, > [...] > I have added module.xml in location > keycloak-2.5.0.Final/modules/system/layers/base/io/netty/main. Not sure if > that's the correct location. > > in my module.xml I have added as > > > > > > > Still I am getting the same error. Please help with this. > > > Thanks, > Deepu > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From martin.johansson at metrical.se Mon Jan 23 03:28:34 2017 From: martin.johansson at metrical.se (Martin Johansson) Date: Mon, 23 Jan 2017 08:28:34 +0000 Subject: [keycloak-user] StackOverflowError when logging in to AdminConsole after upgrading to 2.5.0.Final Message-ID: Hi, We're using the keycloak-postgres docker container. After upgrading from 2.4.0.Final to 2.5.0.Final, we're unable to log in to the administration console. When we log in, the exception at the end of this mail appears. 
Any help on understanding why this happens would be much appreciated. BR, Martin 11:01:32,434 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.5.0.Final (WildFly Core 2.0.10.Final) started in 12203ms - Started 427 of 801 services (542 services are lazy, passive or on-demand) 11:02:11,949 ERROR [io.undertow.request] (default task-51) UT005023: Exception handling request to /auth/realms/master/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: java.lang.StackOverflowError at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.StackOverflowError at org.keycloak.models.cache.infinispan.RoleAdapter.getComposites(RoleAdapter.java:135) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:182) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at 
java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at 
java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at 
java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at 
org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at 
org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at 
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at 
java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at 
java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at 
java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at 
java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at 
java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at 
java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at 
java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at 
java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at 
org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at 
org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at 
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at 
java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at 
java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at 
java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at 
java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at 
java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at 
java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at 
java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at 
java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at 
org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at 
org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at 
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at 
java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) at 
--
Martin Johansson
Metrical AB
+46 73-338 91 18
martin.johansson at metrical.se | LinkedIn

From mposolda at redhat.com Mon Jan 23 03:34:58 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 23 Jan 2017 09:34:58 +0100
Subject: [keycloak-user] Logout in cluster environments
In-Reply-To:
References: <2616fafe-5f4b-8c2d-b78d-68250252f95f@redhat.com>
Message-ID: <1466d573-9ff2-288f-b531-fd4d0d22530b@redhat.com>

I don't see anything in our documentation for the Keycloak SAML adapter. Not sure if we support clustering or not. Maybe someone else knows.

But I think that if you have in your applications and it still doesn't work, then feel free to create a JIRA.

Marek

On 20/01/17 17:29, Pulkit Gupta wrote:
> We can't really move to OIDC as we have already used SAML for a number of apps.
> Is clustering not supported by SAML client adapters for Jboss?
>
> Regards,
> Pulkit
>
>
> On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda wrote:
>
> > This is supposed to work for Keycloak OIDC clients and some docs are here
> > https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/application-clustering.html
> >
> > I don't know about Keycloak SAML clients.
> > Is it an alternative for you to try OIDC instead of SAML?
> >
> > Marek
> >
> > On 20/01/17 08:19, Pulkit Gupta wrote:
> > > Hi All,
> > >
> > > I am running multiple applications deployed on a Jboss cluster with infinispan used as a cache and for distributed sessions.
> > > I verified and can see that session replication is working for a normal application where I can see the same session on all the servers in the cluster and hence the application is working fine without session stickiness.
> > >
> > > However when I am trying to use any Keycloak SAML client based application it is only working if the request is going to a particular box in the cluster. On all the other boxes we are getting errors.
> > > From this behavior I am concluding that somehow for Keycloak based applications sessions are not getting replicated.
> > > Both these applications have tag in them so I am not sure why it is showing different behaviour.
> > >
> > > I know we can fix this by just enabling session stickiness but we want the sessions to be replicated as well.
> > > This is because we want to make our set up more resilient. Also in case of logout when Keycloak is sending a back channel logout request it may send it to any server in the cluster.
> > > If the sessions are not properly replicated then the logout will fail as the session will remain preserved on some other server in the cluster.
> > >
> > > Can someone please suggest something to try.
> > >
> > > --
> > > Thanks,
> > > Pulkit
> > > AMS

From madaras_adrian at yahoo.com Mon Jan 23 04:19:35 2017
From: madaras_adrian at yahoo.com (Adrian Madaras)
Date: Mon, 23 Jan 2017 09:19:35 +0000 (UTC)
Subject: [keycloak-user] LDAP Attribute to Keycloak Role
In-Reply-To: <1381825158.1790222.1485163027320@mail.yahoo.com>
References: <1381825158.1790222.1485163027320.ref@mail.yahoo.com> <1381825158.1790222.1485163027320@mail.yahoo.com>
Message-ID: <1848322927.1774374.1485163175326@mail.yahoo.com>

Hi everybody,

I am trying to map a user attribute named 'sRoles' from LDAP to Roles in Keycloak. Is this possible?
I could not find any reference regarding this online and I think it's a subject that a lot of people would be interested in.

Thanks in advance,
Adrian

From bruno at abstractj.org Mon Jan 23 06:31:56 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 23 Jan 2017 09:31:56 -0200
Subject: [keycloak-user] StackOverflowError when logging in to AdminConsole after upgrading to 2.5.0.Final
In-Reply-To:
References:
Message-ID: <20170123113156.GA31909@abstractj.org>

Do you have the exact steps to reproduce it? I can try it here.

On 2017-01-23, Martin Johansson wrote:
> Hi,
>
> We're using the keycloak-postgres docker container. After upgrading from 2.4.0.Final to 2.5.0.Final, we're unable to log in to the administration console. When we log in, the exception at the end of this mail appears. Any help on understanding why this happens would be much appreciated.
>
> BR,
> Martin
>
> 11:01:32,434 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.5.0.Final (WildFly Core 2.0.10.Final) started in 12203ms - Started 427 of 801 services (542 services are lazy, passive or on-demand)
> 11:02:11,949 ERROR [io.undertow.request] (default task-51) UT005023: Exception handling request to /auth/realms/master/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: java.lang.StackOverflowError
> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.StackOverflowError
> at org.keycloak.models.cache.infinispan.RoleAdapter.getComposites(RoleAdapter.java:135)
> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:182)
> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > at > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > at > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > at > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > at > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > at > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > at > 
> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> at
> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> at
> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> --
> Martin Johansson
> Metrical AB
> +46 73-338 91 18
> martin.johansson at metrical.se | LinkedIn
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From martin.johansson at metrical.se Mon Jan 23 08:32:39 2017
From: martin.johansson at metrical.se (Martin Johansson)
Date: Mon, 23 Jan 2017 13:32:39 +0000
Subject: [keycloak-user] StackOverflowError when logging in to AdminConsole after upgrading to 2.5.0.Final
In-Reply-To: <20170123113156.GA31909@abstractj.org>
References: <20170123113156.GA31909@abstractj.org>
Message-ID:

Hi,

Thanks for the reply. The only thing I did was to start a newly built Docker container with a change from:

FROM jboss/keycloak-postgres:2.4.0.Final

to:

FROM jboss/keycloak-postgres:2.5.0.Final

When I upgraded from 2.3.0.Final to 2.4.0.Final, doing the same thing, everything worked like a charm.

I started the container in DEBUG mode; the (rather long) logs can be found here: https://gist.github.com/anonymous/09af29c5205de0480221903ee0fee611

I successfully downgraded to 2.4.0 again and then I could log in again.
However, I got this error in the log:

12:58:11,541 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.4.0.Final (WildFly Core 2.0.10.Final) started in 14235ms - Started 427 of 801 services (542 services are lazy, passive or on-demand)
12:59:42,079 ERROR [org.keycloak.keys.DefaultKeyManager] (default task-42) Failed to load provider 1b1b5650-0093-453b-9d6e-ef26cb28b05e: java.lang.NullPointerException
at org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyManager.java:133)
at org.keycloak.keys.DefaultKeyManager.getActiveKey(DefaultKeyManager.java:51)
at org.keycloak.protocol.RestartLoginCookie.encode(RestartLoginCookie.java:117)
at org.keycloak.protocol.RestartLoginCookie.setRestartCookie(RestartLoginCookie.java:140)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:119)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

If you know where I should dig deeper, please let me know.
BR,
Martin

On Mon, Jan 23, 2017 at 12:32 PM Bruno Oliveira wrote:

> Do you have the exact steps to reproduce it? I can try it here.
>
> On 2017-01-23, Martin Johansson wrote:
> > Hi,
> >
> > We're using the keycloak-postgres docker container. After upgrading from
> > 2.4.0.Final to 2.5.0.Final, we're unable to log in to the administration
> > console. When we log in, the exception at the end of this mail appears. Any
> > help on understanding why this happens would be much appreciated.
> >
> > BR,
> > Martin
> >
> > 11:01:32,434 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.5.0.Final (WildFly Core 2.0.10.Final) started in 12203ms - Started 427 of 801 services (542 services are lazy, passive or on-demand)
> > 11:02:11,949 ERROR [io.undertow.request] (default task-51) UT005023: Exception handling request to /auth/realms/master/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: java.lang.StackOverflowError
> > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > at java.lang.Thread.run(Thread.java:745)
> > Caused by: java.lang.StackOverflowError
> > at org.keycloak.models.cache.infinispan.RoleAdapter.getComposites(RoleAdapter.java:135)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:182)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at
java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at 
java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at 
java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > 
java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at 
java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > 
java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > 
java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at 
java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > 
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > 
org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > 
org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > 
java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) > > at > java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) > > at > java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) > > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) > > at > > > java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) > > at > > > java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) > > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) > > at > > > java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) > > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) > > at 
java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
> > at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
> > at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
> > at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
> > at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
> > at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
> > at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
> > at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
> > at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
> > at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > [... the same 12 frames repeat ...]
> > at java.util.stream.<

--
Martin Johansson
Metrical AB
+46 73-338 91 18
martin.johansson at metrical.se | LinkedIn

From mposolda at redhat.com Mon Jan 23 10:15:41 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 23 Jan 2017 16:15:41 +0100
Subject: [keycloak-user]
StackOverflowError when logging in to AdminConsole after upgrading to 2.5.0.Final
In-Reply-To:
References: <20170123113156.GA31909@abstractj.org>
Message-ID:

I've just reproduced the StackOverflowError. Created JIRA https://issues.jboss.org/browse/KEYCLOAK-4274 and I will try to look at it.

It seems that you have recursion in your roles (see KEYCLOAK-4274 for more details), which is what causes this error. It is a regression introduced in 2.5.0 though :(

Marek

On 23/01/17 14:32, Martin Johansson wrote:
> Hi,
>
> Thanks for the reply.
>
> The only thing I did was to start a newly built Docker container with a
> change from:
>
> FROM jboss/keycloak-postgres:2.4.0.Final
>
> to:
>
> FROM jboss/keycloak-postgres:2.5.0.Final
>
> When I upgraded from 2.3.0.Final to 2.4.0.Final, doing the same thing,
> everything worked like a charm.
>
> I started the container in DEBUG mode, the (rather long) logs can be found
> here: https://gist.github.com/anonymous/09af29c5205de0480221903ee0fee611
>
> I successfully downgraded to 2.4.0 again and then I could log in again.
> However, I got this error in the log:
> 12:58:11,541 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.4.0.Final (WildFly Core 2.0.10.Final) started in 14235ms - Started 427 of 801 services (542 services are lazy, passive or on-demand)
> 12:59:42,079 ERROR [org.keycloak.keys.DefaultKeyManager] (default task-42) Failed to load provider 1b1b5650-0093-453b-9d6e-ef26cb28b05e: java.lang.NullPointerException
> at org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyManager.java:133)
> at org.keycloak.keys.DefaultKeyManager.getActiveKey(DefaultKeyManager.java:51)
> at org.keycloak.protocol.RestartLoginCookie.encode(RestartLoginCookie.java:117)
> at org.keycloak.protocol.RestartLoginCookie.setRestartCookie(RestartLoginCookie.java:140)
> at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:119)
> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> If you know where I should dig deeper, please let me know.
>
> BR,
> Martin
>
> On Mon, Jan 23, 2017 at 12:32 PM Bruno Oliveira wrote:
>
>> Do you have the exact steps to reproduce it? I can try it here.
>>
>> On 2017-01-23, Martin Johansson wrote:
>>> Hi,
>>>
>>> We're using the keycloak-postgres docker container. After upgrading from
>>> 2.4.0.Final to 2.5.0.Final, we're unable to login to the administration
>>> console. When we log in, the exception in the end of this mail appears. Any
>>> help on understanding why this happens would be much appreciated.
>>>
>>> BR,
>>> Martin
>>>
>>> 11:01:32,434 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.5.0.Final (WildFly Core 2.0.10.Final) started in 12203ms - Started 427 of 801 services (542 services are lazy, passive or on-demand)
>>> 11:02:11,949 ERROR [io.undertow.request] (default task-51) UT005023: Exception handling request to /auth/realms/master/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: java.lang.StackOverflowError
>>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> at java.lang.Thread.run(Thread.java:745)
>>> Caused by: java.lang.StackOverflowError
>>> at org.keycloak.models.cache.infinispan.RoleAdapter.getComposites(RoleAdapter.java:135)
>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:182)
>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>> [... the same 12 frames, from accept(ReferencePipeline.java:174) through lambda$searchFor$0(KeycloakModelUtils.java:184), repeat for the rest of the trace ...]
>>> at >>
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> 
org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> 
org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at 
>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at 
java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at 
>>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> 
java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> 
java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> 
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> 
org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> 
org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> 
org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at 
>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>> at >> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>> at >>> >> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>> at >>> >> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>> at >> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>> at >>> >> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>> at >>> >> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>> at >>> >> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>> at 
java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>> at java.util.stream.<

From pschiffe at redhat.com Mon Jan 23 13:29:58 2017
From: pschiffe at redhat.com (Peter Schiffer)
Date: Mon, 23 Jan 2017 19:29:58 +0100
Subject: [keycloak-user] do not import users when brokering
Message-ID:

Hello all,

I'm working on some POC with keycloak and OpenShift [1] and I'm wondering - is it possible to configure Keycloak in a way that it won't create new users in the local database when acting as a broker? For example, in this case [2], I want to be able to login as `user` from the saml broker, but without creating the new user in saml-authentication-broker. Is it possible?

Thanks,

peter

[1] https://github.com/pschiffe/keycloak-demo
[2] https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication

From java at neposoft.com Mon Jan 23 15:15:45 2017
From: java at neposoft.com (java_os)
Date: Mon, 23 Jan 2017 15:15:45 -0500
Subject: [keycloak-user] keycloak.js - token refresh- Bad request 400 - cors
In-Reply-To:
References: <41eb49c149d01bfe3b5b3b89f4e85052.squirrel@neposoft.com>
Message-ID: <871ace3709c7ea9f3628aa985fc02ca0.squirrel@neposoft.com>

I still believe this is a bug in 2.5.0.Final
The flow is client using keycloak.js - and as far as I'm concerned it runs fine until the point where the token expires, at which point the renew process goes into 400 origins. Would be easy for you guys to re-create this on your end.
thx

> Strange - it's the same endpoint that is called for code->token and token
> refresh, so can't see why one would work and not the other.
>
> On 14 January 2017 at 01:58, java_os wrote:
>
>> Yes, set origins to *. also the app works well: ng-kc broker-idp-redirects
>> back to my app. As said no issues on regular workflow of the app. even
>> logout works fine. it's only when token expires I'm getting this error.
>> more clues?
>> What you mean by proper setup of web origin? what's proper. Thought if set
>> to * would do it.
>> thx
>> > Did you set up proper web origins and redirect URIs for your app?
>> >
>> > On 12 January 2017 at 17:18, java_os wrote:
>> >
>> >> Hi group
>> >> I'm using ng with keycloak.js (2.5.0.Final).
>> >> When token expires keycloak.js is intercepting token expired and does a
>> >> renew call when it fails (see client side stack below).
>> >> Anyone has any clue around this behavior?
>> >> My app is running on 9443 and KC on 8543 over https - all working fine
>> >> up to the point when refresh token kicks in.
>> >> Behind the scenes is the cors stuff.
>> >> Thanks
>> >>
>> >> keycloak.js:451 POST https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token 400 (Bad Request)
>> >>
>> >> exec @ keycloak.js:451
>> >> (anonymous) @ keycloak.js:459
>> >>
>> >> setSuccess @ keycloak.js:773
>> >>
>> >> messageCallback @ keycloak.js:854
>> >> :9443/EDIT/#/EDIT/home:1
>> >> XMLHttpRequest cannot load https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://EDIT:9443' is therefore not allowed access. The response had HTTP status code 400.
>> >>
>> >
>>
>

From ushanas at gmail.com Mon Jan 23 21:51:25 2017
From: ushanas at gmail.com (Ushanas Shastri)
Date: Tue, 24 Jan 2017 08:21:25 +0530
Subject: [keycloak-user] Policies seem to go corrupt, version 2.5.0
In-Reply-To:
References:
Message-ID:

Hello,

I've created scope based permissions tied to role based policies. Any new permission or policy we create, all looks right, but we find random instances of policies that deny authorization, and when we want to investigate, we can't even see the details of the policy. It shows up in the list, but clicking on it takes us to a resource not found page. Any ideas on what may be happening here?

Regards,
Ushanas.

From Michael.Jacobs at nuance.com Mon Jan 23 22:26:00 2017
From: Michael.Jacobs at nuance.com (Jacobs, Michael)
Date: Tue, 24 Jan 2017 03:26:00 +0000
Subject: [keycloak-user] [EXTERNAL] Re: Cross-Site Replication
In-Reply-To:
References:
Message-ID:

Thanks, we were able to get this working. However we are interested in avoiding JDG.
If we disable the user and realm caches, can we just have 2 independent clusters each pointing at a database that replicates via multi-master?

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, January 03, 2017 9:48 PM
To: Jacobs, Michael
Cc: Marek Posolda ; keycloak-user at lists.jboss.org
Subject: Re: [EXTERNAL] Re: [keycloak-user] Cross-Site Replication

Yes, db replication is still required

On 3 January 2017 at 18:21, Jacobs, Michael wrote:

Thanks for posting this, I will model it out. I assume this solution still requires DB replication to keep the underlying persisted data in sync. All that is replicating is the invalidation messages to keep the in-memory caches in sync, correct?

MJ

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday, December 19, 2016 1:23 AM
To: stian at redhat.com; Jacobs, Michael
Cc: keycloak-user at lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] Cross-Site Replication

On 19/12/16 09:49, Stian Thorgersen wrote:
> We don't currently support cross-DC replication very well and it is
> something we are looking at improving in 2017. We're tackling this in
> stages:
>
> 1. Dealing with invalidation caches cross-DC - this is already
> resolved and is done by using external Infinispan/JDG to replicate
> invalidation messages cross-DC. I don't think we have documentation on
> how to set this up yet though.
I've added some notes for the basic setup https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md . This is the setup for 1 external JDG server and with 2 Keycloak nodes, which are not in the cluster, but they both talk to the JDG server. Feel free to check it, just be aware of all the limitations related to sessions (points 2,3,4).

Marek

> 2. Support with sessions affinity to a specific DC - as long as all
> requests for a session are made to the same cluster everything should work
> already. This is simpler to set up for SAML than for OIDC due to OIDC
> backchannel requests from both browser and applications for the same session
> 3. Support session replication - this requires a fair bit of rework on how
> we do sessions, including during authentication flows, as currently there
> are too many updates to a session to fully replicate these cross DCs
> 4. Support without session affinity - allow requests to go to any DC for
> any session
>
> On 16 December 2016 at 20:23, Jacobs, Michael wrote:
>
>> Greetings,
>>
>> I am looking at setting up Cross-site replication for multiple Keycloak
>> clusters, possibly using DB replication. I found this question asked back
>> in May 2016, with no reply.
>>
>> http://lists.jboss.org/pipermail/keycloak-user/2016-May/006142.html
>>
>> Does anyone know the best way to set this up?
>>
>>
>> MJ
>>

From sthorger at redhat.com Tue Jan 24 02:41:37 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 24 Jan 2017 08:41:37 +0100
Subject: [keycloak-user] [EXTERNAL] Re: Cross-Site Replication
In-Reply-To:
References:
Message-ID:

If you disable caches and can have sticky sessions (at least to a specific DC so session replication isn't needed) then yes. However, you won't be able to handle much load at all and response times will be bad.

On 24 January 2017 at 04:26, Jacobs, Michael wrote:

> Thanks, we were able to get this working. However we are interested in
> avoiding JDG. If we disable the user and realm caches, can we just have 2
> independent clusters each pointing at a database that replicates via
> multi-master?
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, January 03, 2017 9:48 PM
> *To:* Jacobs, Michael
> *Cc:* Marek Posolda ; keycloak-user at lists.jboss.org
> *Subject:* Re: [EXTERNAL] Re: [keycloak-user] Cross-Site Replication
>
> Yes, db replication is still required
>
> On 3 January 2017 at 18:21, Jacobs, Michael wrote:
>
> Thanks for posting this, I will model it out. I assume this solution
> still requires DB replication to keep the underlying persisted data in
> sync. All that is replicating is the invalidation messages to keep the
> in-memory caches in sync, correct?
>
> MJ
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Monday, December 19, 2016 1:23 AM
> To: stian at redhat.com; Jacobs, Michael
> Cc: keycloak-user at lists.jboss.org
> Subject: [EXTERNAL] Re: [keycloak-user] Cross-Site Replication
>
> On 19/12/16 09:49, Stian Thorgersen wrote:
> > We don't currently support cross-DC replication very well and it is
> > something we are looking at improving in 2017. We're tackling this in
> > stages:
> >
> > 1. Dealing with invalidation caches cross-DC - this is already
> > resolved and is done by using external Infinispan/JDG to replicate
> > invalidation messages cross-DC. I don't think we have documentation on
> > how to set this up yet though.
> I've added some notes for the basic setup
> https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md
> . This is the setup for 1 external JDG server and with 2 Keycloak nodes,
> which are not in the cluster, but they both talk to the JDG server. Feel
> free to check it, just be aware of all the limitations related to sessions
> (points 2,3,4).
>
> Marek
> > 2. Support with sessions affinity to a specific DC - as long as all
> > requests for a session are made to the same cluster everything should work
> > already. This is simpler to set up for SAML than for OIDC due to OIDC
> > backchannel requests from both browser and applications for the same
> > session
> > 3. Support session replication - this requires a fair bit of rework on
> > how we do sessions, including during authentication flows, as currently there
> > are too many updates to a session to fully replicate these cross DCs
> > 4. Support without session affinity - allow requests to go to any DC for
> > any session
> >
> > On 16 December 2016 at 20:23, Jacobs, Michael wrote:
> >
> >> Greetings,
> >>
> >> I am looking at setting up Cross-site replication for multiple Keycloak
> >> clusters, possibly using DB replication. I found this question asked
> >> back in May 2016, with no reply.
> >>
> >> http://lists.jboss.org/pipermail/keycloak-user/2016-May/006142.html
> >>
> >> Does anyone know the best way to set this up?
> >>
> >>
> >> MJ
> >>
> >
>

From sthorger at redhat.com Tue Jan 24 02:46:10 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 24 Jan 2017 08:46:10 +0100
Subject: [keycloak-user] keycloak.js - token refresh- Bad request 400 - cors
In-Reply-To: <871ace3709c7ea9f3628aa985fc02ca0.squirrel@neposoft.com>
References: <41eb49c149d01bfe3b5b3b89f4e85052.squirrel@neposoft.com> <871ace3709c7ea9f3628aa985fc02ca0.squirrel@neposoft.com>
Message-ID:

Works fine here and I can't reproduce it. Refreshing tokens works like a charm and I've got apps running on a different port to KC like you do. I believe this is quite likely an issue at your end as we do have quite a lot of folks using keycloak.js and no one else has complained about this. You'll need to give us steps to reproduce or at least more details to go on.

On 23 January 2017 at 21:15, java_os wrote:

> I still believe this is a bug in 2.5.0.Final
> The flow is client using keycloak.js - and as far as I'm concerned it runs fine
> until the point where the token expires, at which point the renew process goes
> into 400 origins. Would be easy for you guys to re-create this on your
> end.
> thx
>
> > Strange - it's the same endpoint that is called for code->token and token
> > refresh, so can't see why one would work and not the other.
> >
> > On 14 January 2017 at 01:58, java_os wrote:
> >
> >> Yes, set origins to *. also the app works well: ng-kc
> >> broker-idp-redirects
> >> back to my app. As said no issues on regular workflow of the app. even
> >> logout works fine. it's only when token expires I'm getting this error.
> >> more clues?
> >> What you mean by proper setup of web origin? what's proper. Thought if set
> >> to * would do it.
> >> thx
> >> > Did you set up proper web origins and redirect URIs for your app?
> >> >
> >> > On 12 January 2017 at 17:18, java_os wrote:
> >> >
> >> >> Hi group
> >> >> I'm using ng with keycloak.js (2.5.0.Final).
> >> >> When token expires keycloak.js is intercepting token expired and does a
> >> >> renew call when it fails (see client side stack below).
> >> >> Anyone has any clue around this behavior?
> >> >> My app is running on 9443 and KC on 8543 over https - all working fine
> >> >> up to the point when refresh token kicks in.
> >> >> Behind the scenes is the cors stuff.
> >> >> Thanks
> >> >>
> >> >> keycloak.js:451 POST https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token 400 (Bad Request)
> >> >>
> >> >> exec @ keycloak.js:451
> >> >> (anonymous) @ keycloak.js:459
> >> >>
> >> >> setSuccess @ keycloak.js:773
> >> >>
> >> >> messageCallback @ keycloak.js:854
> >> >> :9443/EDIT/#/EDIT/home:1
> >> >> XMLHttpRequest cannot load https://EDIT:8543/auth/realms/EDIT/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://EDIT:9443' is therefore not allowed access. The response had HTTP status code 400.
> >> >>
> >> >
> >>
> >
>

From sthorger at redhat.com Tue Jan 24 02:48:15 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 24 Jan 2017 08:48:15 +0100
Subject: [keycloak-user] do not import users when brokering
In-Reply-To:
References:
Message-ID:

It's not currently possible, but it is something we may add at some point.

On 23 January 2017 at 19:29, Peter Schiffer wrote:

> Hello all,
>
> I'm working on some POC with keycloak and OpenShift [1] and I'm wondering -
> is it possible to configure Keycloak in a way that it won't create new
> users in the local database when acting as a broker? For example, in this case
> [2], I want to be able to login as `user` from the saml broker, but without
> creating the new user in saml-authentication-broker. Is it possible?
>
> Thanks,
>
> peter
>
> [1] https://github.com/pschiffe/keycloak-demo
> [2] https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
>

From sthorger at redhat.com Tue Jan 24 02:50:15 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 24 Jan 2017 08:50:15 +0100
Subject: [keycloak-user] user storage provider (Keycloak 2.5.0) deployed as war file: CDI does not work
In-Reply-To: <32a669a4-ef51-7e3b-8a71-9b3ae47de178@redhat.com>
References: <61D077C6283D454FAFD06F6AC4AB74D723E96B77@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> <32a669a4-ef51-7e3b-8a71-9b3ae47de178@redhat.com>
Message-ID:

I'm pretty sure CDI just won't work. When we invoke the provider from Keycloak it doesn't set up the CDI context, as it's not a managed request to the deployment, so the necessary CDI filters and such are not invoked.

On 19 January 2017 at 16:01, Bill Burke wrote:

> How exactly are you implementing it? Can you point me to some example
> code? Remember, UserStorageProviderFactory *MUST* be a POJO. I haven't
> done CDI in years, but I believe it would work similarly to the EJB
> example, except you'd look up the CDI bean manager and allocate your
> provider through the bean manager.
>
>
> On 1/19/17 5:36 AM, Matuszak, Eduard wrote:
> > Hello
> >
> > It is not possible for me to bring CDI (@Inject) to work in a user
> > storage provider application (Keycloak 2.5.0), deployed as a war-file. The
> > required beans.xml is placed correctly in the war-file and passed by Weld
> > during deployment, but all injected objects are null.
> >
> > Is this a known (and possibly perforced) behaviour, a (minor) bug or
> > simply due to a missing trick?
> >
> > Thanks in advance for a feedback, Eduard Matuszak
> >
>

From mposolda at redhat.com Tue Jan 24 04:08:22 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 24 Jan 2017 10:08:22 +0100
Subject: [keycloak-user] StackOverflowError when logging in to AdminConsole after upgrading to 2.5.0.Final
In-Reply-To:
References: <20170123113156.GA31909@abstractj.org>
Message-ID: <2141ad92-b81f-165d-2ecb-935377051ef5@redhat.com>

StackOverflowError fixed in latest master and will be available in the 2.5.1 release. Thanks for reporting this!

Marek

On 23/01/17 16:15, Marek Posolda wrote:
> I've just reproduced the StackOverFlowError. Created JIRA
> https://issues.jboss.org/browse/KEYCLOAK-4274 and I will try to look at it.
>
> It seems that you have recursion in your roles (See the KEYCLOAK-4274
> for more details), which is what causes this error. It is the regression
> introduced in 2.5.0 though :(
>
> Marek
>
> On 23/01/17 14:32, Martin Johansson wrote:
>> Hi,
>>
>> Thanks for the reply.
>>
>> The only thing I did was to start a newly built Docker container with a
>> change from:
>>
>> FROM jboss/keycloak-postgres:2.4.0.Final
>>
>> to:
>>
>> FROM jboss/keycloak-postgres:2.5.0.Final
>>
>> When I upgraded from 2.3.0.Final to 2.4.0.Final, doing the same thing,
>> everything worked like a charm.
>>
>> I started the container in DEBUG mode, the (rather long) logs can be found
>> here: https://gist.github.com/anonymous/09af29c5205de0480221903ee0fee611
>>
>> I successfully downgraded to 2.4.0 again and then I could log in again.
>> However, I got this error in the log:
>> 12:58:11,541 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.4.0.Final (WildFly Core 2.0.10.Final) started in 14235ms - Started 427 of 801 services (542 services are lazy, passive or on-demand)
>> 12:59:42,079 ERROR [org.keycloak.keys.DefaultKeyManager] (default task-42) Failed to load provider 1b1b5650-0093-453b-9d6e-ef26cb28b05e: java.lang.NullPointerException
>> at org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyManager.java:133)
>> at org.keycloak.keys.DefaultKeyManager.getActiveKey(DefaultKeyManager.java:51)
>> at org.keycloak.protocol.RestartLoginCookie.encode(RestartLoginCookie.java:117)
>> at org.keycloak.protocol.RestartLoginCookie.setRestartCookie(RestartLoginCookie.java:140)
>> at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:119)
>> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
>> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at
java.lang.reflect.Method.invoke(Method.java:498) >> at >> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >> at >> 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> If you know where I should dig deeper, please let me know.
>>
>> BR,
>> Martin
>>
>> On Mon, Jan 23, 2017 at 12:32 PM Bruno Oliveira wrote:
>>
>>> Do you have the exact steps to reproduce it? I can try it here.
>>>
>>> On 2017-01-23, Martin Johansson wrote:
>>>> Hi,
>>>>
>>>> We're using the keycloak-postgres docker container. After upgrading
>>>> from 2.4.0.Final to 2.5.0.Final, we're unable to login to the administration
>>>> console. When we log in, the exception in the end of this mail appears. Any
>>>> help on understanding why this happens would be much appreciated.
>>>>
>>>> BR,
>>>> Martin
>>>>
>>>> 11:01:32,434 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.5.0.Final (WildFly Core 2.0.10.Final) started in 12203ms - Started 427 of 801 services (542 services are lazy, passive or on-demand)
>>>> 11:02:11,949 ERROR [io.undertow.request] (default task-51) UT005023: Exception handling request to /auth/realms/master/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: java.lang.StackOverflowError
>>>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>>> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: java.lang.StackOverflowError
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.getComposites(RoleAdapter.java:135)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:182)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
>>>> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
>>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>>>> at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185)
>>>> at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179)
>>>> at org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184)
>>>> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569)
>>>> at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
>>>> at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
>>>> at
java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> 
java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> 
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> 
org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> 
java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at 
java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at 
java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> 
java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> 
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> 
org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> 
java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at 
java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at 
java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> 
java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> 
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> 
org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> 
java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at 
java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at 
java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> 
java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) >>>> at >>> java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:185) >>>> at >>>> >>> org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:179) >>>> at >>>> >>> org.keycloak.models.utils.KeycloakModelUtils.lambda$searchFor$0(KeycloakModelUtils.java:184) >>>> at >>> 
java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) >>>> at java.util.HashMap$KeySpliterator.tryAdvance(HashMap.java:1569) >>>> at >>>> >>> java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) >>>> at >>>> >>> java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) >>>> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) >>>> at >>>> >>> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) >>>> at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152) >>>> at java.util.stream.<
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From alexander.chriztopher at gmail.com Tue Jan 24 05:05:36 2017
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Tue, 24 Jan 2017 11:05:36 +0100
Subject: [keycloak-user] Brokering with OIDC and Direct Access Grant
Message-ID:

Hello,

I am looking for the flow to get an access token with OIDC and 2 Keycloak instances (A and B).

The user is known by instance B and gets an access token from instance B, then needs to access an API protected with instance A.

What would be the best way to do it?

Thanks for any help.

From mposolda at redhat.com Tue Jan 24 05:16:34 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 24 Jan 2017 11:16:34 +0100
Subject: [keycloak-user] LDAP Attribute to Keycloak Role
In-Reply-To: <1848322927.1774374.1485163175326@mail.yahoo.com>
References: <1381825158.1790222.1485163027320.ref@mail.yahoo.com> <1381825158.1790222.1485163027320@mail.yahoo.com> <1848322927.1774374.1485163175326@mail.yahoo.com>
Message-ID:

It seems that the attribute "sRoles" is your own extension to the LDAP schema. Is that correct? I can't see anything like that in the standard LDAP schema.

We currently don't have what you mentioned OOTB though.
Not sure if we should add that OOTB, as it seems you're the only one requesting this so far.

One thing our roleMapper supports is that roles can be retrieved from the "memberOf" attribute on the user record. This is LDAP standard. For example, an LDAP user record has something like this:

memberOf: CN=realmRole1,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test
memberOf: CN=realmRole2,OU=RealmRoles,O=keycloak,DC=foodomain,DC=test

and based on that, we assign him roles "role1" and "role2" on the Keycloak side. This is used when you set the "User Roles Retrieve Strategy" of the role mapper to "GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE". But note that the implementation has the attribute name hardcoded to "memberOf", and it must also contain the full DN of the particular role, not just the name.

Feel free to create your own implementation. You can take a look at the RoleLDAPStorageMapper and UserRolesRetrieveStrategy Java classes for inspiration. Maybe you can override RoleLDAPStorageMapper though.

Marek

On 23/01/17 10:19, Adrian Madaras wrote:
>
>
> Hi everybody,
> I am trying to map a user attribute named 'sRoles' from LDAP to Roles in Keycloak. Is this possible? I could not find any reference regarding this online and I think it's a subject that a lot of people would be interested in.
> Thanks in advance,
> Adrian
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Jan 24 05:25:06 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 24 Jan 2017 11:25:06 +0100
Subject: [keycloak-user] Brokering with OIDC and Direct Access Grant
In-Reply-To:
References:
Message-ID: <4614053e-f0b2-fc4d-ceae-cd77254d16df@redhat.com>

I assume that Keycloak instances A and B are not in a cluster? If you can put them in a cluster, you will have this supported OOTB.

Also, did you see our multitenancy feature and multi-tenant example?
This allows the application (API) to be protected by both instance A and B. So based on the token from the request, you will see whether you should use Keycloak A or B to validate the token.

Marek

On 24/01/17 11:05, Alexander Chriztopher wrote:
> Hello,
>
> Am looking for the flow to get an access token with OIDC and 2 Keycloak
> instances (A and B).
>
> User is Known by instance B and gets an access token from instance B then
> needs to access an API protected with instance A.
>
> What would be the best way to do it ?
>
> Thanks for any help.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Jan 24 05:34:51 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 24 Jan 2017 11:34:51 +0100
Subject: [keycloak-user] AuthenticationManager send back access_denied error when it should send server_error
In-Reply-To:
References:
Message-ID: <67d0f1a3-4e86-b975-025c-fde0fdee37e1@redhat.com>

I think you can create a JIRA for your use case and set the component "Authenticator" and fix version "3.0.0.CR1" for that JIRA.

AFAIK we are going to improve the Authentication SPI (and the requiredAction SPI is treated as part of it), so this can be done as part of that though.

Marek

On 18/01/17 15:53, Cristi Cioriia wrote:
> Hi guys,
>
> The AuthenticationManager class handles failed required action by sending
> an access_denied error message back to the client application, instead of a
> server error, if the required actions detects that it cannot display the
> required action page and marks the context as failed.
>
> The use case I have is the following:
>
> 1) I have created and configured a required action that calls an external
> service to retrieve some data. If that service fails, then I cannot display
> the required action page to the user, so I call
>
> context.failure().
>
> 2) Now, when the AuthenticationManager.executionActions method is called to
> display the required action page, it detects that the status of the
> required action context is FAILURE (line 641), so it doesn't display the
> required action page, but instead it calls at line 647 the oidc protocol
> like this:
>
> Response response = protocol.sendError(context.getClientSession(),
> Error.CONSENT_DENIED);
>
> This creates a response for the client application with
> error=access_denied, but in my opinion it should be with server_error,
> because the user didn't even have the chance to grant consent.
>
> Isn't this how it should happen? I noticed that the server_error is not
> returned to the client at all, as is only the default branch of a switch,
> and it can't be reached at all, as the Error enum does not have a mapping
> for it.
>
> Looking forward for an answer.
>
> Greetings,
> Cristi
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From lists at merit.unu.edu Tue Jan 24 04:30:20 2017
From: lists at merit.unu.edu (mj)
Date: Tue, 24 Jan 2017 10:30:20 +0100
Subject: [keycloak-user] another small enhancement request for MSAD password mapper
Message-ID: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu>

Hi,

In the Microsoft management tools there is a checkbox: "user must change password at next logon". If I check that box, Keycloak 2.5 gives us a logon failure.

Perhaps it would be only a rather small change to map that MSAD checkbox ("Pwd-Last-Set" = 0) to the equivalent in Keycloak: the "credentials" / "temporary" switch. So the next time, a user is asked to change his/her password.

More MS info here:
https://msdn.microsoft.com/en-us/library/ms679430

And thanks very much for the recent fix of issue 2333, on MSAD password policies! Much appreciated!
:-)

MJ

From mposolda at redhat.com Tue Jan 24 05:37:01 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 24 Jan 2017 11:37:01 +0100
Subject: [keycloak-user] AuthenticationManager send back access_denied error when it should send server_error
In-Reply-To: <67d0f1a3-4e86-b975-025c-fde0fdee37e1@redhat.com>
References: <67d0f1a3-4e86-b975-025c-fde0fdee37e1@redhat.com>
Message-ID:

Well, sorry... I wonder if you can handle this by calling:

context.challenge(response)

instead of:

context.failure()

It seems that then you can send any response you want. So you can also redirect to your application with any error query parameters you want?

Marek

On 24/01/17 11:34, Marek Posolda wrote:
> I think you can create JIRA for your usecase and set the component
> "Authenticator" and fix version "3.0.0.CR1" for that JIRA.
>
> AFAIK we are going to improve Authentication SPI (and requiredAction
> SPI is treated as the part of it), so this can be done as part of that
> though.
>
> Marek
>
>
> On 18/01/17 15:53, Cristi Cioriia wrote:
>> Hi guys,
>>
>> The AuthenticationManager class handles failed required action by
>> sending
>> an access_denied error message back to the client application,
>> instead of a
>> server error, if the required actions detects that it cannot display the
>> required action page and marks the context as failed.
>>
>> The use case I have is the following:
>>
>> 1) I have created and configured a required action that calls an
>> external
>> service to retrieve some data. If that service fails, then I cannot
>> display
>> the required action page to the user, so I call
>>
>> context.failure().
>>
>> 2) Now, when the AuthenticationManager.executionActions method is
>> called to
>> display the required action page, it detects that the status of the
>> required action context is FAILURE (line 641), so it doesn't display the
>> required action page, but instead it calls at line 647 the oidc protocol
>> like this:
>>
>> Response response = protocol.sendError(context.getClientSession(),
>> Error.CONSENT_DENIED);
>>
>> This creates a response for the client application with
>> error=access_denied, but in my opinion it should be with server_error,
>> because the user didn't even have the chance to grant consent.
>>
>> Isn't this how it should happen? I noticed that the server_error is not
>> returned to the client at all, as is only the default branch of a
>> switch,
>> and it can't be reached at all, as the Error enum does not have a
>> mapping
>> for it.
>>
>> Looking forward for an answer.
>>
>> Greetings,
>> Cristi
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From mposolda at redhat.com Tue Jan 24 05:47:18 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 24 Jan 2017 11:47:18 +0100
Subject: [keycloak-user] another small enhancement request for MSAD password mapper
In-Reply-To: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu>
References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu>
Message-ID: <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com>

Hmm... I think this should already be working? I've just tested the use case:

- Keycloak with a configured writable MSAD and with the "MSAD Account controls" mapper available
- User "john" from LDAP authenticated in Keycloak successfully
- Then I changed, in the LDAP "john" user record, the value of the "pwdLastSet" attribute to 0
- Then login again as "john" in Keycloak. I am asked to change my password.
After this change the user is authenticated successfully and also his LDAP record has "pwdLastSet" updated back to the current time.

I am testing with latest master though. Can you double-check this scenario on your side? Are you using latest Keycloak master?

Marek

On 24/01/17 10:30, mj wrote:
> Hi,
>
> In the microsoft management tools there is a checkbox: "user must change
> password at next logon". If I check that box, keycloak 2.5 gives us a
> logon failure.
>
> Perhaps it would be only a rather small change, to map that MSAD
> checkbox ("Pwd-Last-Set" = 0) to the equivalent in keycloak:
> "credentials" / "temporary" switch. So the next time a user is asked to
> change his/her password.
>
> More MS info here:
> https://msdn.microsoft.com/en-us/library/ms679430
>
> And thanks very much for the recent fix of issue 2333, on
> MSAD password policies! Much appreciated! :-)
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Jan 24 06:42:35 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 24 Jan 2017 12:42:35 +0100
Subject: [keycloak-user] Synchoronising TOTP with LDAP
In-Reply-To:
References:
Message-ID: <01cb2ac8-5980-434c-d5a1-b4769a1c526c@redhat.com>

It seems that ssoTotpValue is a custom LDAP attribute specific to your LDAP schema? Does it contain the TOTP secret of the particular user?

What you can do is configure the UserAttribute LDAP mapper for your LDAP provider for the attribute ssoTotpValue. Then you will see that "ssoTotpValue" will be in the user attributes of the particular user in Keycloak. So that would be the first step.

Once that is working, it seems that you will need to add your own implementation of credential storage for OTP.
It seems that adding your own UserCredentialStore implementation won't work for LDAP users ATM, but you can likely add your own CredentialProvider for TOTP credentials. You can create a subclass of OTPCredentialProvider and override some methods (like onCache, for instance, where you can add your own CredentialModel retrieved from the ssoTotpValue attribute of the particular user).

The other alternative is to create your own OTPAuthenticator if you don't manage to get the CredentialProvider working.

Marek

On 17/01/17 03:59, Liam Maruff wrote:
> My organisation is transitioning from a legacy authentication mechanism to
> OpenID Connect using Keycloak. The current system stores TOTP data in an
> LDAP store under a field named ssoTotpValue.
>
> Is it possible for us to allow users to continue using their existing TOTP
> configuration by mapping the ssoTotpValue from the existing LDAP store into
> Keycloak? If not, what other mechanisms are available for us to
> accomplish this goal?
>
> Regards,
>
> Liam M
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Jan 24 06:49:47 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 24 Jan 2017 12:49:47 +0100
Subject: [keycloak-user] Brokering with OIDC and Direct Access Grant
In-Reply-To:
References: <4614053e-f0b2-fc4d-ceae-cd77254d16df@redhat.com>
Message-ID: <458013b0-60fc-b1dd-640b-daec38046b16@redhat.com>

We have support for identity brokering, but I'm not sure if that helps with your use case. If I understand correctly, you have a token for B and you want to access an API protected by A with the B-token, right?

If you don't want to use multitenancy for some reason, I think you may have to validate the token yourself on your application side instead of using our adapters.
Even if A and B use the same public key for token verification, the issuer in the B-token will be different, so our adapter (which verifies the issuer) will fail.

Also, you can implement your own directGrant authenticator in Keycloak-A, which will allow you to authenticate with the B-token (sent to it in some parameter) and then return you the A-token, which you can then validate. De facto, exchange the B-token for an A-token. See the Authentication SPI docs for more details.

Marek

On 24/01/17 12:14, Alexander Chriztopher wrote:
> Actually, we don't want our API to know the B instance.
>
> Is there any other solution (am thinking about brokering between A and
> B and creating a client for instance B in instance A etc.) ?
>
> And yes, A and B are not in a cluster for organisation matters.
>
> On Tue, Jan 24, 2017 at 11:25 AM, Marek Posolda
> wrote:
>
> I assume that Keycloak instances A and B are not in cluster? If
> you can put them in cluster, you will have this supported OOTB.
>
> Also did you see our multitenancy feature and multi-tenant
> example? This allows that application (API) is protected by both
> instance A or B. So based on the token from the request, you will
> see if you should use keycloak A or B to validate token.
>
> Marek
>
>
> On 24/01/17 11:05, Alexander Chriztopher wrote:
>
> Hello,
>
> Am looking for the flow to get an access token with OIDC and 2
> Keycloak
> instances (A and B).
>
> User is Known by instance B and gets an access token from
> instance B then
> needs to access an API protected with instance A.
>
> What would be the best way to do it ?
>
> Thanks for any help.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>

From pschiffe at redhat.com Tue Jan 24 07:49:04 2017
From: pschiffe at redhat.com (Peter Schiffer)
Date: Tue, 24 Jan 2017 13:49:04 +0100
Subject: [keycloak-user] do not import users when brokering
In-Reply-To:
References:
Message-ID:

Thanks Stian, is this RFE tracked somewhere? Should I create an issue in JIRA?

This feature is important for us from a scalability point of view; when all the data are available in the remote IdP, we don't want to maintain another "cache-like" database.

Thanks,

peter

On Tue, Jan 24, 2017 at 8:48 AM, Stian Thorgersen wrote:
> It's not currently possible, but it is something we may add at some point.
>
> On 23 January 2017 at 19:29, Peter Schiffer wrote:
>
>> Hello all,
>>
>> I'm working on some POC with keycloak and OpenShift [1] and I'm wondering
>> -
>> is it possible to configure Keycloak in a way, that it won't create new
>> users in local database when acting as a broker? For example, in this case
>> [2], I want to be able to login as `user` from saml broker, but without
>> creating the new user in saml-authentication-broker. Is it possible?
>>
>> Thanks,
>>
>> peter
>>
>> [1] https://github.com/pschiffe/keycloak-demo
>> [2] https://github.com/keycloak/keycloak/tree/master/examples/
>> broker/saml-broker-authentication
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From diegodiez.ddr at gmail.com Tue Jan 24 07:58:12 2017
From: diegodiez.ddr at gmail.com (Diego Diez)
Date: Tue, 24 Jan 2017 13:58:12 +0100
Subject: [keycloak-user] Prevent token expiring when using spring-security-adapter
Message-ID:

Hi all,

I have two applications configured with the spring-security-adapter.
What I need to accomplish is to prevent the token expiration, to be able to jump from one app to the other without introducing my credentials again in the Keycloak server.

Since both applications only communicate with the Keycloak server at login and logout (once logged in, the application only checks if there is an Authentication object in the session), the token could be expired if I go to application 2 after a while navigating application 1. For example:

Keycloak config:
- access token idle timeout 45 minutes.

Http session config:
- Timeout 30 minutes.

1. Log in app1
2. Introduce user/pass in keycloak and create http session with Authentication object in app1
3. Navigate and do stuff for 1 hour
   - At this moment, I have an http session with a logged in user while the keycloak session has been invalidated due to the idle timeout
4. Go to app2
5. Keycloak requires again user/pass because the token is expired.

Am I missing something? I need to refresh the access token before it expires in the Keycloak server (step 3) but I couldn't find a way.

Thanks in advance,

Diego.

From psilva at redhat.com Tue Jan 24 08:21:33 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 24 Jan 2017 11:21:33 -0200
Subject: [keycloak-user] Policies seem to go corrupt, version 2.5.0
In-Reply-To:
References:
Message-ID:

I see. I'm going to check what is happening. Can't understand why it works after re-creating the policies.

So, which version were you using before migrating to 2.5.0? Did you also try a build from upstream?

On Tue, Jan 24, 2017 at 11:04 AM, Ushanas Shastri wrote:
> Hello Pedro,
>
> Policies created by us stop working. For example, without any change the
> Evaluation API shows Deny, and we can't investigate why, as the policy
> results in Resource not found.
>
> Interestingly, while the Evaluation API in the administration console
> says denied, the protected application gets a permit when using the
> Authorization API.
>
> We then recreate the policies, permissions and all is good again.
>
> Regards, Ushanas.
>
>
> On 24-Jan-2017 5:05 PM, "Pedro Igor Silva" wrote:
>
> HI Ushanas, recently we made a specific change to update policies types
> from "drools" to "rules". But that was in 2.5.1, so I think it is not the case.
>
> Can you elaborate more what are those random instances of policies ? Are
> they being created somehow but not by you ?
>
> Regarding the resource not found, I think I have fixed this with this PR
> https://github.com/keycloak/keycloak/pull/3766/. It should be available
> on 2.5.1.
>
> Thanks.
>
> On Tue, Jan 24, 2017 at 12:51 AM, Ushanas Shastri
> wrote:
>
>> Hello,
>>
>> I've created scope based permissions tied to role based policies. Any new
>> permission or policy we create, all looks right, but we find random
>> instances of policies that deny authorization, and when we want to
>> investigate, we can't even see the details of the policy. It shows up in
>> the list, but clicking on it takes us to a resource not found page.
>> Any ideas on what may be happening here?
>>
>> Regards, Ushanas.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From ushanas at gmail.com Tue Jan 24 08:43:14 2017
From: ushanas at gmail.com (Ushanas Shastri)
Date: Tue, 24 Jan 2017 19:13:14 +0530
Subject: [keycloak-user] Policies seem to go corrupt, version 2.5.0
In-Reply-To:
References:
Message-ID:

Hello,

We didn't migrate, we did a fresh install. I'm checking if we copied standalone.xml from an older version, but I doubt it.

Haven't yet taken the upstream version. We've had difficulties making a build, and are looking into it.

Thank you,

Regards, Ushanas.

On 24-Jan-2017 6:51 PM, "Pedro Igor Silva" wrote:
> I see. I'm going to check what is happening. Can't understand why it works
> after re-creating the policies.
>
> So, which version were you using before migrating to 2.5.0? Did you also try a build from upstream?
>
> On Tue, Jan 24, 2017 at 11:04 AM, Ushanas Shastri wrote:
>
>> Hello Pedro,
>>
>> Policies created by us stop working. For example, without any change the Evaluation API shows Deny, and we can't investigate why, as the policy results in Resource not found.
>>
>> Interestingly, while the Evaluation API in the administration console says denied, the protected application gets a permit when using the Authorization API.
>>
>> We then recreate the policies, permissions and all is good again.
>>
>> Regards, Ushanas.
>>
>> On 24-Jan-2017 5:05 PM, "Pedro Igor Silva" wrote:
>>
>> Hi Ushanas, recently we made a specific change to update policies types from "drools" to "rules". But that was in 2.5.1, so I think it is not the case.
>>
>> Can you elaborate more on what those random instances of policies are? Are they being created somehow but not by you?
>>
>> Regarding the resource not found, I think I have fixed this with this PR https://github.com/keycloak/keycloak/pull/3766/. It should be available on 2.5.1.
>>
>> Thanks.
>>
>> On Tue, Jan 24, 2017 at 12:51 AM, Ushanas Shastri wrote:
>>
>>> Hello,
>>>
>>> I've created scope based permissions tied to role based policies. Any new permission or policy we create, all looks right, but we find random instances of policies that deny authorization, and when we want to investigate, we can't even see the details of the policy. It shows up in the list, but clicking on it takes us to a resource not found page. Any ideas on what may be happening here?
>>>
>>> Regards, Ushanas.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>

From santosh.haranath at gmail.com Tue Jan 24 09:50:12 2017
From: santosh.haranath at gmail.com (santosh.haranath at gmail.com)
Date: Tue, 24 Jan 2017 06:50:12 -0800
Subject: [keycloak-user] AngularJS or react App for login
Message-ID: <48F4E47B-9A20-48CF-AF68-E49ECB4AE96A@gmail.com>

Can we use an AngularJS or React based application to render login pages? I have noticed administration APIs but did not see authentication APIs to build upon.

- Santosh

From zeus.arias at beeva.com Tue Jan 24 10:20:04 2017
From: zeus.arias at beeva.com (Zeus Arias Lucero | BEEVA)
Date: Tue, 24 Jan 2017 16:20:04 +0100
Subject: [keycloak-user] CORS setup
In-Reply-To: References: Message-ID:

Sorry, it does not work. Can you write here the steps for a correct configuration?

My client configuration is:
___________________________________________________________________________________
Client ID: app
Name: app
Description:
Enabled: ON
Consent Required: OFF
Client Protocol: openid-connect
Client Template:
Access Type: public
Standard Flow: ON
Implicit Flow: ON
Direct Access Grants: OFF
Authorization: OFF
Root URL: https://localhost:8080/sso/login
Base URL
Admin URL
Web Origins: https://localhost:8080 https://*:8080 https://*
_______________________________________________________________________________

My keycloak.json

{
  "realm": "REALM",
  "realm-public-key": "KEY",
  "auth-server-url": "https://example:8443/auth",
  "ssl-required": "all",
  "enable-cors" : true,
  "cors-max-age" : 10000,
  "cors-allowed-methods" : "POST, PUT, DELETE, GET, HEAD",
  "cors-allowed-headers" : "Access-Control-Allow-Origin, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers",
  "resource": "app",
  "public-client": true,
  "principal-attribute": "preferred_username"
}

2016-12-02
11:25 GMT+01:00 Bruno Oliveira :
> Yes, take a look at the examples https://github.com/keycloak/keycloak/tree/master/examples/cors.
>
> On Fri, Dec 2, 2016 at 8:20 AM Zeus Arias Lucero | BEEVA <zeus.arias at beeva.com> wrote:
>
>> Hi,
>>
>> Is it possible to configure cors? Which are the steps?
>>
>> My config client is (json):
>>
>> {
>>   "realm": "name",
>>   "realm-public-key": "...",
>>   "auth-server-url": "https://example:8443/auth",
>>   "ssl-required": "all",
>>   "resource": "name",
>>   "enable-cors": true,
>>   "cors-allowed-methods": "GET, HEAD, OPTIONS",
>>   "cors-allowed-headers": "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers",
>>   "credentials": {
>>     "secret": "...."
>>   },
>>   "principal-attribute": "preferred_username"
>> }
>>
>> And the error in the application is:
>>
>> XMLHttpRequest cannot load https://keycloak_url:8443/auth/realms/name/protocol/open ?gin&state=1%2token&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://url_app' is therefore not allowed access.
>>
>> The Keycloak Response Header is:
>>
>> Cache-Control:no-store, must-revalidate, max-age=0
>> Connection:keep-alive
>> Content-Length:5257
>> Content-Security-Policy:frame-src 'self'
>> Content-Type:text/html;charset=utf-8
>> Date:Fri, 02 Dec 2016 09:37:15 GMT
>> Server:WildFly/10
>> Set-Cookie:KC_RESTART=COOKIE; Version=1; Path=/auth/realms/name; Secure; HttpOnly
>> X-Content-Type-Options:nosniff
>> X-Frame-Options:SAMEORIGIN
>> X-Powered-By:Undertow/1
>>
>> Do I have to modify the file standalone.xml?
>> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From roger.turnau at pwc.com Tue Jan 24 10:59:03 2017 From: roger.turnau at pwc.com (Roger Turnau (US - Advisory)) Date: Tue, 24 Jan 2017 10:59:03 -0500 Subject: [keycloak-user] AngularJS or react App for login In-Reply-To: <48F4E47B-9A20-48CF-AF68-E49ECB4AE96A@gmail.com> References: <48F4E47B-9A20-48CF-AF68-E49ECB4AE96A@gmail.com> Message-ID: Santosh, Is there some reason you can't simply use a new theme to style the existing login pages to match your application? I'm building an AngularJS app to work with Keycloak, and that is what my team is doing. I'm not sure what you gain by rewriting the existing functionality. If it's a question of integrating Keycloak with your Angular app, I'd be happy to share with you how we do it. Roger Turnau On Tue, Jan 24, 2017 at 9:50 AM, wrote: > Can we use an angularJS or React based application to render login pages? > I have noticed administration APIs but did not see authentication APIs to > build upon. > > - Santosh > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- *Roger Turnau* PwC | Manager - Advisory Financial Services Mobile: 850-228-2006 Email: roger.turnau at pwc.com PricewaterhouseCoopers LLP 50 North Laura Street, Suite 3000, Jacksonville FL 32202 http://www.pwc.com/us Save energy. Save a tree. Save the printing for something really important. ______________________________________________________________________ The information transmitted, including any attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. 
Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited, and all liability arising therefrom is disclaimed. If you received this in error, please contact the sender and delete the material from any computer. PricewaterhouseCoopers LLP is a Delaware limited liability partnership. This communication may come from PricewaterhouseCoopers LLP or one of its subsidiaries.

From santosh.haranath at gmail.com Tue Jan 24 14:30:58 2017
From: santosh.haranath at gmail.com (Santosh Haranath)
Date: Tue, 24 Jan 2017 11:30:58 -0800
Subject: [keycloak-user] MariaDB / MySQL / Postgres-BDR / Postgres-XL
Message-ID:

Any database of choice for multi-site deployment? Our initial research points towards Postgres. For MMR, Postgres has two choices, Postgres-BDR and Postgres-XL. Any experience with these technologies to build a multi-site, session-replicated access management infrastructure?

Thanks.

From shmuein+keycloak-dev at gmail.com Tue Jan 24 17:05:28 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Tue, 24 Jan 2017 16:05:28 -0600
Subject: [keycloak-user] IDP Logout for SPs which don't support SAML Logout
Message-ID:

Hi all,

We are using KeyCloak as IDP to support SAML authentication for different SPs. Some of the SPs don't support SAML logout (such as Salesforce). They only support setting up a GET Logout URL provided by the Identity Provider. https://success.salesforce.com/ideaView?id=08730000000DjseAAC

I came across this bug reported in Jira, which suggests using the OpenID Connect protocol to log out as a workaround. https://issues.jboss.org/browse/KEYCLOAK-3476

I tried that approach but it didn't work for me.
I have added https://muein2-dev-ed.my.salesforce.com as a valid URI under the Salesforce SP and provided https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com as the logout URL in Salesforce. But when I tried to log out from Salesforce, it failed for me with the following exception.

2:32,165 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-1) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: ht // mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com
at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)

1. Am I missing something here?
2. Also, is there any plan to add a generic logout URL (as suggested in KEYCLOAK-3476) which can be used for such SPs?

Regards,
Muein

From pulgupta at redhat.com Wed Jan 25 03:29:18 2017
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Wed, 25 Jan 2017 13:59:18 +0530
Subject: [keycloak-user] Logout in cluster environments
In-Reply-To: <1466d573-9ff2-288f-b531-fd4d0d22530b@redhat.com>
References: <2616fafe-5f4b-8c2d-b78d-68250252f95f@redhat.com> <1466d573-9ff2-288f-b531-fd4d0d22530b@redhat.com>
Message-ID:

Thanks Marek,

I worked more around this and now the sessions are getting replicated across the cluster for our applications.

However, I can still see that when we log out we are able to log back in without entering the credentials. This happens most of the time but a few times we are logged out correctly.

I am not sure why the logout is not ending the user session and why we are able to visit the protected resource without re-authenticating. Can you please suggest where I can look.
Regards,
Pulkit

On Mon, Jan 23, 2017 at 2:04 PM, Marek Posolda wrote:
> I don't see anything in our documentation for Keycloak SAML adapter. Not sure if we support clustering or not. Maybe someone else knows.
>
> But I think that if you have in your applications and it still doesn't work, then feel free to create JIRA.
>
> Marek
>
> On 20/01/17 17:29, Pulkit Gupta wrote:
>
> We can't really move to OIDC as we have already used SAML for a number of apps. Is clustering not supported by SAML client adapters for JBoss?
>
> Regards,
> Pulkit
>
> On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda wrote:
>
>> This is supposed to work for Keycloak OIDC clients and some docs are here https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/application-clustering.html .
>>
>> I don't know about Keycloak SAML clients. Is it an alternative for you to try OIDC instead of SAML?
>>
>> Marek
>>
>> On 20/01/17 08:19, Pulkit Gupta wrote:
>>
>>> Hi All,
>>>
>>> I am running multiple applications deployed on a JBoss cluster with infinispan used as a cache and for distributed sessions. I verified and can see that session replication is working for a normal application where I can see the same session on all the servers in the cluster and hence the application is working fine without session stickiness.
>>>
>>> However when I am trying to use any Keycloak SAML client based application it is only working if the request is going to a particular box in the cluster. On all the other boxes we are getting errors. From this behavior I am concluding that somehow for Keycloak based applications sessions are not getting replicated. Both these applications have tag in them so I am not sure why it is showing different behaviour.
>>>
>>> I know we can fix this by just enabling session stickiness but we want the sessions to be replicated as well.
>>> This is because we want to make our set up more resilient. Also in case of logout when Keycloak is sending a back channel logout request it may send it to any server in the cluster. If the sessions are not properly replicated then the logout will fail as the session will remain preserved on some other server in the cluster.
>>>
>>> Can someone please suggest what to try.
>>>
>>
>
> --
> Thanks,
> Pulkit
> AMS

--
Thanks,
Pulkit
AMS

From pulgupta at redhat.com Wed Jan 25 05:08:19 2017
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Wed, 25 Jan 2017 15:38:19 +0530
Subject: [keycloak-user] Logout in cluster environments
In-Reply-To: References: <2616fafe-5f4b-8c2d-b78d-68250252f95f@redhat.com> <1466d573-9ff2-288f-b531-fd4d0d22530b@redhat.com>
Message-ID:

Hi Marek,

In continuation to the previous mail, I can see that the SAML assertion is getting deleted but the individual sessions within different applications are getting maintained. And thus the user is able to log back in to the applications which he was using. But if he is opening a new application for the first time, as there is no existing session and the SAML assertion is already deleted, he is correctly asked to enter his credentials. I think this will be helpful for you to pinpoint the issue.

Regards,
Pulkit

On Wed, Jan 25, 2017 at 1:59 PM, Pulkit Gupta wrote:
> Thanks Marek,
>
> I worked more around this and now the sessions are getting replicated across the cluster for our applications.
>
> However, I can still see that when we log out we are able to log back in without entering the credentials. This happens most of the time but a few times we are logged out correctly.
>
> I am not sure why the logout is not ending the user session and why we are able to visit the protected resource without re-authenticating. Can you please suggest where I can look.
>
> Regards,
> Pulkit
>
> On Mon, Jan 23, 2017 at 2:04 PM, Marek Posolda wrote:
>
>> I don't see anything in our documentation for Keycloak SAML adapter. Not sure if we support clustering or not. Maybe someone else knows.
>>
>> But I think that if you have in your applications and it still doesn't work, then feel free to create JIRA.
>>
>> Marek
>>
>> On 20/01/17 17:29, Pulkit Gupta wrote:
>>
>> We can't really move to OIDC as we have already used SAML for a number of apps. Is clustering not supported by SAML client adapters for JBoss?
>>
>> Regards,
>> Pulkit
>>
>> On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda wrote:
>>
>>> This is supposed to work for Keycloak OIDC clients and some docs are here https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/application-clustering.html .
>>>
>>> I don't know about Keycloak SAML clients. Is it an alternative for you to try OIDC instead of SAML?
>>>
>>> Marek
>>>
>>> On 20/01/17 08:19, Pulkit Gupta wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am running multiple applications deployed on a JBoss cluster with infinispan used as a cache and for distributed sessions. I verified and can see that session replication is working for a normal application where I can see the same session on all the servers in the cluster and hence the application is working fine without session stickiness.
>>>>
>>>> However when I am trying to use any Keycloak SAML client based application it is only working if the request is going to a particular box in the cluster. On all the other boxes we are getting errors. From this behavior I am concluding that somehow for Keycloak based applications sessions are not getting replicated. Both these applications have tag in them so I am not sure why it is showing different behaviour.
>>>>
>>>> I know we can fix this by just enabling session stickiness but we want the sessions to be replicated as well. This is because we want to make our set up more resilient. Also in case of logout when Keycloak is sending a back channel logout request it may send it to any server in the cluster. If the sessions are not properly replicated then the logout will fail as the session will remain preserved on some other server in the cluster.
>>>>
>>>> Can someone please suggest what to try.
>>>>
>>>
>>
>> --
>> Thanks,
>> Pulkit
>> AMS
>
> --
> Thanks,
> Pulkit
> AMS

--
Thanks,
Pulkit
AMS

From brian at excelwithbusiness.com Wed Jan 25 05:22:32 2017
From: brian at excelwithbusiness.com (Brian Thai)
Date: Wed, 25 Jan 2017 02:22:32 -0800
Subject: [keycloak-user] HTTP-Redirect binding for SAML
Message-ID:

Hi,

The PHP SAML libraries that I am using are HTTP-Redirect binding only for the single logout service. I have tried a few different configurations but I seem to be missing something with my 2.5.0-Final configuration. If I do not configure a HTTP-Post binding for the SLS, I get the error "KC-SERVICES0051: Failed to logout client, continuing: java.lang.NullPointerException".

Can Keycloak support HTTP-Redirect binding for SAML logout? If so, do you know where I can get a working configuration to see what I am missing?

Thanks!

- Brian

From hmlnarik at redhat.com Wed Jan 25 05:46:15 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 25 Jan 2017 11:46:15 +0100
Subject: [keycloak-user] Logout in cluster environments
In-Reply-To: References: <2616fafe-5f4b-8c2d-b78d-68250252f95f@redhat.com> <1466d573-9ff2-288f-b531-fd4d0d22530b@redhat.com>
Message-ID:

There's quite a lot of useful information in this thread. Could you please file a JIRA issue with a reference to this thread?
Thank you

--Hynek

On Wed, Jan 25, 2017 at 11:08 AM, Pulkit Gupta wrote:
> Hi Marek,
>
> In continuation to the previous mail, I can see that the SAML assertion is getting deleted but the individual sessions within different applications are getting maintained. And thus the user is able to log back in to the applications which he was using. But if he is opening a new application for the first time, as there is no existing session and the SAML assertion is already deleted, he is correctly asked to enter his credentials. I think this will be helpful for you to pinpoint the issue.
>
> Regards,
> Pulkit
>
> On Wed, Jan 25, 2017 at 1:59 PM, Pulkit Gupta wrote:
>
>> Thanks Marek,
>>
>> I worked more around this and now the sessions are getting replicated across the cluster for our applications.
>>
>> However, I can still see that when we log out we are able to log back in without entering the credentials. This happens most of the time but a few times we are logged out correctly.
>>
>> I am not sure why the logout is not ending the user session and why we are able to visit the protected resource without re-authenticating. Can you please suggest where I can look.
>>
>> Regards,
>> Pulkit
>>
>> On Mon, Jan 23, 2017 at 2:04 PM, Marek Posolda wrote:
>>
>>> I don't see anything in our documentation for Keycloak SAML adapter. Not sure if we support clustering or not. Maybe someone else knows.
>>>
>>> But I think that if you have in your applications and it still doesn't work, then feel free to create JIRA.
>>>
>>> Marek
>>>
>>> On 20/01/17 17:29, Pulkit Gupta wrote:
>>>
>>> We can't really move to OIDC as we have already used SAML for a number of apps. Is clustering not supported by SAML client adapters for JBoss?
>>>
>>> Regards,
>>> Pulkit
>>>
>>> On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda wrote:
>>>
>>>> This is supposed to work for Keycloak OIDC clients and some docs are here https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/application-clustering.html .
>>>>
>>>> I don't know about Keycloak SAML clients. Is it an alternative for you to try OIDC instead of SAML?
>>>>
>>>> Marek
>>>>
>>>> On 20/01/17 08:19, Pulkit Gupta wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I am running multiple applications deployed on a JBoss cluster with infinispan used as a cache and for distributed sessions. I verified and can see that session replication is working for a normal application where I can see the same session on all the servers in the cluster and hence the application is working fine without session stickiness.
>>>>>
>>>>> However when I am trying to use any Keycloak SAML client based application it is only working if the request is going to a particular box in the cluster. On all the other boxes we are getting errors. From this behavior I am concluding that somehow for Keycloak based applications sessions are not getting replicated. Both these applications have tag in them so I am not sure why it is showing different behaviour.
>>>>>
>>>>> I know we can fix this by just enabling session stickiness but we want the sessions to be replicated as well. This is because we want to make our set up more resilient. Also in case of logout when Keycloak is sending a back channel logout request it may send it to any server in the cluster. If the sessions are not properly replicated then the logout will fail as the session will remain preserved on some other server in the cluster.
>>>>>
>>>>> Can someone please suggest what to try.
>>>>>
>>>>
>>>
>>> --
>>> Thanks,
>>> Pulkit
>>> AMS
>>
>> --
>> Thanks,
>> Pulkit
>> AMS
>
> --
> Thanks,
> Pulkit
> AMS
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From dekela at perfectomobile.com Wed Jan 25 08:39:48 2017
From: dekela at perfectomobile.com (Dekel Aslan)
Date: Wed, 25 Jan 2017 13:39:48 +0000
Subject: [keycloak-user] Authentication from spring security without redirection
Message-ID:

Hi,

I'm looking for a way of exposing REST services with Keycloak authentication.

Does Keycloak have a bean that handles authentication for spring security without filter / redirection?

Further details: I use the spring security adapter, but I can't use it for http calls because it redirects to the Keycloak login page. I want to get the user credentials and invoke the Keycloak service in the server (with REST "/token"), but then I won't have an authentication object as the processing filter creates.

Thanks,
Dekel.

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

From david_delbecq at trimble.com Wed Jan 25 09:09:59 2017
From: david_delbecq at trimble.com (David Delbecq)
Date: Wed, 25 Jan 2017 14:09:59 +0000
Subject: [keycloak-user] Client setup recommendation
Message-ID:

Hello,

we have a javascript web application we are migrating to keycloak.
I am not sure what the recommendations are on setting up configuration for that client with the following requirements:

Once the user triggers the "login" and gets keycloak authenticated, we should get a bearer token to use later on REST services. The user should not be requested again to log in, unless he logs out. Even if he closes his browser. So we need a way to keep or replace the token on a regular basis. Is there some keycloak REST service we can poll on a regular basis for this?

Sometimes the user goes "off grid" (no network communication) for several hours. How can we ensure we still stay logged in?

My first idea was to just increase the SSO timeout and token validity to 30 days. But it seems like a bad idea from my reading of keycloak documentation. So I tried to use an offline token instead, but it seems the implicit flow doesn't allow you to get an offline token. All tokens I get after login are marked as expiring within 15 minutes.

What's the recommended way to get a long lived refresh token, using implicit flow?

--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq at trimbletl.com

From sblanc at redhat.com Wed Jan 25 09:24:08 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 25 Jan 2017 15:24:08 +0100
Subject: [keycloak-user] Authentication from spring security without redirection
In-Reply-To: References: Message-ID:

Hi,

Not sure I understand, have you set bearer-only for your Spring REST service? With this you should not have a redirection and it should just check for a token on the header of the request.

On Wed, Jan 25, 2017 at 2:39 PM, Dekel Aslan wrote:
> Hi,
> I'm looking for a way of exposing REST services with Keycloak authentication.
>
> Does Keycloak have a bean that handles authentication for spring security without filter / redirection?
>
> Further details: I use the spring security adapter, but I can't use it for http calls because it redirects to the Keycloak login page.
> I want to get the user credentials and invoke the Keycloak service in the server (with REST "/token"), but then I won't have an authentication object as the processing filter creates.
>
> Thanks,
> Dekel.
>
> The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dekela at perfectomobile.com Wed Jan 25 09:35:39 2017
From: dekela at perfectomobile.com (Dekel Aslan)
Date: Wed, 25 Jan 2017 14:35:39 +0000
Subject: [keycloak-user] Authentication from spring security without redirection
In-Reply-To: References: Message-ID:

We have an app which up until now receives the credentials. We want to keep it that way (for backward compatibility), but instead of authenticating with our db, authenticate with Keycloak.

In the solution you're proposing (not sure it suits us but let's assume), will the user have to call another service to receive the token, and then send it to us in the header? How will he know when to refresh it?

Dekel.
From: Sebastien Blanc [mailto:sblanc at redhat.com] Sent: Wednesday, January 25, 2017 4:24 PM To: Dekel Aslan Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Authentication from spring security without redirection Hi, Not sure I understand, have you set bearer-only for your Spring REST service ? With this you should not have a redirection and it should just check for a token on the header of the request. On Wed, Jan 25, 2017 at 2:39 PM, Dekel Aslan > wrote: Hi, I'm looking for a way of exposing REST services with Keycloak authentication. Does Keycloak have a bean that handles authentication for spring security without filter / redirection? Further details: I use spring security adapter, but I can't use it for http calls because it redirects to Keycloak login page. I want to get the user credentials and invoke Keycloak service in the server (with REST "/token"), but then I won't have an authentication object as the processing filter creates. Thanks, Dekel. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. 
If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

From sblanc at redhat.com Wed Jan 25 09:53:06 2017
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 25 Jan 2017 15:53:06 +0100
Subject: [keycloak-user] Authentication from spring security without redirection
In-Reply-To: References: Message-ID:

On Wed, Jan 25, 2017 at 3:35 PM, Dekel Aslan wrote:
> We have an app which up until now receives the credentials. We want to keep it that way (for backward compatibility), but instead of authenticating with our db, authenticate with Keycloak.
>
> In the solution you're proposing (not sure it suits us but let's assume), will the user have to call another service to receive the token, and then send it to us in the header?

Yes, for instance it could be a web app using the keycloak.js library that handles the login and then it sends the token in the header, look at our examples.

> How will he know when to refresh it?

That is the responsibility of the app that requested the token (in this case, the web app, again if you look at our angular example you can see how it handles the token refresh)

>
> Dekel.
>
> *From:* Sebastien Blanc [mailto:sblanc at redhat.com]
> *Sent:* Wednesday, January 25, 2017 4:24 PM
> *To:* Dekel Aslan
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Authentication from spring security without redirection
>
> Hi,
>
> Not sure I understand, have you set bearer-only for your Spring REST service? With this you should not have a redirection and it should just check for a token on the header of the request.
> > > > On Wed, Jan 25, 2017 at 2:39 PM, Dekel Aslan > wrote: > > Hi, > I'm looking for a way of exposing REST services with Keycloak > authentication. > > Does Keycloak have a bean that handles authentication for spring security > without filter / redirection? > > Further details: I use spring security adapter, but I can't use it for > http calls because it redirects to Keycloak login page. > I want to get the user credentials and invoke Keycloak service in the > server (with REST "/token"), but then I won't have an authentication object > as the processing filter creates. > > Thanks, > Dekel. > > The information contained in this message is proprietary to the sender, > protected from disclosure, and may be privileged. The information is > intended to be conveyed only to the designated recipient(s) of the message. > If the reader of this message is not the intended recipient, you are hereby > notified that any dissemination, use, distribution or copying of this > communication is strictly prohibited and may be unlawful. If you have > received this communication in error, please notify us immediately by > replying to the message and deleting it from your computer. Thank you. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > The information contained in this message is proprietary to the sender, > protected from disclosure, and may be privileged. The information is > intended to be conveyed only to the designated recipient(s) of the message. > If the reader of this message is not the intended recipient, you are hereby > notified that any dissemination, use, distribution or copying of this > communication is strictly prohibited and may be unlawful. If you have > received this communication in error, please notify us immediately by > replying to the message and deleting it from your computer. Thank you. 
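Three of the threads above come down to the same client-side routine: Diego's Keycloak session expiring behind a still-live HTTP session, David's question about long-lived tokens for a JavaScript client, and Sebastien's point that refreshing is the job of the application that obtained the token. The client reads the access token's exp claim and calls the realm's token endpoint with grant_type=refresh_token some margin before it lapses (keycloak.js exposes this as updateToken(minValidity)). The following is an added example written for this page; it is not code from any of the posters and not from keycloak.js. It decodes a constructed, unsigned sample token (the signature is deliberately not verified: a browser client only uses exp for scheduling, never for authorization decisions), decides whether a refresh is due, computes the delay until the next attempt, and builds the form body a public client would POST. The realm name demo is an assumption; the client id app and server URL https://example:8443/auth are taken from the configurations posted earlier in the thread.

```javascript
// Added example (not from the thread or from keycloak.js): client-side refresh
// scheduling for a Keycloak public client. Realm "demo" is an assumption.
'use strict';

// base64url <-> utf8 helpers (JWT compact serialization uses base64url, no padding).
function base64UrlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the payload claims only. The signature is NOT checked here: the client uses
// exp purely to schedule refreshes; the resource server verifies the signature.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True when the token is already expired or expires within minValidity seconds.
// Keycloak access tokens live minutes, so the margin matters more than the value.
function needsRefresh(accessToken, nowSeconds, minValidity = 30) {
  const { exp } = decodePayload(accessToken);
  if (!Number.isInteger(exp)) throw new Error('token has no usable exp claim');
  return exp - nowSeconds < minValidity;
}

// Seconds to wait before the next refresh attempt: aim for minValidity seconds
// before exp, floored at 1 so a late timer still fires promptly.
function refreshDelaySeconds(accessToken, nowSeconds, minValidity = 30) {
  const { exp } = decodePayload(accessToken);
  return Math.max(1, exp - nowSeconds - minValidity);
}

// The request a public client sends to the realm token endpoint. There is no
// client_secret: a browser client cannot keep one, so only client_id is sent.
function buildRefreshRequest(serverUrl, realm, clientId, refreshToken) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  });
  return {
    method: 'POST',
    url: `${serverUrl}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Constructed sample token for offline use: real header and claim names, dummy signature.
function makeSampleToken(iat, exp) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({
    iss: 'https://example:8443/auth/realms/demo', // assumed realm
    sub: 'f3a1c9d2-0000-4000-8000-000000000001',   // constructed subject
    azp: 'app',
    typ: 'Bearer',
    iat,
    exp,
  }));
  return `${header}.${payload}.${base64UrlEncode('not-a-real-signature')}`;
}

// Stand-alone demo with a fixed clock: a 5-minute token, checked at issue time
// and again 20 seconds before expiry.
if (typeof require !== 'undefined' && require.main === module) {
  const now = 1485000000;
  const token = makeSampleToken(now, now + 300);
  console.log('refresh needed at issue?', needsRefresh(token, now));
  console.log('refresh needed at exp-20s?', needsRefresh(token, now + 280));
  console.log('next attempt in', refreshDelaySeconds(token, now), 'seconds');
  console.log(buildRefreshRequest('https://example:8443/auth', 'demo', 'app', '<refresh_token>'));
}
```

Two consequences follow for the questions above. A successful refresh at the token endpoint counts as activity on the Keycloak user session, so running this loop while Diego's users work in app1 keeps the SSO session alive past its idle timeout and app2 no longer sees an expired token. The loop needs a refresh token, which the implicit flow never issues; David's offline_access scope therefore only applies to the standard (authorization code) flow, and a browser client that wants offline tokens has to switch flows rather than extend token lifetimes.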
> From cristi.cioriia at gmail.com Wed Jan 25 10:17:38 2017 From: cristi.cioriia at gmail.com (Cristi Cioriia) Date: Wed, 25 Jan 2017 17:17:38 +0200 Subject: [keycloak-user] AuthenticationManager send back access_denied error when it should send server_error In-Reply-To: References: <67d0f1a3-4e86-b975-025c-fde0fdee37e1@redhat.com> Message-ID: Hi, I think I could, if in order to create that response I would copy-paste the sendError method of the OIDCLoginProtocol and replace the translateError(error) call with "server_error". Doing this copy-paste isn't the best practice in my opinion, but it should be a good work-around. Thanks for the suggestion. Greetings, Cristi On Tue, Jan 24, 2017 at 12:37 PM, Marek Posolda wrote: > Well, sorry... I wonder if you can handle this by call: > > context.challenge(response) > > instead of: context.failure() > > It seems that then you can send any response you want. So you can also > redirect to your application with any error query parameters you want? > > Marek > > > > On 24/01/17 11:34, Marek Posolda wrote: > >> I think you can create JIRA for your usecase and set the component >> "Authenticator" and fix version "3.0.0.CR1" for that JIRA. >> >> AFAIK we are going to improve Authentication SPI (and requiredAction SPI >> is treated as the part of it), so this can be done as part of that though. >> >> Marek >> >> >> On 18/01/17 15:53, Cristi Cioriia wrote: >> >>> Hi guys, >>> >>> The AuthenticationManager class handles failed required action by sending >>> an access_denied error message back to the client application, instead >>> of a >>> server error, if the required actions detects that it cannot display the >>> required action page and marks the context as failed. >>> >>> The use case I have is the following: >>> >>> 1) I have created and configured a required action that calls an external >>> service to retrieve some data. 
If that service fails, then I cannot >>> display >>> the required action page to the user, so I call >>> >>> context.failure(). >>> >>> 2) Now, when the AuthenticationManager.executionActions method is >>> called to >>> display the required action page, it detects that the status of the >>> required action context is FAILURE (line 641), so it doesn't display the >>> required action page, but instead it calls at line 647 the oidc protocol >>> like this: >>> >>> Response response = protocol.sendError(context.getClientSession(), >>> Error.CONSENT_DENIED); >>> >>> This creates a response for the client application with >>> error=access_denied, but in my opinion it should be with server_error, >>> because the user didn't even have the chance to grant consent. >>> >>> Isn't this how it should happen? I noticed that the server_error is not >>> returned to the client at all, as is only the default branch of a switch, >>> and it can't be reached at all, as the Error enum does not have a mapping >>> for it. >>> >>> Looking forward to an answer. >>> >>> Greetings, >>> Cristi >>> >> >> >> > From emilien.bondu at gmail.com Wed Jan 25 11:06:12 2017 From: emilien.bondu at gmail.com (ebondu) Date: Wed, 25 Jan 2017 09:06:12 -0700 (MST) Subject: [keycloak-user] How to configure KeycloakAuthorization on Angular2 Application In-Reply-To: <5825CCCD.90300@redhat.com> References: <5825CCCD.90300@redhat.com> Message-ID: <1485360372610-2463.post@n6.nabble.com> Hi, I am also working on an Angular2/Ionic2 app based on Keycloak for authz. A first draft of migration from the native keycloak.js to a Typescript lib is available here https://github.com/ebondu/angular2-keycloak. 
From avinash at avinash.com.np Wed Jan 25 13:04:18 2017 From: avinash at avinash.com.np (Avinash Kundaliya) Date: Wed, 25 Jan 2017 18:04:18 +0000 Subject: [keycloak-user] Build token parameters over an API Message-ID: Hello, I have been thinking if it's possible to create a custom mapper that could call an API and add some parameters (or sub parameters) to the JWT Token that is generated? If yes, are there any examples of how to do so and what data is available to the mapper? ( the user? Requested scope? ...) Regards, Avinash From sstark at redhat.com Wed Jan 25 13:39:15 2017 From: sstark at redhat.com (Scott Stark) Date: Wed, 25 Jan 2017 13:39:15 -0500 (EST) Subject: [keycloak-user] JWT discussion on microprofile.io list In-Reply-To: <655061769.12927379.1485369509688.JavaMail.zimbra@redhat.com> Message-ID: <369370968.12927433.1485369555309.JavaMail.zimbra@redhat.com> Hey guys, can someone who is going to be involved with the JSR 375: JavaTM EE Security API effort comment on the use of the JSON Web Token (JWT) https://tools.ietf.org/html/rfc7519 as a means of propagating an authenticated subject and workflow roles. There is a discussion about this that is in early stages over on the Microprofile.io google group: https://groups.google.com/forum/#!topic/microprofile/gakCq7kSBsY The last comment I made that you could critique was: " I think the minimum starting use case is that a user has a workflow that involves 2 or more micro services. They are using an IdP to produce a JWT that has a subject and workflow associated roles. What they need is the ability to configure the micro services to: 1. accept that JWT is valid. This goes to defining acceptable signatures and encryption. 
A default implementation of a javax.security.auth.message.module.ServerAuthModule that illustrates this would be needed for a compatibility test. 2. Some security configuration definition that allows for the mapping of the subject and workflow roles into the security domains of the containers hosting the micro services. It seems like the aud(iences) field of the token could be used for the purpose of the roles: aud REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string. " From pulgupta at redhat.com Wed Jan 25 15:25:47 2017 From: pulgupta at redhat.com (Pulkit Gupta) Date: Thu, 26 Jan 2017 01:55:47 +0530 Subject: [keycloak-user] Logout in cluster environments In-Reply-To: References: <2616fafe-5f4b-8c2d-b78d-68250252f95f@redhat.com> <1466d573-9ff2-288f-b531-fd4d0d22530b@redhat.com> Message-ID: Hi Hynek, I have created a JIRA for the issue. https://issues.jboss.org/browse/KEYCLOAK-4288 I have tried to summarize the complete conversation in the JIRA. Regards, Pulkit On Wed, Jan 25, 2017 at 4:16 PM, Hynek Mlnarik wrote: > There's quite a lot of useful information in this thread. Could you > please file a JIRA issue with a reference to this thread? > > Thank you > > --Hynek > > On Wed, Jan 25, 2017 at 11:08 AM, Pulkit Gupta > wrote: > > Hi Marek, > > > > In continuation to the previous mail I can see that the SAML assertion is > > getting deleted but the individual sessions within different applications > > are getting maintained. > > And thus the user is able to login back to the applications which he was > > using. 
> > But if he is opening a new application for the first time and as there is > > no existing session and SAML assertion is already deleted he is correctly > > asked to enter his credentials. > > I think this will be helpful for you to pin point the issue. > > > > Regards, > > Pulkit > > > > On Wed, Jan 25, 2017 at 1:59 PM, Pulkit Gupta > wrote: > > > >> Thanks Marek, > >> > >> I worked more around this and now the sessions are getting replicated > >> across the cluster for our applications. > >> > >> However still I can see that when we logout we are able to login back > >> without entering the credentials. > >> This happens most of the times but a few times we are logged out > correctly. > >> > >> I am not sure why the logout is not ending the user session and why we > are > >> able to visit the protected resource without re authenticating. > >> Can you please suggest something where can I look. > >> > >> Regards, > >> Pulkit > >> > >> > >> > >> On Mon, Jan 23, 2017 at 2:04 PM, Marek Posolda > >> wrote: > >> > >>> I don't see anything in our documentation for Keycloak SAML adapter. > Not > >>> sure if we support clustering or not. Maybe someone else knows. > >>> > >>> But I think that if you have in your applications and > >>> it still doesn't work, then feel free to create JIRA. > >>> > >>> Marek > >>> > >>> On 20/01/17 17:29, Pulkit Gupta wrote: > >>> > >>> We can't really move to OIDC as we have already used SAML for a number > of > >>> apps. > >>> Is clustering not supported by SAML client adapters for Jboss? > >>> > >>> Regards, > >>> Pulkit > >>> > >>> > >>> On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda > >>> wrote: > >>> > >>>> This is supposed to work for Keycloak OIDC clients and some docs are > here > >>>> https://keycloak.gitbooks.io/securing-client-applications-gu > >>>> ide/content/topics/oidc/java/application-clustering.html . > >>>> > >>>> I don't know about Keycloak SAML clients. Is it an alternative for you > >>>> to try OIDC instead of SAML? 
> >>>> > >>>> Marek > >>>> > >>>> On 20/01/17 08:19, Pulkit Gupta wrote: > >>>> > >>>>> Hi All, > >>>>> > >>>>> I am running multiple applications deployed on a Jboss cluster with > >>>>> infinispan used as a cache and for distributed sessions. > >>>>> I verified and can see that session replication is working for a > normal > >>>>> application where I can see the same session on all the servers in > the > >>>>> cluster and hence the application is working fine without session > >>>>> stickiness. > >>>>> > >>>>> However when I am trying to use any Keycloak SAML client based > >>>>> application > >>>>> it is only working if the request is going to a particular box in the > >>>>> cluster. On all the other boxes we are getting errors. > >>>>> >From this behavior I am concluding that somehow for Keycloak based > >>>>> applications sessions are not getting replicated. > >>>>> Both these applications has tag in them so I am not > >>>>> sure > >>>>> why it is showing different behaviour. > >>>>> > >>>>> I know we can fix this by just enabling session stickiness but we > want > >>>>> the > >>>>> sessions to be replicated as well. > >>>>> This is because we want to make our set up more resilient. Also in > case > >>>>> of > >>>>> logout when Keycloak is sending a back channel logout request it may > >>>>> send > >>>>> it to any server in the cluster. > >>>>> If the sessions are not properly replicated then the logout will > fail as > >>>>> the session will remain preserved on some other server in the > cluster. > >>>>> > >>>>> Can someone please suggest me something what to try. 
> >>>>> > >>>>> > >>>> > >>> > >>> > >>> -- > >>> Thanks, > >>> Pulkit > >>> AMS > >>> > >>> > >>> > >> > >> > >> -- > >> Thanks, > >> Pulkit > >> AMS > >> > > > > > > > > -- > > Thanks, > > Pulkit > > AMS > > > > -- > > --Hynek > -- Thanks, Pulkit AMS From known.michael at gmail.com Thu Jan 26 02:31:27 2017 From: known.michael at gmail.com (Known Michael) Date: Thu, 26 Jan 2017 09:31:27 +0200 Subject: [keycloak-user] The best way to get the action of the login form In-Reply-To: <3aa5357d-a196-9c73-ae84-6f37c07adbc5@redhat.com> References: <3aa5357d-a196-9c73-ae84-6f37c07adbc5@redhat.com> Message-ID: Hey Marek, I have found a lot of tests there. Can you point me to some test that accesses to OIDC server and performs OIDC protocol. Michael On Fri, Jan 20, 2017 at 10:23 AM, Marek Posolda wrote: > On 20/01/17 06:06, Known Michael wrote: > >> Hey, >> >> We start to create automation tests of our keycloak integration. >> > We already have some automated tests and we use selenium. See our > testsuite for more details (testsuite/integration-arquillian in the > Keycloak codebase) . Maybe you can take a look for the inspiration? > >> >> We have discovered that the action URL of the login form (the submit URL) >> is generated each time. >> >> Therefore we need to parse the login response to get the action from the >> login from. >> >> Can you suggest the better way to get the action of the login form? >> >> If not: do you think the way of the action generation can be changed >> significantly in the near future and all our test will fail? >> > In theory, that is possible as it is an implementation detail of Keycloak. > Rely on something like selenium, which will just call "submitButton.click" > instead of manually creating POST requests etc is always less fragile. 
So I > would rather go this way if it is possible for you. > > Marek > >> > > > From mposolda at redhat.com Thu Jan 26 03:15:14 2017 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 26 Jan 2017 09:15:14 +0100 Subject: [keycloak-user] The best way to get the action of the login form In-Reply-To: References: <3aa5357d-a196-9c73-ae84-6f37c07adbc5@redhat.com> Message-ID: <47c4b271-2906-c1f8-6320-ff141ee17558@redhat.com> Yes, for example LoginTest for testing the authentication. Then for example AccessTokenTest, which also adds the scenarios for exchange code-to-token after authentication is successfully finished. Finally adapter tests like UndertowDemoServletsAdapterTest (and its superclass), which tests full integration with the 3rd party scenarios. Note that all tests start with preparing the environment (import realm with JSON and configure it, deploy apps in case of adapter tests). If you run your test against already prepared pre-configured environment, you don't need to care about that. Marek On 26/01/17 08:31, Known Michael wrote: > Hey Marek, > I have found a lot of tests there. > Can you point me to some test that accesses to OIDC server and > performs OIDC protocol. > > Michael > > > On Fri, Jan 20, 2017 at 10:23 AM, Marek Posolda > wrote: > > On 20/01/17 06:06, Known Michael wrote: > > Hey, > > We start to create automation tests of our keycloak integration. > > We already have some automated tests and we use selenium. See our > testsuite for more details (testsuite/integration-arquillian in > the Keycloak codebase) . Maybe you can take a look for the > inspiration? > > > We have discovered that the action URL of the login form (the > submit URL) > is generated each time. > > Therefore we need to parse the login response to get the > action from the > login from. 
> > Can you suggest the better way to get the action of the login > form? > > If not: do you think the way of the action generation can be > changed > significantly in the near future and all our test will fail? > > In theory, that is possible as it is an implementation detail of > Keycloak. Rely on something like selenium, which will just call > "submitButton.click" instead of manually creating POST requests > etc is always less fragile. So I would rather go this way if it is > possible for you. > > Marek > > > > > > > From sthorger at redhat.com Thu Jan 26 03:18:34 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 26 Jan 2017 09:18:34 +0100 Subject: [keycloak-user] Keycloak 2.5.1.Final Released Message-ID: We've just released Keycloak 2.5.1.Final! There are no new features to brag about this time, but we did fix a good amount of issues so I recommend everyone to upgrade. This release will also be the basis for the next Red Hat Single Sign-On release. To download the release go to the Keycloak homepage. Before you upgrade refer to the migration guide. From christian.froehlich at agfa.com Thu Jan 26 03:31:23 2017 From: christian.froehlich at agfa.com (Christian Froehlich) Date: Thu, 26 Jan 2017 09:31:23 +0100 Subject: [keycloak-user] web origins of clients and using wildcards Message-ID: Hi, the tool tip of Web Origins at the client administration ui says: "...To permit all origins add '*'.", but it doesn't work. It seems that wildcards in web origins do not work at all. Using wildcards would be great in our development sites where we often work with IPs instead of real dns names. So currently we have to add a set of web origins with the possible IPs like https://192.168.99.100, https://192.168.99.101,... 
Is it a bug or just a wrong tool tip or am I completely wrong with my assumption? Regards Christian From mposolda at redhat.com Thu Jan 26 03:35:36 2017 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 26 Jan 2017 09:35:36 +0100 Subject: [keycloak-user] Brokering with OIDC and Direct Access Grant In-Reply-To: References: <4614053e-f0b2-fc4d-ceae-cd77254d16df@redhat.com> <458013b0-60fc-b1dd-640b-daec38046b16@redhat.com> Message-ID: <624b81b5-18ab-3758-e684-687592afd141@redhat.com> We don't have brokering for directGrant flow though. You would need to code authenticator by yourself. Maybe I would do something like the authenticator where you can send the parameters like for example "grant_type=password&client_id=your-client&external_idp=true&external_username=john-from-kc-b&external_password=johnspassword" You will create new directGrant flow and you will put your authenticator to it. Your authenticator will then do something like: - Check if there is an "external_idp=true" parameter. If not, then just passthrough to other authenticators in the chain to do classic directGrant login against "local" Keycloak server (like default directGrant flow does) - Then check the parameters external_username and external_password to login against your Keycloak B (Assuming you know where Keycloak B is and what is the desired clientId of Keycloak B to authenticate against it) - If authentication against Keycloak B is successful, you will successfully finish the authenticator, so your client will receive the accessToken from Keycloak A, which can be used to access your API. You can take a look at existing Authentication SPI docs and examples and at the existing implementations of DirectGrant authenticators for the inspiration (ValidateUsername, ValidatePassword, ValidateOTP) Marek On 24/01/17 15:13, Alexander Chriztopher wrote: > What i need at the end is to be able to call an API protected by > Keycloak A with a user Known by Keycloak B. 
> > In another way what we want is to do is brokering but with Direct > Access Grant and not in the browser as it is described here in the > Keycloak documentation here : > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker/overview.html. > What would be the Direct Access Grant flow to achieve the same thing ? > > On Tue, Jan 24, 2017 at 12:49 PM, Marek Posolda > wrote: > > We have support for identity brokering, but not sure if that helps > with your usecase. As if I understand correctly, you have token > for B and you want to access API protected by A with the B-token, > right? > > If you don't want to use multitenancy for some reason, I think you > may have to validate token by yourself on your application side > instead of using our adapters. As even if A and B use the same > publicKey for token verification, the issuer in the B-Token will > be different though, so our adapter (which verifies the issuer) > will fail. > > Also you can implement your own directGrant authenticator in the > Keycloak-A, which will allow you to authenticate with the b-token > (sent to it in some parameter) and then return you back the > a-token, which you can then validate. De facto exchange b-token for > a-token. See Authentication SPI docs for more details. > > Marek > > > On 24/01/17 12:14, Alexander Chriztopher wrote: >> Actually, we don't want our API to know the B instance. >> >> Is there any other solution (am thinking about brokering between >> A and B and creating a client for instance B in instance A etc.) ? >> >> And yes, A and B are not in a cluster for organisation matters. >> >> On Tue, Jan 24, 2017 at 11:25 AM, Marek Posolda >> > wrote: >> >> I assume that Keycloak instances A and B are not in cluster? >> If you can put them in cluster, you will have this supported >> OOTB. >> >> Also did you see our multitenancy feature and multi-tenant >> example? This allows that application (API) is protected by >> both instance A or B. 
So based on the token from the request, >> you will see if you should use keycloak A or B to validate token. >> >> Marek >> >> >> On 24/01/17 11:05, Alexander Chriztopher wrote: >> >> Hello, >> >> Am looking for the flow to get an access token with OIDC >> and 2 Keycloak >> instances (A and B). >> >> User is Known by instance B and gets an access token from >> instance B then >> needs to access an API protected with instance A. >> >> What would be the best way to do it ? >> >> Thanks for any help. >> >> >> >> >> > > From lists at merit.unu.edu Thu Jan 26 05:08:04 2017 From: lists at merit.unu.edu (mj) Date: Thu, 26 Jan 2017 11:08:04 +0100 Subject: [keycloak-user] another small enhancement request for MSAD password mapper In-Reply-To: <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu> <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> Message-ID: <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> Hi Marek, On 01/24/2017 11:47 AM, Marek Posolda wrote: > Can you doublecheck this scenario on your side? Are you using latest > Keycloak master? So I double checked. We are using 2.5.0, NOT latest master, but it does NOT work: As soon as I check "user must change password on next logon", the MSAD attribute pwdLastSet changes to 0. (that is correct, confirmed with an ldif) However, keycloak tells me: invalid username or password. Removing the checkbox sets pwdLastSet to -1, and the logon succeeds again. Searching through jira, I don't see an explanation for the difference in behaviour between 2.5.0 and 2.5.1. If I can find some time, I'll try installing 2.5.1, to see if it works there... 
MJ From mposolda at redhat.com Thu Jan 26 05:47:14 2017 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 26 Jan 2017 11:47:14 +0100 Subject: [keycloak-user] another small enhancement request for MSAD password mapper In-Reply-To: <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu> <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> Message-ID: <59423d06-b531-9dc5-badd-765b12430713@redhat.com> On 26/01/17 11:08, mj wrote: > Hi Marek, > > On 01/24/2017 11:47 AM, Marek Posolda wrote: >> Can you doublecheck this scenario on your side? Are you using latest >> Keycloak master? > > So I double checked. We are using 2.5.0, NOT latest master, but it > does NOT work: > > As soon as I check "user must change password on next logon", the MSAD > attribute pwdLastSet changes to 0. (that is correct, confirmed with an > ldif) > > However, keycloak tells me: invalid username or password. Removing the > checkbox sets pwdLastSet to -1, and the logon succeeds again. > > Searching through jira, I don't see an explanation for the difference > in behaviour between 2.5.0 and 2.5.1. If I can find some time, I'll > try installing 2.5.1, to see if it works there... There were some changes for the KEYCLOAK-2333 and KEYCLOAK-4069, which were related to this. If upgrade to 2.5.1 won't help for you, then could you enable DEBUG logging for the "org.keycloak.storage.ldap" in standalone.xml and attach your log? 
Thanks, Marek > > MJ From eduard.matuszak at worldline.com Thu Jan 26 06:36:29 2017 From: eduard.matuszak at worldline.com (Matuszak, Eduard) Date: Thu, 26 Jan 2017 11:36:29 +0000 Subject: [keycloak-user] user storage provider (Keycloak 2.5.0) deployed as war file: CDI does not work In-Reply-To: References: <61D077C6283D454FAFD06F6AC4AB74D723E96B77@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> <32a669a4-ef51-7e3b-8a71-9b3ae47de178@redhat.com> Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723E9DDF5@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> Hello In any case, it seems not to be a trivial task. I adhered to Bill's suggestions and additionally did some experimental attempts but without success. It's not a critical topic for me as I can live and work without CDI. Anyhow thanks for your comments. Eduard -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen Sent: Tuesday, January 24, 2017 8:50 AM To: Bill Burke Cc: keycloak-user Subject: Re: [keycloak-user] user storage provider (Keycloak 2.5.0) deployed as war file: CDI does not work I'm pretty sure CDI just won't work. When we invoke the provider from Keycloak it doesn't setup the CDI context as it's not a managed request to the deployment so the necessary CDI filters and such are not invoked. On 19 January 2017 at 16:01, Bill Burke wrote: > How exactly are you implementing it? Can you point me to some example > code? Remember, UserStorageProviderFactory *MUST* be a POJO. I > haven't done CDI in years, but I believe it would work similarly to > the EJB example, except you'd look up the CDI bean manager and > allocate your provider through the bean manager. > > > On 1/19/17 5:36 AM, Matuszak, Eduard wrote: > > Hello > > > > It is not possible for me, to bring CDI (@Inject) to work in a user > storage provider application (Keycloak 2.5.0), deployed as a war-file. 
> The required beans.xml is placed correctly in the war-file and passed > by Weld during deployment, but all injected objects are null. > > > > Is this a known (and possibly perforced) behaviour, a (minor) bug > > or > simply due to a missing trick? > > > > Thanks in advance for a feedback, Eduard Matuszak > > > > > > From Christian.FREIMUELLER at frequentis.com Thu Jan 26 09:12:45 2017 From: Christian.FREIMUELLER at frequentis.com (FREIMUELLER Christian) Date: Thu, 26 Jan 2017 14:12:45 +0000 Subject: [keycloak-user] Authentication via client certificate Message-ID: Dear all, I've a hopefully short question regarding authentication in Keycloak. Is there an already built in mechanism to authenticate against Keycloak via client certificate? If yes, how can I configure it? Are there any examples in the showcase regarding client certificates? If no, how can I implement and configure it? - I guess implementing the Authentication SPI and register it in Keycloak as an alternative flow? Best regards, Christian From david_delbecq at trimble.com Thu Jan 26 10:32:11 2017 From: david_delbecq at trimble.com (David Delbecq) Date: Thu, 26 Jan 2017 15:32:11 +0000 Subject: [keycloak-user] Exception on realm import Message-ID: Hello, I tried to use the import feature to import preconfigured client & roles from dev environment to production, but I get an exception during the import. 
I got to the realm -> import, select file, realm to import, check import client and check import client roles, set to overwrite. I get an error "*Error!* javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement" Any workaround / suggestion? It seems related to a client role named "authenticated" but not sure it's not just failing on first client role of file. Here is server stacktrace: 2017-01-26 15:29:29,718 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-31) SQL Error: 23505, SQLState: 23505 2017-01-26 15:29:29,718 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-31) Unique index or primary key violation: "UK_J3RWUVD56ONTGSUHOGM184WW2-2_INDEX_A ON PUBLIC.KEYCLOAK_ROLE(NAME, CLIENT_REALM_CONSTRAINT) VALUES ( /* key:280 */ null, '36da85fb-076c-4403-aafc-b2226cf69bcb', null, null, 'authenticated', null, null, null, null)"; SQL statement: insert into KEYCLOAK_ROLE (CLIENT, CLIENT_REALM_CONSTRAINT, CLIENT_ROLE, DESCRIPTION, NAME, REALM, REALM_ID, SCOPE_PARAM_REQUIRED, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?) 
[23505-173]
2017-01-26 15:29:29,719 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-31) HHH000010: On release of batch it still contained JDBC statements
2017-01-26 15:29:29,719 ERROR [org.keycloak.services] (default task-31) KC-SERVICES0038: Error importing roles: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:57)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
    at com.sun.proxy.$Proxy61.flush(Unknown Source)
    at org.keycloak.models.jpa.JpaRealmProvider.addClientRole(JpaRealmProvider.java:231)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.addClientRole(RealmCacheSession.java:703)
    at org.keycloak.models.jpa.ClientAdapter.addRole(ClientAdapter.java:636)
    at org.keycloak.models.utils.RepresentationToModel.importRoles(RepresentationToModel.java:437)
    at org.keycloak.partialimport.RolesPartialImport.doImport(RolesPartialImport.java:98)
    at org.keycloak.partialimport.PartialImportManager.saveResources(PartialImportManager.java:77)
    at org.keycloak.services.resources.admin.RealmAdminResource.partialImport(RealmAdminResource.java:855)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1303)
    at sun.reflect.GeneratedMethodAccessor342.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
    ... 57 more
Caused by: org.hibernate.exception.ConstraintViolationException: could not execute statement
    at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112)
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:95)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207)
    at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45)
    at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2886)
    at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3386)
    at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:560)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:434)
    at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
    at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
    at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1300)
    ... 61 more
Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "UK_J3RWUVD56ONTGSUHOGM184WW2-2_INDEX_A ON PUBLIC.KEYCLOAK_ROLE(NAME, CLIENT_REALM_CONSTRAINT) VALUES ( /* key:280 */ null, '36da85fb-076c-4403-aafc-b2226cf69bcb', null, null, 'authenticated', null, null, null, null)"; SQL statement:
insert into KEYCLOAK_ROLE (CLIENT, CLIENT_REALM_CONSTRAINT, CLIENT_ROLE, DESCRIPTION, NAME, REALM, REALM_ID, SCOPE_PARAM_REQUIRED, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-173]
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:331)
    at org.h2.message.DbException.get(DbException.java:171)
    at org.h2.message.DbException.get(DbException.java:148)
    at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:101)
    at org.h2.index.PageBtree.find(PageBtree.java:121)
    at org.h2.index.PageBtreeLeaf.addRow(PageBtreeLeaf.java:148)
    at org.h2.index.PageBtreeLeaf.addRowTry(PageBtreeLeaf.java:101)
    at org.h2.index.PageBtreeNode.addRowTry(PageBtreeNode.java:201)
    at org.h2.index.PageBtreeIndex.addRow(PageBtreeIndex.java:95)
    at org.h2.index.PageBtreeIndex.add(PageBtreeIndex.java:86)
    at org.h2.table.RegularTable.addRow(RegularTable.java:125)
    at org.h2.command.dml.Insert.insertRows(Insert.java:127)
    at org.h2.command.dml.Insert.update(Insert.java:86)
    at org.h2.command.CommandContainer.update(CommandContainer.java:79)
    at org.h2.command.Command.executeUpdate(Command.java:235)
    at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:154)
    at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:140)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
    ... 71 more

-- 
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121
Direct david.delbecq at trimbletl.com

From bburke at redhat.com Thu Jan 26 10:42:41 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 26 Jan 2017 10:42:41 -0500
Subject: [keycloak-user] user storage provider (Keycloak 2.5.0) deployed as war file: CDI does not work
In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D723E9DDF5@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
References: <61D077C6283D454FAFD06F6AC4AB74D723E96B77@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> <32a669a4-ef51-7e3b-8a71-9b3ae47de178@redhat.com> <61D077C6283D454FAFD06F6AC4AB74D723E9DDF5@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
Message-ID: <88e1fe0b-0eb8-42ba-3f5a-c3efe7277dfc@redhat.com>

Something we'll have to look into. Maybe something you'd be interested in pursuing? :)

On 1/26/17 6:36 AM, Matuszak, Eduard wrote:
> Hello
> In any case, it seems not to be a trivial task. I adhered to Bill's suggestions and additionally did some experimental attempts but without success.
> It's not a critical topic for me as I can live and work without CDI. Anyhow thanks for your comments.
> Eduard
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen
> Sent: Tuesday, January 24, 2017 8:50 AM
> To: Bill Burke
> Cc: keycloak-user
> Subject: Re: [keycloak-user] user storage provider (Keycloak 2.5.0) deployed as war file: CDI does not work
>
> I'm pretty sure CDI just won't work. When we invoke the provider from Keycloak it doesn't set up the CDI context, as it's not a managed request to the deployment, so the necessary CDI filters and such are not invoked.
>
> On 19 January 2017 at 16:01, Bill Burke wrote:
>
>> How exactly are you implementing it? Can you point me to some example code? Remember, UserStorageProviderFactory *MUST* be a POJO. I haven't done CDI in years, but I believe it would work similarly to the EJB example, except you'd look up the CDI bean manager and allocate your provider through the bean manager.
>>
>>
>> On 1/19/17 5:36 AM, Matuszak, Eduard wrote:
>>> Hello
>>>
>>> It is not possible for me to bring CDI (@Inject) to work in a user storage provider application (Keycloak 2.5.0), deployed as a war-file. The required beans.xml is placed correctly in the war-file and passed by Weld during deployment, but all injected objects are null.
>>> Is this a known (and possibly perforced) behaviour, a (minor) bug or simply due to a missing trick?
>>> Thanks in advance for feedback, Eduard Matuszak

From fabian.eriksson at gi-de.com Thu Jan 26 10:48:40 2017
From: fabian.eriksson at gi-de.com (Eriksson Fabian)
Date: Thu, 26 Jan 2017 15:48:40 +0000
Subject: [keycloak-user] Response CORS Headers

Hello!

We are currently facing a problem with CORS headers and the theme cache settings found in standalone/configuration/standalone.xml.

We have two applications using the same realm. When logging in to the first application we first call /auth/realms/${realm-name}/.well-known/openid-configuration to find the OIDC configuration; the browser first does an OPTIONS request, the response shows the correct access-control-allow-origin header, and the header is cached for as long as staticMaxAge is set to. But when we try to log in to the second application, the response headers that were cached are used and we get the wrong access-control-allow-origin header (still pointing to the first application URL).

Our question is: can we configure only this endpoint (.../.well-known/openid-configuration) to have a no-cache header but leave the rest of the application cached?

BR
Fabian Eriksson

From istvan.orban at gmail.com Thu Jan 26 14:00:26 2017
From: istvan.orban at gmail.com (Istvan Orban)
Date: Thu, 26 Jan 2017 19:00:26 +0000
Subject: [keycloak-user] user storage ldap or keycloak

Dear Keycloak users.

I am very new to Keycloak and I really like it. It is great.

I am currently migrating a legacy app (using its own user management) to support SSO.

I have set up Keycloak with OpenID Connect and it works very well. At this point we need to decide if we will use Keycloak as our main user store or we will set up an LDAP.

My question is this: is Keycloak designed in a way that it can fulfil all the responsibilities of the main user store?

Any risk with this at all?

PS: our user base is small and at this point I am not sure if we want to add LDAP just for this.

-- 
Kind Regards,
Istvan Orban | Skype: istvan_o | Mobile: +44 (0) 7956 122 144

From mposolda at redhat.com Thu Jan 26 14:01:52 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 26 Jan 2017 20:01:52 +0100
Subject: [keycloak-user] Brokering with OIDC and Direct Access Grant
References: <4614053e-f0b2-fc4d-ceae-cd77254d16df@redhat.com> <458013b0-60fc-b1dd-640b-daec38046b16@redhat.com> <624b81b5-18ab-3758-e684-687592afd141@redhat.com>

Not OOTB. You can create a JIRA though (or search if a JIRA already exists) for better OOTB brokering support with the directGrant. But I guess we are not going to add that in the near future unless there is bigger demand for it...

Other option is, that for AngularJS you can use the keycloak.js adapter. We have examples for that in the example distribution. We also have support for themes, so you can customize the login page.

Marek

On 26/01/17 18:58, Alexander Chriztopher wrote:
> Thanks for all the tips Marek.
>
> Does this mean that for any Single Page Application where we do not want to take the user outside of the single application page to a login page there are no solutions with Keycloak when brokering? Actually, this is our real use case. Our SPA (Angular JS) is configured with Keycloak A and we want users known by Keycloak B to be able to authenticate on our app, but we don't want them to lose the context of the app by redirecting their navigator to another page.
>
> On Thu, Jan 26, 2017 at 9:35 AM, Marek Posolda wrote:
>
> We don't have brokering for the directGrant flow though. You would need to code the authenticator by yourself.
>
> Maybe I would do something like the authenticator where you can send the parameters like for example "grant_type=password&client_id=your-client&external_idp=true&external_username=john-from-kc-b&external_password=johnspassword". You will create a new directGrant flow and you will put your authenticator into it. Your authenticator will then do something like:
> - Check if there is an "external_idp=true" parameter. If not, then just pass through to the other authenticators in the chain to do a classic directGrant login against the "local" Keycloak server (like the default directGrant flow does)
> - Then check the parameters external_username and external_password to login against your Keycloak B (assuming you know where Keycloak B is and what the desired clientId of Keycloak B is to authenticate against it)
> - If authentication against Keycloak B is successful, you will successfully finish the authenticator, so your client will receive the accessToken from Keycloak A, which can be used to access your API.
>
> You can take a look at the existing Authentication SPI docs and examples and at the existing implementations of DirectGrant authenticators for inspiration (ValidateUsername, ValidatePassword, ValidateOTP)
>
> Marek
>
>
> On 24/01/17 15:13, Alexander Chriztopher wrote:
>> What I need at the end is to be able to call an API protected by Keycloak A with a user known by Keycloak B.
>>
>> In another way, what we want to do is brokering but with Direct Access Grant and not in the browser as it is described in the Keycloak documentation here: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker/overview.html
>> What would be the Direct Access Grant flow to achieve the same thing?
>>
>> On Tue, Jan 24, 2017 at 12:49 PM, Marek Posolda wrote:
>>
>> We have support for identity brokering, but not sure if that helps with your use case. If I understand correctly, you have a token for B and you want to access an API protected by A with the B-token, right?
>>
>> If you don't want to use multitenancy for some reason, I think you may have to validate the token by yourself on your application side instead of using our adapters. Even if A and B use the same publicKey for token verification, the issuer in the B-token will be different, so our adapter (which verifies the issuer) will fail.
>>
>> Also you can implement your own directGrant authenticator in Keycloak A, which will allow you to authenticate with the b-token (sent to it in some parameter) and then return you the a-token, which you can then validate. De facto exchange b-token for a-token. See the Authentication SPI docs for more details.
>>
>> Marek
>>
>>
>> On 24/01/17 12:14, Alexander Chriztopher wrote:
>>> Actually, we don't want our API to know the B instance.
>>>
>>> Is there any other solution (am thinking about brokering between A and B and creating a client for instance B in instance A etc.)?
>>>
>>> And yes, A and B are not in a cluster for organisation matters.
>>>
>>> On Tue, Jan 24, 2017 at 11:25 AM, Marek Posolda wrote:
>>>
>>> I assume that Keycloak instances A and B are not in a cluster? If you can put them in a cluster, you will have this supported OOTB.
>>>
>>> Also did you see our multitenancy feature and multi-tenant example? This allows that the application (API) is protected by both instance A and B. So based on the token from the request, you will see if you should use Keycloak A or B to validate the token.
>>>
>>> Marek
>>>
>>>
>>> On 24/01/17 11:05, Alexander Chriztopher wrote:
>>>
>>> Hello,
>>>
>>> Am looking for the flow to get an access token with OIDC and 2 Keycloak instances (A and B).
>>>
>>> User is known by instance B and gets an access token from instance B, then needs to access an API protected with instance A.
>>>
>>> What would be the best way to do it?
>>>
>>> Thanks for any help.

From bburke at redhat.com Thu Jan 26 14:14:36 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 26 Jan 2017 14:14:36 -0500
Subject: [keycloak-user] user storage ldap or keycloak
Message-ID: <1424da64-3570-39ba-8200-1e3fb95716f9@redhat.com>

Keycloak can handle the responsibilities of a main user store and I would recommend you do that. The few customers that I've seen take your approach struggled a bit with tuning LDAP to get it to perform well. With a Keycloak-only store, there's just one less moving part you have to worry about, tune, and debug.

The disadvantage is that you'll have to migrate from the Keycloak DB to LDAP or something if you ever want to ditch Keycloak.

Another option: using the User Storage SPI you do have the option to retain your legacy user store.

On 1/26/17 2:00 PM, Istvan Orban wrote:
> Dear Keycloak users.
>
> I am very new to Keycloak and I really like it. It is great.
>
> I am currently migrating a legacy app (using its own user management) to support SSO.
>
> I have set up Keycloak with OpenID Connect and it works very well. At this point we need to decide if we will use Keycloak as our main user store or we will set up an LDAP.
>
> My question is this: is Keycloak designed in a way that it can fulfil all the responsibilities of the main user store?
>
> Any risk with this at all?
>
> PS: our user base is small and at this point I am not sure if we want to add LDAP just for this.
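The direct-grant authenticator Marek sketches in the brokering thread above, written out as an added example; it is not code from the thread or from the Keycloak project. It assumes a hypothetical token endpoint URL and public client id on Keycloak B, uses plain HttpURLConnection for the call to B rather than any Keycloak HTTP helper, and leaves out the AuthenticatorFactory and META-INF/services registration, which follow the standard Authentication SPI pattern.

```java
package example.auth;  // hypothetical package

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.ws.rs.core.MultivaluedMap;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Placed first in a custom direct-grant flow; the built-in validators follow it. */
public class ExternalIdpDirectGrantAuthenticator implements Authenticator {

    // Assumed deployment-specific values: where Keycloak B is and which client to use there.
    private static final String KC_B_TOKEN_ENDPOINT =
        "https://keycloak-b.example.invalid/auth/realms/b-realm/protocol/openid-connect/token";
    private static final String KC_B_CLIENT_ID = "kc-a-broker";  // hypothetical public client on B

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();

        // Step 1: no external_idp=true means a classic local direct grant; hand over to the
        // next authenticators in the chain (ValidateUsername, ValidatePassword, ...).
        if (!"true".equals(form.getFirst("external_idp"))) {
            context.attempted();
            return;
        }
        // Keycloak A sees the user's Keycloak B password in this form, so the endpoint is only
        // acceptable over TLS and when A is trusted with B credentials. Never log these values.
        String username = form.getFirst("external_username");
        String password = form.getFirst("external_password");
        if (username == null || username.isEmpty() || password == null) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }

        // Step 2: verify the credentials against Keycloak B's token endpoint.
        boolean accepted;
        try {
            accepted = passwordGrantSucceeds(username, password);
        } catch (IOException e) {
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);  // B unreachable: fail closed
            return;
        }
        if (!accepted) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }

        // Step 3: map to a local user in Keycloak A (created on first login) and finish the
        // flow, so the client receives an access token issued by A.
        RealmModel realm = context.getRealm();
        KeycloakSession session = context.getSession();
        UserModel user = session.users().getUserByUsername(username, realm);
        if (user == null) {
            user = session.users().addUser(realm, username);
            user.setEnabled(true);
        }
        context.setUser(user);
        context.success();
    }

    /** Resource Owner Password grant against B; only the HTTP status matters, B's token is discarded. */
    static boolean passwordGrantSucceeds(String username, String password) throws IOException {
        String body = "grant_type=password"
            + "&client_id=" + URLEncoder.encode(KC_B_CLIENT_ID, "UTF-8")
            + "&username=" + URLEncoder.encode(username, "UTF-8")
            + "&password=" + URLEncoder.encode(password, "UTF-8");
        HttpURLConnection conn = (HttpURLConnection) new URL(KC_B_TOKEN_ENDPOINT).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        int status = conn.getResponseCode();  // 200: B issued a token; 401: B rejected the credentials
        conn.disconnect();
        return status == 200;
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```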
From shmuein+keycloak-dev at gmail.com Thu Jan 26 15:33:27 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Thu, 26 Jan 2017 14:33:27 -0600
Subject: [keycloak-user] [keycloak-dev] Keycloak 2.5.1.Final Released

Hi Stian,

Did we upload the Keycloak 2.5.1 artifacts to the Maven repo? I was trying to upgrade to this version but it seems the artifacts are missing from the Maven repo.
https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22org.keycloak%22%20AND%20a%3A%22keycloak-server-spi%22

Regards,
Muein

On Thu, Jan 26, 2017 at 2:18 AM, Stian Thorgersen wrote:
> We've just released Keycloak 2.5.1.Final! There are no new features to brag about this time, but we did fix a good amount of issues so I recommend everyone to upgrade. This release will also be the basis for the next Red Hat Single Sign-On release.
>
> To download the release go to the Keycloak homepage. Before you upgrade refer to the migration guide.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

From shmuein+keycloak-dev at gmail.com Thu Jan 26 17:21:49 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Thu, 26 Jan 2017 16:21:49 -0600
Subject: [keycloak-user] IDP Logout for SPs which don't support SAML Logout

A quick reminder to my query.

Regards,
Muein

On Tue, Jan 24, 2017 at 4:05 PM, Muein Muzamil <shmuein+keycloak-dev at gmail.com> wrote:
> Hi all,
>
> We are using Keycloak as IDP to support SAML authentication for different SPs. Some of the SPs don't support SAML logout (such as Salesforce). They only support setting up a GET Logout URL provided by the Identity Provider.
>
> https://success.salesforce.com/ideaView?id=08730000000DjseAAC
>
> I came across this bug reported in Jira, which suggests using the OpenID Connect protocol to logout as a workaround: https://issues.jboss.org/browse/KEYCLOAK-3476 I tried that approach but it didn't work for me.
>
> I have added https://muein2-dev-ed.my.salesforce.com as a valid URI under the Salesforce SP and provided https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com as logout URL in Salesforce. But when I tried to logout from Salesforce, it failed for me with the following exception.
>
> 2:32,165 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-1) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: https://mueinidp.gemalto.com:9443/auth/realms/O4ZR9N2V6U/protocol/openid-connect?redirect_uri=https%3A%2F%2Fmuein2-dev-ed.my.salesforce.com
>     at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
>     at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
>     at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
>
>
> 1. Am I missing something here?
> 2. Also, is there any plan to add a generic logout URL (as suggested in KEYCLOAK-3476) which can be used for such SPs?
>
> Regards,
> Muein

From shmuein+keycloak-dev at gmail.com Thu Jan 26 18:21:43 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Thu, 26 Jan 2017 17:21:43 -0600
Subject: [keycloak-user] SAML AuthnContext

Hi all,

We are trying to configure OpenAM as a SAML client with Keycloak. As part of the SAML request it sends the PasswordProtectedTransport AuthnContext (as shown below) and it expects this back as part of the SAML response.

urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Currently, Keycloak always returns unspecified as the AuthnContext. Is there any way to return the AuthnContext that Keycloak received in the request?

urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

Regards,
Muein

From bruno at abstractj.org Thu Jan 26 21:15:19 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 27 Jan 2017 00:15:19 -0200
Subject: [keycloak-user] [keycloak-dev] Keycloak 2.5.1.Final Released

Certainly yes, but I believe it takes 24 h to be updated on Maven Central.

On Thu, Jan 26, 2017 at 6:33 PM, Muein Muzamil wrote:
> Hi Stian,
>
> Did we upload the Keycloak 2.5.1 artifacts to the Maven repo? I was trying to upgrade to this version but it seems the artifacts are missing from the Maven repo.
>
> https://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22org.keycloak%22%20AND%20a%3A%22keycloak-server-spi%22
>
> Regards,
> Muein
>
> On Thu, Jan 26, 2017 at 2:18 AM, Stian Thorgersen wrote:
>
>> We've just released Keycloak 2.5.1.Final! There are no new features to brag about this time, but we did fix a good amount of issues so I recommend everyone to upgrade. This release will also be the basis for the next Red Hat Single Sign-On release.
>>
>> To download the release go to the Keycloak homepage. Before you upgrade refer to the migration guide.

-- 
- abstractj

From jason at naidmincloud.com Thu Jan 26 23:52:23 2017
From: jason at naidmincloud.com (Jason B)
Date: Thu, 26 Jan 2017 20:52:23 -0800
Subject: [keycloak-user] OAuth token introspection

Hi,

I am trying to understand the OAuth 2.0 capabilities of the Keycloak server and I have a few questions with respect to the implementation of the OAuth introspection spec.

This is what a sample introspection response looks like:

{
  "jti": "7e0a2c4b-9725-432b-a0fd-594f21686108",
  "exp": 1485492229,
  "nbf": 0,
  "iat": 1485491929,
  "iss": "http://localhost:8080/auth/realms/nkadali",
  "aud": "proxy",
  "sub": "e89175d5-94fd-453a-8abb-9953d59d04cf",
  "typ": "Bearer",
  "azp": "proxy",
  "auth_time": 1485487408,
  "session_state": "c05ea410-6f0a-458d-9b2c-debafba732b7",
  "name": "",
  "preferred_username": "jason",
  "acr": "0",
  "client_session": "5d761332-97eb-404d-8624-3de4eca967cd",
  "allowed-origins": [],
  "realm_access": { "roles": [ "uma_authorization" ] },
  "resource_access": { "account": { "roles": [ "manage-account", "view-profile" ] } },
  "client_id": "proxy",
  "username": "jason",
  "active": true
}

I have two questions based on this response.

1. According to OAuth 2.0 Token Introspection (https://tools.ietf.org/html/rfc7662) the JSON response body may contain a "token_type" member. But why is Keycloak representing "token_type" as "typ"? Is there any specific reason?

2. I don't see any "scope" attribute in the response body even though I supplied a scope parameter while requesting the access token. Any idea on how to get the scopes associated with the supplied access token?

Thanks!
From istvan.orban at gmail.com Fri Jan 27 02:48:48 2017 From: istvan.orban at gmail.com (Istvan Orban) Date: Fri, 27 Jan 2017 07:48:48 +0000 Subject: [keycloak-user] user storage ldap or keycloak Message-ID: Thanks for this. I am glad to hear it. it can be our central user store. I am wondering about one single question. Suppose down the line we want to upgrade to LDAP sometime in the future. Of course we can export the user data but the passwords are hashed. Will be able to import users into an LDAP store without having to reset every single user's password ? Thanks a lot! ------------------------------ > > Message: 4 > Date: Thu, 26 Jan 2017 14:14:36 -0500 > From: Bill Burke > Subject: Re: [keycloak-user] user storage ldap or keycloak > To: keycloak-user at lists.jboss.org > Message-ID: <1424da64-3570-39ba-8200-1e3fb95716f9 at redhat.com> > Content-Type: text/plain; charset=windows-1252; format=flowed > > Keycloak can handle responsibilities of a main user store and I would > recommend you do that. The few customers that I've seen take your > approach struggled a bit with tuning LDAP to get it to perform well. > With Keycloak only store, there's just one less moving part you have to > worry about, tune, and debug. > > The disadvantage is that you'll have to migrate from Keycloak DB to LDAP > or something if you ever want to ditch Keycloak. > > Another option: using the User Storage SPI you do have the option to > retain your legacy user store. > > > On 1/26/17 2:00 PM, Istvan Orban wrote: > > Dear Keycloak users. > > > > I am very new to keycloak and I really like it. it is great. > > > > I am currently migrating a legacy app ( using it's own user management > ) to > > support SSO. > > > > I have set-up keycloak with openid connect and it works very well. At > this > > point we need to decide > > if we will use keycloak as our main user store or we will set-up an LDAP > . > > > > My question is that. 
Is keycloak designed in a way that it can fullfil > all > > the responsibilities of the main user store? > > > > Any risk with this at all? > > > > ps: our userbase is small and at this point I am not sure if we want to > add > > ldap just for this. > > > > > > > -- Kind Regards, *----------------------------------------------------------------------------------------------------------------* *Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I * From lists at merit.unu.edu Fri Jan 27 04:09:31 2017 From: lists at merit.unu.edu (mj) Date: Fri, 27 Jan 2017 10:09:31 +0100 Subject: [keycloak-user] another small enhancement request for MSAD password mapper In-Reply-To: <59423d06-b531-9dc5-badd-765b12430713@redhat.com> References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu> <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> <59423d06-b531-9dc5-badd-765b12430713@redhat.com> Message-ID: <3188c63e-a875-6d20-9c03-f75d585494b1@merit.unu.edu> Hi Marek, On 01/26/2017 11:47 AM, Marek Posolda wrote: > There were some changes for the KEYCLOAK-2333 and KEYCLOAK-4069, > which were related to this. If upgrade to 2.5.1 won't help for you, > then could you enable DEBUG logging for the > "org.keycloak.storage.ldap" in standalone.xml and attach your log? Tested with 2.5.1,a and the behaviour remains. Debug log tells me: > 2017-01-27 09:49:22,664 DEBUG > [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] > (default task-10) Authentication failed for DN > [CN=username,CN=Users,DC=samba,DC=company,DC=com]: > javax.naming.AuthenticationException: [LDAP: error code 49 - Simple > Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE] Could you tell me the domain functional level of your AD environment? I have the feeling that the behaviour might be different between different functional levels. 
MJ From lists at merit.unu.edu Fri Jan 27 04:58:58 2017 From: lists at merit.unu.edu (mj) Date: Fri, 27 Jan 2017 10:58:58 +0100 Subject: [keycloak-user] another small enhancement request for MSAD password mapper In-Reply-To: <59423d06-b531-9dc5-badd-765b12430713@redhat.com> References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu> <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> <59423d06-b531-9dc5-badd-765b12430713@redhat.com> Message-ID: Hi Marek, So, I found out a bit more. It seems that there is a difference between samba, and a real AD. The Errorcode is the same (49), but the additional information is NOT exactly the same. Please compare: Samba4: Enter LDAP Password: ldap_bind: Invalid credentials (49) additional info: Simple Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE MSAD Enter LDAP Password: ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1 There is a samba bugreport about this here: https://bugzilla.samba.org/show_bug.cgi?id=9048 However, if keycloak would rely only on the Errorcode 49, password would work with _both_ samba and MSAD. Would it be possible to change keycloak like that? MJ From lists at merit.unu.edu Fri Jan 27 05:21:51 2017 From: lists at merit.unu.edu (mj) Date: Fri, 27 Jan 2017 11:21:51 +0100 Subject: [keycloak-user] another small enhancement request for MSAD password mapper In-Reply-To: References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu> <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> <59423d06-b531-9dc5-badd-765b12430713@redhat.com> Message-ID: <9e361e28-9ff6-7ce8-9c7d-8d10639eb251@merit.unu.edu> On 01/27/2017 10:58 AM, mj wrote: > However, if keycloak would rely only on the Errorcode 49, password would > work with _both_ samba and MSAD. > > Would it be possible to change keycloak like that? Ah no. 
It seems that 49 is actually a whole range of logon failures, including - expired - disabled - user not found Hmm. :-( From mposolda at redhat.com Fri Jan 27 06:52:05 2017 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 27 Jan 2017 12:52:05 +0100 Subject: [keycloak-user] another small enhancement request for MSAD password mapper In-Reply-To: <9e361e28-9ff6-7ce8-9c7d-8d10639eb251@merit.unu.edu> References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu> <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> <59423d06-b531-9dc5-badd-765b12430713@redhat.com> <9e361e28-9ff6-7ce8-9c7d-8d10639eb251@merit.unu.edu> Message-ID: <39195464-798a-3c33-35a7-6a038c68df81@redhat.com> On 27/01/17 11:21, mj wrote: > > On 01/27/2017 10:58 AM, mj wrote: >> However, if keycloak would rely only on the Errorcode 49, password would >> work with _both_ samba and MSAD. >> >> Would it be possible to change keycloak like that? > Ah no. It seems that 49 is actually a whole range of logon failures, > including > > - expired > - disabled > - user not found > > Hmm. :-( Yes, exactly. That's not sufficient... Actually we don't test and officially support Samba AD, just the MSAD. We may add that in the future though as there are more people asking for that, but each LDAP vendor adds some overhead for testing etc... So for now, you would need to add your own implementation of LDAP mapper. I guess it can be subclass of MSADUserAccountControlStorageMapper with some overriden methods (like onAuthenticationFailure with the specific logic for parsing Samba AD error, which is different than MSAD + maybe some more). You can send PR to contribute the mapper for Samba AD if you manage to have it working. Ideally also with the writable scenarios like passwordUpdate, disable user in KC will disable him in AD etc. 
Marek

> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Fri Jan 27 09:25:44 2017 From: bburke at redhat.com (Bill Burke) Date: Fri, 27 Jan 2017 09:25:44 -0500 Subject: [keycloak-user] user storage ldap or keycloak In-Reply-To: References: Message-ID: <76c6d220-1ad9-55f8-84e6-4926237e62b6@redhat.com>

I have no idea on the passwords. It is a standard algorithm we use. But you might be able to a) use keycloak stored passwords, b) require password update, c) store new passwords in LDAP as they are updated and entered.

On 1/27/17 2:48 AM, Istvan Orban wrote: > Thanks for this. I am glad to hear it. it can be our central user store. > > I am wondering about one single question. Suppose down the line we want to > upgrade to LDAP sometime in the future. Of course we can export the user > data but the passwords are hashed. > > Will we be able to import users into an LDAP store without having to reset > every single user's password ? > > Thanks a lot! > > ------------------------------ >> Message: 4 >> Date: Thu, 26 Jan 2017 14:14:36 -0500 >> From: Bill Burke >> Subject: Re: [keycloak-user] user storage ldap or keycloak >> To: keycloak-user at lists.jboss.org >> Message-ID: <1424da64-3570-39ba-8200-1e3fb95716f9 at redhat.com> >> Content-Type: text/plain; charset=windows-1252; format=flowed >> >> Keycloak can handle responsibilities of a main user store and I would >> recommend you do that. The few customers that I've seen take your >> approach struggled a bit with tuning LDAP to get it to perform well. >> With Keycloak only store, there's just one less moving part you have to >> worry about, tune, and debug. >> >> The disadvantage is that you'll have to migrate from Keycloak DB to LDAP >> or something if you ever want to ditch Keycloak.
>> >> Another option: using the User Storage SPI you do have the option to >> retain your legacy user store. >> >> >> On 1/26/17 2:00 PM, Istvan Orban wrote: >>> Dear Keycloak users. >>> >>> I am very new to keycloak and I really like it. it is great. >>> >>> I am currently migrating a legacy app ( using its own user management >> ) to >>> support SSO. >>> >>> I have set-up keycloak with openid connect and it works very well. At >> this >>> point we need to decide >>> if we will use keycloak as our main user store or we will set-up an LDAP >> . >>> My question is that. Is keycloak designed in a way that it can fulfil >> all >>> the responsibilities of the main user store? >>> >>> Any risk with this at all? >>> >>> ps: our userbase is small and at this point I am not sure if we want to >> add >>> ldap just for this. >>> >>> >>> > > >

From schwartzbj17 at gmail.com Fri Jan 27 11:38:17 2017 From: schwartzbj17 at gmail.com (Brian Schwartz) Date: Fri, 27 Jan 2017 10:38:17 -0600 Subject: [keycloak-user] Angular 2 with Webpack Message-ID:

Has anyone created an angular 2 application that's bundled with Webpack and protected by keycloak? How do I include the required dependencies and use them?

Thanks

From RLewis at carbonite.com Fri Jan 27 12:48:54 2017 From: RLewis at carbonite.com (Reed Lewis) Date: Fri, 27 Jan 2017 17:48:54 +0000 Subject: [keycloak-user] External Username, Password, Email... dataset with Keycloak In-Reply-To: <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> References: <1CEE7822-377C-43CA-96A9-4D4F6D8D5143@smartling.com> <395F59EF-63B3-49CA-9842-D8CF5A62ADD0@smartling.com> Message-ID: <0D5EE78E-BD21-421C-8E1C-B01434014084@carbonite.com>

Scott,

We are using your keycloak migration provider from here: https://github.com/Smartling/keycloak-user-migration-provider

But the issue it seems is that version 2.50 and above of Keycloak has removed the API that was being used. Is there any way to easily migrate the code to use whatever Keycloak provides now?
Thank you,

Reed Lewis

From: Scott Rossillo Date: Wednesday, January 27, 2016 at 1:02 PM To: Reed Lewis Cc: Thomas Darimont, "keycloak-user at lists.jboss.org" Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak

I think that's a more general question about user account merging so maybe one of the core devs can chime in.

However, I just want to clarify, you don't want to query the federation provider at all when a user signs in with an external IDP, right? In that case, you could modify the findByUsername() method to not create a user if the login is with an IDP. I'm not sure if it still exists in 1.7+ but the username used to be created as idp.email at provider.com where the IDP is the username prefix.

Does that make sense / sufficiently address the use case?

~ Scott

On Jan 27, 2016, at 12:34 PM, Reed Lewis wrote:

This is working for me now. I created a service that listens on a port and implements the GET, HEAD and POST requests that are being made. The one issue now is that integration with other Identity providers does not work now since it still calls my server with the username from the external provider. How can I tell Keycloak that when a user comes from an external Identity provider not to check the user Federation provider?

Thank you,

Reed Lewis

From: Scott Rossillo Date: Friday, January 15, 2016 at 4:42 PM To: Thomas Darimont, Reed Lewis Cc: "keycloak-user at lists.jboss.org" Subject: Re: [keycloak-user] External Username, Password, Email... dataset with Keycloak

We just put up a blog post[0] and some sample code[1] on how to do this type of migration.
[0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
[1]: https://github.com/Smartling/keycloak-user-migration-provider

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

On Jan 15, 2016, at 11:06 AM, Thomas Darimont wrote:

Hello Reed,

as you already wrote, you can write a federation provider that queries your backend service via REST for user data. Within the federation provider you can then import the user data returned from the REST call.

This would work as follows - within the method:
org.keycloak.models.UserFederationProvider.getUserByUsername(RealmModel, String)
you call your backend REST service. As a next step you create a new user with the given username
UserModel keycloakUser = session.userStorage().addUser(realm, username);
Then you copy all the user data from your backend into Keycloak's UserModel. After that your backend user has a corresponding representation in Keycloak with a reference to this federation provider (id) via the "userModel.federationLink" property. The federation link will also be shown in the user page in the keycloak admin console. As long as the federation link is in place keycloak will ask the federation provider for the latest user data. Once you decide to cut the link to the federation provider you can simply do userModel.setFederationLink(null).

You could basically cut (or rather omit) the federation link right after you added the user to Keycloak. Keycloak has no link information after that anymore and it will only use the user data stored in the Keycloak database for that particular user.

You also have the option to do that for all your users via:
org.keycloak.models.UserFederationProviderFactory.syncAllUsers(KeycloakSessionFactory, String, UserFederationProviderModel)
or just use it on demand per user when he / she wants to log in for the first time.
Cheers,
Thomas

2016-01-15 16:16 GMT+01:00 Reed Lewis:

Hi,

We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data 'live' in KeyCloak and never refer to the external datasource again once the account is 'migrated' into KeyCloak.

Can this be done with some modification of federation? We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.

Thank you,

Reed Lewis

_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From dev.ebondu at gmail.com Fri Jan 27 14:13:12 2017 From: dev.ebondu at gmail.com (ebondu) Date: Fri, 27 Jan 2017 12:13:12 -0700 (MST) Subject: [keycloak-user] Angular 2 with Webpack In-Reply-To: References: Message-ID: <1485544392592-2495.post@n6.nabble.com>

Hi,

You should have a look here angular2-keycloak. This is still a draft but I am working on it and you should be able to use it with webpack.

-- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2495.html Sent from the keycloak-user mailing list archive at Nabble.com.
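Picking up the MSAD vs Samba4 exchange earlier in this digest (mj's two ldap_bind outputs, and Marek's point that result code 49 on its own is not sufficient because it covers expired, disabled and unknown accounts as well), here is an added example that is not code from the list or from Keycloak's MSAD mapper. It shows the check a mapper has to make: look past result code 49 into the vendor-specific diagnostic text, and only treat the bind as "password must change" when the diagnostic says so. The two diagnostic strings are the ones mj posted; the other MSAD "data" sub-codes and NT_STATUS names are the well-known Active Directory values, and the function and class names are my own.

```python
"""Classify LDAP simple-bind failures that all come back as result code 49.

Added example (not Keycloak code). The Samba4 and MSAD diagnostic strings
below are the ones posted in this thread; the remaining MSAD "data"
sub-codes and NT_STATUS names are the well-known Active Directory values.
"""
import re
from enum import Enum
from typing import Optional


class BindFailure(Enum):
    PASSWORD_MUST_CHANGE = "password must be changed"
    PASSWORD_EXPIRED = "password expired"
    ACCOUNT_DISABLED = "account disabled"
    ACCOUNT_LOCKED = "account locked out"
    USER_NOT_FOUND = "user not found"
    INVALID_CREDENTIALS = "invalid credentials"
    UNKNOWN = "unclassified result-49 failure"


# MSAD: "AcceptSecurityContext error, data NNN" carries the real reason.
MSAD_DATA_CODES = {
    "525": BindFailure.USER_NOT_FOUND,
    "52e": BindFailure.INVALID_CREDENTIALS,
    "532": BindFailure.PASSWORD_EXPIRED,
    "533": BindFailure.ACCOUNT_DISABLED,
    "773": BindFailure.PASSWORD_MUST_CHANGE,   # the code in mj's MSAD output
    "775": BindFailure.ACCOUNT_LOCKED,
}

# Samba4: the diagnostic names an NT_STATUS value instead of a data code.
SAMBA_STATUS_CODES = {
    "NT_STATUS_PASSWORD_MUST_CHANGE": BindFailure.PASSWORD_MUST_CHANGE,  # mj's Samba4 output
    "NT_STATUS_PASSWORD_EXPIRED": BindFailure.PASSWORD_EXPIRED,
    "NT_STATUS_ACCOUNT_DISABLED": BindFailure.ACCOUNT_DISABLED,
    "NT_STATUS_ACCOUNT_LOCKED_OUT": BindFailure.ACCOUNT_LOCKED,
    "NT_STATUS_NO_SUCH_USER": BindFailure.USER_NOT_FOUND,
    "NT_STATUS_LOGON_FAILURE": BindFailure.INVALID_CREDENTIALS,
}

_MSAD_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")
_SAMBA_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")


def classify_bind_failure(result_code: int, diagnostic: str) -> Optional[BindFailure]:
    """Return the concrete reason behind a bind result, or None when the
    result code is not 49 (this helper only interprets invalidCredentials)."""
    if result_code != 49:
        return None
    m = _MSAD_RE.search(diagnostic)
    if m:
        return MSAD_DATA_CODES.get(m.group(1).lower(), BindFailure.UNKNOWN)
    m = _SAMBA_RE.search(diagnostic)
    if m:
        return SAMBA_STATUS_CODES.get(m.group(1), BindFailure.UNKNOWN)
    return BindFailure.UNKNOWN


def should_require_password_update(result_code: int, diagnostic: str) -> bool:
    """Only a confirmed 'must change' result may route the user to a
    password-update flow; a bare 49 (wrong password, disabled account,
    unknown user) must keep failing the login, which is Marek's point."""
    return classify_bind_failure(result_code, diagnostic) is BindFailure.PASSWORD_MUST_CHANGE


# Constructed sample inputs: the two "additional info" strings mj posted,
# plus a wrong-password MSAD response for contrast.
SAMBA4_MUST_CHANGE = "Simple Bind Failed: NT_STATUS_PASSWORD_MUST_CHANGE"
MSAD_MUST_CHANGE = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                    "AcceptSecurityContext error, data 773, v1db1")
MSAD_WRONG_PASSWORD = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                       "AcceptSecurityContext error, data 52e, v1db1")

if __name__ == "__main__":
    for label, diag in [("samba4", SAMBA4_MUST_CHANGE),
                        ("msad", MSAD_MUST_CHANGE),
                        ("msad-wrong-pw", MSAD_WRONG_PASSWORD)]:
        print(f"{label:14} -> {classify_bind_failure(49, diag).value}; "
              f"password update: {should_require_password_update(49, diag)}")
```

The vendor check comes first and the fallback is UNKNOWN rather than "must change", so an unrecognised diagnostic still fails the login instead of quietly unlocking a password-update path.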
From ssilvert at redhat.com Fri Jan 27 14:26:10 2017 From: ssilvert at redhat.com (Stan Silvert) Date: Fri, 27 Jan 2017 14:26:10 -0500 Subject: [keycloak-user] Angular 2 with Webpack In-Reply-To: <1485544392592-2495.post@n6.nabble.com> References: <1485544392592-2495.post@n6.nabble.com> Message-ID:

On 1/27/2017 2:13 PM, ebondu wrote: > Hi, > > You should have a look here angular2-keycloak > . This is still a draft but > I am working on it and you should be able to use it with webpack.

Yes, and if you do please report back and let us know what you think. I've been planning to do a Keycloak/TypeScript adapter and I was thrilled to see this effort.

That being said, I don't understand why the plain javascript adapter wouldn't work with WebPack. We already have an Angular 2 demo app that uses it. What is it about WebPack that makes the javascript adapter hard to use?

From lists at merit.unu.edu Fri Jan 27 15:15:03 2017 From: lists at merit.unu.edu (mj) Date: Fri, 27 Jan 2017 21:15:03 +0100 Subject: [keycloak-user] another small enhancement request for MSAD password mapper In-Reply-To: <39195464-798a-3c33-35a7-6a038c68df81@redhat.com> References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu> <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> <59423d06-b531-9dc5-badd-765b12430713@redhat.com> <9e361e28-9ff6-7ce8-9c7d-8d10639eb251@merit.unu.edu> <39195464-798a-3c33-35a7-6a038c68df81@redhat.com> Message-ID: <06fd2c77-e170-a9fc-d0b9-01d9bfe95e5f@merit.unu.edu>

Hi Marek, list,

> Actually we don't test and officially support Samba AD, just the MSAD.
Yeah I know. And (usually, so far) everything that works with MSAD works also with samba4, this is actually the first time we are running into a compatibility issue like this.

> You can send PR to contribute the mapper for Samba AD if you manage to > have it working. Ideally also with the writable scenarios like > passwordUpdate, disable user in KC will disable him in AD etc.

All those things should normally work exactly as they do with MSAD.

Andrew Bartlett (core samba dev) pointed me to the following file: https://github.com/keycloak/keycloak/blob/b2d1a1a17fc8f665f4ba83d62e3c22d4dfa0048a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java written by you.

I was thinking (being no programmer at all!!!) that I could simply edit a line slightly, to watch for "NT_STATUS_PWD_MUST_CHANGE" instead of the MSAD output. That would give me a MSADUserAccountControlStorageMapper 'version' targeted for samba4, as for the rest no changes should be required at all.

However... in my keycloak install, I cannot find the file MSADUserAccountControlStorageMapper.java, so I guess that bright idea is also not an option.

It seems such a waste of energy to create a complete subclass of MSADUserAccountControlStorageMapper, given that the only difference is to look for "NT_STATUS_PWD_MUST_CHANGE"....

Any place I could edit, to change that in an installed keycloak?

MJ

From mposolda at redhat.com Fri Jan 27 15:25:39 2017 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 27 Jan 2017 21:25:39 +0100 Subject: [keycloak-user] user storage ldap or keycloak In-Reply-To: <76c6d220-1ad9-55f8-84e6-4926237e62b6@redhat.com> References: <76c6d220-1ad9-55f8-84e6-4926237e62b6@redhat.com> Message-ID:

Bill, do we have OOTB support for the use case, when you have just local Keycloak users. Then at some point you want to add LDAP (or any other provider) and then sync existing Keycloak users to that StorageProvider? I guess not?
Marek

On 27/01/17 15:25, Bill Burke wrote: > I have no idea on the passwords. It is a standard algorithm we use. > But you might be able to a) use keycloak stored passwords, b) > require password update, c) store new passwords in LDAP as they are > updated and entered. > > > On 1/27/17 2:48 AM, Istvan Orban wrote: >> Thanks for this. I am glad to hear it. it can be our central user store. >> >> I am wondering about one single question. Suppose down the line we want to >> upgrade to LDAP sometime in the future. Of course we can export the user >> data but the passwords are hashed. >> >> Will we be able to import users into an LDAP store without having to reset >> every single user's password ? >> >> Thanks a lot! >> >> ------------------------------ >>> Message: 4 >>> Date: Thu, 26 Jan 2017 14:14:36 -0500 >>> From: Bill Burke >>> Subject: Re: [keycloak-user] user storage ldap or keycloak >>> To: keycloak-user at lists.jboss.org >>> Message-ID: <1424da64-3570-39ba-8200-1e3fb95716f9 at redhat.com> >>> Content-Type: text/plain; charset=windows-1252; format=flowed >>> >>> Keycloak can handle responsibilities of a main user store and I would >>> recommend you do that. The few customers that I've seen take your >>> approach struggled a bit with tuning LDAP to get it to perform well. >>> With Keycloak only store, there's just one less moving part you have to >>> worry about, tune, and debug. >>> >>> The disadvantage is that you'll have to migrate from Keycloak DB to LDAP >>> or something if you ever want to ditch Keycloak. >>> >>> Another option: using the User Storage SPI you do have the option to >>> retain your legacy user store. >>> >>> >>> On 1/26/17 2:00 PM, Istvan Orban wrote: >>>> Dear Keycloak users. >>>> >>>> I am very new to keycloak and I really like it. it is great. >>>> >>>> I am currently migrating a legacy app ( using its own user management >>> ) to >>>> support SSO. >>>> >>>> I have set-up keycloak with openid connect and it works very well.
At >>> this >>>> point we need to decide >>>> if we will use keycloak as our main user store or we will set-up an LDAP >>> . >>>> My question is that. Is keycloak designed in a way that it can fulfil >>> all >>>> the responsibilities of the main user store? >>>> >>>> Any risk with this at all? >>>> >>>> ps: our userbase is small and at this point I am not sure if we want to >>> add >>>> ldap just for this. >>>> >>>> >>>> >> >>

From schwartzbj17 at gmail.com Fri Jan 27 15:49:55 2017 From: schwartzbj17 at gmail.com (Brian Schwartz) Date: Fri, 27 Jan 2017 14:49:55 -0600 Subject: [keycloak-user] Angular 2 with Webpack In-Reply-To: References: <1485544392592-2495.post@n6.nabble.com> Message-ID:

Yes we have been trying to use ebondu's code and cannot get it to work. I will let my colleague reply with the details.

On Jan 27, 2017 1:29 PM, "Stan Silvert" wrote: > On 1/27/2017 2:13 PM, ebondu wrote: > > Hi, > > > > You should have a look here angular2-keycloak > > . This is still a > draft but > > I am working on it and you should be able to use it with webpack. > Yes, and if you do please report back and let us know what you think. > I've been planning to do a Keycloak/TypeScript adapter and I was > thrilled to see this effort. > > That being said, I don't understand why the plain javascript adapter > wouldn't work with WebPack. We already have an Angular 2 demo app that > uses it. What is it about WebPack that makes the javascript adapter > hard to use?
From dev.ebondu at gmail.com Fri Jan 27 17:19:17 2017 From: dev.ebondu at gmail.com (ebondu) Date: Fri, 27 Jan 2017 15:19:17 -0700 (MST) Subject: [keycloak-user] Angular 2 with Webpack In-Reply-To: References: <1485544392592-2495.post@n6.nabble.com> Message-ID: <1485555557374-2500.post@n6.nabble.com>

Brian,

Let me know if you have any debug/error trace. For now I focused on the migration from JS to Typescript, so the configuration/use may be tricky. However as I can use it in a webpack based angular2 app the lib should fit your need.

-- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2500.html Sent from the keycloak-user mailing list archive at Nabble.com.

From bburke at redhat.com Fri Jan 27 19:14:47 2017 From: bburke at redhat.com (Bill Burke) Date: Fri, 27 Jan 2017 19:14:47 -0500 Subject: [keycloak-user] user storage ldap or keycloak In-Reply-To: References: <76c6d220-1ad9-55f8-84e6-4926237e62b6@redhat.com> Message-ID:

Users have to be linked to sync.

On 1/27/17 3:25 PM, Marek Posolda wrote: > Bill, do we have OOTB support for the use case, when you have just > local Keycloak users. Then at some point you want to add LDAP (or any > other provider) and then sync existing Keycloak users to that > StorageProvider? I guess not? > > Marek > > > On 27/01/17 15:25, Bill Burke wrote: >> I have no idea on the passwords. It is a standard algorithm we use. >> But you might be able to a) use keycloak stored passwords, b) >> require password update, c) store new passwords in LDAP as they are >> updated and entered.
>> >> >> On 1/27/17 2:48 AM, Istvan Orban wrote: >>> Thanks for this. I am glad to hear it. it can be our central user >>> store. >>> >>> I am wondering about one single question. Suppose down the line we >>> want to >>> upgrade to LDAP sometime in the future. Of course we can export the >>> user >>> data but the passwords are hashed. >>> >>> Will we be able to import users into an LDAP store without having to reset >>> every single user's password ? >>> >>> Thanks a lot! >>> >>> ------------------------------ >>>> Message: 4 >>>> Date: Thu, 26 Jan 2017 14:14:36 -0500 >>>> From: Bill Burke >>>> Subject: Re: [keycloak-user] user storage ldap or keycloak >>>> To: keycloak-user at lists.jboss.org >>>> Message-ID: <1424da64-3570-39ba-8200-1e3fb95716f9 at redhat.com> >>>> Content-Type: text/plain; charset=windows-1252; format=flowed >>>> >>>> Keycloak can handle responsibilities of a main user store and I would >>>> recommend you do that. The few customers that I've seen take your >>>> approach struggled a bit with tuning LDAP to get it to perform well. >>>> With Keycloak only store, there's just one less moving part you >>>> have to >>>> worry about, tune, and debug. >>>> >>>> The disadvantage is that you'll have to migrate from Keycloak DB to >>>> LDAP >>>> or something if you ever want to ditch Keycloak. >>>> >>>> Another option: using the User Storage SPI you do have the option to >>>> retain your legacy user store. >>>> >>>> >>>> On 1/26/17 2:00 PM, Istvan Orban wrote: >>>>> Dear Keycloak users. >>>>> >>>>> I am very new to keycloak and I really like it. it is great. >>>>> >>>>> I am currently migrating a legacy app ( using its own user >>>>> management >>>> ) to >>>>> support SSO. >>>>> >>>>> I have set-up keycloak with openid connect and it works very well. At >>>> this >>>>> point we need to decide >>>>> if we will use keycloak as our main user store or we will set-up >>>>> an LDAP >>>> . >>>>> My question is that.
Is keycloak designed in a way that it can >>>>> fulfil >>>> all >>>>> the responsibilities of the main user store? >>>>> >>>>> Any risk with this at all? >>>>> >>>>> ps: our userbase is small and at this point I am not sure if we >>>>> want to >>>> add >>>>> ldap just for this. >>>>> >>>>> >>>>> >>> >>> > >

From mposolda at redhat.com Mon Jan 30 03:07:04 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 30 Jan 2017 09:07:04 +0100 Subject: [keycloak-user] another small enhancement request for MSAD password mapper In-Reply-To: <06fd2c77-e170-a9fc-d0b9-01d9bfe95e5f@merit.unu.edu> References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu> <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> <59423d06-b531-9dc5-badd-765b12430713@redhat.com> <9e361e28-9ff6-7ce8-9c7d-8d10639eb251@merit.unu.edu> <39195464-798a-3c33-35a7-6a038c68df81@redhat.com> <06fd2c77-e170-a9fc-d0b9-01d9bfe95e5f@merit.unu.edu> Message-ID: <5054816e-2f70-01c7-bebc-ca865b1683a5@redhat.com>

On 27/01/17 21:15, mj wrote: > Hi Marek, list, > >> Actually we don't test and officially support Samba AD, just the MSAD. > Yeah I know. And (usually, so far) everything that works with MSAD > works also with samba4, this is actually the first time we are running > into a compatibility issue like this. > >> You can send PR to contribute the mapper for Samba AD if you manage to >> have it working. Ideally also with the writable scenarios like >> passwordUpdate, disable user in KC will disable him in AD etc. > All those things should normally work exactly as they do with MSAD.
> > Andrew Bartlett (core samba dev) pointed me to the following file: > https://github.com/keycloak/keycloak/blob/b2d1a1a17fc8f665f4ba83d62e3c22d4dfa0048a/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java > > written by you. > > I was thinking (being no programmer at all!!!) that I could simply > edit a line slightly, to watch for "NT_STATUS_PWD_MUST_CHANGE" instead > of the MSAD output. > > That would give me a MSADUserAccountControlStorageMapper 'version' > targeted for samba4, as for the rest no changes should be required at > all. > > However... in my keycloak install, I cannot find the file > MSADUserAccountControlStorageMapper.java, so I guess that bright idea > is also not an option.

The java files are not inside the server distribution. Java works in a way that Java files (sources) are compiled to class files and then packed in JAR archives. There is no easy way to change the source of the existing class inside the archive and rewrite something directly.

> > It seems such a waste of energy to create a complete subclass of > MSADUserAccountControlStorageMapper, given that the only difference is > to look for "NT_STATUS_PWD_MUST_CHANGE".... > > Any place I could edit, to change that in an installed keycloak?

Well, if the logic is really the same, the Samba4 specific subclass doesn't need to have everything forked (copy/pasted). It can just override one single method (onAuthenticationFailure). That's one of the benefits of inheritance.

So the way to go is really to create a separate mapper for Samba4 and deploy it as a Keycloak provider. You can take a look at the Server Developer Guide [1] and the "provider" examples in our example distribution. Unfortunately it requires some programming and Java knowledge, so not sure if helpful for you. However I don't have anything better ATM, sorry...

Our position is to not add more supported LDAP servers, like Samba4, by ourselves.
So Samba4 would need to be a community contribution (from you or someone else). Also we will need to rely on the community for additional maintenance and testing.

[1] https://keycloak.gitbooks.io/server-developer-guide/content/

Marek

> > MJ

From avinash at avinash.com.np Mon Jan 30 03:24:40 2017 From: avinash at avinash.com.np (Avinash Kundaliya) Date: Mon, 30 Jan 2017 14:09:40 +0545 Subject: [keycloak-user] Build token parameters over an API In-Reply-To: References: Message-ID: <81101295-52db-6a51-65f6-2b1e0211e7b6@avinash.com.np>

I realized after reading through past conversations that what I need is a protocol mapper but now I am struggling to get one working. Here's what I am doing right now:

1) created a class that implements the ProtocolMapper interface
2) created a jar with that class and package (I'm not sure what the META-INF/services folder should contain, any pointers for that?)
3) put the jar in the providers folder (as the readme in the folder says)

Is there a jar that I can use for inspiration or as a base? Any help or pointers would be appreciated.

Regards,
Avinash

On 1/25/17 23:49, Avinash Kundaliya wrote: > Hello, I have been thinking If it's possible to create a custom mapper > that could call an API and add some parameters (or sub parameters) to > the JWT Token that is generated? If yes, are there any examples how to > do so and what data is available to the mapper? ( the user? Requested > scope? ...) Regards, Avinash

From mposolda at redhat.com Mon Jan 30 03:55:32 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 30 Jan 2017 09:55:32 +0100 Subject: [keycloak-user] Build token parameters over an API In-Reply-To: <81101295-52db-6a51-65f6-2b1e0211e7b6@avinash.com.np> References: <81101295-52db-6a51-65f6-2b1e0211e7b6@avinash.com.np> Message-ID: <4c4d95d7-8971-8626-d20f-70cbac8d33fd@redhat.com>

We have a bunch of examples in the distribution. Not for the protocolMapper though, but still, it is probably useful for the inspiration.
See folder "provider" in the examples dist.

Also note that for the protocolMapper, you would likely need to implement some other interfaces besides just the protocolMapper interface. For example OIDCAccessTokenMapper (if you use OIDC protocol) etc. See the builtin Keycloak implementations for more details.

Marek

On 30/01/17 09:24, Avinash Kundaliya wrote: > I realized after reading through past conversations that what I need is > a protocol mapper but now I am struggling to get one working. Here's > what I am doing right now: > > 1) created a class that implements the ProtocolMapper interface > 2) created a jar with that class and package (I'm not sure what the > META-INF/services folder should contain, any pointers for that?) > 3) put the jar in the providers folder (as the readme in the folder says) > > Is there a jar that I can use for inspiration or as a base? Any help or > pointers would be appreciated. > > Regards, > Avinash > > > On 1/25/17 23:49, Avinash Kundaliya wrote: >> Hello, I have been thinking If it's possible to create a custom mapper >> that could call an API and add some parameters (or sub parameters) to >> the JWT Token that is generated? If yes, are there any examples how to >> do so and what data is available to the mapper? ( the user? Requested >> scope? ...) Regards, Avinash

From mark.pardijs at topicus.nl Mon Jan 30 04:09:33 2017 From: mark.pardijs at topicus.nl (Mark Pardijs) Date: Mon, 30 Jan 2017 09:09:33 +0000 Subject: [keycloak-user] Validation of IdP SAML signatures using KeyInfo References: <8646658B-0433-41A6-B335-81B6A3E5A558@topicus.nl> Message-ID: <25DF7C02-075A-4577-847F-995CD4ED472E@topicus.nl>

Hi,

Originally posted at the keycloak-dev list, Hynek Mlnarik asked me to post this here.
We use a SAML IdP which is configured in Keycloak as federated IdP, and I've a question concerning the validation of SAML signatures.

In Keycloak's Identity provider config page, the validating X509 Certificates can be configured, with description "The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,)." but in the code, I see that for checking the signatures a "HardcodedKeyLocator" is used, which does not use the keyName provided in the SAML but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a HardcodedKeyLocator for details. This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c73d86c1b9fd2.

My two questions concerning this approach:

1. Keycloak is currently expecting a KeyInfo element with a KeyName in the incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I'm facing a NullPointer exception when sending a SAMLResponse without KeyInfo element.

2. What's the idea behind the HardcodedKeyLocator, it doesn't seem to match with the multiple keys configuration option in Keycloak's frontend. Is this a preliminary approach which should be extended?

Hope to hear your thoughts on this!

Mark

From hmlnarik at redhat.com Mon Jan 30 04:13:05 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Mon, 30 Jan 2017 10:13:05 +0100 Subject: [keycloak-user] SAML AuthnContext In-Reply-To: References: Message-ID: <2c76addc-16c9-7f18-a4e3-acc3342867e6@redhat.com>

Keycloak always returns urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified AuthnContextClassRef unless AuthnStatement inclusion is disabled.
If you need to handle AuthnContext properly, please open a JIRA feature request.

--Hynek

On 01/27/2017 12:21 AM, Muein Muzamil wrote: > Hi all, > > We are trying to configure OpenAM as SAML client with KeyCloak, as part of > SAML request it sends PasswordProtectedTransport AuthnContext (as shown > below) and it expects this back as part of SAML response. > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"Comparison="exact"> > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport > > > > Currently, KeyCloak always returns unspecified as AuthnContext, is there > any way to return back AuthnContext what KeyCloak received in the request? > > urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified > > > Regards, > Muein

From istvan.orban at gmail.com Mon Jan 30 04:26:18 2017 From: istvan.orban at gmail.com (Istvan Orban) Date: Mon, 30 Jan 2017 09:26:18 +0000 Subject: [keycloak-user] user storage ldap or keycloak Message-ID:

Thanks for the info. Is it possible then to do the following

1, several users are created in keycloak during 1 or 2 year period let's say 4000
3, existing users are exported from keycloak
4, users are imported into ldap
5, later down the line an ldap federation is added which is connected to the new ldap
6, what sort of SPI do I need to write in order to link the existing keycloak users to the ldap federation provider ?

is this possible ?

thanks a lot !

3, link the user from Java code somehow so that it

> Date: Fri, 27 Jan 2017 19:14:47 -0500 > From: Bill Burke > Subject: Re: [keycloak-user] user storage ldap or keycloak > To: Marek Posolda , keycloak-user at lists.jboss.org > Message-ID: > Content-Type: text/plain; charset=windows-1252; format=flowed > > > Users have to be linked to sync.
> > > On 1/27/17 3:25 PM, Marek Posolda wrote: > > Bill, do we have OOTB support for the usecase, when you have just > > local Keycloak users. Then at some point you want to add LDAP (or any > > other provider) and then sync existing Keycloak users to that > > StorageProvider? I guess not? > > > > Marek > > > > > > On 27/01/17 15:25, Bill Burke wrote: > >> I have no idea on the passwords. It is a standard algorithm we use. > >> But you could might be able to a) use keycloak stored passwords, b) > >> require password update, c) store new passwords in LDAP as they are > >> updated and entered. > >> > >> > >> On 1/27/17 2:48 AM, Istvan Orban wrote: > >>> Thanks for this. I am glad to hear it. it can be our central user > >>> store. > >>> > >>> I am wondering about one single question. Suppose down the line we > >>> want to > >>> upgrade to LDAP sometime in the future. Of course we can export the > >>> user > >>> data but the passwords are hashed. > >>> > >>> Will be able to import users into an LDAP store without having to reset > >>> every single user's password ? > >>> > >>> Thanks a lot! > >>> > >>> ------------------------------ > >>>> Message: 4 > >>>> Date: Thu, 26 Jan 2017 14:14:36 -0500 > >>>> From: Bill Burke > >>>> Subject: Re: [keycloak-user] user storage ldap or keycloak > >>>> To: keycloak-user at lists.jboss.org > >>>> Message-ID: <1424da64-3570-39ba-8200-1e3fb95716f9 at redhat.com> > >>>> Content-Type: text/plain; charset=windows-1252; format=flowed > >>>> > >>>> Keycloak can handle responsibilities of a main user store and I would > >>>> recommend you do that. The few customers that I've seen take your > >>>> approach struggled a bit with tuning LDAP to get it to perform well. > >>>> With Keycloak only store, there's just one less moving part you > >>>> have to > >>>> worry about, tune, and debug. > >>>> > >>>> The disadvantage is that you'll have to migrate from Keycloak DB to > >>>> LDAP > >>>> or something if you ever want to ditch Keycloak. 
> >>>> > >>>> Another option: using the User Storage SPI you do have the option to > >>>> retain your legacy user store. > >>>> > >>>> > >>>> On 1/26/17 2:00 PM, Istvan Orban wrote: > >>>>> Dear Keycloak users. > >>>>> > >>>>> I am very new to keycloak and I really like it. it is great. > >>>>> > >>>>> I am currently migrating a legacy app ( using it's own user > >>>>> management > >>>> ) to > >>>>> support SSO. > >>>>> > >>>>> I have set-up keycloak with openid connect and it works very well. At > >>>> this > >>>>> point we need to decide > >>>>> if we will use keycloak as our main user store or we will set-up > >>>>> an LDAP > >>>> . > >>>>> My question is that. Is keycloak designed in a way that it can > >>>>> fullfil > >>>> all > >>>>> the responsibilities of the main user store? > >>>>> > >>>>> Any risk with this at all? > >>>>> > >>>>> ps: our userbase is small and at this point I am not sure if we > >>>>> want to > >>>> add > >>>>> ldap just for this. > >>>>> > >>>>> > >>>>> > >>> > >>> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From hmlnarik at redhat.com Mon Jan 30 04:42:20 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Mon, 30 Jan 2017 10:42:20 +0100 Subject: [keycloak-user] Validation of IdP SAML signatures using KeyInfo In-Reply-To: <25DF7C02-075A-4577-847F-995CD4ED472E@topicus.nl> References: <8646658B-0433-41A6-B335-81B6A3E5A558@topicus.nl> <25DF7C02-075A-4577-847F-995CD4ED472E@topicus.nl> Message-ID: <82384497-ffb5-9d4b-8f04-d11d6567c08b@redhat.com> Hi, Ad 1: Could you file a JIRA with more details (NPE stacktrace, Keycloak version) for this? Keycloak handles cases where KeyName is not present by checking all available keys. Ad 2: HardcodedKeyLocator works with a collection of keys so it matches multiple keys configuration. 
Maybe the cause of this question is related to Item 1, let's resolve that issue first. --Hynek On 01/30/2017 10:09 AM, Mark Pardijs wrote: > Hi, > > Originally posted at the keycloak-dev list, Hynek Mlnarik asked me to post this here. > > We use a SAML IdP which is configured in Keycloak as federated IdP, and I've a question concerning the validation of SAML signatures. In Keycloak's Identity provider config page, the validating X509 Certificates can be configured, with description "The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,)." but in the code, I see that for checking the signatures a "HardcodedKeyLocator" is used, which does not use the keyName provided in the SAML but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a HardcodedKeyLocator for details. > > This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c73d86c1b9fd2. > > My two questions concerning this approach: > > > 1. Keycloak is currently expecting a KeyInfo element with a KeyName in the incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I'm facing a NullPointer exception when sending a SAMLResponse without KeyInfo > > 2. What's the idea behind the HardcodedKeyLocator, it doesn't seem to match with the multiple keys configuration option in Keycloak's frontend. Is this a preliminary approach which should be extended?
From mark.pardijs at topicus.nl Mon Jan 30 04:55:18 2017 From: mark.pardijs at topicus.nl (Mark Pardijs) Date: Mon, 30 Jan 2017 09:55:18 +0000 Subject: [keycloak-user] Validation of IdP SAML signatures using KeyInfo In-Reply-To: <82384497-ffb5-9d4b-8f04-d11d6567c08b@redhat.com> References: <8646658B-0433-41A6-B335-81B6A3E5A558@topicus.nl> <25DF7C02-075A-4577-847F-995CD4ED472E@topicus.nl> <82384497-ffb5-9d4b-8f04-d11d6567c08b@redhat.com> Message-ID: Hi, Ad 1: Just created the issue: https://issues.jboss.org/browse/KEYCLOAK-4329 Ad 2: Multiple keys can be provided to the HardcodedKeyLocator, but I see the following code for checking a specific key:

public Key getKey(String kid) {
    if (this.keys.size() == 1) {
        return this.keys.iterator().next();
    } else {
        return null;
    }
}

And the XMLSignatureUtil is using locator.getKey(keyName) for looking up the keys. So even if I would provide a KeyName in my SAML, it would return the first configured SAML certificate right? On 30 Jan 2017, at 10:42, Hynek Mlnarik > wrote: Hi, Ad 1: Could you file a JIRA with more details (NPE stacktrace, Keycloak version) for this? Keycloak handles cases where KeyName is not present by checking all available keys. Ad 2: HardcodedKeyLocator works with a collection of keys so it matches multiple keys configuration. Maybe the cause of this question is related to Item 1, let's resolve that issue first. --Hynek On 01/30/2017 10:09 AM, Mark Pardijs wrote: Hi, Originally posted at the keycloak-dev list, Hynek Mlnarik asked me to post this here. We use a SAML IdP which is configured in Keycloak as federated IdP, and I've a question concerning the validation of SAML signatures. In Keycloak's Identity provider config page, the validating X509 Certificates can be configured, with description "The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,)."
but in the code, I see that for checking the signatures a "HardcodedKeyLocator" is used, which does not use the keyName provided in the SAML but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a HardcodedKeyLocator for details. This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c73d86c1b9fd2. My two questions concerning this approach: 1. Keycloak is currently expecting a KeyInfo element with a KeyName in the incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I'm facing a NullPointer exception when sending a SAMLResponse without KeyInfo 2. What's the idea behind the HardcodedKeyLocator, it doesn't seem to match with the multiple keys configuration option in Keycloak's frontend. Is this a preliminary approach which should be extended?

From thomas.darimont at googlemail.com Mon Jan 30 05:29:51 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 30 Jan 2017 11:29:51 +0100 Subject: [keycloak-user] Return 503 (Service Unavailable) instead of 404 (File Not found) during keycloak server restarts Message-ID: Hello group, the undertow servlet-container is started pretty early during the startup of the wildfly application server. However the initialization of the keycloak server application might take a while to complete. Within this period requests that are sent to the keycloak endpoints result in responses with HTTP Status Code 404. Is it possible to configure undertow to return a HTTP Status Code 503 (Service Unavailable) until the keycloak application startup has completed? This would ease configuring load-balancers and to avoid showing a 404 to users during server restarts.
Cheers, Thomas From tech at psynd.net Mon Jan 30 05:58:02 2017 From: tech at psynd.net (Tech) Date: Mon, 30 Jan 2017 11:58:02 +0100 Subject: [keycloak-user] Missing federation-provider since version 2.5.0 In-Reply-To: <7b2bee57-3d5a-a9b1-b1aa-97be1a81465d@psynd.net> References: <7b2bee57-3d5a-a9b1-b1aa-97be1a81465d@psynd.net> Message-ID: Dear experts, from version 2.5.0 we noticed the lack in the examples of: keycloak-examples-2.4.0.Final/providers/federation-provide Will this integrated back from version 2.6.0? Thanks! From hmlnarik at redhat.com Mon Jan 30 06:09:55 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Mon, 30 Jan 2017 12:09:55 +0100 Subject: [keycloak-user] Validation of IdP SAML signatures using KeyInfo In-Reply-To: References: <8646658B-0433-41A6-B335-81B6A3E5A558@topicus.nl> <25DF7C02-075A-4577-847F-995CD4ED472E@topicus.nl> <82384497-ffb5-9d4b-8f04-d11d6567c08b@redhat.com> Message-ID: Thanks for the report. Fix for item 1 is on the way [1]. Item 2 - validation - goes enumerating all available keys if getKey() returns null so that part should work fine. --Hynek On 01/30/2017 10:55 AM, Mark Pardijs wrote: > Hi, > > Ad 1: Just created the issue: https://issues.jboss.org/browse/KEYCLOAK-4329 > Ad 2: Multiple keys can be provided to the HardcodedKeyLocator, but I see the following code for checking a specific key: > > public Key getKey(String kid) { > if (this.keys.size() == 1) { > return this.keys.iterator().next(); > } else { > return null; > } > } > > And the XMLSignatureUtil is using locator.getKey(keyName) for looking up the keys. > > So even if I would provide a KeyName in my SAML, it would return the first configured SAML certificate right? > > Op 30 jan. 2017, om 10:42 heeft Hynek Mlnarik > het volgende geschreven: > > Hi, > > Ad 1: Could you file a JIRA with more details (NPE stacktrace, Keycloak version) for this? Keycloak handles cases where KeyName is not present by checking all available keys. 
> > Ad 2: HardcodedKeyLocator works with a collection of keys so it matches multiple keys configuration. Maybe the cause of this question is related to Item 1, let's resolve that issue first. > > --Hynek > > On 01/30/2017 10:09 AM, Mark Pardijs wrote: > Hi, > > Originally posted at the keycloak-dev list, Hynek Mlnarik asked me to post this here. > > We use a SAML IdP which is configured in Keycloak as federated IdP, and I've a question concerning the validation of SAML signatures. In Keycloak's Identity provider config page, the validating X509 Certificates can be configured, with description "The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,)." but in the code, I see that for checking the signatures a "HardcodedKeyLocator" is used, which does not use the keyName provided in the SAML but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a HardcodedKeyLocator for details. > > This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c73d86c1b9fd2. > > My two questions concerning this approach: > > > 1. Keycloak is currently expecting a KeyInfo element with a KeyName in the incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I'm facing a NullPointer exception when sending a SAMLResponse without KeyInfo > > 2. What's the idea behind the HardcodedKeyLocator, it doesn't seem to match with the multiple keys configuration option in Keycloak's frontend. Is this a preliminary approach which should be extended?
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From david_delbecq at trimble.com Mon Jan 30 06:15:42 2017 From: david_delbecq at trimble.com (David Delbecq) Date: Mon, 30 Jan 2017 11:15:42 +0000 Subject: [keycloak-user] Return 503 (Service Unavailable) instead of 404 (File Not found) during keycloak server restarts In-Reply-To: References: Message-ID: According to this documentation https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/paged/configuration-guide/appendix-a-reference-material there should be a default-response-code in the host config. But I couldn't find it in the wildfly undertow subsystem. Maybe the best would be to deploy a ROOT.war which maps /auth/* requests to a 503 response? On Mon, Jan 30, 2017 at 11:31 AM Thomas Darimont < thomas.darimont at googlemail.com> wrote: > Hello group, > > the undertow servlet-container is started pretty early during the startup > of the > wildfly application server. However the initialization of the keycloak > server > application might take a while to complete. Within this period requests > that are > sent to the keycloak endpoints result in responses with HTTP Status Code > 404. > > Is it possible to configure undertow to return a HTTP Status Code 503 > (Service Unavailable) > until the keycloak application startup has completed? > > This would ease configuring load-balancers and to avoid showing a 404 > to users during server restarts.
> > Cheers, > Thomas > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 Direct david.delbecq at trimbletl.com

From mark.pardijs at topicus.nl Mon Jan 30 06:54:34 2017 From: mark.pardijs at topicus.nl (Mark Pardijs) Date: Mon, 30 Jan 2017 11:54:34 +0000 Subject: [keycloak-user] Validation of IdP SAML signatures using KeyInfo In-Reply-To: References: <8646658B-0433-41A6-B335-81B6A3E5A558@topicus.nl> <25DF7C02-075A-4577-847F-995CD4ED472E@topicus.nl> <82384497-ffb5-9d4b-8f04-d11d6567c08b@redhat.com> Message-ID: Ah OK, I see what you mean, so the idea is, when no key is found using the key hint all keys are checked. But what if I do provide a KeyName hint in the SAML, then I still see a mismatch between the code and the Keycloak admin frontend, the code is returning the first key regardless which key id is provided, but in the frontend, no key ids can be specified, just a comma separated list. Can you clarify this? On 30 Jan 2017, at 12:09, Hynek Mlnarik > wrote: Thanks for the report. Fix for item 1 is on the way [1]. Item 2 - validation - goes enumerating all available keys if getKey() returns null so that part should work fine. --Hynek On 01/30/2017 10:55 AM, Mark Pardijs wrote: Hi, Ad 1: Just created the issue: https://issues.jboss.org/browse/KEYCLOAK-4329 Ad 2: Multiple keys can be provided to the HardcodedKeyLocator, but I see the following code for checking a specific key:

public Key getKey(String kid) {
    if (this.keys.size() == 1) {
        return this.keys.iterator().next();
    } else {
        return null;
    }
}

And the XMLSignatureUtil is using locator.getKey(keyName) for looking up the keys.
So even if I would provide a KeyName in my SAML, it would return the first configured SAML certificate right? On 30 Jan 2017, at 10:42, Hynek Mlnarik > wrote: Hi, Ad 1: Could you file a JIRA with more details (NPE stacktrace, Keycloak version) for this? Keycloak handles cases where KeyName is not present by checking all available keys. Ad 2: HardcodedKeyLocator works with a collection of keys so it matches multiple keys configuration. Maybe the cause of this question is related to Item 1, let's resolve that issue first. --Hynek On 01/30/2017 10:09 AM, Mark Pardijs wrote: Hi, Originally posted at the keycloak-dev list, Hynek Mlnarik asked me to post this here. We use a SAML IdP which is configured in Keycloak as federated IdP, and I've a question concerning the validation of SAML signatures. In Keycloak's Identity provider config page, the validating X509 Certificates can be configured, with description "The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,)." but in the code, I see that for checking the signatures a "HardcodedKeyLocator" is used, which does not use the keyName provided in the SAML but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a HardcodedKeyLocator for details. This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c73d86c1b9fd2. My two questions concerning this approach: 1. Keycloak is currently expecting a KeyInfo element with a KeyName in the incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I'm facing a NullPointer exception when sending a SAMLResponse without KeyInfo 2.
What's the idea behind the HardcodedKeyLocator, it doesn't seem to match with the multiple keys configuration option in Keycloak's frontend. Is this a preliminary approach which should be extended? _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From lists at merit.unu.edu Mon Jan 30 06:56:29 2017 From: lists at merit.unu.edu (lists) Date: Mon, 30 Jan 2017 12:56:29 +0100 Subject: [keycloak-user] another small enhancement request for MSAD password mapper In-Reply-To: <5054816e-2f70-01c7-bebc-ca865b1683a5@redhat.com> References: <28e63b85-7224-f518-1202-43507e6b492a@merit.unu.edu> <590c2297-2917-4a85-f15b-b2d902b43130@redhat.com> <373a98d6-c2c5-3444-d119-80e6a1208eab@merit.unu.edu> <59423d06-b531-9dc5-badd-765b12430713@redhat.com> <9e361e28-9ff6-7ce8-9c7d-8d10639eb251@merit.unu.edu> <39195464-798a-3c33-35a7-6a038c68df81@redhat.com> <06fd2c77-e170-a9fc-d0b9-01d9bfe95e5f@merit.unu.edu> <5054816e-2f70-01c7-bebc-ca865b1683a5@redhat.com> Message-ID: <6fd9375c-1e58-30d3-a14b-0ae5c9c2bee1@merit.unu.edu> Hi Marek, On 30-1-2017 9:07, Marek Posolda wrote: > programmer and Java knowledge, so not sure if helpful for you. However I > don't have anything better ATM, sorry... Our position is to not add more > supported LDAP servers, like Samba4, by ourselves. So Samba4 would need > to be community contribution (from you or someone else). Also we will > need to rely on community for additional maintenance and testing. I completely understand your position. Even Andrew Bartlett stated similar on the samba mailing list: > I think this is a Samba fix. If they want to support old Samba, > watching for NT_STATUS_PWD_MUST_CHANGE would also work.
Best regards, MJ

From adam.michalski at aol.com Mon Jan 30 07:13:05 2017 From: adam.michalski at aol.com (adam.michalski at aol.com) Date: Mon, 30 Jan 2017 07:13:05 -0500 Subject: [keycloak-user] keycloak.js updateToken does not validate refresh token expiration date Message-ID: <159ef4afb04-4f98-1195c@webprd-m66.mail.aol.com> keycloak.js updateToken does not validate refresh token expiration date in example https://github.com/keycloak/keycloak/blob/master/examples/demo-template/angular2-product-app/src/main/webapp/app/keycloak.service.ts when I call the getToken() method after the refresh token expires I get console.info('[KEYCLOAK] Refreshing token: token expired'); from keycloak.js:400 with /auth/realms/InfiniteBirEUmowy/protocol/openid-connect/token 400 (Bad Request) [KEYCLOAK] Failed to refresh token I need to check whether the refresh token has expired and, if it has, call KeycloakService.auth.authz.login(); Why is this refresh token expiration check not handled by updateToken inside keycloak.js updateToken()?

From hmlnarik at redhat.com Mon Jan 30 07:39:09 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Mon, 30 Jan 2017 13:39:09 +0100 Subject: [keycloak-user] Validation of IdP SAML signatures using KeyInfo In-Reply-To: References: <8646658B-0433-41A6-B335-81B6A3E5A558@topicus.nl> <25DF7C02-075A-4577-847F-995CD4ED472E@topicus.nl> <82384497-ffb5-9d4b-8f04-d11d6567c08b@redhat.com> Message-ID: Keys specified in admin console are checked regardless of key ID. This applies just the same to the case when there is only a single key. On 01/30/2017 12:54 PM, Mark Pardijs wrote: > Ah OK, I see what you mean, so the idea is, when no key is found using the key hint all keys are checked. But what if I do provide a KeyName hint in the SAML, then I still see a mismatch between the code and the Keycloak admin frontend, the code is returning the first key regardless which key id is provided, but in the frontend, no key ids can be specified, just a comma separated list.
Can you clarify this? > > On 30 Jan 2017, at 12:09, Hynek Mlnarik > wrote: > > Thanks for the report. Fix for item 1 is on the way [1]. Item 2 - validation - goes enumerating all available keys if getKey() returns null so that part should work fine. > > --Hynek > > On 01/30/2017 10:55 AM, Mark Pardijs wrote: > Hi, > > Ad 1: Just created the issue: https://issues.jboss.org/browse/KEYCLOAK-4329 > Ad 2: Multiple keys can be provided to the HardcodedKeyLocator, but I see the following code for checking a specific key: > >
> public Key getKey(String kid) {
>     if (this.keys.size() == 1) {
>         return this.keys.iterator().next();
>     } else {
>         return null;
>     }
> }
>
> And the XMLSignatureUtil is using locator.getKey(keyName) for looking up the keys. > > So even if I would provide a KeyName in my SAML, it would return the first configured SAML certificate right? > > On 30 Jan 2017, at 10:42, Hynek Mlnarik > wrote: > > Hi, > > Ad 1: Could you file a JIRA with more details (NPE stacktrace, Keycloak version) for this? Keycloak handles cases where KeyName is not present by checking all available keys. > > Ad 2: HardcodedKeyLocator works with a collection of keys so it matches multiple keys configuration. Maybe the cause of this question is related to Item 1, let's resolve that issue first. > > --Hynek > > On 01/30/2017 10:09 AM, Mark Pardijs wrote: > Hi, > > Originally posted at the keycloak-dev list, Hynek Mlnarik asked me to post this here. > > We use a SAML IdP which is configured in Keycloak as federated IdP, and I've a question concerning the validation of SAML signatures. In Keycloak's Identity provider config page, the validating X509 Certificates can be configured, with description "The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,)."
but in the code, I see that for checking the signatures a "HardcodedKeyLocator" is used, which does not use the keyName provided in the SAML but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a HardcodedKeyLocator for details. > > This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c73d86c1b9fd2. > > My two questions concerning this approach: > > > 1. Keycloak is currently expecting a KeyInfo element with a KeyName in the incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I'm facing a NullPointer exception when sending a SAMLResponse without KeyInfo > > 2. What's the idea behind the HardcodedKeyLocator, it doesn't seem to match with the multiple keys configuration option in Keycloak's frontend. Is this a preliminary approach which should be extended? > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From bburke at redhat.com Mon Jan 30 09:21:11 2017 From: bburke at redhat.com (Bill Burke) Date: Mon, 30 Jan 2017 09:21:11 -0500 Subject: [keycloak-user] Missing federation-provider since version 2.5.0 In-Reply-To: References: <7b2bee57-3d5a-a9b1-b1aa-97be1a81465d@psynd.net> Message-ID: No.
This SPI has been rewritten: https://keycloak.gitbooks.io/server-developer-guide/content/topics/user-storage.html On 1/30/17 5:58 AM, Tech wrote: > Dear experts, > > from version 2.5.0 we noticed the lack in the examples of: > > keycloak-examples-2.4.0.Final/providers/federation-provide > > Will this integrated back from version 2.6.0? > > Thanks! > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From segatto at esteco.com Mon Jan 30 09:34:35 2017 From: segatto at esteco.com (Alessandro Segatto) Date: Mon, 30 Jan 2017 15:34:35 +0100 Subject: [keycloak-user] Conflict with LastPass Chrome Extension Message-ID: Hi, we found a conflict between LastPass chrome extension (version 4.1.38) and Keycloak js adapter (version 2.5). LastPass is sending a message to login status iframe, which crashes while trying to parse it! I think LastPass caused the issue with his last update , but i think you should also be interested in solving this lack of robustness. If you agree, I can open an issue o Jira. I made an attempt also with angular2-product-app , but i run into a similar issue (LastPass and Keycloak messaging one the other, then crashing) Thanks, Alessandro Segatto -- Ing. Alessandro Segatto Software Engineer Research and Development *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com Pursuant to Legislative Decree No. 196/2003, you are hereby informed that this message contains confidential information intended only for the use of the addressee. If you are not the addressee, and have received this message by mistake, please delete it and immediately notify us. You may not copy or disseminate this message to anyone. Thank you. 
From scope022 at gmail.com Mon Jan 30 10:07:45 2017 From: scope022 at gmail.com (Brian Schofield) Date: Mon, 30 Jan 2017 09:07:45 -0600 Subject: [keycloak-user] Angular 2 with Webpack In-Reply-To: <1485555557374-2500.post@n6.nabble.com> References: <1485544392592-2495.post@n6.nabble.com> <1485555557374-2500.post@n6.nabble.com> Message-ID: I will get both of you a error trace. I had sometime this weekend to fiddle with some barebones angular2-webpack/systemjs projects using Ebondu's lib and could not get it running with either bundlers. @Ebondu, were there some additional installation steps you used to get your lib up and running? I attempted to map your lib in systemjs because I was getting 404 during bundling, but it only lead to systemjs not being able to identify any of the keycloak.*.js modules. I will admit, not extremely proficient in systemjs but I wanted to try and get something working so I could figure out how to port it into webpack. @Stan Today, I'm going to be trying Keycloak's demo again using webpack. I will say that when I tried last Friday I would get json.parse errors within keycloak.js. We were seeing the request response returning straight html which makes sense why the error was occuring. I'll let you know if I have any updates on that today. Thanks for your help. -other Brian On Fri, Jan 27, 2017 at 4:19 PM, ebondu wrote: > Brian, > > Let me know if you have any debug/error trace. For now I focused on the > migration from JS to Typescript, so the configuration/use may be tricky. > However as I can use it in a webpack based angular2 app the lib should fit > your need. > > > > -- > View this message in context: http://keycloak-user.88327.x6. > nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2500.html > Sent from the keycloak-user mailing list archive at Nabble.com. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Brian Schofield

From A.Giordano at klopotek.it Mon Jan 30 10:35:50 2017 From: A.Giordano at klopotek.it (Giordano, Antonio) Date: Mon, 30 Jan 2017 15:35:50 +0000 Subject: [keycloak-user] keycloak user store provider and modules logic Message-ID: <0a5bf9e94a9049fa835cdb0448aa2bd9@Taylor.core.klopotek.local> Hi all, We are moving from keycloak 1.7 to 2.5.1 and we have some troubles in the deployment of a jar relative to our user storage provider. In the old version we deploy all jars and properties with jboss modules logic but in the new version there is a specific folder "providers" where we have to deploy our user storage provider. Unfortunately it seems that our jar can't use resources loaded in the modules section of wildfly (other jars or props) and needs all resources in its package. My question is: which is the correct way in 2.5.1 to deploy a keycloak provider that uses resources defined in the wildfly classpath via modules logic? Thanks for your help agi

From serhiimorunov at gmail.com Mon Jan 30 10:56:18 2017 From: serhiimorunov at gmail.com (Serhii Morunov) Date: Mon, 30 Jan 2017 17:56:18 +0200 Subject: [keycloak-user] Email Templates Message-ID: Hello. I have met an issue with using the Keycloak Admin API and client. When I'm trying to send an email-verification email via /send-verify-email I'm receiving the template for "Update user account". Is it a known issue or am I doing something wrong? I'm trying with Keycloak 2.5.1.Final server version.
Best Regards, Serhii From dev.ebondu at gmail.com Mon Jan 30 11:28:14 2017 From: dev.ebondu at gmail.com (ebondu) Date: Mon, 30 Jan 2017 09:28:14 -0700 (MST) Subject: [keycloak-user] Angular 2 with Webpack In-Reply-To: References: <1485544392592-2495.post@n6.nabble.com> <1485555557374-2500.post@n6.nabble.com> Message-ID: <1485793694866-2523.post@n6.nabble.com> Hi Brian, I just updated the lib to version 0.3.0 so you may have to update you app. On my side, to try the lib I followed these steps : - creation of a new app following angular2-webpack#installing - adding the lib to the app with the npm command "npm install @ebondu/angular2-keycloak --save" - changing the "app.module.ts" file as explained in readme - *adding a valid keycloak.json in the /src/public folder* (this point is missing in the readme) - adapting the "home.component.ts" file as explained in the readme to inject Keycloak class and initialize it. When I go to the home page, I am redirected to the KC server. Here is the modified "home.component.ts" content : import { Component, OnInit } from '@angular/core'; import { Keycloak } from '@ebondu/angular2-keycloak'; @Component({ selector: 'my-home', templateUrl: './home.component.html', styleUrls: ['./home.component.scss'] }) export class HomeComponent implements OnInit { constructor(private keycloak: Keycloak) { // Do stuff } ngOnInit() { console.log('Hello Home'); this.keycloak.init({onLoad:'login-required'}); } } -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2523.html Sent from the keycloak-user mailing list archive at Nabble.com. 
From scope022 at gmail.com Mon Jan 30 11:43:12 2017
From: scope022 at gmail.com (Brian Schofield)
Date: Mon, 30 Jan 2017 10:43:12 -0600
Subject: [keycloak-user] Angular 2 with Webpack
In-Reply-To: <1485793694866-2523.post@n6.nabble.com>
References: <1485544392592-2495.post@n6.nabble.com> <1485555557374-2500.post@n6.nabble.com> <1485793694866-2523.post@n6.nabble.com>
Message-ID:

@Ebondu, thanks for the update, I will give it a go ASAP.

-Brian

On Mon, Jan 30, 2017 at 10:28 AM, ebondu wrote:

> Hi Brian,
>
> I just updated the lib to version 0.3.0 so you may have to update you app.
>
> On my side, to try the lib I followed these steps :
> - creation of a new app following angular2-webpack#installing
> - adding the lib to the app with the npm command "npm install
> @ebondu/angular2-keycloak --save"
> - changing the "app.module.ts" file as explained in readme
> - *adding a valid keycloak.json in the /src/public folder* (this point is
> missing in the readme)
> - adapting the "home.component.ts" file as explained in the readme to
> inject Keycloak class and initialize it.
>
> When I go to the home page, I am redirected to the KC server.
>
> Here is the modified "home.component.ts" content :
>
> import { Component, OnInit } from '@angular/core';
> import { Keycloak } from '@ebondu/angular2-keycloak';
>
> @Component({
>   selector: 'my-home',
>   templateUrl: './home.component.html',
>   styleUrls: ['./home.component.scss']
> })
> export class HomeComponent implements OnInit {
>
>   constructor(private keycloak: Keycloak) {
>     // Do stuff
>   }
>
>   ngOnInit() {
>     console.log('Hello Home');
>     this.keycloak.init({onLoad:'login-required'});
>   }
>
> }
>
>
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2523.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Brian Schofield

From scope022 at gmail.com Mon Jan 30 13:56:50 2017
From: scope022 at gmail.com (Brian Schofield)
Date: Mon, 30 Jan 2017 12:56:50 -0600
Subject: [keycloak-user] Angular 2 with Webpack
In-Reply-To:
References: <1485544392592-2495.post@n6.nabble.com> <1485555557374-2500.post@n6.nabble.com> <1485793694866-2523.post@n6.nabble.com>
Message-ID:

I made the modifications to my project based off your recommendations. Here's the stacktrace I'm getting with the latest update:

*TypeError: Cannot read property 'charAt' of undefined*
* at Function.Keycloak.getRealmUrl (eval at (http://localhost:3000/app.js:1210:2 ), :200:37)*
* at Function.Keycloak.createLoginUrl (eval at (http://localhost:3000/app.js:1210:2 ), :153:30)*
* at DefaultAdapter.login (eval at (http://localhost:3000/app.js:1216:2 ), :7:65)*
* at Function.Keycloak.login (eval at (http://localhost:3000/app.js:1210:2 ), :32:35)*
at AppComponent.login (eval at ( http://localhost:3000/app.js:1186:2), :40:38)
at AppComponent.ngOnInit (eval at ( http://localhost:3000/app.js:1186:2), :35:14)
at Wrapper_AppComponent.ngDoCheck (/AppModule/AppComponent/wrapper.ngfactory.js:22:53)
at CompiledTemplate.proxyViewClass.View_AppComponent_Host0.detectChangesInternal (/AppModule/AppComponent/host.ngfactory.js:28:26)
at CompiledTemplate.proxyViewClass.AppView.detectChanges (eval at (http://localhost:3000/vendor.js:24:2), :12738:18)
at CompiledTemplate.proxyViewClass.DebugAppView.detectChanges (eval at (http://localhost:3000/vendor.js:24:2), :12885:48)
at ViewRef_.detectChanges (eval at ( http://localhost:3000/vendor.js:24:2), :9907:24)
at eval (eval at (http://localhost:3000/vendor.js:24:2), :8797:71)
at Array.forEach (native)
at ApplicationRef_.tick (eval at ( http://localhost:3000/vendor.js:24:2), :8797:29)
at ApplicationRef_._loadComponent (eval at ( http://localhost:3000/vendor.js:24:2), :8772:18)
at ApplicationRef_.bootstrap (eval at ( http://localhost:3000/vendor.js:24:2), :8760:18)
at eval (eval at (http://localhost:3000/vendor.js:24:2), :8581:93)
at Array.forEach (native)
at PlatformRef_._moduleDoBootstrap (eval at ( http://localhost:3000/vendor.js:24:2), :8581:46)
at eval (eval at (http://localhost:3000/vendor.js:24:2), :8533:31)
at ZoneDelegate.invoke (eval at ( http://localhost:3000/polyfills.js:2252:2), :242:26)
at Object.onInvoke (eval at ( http://localhost:3000/vendor.js:24:2), :4427:41)
at ZoneDelegate.invoke (eval at ( http://localhost:3000/polyfills.js:2252:2), :241:32)
at Zone.run (eval at ( http://localhost:3000/polyfills.js:2252:2), :113:43)
at eval (eval at (http://localhost:3000/polyfills.js:2252:2), :535:57)
at ZoneDelegate.invokeTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :275:35)
at Object.onInvokeTask (eval at ( http://localhost:3000/vendor.js:24:2), :4418:41)
at ZoneDelegate.invokeTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :274:40)
at Zone.runTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :151:47)
at drainMicroTaskQueue (eval at ( http://localhost:3000/polyfills.js:2252:2), :433:35)

From thomas.darimont at googlemail.com Mon Jan 30 14:05:10 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 30 Jan 2017 20:05:10 +0100
Subject: [keycloak-user] Return 503 (Service Unvailable) instead of 404 (File Not found) during keycloak server restarts
In-Reply-To:
References:
Message-ID:

Hello,

thanks for the hint David - my current approach uses a custom undertow HttpHandler for detecting the deployment status of a module.
https://github.com/thomasdarimont/undertow-extensions

Cheers,
Thomas

2017-01-30 12:15 GMT+01:00 David Delbecq :

> According to this documentation
> https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/paged/configuration-guide/appendix-a-reference-material
> there should be a default-response-code in the host config. But i couldn't
> find it in wildfly undertow subsystem. Maybe the best would be to deploy a
> ROOT.war which map /auth/* requests to 503 response ?
>
> On Mon, Jan 30, 2017 at 11:31 AM Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
> > Hello group,
> >
> > the undertow servlet-container is started pretty early during the startup
> > of the wildfly application server. However the initialization of the keycloak
> > server application might take a while to complete. Within this period requests
> > that are sent to the keycloak endpoints result in responses with HTTP Status Code
> > 404.
> >
> > Is it possible to configure undertow to return a HTTP Status Code 503
> > (Service Unavailable) until the keycloak application startup has completed?
> >
> > This would ease configuring load-balancers and avoid showing a 404
> > to users during server restarts.
> >
> > Cheers,
> > Thomas
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> --
>
> David Delbecq
> Software engineer, Transport & Logistics
> Geldenaaksebaan 329, 1st floor | 3001 Leuven
> +32 16 391 121 Direct
> david.delbecq at trimbletl.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dev.ebondu at gmail.com Mon Jan 30 14:18:19 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Mon, 30 Jan 2017 12:18:19 -0700 (MST)
Subject: [keycloak-user] Angular 2 with Webpack
In-Reply-To:
References: <1485544392592-2495.post@n6.nabble.com> <1485555557374-2500.post@n6.nabble.com> <1485793694866-2523.post@n6.nabble.com>
Message-ID: <1485803899381-2527.post@n6.nabble.com>

It seems the realm field url is not loaded correctly from your keycloak.json.
Can you check the realm field from your keycloak.json or share it? If the file is OK, check if it is accessible from your browser at http://localhost:8080/keycloak.json

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2527.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From mailamitarora at gmail.com Mon Jan 30 15:00:26 2017
From: mailamitarora at gmail.com (Amit Arora)
Date: Mon, 30 Jan 2017 15:00:26 -0500
Subject: [keycloak-user] UserFederationProvider
Message-ID:

Hi,

I was using UserFederationProvider in 2.2.0, now I can not find this class in 2.5.1. What is the equivalent to it?
I have my code written based on this.

Thanks
Amit

From scope022 at gmail.com Mon Jan 30 15:09:23 2017
From: scope022 at gmail.com (Brian Schofield)
Date: Mon, 30 Jan 2017 14:09:23 -0600
Subject: [keycloak-user] Angular 2 with Webpack
In-Reply-To: <1485803899381-2527.post@n6.nabble.com>
References: <1485544392592-2495.post@n6.nabble.com> <1485555557374-2500.post@n6.nabble.com> <1485793694866-2523.post@n6.nabble.com> <1485803899381-2527.post@n6.nabble.com>
Message-ID:

All I can say right now is errors and more errors :( The charAt issue was coming from the login function, I have removed that for now. What I'm seeing in the console is as shown below (sorry for the long trace). Do note that I am getting console output that says 'initializing Keycloak method', however it seems that the request for the keycloak.json is returning html. Any ideas?

initializing Keycloak method
VM1237:3521 EXCEPTION: Unexpected token < in JSON at position 0
ErrorHandler.handleError @ VM1237:3521
next @ VM1237:8529
schedulerFn @ VM1237:4138
SafeSubscriber.__tryOrUnsub @ VM1242:223
SafeSubscriber.next @ VM1242:172
Subscriber._next @ VM1242:125
Subscriber.next @ VM1242:89
Subject.next @ VM1238:55
EventEmitter.emit @ VM1237:4124
NgZone.triggerError @ VM1237:4487
onHandleError @ VM1237:4448
ZoneDelegate.handleError @ VM1217:246
Zone.runTask @ VM1217:154
ZoneTask.invoke @ VM1217:345
VM1237:3526 ORIGINAL STACKTRACE:
ErrorHandler.handleError @ VM1237:3526
next @ VM1237:8529
schedulerFn @ VM1237:4138
SafeSubscriber.__tryOrUnsub @ VM1242:223
SafeSubscriber.next @ VM1242:172
Subscriber._next @ VM1242:125
Subscriber.next @ VM1242:89
Subject.next @ VM1238:55
EventEmitter.emit @ VM1237:4124
NgZone.triggerError @ VM1237:4487
onHandleError @ VM1237:4448
ZoneDelegate.handleError @ VM1217:246
Zone.runTask @ VM1217:154
ZoneTask.invoke @ VM1217:345
VM1237:3527 SyntaxError: Unexpected token < in JSON at position 0
at JSON.parse ()
at Response.Body.json (eval at ( http://localhost:3000/vendor.js:145:2), :777:29)
at MapSubscriber.eval [as project] (eval at ( http://localhost:3000/app.js:1210:2), :424:75)
at MapSubscriber._next (eval at ( http://localhost:3000/vendor.js:496:2), :77:35)
at MapSubscriber.Subscriber.next (eval at ( http://localhost:3000/vendor.js:54:2), :89:18)
at XMLHttpRequest.onLoad (eval at ( http://localhost:3000/vendor.js:145:2), :1180:42)
at ZoneDelegate.invokeTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :275:35)
at Object.onInvokeTask (eval at ( http://localhost:3000/vendor.js:24:2), :4418:41)
at ZoneDelegate.invokeTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :274:40)
at Zone.runTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :151:47)
at XMLHttpRequest.ZoneTask.invoke (eval at ( http://localhost:3000/polyfills.js:2252:2), :345:33)
------------- Elapsed: 75 ms; At: Mon Jan 30 2017 14:04:39 GMT-0600 (CST) -------------
at getStacktraceWithUncaughtError (eval at ( http://localhost:3000/polyfills.js:2258:2), :33:12) [angular]
at new LongStackTrace (eval at ( http://localhost:3000/polyfills.js:2258:2), :27:22) [angular]
at Object.onScheduleTask (eval at ( http://localhost:3000/polyfills.js:2258:2), :83:18) [angular]
at ZoneDelegate.scheduleTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :252:49) [angular]
at Zone.scheduleEventTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :171:39) [angular]
at zoneAwareAddListener (eval at ( http://localhost:3000/polyfills.js:2252:2), :1226:14) [angular]
at XMLHttpRequest.addEventListener (eval at createNamedFn (eval at (http://localhost:3000/polyfills.js:2252:2)), :3:43) [angular]
at Observable.eval [as _subscribe] (eval at ( http://localhost:3000/vendor.js:145:2), :1227:22) [angular]
at Observable.subscribe (eval at ( http://localhost:3000/vendor.js:36:2), :45:27) [angular]
at MapOperator.call (eval at ( http://localhost:3000/vendor.js:496:2), :54:23) [angular]
at Observable.subscribe (eval at ( http://localhost:3000/vendor.js:36:2), :42:22) [angular]
at Observable.eval [as _subscribe] (eval at ( http://localhost:3000/app.js:1210:2), :424:86) [angular]
at Observable.subscribe (eval at ( http://localhost:3000/vendor.js:36:2), :45:27) [angular]
at Keycloak.init (eval at ( http://localhost:3000/app.js:1210:2), :405:44) [angular]
at AppComponent.ngOnInit (eval at ( http://localhost:3000/app.js:1186:2), :34:23) [angular]
at Wrapper_AppComponent.ngDoCheck (/AppModule/AppComponent/wrapper.ngfactory.js:22:53) [angular]
at CompiledTemplate.proxyViewClass.View_AppComponent_Host0.detectChangesInternal (/AppModule/AppComponent/host.ngfactory.js:28:26) [angular]
at CompiledTemplate.proxyViewClass.AppView.detectChanges (eval at (http://localhost:3000/vendor.js:24:2), :12738:18) [angular]
at CompiledTemplate.proxyViewClass.DebugAppView.detectChanges (eval at (http://localhost:3000/vendor.js:24:2), :12885:48) [angular]
at ViewRef_.detectChanges (eval at ( http://localhost:3000/vendor.js:24:2), :9907:24) [angular]
at eval (eval at (http://localhost:3000/vendor.js:24:2), :8797:71) [angular]
at Array.forEach (native) [angular]
at ApplicationRef_.tick (eval at ( http://localhost:3000/vendor.js:24:2), :8797:29) [angular]
at ApplicationRef_._loadComponent (eval at ( http://localhost:3000/vendor.js:24:2), :8772:18) [angular]
at ApplicationRef_.bootstrap (eval at ( http://localhost:3000/vendor.js:24:2), :8760:18) [angular]
at eval (eval at (http://localhost:3000/vendor.js:24:2), :8581:93) [angular]
at Array.forEach (native) [angular]
at PlatformRef_._moduleDoBootstrap (eval at ( http://localhost:3000/vendor.js:24:2), :8581:46) [angular]
at eval (eval at (http://localhost:3000/vendor.js:24:2), :8533:31) [angular]
at Object.onInvoke (eval at ( http://localhost:3000/vendor.js:24:2), :4427:41) [angular]
at Zone.run (eval at ( http://localhost:3000/polyfills.js:2252:2), :113:43) [angular => angular]
at eval (eval at (http://localhost:3000/polyfills.js:2252:2), :535:57) [angular]
at Object.onInvokeTask (eval at ( http://localhost:3000/vendor.js:24:2), :4418:41) [angular]
at ZoneDelegate.invokeTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :274:40) [angular]
at Zone.runTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :151:47) [ => angular]
at drainMicroTaskQueue (eval at ( http://localhost:3000/polyfills.js:2252:2), :433:35) []
------------- Elapsed: 114 ms; At: Mon Jan 30 2017 14:04:38 GMT-0600 (CST) -------------
at getStacktraceWithUncaughtError (eval at ( http://localhost:3000/polyfills.js:2258:2), :33:12) [angular]
at new LongStackTrace (eval at ( http://localhost:3000/polyfills.js:2258:2), :27:22) [angular]
at Object.onScheduleTask (eval at ( http://localhost:3000/polyfills.js:2258:2), :83:18) [angular]
at ZoneDelegate.scheduleTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :252:49) [angular]
at Zone.scheduleMicroTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :165:39) [angular]
at scheduleResolveOrReject (eval at ( http://localhost:3000/polyfills.js:2252:2), :533:14) [angular]
at resolvePromise (eval at ( http://localhost:3000/polyfills.js:2252:2), :496:21) [angular]
at eval (eval at (http://localhost:3000/polyfills.js:2252:2), :535:17) [angular]
at Object.onInvokeTask (eval at ( http://localhost:3000/vendor.js:24:2), :4418:41) [angular]
at ZoneDelegate.invokeTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :274:40) [angular]
at Zone.runTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :151:47) [ => angular]
at drainMicroTaskQueue (eval at ( http://localhost:3000/polyfills.js:2252:2), :433:35) []
------------- Elapsed: 7 ms; At: Mon Jan 30 2017 14:04:38 GMT-0600 (CST) -------------
at getStacktraceWithUncaughtError (eval at ( http://localhost:3000/polyfills.js:2258:2), :33:12) [angular]
at new LongStackTrace (eval at ( http://localhost:3000/polyfills.js:2258:2), :27:22) [angular]
at Object.onScheduleTask (eval at ( http://localhost:3000/polyfills.js:2258:2), :83:18) [angular]
at ZoneDelegate.scheduleTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :252:49) [angular]
at Zone.scheduleMicroTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :165:39) [angular]
at scheduleResolveOrReject (eval at ( http://localhost:3000/polyfills.js:2252:2), :533:14) [angular]
at ZoneAwarePromise.then (eval at ( http://localhost:3000/polyfills.js:2252:2), :622:17) [angular]
at new ApplicationInitStatus (eval at ( http://localhost:3000/vendor.js:24:2), :3791:64) [angular]
at AppModuleInjector.createInternal (/AppModule/module.ngfactory.js:323:36) [angular]
at AppModuleInjector.NgModuleInjector.create (eval at ( http://localhost:3000/vendor.js:24:2), :8979:80) [angular]
at NgModuleFactory.create (eval at ( http://localhost:3000/vendor.js:24:2), :8953:22) [angular]
at eval (eval at (http://localhost:3000/vendor.js:24:2), :8523:65) [angular]
at Object.onInvoke (eval at ( http://localhost:3000/vendor.js:24:2), :4427:41) [angular]
at Zone.run (eval at ( http://localhost:3000/polyfills.js:2252:2), :113:43) [ => angular]
at NgZone.run (eval at (http://localhost:3000/vendor.js:24:2), :4296:66) []
at PlatformRef_._bootstrapModuleFactoryWithZone (eval at ( http://localhost:3000/vendor.js:24:2), :8521:27) []
at eval (eval at (http://localhost:3000/vendor.js:24:2), :8572:63) []
at Zone.run (eval at ( http://localhost:3000/polyfills.js:2252:2), :113:43) [ => ]
at eval (eval at (http://localhost:3000/polyfills.js:2252:2), :535:57) []
at Zone.runTask (eval at ( http://localhost:3000/polyfills.js:2252:2), :151:47) [ => ]
at drainMicroTaskQueue (eval at ( http://localhost:3000/polyfills.js:2252:2), :433:35) []

On Mon, Jan 30, 2017 at 1:18 PM, ebondu wrote:

> It seems the realm field url is not loaded correctly from your
> keycloak.json.
> Can you check the realm field from your keycloak.json or share it?
> If the file is OK, check if it is accessible from your browser at
> http://localhost:8080/keycloak.json
>
>
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2527.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Brian Schofield

From dev.ebondu at gmail.com Mon Jan 30 15:30:28 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Mon, 30 Jan 2017 13:30:28 -0700 (MST)
Subject: [keycloak-user] Angular 2 with Webpack
In-Reply-To:
References: <1485544392592-2495.post@n6.nabble.com> <1485555557374-2500.post@n6.nabble.com> <1485793694866-2523.post@n6.nabble.com> <1485803899381-2527.post@n6.nabble.com>
Message-ID: <1485808228624-2530.post@n6.nabble.com>

The keycloak.json looks to not be accessible from your browser; place it correctly in your project to make it accessible (my-app/src/public/ in my example).

Brian Schofield wrote
> Do note that I am getting console out that says 'initializing Keycloak
> method' however it's seems that the request for the keycloak.json is
> returning html.

Can you share the html result for the request to keycloak.json to confirm it is a 404 error page?

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2530.html
Sent from the keycloak-user mailing list archive at Nabble.com.
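Both of ebondu's posts in this thread (the setup steps that put keycloak.json in /src/public, and this diagnosis that the file is not reachable from the browser) come down to the same failure: the adapter fetches keycloak.json and gets something other than the expected JSON, which then surfaces as "Unexpected token < in JSON at position 0" or, once a partial file loads, as "Cannot read property 'charAt' of undefined" inside getRealmUrl. The block below is an added example, not code from this thread or from the @ebondu/angular2-keycloak library: a pre-flight check that fetches the file and reports the concrete cause (HTTP error, an HTML page served in place of the file, unparseable JSON, or missing fields) before the adapter is initialised. The field names are the standard Keycloak adapter keys ("realm", "auth-server-url", "resource"); the function names, the sample bodies and the fetch stand-in are constructed for the example.

```javascript
// Added example (not the thread's or the library's code): pre-flight check of keycloak.json
// so a misplaced or mis-served file is reported clearly instead of failing inside the adapter.

// Keys the Keycloak JS adapter needs to build its URLs; the rest of the file is optional.
const REQUIRED_KEYS = ['realm', 'auth-server-url', 'resource'];

// Pure check over an already-fetched response. Returns {ok: true, config} or
// {ok: false, reason}; the caller decides how to surface the reason.
function checkKeycloakConfigResponse(url, status, body) {
  if (status !== 200) {
    return {
      ok: false,
      reason: `${url}: HTTP ${status} (is keycloak.json copied into the served static directory?)`,
    };
  }
  // A dev server with a history-API fallback answers 200 + index.html for unknown paths;
  // JSON.parse of that page is the "Unexpected token <" error quoted in the thread.
  if (/^\s*</.test(body)) {
    return { ok: false, reason: `${url}: got HTML instead of JSON (dev server probably served index.html)` };
  }
  let config;
  try {
    config = JSON.parse(body);
  } catch (err) {
    return { ok: false, reason: `${url}: not valid JSON (${err.message})` };
  }
  // A file without realm / auth-server-url only fails later, as "charAt of undefined"
  // inside the adapter's URL builder; catch it here with the field names instead.
  const missing = REQUIRED_KEYS.filter((k) => typeof config[k] !== 'string' || config[k] === '');
  if (missing.length > 0) {
    return { ok: false, reason: `${url}: missing field(s) ${missing.join(', ')}` };
  }
  return { ok: true, config };
}

// Browser entry point: fetch the file, then run the check. `fetchImpl` defaults to the
// global fetch so a stand-in can be injected in tests.
async function loadKeycloakConfig(url, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(url);
  return checkKeycloakConfigResponse(url, response.status, await response.text());
}

// Constructed sample responses, standing in for what a dev server might return.
const GOOD_BODY = JSON.stringify({
  realm: 'demo',
  'auth-server-url': 'http://localhost:8080/auth',
  'ssl-required': 'external',
  resource: 'my-app',
  'public-client': true,
});
const INDEX_HTML = '<!doctype html>\n<html><head><title>my-app</title></head><body></body></html>';
const INCOMPLETE_BODY = JSON.stringify({ resource: 'my-app', 'public-client': true });

// Runs the check against each constructed case and returns the results by name.
function demo() {
  return {
    good: checkKeycloakConfigResponse('/keycloak.json', 200, GOOD_BODY),
    fallbackHtml: checkKeycloakConfigResponse('/keycloak.json', 200, INDEX_HTML),
    notFound: checkKeycloakConfigResponse('/keycloak.json', 404, '<html><body>Not Found</body></html>'),
    incomplete: checkKeycloakConfigResponse('/keycloak.json', 200, INCOMPLETE_BODY),
  };
}

// Assumed usage in a component's ngOnInit (illustrative, not the library's API):
//   loadKeycloakConfig('/keycloak.json').then((r) => {
//     if (!r.ok) { console.error(r.reason); return; }
//     this.keycloak.init({ onLoad: 'login-required' });
//   });
```

The check is deliberately split from the fetch: checkKeycloakConfigResponse is a pure function over status and body, so it can be unit-tested against the exact bodies a dev server returns, while loadKeycloakConfig is the thin browser wrapper. Note that the 200-with-HTML case is the one that matches Brian's trace above (the request succeeded, the body was the SPA's index page), and it is the case a plain status check would miss.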
From mailamitarora at gmail.com Mon Jan 30 15:36:20 2017
From: mailamitarora at gmail.com (Amit Arora)
Date: Mon, 30 Jan 2017 15:36:20 -0500
Subject: [keycloak-user] Authenticator implementation
Message-ID:

I was implementing Authenticator in the 2.2.0 version; in 2.5.1 it is not working, it is not recognising the class org.keycloak.authentication.Authenticator. What needs to be done in this version?

Amit

From scope022 at gmail.com Mon Jan 30 15:53:13 2017
From: scope022 at gmail.com (Brian Schofield)
Date: Mon, 30 Jan 2017 14:53:13 -0600
Subject: [keycloak-user] Angular 2 with Webpack
In-Reply-To: <1485808228624-2530.post@n6.nabble.com>
References: <1485544392592-2495.post@n6.nabble.com> <1485555557374-2500.post@n6.nabble.com> <1485793694866-2523.post@n6.nabble.com> <1485803899381-2527.post@n6.nabble.com> <1485808228624-2530.post@n6.nabble.com>
Message-ID:

We figured out the issue. Yes, the keycloak.json file was not in the appropriate directory. Webpack was not moving my static files into my distribution directory. We are currently getting prompted to login. I've got a few more use cases I need to develop using keycloak, I will let you know if anything else pops up.

-Brian

On Mon, Jan 30, 2017 at 2:30 PM, ebondu wrote:

> The keycloak.json looks to no be accessible from your browser, place it
> correctly in your project to make it accessible (my-app/src/public/ in my
> example)
>
>
> Brian Schofield wrote
> > Do note that I am getting console out that says 'initializing Keycloak
> > method' however it's seems that the request for the keycloak.json is
> > returning html.
>
> Can you share the html result for the request to keycloak.json to confirm
> it is a 404 error page?
>
>
>
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Angular-2-with-Webpack-tp2493p2530.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Brian Schofield

From asrafalianwarali.shaikh at gi-de.com Mon Jan 30 23:04:11 2017
From: asrafalianwarali.shaikh at gi-de.com (Shaikh Asrafali Anwarali)
Date: Tue, 31 Jan 2017 04:04:11 +0000
Subject: [keycloak-user] implementing new password policy
Message-ID:

Hi,

Hope you are doing well.

I am currently trying to implement a new password policy. Is there any kind of documentation or guide available which helps with the implementation, or any example?

Thanks in advance.

Regards,
Asraf Shaikh

From sthorger at redhat.com Tue Jan 31 02:59:56 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 31 Jan 2017 08:59:56 +0100
Subject: [keycloak-user] Conflict with LastPass Chrome Extension
In-Reply-To:
References:
Message-ID:

This is clearly a bug in LastPass, but there are similar bugs in other extensions, so we should guard against it. We used to do that, but it seems that was lost when we recently redid this stuff. Feel free to create a bug report for it.

On 30 January 2017 at 15:34, Alessandro Segatto wrote:

> Hi,
> we found a conflict between LastPass chrome extension (version 4.1.38) and
> Keycloak js adapter (version 2.5). LastPass is sending a message to login
> status iframe, which crashes while trying to parse it! I think LastPass
> caused the issue with his last update, but i think you should also be
> interested in solving this lack of robustness. If you agree, I can open an
> issue on Jira.
> I made an attempt also with angular2-product-app, but i run into a similar
> issue (LastPass and Keycloak messaging one the other, then crashing)
>
> Thanks,
> Alessandro Segatto
> --
>
> Ing.
> Alessandro Segatto
> Software Engineer
> Research and Development
>
> *ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
> Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com
>
> Pursuant to Legislative Decree No. 196/2003, you are hereby informed that
> this message contains confidential information intended only for the use of
> the addressee. If you are not the addressee, and have received this message
> by mistake, please delete it and immediately notify us. You may not copy or
> disseminate this message to anyone. Thank you.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Tue Jan 31 03:07:07 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 31 Jan 2017 09:07:07 +0100
Subject: [keycloak-user] web origins of clients and using wildcards
In-Reply-To:
References:
Message-ID:

'*' as value for web origin works just fine here so I can't reproduce your issue. What version? If you're not on the latest release, try upgrading.

On 26 January 2017 at 09:31, Christian Froehlich < christian.froehlich at agfa.com> wrote:

> Hi,
>
> the tool tip of Web Origins at the client administration ui says: "...To
> permit all origins add '*'.", but it doesn't work. It seems that wildcards
> in web origins do not work at all. Using wildcards would be great in our
> development sites where we often work with ips instead of real dns names.
> So currently we have to add a set of web origins with the possible ips
> like https://192.168.99.100, https://192.168.99.101,...
> Is it a bug or just a wrong tool tip or am I completely wrong with my
> assumption?
>
> Regards Christian
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mark.pardijs at topicus.nl Tue Jan 31 03:43:00 2017
From: mark.pardijs at topicus.nl (Mark Pardijs)
Date: Tue, 31 Jan 2017 08:43:00 +0000
Subject: [keycloak-user] Validation of IdP SAML signatures using KeyInfo
In-Reply-To:
References: <8646658B-0433-41A6-B335-81B6A3E5A558@topicus.nl> <25DF7C02-075A-4577-847F-995CD4ED472E@topicus.nl> <82384497-ffb5-9d4b-8f04-d11d6567c08b@redhat.com>
Message-ID:

Yep, that's what I mean ;) That still leaves me curious why the XmlSignatureUtil is looking up the keyName when in the end this keyName is never used...

> On 30 Jan 2017, at 13:39, Hynek Mlnarik wrote:
>
> Keys specified in admin console are checked regardless of key ID. This applies just the same to the case when there is only a single key.
>
> On 01/30/2017 12:54 PM, Mark Pardijs wrote:
>> Ah OK, I see what you mean, so the idea is, when no key is found using the key hint all keys are checked. But what if I do provide a KeyName hint in the SAML, then I still see a mismatch between the code and the Keycloak admin frontend, the code is returning the first key regardless which key id is provided, but in the frontend, no key id's can be specified, just a comma separated list. Can you clarify this?
>>
>> On 30 Jan 2017, at 12:09, Hynek Mlnarik wrote:
>>
>> Thanks for the report. Fix for item 1 is on the way [1]. Item 2 - validation - goes enumerating all available keys if getKey() returns null so that part should work fine.
>>
>> --Hynek
>>
>> On 01/30/2017 10:55 AM, Mark Pardijs wrote:
>> Hi,
>>
>> Ad 1: Just created the issue: https://issues.jboss.org/browse/KEYCLOAK-4329
>> Ad 2: Multiple keys can be provided to the HardcodedKeyLocator, but I see the following code for checking a specific key:
>>
>> public Key getKey(String kid) {
>>     if (this.keys.size() == 1) {
>>         return this.keys.iterator().next();
>>     } else {
>>         return null;
>>     }
>> }
>>
>> And the XMLSignatureUtil is using locator.getKey(keyName) for looking up the keys.
>>
>> So even if I would provide a KeyName in my SAML, it would return the first configured SAML certificate, right?
>>
>> On 30 Jan 2017, at 10:42, Hynek Mlnarik wrote:
>>
>> Hi,
>>
>> Ad 1: Could you file a JIRA with more details (NPE stacktrace, Keycloak version) for this? Keycloak handles cases where KeyName is not present by checking all available keys.
>>
>> Ad 2: HardcodedKeyLocator works with a collection of keys so it matches multiple keys configuration. Maybe the cause of this question is related to Item 1, let's resolve that issue first.
>>
>> --Hynek
>>
>> On 01/30/2017 10:09 AM, Mark Pardijs wrote:
>> Hi,
>>
>> Originally posted at the keycloak-dev list, Hynek Mlnarik asked me to post this here.
>>
>> We use a SAML IdP which is configured in Keycloak as federated IdP, and I've a question concerning the validation of SAML signatures. In Keycloak's Identity provider config page, the validating X509 Certificates can be configured, with description "The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,)." but in the code, I see that for checking the signatures a "HardcodedKeyLocator" is used, which does not use the keyName provided in the SAML but always returns the first configured certificate. See org.keycloak.broker.saml.SAMLEndpoint.Binding#getIDPKeyLocator which returns a HardcodedKeyLocator for details.
>>
>> This code is recently added to solve https://issues.jboss.org/browse/KEYCLOAK-1881, see commit https://github.com/keycloak/keycloak/commit/70a8255eae0af64628f07326df1c73d86c1b9fd2.
>>
>> My two questions concerning this approach:
>>
>> 1. Keycloak is currently expecting a KeyInfo element with a KeyName in the incoming SAML message, while this is not a required element in the SAML specs. Are there plans to check the signature against the configured X509 certificates without having to provide a KeyInfo element? Currently I'm facing a NullPointer exception when sending a SAMLResponse without KeyInfo.
>>
>> 2. What's the idea behind the HardcodedKeyLocator? It doesn't seem to match with the multiple keys configuration option in Keycloak's frontend. Is this a preliminary approach which should be extended?
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From bruno at abstractj.org Tue Jan 31 04:15:24 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 31 Jan 2017 07:15:24 -0200
Subject: [keycloak-user] Authenticator implementation
In-Reply-To:
References:
Message-ID: <20170131091524.GA14372@abstractj.org>

A lot of things changed since 2.2.0. I suggest double-checking our examples[1] and seeing if you have the same dependencies.
[1] - https://github.com/keycloak/keycloak/tree/master/examples/providers/authenticator

On 2017-01-30, Amit Arora wrote:
> I was implementing Authenticator in 2.2.0 version , in 2.5.1 it is not
> working , it is not recognising the class
> org.keycloak.authentication.Authenticator;
>
> What needs to be done in this version
>
> Amit
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--

abstractj

From bruno at abstractj.org Tue Jan 31 04:18:42 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 31 Jan 2017 07:18:42 -0200
Subject: [keycloak-user] UserFederationProvider
In-Reply-To:
References:
Message-ID: <20170131091842.GB14372@abstractj.org>

Please, look at the examples. I believe there's some dependency missing in your project.

On 2017-01-30, Amit Arora wrote:
> Hi,
>
> I was using UserFederationProvider in 2.2.0 , now i can not find this class
> in 2.5.1 .. what is the equivalent to it. I have my code written based on
> this,
>
> Thanks
> Amit
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--

abstractj

From niko at n-k.de Tue Jan 31 05:40:09 2017
From: niko at n-k.de (Niko Köbler)
Date: Tue, 31 Jan 2017 11:40:09 +0100
Subject: [keycloak-user] UserFederationProvider
In-Reply-To: <20170131091842.GB14372@abstractj.org>
References: <20170131091842.GB14372@abstractj.org>
Message-ID: <1D2861EC-CBED-4C30-B9EA-80C6636FF146@n-k.de>

UserFederationProvider was deprecated in 2.3.0 and, if I'm right, removed in 2.5.0.
You now have to use the UserStorage SPI; there is an example...
User Storage SPI works slightly differently, but IMO much better! Most of the federation code can be re-used though.

- Niko

> On 31.01.2017 at 10:18, Bruno Oliveira wrote:
>
> Please, look at the examples.
> I believe there's some dependency missing
> at your project.
>
> On 2017-01-30, Amit Arora wrote:
>> Hi,
>>
>> I was using UserFederationProvider in 2.2.0 , now i can not find this class
>> in 2.5.1 .. what is the equivalent to it. I have my code written based on
>> this,
>>
>> Thanks
>> Amit
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From niko at n-k.de Tue Jan 31 05:46:46 2017
From: niko at n-k.de (Niko Köbler)
Date: Tue, 31 Jan 2017 11:46:46 +0100
Subject: [keycloak-user] Angular 2 with Webpack
In-Reply-To:
References: <1485544392592-2495.post@n6.nabble.com> <1485555557374-2500.post@n6.nabble.com> <1485793694866-2523.post@n6.nabble.com> <1485803899381-2527.post@n6.nabble.com> <1485808228624-2530.post@n6.nabble.com>
Message-ID:

I didn't have the time to really dive into it, but what I observed so far:
- keycloak-js with React.js and plain JavaScript, bundled with Webpack 1, works like a charm.
- keycloak-js with Angular 2 and TypeScript, bundled with Webpack 2, results in errors.

So, the cause might be Webpack 2 or TypeScript... (I think it's TypeScript)

My quick solution was to add keycloak-js with standard