From akaya at expedia.com Wed Mar 1 01:04:31 2017
From: akaya at expedia.com (Sarp Kaya)
Date: Wed, 1 Mar 2017 06:04:31 +0000
Subject: [keycloak-user] Configuring keycloak with JSON instead of UI
Message-ID:

I have been experimenting with import/exports more.

Essentially my end goal is, I want to get the JSON of the changes that I have done on UI so that I can import it to other Keycloak instances in other environments. For instance I can do my changes on test environment and then just import them to production environment, without manually doing these changes through UI.

In terms of exporting it seems like only command line option exists. In terms of importing, there is an import via UI and import via command line.

Command line import doesn't really work if the realm already exists. You can opt in to overwrite existing realm; but that actually removes the entire realm with the users; where the old users are not retrieved back.

Importing via UI, seems like this can be done with two options, first one is via create realm; which works perfectly fine.

However, if I have an existing realm, and I want to overwrite some changes, then it only works for clients, IDPs, realm roles and client roles. For instance, if I were to enable brute force detection, there is no way to import this setting to an existing realm.

So this is basically what I want to accomplish. I want to be able to copy changed UI configurations to another keycloak instance, so that I would avoid manual UI configurations.

Next thing I will be trying is to see if this endpoint for updating configuration works:
http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_update_the_top_level_information_of_the_realm

Otherwise, I do not really see any other way to get that changed.
Thanks,
Sarp

On 2/15/2017 1:06 AM, Sarp Kaya wrote:
> Hello,
>
> I'm aware of keycloak import/export functionality but when I export keycloak configuration it exports with a bunch of ids.
> I'm guessing this is useful for back-ups or duplicating the entire environment.
> My problem is, say if you have different environments with slight configuration differences (because environments probably have different keys, URLs etc.) but would like to keep majority of the configuration the same; then this export/import becomes unusable:
>
>
> 1) Everything has an id, so therefore just exporting and then importing singular item will not work due to id mismatch.
If I recall, if you remove an id, a new one will be created. However, sometimes an id is used to refer to other things in the data structure so you have to be careful (Again, going from memory here. Test early and often).
>
> 2) During the import, it's not possible to select what can be overwritten and what can be skipped. Importing condition applies for all.
>
> My question is, what is the best practice to configure keycloak in multiple environments?
This can get incredibly complex due to dependencies between entities. But if you keep it simple enough the current import facilities can suffice.

The best answer I can give is that it just depends on what you are trying to do.

From mposolda at redhat.com Wed Mar 1 05:05:05 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 1 Mar 2017 11:05:05 +0100
Subject: [keycloak-user] Configuring keycloak with JSON instead of UI
In-Reply-To:
References:
Message-ID: <680e5280-32c8-3d80-5063-96599824ed0d@redhat.com>

On 01/03/17 07:04, Sarp Kaya wrote:
> I have been experimenting with import/exports more.
> Essentially my end goal is, I want to get the JSON of the changes that I have done on UI so that I can import it to other Keycloak instances in other environments. For instance I can do my changes on test environment and then just import them to production environment, without manually doing these changes through UI.
>
> In terms of exporting it seems like only command line option exists.
> In terms of importing, there is an import via UI and import via command line.
>
> Command line import doesn't really work if the realm already exists. You can opt in to overwrite existing realm; but that actually removes the entire realm with the users; where the old users are not retrieved back.
>
> Importing via UI, seems like this can be done with two options, first one is via create realm; which works perfectly fine.
>
> However, if I have an existing realm, and I want to overwrite some changes, then it only works for clients, IDPs, realm roles and client roles. For instance, if I were to enable brute force detection, there is no way to import this setting to an existing realm.
>
> So this is basically what I want to accomplish. I want to be able to copy changed UI configurations to another keycloak instance, so that I would avoid manual UI configurations.
>
> Next thing I will be trying is to see if this endpoint for updating configuration works:
> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_update_the_top_level_information_of_the_realm
Yes, that should work. You can load the realm JSON from the old server and then use the update endpoint you mentioned and import the realm configuration to the new server.

You can create a JIRA to request updating realm configurations via export/import without deleting existing users. But I am not sure when we will fix that (if you don't send a PR yourself :). So doing it via REST is likely the better option.

Marek
>
> Otherwise, I do not really see any other way to get that changed.
> Thanks,
> Sarp
>
> On 2/15/2017 1:06 AM, Sarp Kaya wrote:
>> Hello,
>>
>> I'm aware of keycloak import/export functionality but when I export keycloak configuration it exports with a bunch of ids. I'm guessing this is useful for back-ups or duplicating the entire environment.
>> My problem is, say if you have different environments with slight configuration differences (because environments probably have different keys, URLs etc.)
>> but would like to keep majority of the configuration the same; then this export/import becomes unusable:
>>
>>
>> 1) Everything has an id, so therefore just exporting and then importing singular item will not work due to id mismatch.
> If I recall, if you remove an id, a new one will be created. However,
> sometimes an id is used to refer to other things in the data structure
> so you have to be careful (Again, going from memory here. Test early
> and often).
>> 2) During the import, it's not possible to select what can be overwritten and what can be skipped. Importing condition applies for all.
>>
>> My question is, what is the best practice to configure keycloak in multiple environments?
> This can get incredibly complex due to dependencies between entities.
> But if you keep it simple enough the current import facilities can suffice.
>
> The best answer I can give is that it just depends on what you are
> trying to do.
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ansarihaseb at gmail.com Wed Mar 1 05:14:28 2017
From: ansarihaseb at gmail.com (Haseb Ansari)
Date: Wed, 1 Mar 2017 11:14:28 +0100
Subject: [keycloak-user] Custom social identity provider in Keycloak 2.5.1
Message-ID:

Hello Keycloak users,

As everyone knows, keycloak provides many social IDP login methods such as facebook, google, twitter, etc. But in my case, I have to integrate a custom social IDP in keycloak.

Can anyone help me as to how I can start with the implementation of a Custom Social IDP in keycloak.

Thanks in advance !!!!
Regards,
Haseb

From sts at ono.at Wed Mar 1 06:12:58 2017
From: sts at ono.at (Stefan Schlesinger)
Date: Wed, 1 Mar 2017 12:12:58 +0100
Subject: [keycloak-user] Direct Grants API & OTP
In-Reply-To: <704bf2f7-0bf7-4b4e-f151-3022a32a1d22@redhat.com>
References: <301556EB-7C48-443E-8647-432C0836AE86@ono.at> <704bf2f7-0bf7-4b4e-f151-3022a32a1d22@redhat.com>
Message-ID:

Hi Marek,

if I can follow you correctly, you are talking about configuring the OTP challenge as an optional action during the authentication process of the Direct Grants API flow. This doesn't help me with avoiding unnecessarily prompting the user for a 2FA token, because it was never configured.

My Setup:

[Keycloak] - [Radius] - [NAS (VPN Gateway)] - [Client (VPN Client)]

IMO my Radius server, which is talking via the OpenID Connect Direct Grants API to Keycloak, needs to determine whether a given user has a configured OTP device, so I can decide in my Radius module whether to send an additional Access-Challenge request to the NAS, which will trigger a 2FA input dialog at the VPN client.

Radius is a session based protocol. A session consists of multiple corresponding requests and responses between the Radius server and the NAS, the flow is like this:

Client -> NAS: Login via Username=foo, Password=bar
NAS -> Radius: Access-Request (Username=foo, User-Password=bar)

Now I'd need to find out whether the user needs to be challenged via 2FA. In case it was configured, we continue like this:

Radius -> NAS: Access-Challenge (Please provide OTP token.)
NAS -> Client: Please provide OTP Token.
Client -> NAS: TOTP=12345
NAS -> Radius: Access-Request (Username=foo, User-Password=12345)
Radius -> Keycloak: username=foo&password&totp=12345
Keycloak -> Radius: 200 or 401
Radius -> NAS: Access-Accept or Access-Reject

Best,

Stefan.

> On 23 Feb 2017, at 13:55, Marek Posolda wrote:
>
> Hmm.. I am looking at class ValidateOTP and there is initial call to check whether OTP is
> configured for the user.
> Once you have this authenticator OPTIONAL, it should work.
> Do you have this OPTIONAL? Are you using this or other authenticator?
>
> Marek
>
> On 23/02/17 11:54, Stefan Schlesinger wrote:
>> Hello,
>>
>> I'm using the Direct Grants API as authentication backend for our Radius server.
>>
>> Currently I'm unable to determine whether a user already has an OTP token configured or not,
>> and thus our Radius server always prompts the user with an Access-Challenge dialog.
>>
>> Users who haven't configured an OTP token yet won't be able to login, or in case I can work
>> around this issue, will at least be presented with a question for an OTP token, which they
>> are not aware of.
>>
>> Is there a way how I could improve this? Eg. an API call, which authenticated OpenIDC
>> clients can trigger?
>>
>> Best,
>>
>> Stefan.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From ssilvert at redhat.com Wed Mar 1 08:51:42 2017
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 1 Mar 2017 08:51:42 -0500
Subject: [keycloak-user] Configuring keycloak with JSON instead of UI
In-Reply-To:
References:
Message-ID:

So it sounds like you want to add realm settings to the UI-based partial import?

Is it really that time consuming to do it manually?

On 3/1/2017 1:04 AM, Sarp Kaya wrote:
> I have been experimenting with import/exports more.
> Essentially my end goal is, I want to get the JSON of the changes that I have done on UI so that I can import it to other Keycloak instances in other environments. For instance I can do my changes on test environment and then just import them to production environment, without manually doing these changes through UI.
>
> In terms of exporting it seems like only command line option exists. In terms of importing, there is an import via UI and import via command line.
>
> Command line import doesn't really work if the realm already exists. You can opt in to overwrite existing realm; but that actually removes the entire realm with the users; where the old users are not retrieved back.
>
> Importing via UI, seems like this can be done with two options, first one is via create realm; which works perfectly fine.
>
> However, if I have an existing realm, and I want to overwrite some changes, then it only works for clients, IDPs, realm roles and client roles. For instance, if I were to enable brute force detection, there is no way to import this setting to an existing realm.
>
> So this is basically what I want to accomplish. I want to be able to copy changed UI configurations to another keycloak instance, so that I would avoid manual UI configurations.
>
> Next thing I will be trying is to see if this endpoint for updating configuration works:
> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_update_the_top_level_information_of_the_realm
>
> Otherwise, I do not really see any other way to get that changed.
> Thanks,
> Sarp
>
> On 2/15/2017 1:06 AM, Sarp Kaya wrote:
>> Hello,
>>
>> I'm aware of keycloak import/export functionality but when I export keycloak configuration it exports with a bunch of ids. I'm guessing this is useful for back-ups or duplicating the entire environment.
>> My problem is, say if you have different environments with slight configuration differences (because environments probably have different keys, URLs etc.) but would like to keep majority of the configuration the same; then this export/import becomes unusable:
>>
>>
>> 1) Everything has an id, so therefore just exporting and then importing singular item will not work due to id mismatch.
> If I recall, if you remove an id, a new one will be created. However,
> sometimes an id is used to refer to other things in the data structure
> so you have to be careful (Again, going from memory here. Test early
> and often).
>> 2) During the import, it's not possible to select what can be overwritten and what can be skipped. Importing condition applies for all.
>>
>> My question is, what is the best practice to configure keycloak in multiple environments?
> This can get incredibly complex due to dependencies between entities.
> But if you keep it simple enough the current import facilities can suffice.
>
> The best answer I can give is that it just depends on what you are
> trying to do.
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jay at kpibench.com Wed Mar 1 10:24:05 2017
From: jay at kpibench.com (Patrick Brunmayr)
Date: Wed, 1 Mar 2017 16:24:05 +0100
Subject: [keycloak-user] Get rid of /auth/realms/
Message-ID:

Hello

How can I disable access to this kind of URL?

http://localhost:8080/auth/realms/master

There is always a JSON output. I don't want anyone to see this. How can I disable that?

Thank you

From robert.discussions at gmail.com Wed Mar 1 10:42:50 2017
From: robert.discussions at gmail.com (Robert .)
Date: Wed, 1 Mar 2017 16:42:50 +0100
Subject: [keycloak-user] kid and x5t jwt header
Message-ID:

Hi,

A (.net) application has stored multiple certificates. It wants to choose the appropriate certificate to validate the signature in the received jwt. Regarding this I have the following questions.

What exactly is the key ID (kid) header in the jwt? Is it possible to use this to find the right certificate?

Is it possible to add an x.509 certificate thumbprint (x5t) header in the jwt created by keycloak? Is there a feature request for this? Could I implement this myself via some extension mechanism? Or do I need to add it in the core source code and submit it to be included in the keycloak product?
Regards, Robert From plunkett_mcgurk at accelerite.com Wed Mar 1 11:47:40 2017 From: plunkett_mcgurk at accelerite.com (Plunkett McGurk) Date: Wed, 1 Mar 2017 16:47:40 +0000 Subject: [keycloak-user] SSO Session Idle and Keycloak-js Message-ID: Hi Guys, I have an Angular2 application utilising the Keycloak Javascript (v2.3.0) adapter. The application uses the 'login-required' on load option and the session status iframe is enabled. However I have noticed a potential problem regarding the function of SSO Session Idle. According to the documentation both the token and session are invalidated when either the SSO Session Idle time or SSO Session Max values have been reached. If the SSO Session Max value is reached the user is automatically redirected to the Login screen however if the idle time is reached (idle time set to 5mins, Session max set to 30 mins) no redirect happens and any subsequent attempt to access keycloak results in the following error because of the expired token POST http://sso.keycloak-server.com/auth/realms/iot/protocol/openid-connect/token 400 (Bad Request) {"error":"invalid_grant","error_description":"Refresh token expired"} So is the lack of redirect to login expected behavior when the SSO Session Idle time has been exceeded? Thanks Plunkett DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. 
From kevin.thorpe at p-i.net Wed Mar 1 12:13:04 2017 From: kevin.thorpe at p-i.net (Kevin Thorpe) Date: Wed, 1 Mar 2017 17:13:04 +0000 Subject: [keycloak-user] Get rid of /auth/realms/ In-Reply-To: References: Message-ID: I think there was some talk of disabling or restricting realms. However, for customers we front Keycloak with Nginx as a reverse proxy and filter the master realm there so it is only available inside our network. Kevin Thorpe *VP Enterprise Platform* w: www.p-i.net p: *+44 (0)20 3005 6750 <+44%2020%203005%206750>* a: 7th Floor, 52 Grosvenor Gardens, London SW1W 0AU _________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited On 1 March 2017 at 15:24, Patrick Brunmayr wrote: > Hello > > How can i disable access to this kind of URls ? > > http://localhost:8080/*auth/realms/master* > > There is a always a JSON output. I dont want anyone to see this ? How can i > disable that ? 
>
> Thank you
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From akaplan at findyr.com Wed Mar 1 12:55:05 2017
From: akaplan at findyr.com (Adam Kaplan)
Date: Wed, 1 Mar 2017 12:55:05 -0500
Subject: [keycloak-user] Proposal: More Secure PasswordHashProviders
Message-ID:

My company has a client whose security prerequisites require us to store passwords using SHA-2 or better for the hash (SHA-512 ideal). We're looking to migrate our user management functions to Keycloak, and I noticed that hashing with SHA-1 is the only provider out of the box.

I propose adding the following providers (and will be happy to contribute!), using the hash functions available in the Java 8 runtime environment:

1. PBKDF2WithHmacSHA224
2. PBKDF2WithHmacSHA256
3. PBKDF2WithHmacSHA384
4. PBKDF2WithHmacSHA512

I also propose marking the current Pbkdf2PasswordHashProvider as deprecated, now that a real SHA-1 hash collision has been published by Google Security.

--
*Adam Kaplan*
Senior Engineer
findyr
m 914.924.5186 | e akaplan at findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036

From john.d.ament at gmail.com Wed Mar 1 13:28:00 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 01 Mar 2017 18:28:00 +0000
Subject: [keycloak-user] Proposal: More Secure PasswordHashProviders
In-Reply-To:
References:
Message-ID:

I deal with similarly concerned customer bases. I would be happy to see some of these algorithms added. +1

On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan wrote:

> My company has a client whose security prerequisites require us to store
> passwords using SHA-2 or better for the hash (SHA-512 ideal). We're looking
> to migrate our user management functions to Keycloak, and I noticed that
> hashing with SHA-1 is the only provider out of the box.
> > I propose adding the following providers (and will be happy to > contribute!), using the hash functions available in the Java 8 runtime > environment: > > 1. PBKDF2WithHmacSHA224 > 2. PBKDF2WithHmacSHA256 > 3. PBKDF2WithHmacSHA384 > 4. PBKDF2WithHmacSHA512 > > I also propose marking the current Pbkdf2PasswordHashProvider as > deprecated, now that a real SHA-1 hash collision has been published by > Google Security. > > -- > *Adam Kaplan* > Senior Engineer > findyr > m 914.924.5186 <(914)%20924-5186> > | e > akaplan at findyr.com > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From thomas.darimont at googlemail.com Wed Mar 1 14:20:09 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Wed, 1 Mar 2017 20:20:09 +0100 Subject: [keycloak-user] kid and x5t jwt header In-Reply-To: References: Message-ID: Hello Robert, yes, you can use the kid to identify the public key from the keys / or certs endpoints that can be used to verify the signature of the JWT token. "Certs Endpoint": http://localhost:8081/auth/realms/$REALM/protocol/openid-connect/certs This endpoint shows all keys without any authentication. "Keys Endpoint": http://localhost:8081/auth/admin/realms/$REALM/keys This is the internal admin REST resource which also provides access to the keys. Note that you need at least one realm role to access this endpoint. "Realm Endpoint": http://localhost:8081/auth/realms/$REALM This seems to only show the currently active public key. The following example shows 3 ways to retrieve the realm public key and verify a JWT token: https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde Cheers, Thomas 2017-03-01 16:42 GMT+01:00 Robert . : > Hi, > A (.net) application has stored multiple certificates. 
> It wants to choose
> the appropriate certificate to validate the signature in the received jwt.
> Regarding this I have the following questions.
>
> What exactly is the key ID (kid) header in the jwt? Is it possible to use
> this to find the right certificate?
>
> Is it possible to add an x.509 certificate thumbprint (x5t) header in the
> jwt created by keycloak? Is there a feature request for this? Could I
> implement this myself via some extension mechanism?
> Or do I need to add it in the core source code and submit it to be included
> in the keycloak product?
>
> Regards,
> Robert
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From john.d.ament at gmail.com Wed Mar 1 17:07:10 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 01 Mar 2017 22:07:10 +0000
Subject: [keycloak-user] Performance Testing keycloak
In-Reply-To:
References:
Message-ID:

This is a tool that would be useful, however it's extremely hard to understand to be honest. I don't see anywhere in here that I'm configuring the users that the gatling test actually uses to login to the system. Are you pre-filling that?

I also have some concerns that the API signatures are different enough that the JSON isn't correct over the wire.

John

On Tue, Feb 28, 2017 at 2:58 PM Thomas Darimont <thomas.darimont at googlemail.com> wrote:

> Hello John,
>
> you could have a look at the gatling based benchmark here:
> https://github.com/rvansa/keycloak-benchmark
> It seems that it uses a cookie based auth.
>
> Cheers,
> Thomas
>
> 2017-02-28 17:49 GMT+01:00 John D. Ament :
>
> Hi,
>
> I wanted to put together some basic perf tests of keycloak. I'm logging in
> as an admin and doing some basic create user operations.
>
> I wrote a simple gatling script to do this work. One issue I'm seeing is
> that gatling is grabbing the bearer header in the request.
> I was
> wondering, do I need to send the bearer or can keycloak rely on the cookie
> alone?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From iwetta.sowa at gmail.com Wed Mar 1 17:24:53 2017
From: iwetta.sowa at gmail.com (Iwetta Sowa)
Date: Wed, 1 Mar 2017 23:24:53 +0100
Subject: [keycloak-user] knowing the url triggered the authentication process
Message-ID:

Hi,

Depending on the URL that triggered the authentication process I need to hide or show some elements on my login page.

I found some variables like ${url.loginUrl}, ${client.baseUrl}, ${url.loginResetCredentialsUrl}, ${url.loginAction}, but none of them display the URL that triggered the authentication process, only the current URL.

Is there some way to check the URL that triggers the authentication process?

Thank you for your help,

Best regards,
Iwetta

From DLustig at carbonite.com Wed Mar 1 17:47:28 2017
From: DLustig at carbonite.com (David Lustig)
Date: Wed, 1 Mar 2017 22:47:28 +0000
Subject: [keycloak-user] JAX-WS 2.2 on Keycloak 2.5.1
Message-ID:

Hello,

There are a number of WCF/SOAP services hosted on separate servers that I need to contact from within a custom Authenticator in Keycloak 2.5.1. For this task, I have generated SOAP service clients using JAX-WS 2.2 and deployed them with my custom authenticator. Whenever a user hits the authenticator during his login process, though, he gets the following error:

org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: javax/xml/ws/Service

The authenticator's module.xml file has the following dependencies listed:

I would have thought the javax.xml.ws.api dependency would have addressed the issue. Do you know how I can go about loading JAX-WS 2.2 web service clients in Keycloak 2.5.1, or if I should be using a different framework for SOAP calls (I've already tried Axis2, which had its own issues)?
Thank you for your help,
David Lustig

From adam.keily at adelaide.edu.au Wed Mar 1 18:23:53 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Wed, 1 Mar 2017 23:23:53 +0000
Subject: [keycloak-user] SAML Custom Attribute NameID
Message-ID:

Can anyone direct me on how to configure a custom attribute as the SubjectNameID for a SAML2 client? The format will be username but I want to use a custom attribute and not the username of the user. I've tried various mapping configurations but they just get sent as attributes alongside the subject nameid.

Thanks

From bruno at abstractj.org Thu Mar 2 04:39:44 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 02 Mar 2017 09:39:44 +0000
Subject: [keycloak-user] Proposal: More Secure PasswordHashProviders
In-Reply-To:
References:
Message-ID:

Hi Adam and John, I understand your concern. Although, collisions are not practical for key derivation functions. There's a long discussion about this subject here[1].

Anyways, you can file a Jira as a feature request. If you feel like you would like to attach a PR, better.

[1] - http://comments.gmane.org/gmane.comp.security.phc/973

On Wed, Mar 1, 2017 at 3:33 PM John D. Ament wrote:

> I deal with similarly concerned customer bases. I would be happy to see
> some of these algorithms added. +1
>
> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan wrote:
>
> > My company has a client whose security prerequisites require us to store
> > passwords using SHA-2 or better for the hash (SHA-512 ideal). We're
> looking
> > to migrate our user management functions to Keycloak, and I noticed that
> > hashing with SHA-1 is the only provider out of the box.
> >
> > I propose adding the following providers (and will be happy to
> > contribute!), using the hash functions available in the Java 8 runtime
> > environment:
> >
> > 1. PBKDF2WithHmacSHA224
> > 2. PBKDF2WithHmacSHA256
> > 3. PBKDF2WithHmacSHA384
> > 4.
> > PBKDF2WithHmacSHA512
> >
> > I also propose marking the current Pbkdf2PasswordHashProvider as
> > deprecated, now that a real SHA-1 hash collision has been published by
> > Google Security.
> >
> > --
> > *Adam Kaplan*
> > Senior Engineer
> > findyr
> > m 914.924.5186 | e
> > akaplan at findyr.com
> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dt at zyres.com Thu Mar 2 04:42:48 2017
From: dt at zyres.com (Danny Trunk)
Date: Thu, 2 Mar 2017 10:42:48 +0100
Subject: [keycloak-user] ClassNotFoundException: Custom UserStorageProvider
Message-ID:

Hello,

I've implemented a custom User Storage Provider to connect to a configurable (external) database through Hibernate/JDBC:

public class MyUserStorageProviderFactory implements UserStorageProviderFactory<MyUserStorageProvider> {
    // ...
    public MyUserStorageProvider create(KeycloakSession session, ComponentModel model) {
        logger.info(">>>>>> Creating factory");
        // Hibernate bootstrap driven by the provider's component config
        PersistenceConfig config = new PersistenceConfig(model.getConfig());
        entityManagerFactory = new HibernatePersistenceProvider()
                .createContainerEntityManagerFactory(getPersistenceUnitInfo(), config.asProperties());
        entityManager = entityManagerFactory.createEntityManager();
        return new MyUserStorageProvider(entityManager, session, model);
    }
    // ...
}

In src/main/resources/META-INF I've placed a file named jboss-deployment-structure.xml:

Although there's a dependency for org.postgresql I'm getting a ClassNotFoundException when trying to authenticate:

WARN [org.keycloak.services] (default task-6) KC-SERVICES0013: Failed authentication: org.hibernate.service.spi.ServiceException: Unable to create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
...
Caused by: org.hibernate.boot.registry.classloading.spi.ClassLoadingException: Unable to load class [org.postgresql.Driver]
...
Caused by: java.lang.ClassNotFoundException: Could not load requested class : org.postgresql.Driver

PostgreSQL is deployed as module as described here: https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/database/jdbc.html

From mposolda at redhat.com Thu Mar 2 05:02:36 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 2 Mar 2017 11:02:36 +0100
Subject: [keycloak-user] ClassNotFoundException: Custom UserStorageProvider
In-Reply-To:
References:
Message-ID:

Hi,

it seems that it is Hibernate, which is not able to find your classes. I guess that you are trying to configure JDBC URL, user and password directly in persistence.xml and that's maybe an issue. I suggest to rather configure the datasource in standalone.xml and then use the property "jta-data-source" in your persistence.xml pointing to that. Besides classloading issues, another advantage is, that you will automatically have connection-pooling, connection liveness checks (optional) etc.

See our example "providers/user-storage-jpa" for inspiration, which is doing the same.

Marek

On 02/03/17 10:42, Danny Trunk wrote:
> Hello,
>
> I've implemented a custom User Storage Provider to connect to a
> configurable (external) database through Hibernate/JDBC:
>
> public class MyUserStorageProviderFactory implements
> UserStorageProviderFactory {
> // ...
> public MyUserStorageProvider create(KeycloakSession session, ComponentModel model) {
> logger.info(">>>>>> Creating factory");
> PersistenceConfig config = new PersistenceConfig(model.getConfig());
> entityManagerFactory = new HibernatePersistenceProvider().createContainerEntityManagerFactory(getPersistenceUnitInfo(), config.asProperties());
> entityManager = entityManagerFactory.createEntityManager();
> return new MyUserStorageProvider(entityManager, session, model);
> }
> // ...
> }
>
> In src/main/resources/META-INF I've placed a file named
> jboss-deployment-structure.xml:
>
> Although there's a dependency for org.postgresql I'm getting a
> ClassNotFoundException when trying to authenticate:
> WARN [org.keycloak.services] (default task-6) KC-SERVICES0013: Failed
> authentication: org.hibernate.service.spi.ServiceException: Unable to
> create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
> ...
> Caused by:
> org.hibernate.boot.registry.classloading.spi.ClassLoadingException:
> Unable to load class [org.postgresql.Driver]
> ...
> Caused by: java.lang.ClassNotFoundException: Could not load requested
> class : org.postgresql.Driver
>
> PostgreSQL is deployed as module as described here:
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/database/jdbc.html

From aciuprin at mpi-bremen.de Thu Mar 2 05:12:55 2017
From: aciuprin at mpi-bremen.de (Andreea Ciuprina)
Date: Thu, 2 Mar 2017 11:12:55 +0100
Subject: [keycloak-user] Keycloak onLoad option

No, I am not using Angular CLI Dev. I am using React for my frontend application and Spring Boot for my backend application.

-----Original message-----
From: Kevin Marsden
Sent: Tuesday 28th February 2017 19:45
To: Andreea Ciuprina; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak onLoad option

Are you by any chance running on the Angular CLI Dev server, port 4200?

On Tue, Feb 28, 2017 at 8:27 PM Andreea Ciuprina wrote:

Hello!

I am running into the following issue when using the Keycloak JavaScript adapter in order to connect our React frontend client with the Keycloak server.

The following code, where the onLoad option is set to "login-required", causes the webpage to refresh every 10 seconds after logging in:

    const SEC_UPDATE_TOKEN = 30;
    const kc: Keycloak.KeycloakInstance = Keycloak("/keycloak.json");
    kc.init({onLoad: "login-required"}).success((authenticated: boolean) => {
        if (authenticated) {
            kc.updateToken(SEC_UPDATE_TOKEN).success(() => {
                loadData();
            }).error(() => {
                alert("Failed to refresh token");
            });
        }
        else {
            // show possibly other page here...
            kc.login();
        }
    }).error(() => {
        alert("failed to initialize");
    });

If I change the onLoad option to "check-sso", the problem disappears. Reading the documentation, i.e. this part:

    login-required will authenticate the client if the user is logged-in to Keycloak or display the login page if not.
    check-sso will only authenticate the client if the user is already logged-in, if the user is not logged-in the browser will be redirected back to the application and remain unauthenticated.

was not very clear for me regarding the behaviour that I am observing in my case.

Could you please explain to me the difference between "login-required" and "check-sso" and why using one of them instead of the other in my case causes the unwanted, constant page refresh?

Thank you!

Best regards,
Andreea

From dt at zyres.com Thu Mar 2 05:30:52 2017
From: dt at zyres.com (Danny Trunk)
Date: Thu, 2 Mar 2017 11:30:52 +0100
Subject: [keycloak-user] ClassNotFoundException: Custom UserStorageProvider
Message-ID: <046b953a-ec11-d170-108d-9d8bf6cf7f67@zyres.com>

I'm using the HibernatePersistenceProvider to create an EntityManagerFactory in order to configure url, username, password, ... as ProviderConfigProperty. This way I can omit the persistence.xml file and configure the connection properties in the admin console, which is better than editing XML files on the server to add datasources.

Before that I already tried the user-storage-jpa example and failed at using another datasource in the provider than keycloak internally uses. Keycloak should use its own local datasource and the user storage provider should use another, external postgres db.

On 02.03.2017 at 11:02, Marek Posolda wrote:
> Hi,
>
> it seems that it is Hibernate, which is not able to find your classes.
> I guess that you are trying to configure JDBC URL, user and password
> directly in persistence.xml and that's maybe an issue.
>
> I suggest to rather configure the datasource in standalone.xml and
> then use the property "jta-data-source" in your persistence.xml
> pointing to that. Besides classloading issues, another advantage is
> that you will automatically have connection-pooling, connection
> liveness checks (optional) etc. See our example
> "providers/user-storage-jpa" for inspiration, which is doing the same.
>
> Marek
>
> On 02/03/17 10:42, Danny Trunk wrote:
>> Hello,
>>
>> I've implemented a custom User Storage Provider to connect to a
>> configurable (external) database through Hibernate/JDBC:
>>
>> public class MyUserStorageProviderFactory implements UserStorageProviderFactory {
>> // ...
>> public MyUserStorageProvider create(KeycloakSession session, ComponentModel model) {
>> logger.info(">>>>>> Creating factory");
>> PersistenceConfig config = new PersistenceConfig(model.getConfig());
>> entityManagerFactory = new HibernatePersistenceProvider().createContainerEntityManagerFactory(getPersistenceUnitInfo(), config.asProperties());
>> entityManager = entityManagerFactory.createEntityManager();
>> return new MyUserStorageProvider(entityManager, session, model);
>> }
>> // ...
>> }
>>
>> In src/main/resources/META-INF I've placed a file named
>> jboss-deployment-structure.xml:
>>
>> Although there's a dependency for org.postgresql I'm getting a
>> ClassNotFoundException when trying to authenticate:
>> WARN [org.keycloak.services] (default task-6) KC-SERVICES0013: Failed
>> authentication: org.hibernate.service.spi.ServiceException: Unable to
>> create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
>> ...
>> Caused by:
>> org.hibernate.boot.registry.classloading.spi.ClassLoadingException:
>> Unable to load class [org.postgresql.Driver]
>> ...
>> Caused by: java.lang.ClassNotFoundException: Could not load requested
>> class : org.postgresql.Driver
>>
>> PostgreSQL is deployed as module as described here:
>> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/database/jdbc.html
>
>

From bburke at redhat.com Thu Mar 2 09:17:50 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 2 Mar 2017 09:17:50 -0500
Subject: [keycloak-user] ClassNotFoundException: Custom UserStorageProvider
Message-ID: <7cb8c6c1-766a-7ba6-7d5a-d0e95ad9dee2@redhat.com>

It's very difficult trying to hand code JPA.
There are a lot of dependencies you have to manually import through jboss-deployment-structure.xml and/or module.xml files. This is the reason I wrote a Keycloak deployer.

https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa
https://keycloak.gitbooks.io/documentation/server_development/topics/user-storage/packaging.html
https://keycloak.gitbooks.io/documentation/server_development/topics/user-storage/javaee.html

On 3/2/17 5:02 AM, Marek Posolda wrote:
> Hi,
>
> it seems that it is Hibernate, which is not able to find your classes. I
> guess that you are trying to configure JDBC URL, user and password
> directly in persistence.xml and that's maybe an issue.
>
> I suggest to rather configure the datasource in standalone.xml and then
> use the property "jta-data-source" in your persistence.xml pointing to
> that. Besides classloading issues, another advantage is that you will
> automatically have connection-pooling, connection liveness checks
> (optional) etc. See our example "providers/user-storage-jpa" for
> inspiration, which is doing the same.
>
> Marek
>
> On 02/03/17 10:42, Danny Trunk wrote:
>> Hello,
>>
>> I've implemented a custom User Storage Provider to connect to a
>> configurable (external) database through Hibernate/JDBC:
>>
>> public class MyUserStorageProviderFactory implements UserStorageProviderFactory {
>> // ...
>> public MyUserStorageProvider create(KeycloakSession session, ComponentModel model) {
>> logger.info(">>>>>> Creating factory");
>> PersistenceConfig config = new PersistenceConfig(model.getConfig());
>> entityManagerFactory = new HibernatePersistenceProvider().createContainerEntityManagerFactory(getPersistenceUnitInfo(), config.asProperties());
>> entityManager = entityManagerFactory.createEntityManager();
>> return new MyUserStorageProvider(entityManager, session, model);
>> }
>> // ...
>> }
>>
>> In src/main/resources/META-INF I've placed a file named
>> jboss-deployment-structure.xml:
>>
>> Although there's a dependency for org.postgresql I'm getting a
>> ClassNotFoundException when trying to authenticate:
>> WARN [org.keycloak.services] (default task-6) KC-SERVICES0013: Failed
>> authentication: org.hibernate.service.spi.ServiceException: Unable to
>> create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
>> ...
>> Caused by:
>> org.hibernate.boot.registry.classloading.spi.ClassLoadingException:
>> Unable to load class [org.postgresql.Driver]
>> ...
>> Caused by: java.lang.ClassNotFoundException: Could not load requested
>> class : org.postgresql.Driver
>>
>> PostgreSQL is deployed as module as described here:
>> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/database/jdbc.html
>

From akaplan at findyr.com Thu Mar 2 09:28:41 2017
From: akaplan at findyr.com (Adam Kaplan)
Date: Thu, 2 Mar 2017 09:28:41 -0500
Subject: [keycloak-user] Submitted Feature: More Secure PasswordHashProviders

This is now in the jboss JIRA: https://issues.jboss.org/browse/KEYCLOAK-4523

I intend to work on it over the next week or two and submit a PR.

On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira wrote:
> Hi Adam and John, I understand your concern. Although, collisions are not
> practical for key derivation functions. There's a long discussion about
> this subject here[1].
>
> Anyways, you can file a Jira as a feature request. If you feel like you
> would like to attach a PR, better.
>
> [1] - http://comments.gmane.org/gmane.comp.security.phc/973
>
> On Wed, Mar 1, 2017 at 3:33 PM John D. Ament wrote:
>
>> I deal with similarly concerned customer bases. I would be happy to see
>> some of these algorithms added. +1
>>
>> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan wrote:
>>
>> > My company has a client whose security prerequisites require us to store
>> > passwords using SHA-2 or better for the hash (SHA-512 ideal). We're looking
>> > to migrate our user management functions to Keycloak, and I noticed that
>> > hashing with SHA-1 is the only provider out of the box.
>> >
>> > I propose adding the following providers (and will be happy to
>> > contribute!), using the hash functions available in the Java 8 runtime
>> > environment:
>> >
>> > 1. PBKDF2WithHmacSHA224
>> > 2. PBKDF2WithHmacSHA256
>> > 3. PBKDF2WithHmacSHA384
>> > 4. PBKDF2WithHmacSHA512
>> >
>> > I also propose marking the current Pbkdf2PasswordHashProvider as
>> > deprecated, now that a real SHA-1 hash collision has been published by
>> > Google Security.
>> >
>> > --
>> > *Adam Kaplan*
>> > Senior Engineer
>> > findyr
>> > m 914.924.5186 | e akaplan at findyr.com
>> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>>

--
*Adam Kaplan*
Senior Engineer
findyr
m 914.924.5186 | e akaplan at findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036

From robert.discussions at gmail.com Thu Mar 2 10:36:22 2017
From: robert.discussions at gmail.com (Robert .)
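The PBKDF2 provider proposal discussed in the thread above (the "More Secure PasswordHashProviders" messages), as an added example that is not Keycloak's code: Python's hashlib stands in for Java's SecretKeyFactory, every stored record is tagged with the algorithm name so legacy PBKDF2WithHmacSHA1 hashes keep verifying, and a verified login re-hashes them with PBKDF2WithHmacSHA512. The record format, iteration count, salt and derived-key sizes are assumptions made for this example, not Keycloak's storage schema.

```python
"""Added example, not Keycloak code: algorithm-tagged PBKDF2 password records
with an upgrade path from HMAC-SHA1 to HMAC-SHA512 on the next successful login."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Map the Java 8 SecretKeyFactory names from the thread to hashlib digest names.
PRFS = {
    "PBKDF2WithHmacSHA1": "sha1",
    "PBKDF2WithHmacSHA224": "sha224",
    "PBKDF2WithHmacSHA256": "sha256",
    "PBKDF2WithHmacSHA384": "sha384",
    "PBKDF2WithHmacSHA512": "sha512",
}

# Constructed policy for this example: target algorithm, iteration count and
# derived-key length are assumptions, not Keycloak's defaults.
TARGET_ALGORITHM = "PBKDF2WithHmacSHA512"
TARGET_ITERATIONS = 27500
DERIVED_KEY_BYTES = 64   # 512-bit derived key
SALT_BYTES = 16


def derive(algorithm: str, password: str, salt: bytes, iterations: int,
           dklen: int = DERIVED_KEY_BYTES) -> bytes:
    """PBKDF2 with the HMAC PRF named by `algorithm`.

    As Bruno notes in the thread, PBKDF2 relies on HMAC being a good PRF, not
    on collision resistance, so the published SHA-1 collision does not by itself
    break existing PBKDF2WithHmacSHA1 hashes. Moving to SHA-2 here is about
    policy requirements (SHA-2 or better) and per-iteration cost.
    """
    return hashlib.pbkdf2_hmac(PRFS[algorithm], password.encode("utf-8"),
                               salt, iterations, dklen)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, algorithm: str = TARGET_ALGORITHM,
                  iterations: int = TARGET_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a constructed record "<algorithm>$<iterations>$<salt>$<hash>".

    Tagging each record with its algorithm is what lets several hash providers
    coexist while old credentials are still in the database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = derive(algorithm, password, salt, iterations)
    return "$".join([algorithm, str(iterations), _b64(salt), _b64(dk)])


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    algorithm, iterations, salt_b64, dk_b64 = record.split("$")
    if algorithm not in PRFS:
        raise ValueError("unknown hash algorithm: " + algorithm)
    return (algorithm, int(iterations),
            base64.b64decode(salt_b64), base64.b64decode(dk_b64))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own algorithm and iterations, then compare
    in constant time so a mismatch does not leak how many bytes matched."""
    algorithm, iterations, salt, stored = parse_record(record)
    candidate = derive(algorithm, password, salt, iterations, len(stored))
    return hmac.compare_digest(candidate, stored)


def needs_upgrade(record: str) -> bool:
    algorithm, iterations, _, _ = parse_record(record)
    return algorithm != TARGET_ALGORITHM or iterations < TARGET_ITERATIONS


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Login-time check returning (ok, new_record). new_record is set only when
    the password verified AND the stored record is weaker than the target
    policy; the caller persists it and the SHA-1 hash disappears without a
    forced password reset."""
    if not verify_password(password, record):
        return False, None
    if needs_upgrade(record):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    legacy = hash_password("correct horse", "PBKDF2WithHmacSHA1", 20000)
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print(ok, upgraded.split("$")[0] if upgraded else None)
```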
Date: Thu, 2 Mar 2017 16:36:22 +0100
Subject: [keycloak-user] kid and x5t jwt header

Hi,

We need a way to find the correct certificate without using a keycloak rest endpoint. One of the certificates comes from keycloak, but others do not. All of the certificates are stored at the REST service application. If there was a x5t header, we could find the correct certificate using the fingerprint.

On 1 March 2017 at 20:20, Thomas Darimont wrote:
> Hello Robert,
>
> yes, you can use the kid to identify the public key from the keys / or
> certs endpoints that can be used to verify the signature of the JWT token.
>
> "Certs Endpoint":
> http://localhost:8081/auth/realms/$REALM/protocol/openid-connect/certs
> This endpoint shows all keys without any authentication.
>
> "Keys Endpoint":
> http://localhost:8081/auth/admin/realms/$REALM/keys
> This is the internal admin REST resource which also provides access to the
> keys. Note that you need at least one realm role to access this endpoint.
>
> "Realm Endpoint":
> http://localhost:8081/auth/realms/$REALM
> This seems to only show the currently active public key.
>
> The following example shows 3 ways to retrieve the realm public key and
> verify a JWT token:
> https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde
>
> Cheers,
> Thomas
>
>
> 2017-03-01 16:42 GMT+01:00 Robert . :
>
>> Hi,
>> A (.net) application has stored multiple certificates. It wants to choose
>> the appropriate certificate to validate the signature in the received jwt.
>> Regarding this I have the following questions.
>>
>> What exactly is the key ID (kid) header in the jwt? Is it possible to use
>> this to find the right certificate.
>>
>> Is it possible to add a x.509 certificate thumbprint (x5t) header in the
>> jwt created by keycloak? Is there a feature request for this? Could I
>> implement this myself via some extension mechanism?
>> Or do I need to add it in the core source code and submit it to be
>> included in the keycloak product?
>>
>> Regards,
>> Robert
>>
>

From shmuein+keycloak-dev at gmail.com Thu Mar 2 10:41:58 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Thu, 2 Mar 2017 09:41:58 -0600
Subject: [keycloak-user] SAML Custom Attribute NameID

Hi,

Currently, KeyCloak doesn't support this feature. We ended up implementing a custom protocol mapper to support this feature. It is something like this.

    public class SAMLLoginResponseMapperExtension extends AbstractSAMLProtocolMapper implements SAMLLoginResponseMapper {
        ...................

        public ResponseType transformLoginResponse(ResponseType response, ProtocolMapperModel mappingModel,
                KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) {
            // if the attributeName is configured, read the value from the user model
            String attributeValue = null;
            String attributeName = mappingModel.getConfig().get(NAME_ID_USER_ATTRIBUTE);
            if (StringUtils.isNotBlank(attributeName)) {
                UserModel user = userSession.getUser();
                if (StringUtils.indexOfAny(attributeName, new String[] { "firstName", "lastName", "username" }) != -1) {
                    attributeValue = ProtocolMapperUtils.getUserModelValue(user, attributeName);
                } else {
                    attributeValue = KeycloakModelUtils.resolveFirstAttribute(user, attributeName);
                }
            }
            // overwrite the Subject NameID of every assertion with the resolved value
            for (RTChoiceType rtChoiceType : response.getAssertions()) {
                NameIDType nameIDType = (NameIDType) rtChoiceType.getAssertion().getSubject().getSubType().getBaseID();
                nameIDType.setValue(attributeValue);
            }
            return response;
        }
        ..................
    }

Regards,
Muein

On Wed, Mar 1, 2017 at 5:23 PM, Adam Keily wrote:
> Can anyone direct me on how to configure a custom attribute as the
> SubjectNameID for a SAML2 client?
> The format will be username but I want to
> use a custom attribute and not the username of the user.
>
> I've tried various mapping configurations but they just get sent as
> attributes alongside the subject nameid.
>
> Thanks
>

From quasiben at gmail.com Thu Mar 2 17:09:36 2017
From: quasiben at gmail.com (Benjamin Zaitlen)
Date: Thu, 2 Mar 2017 17:09:36 -0500
Subject: [keycloak-user] Client Deleting Bug?

Hi All,

I'm new to both keycloak and this mailing list. I may be doing something incorrect in my work flow but I think I found a bug around client deletion. I filed a bug here: https://issues.jboss.org/browse/KEYCLOAK-4525

The short of it is that when I delete a client with active sessions and offline_tokens I get `Internal Server Errors` when visiting: https://auth.anaconda.example.com:9080/auth/realms/MY_REALM/account/ and going to the session and/or application tabs generates: `Internal Server Errors`

I would've expected that when deleting the client, tokens and sessions would have automagically been cleaned up as well?

Anyways, if I am doing something wrong please let me know and I'll close the issue.

Thank you,
--Ben

Note: in the bug filed I posted logs from the server.

From adam.keily at adelaide.edu.au Thu Mar 2 17:16:23 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Thu, 2 Mar 2017 22:16:23 +0000
Subject: [keycloak-user] SAML Custom Attribute NameID

Thanks Muein. I'll investigate using the custom mapper as you describe. Much appreciated.

Adam

From: shmuein at gmail.com [mailto:shmuein at gmail.com] On Behalf Of Muein Muzamil
Sent: Friday, 3 March 2017 2:12 AM
To: Adam Keily
Cc: keycloak-user
Subject: Re: [keycloak-user] SAML Custom Attribute NameID

Hi,

Currently, KeyCloak doesn't support this feature.
We ended up implementing a custom protocol mapper to support this feature. It is something like this.

    public class SAMLLoginResponseMapperExtension extends AbstractSAMLProtocolMapper implements SAMLLoginResponseMapper {
        ...................

        public ResponseType transformLoginResponse(ResponseType response, ProtocolMapperModel mappingModel,
                KeycloakSession session, UserSessionModel userSession, ClientSessionModel clientSession) {
            // if the attributeName is configured, read the value from the user model
            String attributeValue = null;
            String attributeName = mappingModel.getConfig().get(NAME_ID_USER_ATTRIBUTE);
            if (StringUtils.isNotBlank(attributeName)) {
                UserModel user = userSession.getUser();
                if (StringUtils.indexOfAny(attributeName, new String[] { "firstName", "lastName", "username" }) != -1) {
                    attributeValue = ProtocolMapperUtils.getUserModelValue(user, attributeName);
                } else {
                    attributeValue = KeycloakModelUtils.resolveFirstAttribute(user, attributeName);
                }
            }
            // overwrite the Subject NameID of every assertion with the resolved value
            for (RTChoiceType rtChoiceType : response.getAssertions()) {
                NameIDType nameIDType = (NameIDType) rtChoiceType.getAssertion().getSubject().getSubType().getBaseID();
                nameIDType.setValue(attributeValue);
            }
            return response;
        }
        ..................
    }

Regards,
Muein

On Wed, Mar 1, 2017 at 5:23 PM, Adam Keily wrote:

Can anyone direct me on how to configure a custom attribute as the SubjectNameID for a SAML2 client? The format will be username but I want to use a custom attribute and not the username of the user.

I've tried various mapping configurations but they just get sent as attributes alongside the subject nameid.
Thanks

From campbellg at teds.com Thu Mar 2 17:45:57 2017
From: campbellg at teds.com (Glenn Campbell)
Date: Thu, 2 Mar 2017 17:45:57 -0500
Subject: [keycloak-user] problem setting up identity brokering from Keycloak to ADFS

What is the correct way to set up identity brokering from Keycloak to ADFS? I'm new to ADFS so I suspect I've configured something incorrectly there.

Here's what I've done so far:

1) Installed ADFS.
2) Opened ADFS Management.
3) Walked through the ADFS Configuration Wizard.
   At one point in the process it asked which certificate I wanted to use. I didn't have one so I went into IIS Manager and created a self-signed certificate. Then I came back to the ADFS Configuration Wizard and selected the newly created certificate.
   At the end of the process there was a list of configuration items that had been performed and they all had green checkmarks by them.
   Clicked Close.
4) At this point ADFS Management said I needed to configure a Trusted Relying Party so I went to Keycloak to start setting up that side of things.
5) Since the certificate used by ADFS is self-signed I exported it from IIS and imported it into the Wildfly jssecerts where Keycloak is running and restarted Wildfly/Keycloak.
6) Saved the ADFS FederationMetadata.xml via the url https://<server>/FederationMetadata/2007-06/FederationMetadata.xml
7) In Keycloak admin console, on the Identity Providers page I chose "Add provider" -> "SAML v2.0"
8) Entered an alias for the new IdP then in "Import from file -> Select File" I chose the FederationMetadata.xml that I acquired from the ADFS server.
9) Saved the IdP configuration.
10) Went to the Export tab of the newly created IdP and downloaded the xml config file.
11) At this point I went back to ADFS Management and followed the steps to create a Trusted Relying Party, choosing to import data about the relying party from the xml file exported from Keycloak.
12) For the rest of the Relying Party configuration I accepted the defaults.

When I go to the url for my application I'm redirected to the Keycloak login screen where I select the Identity Provider I configured. I get a security certificate warning since the certificate from the server is self-signed but I choose to continue despite the warning. Then I get an error page saying there was a problem accessing the site. I don't get the ADFS page where I would enter my login credentials.

I don't know if it matters but my application and Keycloak currently use http rather than https.

Any help would be greatly appreciated.

Thanks in advance,
Glenn

From hmlnarik at redhat.com Fri Mar 3 03:34:08 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 3 Mar 2017 09:34:08 +0100
Subject: [keycloak-user] problem setting up identity brokering from Keycloak to ADFS

Actually https matters: ADFS had been rejecting any SAML communication with keycloak for me until https was enabled. Also for ADFS, there is a special setting for the KeyInfo element that needs to be set to CERT_SUBJECT in the SAML Signature Key Name option of the SAML Identity Provider settings [1].

[1] https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-broker/saml.html

On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell wrote:
> What is the correct way to set up identity brokering from Keycloak to ADFS?
> I'm new to ADFS so I suspect I've configured something incorrectly there.
>
> Here's what I've done so far:
>
> 1) Installed ADFS.
> 2) Opened ADFS Management.
> 3) Walked through the ADFS Configuration Wizard.
> At one point in the process it asked which certificate I wanted to use. I
> didn't have one so I went into IIS Manager and created a self-signed
> certificate.
> Then I came back to the ADFS Configuration Wizard and selected
> the newly created certificate.
> At the end of the process there was a list of configuration items that had
> been performed and they all had green checkmarks by them.
> Clicked Close.
>
> 4) At this point ADFS Management said I needed to configure a Trusted
> Relying Party so I went to Keycloak to start setting up that side of things.
> 5) Since the certificate used by ADFS is self-signed I exported it from IIS
> and imported it into the Wildfly jssecerts where Keycloak is running and
> restarted Wildfly/Keycloak.
> 6) Saved the ADFS FederationMetadata.xml via the url
> https://<server>/FederationMetadata/2007-06/FederationMetadata.xml
> 7) In Keycloak admin console, on the Identity Providers page I chose "Add
> provider" -> "SAML v2.0"
> 8) Entered an alias for the new IdP then in "Import from file -> Select
> File" I chose the FederationMetadata.xml that I acquired from the ADFS
> server.
> 9) Saved the IdP configuration.
> 10) Went to the Export tab of the newly created IdP and downloaded the xml
> config file.
>
> 11) At this point I went back to ADFS Management and followed the steps to
> create a Trusted Relying Party, choosing to import data about the relying
> party from the xml file exported from Keycloak.
> 12) For the rest of the Relying Party configuration I accepted the defaults.
>
> When I go to the url for my application I'm redirected to the Keycloak
> login screen where I select the Identity Provider I configured. I get a
> security certificate warning since the certificate from the server is
> self-signed but I choose to continue despite the warning. Then I get an
> error page saying there was a problem accessing the site. I don't get the
> ADFS page where I would enter my login credentials.
>
> I don't know if it matters but my application and Keycloak currently use
> http rather than https.
>
> Any help would be greatly appreciated.
> Thanks in advance,
> Glenn

--
--Hynek

From avinash at avinash.com.np Fri Mar 3 04:28:14 2017
From: avinash at avinash.com.np (Avinash Kundaliya)
Date: Fri, 3 Mar 2017 15:13:14 +0545
Subject: [keycloak-user] client application updating user roles

I was thinking what is the best way for a client application to update the roles of a user. Is it possible to do it via the service account?

--
---
Avinash Kundaliya
avinash at avinash.com.np
http://avinash.com.np

From mposolda at redhat.com Fri Mar 3 09:08:59 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 3 Mar 2017 15:08:59 +0100
Subject: [keycloak-user] Client Deleting Bug?
Message-ID: <8b2cc834-d003-3935-a2d8-7edb105708fd@redhat.com>

You're not doing anything wrong. It is a bug. Thanks for reporting it.

Marek

On 02/03/17 23:09, Benjamin Zaitlen wrote:
> Hi All,
>
> I'm new to both keycloak and this mailing list. I may be doing something
> incorrect in my work flow but I think I found a bug around client
> deletion. I filed a bug here: https://issues.jboss.org/browse/KEYCLOAK-4525
>
> The short of it is that when I delete a client with active sessions and
> offline_tokens I get `Internal Server Errors` when visiting:
> https://auth.anaconda.example.com:9080/auth/realms/MY_REALM/account/ and
> going to the session and/or application tabs generates: `Internal Server
> Errors`
>
> I would've expected that when deleting the client tokens and sessions would
> have automagically been cleaned up as well?
>
> Anyways, if I am doing something wrong please let me know and I'll close
> the issue.
>
> Thank you,
> --Ben
>
> Note: in the bug filed I posted logs from the server.
>

From mposolda at redhat.com Fri Mar 3 09:11:56 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 3 Mar 2017 15:11:56 +0100
Subject: [keycloak-user] client application updating user roles
Message-ID: <6665ce29-9b7d-e463-e79f-3b96933752e0@redhat.com>

Use our admin REST API. If your application is Java based, then use our admin client. It has the possibility to authenticate as a user or service account; both should work. Just note that your user or service account must have appropriate permissions to edit users.

Marek

On 03/03/17 10:28, Avinash Kundaliya wrote:
> I was thinking what is the best way for a client application to update the
> roles of a user.
> is it possible to do it via the service account ?
>

From quasiben at gmail.com Fri Mar 3 09:20:11 2017
From: quasiben at gmail.com (Benjamin Zaitlen)
Date: Fri, 3 Mar 2017 09:20:11 -0500
Subject: [keycloak-user] Client Deleting Bug?
In-Reply-To: <8b2cc834-d003-3935-a2d8-7edb105708fd@redhat.com>
References: <8b2cc834-d003-3935-a2d8-7edb105708fd@redhat.com>

Hi Marek,

Thanks for confirming! Is there an estimate for when 3.0.0 will be released?

--Ben

On Fri, Mar 3, 2017 at 9:08 AM, Marek Posolda wrote:
> You're not doing anything wrong. It is a bug. Thanks for reporting it.
>
> Marek
>
>
> On 02/03/17 23:09, Benjamin Zaitlen wrote:
>
>> Hi All,
>>
>> I'm new to both keycloak and this mailing list. I may be doing something
>> incorrect in my work flow but I think I found a bug around client
>> deletion.
>> I filed a bug here: https://issues.jboss.org/browse/KEYCLOAK-4525
>>
>> The short of it is that when I delete a client with active sessions and
>> offline_tokens I get `Internal Server Errors` when visiting:
>> https://auth.anaconda.example.com:9080/auth/realms/MY_REALM/account/ and
>> going to the session and/or application tabs generates: `Internal Server
>> Errors`
>>
>> I would've expected that when deleting the client tokens and sessions
>> would have automagically been cleaned up as well?
>>
>> Anyways, if I am doing something wrong please let me know and I'll close
>> the issue.
>>
>> Thank you,
>> --Ben
>>
>> Note: in the bug filed I posted logs from the server.
>>
>
>

From nowis1337 at gmail.com Fri Mar 3 10:13:42 2017
From: nowis1337 at gmail.com (nowis1337 at gmail.com)
Date: Fri, 3 Mar 2017 16:13:42 +0100
Subject: [keycloak-user] Custom SAML request parameters

Hello,

I've got a custom authentication flow (based on the Authentication SPI) which uses an additional OIDC parameter - login_hint - passed in the request (as described in Parameters Forwarding in the Keycloak docs). It's working great, but I also want to connect some clients to the same realm using the SAML protocol. The problem is it will be using the same authentication flow and I want to retrieve the same information as passed in the login_hint parameter in requests from the OIDC client.

The question is: does Keycloak provide for something like custom parameters added to SAML endpoints? If not, what is the best way I could achieve that and get that information from the client request in my authentication flow?
Kind regards, Bartosz From stephane.granger at gmail.com Fri Mar 3 10:30:54 2017 From: stephane.granger at gmail.com (Stephane Granger) Date: Fri, 3 Mar 2017 10:30:54 -0500 Subject: [keycloak-user] Admin web site not working with Safari browser on OS X since 2.5.4 Message-ID: Not sure if it's a Safari bug or a Keycloak problem, but since I updated to 2.5.4 I can't use Safari any more. The web site displays, but it's as if there is a thread that refreshes the page every 10 seconds, making it unusable. This behaviour was observed on 2 computers. MacOS version 10.12.3 Safari 10.0.3 From gerbermichi at me.com Fri Mar 3 10:53:32 2017 From: gerbermichi at me.com (Michael Gerber) Date: Fri, 03 Mar 2017 16:53:32 +0100 Subject: [keycloak-user] Keycloak WildFly Swarm Server Message-ID: <006B8836-18A2-4DCC-90D5-D2070EFF7325@me.com> Hi all, I would like to use Keycloak as a microservice SSO solution on OpenShift. The Red Hat SSO uses way too much CPU and RAM; therefore, I would like to use the WildFly Swarm Server instead. Is there any way to set an admin user during the first initialization? Otherwise, I am going to import a realm with a pre-defined user. Thanks, Michael From pablomoneylesh at gmail.com Fri Mar 3 11:09:34 2017 From: pablomoneylesh at gmail.com (Pavel Bezdienezhnykh) Date: Fri, 3 Mar 2017 17:09:34 +0100 Subject: [keycloak-user] Custom Authenticator development Message-ID: Hi All. I am trying to develop a custom authentication module for the Keycloak server. According to the requirements I need to validate not only the login/password but one more attribute, siteId, which indicates the country domain of the application. I implemented a factory and SiteIdAuthenticator extends UsernamePasswordForm. In my action method I check all the needed credentials and, if they're OK, I create a new user account (or, if the user already exists, just fetch its account and add it to the AuthenticationFlowContext): validateUserAndPassword(AuthenticationFlowContext context, MultivaluedMap inputData) { ...
    UserModel userById = context.getSession().userLocalStorage().getUserById(userId, context.getRealm());
    if (userById == null) {
        // no local account yet: create one and attach it to the flow
        logger.info("add new user:" + userId);
        UserModel userModel = context.getSession().userLocalStorage().addUser(context.getRealm(), userId, userName, true, false);
        context.setUser(userModel);
    } else {
        // account already exists: reuse it
        logger.info("user exists:" + userId);
        context.setUser(userById);
    }
    ...
}
My question is: do I really have to add a new user account to user storage? Because in Keycloak version 2.5.1 there is a possibility of non-importing user federation. So maybe it is somehow possible to implement a custom Authenticator without creating a new user account in Keycloak's storage? Thanks in advance, Pavel From mposolda at redhat.com Fri Mar 3 11:34:56 2017 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 3 Mar 2017 17:34:56 +0100 Subject: [keycloak-user] Client Deleting Bug? In-Reply-To: References: <8b2cc834-d003-3935-a2d8-7edb105708fd@redhat.com> Message-ID: <035c0b44-3431-1868-3092-449de7b7ad1a@redhat.com> Maybe somewhen in March. No promise :) Marek On 03/03/17 15:20, Benjamin Zaitlen wrote: > HI Marek, > > Thanks for confirming! Is there an estimate for when 3.0.0 will be > released ? > > --Ben > > On Fri, Mar 3, 2017 at 9:08 AM, Marek Posolda > wrote: > > You're not doing anything wrong. It is a bug. Thanks for reporting it. > > Marek > > > On 02/03/17 23:09, Benjamin Zaitlen wrote: > > Hi All, > > I'm new to both keycloak and this mailing list. I may be > doing something > incorrect in my work flow but I think I found a bug around client > deletion.
I filed a bug here: > https://issues.jboss.org/browse/KEYCLOAK-4525 > > > The short of it is that when I delete a client with active > sessions and > offline_tokens I get `Internal Server Errors` when visiting: > https://auth.anaconda.example.com:9080/auth/realms/MY_REALM/account/ > > and > going to the session and/or application tabs generates: > `Internal Server > Errors` > > I would've expected that when deleting the client tokens and > sessions would > have automagically been cleaned up as well? > > Anyways, if I am doing something wrong please let me know and > I'll close > the issue. > > Thank you, > --Ben > > Note: in the bug filed I posted logs from the server. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From mposolda at redhat.com Fri Mar 3 11:36:28 2017 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 3 Mar 2017 17:36:28 +0100 Subject: [keycloak-user] Client Deleting Bug? In-Reply-To: <035c0b44-3431-1868-3092-449de7b7ad1a@redhat.com> References: <8b2cc834-d003-3935-a2d8-7edb105708fd@redhat.com> <035c0b44-3431-1868-3092-449de7b7ad1a@redhat.com> Message-ID: Also no promise we will fix that in 3.0.0.CR1 as there are bunch of other tasks.. Feel free to send PR. Marek On 03/03/17 17:34, Marek Posolda wrote: > Maybe somewhen in March. No promise :) > > Marek > > On 03/03/17 15:20, Benjamin Zaitlen wrote: >> HI Marek, >> >> Thanks for confirming! Is there an estimate for when 3.0.0 will be >> released ? >> >> --Ben >> >> On Fri, Mar 3, 2017 at 9:08 AM, Marek Posolda > > wrote: >> >> You're not doing anything wrong. It is a bug. Thanks for >> reporting it. >> >> Marek >> >> >> On 02/03/17 23:09, Benjamin Zaitlen wrote: >> >> Hi All, >> >> I'm new to both keycloak and this mailing list. I may be >> doing something >> incorrect in my work flow but I think i found a bug around cilent >> deletion. 
I filed a bug here: >> https://issues.jboss.org/browse/KEYCLOAK-4525 >> >> >> The short of it is that when I delete a client with active >> sessions and >> offline_tokens I get `Internal Server Errors` when visiting: >> https://auth.anaconda.example.com:9080/auth/realms/MY_REALM/account/ >> >> and >> going to the session and/or application tabs generates: >> `Internal Server >> Errors` >> >> I would've expected that when deleting the client tokens and >> sessions would >> have automagically been cleaned up as well? >> >> Anyways, if I am doing something wrong please let me know and >> I'll close >> the issue. >> >> Thank you, >> --Ben >> >> Note: in the bug filed I posted logs from the server. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> > From quasiben at gmail.com Fri Mar 3 11:39:30 2017 From: quasiben at gmail.com (Benjamin Zaitlen) Date: Fri, 3 Mar 2017 11:39:30 -0500 Subject: [keycloak-user] Client Deleting Bug? In-Reply-To: References: <8b2cc834-d003-3935-a2d8-7edb105708fd@redhat.com> <035c0b44-3431-1868-3092-449de7b7ad1a@redhat.com> Message-ID: Of course :) On Fri, Mar 3, 2017 at 11:36 AM, Marek Posolda wrote: > Also no promise we will fix that in 3.0.0.CR1 as there are bunch of other > tasks.. Feel free to send PR. > > Marek > > > On 03/03/17 17:34, Marek Posolda wrote: > > Maybe somewhen in March. No promise :) > > Marek > > On 03/03/17 15:20, Benjamin Zaitlen wrote: > > HI Marek, > > Thanks for confirming! Is there an estimate for when 3.0.0 will be > released ? > > --Ben > > On Fri, Mar 3, 2017 at 9:08 AM, Marek Posolda wrote: > >> You're not doing anything wrong. It is a bug. Thanks for reporting it. >> >> Marek >> >> >> On 02/03/17 23:09, Benjamin Zaitlen wrote: >> >>> Hi All, >>> >>> I'm new to both keycloak and this mailing list. 
I may be doing something >>> incorrect in my work flow but I think I found a bug around client >>> deletion. I filed a bug here: https://issues.jboss.org/browse/KEYCLOAK-4525 >>> >>> The short of it is that when I delete a client with active sessions and >>> offline_tokens I get `Internal Server Errors` when visiting: >>> https://auth.anaconda.example.com:9080/auth/realms/MY_REALM/account/ and >>> going to the session and/or application tabs generates: `Internal Server >>> Errors` >>> >>> I would've expected that when deleting the client tokens and sessions >>> would >>> have automagically been cleaned up as well? >>> >>> Anyways, if I am doing something wrong please let me know and I'll close >>> the issue. >>> >>> Thank you, >>> --Ben >>> >>> Note: in the bug filed I posted logs from the server. >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> > > > From skm.8896 at gmail.com Fri Mar 3 13:04:10 2017 From: skm.8896 at gmail.com (Saransh Kumar) Date: Fri, 3 Mar 2017 23:34:10 +0530 Subject: [keycloak-user] Authenticate a REST API with keycloak in express node js without using adapters Message-ID: Hello all, I have a REST API in express node js. I want to secure it with keycloak bearer auth only. So, a keycloak token would be received in the Authorization header of the GET request to the REST API. I have to verify the token with keycloak without using any adapters. Please help me out in the process. Thanks in advance Saransh From sblanc at redhat.com Fri Mar 3 13:36:21 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 3 Mar 2017 19:36:21 +0100 Subject: [keycloak-user] Authenticate a REST API with keycloak in express node js without using adapters In-Reply-To: References: Message-ID: On Fri, Mar 3, 2017 at 7:04 PM, Saransh Kumar wrote: > Hello all, > > I have a REST API in express node js.
> I want to secure it with keycloak bearer auth only. > So, a keycloak token would be recieved in the Authorization header of the > GET request to the REST API. > I have to verify the token with keycloak *without using any adapters.* > Please help me out in the process. > Are you not allowed to add any extra packages ? Just lookup the source code of the nodejs kc adapter and paste it into your app ;) > > > Thanks in advance > Saransh > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From campbellg at teds.com Fri Mar 3 15:49:09 2017 From: campbellg at teds.com (Glenn Campbell) Date: Fri, 3 Mar 2017 15:49:09 -0500 Subject: [keycloak-user] problem setting up identity brokering from Keycloak to ADFS In-Reply-To: References: Message-ID: Thank you for your suggestions. Making those changes seems to have solved that problem. I don't think I would have ever figured that out on my own. Now I'm on to the next problem. When I enter the login credentials on the SAML IdP login page I get an error in Keycloak and the log file has a "Could not process response from SAML identity provider" error message with a root cause of "No assertion from response". Do you have any suggestions on what I need to do to fix this problem? On Fri, Mar 3, 2017 at 3:34 AM, Hynek Mlnarik wrote: > Actually https matters, ADFS had been rejecting any SAML communication > with keycloak for me until https was enabled. Also for ADFS, there is > a special settings for KeyInfo element that needs to be set to > CERT_SUBJECT in SAML Signature Key Name option of SAML Identity > Provider settings [1]. > > [1] https://keycloak.gitbooks.io/documentation/server_admin/ > topics/identity-broker/saml.html > > On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell > wrote: > > What is the correct way to set up identity brokering from Keycloak to > ADFS? 
> > I'm new to ADFS so I suspect I've configured something incorrectly there. > > > > Here's what I've done so far: > > > > 1) Installed ADFS. > > 2) Opened ADFS Management. > > 3) Walked through the ADFS Configuration Wizard. > > At one point in the process it asked which certificate I wanted to use. I > > didn't have one so I went into IIS Manager and created a self-signed > > certificate. Then I came back to the ADFS Configuration Wizard and > selected > > the newly created certificate. > > At the end of the process there was a list of configuration items that > had > > been performed and they all had green checkmarks by them. > > Clicked Close. > > > > 4) At this point ADFS Management said I needed to configure a Trusted > > Relying Party so I went to Keycloak to start setting up that side of > things. > > 5) Since the certificate used by ADFS is self-signed I exported it from > IIS > > and imported it into the Wildfly jssecerts where Keycloak is running and > > restarted Wildfly/Keycloak. > > 6) Saved the ADFS FederationMetadata.xml via the url https:// > server>/FederationMetadata/2007-06/FederationMetadata.xml > > 7) In Keycloak admin console, on the Identity Providers page I chose "Add > > provider" -> "SAML v2.0" > > 8) Entered an alias for the new IdP then in "Import from file -> Select > > File" I chose the FederationMetadata.xml that I acquired from the ADFS > > server. > > 9) Saved the IdP configuration. > > 10) Went to the Export tab of the newly created IdP and downloaded the > xml > > config file. > > > > 11) At this point I went back to ADFS Management and followed the steps > to > > create a Trusted Relying Party, choosing to import data about the relying > > party from the xml file exported from Keycloak. > > 12) For the rest of the Relying Party configuration I accepted the > defaults. > > > > When I go to the url for my application I'm redirected to the Keycloak > > login screen where I select the Identity Provider I configured.
I get a > > security certificate warning since the certificate from the server is > > self-signed but I choose to continue despite the warning. Then I get an > > error page saying there was a problem accessing the site. I don't get the > > ADFS page where I would enter my login credentials. > > > > I don't know if it matters but my application and Keycloak currently use > > http rather than https. > > > > Any help would be greatly appreciated. > > Thanks in advance, > > Glenn > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > > --Hynek > From sblanc at redhat.com Fri Mar 3 16:47:53 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 03 Mar 2017 21:47:53 +0000 Subject: [keycloak-user] Authenticate a REST API with keycloak in express node js without using adapters In-Reply-To: References: Message-ID: Well, the adapter works with bearer-only; what is the error that you are getting? On Fri, 3 Mar 2017 at 21:26, Saransh Kumar wrote: > Hi Sebastien, > > Actually, the node js kc adapter is not working with bearer auth only. > So, I need to verify the access token myself with keycloak in node js > without using the node js adapter or any other adapters. > Please help me out in this way. > > Thanks in advance. > Saransh > > On Sat, Mar 4, 2017 at 12:06 AM, Sebastien Blanc > wrote: > > > > On Fri, Mar 3, 2017 at 7:04 PM, Saransh Kumar wrote: > > Hello all, > > I have a REST API in express node js. > I want to secure it with keycloak bearer auth only. > So, a keycloak token would be received in the Authorization header of the > GET request to the REST API. > I have to verify the token with keycloak without using any adapters. > Please help me out in the process. > > Are you not allowed to add any extra packages ?
Just lookup the source > code of the nodejs kc adapter and paste it into your app ;) > > > > Thanks in advance > Saransh > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From bruno at abstractj.org Fri Mar 3 18:11:15 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 03 Mar 2017 23:11:15 +0000 Subject: [keycloak-user] Authenticate a REST API with keycloak in express node js without using adapters In-Reply-To: References: Message-ID: Last time I checked, the adapter works with bearer only. If you provide the steps to reproduce, version of keycloak server, adapter version and the error. That would help ;) On Fri, Mar 3, 2017, 8:05 PM Sebastien Blanc wrote: > Well the adapter works with bearer only , what is the error that you are > getting ? > Le ven. 3 mars 2017 ? 21:26, Saransh Kumar a ?crit : > > > Hii Sebastien, > > > > Actually, the node js kc adapter is not working with bearer auth only. > > So, I need to verify the access token myself with keycloak in node js > > without using node js adapter or any other adapters. > > Please help me out in this way. > > > > Thanks in advance. > > Saransh > > > > On Sat, Mar 4, 2017 at 12:06 AM, Sebastien Blanc > > wrote: > > > > > > > > On Fri, Mar 3, 2017 at 7:04 PM, Saransh Kumar > wrote: > > > > Hello all, > > > > I have a REST API in express node js. > > I want to secure it with keycloak bearer auth only. > > So, a keycloak token would be recieved in the Authorization header of the > > GET request to the REST API. > > I have to verify the token with keycloak *without using any adapters.* > > Please help me out in the process. > > > > Are you not allowed to add any extra packages ? 
Just look up the source > > code of the nodejs kc adapter and paste it into your app ;) > > > > > > Thanks in advance > > Saransh > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From macmike at gmail.com Fri Mar 3 20:14:24 2017 From: macmike at gmail.com (Michael Olshansky) Date: Fri, 3 Mar 2017 17:14:24 -0800 Subject: [keycloak-user] KeyCloak access tokens not being cached Message-ID: I have set up a keycloak cluster and generate tokens via /auth/realms/master/protocol/openid-connect/token. The problem is that an access token can only be used to perform subsequent requests on the SAME SERVER that issued the token. Attempts to make a request (e.g., /auth/admin/realms/master) on another server in the cluster result in a response of "Bearer" and an error in that server's log. Shouldn't the access tokens be available across the cluster? As a side note, the refresh tokens DO appear to be cached, so caching does appear to be working on some level. As a second question: What data is stored in the session and authentication caches? How does this relate to the access and refresh tokens? From ryan at brodkinca.com Fri Mar 3 22:22:16 2017 From: ryan at brodkinca.com (Ryan Brodkin) Date: Sat, 04 Mar 2017 03:22:16 +0000 Subject: [keycloak-user] Empty Group Membership Message-ID: Hey guys, I have a new install of Keycloak federated to OpenDJ that is working 98% as expected, but I have one major issue: I can't see the groups on the user in Keycloak. TRUTHS... On LDAP I can see the members in the groups. On LDAP I can query isMemberOf to retrieve the members of a group. This data is all correctly federated to and from Keycloak.
In Keycloak I can see the members in a group. BUT the "Group Membership" section for each user is empty. Has anyone seen this before? If so, how did you overcome this problem? -- Brodkin CyberArts http://brodkinca.com | 310.220.0590 DESIGN. DEVELOPMENT. CONSULTING. Information contained in this email or any attachment may be of a confidential nature which should not be disclosed to, copied or used by anyone other than the addressee. If you receive this email in error, please delete the email from your computer. Do not post anything in this email to any online forum without express permission of the sender. No pixels were harmed in the making of this disclaimer. From shane.boulden at gmail.com Sat Mar 4 01:03:29 2017 From: shane.boulden at gmail.com (Shane Boulden) Date: Sat, 4 Mar 2017 17:03:29 +1100 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: Message-ID: Is Discourse an option? https://www.discourse.org/ On Wed, Mar 1, 2017 at 1:43 AM, Sebastien Blanc wrote: > One really annoying point that I just encountered is the "reputation" > points system. Answering a question doesn't require reputation but if you > want to comment on a answer you must at least have 50 points of reputation, > this is pretty frustrating. > > On Fri, Feb 24, 2017 at 1:04 PM, Stian Thorgersen > wrote: > > > We're considering dropping the Keycloak user mailing list and moving to > > Stack Overflow instead. > > > > Thoughts? 
> > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From skm.8896 at gmail.com Sat Mar 4 02:07:30 2017 From: skm.8896 at gmail.com (Saransh Kumar) Date: Sat, 4 Mar 2017 12:37:30 +0530 Subject: [keycloak-user] Authenticate a REST API with keycloak in express node js without using adapters In-Reply-To: References: Message-ID: Hello Sebastien, Bruno Thanks for replying. :) Keycloak server: 2.5.1 keycloak-connect: 2.5.3 (node js adapter) Rest API on express node js which is to be secured:-
var express = require('express');
var router = express.Router();
var app = express();
var Keycloak = require('keycloak-connect');
// no config passed: the adapter loads keycloak.json from the working directory
var keycloak = new Keycloak();

app.use(keycloak.middleware({
    logout: '/logout',
    admin: '/'
}));

// bearer-only protection: the adapter checks the Authorization header on each request
router.get('/users', keycloak.protect(), function (req, res, next) {
    res.send('Reached here');
});

// mount the router and listen on the port the front end calls (not shown in the original snippet)
app.use('/', router);
app.listen(3000);
The response is: Error 403 Forbidden. Note: I have also included the package.json in the root folder. Thanks in advance On Sat, Mar 4, 2017 at 4:41 AM, Bruno Oliveira wrote: > Last time I checked, the adapter works with bearer only. If you provide > the steps to reproduce, version of keycloak server, adapter version and the > error. That would help ;) > > On Fri, Mar 3, 2017, 8:05 PM Sebastien Blanc wrote: > >> Well the adapter works with bearer only , what is the error that you are >> getting ? >> On Fri, 3 Mar 2017 at 21:26, Saransh Kumar wrote: >> >> > Hi Sebastien, >> > >> > Actually, the node js kc adapter is not working with bearer auth only. >> > So, I need to verify the access token myself with keycloak in node js >> > without using the node js adapter or any other adapters. >> > Please help me out in this way. >> > >> > Thanks in advance.
>> > Saransh >> > >> > On Sat, Mar 4, 2017 at 12:06 AM, Sebastien Blanc >> > wrote: >> > >> > >> > >> > On Fri, Mar 3, 2017 at 7:04 PM, Saransh Kumar >> wrote: >> > >> > Hello all, >> > >> > I have a REST API in express node js. >> > I want to secure it with keycloak bearer auth only. >> > So, a keycloak token would be recieved in the Authorization header of >> the >> > GET request to the REST API. >> > I have to verify the token with keycloak *without using any adapters.* >> > Please help me out in the process. >> > >> > Are you not allowed to add any extra packages ? Just lookup the source >> > code of the nodejs kc adapter and paste it into your app ;) >> > >> > >> > >> > Thanks in advance >> > Saransh >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> > >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From sblanc at redhat.com Sat Mar 4 02:16:56 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Sat, 4 Mar 2017 08:16:56 +0100 Subject: [keycloak-user] Authenticate a REST API with keycloak in express node js without using adapters In-Reply-To: References: Message-ID: Can you also show us your keycloak.json and show how you pass from the frontend the token to the nodejs service ? On Sat, Mar 4, 2017 at 8:07 AM, Saransh Kumar wrote: > Hello Sebastien, Bruno > > > Thanks for replying. 
:) > > Keycloak server: 2.5.1 > keycloak-connect: 2.5.3 (node js adapter) > > Rest API on express node js which is to be secured:- > > var express = require('express');var router = express.Router();var app = express();var Keycloak = require('keycloak-connect');var keycloak =new Keycloak(); > > app.use( keycloak.middleware( { > logout: '/logout', > admin: '/',} )); > > router.get('/users',keycloak.protect(),function(req, res, next) { > > res.send('Reached here'); > > }); > > > The response is : Error 403 Forbidden. > > Note: I have also included the package.json in the root folder. > > > Thanks in advance > > > On Sat, Mar 4, 2017 at 4:41 AM, Bruno Oliveira > wrote: > >> Last time I checked, the adapter works with bearer only. If you provide >> the steps to reproduce, version of keycloak server, adapter version and the >> error. That would help ;) >> >> On Fri, Mar 3, 2017, 8:05 PM Sebastien Blanc wrote: >> >>> Well the adapter works with bearer only , what is the error that you are >>> getting ? >>> Le ven. 3 mars 2017 ? 21:26, Saransh Kumar a ?crit >>> : >>> >>> > Hii Sebastien, >>> > >>> > Actually, the node js kc adapter is not working with bearer auth only. >>> > So, I need to verify the access token myself with keycloak in node js >>> > without using node js adapter or any other adapters. >>> > Please help me out in this way. >>> > >>> > Thanks in advance. >>> > Saransh >>> > >>> > On Sat, Mar 4, 2017 at 12:06 AM, Sebastien Blanc >>> > wrote: >>> > >>> > >>> > >>> > On Fri, Mar 3, 2017 at 7:04 PM, Saransh Kumar >>> wrote: >>> > >>> > Hello all, >>> > >>> > I have a REST API in express node js. >>> > I want to secure it with keycloak bearer auth only. >>> > So, a keycloak token would be recieved in the Authorization header of >>> the >>> > GET request to the REST API. >>> > I have to verify the token with keycloak *without using any adapters.* >>> > Please help me out in the process. >>> > >>> > Are you not allowed to add any extra packages ? 
Just look up the source >>> > code of the nodejs kc adapter and paste it into your app ;) >>> > >>> > >>> > >>> > Thanks in advance >>> > Saransh >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > >>> > >>> > >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > From skm.8896 at gmail.com Sat Mar 4 02:57:34 2017 From: skm.8896 at gmail.com (Saransh Kumar) Date: Sat, 4 Mar 2017 13:27:34 +0530 Subject: [keycloak-user] Authenticate a REST API with keycloak in express node js without using adapters In-Reply-To: References: Message-ID: Hello all, Front end:
// keycloak is the keycloak.js browser adapter instance, initialised elsewhere
function loadData() {
    var url = 'http://localhost:3000/users';
    var req = new XMLHttpRequest();
    req.open('GET', url, true);
    req.setRequestHeader('Accept', 'application/json');
    // pass the access token obtained by the browser adapter as a bearer token
    req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);

    req.onreadystatechange = function () {
        if (req.readyState == 4) {
            if (req.status == 200) {
                console.log('Success');
            } else if (req.status == 403) {
                console.log('Forbidden');
            }
        }
    };

    req.send();
}
And I have downloaded keycloak.json from the Installation tab in the Clients section of the keycloak admin console. At present I don't have that keycloak.json file to show you. Regards Saransh On Sat, Mar 4, 2017 at 12:46 PM, Sebastien Blanc wrote: > Can you also show us your keycloak.json and show how you pass from the > frontend the token to the nodejs service ? > > > On Sat, Mar 4, 2017 at 8:07 AM, Saransh Kumar wrote: > >> Hello Sebastien, Bruno >> >> >> Thanks for replying.
:) >> >> Keycloak server: 2.5.1 >> keycloak-connect: 2.5.3 (node js adapter) >> >> Rest API on express node js which is to be secured:- >> >> var express = require('express');var router = express.Router();var app = express();var Keycloak = require('keycloak-connect');var keycloak =new Keycloak(); >> >> app.use( keycloak.middleware( { >> logout: '/logout', >> admin: '/',} )); >> >> router.get('/users',keycloak.protect(),function(req, res, next) { >> >> res.send('Reached here'); >> >> }); >> >> >> The response is : Error 403 Forbidden. >> >> Note: I have also included the package.json in the root folder. >> >> >> Thanks in advance >> >> >> On Sat, Mar 4, 2017 at 4:41 AM, Bruno Oliveira >> wrote: >> >>> Last time I checked, the adapter works with bearer only. If you provide >>> the steps to reproduce, version of keycloak server, adapter version and the >>> error. That would help ;) >>> >>> On Fri, Mar 3, 2017, 8:05 PM Sebastien Blanc wrote: >>> >>>> Well the adapter works with bearer only , what is the error that you are >>>> getting ? >>>> Le ven. 3 mars 2017 ? 21:26, Saransh Kumar a >>>> ?crit : >>>> >>>> > Hii Sebastien, >>>> > >>>> > Actually, the node js kc adapter is not working with bearer auth only. >>>> > So, I need to verify the access token myself with keycloak in node js >>>> > without using node js adapter or any other adapters. >>>> > Please help me out in this way. >>>> > >>>> > Thanks in advance. >>>> > Saransh >>>> > >>>> > On Sat, Mar 4, 2017 at 12:06 AM, Sebastien Blanc >>>> > wrote: >>>> > >>>> > >>>> > >>>> > On Fri, Mar 3, 2017 at 7:04 PM, Saransh Kumar >>>> wrote: >>>> > >>>> > Hello all, >>>> > >>>> > I have a REST API in express node js. >>>> > I want to secure it with keycloak bearer auth only. >>>> > So, a keycloak token would be recieved in the Authorization header of >>>> the >>>> > GET request to the REST API. >>>> > I have to verify the token with keycloak *without using any adapters.* >>>> > Please help me out in the process. 
>>>> > >>>> > Are you not allowed to add any extra packages ? Just lookup the source >>>> > code of the nodejs kc adapter and paste it into your app ;) >>>> > >>>> > >>>> > >>>> > Thanks in advance >>>> > Saransh >>>> > _______________________________________________ >>>> > keycloak-user mailing list >>>> > keycloak-user at lists.jboss.org >>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > >>>> > >>>> > >>>> > >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >> > From ryan at brodkinca.com Sat Mar 4 04:02:47 2017 From: ryan at brodkinca.com (Ryan Brodkin) Date: Sat, 04 Mar 2017 09:02:47 +0000 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: Message-ID: I know you guys already use JIRA... Is Confluence an option? They have a built-in Q&A module that can be used for community support. On Fri, Mar 3, 2017 at 10:04 PM Shane Boulden wrote: > Is Discourse an option? > > https://www.discourse.org/ > > On Wed, Mar 1, 2017 at 1:43 AM, Sebastien Blanc wrote: > > > One really annoying point that I just encountered is the "reputation" > > points system. Answering a question doesn't require reputation but if you > > want to comment on a answer you must at least have 50 points of > reputation, > > this is pretty frustrating. > > > > On Fri, Feb 24, 2017 at 1:04 PM, Stian Thorgersen > > wrote: > > > > > We're considering dropping the Keycloak user mailing list and moving to > > > Stack Overflow instead. > > > > > > Thoughts? 
> > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Brodkin CyberArts http://brodkinca.com | 310.220.0590 DESIGN. DEVELOPMENT. CONSULTING. From ushanas at gmail.com Sun Mar 5 09:19:02 2017 From: ushanas at gmail.com (Ushanas Shastri) Date: Sun, 5 Mar 2017 19:49:02 +0530 Subject: [keycloak-user] Session Hijacking Message-ID: Hello, One of the applications we have protected using KeyCloak 2.2.1 Final is undergoing a security test; one of the issues reported is Session Hijacking. A quick internet search leads to KeyCloak issue 3692 related to Session Hijacking, but I cannot view this, so I can't find out if this was an issue that has been fixed in subsequent versions. Can someone confirm if this is the case? If not, what measures can be taken for prevention of session hijacking? Regards, Ushanas.
From bruno at abstractj.org Sun Mar 5 11:28:26 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Sun, 05 Mar 2017 16:28:26 +0000 Subject: [keycloak-user] Session Hijacking In-Reply-To: References: Message-ID: Yes, it was fixed since 2.3.0.CR1 On Sun, Mar 5, 2017, 11:31 AM Ushanas Shastri wrote: > Hello, > > One of the applications we have protected using KeyCloak 2.2.1 Final is > undergoing a security test, One of the issues reported is Session > Hijacking. > > A quick internet search leads to KeyCloak issue 3692 related to Session > Hijacking, but I cannot view this, so cant find out if this was an issue > that has been fixed in subsequent versions. > > Can someone confirm if this is the case? If not, what measures can be taken > for prevention of session hijacking? > > Regards, Ushanas. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ansarihaseb at gmail.com Sun Mar 5 12:28:22 2017 From: ansarihaseb at gmail.com (Haseb Ansari) Date: Sun, 05 Mar 2017 17:28:22 +0000 Subject: [keycloak-user] How to add Custom static HTML files to Keycloak server unlike Theme templates (.ftl)? Message-ID: Hello Keycloakers, I have gone through the documentation of customizing themes in Keycloak and it is very well documented. But as of my use case I want to customize or rather add a new HTML file to '/themes/base/admin/resources/partials/' directory. I don't know what would be the procedure of doing so and would request for any documentation list or so. Thanking You!!!! 
Kind Regards,
Haseb

From skm.8896 at gmail.com Mon Mar 6 02:08:39 2017
From: skm.8896 at gmail.com (Saransh Kumar)
Date: Mon, 6 Mar 2017 12:38:39 +0530
Subject: [keycloak-user] Authenticate a REST API with keycloak in express node js without using adapters
In-Reply-To:
References:
Message-ID:

Hi,

Here is the package.json file you needed to check:

    {
      "realm": "myRealm",
      "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiJdI7R5quMER/p6Sou1/Z4Liw0+LvLZmQt5ytOhfpEe0OP7RXx+7yHa9wGsJvhWu8o8/b5CZsRCLmLxuvX0S1yI7+Lum6VfYSIyWX+mk2pUvZBz+N9SzJx1oMwGJnMG8lKNKi6BP1hNmm3DdtjH5FI5xeWE4GleJFitYsKMlXytXLB3DXaLNaeUfuvanh7oYcCSkywyc1kYGrmrHxUsV94kh5qLdMLZRhWiuI0q2X51uGl4ikzijL8yUp1RPDCHAjjgVbl82RTPHQcD37pwcMARnCL5qCzw8rcuGd9Bt5q5+H72BVir+T3ozEnGPCvgbvYMLcCow3M6j5A+zWDSA2wIDAQAB",
      "bearer-only": true,
      "auth-server-url": "https://liveiam.myApp.cloud/auth",
      "ssl-required": "external",
      "resource": "csnr-api"
    }

Now, please help me.

Thanks in advance.
Saransh

On Sat, Mar 4, 2017 at 1:27 PM, Saransh Kumar wrote:
> Hello all,
>
> *Front end*
>
>     function loadData() {
>       var url = 'http://localhost:3000/users';
>       var req = new XMLHttpRequest();
>       req.open('GET', url, true);
>       req.setRequestHeader('Accept', 'application/json');
>       // keycloak.token is the access token obtained by the keycloak.js adapter
>       req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);
>
>       req.onreadystatechange = function () {
>         if (req.readyState == 4) {
>           if (req.status == 200) {
>             console.log('Success');
>           } else if (req.status == 403) {
>             console.log('Forbidden');
>           }
>         }
>       };
>
>       req.send();
>     }
>
> And I have downloaded keycloak.json from the Installation tab in Clients section from the keycloak admin console.
> At present I don't have that keycloak.json file to show you.
>
> Regards
> Saransh
>
> On Sat, Mar 4, 2017 at 12:46 PM, Sebastien Blanc wrote:
>
>> Can you also show us your keycloak.json and show how you pass from the
>> frontend the token to the nodejs service ?
>>
>> On Sat, Mar 4, 2017 at 8:07 AM, Saransh Kumar wrote:
>>
>>> Hello Sebastien, Bruno
>>>
>>> Thanks for replying. :)
>>>
>>> Keycloak server: 2.5.1
>>> keycloak-connect: 2.5.3 (node js adapter)
>>>
>>> Rest API on express node js which is to be secured:
>>>
>>>     var express = require('express');
>>>     var router = express.Router();
>>>     var app = express();
>>>     var Keycloak = require('keycloak-connect');
>>>     var keycloak = new Keycloak();   // expects keycloak.json in the working directory
>>>
>>>     app.use(keycloak.middleware({
>>>       logout: '/logout',
>>>       admin: '/',
>>>     }));
>>>
>>>     router.get('/users', keycloak.protect(), function (req, res, next) {
>>>       res.send('Reached here');
>>>     });
>>>
>>>     app.use(router);    // mount the router so /users is actually served
>>>     app.listen(3000);   // the front end calls http://localhost:3000/users
>>>
>>> The response is: Error 403 Forbidden.
>>>
>>> Note: I have also included the package.json in the root folder.
>>>
>>> Thanks in advance
>>>
>>> On Sat, Mar 4, 2017 at 4:41 AM, Bruno Oliveira wrote:
>>>
>>>> Last time I checked, the adapter works with bearer only. If you provide
>>>> the steps to reproduce, version of keycloak server, adapter version and the
>>>> error. That would help ;)
>>>>
>>>> On Fri, Mar 3, 2017, 8:05 PM Sebastien Blanc wrote:
>>>>
>>>>> Well the adapter works with bearer only, what is the error that you
>>>>> are getting?
>>>>> On Fri, 3 Mar 2017 at 21:26, Saransh Kumar wrote:
>>>>>
>>>>> > Hi Sebastien,
>>>>> >
>>>>> > Actually, the node js kc adapter is not working with bearer auth only.
>>>>> > So, I need to verify the access token myself with keycloak in node js
>>>>> > without using node js adapter or any other adapters.
>>>>> > Please help me out in this way.
>>>>> >
>>>>> > Thanks in advance.
>>>>> > Saransh
>>>>> >
>>>>> > On Sat, Mar 4, 2017 at 12:06 AM, Sebastien Blanc wrote:
>>>>> >
>>>>> > On Fri, Mar 3, 2017 at 7:04 PM, Saransh Kumar wrote:
>>>>> >
>>>>> > Hello all,
>>>>> >
>>>>> > I have a REST API in express node js.
>>>>> > I want to secure it with keycloak bearer auth only.
>>>>> > So, a keycloak token would be received in the Authorization header of the
>>>>> > GET request to the REST API.
>>>>> > I have to verify the token with keycloak *without using any adapters.*
>>>>> > Please help me out in the process.
>>>>> >
>>>>> > Are you not allowed to add any extra packages ? Just lookup the source
>>>>> > code of the nodejs kc adapter and paste it into your app ;)
>>>>> >
>>>>> > Thanks in advance
>>>>> > Saransh
>>>>> > _______________________________________________
>>>>> > keycloak-user mailing list
>>>>> > keycloak-user at lists.jboss.org
>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> >
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
>

From rodel.talampas at helixleisure.com Mon Mar 6 04:21:39 2017
From: rodel.talampas at helixleisure.com (Rodel Talampas)
Date: Mon, 6 Mar 2017 09:21:39 +0000
Subject: [keycloak-user] Update Email Settings for Realms
Message-ID:

Hi,

I have this piece of code to update the Realms' Email Settings coming from master. It seems correct but it doesn't update the above. What am I doing wrong?
    import org.keycloak.models.KeycloakSession;
    import org.keycloak.models.RealmModel;
    import org.keycloak.models.utils.ModelToRepresentation;
    import org.keycloak.models.utils.RepresentationToModel;
    import org.keycloak.representations.idm.RealmRepresentation;

    // 'session' is the KeycloakSession field of the enclosing provider
    @Override
    public void updateEmailFromMaster(String realmName) {
        RealmModel masterRealm = session.realms().getRealmByName("master");
        RealmModel realm = session.realms().getRealmByName(realmName);
        // copy the SMTP settings; this already changes the realm within the current transaction
        realm.setSmtpConfig(masterRealm.getSmtpConfig());
        // round trip through a representation (redundant after setSmtpConfig above)
        RealmRepresentation rep = ModelToRepresentation.toRepresentation(realm, false);
        RepresentationToModel.updateRealm(rep, realm, session);
    }

Thanks and regards,
Rodel

From Vincent.Sluijter at crv4all.com Mon Mar 6 05:37:41 2017
From: Vincent.Sluijter at crv4all.com (Vincent Sluijter)
Date: Mon, 6 Mar 2017 10:37:41 +0000
Subject: [keycloak-user] Keycloak reset password, password manager browsers and this is not a login form
References:
Message-ID: <1488796658.22808.42.camel@crv4all.com>

Hello,

When we use the user password reset form of Keycloak in version 1.9.5 (currently in our system) and version 2.5.4 (latest), the password manager of the browser tries to update to the latest password change. The problem is that it tries to store "this is not a login form" as the credentials instead of the user's changed password.

Is this intended behavior? Or is this a bug in the latest browsers?

The problem is that our users have updated their password and stored their account with the credentials "this is not a login form". Because of this they get an error while trying to login with auto-filled credentials.

Any suggestion on how to fix this problem?

Tested and reproduced in Firefox (51.0.1) and Google Chrome (56.0.2924.87)

Included are two screenshots of the problem.

Kind regards,
Bram Arts

This message is subject to the following E-mail Disclaimer. (http://www.crv4all.com/disclaimer-email/) CRV Holding B.V. seats according to the articles of association in Arnhem, Dutch trade number 09125050.
From sthorger at redhat.com Mon Mar 6 06:22:18 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 6 Mar 2017 12:22:18 +0100 Subject: [keycloak-user] Licensing on Keycloak Documentation Repo In-Reply-To: References: Message-ID: https://issues.jboss.org/browse/KEYCLOAK-4530 We need to pick a license though On 24 February 2017 at 13:39, Bruno Oliveira wrote: > Could you please file a Jira to track this issue? > > On Fri, Feb 24, 2017 at 9:24 AM John D. Ament > wrote: > > > Hi > > > > I was wondering, I'm assuming that the repo was recently split, can a > > license file be added to it? > > > > https://github.com/keycloak/keycloak-documentation > > > > Right now its ambiguous, I'm assuming its either inheriting the parent > > Apache license or you're using some CC license. > > > > John > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Mar 6 06:23:52 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 6 Mar 2017 12:23:52 +0100 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: Message-ID: The core contributors on Keycloak simply can't afford to monitor two separate places. So it's going to be one or the other. On 24 February 2017 at 14:49, John D. Ament wrote: > The difference is that its every question. In addition to SO, would we > also look at SF for the infrastructure/deployment side? What about having > questions on security.stackexchange since this is a very security oriented > project? > > To be honest, my dislike for it is not the "let's use stackoverflow" its > the "let's drop the mailing lists" part. > > Anyways, I just posted a question on SO. 
I'll look to see if it gets > answered ;-) > > John > > > On Fri, Feb 24, 2017 at 7:39 AM Stian Thorgersen > wrote: > >> Isn't the mailing list also a noisy mess of questions? I've never used >> Stack Overflow much myself except when it pops up in Google searches. To me >> it feels like a mailing list, but with the additional extra of being >> searchable, votes, you can easily link to answers on it and quite important >> if there's a duplicate question you can just point to the previous answered >> question. >> >> On 24 February 2017 at 13:24, John D. Ament >> wrote: >> >> Oh? Then my opinion, SO is a noisy mess of questions. I used to use it >> regularly, not so much lately. I think you would lose value IMHO moving to >> only SO. >> >> John >> >> On Fri, Feb 24, 2017 at 7:21 AM Stian Thorgersen >> wrote: >> >> I think it's reasonable easy to move the volume. We'll just stop >> responding to the user mailing list and direct folks to SO. >> >> I primarily looking for feedback on mailing list vs Stack Overflow at >> this point though. >> >> On 24 February 2017 at 13:15, John D. Ament >> wrote: >> >> Just took a quick look at the SO traffic for keycloak. >> >> It seems like the ML is higher volume than SO. You may want to start by >> adding links to SO tags from keycloak.org and see if it picks up. >> >> My 0.02. >> >> On Fri, Feb 24, 2017 at 7:05 AM Stian Thorgersen >> wrote: >> >> We're considering dropping the Keycloak user mailing list and moving to >> Stack Overflow instead. >> >> Thoughts? >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> From sthorger at redhat.com Mon Mar 6 06:37:36 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 6 Mar 2017 12:37:36 +0100 Subject: [keycloak-user] Submitted Feature: More Secure PassowrdHashProviders In-Reply-To: References: Message-ID: 4 new providers is surely a bit overkill? 
Isn't 256 and 512 more than sufficient? On 2 March 2017 at 15:28, Adam Kaplan wrote: > This is now in the jboss JIRA: https://issues.jboss.org/ > browse/KEYCLOAK-4523 > > I intend to work on it over the next week or two and submit a PR. > > On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira > wrote: > > > Hi Adam and John, I understand your concern. Although, collisions are not > > practical for key derivation functions. There's a long discussion about > > this subject here[1]. > > > > Anyways, you can file a Jira as a feature request. If you feel like you > > would like to attach a PR, better. > > > > [1] - http://comments.gmane.org/gmane.comp.security.phc/973 > > > > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament > > wrote: > > > >> I deal with similarly concerned customer bases. I would be happy to see > >> some of these algorithms added. +1 > >> > >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan wrote: > >> > >> > My company has a client whose security prerequisites require us to > store > >> > passwords using SHA-2 or better for the hash (SHA-512 ideal). We're > >> looking > >> > to migrate our user management functions to Keycloak, and I noticed > that > >> > hashing with SHA-1 is only provider out of the box. > >> > > >> > I propose adding the following providers (and will be happy to > >> > contribute!), using the hash functions available in the Java 8 runtime > >> > environment: > >> > > >> > 1. PBKDF2WithHmacSHA224 > >> > 2. PBKDF2WithHmacSHA256 > >> > 3. PBKDF2WithHmacSHA384 > >> > 4. PBKDF2WithHmacSHA512 > >> > > >> > I also propose marking the current Pbkdf2PasswordHashProvider as > >> > deprecated, now that a real SHA-1 hash collision has been published by > >> > Google Security. 
> >> > > >> > -- > >> > *Adam Kaplan* > >> > Senior Engineer > >> > findyr > >> > m 914.924.5186 <(914)%20924-5186> <(914)%20924-5186> >> <(914)%20924-5186> <(914)%20924-5186>> | e > >> > akaplan at findyr.com > >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036 > >> > _______________________________________________ > >> > keycloak-user mailing list > >> > keycloak-user at lists.jboss.org > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > -- > *Adam Kaplan* > Senior Engineer > findyr > m 914.924.5186 | e akaplan at findyr.com > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Mar 6 06:38:34 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 6 Mar 2017 12:38:34 +0100 Subject: [keycloak-user] Keycloak WildFly Swarm Server In-Reply-To: <006B8836-18A2-4DCC-90D5-D2070EFF7325@me.com> References: <006B8836-18A2-4DCC-90D5-D2070EFF7325@me.com> Message-ID: You'd have to ask on the WildFly Swarm forums or mailing list. On 3 March 2017 at 16:53, Michael Gerber wrote: > Hi all, > > I would like to use Keycloak as a microservice SSO solution on OpenShift. > > The Red Hat SSO uses way to much CPU and RAM, therefore, I would like to > use the WildFly Swarm Server instead. > > Is there any way to set an admin user during the first initialization? > > Otherwise, I am going to import a realm with a pre defined user. 
> > Thanks, > Michael > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From john.d.ament at gmail.com Mon Mar 6 06:46:06 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Mon, 06 Mar 2017 11:46:06 +0000 Subject: [keycloak-user] Licensing on Keycloak Documentation Repo In-Reply-To: References: Message-ID: Sorry, I had raised https://issues.jboss.org/browse/KEYCLOAK-4506 Basically, this blocks me proposing some doc fixes to you, which I want to do. On Mon, Mar 6, 2017 at 6:22 AM Stian Thorgersen wrote: > https://issues.jboss.org/browse/KEYCLOAK-4530 > > We need to pick a license though > > On 24 February 2017 at 13:39, Bruno Oliveira wrote: > > Could you please file a Jira to track this issue? > > On Fri, Feb 24, 2017 at 9:24 AM John D. Ament > wrote: > > > Hi > > > > I was wondering, I'm assuming that the repo was recently split, can a > > license file be added to it? > > > > https://github.com/keycloak/keycloak-documentation > > > > Right now its ambiguous, I'm assuming its either inheriting the parent > > Apache license or you're using some CC license. > > > > John > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From bruno at abstractj.org Mon Mar 6 07:08:15 2017 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 06 Mar 2017 12:08:15 +0000 Subject: [keycloak-user] Submitted Feature: More Secure PassowrdHashProviders In-Reply-To: References: Message-ID: On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen wrote: > 4 new providers is surely a bit overkill? Isn't 256 and 512 more than > sufficient? 
> +1 > > On 2 March 2017 at 15:28, Adam Kaplan wrote: > > This is now in the jboss JIRA: > https://issues.jboss.org/browse/KEYCLOAK-4523 > > I intend to work on it over the next week or two and submit a PR. > > On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira > wrote: > > > Hi Adam and John, I understand your concern. Although, collisions are not > > practical for key derivation functions. There's a long discussion about > > this subject here[1]. > > > > Anyways, you can file a Jira as a feature request. If you feel like you > > would like to attach a PR, better. > > > > [1] - http://comments.gmane.org/gmane.comp.security.phc/973 > > > > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament > > wrote: > > > >> I deal with similarly concerned customer bases. I would be happy to see > >> some of these algorithms added. +1 > >> > >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan wrote: > >> > >> > My company has a client whose security prerequisites require us to > store > >> > passwords using SHA-2 or better for the hash (SHA-512 ideal). We're > >> looking > >> > to migrate our user management functions to Keycloak, and I noticed > that > >> > hashing with SHA-1 is only provider out of the box. > >> > > >> > I propose adding the following providers (and will be happy to > >> > contribute!), using the hash functions available in the Java 8 runtime > >> > environment: > >> > > >> > 1. PBKDF2WithHmacSHA224 > >> > 2. PBKDF2WithHmacSHA256 > >> > 3. PBKDF2WithHmacSHA384 > >> > 4. PBKDF2WithHmacSHA512 > >> > > >> > I also propose marking the current Pbkdf2PasswordHashProvider as > >> > deprecated, now that a real SHA-1 hash collision has been published by > >> > Google Security. 
> >> > > >> > -- > >> > *Adam Kaplan* > >> > Senior Engineer > >> > findyr > > >> > m 914.924.5186 <(914)%20924-5186> <(914)%20924-5186> >> <(914)%20924-5186> <(914)%20924-5186>> | e > > > >> > akaplan at findyr.com > >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036 > >> > _______________________________________________ > >> > keycloak-user mailing list > >> > keycloak-user at lists.jboss.org > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > > -- > > > *Adam Kaplan* > Senior Engineer > findyr > > m 914.924.5186 | e akaplan at findyr.com > > > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From stuarta at squashedfrog.net Mon Mar 6 08:01:48 2017 From: stuarta at squashedfrog.net (Stuart Auchterlonie) Date: Mon, 6 Mar 2017 13:01:48 +0000 Subject: [keycloak-user] Stack Overflow In-Reply-To: References: Message-ID: <7dd277c0-d595-302d-7b96-e88b0e7db785@squashedfrog.net> On 24/02/17 12:04, Stian Thorgersen wrote: > We're considering dropping the Keycloak user mailing list and moving to > Stack Overflow instead. > > Thoughts? I rarely find anything on Stack Overflow that is of any use, i've normally made it at least as far, if not further than most of the threads I can find on there. Personally i find it annoying and hate it. I much prefer mailing lists, as it's easy to follow what issues people are encountering. 
Regards
Stuart

From sagarahire at arvindinternet.com Mon Mar 6 08:05:25 2017
From: sagarahire at arvindinternet.com (Sagar Ahire)
Date: Mon, 6 Mar 2017 18:35:25 +0530
Subject: [keycloak-user] [HELP] Unable To Deploy Authenticator-Requirement-Action-Example
In-Reply-To:
References:
Message-ID:

Thanks, I wanted to try this on version 2.4.0 only. It worked for me by adding the module as a provider in standalone.xml and using jboss-cli to add the module.

regards,
-Sagar

On Tue, Feb 21, 2017 at 2:55 PM, Bruno Oliveira wrote:
> Why don't you try the latest Keycloak? At first glance it seems some
> environment misconfiguration, but I'd try with the latest released version.
> What do you see at the server logs? Which version of Wildfly? But first,
> please try to upgrade.
>
> On Tue, Feb 7, 2017 at 11:23 AM Sagar Ahire wrote:
>
>> Hello,
>>
>> In Keycloak 2.4.0 I tried to deploy authenticator requirement action
>> example (keycloak-2.4.0.Final/examples/providers/authenticator) using the
>> following command:
>> $ mvn clean install wildfly:deploy
>>
>> Getting:
>> [ERROR] Failed to execute goal
>> org.wildfly.plugins:wildfly-maven-plugin:1.0.1.Final:deploy (default-cli)
>> on project authenticator-required-action-example: Deployment failed and
>> was rolled back. -> [Help 1]
>>
>> -PFA for server log.
>>
>> I also tried to copy authentication-requirement-action-example.jar into
>> standalone/deployment/providers directory but it didn't work.
>>
>> Can someone please help with this?
>>
>> regards,
>> -Sagar
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From john.d.ament at gmail.com Mon Mar 6 08:47:12 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 06 Mar 2017 13:47:12 +0000
Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active
Message-ID:

Hi,

I have a use case where I need to reauthenticate a client, even if their session is active. I can use the Keycloak javascript adapter on the client side, if needed, and was wondering if this is something built in? I was also expecting to leverage either the OIDC or SAML adapter on the server side. Can that work, regardless of server side adapter?

John

From sagarahire at arvindinternet.com Mon Mar 6 08:48:41 2017
From: sagarahire at arvindinternet.com (Sagar Ahire)
Date: Mon, 6 Mar 2017 19:18:41 +0530
Subject: [keycloak-user] Unable To Use Refresh Token
Message-ID:

Hello,

I've deployed keycloak 2.4.0 in a kubernetes environment. While refreshing the access token I'm getting the following response:
{'error': 'invalid_grant', 'error_description': 'Client session not active'}.

Here is what I did:

Step 1: First, I generated three access tokens and refresh tokens (rf1,rf2,rf3), then I used these refresh tokens to refresh the access tokens. I got the access tokens successfully for all three requests. (Successful scenario)

Step 2: I restarted some of the pods from the keycloak cluster and tried to refresh the access tokens using the same refresh tokens (rf1,rf2,rf3) again. Using rf1 I could refresh the access token, but using rf2 and rf3 I got the response mentioned above ('client session not active'). I made sure rf2 and rf3 are not expired.

I'm unable to use a refresh token even though it is not expired. I suspect the session created on one pod is not properly shared between all the members of the cluster and I'm losing the session if one of my pods is restarted or goes down.

Can someone please suggest any solution for this? Any help would be greatly appreciated.
regards,
-Sagar

From azenk at umn.edu Mon Mar 6 09:01:47 2017
From: azenk at umn.edu (Andrew Zenk)
Date: Mon, 6 Mar 2017 08:01:47 -0600
Subject: [keycloak-user] Unable To Use Refresh Token
In-Reply-To:
References:
Message-ID:

Have you increased the owner count for the various caches to something greater than 1?

On Mar 6, 2017 7:56 AM, "Sagar Ahire" wrote:
> Hello,
>
> I've deployed keycloak 2.4.0 in a kubernetes environment. While refreshing
> the access token I'm getting the following response:
> {'error': 'invalid_grant', 'error_description': 'Client session not active'}.
>
> Here is what I did:
> Step 1: First, I generated three access tokens and refresh tokens
> (rf1,rf2,rf3), then I used these refresh tokens to refresh the access
> tokens. I got the access tokens successfully for all three requests.
> (Successful scenario)
>
> Step 2: I restarted some of the pods from the keycloak cluster and tried to
> refresh the access tokens using the same refresh tokens (rf1,rf2,rf3) again.
> Using rf1 I could refresh the access token, but using rf2 and rf3 I got the
> response mentioned above ('client session not active'). I made sure rf2 and
> rf3 are not expired.
>
> I'm unable to use a refresh token even though it is not expired. I suspect
> the session created on one pod is not properly shared between all the members
> of the cluster and I'm losing the session if one of my pods is restarted or
> goes down.
>
> Can someone please suggest any solution for this? Any help would be greatly
> appreciated.
>
> regards,
> -Sagar
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jeftenunes at hotmail.com Mon Mar 6 09:04:03 2017
From: jeftenunes at hotmail.com (Jéfte Santos)
Date: Mon, 6 Mar 2017 14:04:03 +0000
Subject: [keycloak-user] Admin REST API to List users which are related to a given role.
Message-ID:

Hello!

I'm trying to get all users related to a given role by iterating over all users and requesting their role-mappings, which may cause performance problems in the future. Is there a way to request the users related to a given role using only the admin REST API?

From jdennis at redhat.com Mon Mar 6 09:05:48 2017
From: jdennis at redhat.com (John Dennis)
Date: Mon, 6 Mar 2017 09:05:48 -0500
Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active
In-Reply-To:
References:
Message-ID:

On 03/06/2017 08:47 AM, John D. Ament wrote:
> Hi,
>
> I have a use case where I need to reauthenticate a client, even if their
> session is active. I can use the Keycloak javascript adapter on the client
> side, if needed, and was wondering if this is something built in? I was
> also expecting to leverage either the OIDC or SAML adapter on the server
> side. Can that work, regardless of server side adapter?

In SAML you set ForceAuthn=True in the AuthnRequest.

--
John

From john.d.ament at gmail.com Mon Mar 6 09:14:39 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 06 Mar 2017 14:14:39 +0000
Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active
In-Reply-To:
References:
Message-ID:

On Mon, Mar 6, 2017 at 9:12 AM John Dennis wrote:
> On 03/06/2017 08:47 AM, John D. Ament wrote:
> > Hi,
> >
> > I have a use case where I need to reauthenticate a client, even if their
> > session is active. I can use the Keycloak javascript adapter on the client
> > side, if needed, and was wondering if this is something built in? I was
> > also expecting to leverage either the OIDC or SAML adapter on the server
> > side. Can that work, regardless of server side adapter?
>
> In SAML you set ForceAuthn=True in the AuthnRequest.
>

This is not SAML specific.
> > -- > John > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Mar 6 09:33:51 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 6 Mar 2017 15:33:51 +0100 Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active In-Reply-To: References: Message-ID: OIDC has prompt=login and max_age params for it. Pretty sure we don't support either at the moment though. On 6 March 2017 at 15:14, John D. Ament wrote: > On Mon, Mar 6, 2017 at 9:12 AM John Dennis wrote: > > > On 03/06/2017 08:47 AM, John D. Ament wrote: > > > Hi, > > > > > > I have a use case where I need to reauthenticate a client, even if > their > > > session is active. I can use the Keycloak javascript adapter on the > > client > > > side, if needed, and was wondering if this is something built in? I > was > > > also expecting to leverage either the OIDC or SAML adapter on the > server > > > side. Can that work, regardless or server side adapter? > > > > In SAML you set ForceAuthn=True in the AuthnRequest. > > > > > This is not SAML specific. > > > > > > -- > > John > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Mon Mar 6 09:41:38 2017 From: bburke at redhat.com (Bill Burke) Date: Mon, 6 Mar 2017 09:41:38 -0500 Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active In-Reply-To: References: Message-ID: <25e2fa13-a783-1cff-c2ea-3e22c38197e9@redhat.com> We support prompt=login. 
On 3/6/17 9:33 AM, Stian Thorgersen wrote: > OIDC has prompt=login and max_age params for it. Pretty sure we don't > support either at the moment though. > > On 6 March 2017 at 15:14, John D. Ament wrote: > >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis wrote: >> >>> On 03/06/2017 08:47 AM, John D. Ament wrote: >>>> Hi, >>>> >>>> I have a use case where I need to reauthenticate a client, even if >> their >>>> session is active. I can use the Keycloak javascript adapter on the >>> client >>>> side, if needed, and was wondering if this is something built in? I >> was >>>> also expecting to leverage either the OIDC or SAML adapter on the >> server >>>> side. Can that work, regardless or server side adapter? >>> In SAML you set ForceAuthn=True in the AuthnRequest. >>> >>> >> This is not SAML specific. >> >> >>> -- >>> John >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Mon Mar 6 09:55:15 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 6 Mar 2017 15:55:15 +0100 Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active In-Reply-To: <25e2fa13-a783-1cff-c2ea-3e22c38197e9@redhat.com> References: <25e2fa13-a783-1cff-c2ea-3e22c38197e9@redhat.com> Message-ID: As we have prompt=login (I also spotted auth_time in the token) it would be really easy to add max_age that would actually be more useful than prompt=login IMO. On 6 March 2017 at 15:41, Bill Burke wrote: > We support prompt=login. 
> > > On 3/6/17 9:33 AM, Stian Thorgersen wrote: > > OIDC has prompt=login and max_age params for it. Pretty sure we don't > > support either at the moment though. > > > > On 6 March 2017 at 15:14, John D. Ament wrote: > > > >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis wrote: > >> > >>> On 03/06/2017 08:47 AM, John D. Ament wrote: > >>>> Hi, > >>>> > >>>> I have a use case where I need to reauthenticate a client, even if > >> their > >>>> session is active. I can use the Keycloak javascript adapter on the > >>> client > >>>> side, if needed, and was wondering if this is something built in? I > >> was > >>>> also expecting to leverage either the OIDC or SAML adapter on the > >> server > >>>> side. Can that work, regardless or server side adapter? > >>> In SAML you set ForceAuthn=True in the AuthnRequest. > >>> > >>> > >> This is not SAML specific. > >> > >> > >>> -- > >>> John > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Mon Mar 6 10:04:35 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 6 Mar 2017 12:04:35 -0300 Subject: [keycloak-user] Authorization: Javascript policy In-Reply-To: References: Message-ID: Hi Ori, We are using Nashorn as script engine. So you should be able to java.net.URL to query remote endpoints. 
However, the types available from a JS policy are only those defined by the dependencies here: ${KEYCLOAK_SERVER_DIR}/modules/system/layers/keycloak/org/keycloak/keycloak-server-subsystem/main/server-war/WEB-INF/jboss-deployment-structure.xml. Probably something we can improve in order to provide a better way to define custom dependencies for JS policies.

On Mon, Feb 27, 2017 at 1:00 PM, Ori Doolman wrote:
> Hi,
> How rich can the Javascript policy be?
> Is it limited to only a specific interface ($evaluation), or can I use any Javascript package/code I want?
> Specifically, I need to have a mapping table between a token claim (user attribute) and a list of IDs.
> Can I query another server using an HTTP request within the policy code?
> Or can I query the user database from the policy code?
> Or can I pre-load the mapping table into PDP memory and query it from the policy code?
>
> Thanks,
> Ori.
>
> This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp

From psilva at redhat.com Mon Mar 6 10:06:15 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 6 Mar 2017 12:06:15 -0300
Subject: [keycloak-user] Anonymous access to scoped resources
In-Reply-To: <1488199926055-2929.post@n6.nabble.com>
References: <1488199926055-2929.post@n6.nabble.com>
Message-ID:

Hi,

Isn't it an option to change your security-constraint settings in web.xml and avoid having the adapter intercept requests to public resources?

On Mon, Feb 27, 2017 at 9:52 AM, ebondu wrote:
> Hi all,
>
> I am using Keycloak filters to secure a Spring REST API and I need to provide anonymous access to a subset of resources having a given scope (like 'urn:scope:read:public').
> To me, anonymous means an unauthenticated user without an access token.
> I defined a dedicated security chain to bypass the authentication filter, but the authorization filter is expecting an access token to grant requests, so I can't use it.
>
> Do I need to implement my own filter based only on the protection API to retrieve and check scopes of requested resources, or is there a better way to grant access to resources for anonymous users?
>
> Thanks.
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/Anonymous-access-to-scoped-resources-tp2929.html
> Sent from the keycloak-user mailing list archive at Nabble.com.

From john.d.ament at gmail.com Mon Mar 6 10:09:29 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Mon, 06 Mar 2017 15:09:29 +0000
Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active
In-Reply-To:
References: <25e2fa13-a783-1cff-c2ea-3e22c38197e9@redhat.com>
Message-ID:

At least for my use case, the max_age is moot. It's not by session, but by

And just to be clear - if I'm sending an OIDC request from my client to keycloak, and the realm is based on SAML, and that realm is ForceAuthn enabled, then it would reprompt in the IDP (if that's how everything's configured)

I'm assuming at that point, I would send a Bearer header and parse on the backend with a JAX-RS adapter?

On Mon, Mar 6, 2017 at 10:04 AM Stian Thorgersen wrote:
> As we have prompt=login (I also spotted auth_time in the token) it would be really easy to add max_age that would actually be more useful than prompt=login IMO.
>
> On 6 March 2017 at 15:41, Bill Burke wrote:
> > We support prompt=login.
> >
> > On 3/6/17 9:33 AM, Stian Thorgersen wrote:
> > > OIDC has prompt=login and max_age params for it.
Pretty sure we don't > > > support either at the moment though. > > > > > > On 6 March 2017 at 15:14, John D. Ament > wrote: > > > > > >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis > wrote: > > >> > > >>> On 03/06/2017 08:47 AM, John D. Ament wrote: > > >>>> Hi, > > >>>> > > >>>> I have a use case where I need to reauthenticate a client, even if > > >> their > > >>>> session is active. I can use the Keycloak javascript adapter on the > > >>> client > > >>>> side, if needed, and was wondering if this is something built in? I > > >> was > > >>>> also expecting to leverage either the OIDC or SAML adapter on the > > >> server > > >>>> side. Can that work, regardless or server side adapter? > > >>> In SAML you set ForceAuthn=True in the AuthnRequest. > > >>> > > >>> > > >> This is not SAML specific. > > >> > > >> > > >>> -- > > >>> John > > >>> _______________________________________________ > > >>> keycloak-user mailing list > > >>> keycloak-user at lists.jboss.org > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Mon Mar 6 10:11:49 2017 From: bburke at redhat.com (Bill Burke) Date: Mon, 6 Mar 2017 10:11:49 -0500 Subject: [keycloak-user] Forcing reauthentication from a client, even when 
session is active In-Reply-To: References: <25e2fa13-a783-1cff-c2ea-3e22c38197e9@redhat.com> Message-ID: prompt=login is just as useful. It allows applications to require re-authentication in order to perform a specific action in the app. On 3/6/17 9:55 AM, Stian Thorgersen wrote: > As we have prompt=login (I also spotted auth_time in the token) it > would be really easy to add max_age that would actually be more useful > than prompt=login IMO. > > On 6 March 2017 at 15:41, Bill Burke > wrote: > > We support prompt=login. > > > On 3/6/17 9:33 AM, Stian Thorgersen wrote: > > OIDC has prompt=login and max_age params for it. Pretty sure we > don't > > support either at the moment though. > > > > On 6 March 2017 at 15:14, John D. Ament > wrote: > > > >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis > wrote: > >> > >>> On 03/06/2017 08:47 AM, John D. Ament wrote: > >>>> Hi, > >>>> > >>>> I have a use case where I need to reauthenticate a client, > even if > >> their > >>>> session is active. I can use the Keycloak javascript adapter > on the > >>> client > >>>> side, if needed, and was wondering if this is something built > in? I > >> was > >>>> also expecting to leverage either the OIDC or SAML adapter on the > >> server > >>>> side. Can that work, regardless or server side adapter? > >>> In SAML you set ForceAuthn=True in the AuthnRequest. > >>> > >>> > >> This is not SAML specific. 
> >> > >> > >>> -- > >>> John > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From bburke at redhat.com Mon Mar 6 10:18:10 2017 From: bburke at redhat.com (Bill Burke) Date: Mon, 6 Mar 2017 10:18:10 -0500 Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active In-Reply-To: References: <25e2fa13-a783-1cff-c2ea-3e22c38197e9@redhat.com> Message-ID: Don't know what you're talking about John.... A realm isn't SAML or OIDC based. The protocol is the choice of each individual client application. Keycloak allows a mix of SAML and OIDC client applications in the same SSO login session. In a brokering situation a child IDP acts as a client to the parent IDP and must use one of the protocols that the parent IDP supports. On 3/6/17 10:09 AM, John D. Ament wrote: > At least for my use case, the max_age is moot. Its not by session, > but by > > And just to be clear - if I'm sending an OIDC request from my client > to keycloak, and the realm is based on SAML, and that realm is > ForceAuthn enabled, then it would reprompt in the IDP (if that's how > everything's configured) > > I'm assuming at that point, I would send a Bearer header and parse on > the backend with a JAX-RS adapter? 
> > On Mon, Mar 6, 2017 at 10:04 AM Stian Thorgersen > wrote: > > As we have prompt=login (I also spotted auth_time in the token) it > would be > really easy to add max_age that would actually be more useful than > prompt=login IMO. > > On 6 March 2017 at 15:41, Bill Burke > wrote: > > > We support prompt=login. > > > > > > On 3/6/17 9:33 AM, Stian Thorgersen wrote: > > > OIDC has prompt=login and max_age params for it. Pretty sure > we don't > > > support either at the moment though. > > > > > > On 6 March 2017 at 15:14, John D. Ament > > wrote: > > > > > >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis > > wrote: > > >> > > >>> On 03/06/2017 08:47 AM, John D. Ament wrote: > > >>>> Hi, > > >>>> > > >>>> I have a use case where I need to reauthenticate a client, > even if > > >> their > > >>>> session is active. I can use the Keycloak javascript > adapter on the > > >>> client > > >>>> side, if needed, and was wondering if this is something > built in? I > > >> was > > >>>> also expecting to leverage either the OIDC or SAML adapter > on the > > >> server > > >>>> side. Can that work, regardless or server side adapter? > > >>> In SAML you set ForceAuthn=True in the AuthnRequest. > > >>> > > >>> > > >> This is not SAML specific. 
> > >> > > >> > > >>> -- > > >>> John > > >>> _______________________________________________ > > >>> keycloak-user mailing list > > >>> keycloak-user at lists.jboss.org > > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Mon Mar 6 10:18:45 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 6 Mar 2017 12:18:45 -0300 Subject: [keycloak-user] Additional attributes for an authorization request In-Reply-To: References: Message-ID: Hi Ori, Maybe you can use the type or uri attribute for this purpose with a JS policy ? If you define a value from where you can determine the hierarchy using one of this fields, it could work ... Like we discussed, best thing is either support custom atttributes along authz request or support custom attributes for resources. I have included that in the roadmap, plan is to start pushing more things to AuthZ in KC 3.0. On Tue, Feb 21, 2017 at 8:15 AM, Ori Doolman wrote: > Hi, > > Another requirement I have in my application is that a single > authenticated user is allowed to access many albums (hierarchy of albums, > actually) and one album can be accessed by multiple users. Many-to-many > relationship. 
> Now I have a problem because I cannot use the same policy and also I > cannot have a custom attribute per user with the list of allowed albums > (list can become very long). > > What should be the approach in that case ? > > The policy I want to have is that all the albums a user can access belong > to the same hierarchy (root ID is the same). Maybe this can be used to > simplify the solution. > > Thanks, > Ori. > > > > > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@ > lists.jboss.org] On Behalf Of Ori Doolman > Sent: ??? ? 15 ?????? 2017 13:56 > To: Pedro Igor Silva > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Additional attributes for an authorization > request > > Pedro, > Thank you for all the helpful information. > We?ll try that. > Ori. > > > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: ??? ? 14 ?????? 2017 18:43 > To: Ori Doolman > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Additional attributes for an authorization > request > > On Tue, Feb 14, 2017 at 10:10 AM, Ori Doolman mailto:Ori.Doolman at amdocs.com>> wrote: > Hi Pedro, > > This is great, and will work for all album APIs of the format /album/{id}. > I wonder if the $permission.resource takes its value from the > policy-enforcer path or from the URL of the API call at runtime? I suppose > the latter and I suppose it is always the full URL path from the http > request. > > Yes, from the latter. > > > In our resource server I have also APIs with additional path level similar > to: > > /album/{albumId}/picture/{picId} > > For this API, I still want to check that user is allowed to access the > album. > How would such an API be forced to match same policy of the album? > > Should I configure the following path in policy-enforcer: > "path" : "/album/{id}/*? 
> > and have a more sophisticated policy rule based on the runtime value > $permission.resource which now becomes ?/album/17/picture/12? (for > example) and truncate the string to ?/album/17? and perform the condition > on it as the album resource? > > Or is there a better method? > > I think you don't actually need that wildcard at the end, so this should > work: > > "path" : "/album/{id}? > > When checking paths with a pattern, the enforcer queries the server for a > resource with the runtime path. For instance, if your pattern is > /album/{id} and client is trying to access /album/1/picture/2, the enforcer > will query the server for a resource with an URI that matches > /album/1/picture/2. > > In case of that PhotoZ App (which is using UMA protocol), the enforcer is > going to return to the client a permission ticket for the resource > previously resolved. Then when the client finally send an authorization > request to KC, KC is going to evaluate all permissions for the resource. > Giving you as a result a final token with past permissions plus new ones > (if granted). This is how UMA flow works, basically .... > > However, I know our enforcer is very limited in respect to patterns within > patterns. That is something we need to improve .... > > > Thanks, > Ori. > > > > > From: Pedro Igor Silva [mailto:psilva at redhat.com >] > Sent: ??? ? 14 ?????? 2017 12:54 > > To: Ori Doolman > > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Additional attributes for an authorization > request > > On Tue, Feb 14, 2017 at 6:57 AM, Ori Doolman mailto:Ori.Doolman at amdocs.com>> wrote: > Hi Pedro, > > Thank you for the answer. > There is still one thing I fail to understand around point (3) where you > wrote: ?to resolve a specific resource instance?. 
>
>
> In the photoz application code, when an album is created, an associated resource is created that is owned by the user that created the album:
>
>     ResourceRepresentation albumResource = new ResourceRepresentation(album.getName(), scopes, "/album/" + album.getId(), "http://photoz.com/album");
>
> It matches on the PEP policy-enforcer configuration:
>
>     {
>         "name" : "Album Resource",
>         "path" : "/album/{id}",
>         "methods" : [
>             {
>                 "method": "DELETE",
>                 "scopes" : ["urn:photoz.com:scopes:album:delete"]
>             },
>             {
>                 "method": "GET",
>                 "scopes" : ["urn:photoz.com:scopes:album:view"]
>             }
>         ]
>     },
>
> Which matches the PDP typed resource configuration:
>
>     {
>         "name": "Album Resource",
>         "uri": "/album/*",
>         "type": "http://photoz.com/album",
>         "scopes": [
>             {
>                 "name": "urn:photoz.com:scopes:album:view"
>             },
>             {
>                 "name": "urn:photoz.com:scopes:album:delete"
>             },
>             {
>                 "name": "urn:photoz.com:scopes:album:create"
>             }
>         ]
>     },
>
> Which ends up with the rule:
>
>     rule "Authorize Resource Owner"
>     dialect "mvel"
>     when
>         $evaluation : Evaluation(
>             $identity: context.identity,
>             $permission: permission,
>             $permission.resource != null && $permission.resource.owner.equals($identity.id)
>         )
>     then
>         $evaluation.grant();
>     end
>
>
> So the "magic" lies with the typed resource uri "/album/*".
> This is what makes it also match the path in the policy enforcer (and the actual URL at runtime of the REST API).
>
> Exactly. One of the main points here is that you can map any path in your application to a resource, so you don't necessarily need to set URIs to your resources as long as you provide a configuration like above.
>
>
> The demo creates many album resources, one for each new album created.
> But when it is evaluating the policy, how does $permission.resource reference the proper album resource each time and not just the typed "Album Resource" resource?
> This is the part I failed to understand.
> Does the $permission.resource value at runtime actually becomes > "/album/17" (for example)? > > Yes. > > > > Regards, > Ori. > > > > > From: Pedro Igor Silva [mailto:psilva at redhat.com >] > Sent: ??? ? 13 ?????? 2017 14:09 > To: Ori Doolman > > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Additional attributes for an authorization > request > > On Thu, Feb 9, 2017 at 2:11 PM, Ori Doolman mailto:Ori.Doolman at amdocs.com>> wrote: > Hi Pedro Igor, > You wrote: > You can't pass additional attributes along with an authorization request. > However, that is something we want to support on future versions. > > I have some questions about that: > > 1. Which future version will support that? Any plan for it at the > moment? > > Sorry, but can't give you any dates. There are quite a few things in authz > services roadmap, but right now we have some time and resource constraints > that are blocking us to follow a plan/roadmap. > > > 2. Until it is supported, what would be the best practice > recommendation to authorize resources such as account numbers? > > For example: The REST API (resource) I want to protect in the resource > server is /api/getAccountDetails/{accountNum}. How should I configure > the policy/permissions/resources/scopes in the PDP and how should I > utilize the PEP (I'm using Java adapter for JBOSS Fuse)? > > It seems this one is already supported. I would suggest you to take a look > at the PhotoZ example about how to protect individual resources. There you > will find: > > 1) How to create resources from your resource server using the Protection > API using the Java AuthZ Client API. > 2) How "typed" resources work, where you define permissions to a generic > resources and these permissions are also applied to resources with the same > type. > 3) How to configure "policy-enforcer" to handle paths with a pattern in > order to resolve a specific resource instance (e.g.: the account details in > your example). 
Something like that: > > { > "name" : "Album Resource", > "path" : "/album/{id}", > "methods" : [ > { > "method": "DELETE", > "scopes" : ["urn:photoz.com:scopes:album:delete"] > }, > { > "method": "GET", > "scopes" : ["urn:photoz.com:scopes:album:view"] > } > ] > } > > > > Thank you, > Ori. > > > > This message and the information contained herein is proprietary and > confidential and subject to the Amdocs policy statement, > > you may review at http://www.amdocs.com/email_disclaimer.asp > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > This message and the information contained herein is proprietary and > confidential and subject to the Amdocs policy statement, you may review at > http://www.amdocs.com/email_disclaimer.asp > > This message and the information contained herein is proprietary and > confidential and subject to the Amdocs policy statement, you may review at > http://www.amdocs.com/email_disclaimer.asp > > This message and the information contained herein is proprietary and > confidential and subject to the Amdocs policy statement, > > you may review at http://www.amdocs.com/email_disclaimer.asp > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > This message and the information contained herein is proprietary and > confidential and subject to the Amdocs policy statement, > > you may review at http://www.amdocs.com/email_disclaimer.asp > From john.d.ament at gmail.com Mon Mar 6 10:20:24 2017 From: john.d.ament at gmail.com (John D. 
Ament) Date: Mon, 06 Mar 2017 15:20:24 +0000 Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active In-Reply-To: References: <25e2fa13-a783-1cff-c2ea-3e22c38197e9@redhat.com> Message-ID: Bill, In my use case, a realm ~~ a tenant, and typically a realm will only have one identity source. So sorry yeah i just cross the two. But basically, all the clients will be OIDC based, but there will be SAML based IDPs in the mix. John On Mon, Mar 6, 2017 at 10:18 AM Bill Burke wrote: > Don't know what you're talking about John.... > > A realm isn't SAML or OIDC based. The protocol is the choice of each > individual client application. Keycloak allows a mix of SAML and OIDC > client applications in the same SSO login session. In a brokering > situation a child IDP acts as a client to the parent IDP and must use one > of the protocols that the parent IDP supports. > > > > On 3/6/17 10:09 AM, John D. Ament wrote: > > At least for my use case, the max_age is moot. Its not by session, but > by > > And just to be clear - if I'm sending an OIDC request from my client to > keycloak, and the realm is based on SAML, and that realm is ForceAuthn > enabled, then it would reprompt in the IDP (if that's how everything's > configured) > > I'm assuming at that point, I would send a Bearer header and parse on the > backend with a JAX-RS adapter? > > On Mon, Mar 6, 2017 at 10:04 AM Stian Thorgersen > wrote: > > As we have prompt=login (I also spotted auth_time in the token) it would be > really easy to add max_age that would actually be more useful than > prompt=login IMO. > > On 6 March 2017 at 15:41, Bill Burke wrote: > > > We support prompt=login. > > > > > > On 3/6/17 9:33 AM, Stian Thorgersen wrote: > > > OIDC has prompt=login and max_age params for it. Pretty sure we don't > > > support either at the moment though. > > > > > > On 6 March 2017 at 15:14, John D. 
Ament > wrote: > > > > > >> On Mon, Mar 6, 2017 at 9:12 AM John Dennis > wrote: > > >> > > >>> On 03/06/2017 08:47 AM, John D. Ament wrote: > > >>>> Hi, > > >>>> > > >>>> I have a use case where I need to reauthenticate a client, even if > > >> their > > >>>> session is active. I can use the Keycloak javascript adapter on the > > >>> client > > >>>> side, if needed, and was wondering if this is something built in? I > > >> was > > >>>> also expecting to leverage either the OIDC or SAML adapter on the > > >> server > > >>>> side. Can that work, regardless or server side adapter? > > >>> In SAML you set ForceAuthn=True in the AuthnRequest. > > >>> > > >>> > > >> This is not SAML specific. > > >> > > >> > > >>> -- > > >>> John > > >>> _______________________________________________ > > >>> keycloak-user mailing list > > >>> keycloak-user at lists.jboss.org > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From jason at naidmincloud.com Mon Mar 6 12:05:09 2017 From: jason at naidmincloud.com (Jason B) Date: Mon, 6 Mar 2017 22:35:09 +0530 Subject: [keycloak-user] Revoking an OAuth Token Message-ID: Hi, I am wondering how can we revoke an issued OAuth access token/refresh token in Keycloak ? 
What will the request look like and what is the endpoint we need to invoke?

Also, I see there is an RFC for OAuth token revocation (https://tools.ietf.org/html/rfc7009), but I am assuming this is not yet implemented in Keycloak. Are there any plans for implementing this RFC in future?

Please let me know.

Thanks!

From dev.ebondu at gmail.com Mon Mar 6 13:34:19 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Mon, 6 Mar 2017 11:34:19 -0700 (MST)
Subject: [keycloak-user] Anonymous access to scoped resources
In-Reply-To:
References: <1488199926055-2929.post@n6.nabble.com>
Message-ID: <1488825259142-3042.post@n6.nabble.com>

Hi and thanks for your reply,

Serving public resources is not a problem here, I can either change the web.xml or change the Spring security chain to serve public resources. But what I need is to provide public access to a set of KC protected resources (the decision to authorize public access to resources has to be made by the KC server with the "anonymous policy").

To illustrate, here is the corresponding use case:

- An admin can create some images with a set of scopes for restricted CRUD operations and optionally a "public" scope to allow public access (read only) to some images
- A user can create some private images with a set of scopes restricting the CRUD operations and without public access.
- A service is in charge of CRUD operations on all images (the service is protected by KC Spring filters to manage auth/authz).
- A public web page has to show the public images created by the admin. As it is a public page, images must be accessible without an access token, so I can use the CRUD service. Consequently, I need another dedicated service that can serve images with the "public" scope only.

My first idea was to secure this service with the same authz Spring filter only, but as it depends on the auth filter, I can't do it (the auth filter creates the security context from the passed access token).
=> A new Spring filter asking directly for permissions to access the "public" scope + an "anonymous" policy on the KC side seems to be the only solution here?

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Anonymous-access-to-scoped-resources-tp2929p3042.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From psilva at redhat.com Mon Mar 6 17:22:32 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 6 Mar 2017 19:22:32 -0300
Subject: [keycloak-user] Anonymous access to scoped resources
In-Reply-To: <1488825259142-3042.post@n6.nabble.com>
References: <1488199926055-2929.post@n6.nabble.com> <1488825259142-3042.post@n6.nabble.com>
Message-ID:

I see. Recently, we added a DISABLED enforcement mode to adapter config [1]. But I think your use case requires something different ...

If I understood your use case correctly, you don't want to change deployment descriptors (web.xml or spring security chain) to mark those resources as public because the decision whether a resource is public or not is dynamic, determined by a permission associated with the anonymous policy. Am I correct? So users can decide whether a resource + scope can be accessed without forcing authentication?

I think you are right about your proposal. A new filter before the KC filter kicks in should do the trick, especially if you have a specific endpoint from where those public resources are served.

Regards.
Pedro Igor

[1] https://issues.jboss.org/browse/KEYCLOAK-3830

On Mon, Mar 6, 2017 at 3:34 PM, ebondu wrote:
> Hi and thanks for your reply,
>
> Serving public resources is not a problem here, I can either change the web.xml or change the Spring security chain to serve public resources. But what I need is to provide public access to a set of KC protected resources (the decision to authorize public access to resources has to be made by the KC server with the "anonymous policy").
>
> To illustrate, here is the corresponding use case:
>
> - An admin can create some images with a set of scopes for restricted CRUD operations and optionally a "public" scope to allow public access (read only) to some images
> - A user can create some private images with a set of scopes restricting the CRUD operations and without public access.
> - A service is in charge of CRUD operations on all images (the service is protected by KC Spring filters to manage auth/authz).
> - A public web page has to show the public images created by the admin. As it is a public page, images must be accessible without an access token, so I can use the CRUD service. Consequently, I need another dedicated service that can serve images with the "public" scope only.
>
> My first idea was to secure this service with the same authz Spring filter only, but as it depends on the auth filter, I can't do it (the auth filter creates the security context from the passed access token).
>
> => A new Spring filter asking directly for permissions to access the "public" scope + an "anonymous" policy on the KC side seems to be the only solution here?
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/Anonymous-access-to-scoped-resources-tp2929p3042.html
> Sent from the keycloak-user mailing list archive at Nabble.com.

From p.g.richardson at phantomjinx.co.uk Mon Mar 6 17:41:05 2017
From: p.g.richardson at phantomjinx.co.uk (phantomjinx)
Date: Mon, 6 Mar 2017 22:41:05 +0000
Subject: [keycloak-user] Connecting Wildfly Adapter with Javascript
Message-ID:

Hey,

I am looking into implementing keycloak integration with our application.
The application:
* java-based, providing a REST interface using RestEasy
* deployed to wildfly as a war archive
* contains a web.xml detailing the security constraints, eg. runs over https only
* has used BASIC authentication
* has provided the swagger-ui interface for documentation and debugging of the REST operations

Switching to keycloak has meant:
* adding configuration to the keycloak xml element in wildfly's standalone.xml file
* separation of the main application and its swagger documentation into 2 separate wars. This was to ensure
** the main application uses a bearer-only client implementation (no login page)
** the swagger page uses a public client implementation (login page displays and redirects back to the swagger api)

Since the application is going to be released and distributed, the keycloak server-auth-url cannot be assumed anywhere in the configuration. The use of the wildfly xml configuration has meant that instructions can be provided to end-users to configure their own keycloak installations and specify the correct auth url appropriately.

However, I am now faced with a problem. The swagger webpage redirects correctly to the keycloak login page, authenticates correctly and displays accordingly. However, its internal urls, eg. swagger.json, cannot be loaded from wildfly since these urls are not provided with the page's token. How do I provide the token from the main page to the swagger.json (so as to load the REST API documentation) and to each REST API operation when I want to "try it out"?

As the swagger page is javascript, the keycloak adapter is available for use and I have prototyped using this. Yet the Keycloak object constructor requires a minimum of config, either directly or from a keycloak.json file. This config mandates the specifying of a keycloak server-auth-url, which is not appropriate to our situation.
Therefore, is it possible to extract the token used to successfully login from the keycloak login page from the metadata available in the loaded swagger page? I have found that 'state' and 'code' are being passed as parameters to the logged-in swagger page. However, it seems this page is refreshed and the request that includes these parameters is replaced with the original url, so it is impossible to glean them from the window.location.

In summary:
* Can the token or auth url be passed from the login page provided either to the javascript adapter or made available directly as a global variable?
* Can the javascript adapter keycloak instance be initialised without needing to specify a server-auth-url, with the expectation that the init method would simply call 'check-sso' and extract a token?
* Is there even a way to serve a keycloak.json file, free-standing, in a wildfly instance that could at least be configured by end-users on installation of our application?

If someone is able to shed light on any part of this rather protracted problem, I would be most grateful.

Thanks and regards
Paul

--
Paul Richardson
* p.g.richardson at phantomjinx.co.uk
* p.g.richardson at redhat.com
* pgrichardson at linux.com

From sthorger at redhat.com Tue Mar 7 03:13:59 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 7 Mar 2017 09:13:59 +0100
Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active
References: <25e2fa13-a783-1cff-c2ea-3e22c38197e9@redhat.com>

True, I was focusing just on require re-auth every X min. I reckon we should add max_age and use it for the admin console with a sensible/configurable timeout.

On 6 March 2017 at 16:11, Bill Burke wrote:
> prompt=login is just as useful. It allows applications to require re-authentication in order to perform a specific action in the app.
>
> On 3/6/17 9:55 AM, Stian Thorgersen wrote:
>> As we have prompt=login (I also spotted auth_time in the token) it would be really easy to add max_age that would actually be more useful than prompt=login IMO.
>>
>> On 6 March 2017 at 15:41, Bill Burke wrote:
>>> We support prompt=login.
>>>
>>> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
>>>> OIDC has prompt=login and max_age params for it. Pretty sure we don't support either at the moment though.
>>>>
>>>> On 6 March 2017 at 15:14, John D. Ament wrote:
>>>>> On Mon, Mar 6, 2017 at 9:12 AM John Dennis wrote:
>>>>>> On 03/06/2017 08:47 AM, John D. Ament wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a use case where I need to reauthenticate a client, even if their session is active. I can use the Keycloak javascript adapter on the client side, if needed, and was wondering if this is something built in? I was also expecting to leverage either the OIDC or SAML adapter on the server side. Can that work, regardless of server side adapter?
>>>>>>
>>>>>> In SAML you set ForceAuthn=True in the AuthnRequest.
>>>>>
>>>>> This is not SAML specific.
>>>>>
>>>>>> --
>>>>>> John

From sthorger at redhat.com Tue Mar 7 03:15:08 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 7 Mar 2017 09:15:08 +0100
Subject: [keycloak-user] Revoking an OAuth Token

You can revoke the session, but not individual tokens. I doubt we'd add revocation for individual tokens as that would require much more state maintained on the server side.

On 6 March 2017 at 18:05, Jason B wrote:
> Hi,
>
> I am wondering how we can revoke an issued OAuth access token/refresh token in Keycloak? What will the request look like and what is the end point we need to invoke?
>
> Also, I see there is an RFC for the OAuth token revocation (https://tools.ietf.org/html/rfc7009) process, but I am assuming this is not yet implemented in Keycloak. Are there any plans for implementing this RFC in future? Please let me know.
>
> Thanks!
From dev.ebondu at gmail.com Tue Mar 7 04:24:31 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Tue, 7 Mar 2017 02:24:31 -0700 (MST)
Subject: [keycloak-user] Anonymous access to scoped resources
References: <1488199926055-2929.post@n6.nabble.com> <1488825259142-3042.post@n6.nabble.com>
Message-ID: <1488878671806-3047.post@n6.nabble.com>

Hi,

Pedro Igor Silva wrote
> If I understood your use case correctly, you don't want to change deployment descriptors (web.xml or spring security chain) to mark those resources as public because the decision if a resource is public or not is dynamic, determined by a permission associated with the anonymous policy. Am I correct? So users can decide whether a resource + scope can be accessed without forcing authentication?

Yes, exactly. As you said, I have a specific endpoint to serve these "public" resources, so I will create the filter. The code will be inspired from the existing filter but I can't reuse it out of the box. I can share it if you think it is valuable for the community.

Regards,
Emilien

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Anonymous-access-to-scoped-resources-tp2929p3047.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From hmlnarik at redhat.com Tue Mar 7 04:58:52 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 7 Mar 2017 10:58:52 +0100
Subject: [keycloak-user] problem setting up identity brokering from Keycloak to ADFS
Message-ID: <1f4095c5-f3f9-bc72-eccd-24aad7191a15@redhat.com>

What are your Keycloak and ADFS versions? What are the responses you receive from ADFS? Please enable logging of SAML messages to see them (see [1] for how to do that).
A wild guess: does setting the "NameID Policy Format" [2] to "Windows Domain Qualified Name" help?

--Hynek

[1] https://issues.jboss.org/browse/KEYCLOAK-3932?focusedCommentId=13336560&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13336560
[2] https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker/saml.html

On 03/03/2017 09:49 PM, Glenn Campbell wrote:
> Thank you for your suggestions. Making those changes seems to have solved that problem. I don't think I would have ever figured that out on my own.
>
> Now I'm on to the next problem. When I enter the login credentials on the SAML IdP login page I get an error in Keycloak and the log file has a "Could not process response from SAML identity provider" error message with a root cause of "No assertion from response".
>
> Do you have any suggestions on what I need to do to fix this problem?
>
> On Fri, Mar 3, 2017 at 3:34 AM, Hynek Mlnarik wrote:
>> Actually https matters, ADFS had been rejecting any SAML communication with keycloak for me until https was enabled. Also for ADFS, there is a special setting for the KeyInfo element that needs to be set to CERT_SUBJECT in the SAML Signature Key Name option of the SAML Identity Provider settings [1].
>>
>> [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-broker/saml.html
>>
>> On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell wrote:
>>> What is the correct way to set up identity brokering from Keycloak to ADFS? I'm new to ADFS so I suspect I've configured something incorrectly there.
>>>
>>> Here's what I've done so far:
>>>
>>> 1) Installed ADFS.
>>> 2) Opened ADFS Management.
>>> 3) Walked through the ADFS Configuration Wizard. At one point in the process it asked which certificate I wanted to use. I didn't have one so I went into IIS Manager and created a self-signed certificate. Then I came back to the ADFS Configuration Wizard and selected the newly created certificate. At the end of the process there was a list of configuration items that had been performed and they all had green checkmarks by them. Clicked Close.
>>>
>>> 4) At this point ADFS Management said I needed to configure a Trusted Relying Party so I went to Keycloak to start setting up that side of things.
>>> 5) Since the certificate used by ADFS is self-signed I exported it from IIS and imported it into the Wildfly jssecerts where Keycloak is running and restarted Wildfly/Keycloak.
>>> 6) Saved the ADFS FederationMetadata.xml via the url https://<server>/FederationMetadata/2007-06/FederationMetadata.xml
>>> 7) In the Keycloak admin console, on the Identity Providers page I chose "Add provider" -> "SAML v2.0".
>>> 8) Entered an alias for the new IdP then in "Import from file -> Select File" I chose the FederationMetadata.xml that I acquired from the ADFS server.
>>> 9) Saved the IdP configuration.
>>> 10) Went to the Export tab of the newly created IdP and downloaded the xml config file.
>>>
>>> 11) At this point I went back to ADFS Management and followed the steps to create a Trusted Relying Party, choosing to import data about the relying party from the xml file exported from Keycloak.
>>> 12) For the rest of the Relying Party configuration I accepted the defaults.
>>>
>>> When I go to the url for my application I'm redirected to the Keycloak login screen where I select the Identity Provider I configured. I get a security certificate warning since the certificate from the server is self-signed but I choose to continue despite the warning. Then I get an error page saying there was a problem accessing the site. I don't get the ADFS page where I would enter my login credentials.
>>>
>>> I don't know if it matters but my application and Keycloak currently use http rather than https.
>>>
>>> Any help would be greatly appreciated.
>>> Thanks in advance,
>>> Glenn
>>
>> --
>> --Hynek

From moon3854 at gmail.com Tue Mar 7 06:33:34 2017
From: moon3854 at gmail.com (Dmitry Korchemkin)
Date: Tue, 7 Mar 2017 14:33:34 +0300
Subject: [keycloak-user] Logout in broker mode doesn't propagate session's termination

I was testing single logout in broker mode and came across this logical, but not exactly desirable, behaviour, where the session states on the broker and on the external idp are not linked between the idps.

My setup is the broker saml example provided with keycloak, but instead of an actual application I log in to the broker using the "/account" url. Should be all the same, since it's just another web-app protected by this realm.

The behaviour is as follows:
If I kill a session on the external keycloak idp, the user is not logged out. I assume since the local session is alive and well the token is not being revoked.

If I kill a session on the broker keycloak, upon hitting F5 the user is redirected to the broker login page, but when I press the external idp login button, he's logged right back in with no credentials asked. I guess since the session between the 2 idps is still up, the broker thinks this user is already authenticated.

I tested both oidc and saml, tried different backchannel/frontchannel toggles in the UI of both broker and external IDP, but this had no visible effect.

Can you please clarify if the behaviour observed is expected and normal, or did I miss some configuration steps?
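Added illustration, not part of Dmitry's message or of any reply in this thread: Bill Burke's answer further down in the archive names two settings that have to be in place for the broker to propagate a logout to the external IdP, a logout URL for that IdP and the "Backchannel Logout" supported switch set to true. Below is how those two settings appear in the identityProviders section of a realm export as it could be imported into the broker realm (which ties back to the JSON import discussion at the top of this archive). The alias, the host name external-idp.example.com, the realm name saml-broker-realm and the certificate placeholder are made-up values; the config keys are the ones I know from Keycloak's SAML identity provider configuration and should be compared against an export from your own broker version before relying on them.

```json
{
  "identityProviders": [
    {
      "alias": "external-keycloak-saml",
      "providerId": "saml",
      "enabled": true,
      "trustEmail": false,
      "storeToken": false,
      "config": {
        "singleSignOnServiceUrl": "https://external-idp.example.com/auth/realms/saml-broker-realm/protocol/saml",
        "singleLogoutServiceUrl": "https://external-idp.example.com/auth/realms/saml-broker-realm/protocol/saml",
        "backchannelSupported": "true",
        "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "validateSignature": "true",
        "signingCertificate": "MIIC...PLACEHOLDER-external-IdP-signing-certificate...",
        "wantAuthnRequestsSigned": "true",
        "postBindingResponse": "true",
        "postBindingAuthnRequest": "true"
      }
    }
  ]
}
```

The two lines that matter for Dmitry's second symptom (broker session killed, silent re-login through the external IdP) are singleLogoutServiceUrl and backchannelSupported; the rest is ordinary SAML trust configuration included so the entry imports as a whole. This fragment only covers the broker-to-external-IdP direction. The first symptom, a session killed on the external IdP leaving the broker session intact, is the opposite direction: it depends on the client entry for the broker on the external IdP carrying the broker's own logout endpoint, which is configured on that side and not in this realm.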
From sagarahire at arvindinternet.com Tue Mar 7 08:52:02 2017
From: sagarahire at arvindinternet.com (Sagar Ahire)
Date: Tue, 7 Mar 2017 19:22:02 +0530
Subject: [keycloak-user] Unable To Use Refresh Token

I'm using the standard keycloak 2.4.0 docker image, I modified the standalone.xml in the docker file. I've increased the owners count to 4. Following are the tags I changed in *standalone.xml*.

But still facing the same issue. Is standalone.xml the correct file I need to change? Or am I missing something here?

regards,
-Sagar

On Mon, Mar 6, 2017 at 7:31 PM, Andrew Zenk wrote:
> Have you increased the owner count for the various caches to something greater than 1?
>
> On Mar 6, 2017 7:56 AM, "Sagar Ahire" wrote:
>> Hello,
>>
>> I've deployed keycloak 2.4.0 in a kubernetes environment. While refreshing the access token I'm getting the following response.
>> {'error': 'invalid_grant', 'error_description': 'Client session not active'}.
>>
>> Here is what I did:
>> Step1: First, I generated three access tokens and refresh tokens (rf1,rf2,rf3), then I used these refresh_tokens to refresh the access tokens. I got the access tokens successfully for all three requests. (Successful scenario)
>>
>> Step2: I restarted some of the pods from the keycloak cluster, I tried to refresh the access tokens using the same refresh tokens (rf1,rf2,rf3) again, using rf1 I could refresh the access token but using rf2,rf3 I got the response mentioned above ('client session not active'). I made sure rf2 and rf3 are not expired.
>>
>> I'm unable to use the refresh token even though it is not expired. I suspect the session created on one pod is not properly shared between all the members of the cluster and I'm losing the session if one of my pods is restarted or goes down.
>>
>> Can someone please suggest any solution for this? Any help would be greatly appreciated.
>>
>> regards,
>> -Sagar

From bburke at redhat.com Tue Mar 7 08:57:04 2017
From: bburke at redhat.com (Bill Burke)
Date: Tue, 7 Mar 2017 08:57:04 -0500
Subject: [keycloak-user] Logout in broker mode doesn't propagate session's termination

How exactly are you killing sessions? Through the admin console? Can you specify exactly what operations you are performing. For SAML and OIDC there is a logout URL you have to specify. There's also a "Backchannel Logout" supported switch that has to be true.

On 3/7/17 6:33 AM, Dmitry Korchemkin wrote:
> I was testing single logout in broker mode and came across this logical, but not exactly desirable, behaviour, where the session states on the broker and on the external idp are not linked between the idps.
>
> My setup is the broker saml example provided with keycloak, but instead of an actual application I log in to the broker using the "/account" url. Should be all the same, since it's just another web-app protected by this realm.
>
> The behaviour is as follows:
> If I kill a session on the external keycloak idp, the user is not logged out. I assume since the local session is alive and well the token is not being revoked.
>
> If I kill a session on the broker keycloak, upon hitting F5 the user is redirected to the broker login page, but when I press the external idp login button, he's logged right back in with no credentials asked. I guess since the session between the 2 idps is still up, the broker thinks this user is already authenticated.
>
> I tested both oidc and saml, tried different backchannel/frontchannel toggles in the UI of both broker and external IDP, but this had no visible effect.
> Can you please clarify if the behaviour observed is expected and normal, or did I miss some configuration steps?

From terence.namusonge at gmail.com Tue Mar 7 09:16:00 2017
From: terence.namusonge at gmail.com (teroz)
Date: Tue, 07 Mar 2017 14:16:00 +0000
Subject: [keycloak-user] No way to use First Broker Login without enabling Create User If Unique

Hi there

Is there a way to pre-create users and have these users able to link these existing accounts to google accounts without also being forced to allow any random google user from being able to create an account? Seems that's how First Broker Login works. Any attempt to disable the "Create User If Unique" step makes the flow unusable with always the same error

*WARN [org.keycloak.events] (default task-94) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=example, clientId=js-console, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, identity_provider=google, auth_method=openid-connect, auth_type=code, redirect_uri=http://127.0.0.1:8080/js-console/, identity_provider_identity=......*

From hmlnarik at redhat.com Tue Mar 7 09:20:37 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 7 Mar 2017 15:20:37 +0100
Subject: [keycloak-user] Unable To Use Refresh Token

Depending on your setup, you should be using either standalone-ha.xml or standalone-full-ha.xml to run in a cluster.

--Hynek

On Tue, Mar 7, 2017 at 2:52 PM, Sagar Ahire wrote:
> I'm using the standard keycloak 2.4.0 docker image, I modified the standalone.xml in the docker file. I've increased the owners count to 4. Following are the tags I changed in *standalone.xml*.
>
> But still facing the same issue. Is standalone.xml the correct file I need to change? Or am I missing something here?
>
> regards,
> -Sagar
>
> On Mon, Mar 6, 2017 at 7:31 PM, Andrew Zenk wrote:
>> Have you increased the owner count for the various caches to something greater than 1?

--
--Hynek

From mposolda at redhat.com Tue Mar 7 11:03:24 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 7 Mar 2017 17:03:24 +0100
Subject: [keycloak-user] No way to use First Broker Login without enabling Create User If Unique

Someone else asked recently for it. I think that a JIRA already exists. Feel free to create a new JIRA if you are not able to find the existing one.

Yes, currently the builtin CreateUserIfUnique authenticator does 2 things:
- Check if the brokered user already exists in the Keycloak DB. If not, then create a new user
- If it exists, then set some info into the current clientSession about the existing user

The other authenticators in the chain assume that the info about the duplicated user is in the clientSession already. There should be some more flexibility here (either the possibility to configure the CreateUserIfUnique authenticator to never create new users, or let the existing authenticators find out by themselves whether a duplicated user is here or not).

You can also send a PR for it or, as a workaround, replace the CreateUserIfUnique authenticator with your own authenticator impl, which won't allow registering new users.

Btw. There is also the possibility that Keycloak users can link brokers in the account management console.

Marek

On 07/03/17 15:16, teroz wrote:
> Hi there
> Is there a way to pre-create users and have these users able to link these existing accounts to google accounts without also being forced to allow any random google user from being able to create an account?
> Seems that's how First Broker Login works.
> Any attempt to disable the "Create User If Unique" step makes the flow unusable with always the same error
>
> *WARN [org.keycloak.events] (default task-94) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=example, clientId=js-console, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, identity_provider=google, auth_method=openid-connect, auth_type=code, redirect_uri=http://127.0.0.1:8080/js-console/, identity_provider_identity=......*

From mposolda at redhat.com Tue Mar 7 11:12:04 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 7 Mar 2017 17:12:04 +0100
Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active
References: <25e2fa13-a783-1cff-c2ea-3e22c38197e9@redhat.com>
Message-ID: <6dce0672-d1a8-20e7-2000-691bb92f5155@redhat.com>

+1

We already have support for max_age on the server including some support in keycloak.js. That was recommended for OIDC certification. Seems that the only missing part will be the support in the admin console itself.

Marek

On 07/03/17 09:13, Stian Thorgersen wrote:
> True, I was focusing just on require re-auth every X min. I reckon we should add max_age and use it for the admin console with a sensible/configurable timeout.
>
> On 6 March 2017 at 16:11, Bill Burke wrote:
>> prompt=login is just as useful. It allows applications to require re-authentication in order to perform a specific action in the app.
>>
>> On 3/6/17 9:55 AM, Stian Thorgersen wrote:
>>> As we have prompt=login (I also spotted auth_time in the token) it would be really easy to add max_age that would actually be more useful than prompt=login IMO.
>>>
>>> On 6 March 2017 at 15:41, Bill Burke wrote:
>>>> We support prompt=login.

From vikrantsingh at kpmg.com Tue Mar 7 12:07:46 2017
From: vikrantsingh at kpmg.com (Singh, Vikrant)
Date: Tue, 7 Mar 2017 17:07:46 +0000
Subject: [keycloak-user] Using external infinispan for DB operations cache

Hi,

I am using an external infinispan in replicated clustered mode as a distributed cache with keycloak for HA failover scenarios. Keycloak out of the box has two kinds of caches, one DB operations cache and the other session related cache. I would like to know what the best practice is related to using an external infinispan for the DB operations related cache, and whether this DB cache is actually the keycloak hibernate cache.

Thanks,
Vikrant

From max.catarino at rps.com.br Tue Mar 7 13:47:03 2017
From: max.catarino at rps.com.br (Maximiliano)
Date: Tue, 7 Mar 2017 11:47:03 -0700 (MST)
Subject: [keycloak-user] Credential Representation TOTP example
Message-ID: <1488912423671-3057.post@n6.nabble.com>

I'm trying to add a TOTP for a user with the Admin Client API. Does someone have a CredentialRepresentation setup for TOTP?

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Credential-Representation-TOTP-example-tp3057.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From alexander.chriztopher at gmail.com Wed Mar 8 04:15:27 2017
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Wed, 8 Mar 2017 10:15:27 +0100
Subject: [keycloak-user] Session timeout settings on a per application basis

Hi,

We would like to know whether this is now available or not?

I have found the following thread that was sent in 12/2014: http://lists.jboss.org/pipermail/keycloak-user/2014-December/001295.html

Thanks for your answers.

From sthorger at redhat.com Wed Mar 8 06:10:59 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 8 Mar 2017 12:10:59 +0100
Subject: [keycloak-user] Session timeout settings on a per application basis

Session timeouts are for the SSO session and it wouldn't make any sense to have them on a per-application basis.
What's your actual use-case?

On 8 March 2017 at 10:15, Alexander Chriztopher <alexander.chriztopher at gmail.com> wrote:
> Hi,
>
> We would like to know whether this is now available or not?
>
> I have found the following thread that was sent in 12/2014:
> http://lists.jboss.org/pipermail/keycloak-user/2014-December/001295.html
>
> Thanks for your answers.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From john.d.ament at gmail.com Wed Mar 8 07:54:15 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 08 Mar 2017 12:54:15 +0000
Subject: [keycloak-user] Forcing reauthentication from a client, even when session is active
In-Reply-To: <6dce0672-d1a8-20e7-2000-691bb92f5155@redhat.com>
References: <25e2fa13-a783-1cff-c2ea-3e22c38197e9@redhat.com> <6dce0672-d1a8-20e7-2000-691bb92f5155@redhat.com>
Message-ID:

So one question though - and it's my lack of familiarity with Keycloak. If I'm using the JavaScript adapter, do I have to use the OIDC connector on the server side? Or would I have two clients (one backend and one frontend)? I still have the need to support IDP initiated, and can spin up a backend to handle that without an issue, but this forcing re-authentication is basically client side, and always represents an SP initiated action (regardless of SAML or OIDC).

John

On Tue, Mar 7, 2017 at 11:33 AM Marek Posolda wrote:
> +1
>
> We already have support for max_age on the server including some support in keycloak.js. That was recommended for OIDC certification. Seems that the only missing part will be the support in the admin console itself.
>
> Marek
>
> On 07/03/17 09:13, Stian Thorgersen wrote:
>> True, I was focusing just on require re-auth every X min. I reckon we should add max_age and use it for the admin console with a sensible/configurable timeout.
>>
>> On 6 March 2017 at 16:11, Bill Burke wrote:
>>> prompt=login is just as useful. It allows applications to require re-authentication in order to perform a specific action in the app.
>>>
>>> On 3/6/17 9:55 AM, Stian Thorgersen wrote:
>>>> As we have prompt=login (I also spotted auth_time in the token) it would be really easy to add max_age that would actually be more useful than prompt=login IMO.
>>>>
>>>> On 6 March 2017 at 15:41, Bill Burke wrote:
>>>>> We support prompt=login.
>>>>>
>>>>> On 3/6/17 9:33 AM, Stian Thorgersen wrote:
>>>>>> OIDC has prompt=login and max_age params for it. Pretty sure we don't support either at the moment though.
>>>>>>
>>>>>> On 6 March 2017 at 15:14, John D. Ament wrote:
>>>>>>> On Mon, Mar 6, 2017 at 9:12 AM John Dennis wrote:
>>>>>>>> On 03/06/2017 08:47 AM, John D. Ament wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have a use case where I need to reauthenticate a client, even if their session is active. I can use the Keycloak javascript adapter on the client side, if needed, and was wondering if this is something built in? I was also expecting to leverage either the OIDC or SAML adapter on the server side. Can that work, regardless of server side adapter?
>>>>>>>> In SAML you set ForceAuthn=True in the AuthnRequest.
>>>>>>>>
>>>>>>> This is not SAML specific.
>>>>>>>
>>>>>>>> --
>>>>>>>> John

From campbellg at teds.com Wed Mar 8 08:01:20 2017
From: campbellg at teds.com (Glenn Campbell)
Date: Wed, 8 Mar 2017 08:01:20 -0500
Subject: [keycloak-user] problem setting up identity brokering from Keycloak to ADFS
In-Reply-To:
References: <1f4095c5-f3f9-bc72-eccd-24aad7191a15@redhat.com>
Message-ID:

(re-sent, forgot to include keycloak-user)

I'm using Keycloak 2.5.0. And I think my ADFS is 2.1.

It appears that I don't have permission to view KEYCLOAK-3932 so I'm not sure of the proper way to turn on SAML logging. I turned on debug logging for "org.keycloak.saml" and "org.keycloak.broker.saml" but what I got in my log file wasn't very helpful. It looked like most of the info was encrypted and/or hashed.

However, I think I have a working configuration now.
I need to test more to be sure but it looks promising so far. In my frustration I changed several things but I think the changes that made a difference were as follows:

1) Self-signed Certificates
The self-signed certificates I'm using in my test environment may have been getting in my way. Or rather the various machines in my test environment not trusting the self-signed certificates of the other machines. It is probably unnecessary but I set all machines in my test environment to trust the certificates from all other machines. I know client machines will need to trust the certificates from both my Keycloak machine and my SAML machine but do the Keycloak and SAML machines need to trust the certificates from each other?

2) NameID Policy Format
I tried your suggestion of using "Windows Domain Qualified Name" but that didn't seem to work. I set it to "Unspecified" and that didn't work either until...

3) ADFS Relying Party Claim mapping
I added a Claim mapping on the Relying Party for Keycloak to map "SAM-Account-Name" to "Name ID". This in conjunction with #2 seems to have let things start working.

Being an ADFS novice (or SAML novice in general) I'm not clear on why the above items make everything work. Can you provide any information regarding why the above items are important? I'm happy when things work but I'm even happier when I understand why they work.

Thanks again for all of your help.

On Tue, Mar 7, 2017 at 4:26 PM, Glenn Campbell wrote:
> On Tue, Mar 7, 2017 at 4:58 AM, Hynek Mlnarik wrote:
>> What are your Keycloak and ADFS versions? What are the responses you receive from ADFS? Please enable logging of SAML messages to see them (see [1] how to do that).
>>
>> A wild guess: does setting the "NameID Policy Format" [2] to "Windows Domain Qualified Name" help?
>>
>> --Hynek
>>
>> [1] https://issues.jboss.org/browse/KEYCLOAK-3932?focusedCommentId=13336560&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13336560
>> [2] https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/identity-broker/saml.html
>>
>> On 03/03/2017 09:49 PM, Glenn Campbell wrote:
>>> Thank you for your suggestions. Making those changes seems to have solved that problem. I don't think I would have ever figured that out on my own.
>>>
>>> Now I'm on to the next problem. When I enter the login credentials on the SAML IdP login page I get an error in Keycloak and the log file has a "Could not process response from SAML identity provider" error message with a root cause of "No assertion from response".
>>>
>>> Do you have any suggestions on what I need to do to fix this problem?
>>>
>>> On Fri, Mar 3, 2017 at 3:34 AM, Hynek Mlnarik wrote:
>>>> Actually https matters, ADFS had been rejecting any SAML communication with keycloak for me until https was enabled. Also for ADFS, there is a special setting for the KeyInfo element that needs to be set to CERT_SUBJECT in the SAML Signature Key Name option of the SAML Identity Provider settings [1].
>>>>
>>>> [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-broker/saml.html
>>>>
>>>> On Thu, Mar 2, 2017 at 11:45 PM, Glenn Campbell wrote:
>>>>> What is the correct way to set up identity brokering from Keycloak to ADFS? I'm new to ADFS so I suspect I've configured something incorrectly there.
>>>>>
>>>>> Here's what I've done so far:
>>>>>
>>>>> 1) Installed ADFS.
>>>>> 2) Opened ADFS Management.
>>>>> 3) Walked through the ADFS Configuration Wizard.
>>>>> At one point in the process it asked which certificate I wanted to use. I didn't have one so I went into IIS Manager and created a self-signed certificate. Then I came back to the ADFS Configuration Wizard and selected the newly created certificate.
>>>>> At the end of the process there was a list of configuration items that had been performed and they all had green checkmarks by them.
>>>>> Clicked Close.
>>>>>
>>>>> 4) At this point ADFS Management said I needed to configure a Trusted Relying Party so I went to Keycloak to start setting up that side of things.
>>>>> 5) Since the certificate used by ADFS is self-signed I exported it from IIS and imported it into the Wildfly jssecerts where Keycloak is running and restarted Wildfly/Keycloak.
>>>>> 6) Saved the ADFS FederationMetadata.xml via the url https://<server>/FederationMetadata/2007-06/FederationMetadata.xml
>>>>> 7) In the Keycloak admin console, on the Identity Providers page I chose "Add provider" -> "SAML v2.0".
>>>>> 8) Entered an alias for the new IdP then in "Import from file -> Select File" I chose the FederationMetadata.xml that I acquired from the ADFS server.
>>>>> 9) Saved the IdP configuration.
>>>>> 10) Went to the Export tab of the newly created IdP and downloaded the xml config file.
>>>>>
>>>>> 11) At this point I went back to ADFS Management and followed the steps to create a Trusted Relying Party, choosing to import data about the relying party from the xml file exported from Keycloak.
>>>>> 12) For the rest of the Relying Party configuration I accepted the defaults.
>>>>>
>>>>> When I go to the url for my application I'm redirected to the Keycloak login screen where I select the Identity Provider I configured. I get a security certificate warning since the certificate from the server is self-signed but I choose to continue despite the warning. Then I get an error page saying there was a problem accessing the site. I don't get the ADFS page where I would enter my login credentials.
>>>>>
>>>>> I don't know if it matters but my application and Keycloak currently use http rather than https.
>>>>>
>>>>> Any help would be greatly appreciated.
>>>>> Thanks in advance,
>>>>> Glenn
>>>>
>>>> --
>>>> --Hynek

From alexander.chriztopher at gmail.com Wed Mar 8 08:26:38 2017
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Wed, 8 Mar 2017 14:26:38 +0100
Subject: [keycloak-user] Session timeout settings on a per application basis
In-Reply-To:
References:
Message-ID:

Our use case is that we have different businesses and each business has its own constraints. In one of them (2 applications today) we want the session to time out very quickly if the user is not active, for security reasons, and in another we want a rather "normal" timeout as the security constraints are not the same (a lot more applications here).

On Wed, Mar 8, 2017 at 12:10 PM, Stian Thorgersen wrote:
> Session timeouts are for the SSO session and it wouldn't make any sense to have them on a per-application basis. What's your actual use-case?
>
> On 8 March 2017 at 10:15, Alexander Chriztopher <alexander.chriztopher at gmail.com> wrote:
>> Hi,
>>
>> We would like to know whether this is now available or not?
>>
>> I have found the following thread that was sent in 12/2014:
>> http://lists.jboss.org/pipermail/keycloak-user/2014-December/001295.html
>>
>> Thanks for your answers.
From celso.agra at gmail.com Wed Mar 8 09:29:15 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Wed, 8 Mar 2017 11:29:15 -0300
Subject: [keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration
Message-ID:

Hi all,

I'm trying to configure KC with LDAP, but some errors are occurring. First, I configured my LDAP to write to the LDAP server, but for some reason I got this error when I try to register a user:

2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa]
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:410)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:104)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:105)
    at org.keycloak.federation.ldap.mappers.msad.MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(MSADUserAccountControlMapper.java:235)
    at org.keycloak.federation.ldap.mappers.msad.MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(MSADUserAccountControlMapper.java:220)
    at org.keycloak.models.utils.UserModelDelegate.addRequiredAction(UserModelDelegate.java:112)
    at org.keycloak.authentication.forms.RegistrationPassword.success(RegistrationPassword.java:101)
    at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:234)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:356)
    at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:477)
    at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:535)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:402)
    ... 59 more

2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://127.0.0.1:8080/teste-portal/

and then, I got this result in my ldap:

dn: uid=11111111111,dc=zz,dc=dd,dc=aa
givenName:: IA==
uid: 11111111111
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: phpgwAccount
objectClass: shadowAccount
sn:: IA==
cn:: IA==
structuralObjectClass: inetOrgPerson
entryUUID: 07f0e7caxxxxxxxxxxx
creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
createTimestamp: 20170308140529Z
entryCSN: 20170308140529.527857Z#000000#000#000000
modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
modifyTimestamp: 20170308140529Z

So, I wrote the uid as 11111111111, but I didn't set the sn, cn and givenName as 'IA=='. It looks like some problem occurs in my configuration. Please, I need help!!
Best Regards,

--
---
*Celso Agra*

From juan.amat at nokia.com Wed Mar 8 10:28:23 2017
From: juan.amat at nokia.com (Amat, Juan (Nokia - US))
Date: Wed, 8 Mar 2017 15:28:23 +0000
Subject: [keycloak-user] oidc wildfly adapter and wildfly single-sign-on
Message-ID:

I will start by saying that this is my first post to this list so forgive me if this topic has already been addressed. I will also thank all the people who work on Keycloak (regulars and contributors).

Now back to my topic.

In our next release we are planning to use Keycloak (version 2.5.1) in the context of a new Angular2 based client and stateless REST services. At the same time we also want to use Keycloak with our legacy applications. Our legacy applications (a bunch of webapps and REST services) run on Wildfly 10.

The 'Getting Started' chapter of the Keycloak documentation looks too good, as simply adding some configuration in the standalone.xml makes it work with no code changes. I did try that and it worked fine with our legacy applications except for the logout. I opened (twice) this ticket: https://issues.jboss.org/browse/KEYCLOAK-4397

The problem is that we used to configure the undertow subsystem with single-sign-on, which allows us to log in to one webapp and navigate to another without the need to reauthenticate. I removed this and now we have other problems. Our webapps sometimes do XMLHttpRequest requests to another webapp/REST service, and Keycloak will then return 302, which does not work too well. I did see this ticket https://issues.jboss.org/browse/KEYCLOAK-2962 but it will not help us much I think (it is my understanding that with this fix and using autodetect we will get 401 back, and this is not what we want).

We did configure Keycloak with the 'session' token store so we thought that maybe using the 'cookie' token store would be better. But it did not help because the path of the cookie is the webapp context. IOW it is not propagated when we call another webapp. There is this open ticket https://issues.jboss.org/browse/KEYCLOAK-4342 about the same issue.

In the end I am wondering if Keycloak should support this configuration, that is having undertow single-sign-on enabled. Or, and it would also be OK for us, if we could configure the Keycloak cookie path.

Did any of you have the same issue? And if so how did you resolve it? Or is what I am doing not possible without some code changes?

TIA.

From AChoimet.prestataire at voyages-sncf.com Wed Mar 8 10:58:00 2017
From: AChoimet.prestataire at voyages-sncf.com (Choimet Antoine)
Date: Wed, 8 Mar 2017 15:58:00 +0000
Subject: [keycloak-user] keycloak 2.5.4 - Multi Data Center with TCP
Message-ID: <221042a2c9c741719a088b7c06da67c3@ECLIPSE.groupevsc.com>

Hello,

We want to implement the multi datacenter feature with keycloak 2.5.4. We already have two clusters with TCP stacks. We need to relay the backups between the two; I've tried to put a backup but the property 'site' is not recognized.

Does anyone have a sample configuration in TCP for multi data center please?

From imxxx021 at umn.edu Wed Mar 8 13:13:03 2017
From: imxxx021 at umn.edu (Danny Im)
Date: Wed, 8 Mar 2017 12:13:03 -0600
Subject: [keycloak-user] Is there a pre-save event
Message-ID:

Hi,

I'm implementing an Event Listener Provider, and was wondering if there is a way to add some functionality before an object is created or updated. In my case, I would like to do some extra validation on incoming fields before a user is created within keycloak.

In the javadoc: http://www.keycloak.org/docs-api/2.5/javadocs/index.html under org.keycloak.events.admin.OperationType I only see four actions: ACTION, CREATE, DELETE, and UPDATE

Thanks!

--
Danny Im
Software Developer
Polar Geospatial Center
University of Minnesota

From juan.amat at nokia.com Wed Mar 8 14:10:13 2017
From: juan.amat at nokia.com (Amat, Juan (Nokia - US))
Date: Wed, 8 Mar 2017 19:10:13 +0000
Subject: [keycloak-user] JAAS plugin and roles
Message-ID:

I was trying to use this login module with an application deployed on Wildfly 10: org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule

And it kind of worked. By that I mean that when you log in, you are authenticated fine but then calling HttpServletRequest.isUserInRole(xxx) did not work.

The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific group. This page https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html says:

"The JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal. The Roles group is the collection of Principals for the named roles as known in the application domain under which the Subject has been authenticated. This role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set. The CallerPrincipalGroup consists of the single Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipalGroup, the application identity is the same used for login."

A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing work.

Am I doing something wrong?

Thank you.
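The message above quotes how JBossSX locates roles: it does not read every Principal in the Subject, it looks for a Group named "Roles" (and, for getCallerPrincipal(), a Group named "CallerPrincipal"). The following is an added illustration of where those groups are populated in a JAAS LoginModule; it is not Keycloak's DirectAccessGrantsLoginModule and not the patch mentioned in the message. The credential check against an in-memory map is constructed for the example; a real module would validate the credentials against Keycloak and take the roles from the returned token. SimpleGroup and SimplePrincipal are the PicketBox classes (org.jboss.security) that WildFly 10 ships.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

/**
 * Illustration only: a minimal JAAS LoginModule whose commit() fills the two
 * role sets JBossSX consults ("Roles" and "CallerPrincipal"). Without the
 * "Roles" group, isUserInRole()/isCallerInRole() see no roles at all.
 */
public class RolesGroupLoginModule implements LoginModule {

    // Constructed sample data for this example (hypothetical user and roles).
    // A real module would validate against Keycloak and read roles from the token.
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, List<String>> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("alice", "correct horse battery staple");
        ROLES.put("alice", Arrays.asList("user", "admin"));
    }

    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private List<String> roles;
    private boolean loginOk;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        String expected = PASSWORDS.get(name);
        // Constant-time comparison so a wrong password and an unknown user cost the same.
        if (expected == null || pw == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                new String(pw).getBytes(StandardCharsets.UTF_8))) {
            throw new FailedLoginException("invalid credentials");
        }
        username = name;
        roles = ROLES.get(name);
        loginOk = true;
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (!loginOk) {
            return false;
        }
        // The caller identity itself.
        subject.getPrincipals().add(new SimplePrincipal(username));
        // "Roles": the role set that isUserInRole()/isCallerInRole() and the
        // method-permission interceptor consult.
        Group rolesGroup = new SimpleGroup("Roles");
        for (String role : roles) {
            rolesGroup.addMember(new SimplePrincipal(role));
        }
        subject.getPrincipals().add(rolesGroup);
        // "CallerPrincipal": a single member, returned by getCallerPrincipal().
        Group callerGroup = new SimpleGroup("CallerPrincipal");
        callerGroup.addMember(new SimplePrincipal(username));
        subject.getPrincipals().add(callerGroup);
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        username = null;
        roles = null;
        loginOk = false;
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        subject.getPrincipals().clear();
        return true;
    }
}
```

On WildFly the module is registered as a login-module of a security domain in the security subsystem of standalone.xml, and the web application references that domain from its jboss-web.xml; isUserInRole then resolves against the "Roles" group built in commit().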
From RLewis at carbonite.com Wed Mar 8 18:01:55 2017 From: RLewis at carbonite.com (Reed Lewis) Date: Wed, 8 Mar 2017 23:01:55 +0000 Subject: [keycloak-user] Using a different claim in the data from a Third Party IDP to associate the user with a Keycloak User.. Message-ID: Note, This is the second attempt to send this. The first did not seem to go through. Right now I am working on getting Keycloak to be able to use Azure with Keycloak logging in. The issue is that we are going to prepopulate the users in Keycloak by calling Azure to get a list of users using the Azure route here: https://graph.microsoft.com/v1.0/myOrganization/users We get an access and refresh token not using Keycloak, then call the above route. It returns data like this: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","@odata.nextLink":"https://graph.microsoft.com/v1.0/myOrganization/users?$skiptoken=X%","value":[{"id":"","businessPhones":[],"displayName":"user081","givenName":null,"jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":null,"userPrincipalName":"nothing at carboniteinc.com"} Continuing on and on. The is a guuid that identifies the user. When I use Keycloak in debug mode this is in the log file: {"amr":"[\"wia\"]","family_name":"someone","given_name":?first","ipaddr":"","name":"me","oid":"?,"onprem_sid":"something else", "platf":"5","sub":"A different value here","tid":"Another differen value","unique_name":"@carbonite.com","upn":"@carbonite.com","ver":"1.0"} It is using the value in the ?sub? claim to associate the user in Azure with the user in Keycloak. Is there a way to change Keycloak in the config to use the OID instead since that matches what I get from the user listing? Because the sub claim is not known when listing the users. Thank you, Reed Lewis This message is the property of CARBONITE, INC. and may contain confidential or privileged information. 
If this message has been delivered to you by mistake, then do not copy or deliver this message to anyone. Instead, destroy it and notify me by reply e-mail. From sagarahire at arvindinternet.com Thu Mar 9 00:41:54 2017 From: sagarahire at arvindinternet.com (Sagar Ahire) Date: Thu, 9 Mar 2017 11:11:54 +0530 Subject: [keycloak-user] Unable To Use Refresh Token In-Reply-To: References: Message-ID: I tried with standalone-ha.xml, still facing the same issue. regards, -Sagar On Tue, Mar 7, 2017 at 7:50 PM, Hynek Mlnarik wrote: > Depending on your setup, you should be using either standalone-ha.xml > or standalone-full-ha.xml to run in cluster. > > --Hynek > > On Tue, Mar 7, 2017 at 2:52 PM, Sagar Ahire > wrote: > > I'm using the standard keycloak 2.4.0 docker image, I modified the > > standalone.xml in docker file. I've increased owners count to 4. > following > > are the tags I changed in *standalone.xml*. > > > > > > > > > > > > But still facing the same issue. Is standalone.xml the correct file I > need > > to change? or I'm missing something here. > > > > > > regards, > > -Sagar > > > > On Mon, Mar 6, 2017 at 7:31 PM, Andrew Zenk wrote: > > > >> Have you increased the owner count for the various caches to something > >> greater than 1? > >> > >> On Mar 6, 2017 7:56 AM, "Sagar Ahire" > >> wrote: > >> > >>> Hello, > >>> > >>> I've deployed keyclock 2.4.0 in a kubernetes environment. While > refreshing > >>> the access token I'm getting following response. > >>> {'error': 'invalid_grant', 'error_description': 'Client session not > >>> active'}. > >>> > >>> Here is what I did: > >>> Step1: First, I generated three access tokens and refresh tokens > >>> (rf1,rf2,rf3), then I used this refresh_tokens to refresh the access > >>> tokens. I got the access tokens successfully for all three requests. 
> >>> (Successful scenario) > >>> > >>> Step2: I restarted some of the pods from the keyclock cluster, I tried > to > >>> refresh the access tokens using the same refresh tokens(rf1,rf2,rf3) > >>> again, > >>> using rf1 I could refresh the access token but using rf2,rf3 I got the > >>> response mentioned above ('client session not active'). I made sure rf2 > >>> and > >>> rf3 are not expired. > >>> > >>> I'm unable to use refresh token even though it is not expired. I > suspect > >>> session created on one pod is not properly shared between all the > members > >>> of a cluster and I'm loosing the session if one of my pod is restarted > or > >>> goes down. > >>> > >>> Can someone please suggest any solution for this? Any help would be > >>> greatly > >>> appreciated. > >>> > >>> > >>> > >>> > >>> regards, > >>> -Sagar > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > > --Hynek > From azenk at umn.edu Thu Mar 9 01:20:08 2017 From: azenk at umn.edu (Andrew Zenk) Date: Thu, 9 Mar 2017 00:20:08 -0600 Subject: [keycloak-user] Unable To Use Refresh Token In-Reply-To: References: Message-ID: Beyond looking at debug log output, is there a way to check on the health of the cache? It would be useful here. I know there's a feature request open for a health endpoint but, to my knowledge, it hasn't been worked on yet. Ideally I'd like to be able to verify that all nodes are joined to the cluster and that all data has been replicated/balanced appropriately. Anyway, if you turn up logging a bit you should see some output from one of the jgroups packages showing the current cluster members. 
I've been using the kube_ping module successfully for discovery on openshift.

On Wed, Mar 8, 2017 at 11:41 PM, Sagar Ahire wrote:
> I tried with standalone-ha.xml, still facing the same issue.
>
> regards,
> -Sagar
>
> On Tue, Mar 7, 2017 at 7:50 PM, Hynek Mlnarik wrote:
>
>> Depending on your setup, you should be using either standalone-ha.xml or standalone-full-ha.xml to run in cluster.
>>
>> --Hynek
>>
>> On Tue, Mar 7, 2017 at 2:52 PM, Sagar Ahire wrote:
>> > I'm using the standard keycloak 2.4.0 docker image, I modified the standalone.xml in docker file. I've increased owners count to 4. Following are the tags I changed in *standalone.xml*.
>> >
>> >
>> > But still facing the same issue. Is standalone.xml the correct file I need to change? Or am I missing something here?
>> >
>> > regards,
>> > -Sagar
>> >
>> > On Mon, Mar 6, 2017 at 7:31 PM, Andrew Zenk wrote:
>> >
>> >> Have you increased the owner count for the various caches to something greater than 1?
>> >>
>> >> On Mar 6, 2017 7:56 AM, "Sagar Ahire" wrote:
>> >>
>> >>> Hello,
>> >>>
>> >>> I've deployed keycloak 2.4.0 in a kubernetes environment. While refreshing the access token I'm getting the following response:
>> >>> {'error': 'invalid_grant', 'error_description': 'Client session not active'}.
>> >>>
>> >>> Here is what I did:
>> >>> Step 1: First, I generated three access tokens and refresh tokens (rf1,rf2,rf3), then I used these refresh_tokens to refresh the access tokens. I got the access tokens successfully for all three requests. (Successful scenario)
>> >>>
>> >>> Step 2: I restarted some of the pods from the keycloak cluster, I tried to refresh the access tokens using the same refresh tokens (rf1,rf2,rf3) again, using rf1 I could refresh the access token but using rf2,rf3 I got the response mentioned above ('client session not active'). I made sure rf2 and rf3 are not expired.
>> >>>
>> >>> I'm unable to use the refresh token even though it is not expired. I suspect the session created on one pod is not properly shared between all the members of a cluster and I'm losing the session if one of my pods is restarted or goes down.
>> >>>
>> >>> Can someone please suggest any solution for this? Any help would be greatly appreciated.
>> >>>
>> >>> regards,
>> >>> -Sagar
>> >>> _______________________________________________
>> >>> keycloak-user mailing list
>> >>> keycloak-user at lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>
>> >>
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> --Hynek
>

--
Andrew Zenk, EIT
Polar Geospatial Center
University of Minnesota
Office: (612) 625-0872
Cell: (612) 414-9617

From mposolda at redhat.com Thu Mar 9 03:05:48 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Mar 2017 09:05:48 +0100
Subject: [keycloak-user] keycloak 2.5.4 - Multi Data Center with TCP
In-Reply-To: <221042a2c9c741719a088b7c06da67c3@ECLIPSE.groupevsc.com>
References: <221042a2c9c741719a088b7c06da67c3@ECLIPSE.groupevsc.com>
Message-ID:

Hi,

this is something which we are going to properly support in Keycloak 3.X. Right now, there is already some basic support available regarding our invalidation caches. You can see some notes here [1] and also the JDG/Infinispan documentation around this subject, which contains some additional details on how to set up JDG servers etc.

As you can see in my notes, the biggest limitation is that the userSessions, offline sessions and login failures caches are not aware of cross-DC.
So if you want sessions to be shared between datacenters, you would need to set up all those "distributed" caches to be cross-DC aware too. Probably something similar to the "work" cache setup in the notes. But we haven't tested it yet. And also there will be a lot of communication between datacenters, as every login writes a few times to the "sessions" cache. This is something which we are going to optimize.

[1] https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md

Marek

On 08/03/17 16:58, Choimet Antoine wrote:
> Hello,
>
> We want to implement the Multi datacenter feature with keycloak 2.5.4.
>
> We already have two clusters with TCP stacks.
>
> We need to relay the backups between the two. I've tried to put a backup but the property 'site' is not recognized.
>
> Does anyone have a sample configuration in TCP for multi data center please?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Thu Mar 9 03:15:32 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Mar 2017 09:15:32 +0100
Subject: [keycloak-user] Is there a pre-save event
In-Reply-To: References:
Message-ID: <0bef7355-55b1-65a1-dd7a-28c08a48cdf6@redhat.com>

AFAIK we don't have any additional validation for creating a user through the admin REST API. But I can see that the "success" event in UsersResource.createUser is invoked even before the transaction commit has happened. So I think that if you do the validations in your event listener and throw a ModelException from it, it will cause the transaction to roll back and the user won't be written to the DB. Maybe there is some space for improvement in our API (e.g. infinispan has both "pre" and "post" events), however the approach above should work too.
Marek

On 08/03/17 19:13, Danny Im wrote:
> Hi,
>
> I'm implementing an Event Listener Provider, and was wondering if there is a way to add some functionality before an object is created or updated. In my case, I would like to do some extra validation on incoming fields before a user is created within keycloak.
>
> In the javadoc:
> http://www.keycloak.org/docs-api/2.5/javadocs/index.html
> under org.keycloak.events.admin.OperationType I only see four actions: ACTION, CREATE, DELETE, and UPDATE
>
> Thanks!

From mposolda at redhat.com Thu Mar 9 03:23:03 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Mar 2017 09:23:03 +0100
Subject: [keycloak-user] JAAS plugin and roles
In-Reply-To: References: Message-ID:

I recently did an example of the remote EJB client. You're right, there are special groups on Wildfly which the JAAS Subject needs to be a member of. See the example here [1]. Especially take a look at the security-domain configuration and the "ConvertKeycloakRolesLoginModule", which needs to be put into the chain after DirectAccessGrantsLoginModule.

Btw. if you are using web (HttpServletRequest etc), you should maybe rather use our OIDC/SAML adapters? But maybe I am missing something in your setup...

[1] https://github.com/mposolda/keycloak-remote-ejb

Marek

On 08/03/17 20:10, Amat, Juan (Nokia - US) wrote:
> I was trying to use this login module with an application deployed on Wildfly 10:
> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
> And it kind of worked.
> By that I mean that when you log in, you are authenticated fine but then calling HttpServletRequest.isUserInRole(xxx) did not work.
>
> The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific group.
>
> This page https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html says:
>
> "The JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal.
> The Roles group is the collection of Principals for the named roles as known in the application domain under which the Subject has been authenticated. This role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set.
> The CallerPrincipalGroup consists of the single Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipalGroup, the application identity is the same used for login."
>
> A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing work.
>
> Am I doing something wrong?
>
> Thank you.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Thu Mar 9 03:26:18 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Mar 2017 09:26:18 +0100
Subject: [keycloak-user] Unable To Use Refresh Token
In-Reply-To: References:
Message-ID: <22ca7910-3109-00eb-6c39-00ac038ac3ee@redhat.com>

Yes, that will be useful. Feel free to create a JIRA.

As a workaround, you can write a REST endpoint provider which will check the status of the caches. See our "providers/rest" example in the keycloak-examples distribution on how to write a REST endpoint.

Marek

On 09/03/17 07:20, Andrew Zenk wrote:
> Beyond looking at debug log output, is there a way to check on the health of the cache? It would be useful here. I know there's a feature request open for a health endpoint but, to my knowledge, it hasn't been worked on yet. Ideally I'd like to be able to verify that all nodes are joined to the cluster and that all data has been replicated/balanced appropriately.
>
> Anyway, if you turn up logging a bit you should see some output from one of the jgroups packages showing the current cluster members. I've been using the kube_ping module successfully for discovery on openshift.
>
> On Wed, Mar 8, 2017 at 11:41 PM, Sagar Ahire wrote:
>
>> I tried with standalone-ha.xml, still facing the same issue.
>>
>> regards,
>> -Sagar
>>
>> On Tue, Mar 7, 2017 at 7:50 PM, Hynek Mlnarik wrote:
>>
>>> Depending on your setup, you should be using either standalone-ha.xml or standalone-full-ha.xml to run in cluster.
>>>
>>> --Hynek
>>>
>>> On Tue, Mar 7, 2017 at 2:52 PM, Sagar Ahire wrote:
>>>> I'm using the standard keycloak 2.4.0 docker image, I modified the standalone.xml in docker file. I've increased owners count to 4. Following are the tags I changed in *standalone.xml*.
>>>>
>>>>
>>>> But still facing the same issue. Is standalone.xml the correct file I need to change? Or am I missing something here?
>>>>
>>>> regards,
>>>> -Sagar
>>>>
>>>> On Mon, Mar 6, 2017 at 7:31 PM, Andrew Zenk wrote:
>>>>
>>>>> Have you increased the owner count for the various caches to something greater than 1?
>>>>>
>>>>> On Mar 6, 2017 7:56 AM, "Sagar Ahire" wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I've deployed keycloak 2.4.0 in a kubernetes environment. While refreshing the access token I'm getting the following response:
>>>>>> {'error': 'invalid_grant', 'error_description': 'Client session not active'}.
>>>>>>
>>>>>> Here is what I did:
>>>>>> Step 1: First, I generated three access tokens and refresh tokens (rf1,rf2,rf3), then I used these refresh_tokens to refresh the access tokens. I got the access tokens successfully for all three requests. (Successful scenario)
>>>>>>
>>>>>> Step 2: I restarted some of the pods from the keycloak cluster, I tried to refresh the access tokens using the same refresh tokens (rf1,rf2,rf3) again, using rf1 I could refresh the access token but using rf2,rf3 I got the response mentioned above ('client session not active'). I made sure rf2 and rf3 are not expired.
>>>>>>
>>>>>> I'm unable to use the refresh token even though it is not expired. I suspect the session created on one pod is not properly shared between all the members of a cluster and I'm losing the session if one of my pods is restarted or goes down.
>>>>>>
>>>>>> Can someone please suggest any solution for this? Any help would be greatly appreciated.
>>>>>>
>>>>>> regards,
>>>>>> -Sagar
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> --Hynek
>>
>

From mposolda at redhat.com Thu Mar 9 03:46:58 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Mar 2017 09:46:58 +0100
Subject: [keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration
In-Reply-To: References:
Message-ID: <3bfbc7e6-ed2e-f0ae-5150-4e295153fbbd@redhat.com>

Hi,

The error may indicate that you configured the "pwdLastSet" attribute mapper in Keycloak to write into the LDAP, but it looks like writing this attribute is unsupported. Maybe switching this mapper to read-only will help?

Marek

On 08/03/17 15:29, Celso Agra wrote:
> Hi all,
>
> I'm trying to configure KC with LDAP, but some errors are occurring.
> First, I configured my LDAP to write in the LDAP server, but for some reasons I got this error when I try to register a user:
>
> 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa]
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:410)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:104)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:105)
>     at org.keycloak.federation.ldap.mappers.msad.MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(MSADUserAccountControlMapper.java:235)
>     at org.keycloak.federation.ldap.mappers.msad.MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(MSADUserAccountControlMapper.java:220)
>     at org.keycloak.models.utils.UserModelDelegate.addRequiredAction(UserModelDelegate.java:112)
>     at org.keycloak.authentication.forms.RegistrationPassword.success(RegistrationPassword.java:101)
>     at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:234)
>     at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
>     at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
>     at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:356)
>     at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:477)
>     at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:535)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
>     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
>     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
>     at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>     at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>     at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:402)
>     ... 59 more
>
> 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://127.0.0.1:8080/teste-portal/
>
> and then, I got this result in my ldap:
>
> dn: uid=11111111111,dc=zz,dc=dd,dc=aa
> givenName:: IA==
> uid: 11111111111
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: person
> objectClass: organizationalPerson
> objectClass: phpgwAccount
> objectClass: shadowAccount
> sn:: IA==
> cn:: IA==
> structuralObjectClass: inetOrgPerson
> entryUUID: 07f0e7caxxxxxxxxxxx
> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
> createTimestamp: 20170308140529Z
> entryCSN: 20170308140529.527857Z#000000#000#000000
> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
> modifyTimestamp: 20170308140529Z
>
> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and givenName as 'IA=='. It looks like some problem occurs in my configuration.
>
> please, need help!!
>
> Best Regards,

From moon3854 at gmail.com Thu Mar 9 04:39:43 2017
From: moon3854 at gmail.com (Dmitry Korchemkin)
Date: Thu, 9 Mar 2017 12:39:43 +0300
Subject: [keycloak-user] Logout in broker mode doesn't propagate session's termination
Message-ID:

I'm killing sessions using keycloak's admin console GUI, namely the Session tab, where I can either kill a session or send a Revocation message.

I've tried setting up Single Log Out URLs the way the examples suggest, i.e. for SAML it is set to "http://localhost:8080/auth/realms/saml-broker-realm/protocol/saml", as specified in the xml descriptor. Same with backchannel logout, switching it on or off seems to do nothing in this case.

2017-03-07 21:51 GMT+03:00 :
>
> Date: Tue, 7 Mar 2017 08:57:04 -0500
> From: Bill Burke
> Subject: Re: [keycloak-user] Logout in broker mode doesn't propagate session's termination
> To: keycloak-user at lists.jboss.org
> Message-ID:
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> How exactly are you killing sessions? Through the admin console? Can you specify exactly what operations you are performing.
>
> For SAML and OIDC there is a logout URL you have to specify. There's also a "Backchannel Logout" supported switch that has to be true.
>
>
> On 3/7/17 6:33 AM, Dmitry Korchemkin wrote:
> > I was testing single logout in broker mode and came across this logical, but not exactly desirable behaviour, where the session states on the broker and on the external IdP are not linked between the IdPs.
> >
> > My setup is the broker saml example provided with keycloak, but instead of an actual application I log in to the broker using the "/account" url. Should be all the same, since it's just another web-app, protected by this realm.
> >
> > The behaviour is as follows:
> > If I kill a session on the external keycloak IdP, the user is not logged out. I assume since the local session is alive and well the token is not being revoked.
> >
> > If I kill a session on the broker keycloak, upon hitting F5 the user is redirected to the broker login page, but when I press the external IdP login button, he's logged right back in with no credentials asked. I guess since the session between the 2 IdPs is still up, the broker thinks this user is already authenticated.
> >
> > I tested both oidc and saml, tried different backchannel/frontchannel toggles in the UI of both broker and external IdP, but this had no visible effect.
> >
> > Can you please clarify if the behaviour observed is expected and normal, or did I miss some configuration steps?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Joerg.Zaunegger at kvbawue.de Thu Mar 9 04:46:46 2017
From: Joerg.Zaunegger at kvbawue.de (Zaunegger, Jörg)
Date: Thu, 9 Mar 2017 09:46:46 +0000
Subject: [keycloak-user] ClassCastException in SimpleHttpFacade - WebAuthenticationDetails cannot be cast to SecurityContext
Message-ID: <8661B716A6678E46A20FB7FCFF2504A10122048EA8@VMSST108.kvbw.local>

Hi,

we want to use keycloak in our spring-boot-application. So as a keycloak adapter we are using the keycloak-spring-security-adapter. For using authorization in keycloak-spring-security-adapter we found the following jira enhancement https://issues.jboss.org/browse/KEYCLOAK-3474.
So we configured our WebSecurityConfigurationAdapter#configure() like this for using KeycloakAuthenticationProcessingFilter:

    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
        .and()
        .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
        .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class)
        .addFilterAfter(keycloakAuthenticatedActionsFilter(), KeycloakAuthenticationProcessingFilter.class)
        ...

The problem is, we are now getting a ClassCastException in SimpleHttpFacade. Stack trace:

    Caused by: java.lang.ClassCastException: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount cannot be cast to org.keycloak.KeycloakSecurityContext
        at org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade.getSecurityContext(SimpleHttpFacade.java:60) ~[keycloak-spring-security-adapter-2.5.4.Final.jar:2.5.4.Final]
        at org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:70) ~[keycloak-adapter-core-2.5.4.Final.jar:2.5.4.Final]
        at org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:79) ~[keycloak-adapter-core-2.5.4.Final.jar:2.5.4.Final]
        at org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142) ~[keycloak-adapter-core-2.5.4.Final.jar:2.5.4.Final]
        ... 56 common frames omitted

We could fix this with the following changes:

1) Override SimpleHttpFacade#getSecurityContext() and change it as follows:

    @Override
    public KeycloakSecurityContext getSecurityContext() {
        // getAuthentication(...) is the poster's own helper that returns the
        // details object of the current Spring Security Authentication.
        Object details = getAuthentication(SecurityContextHolder.getContext());
        if (details != null) {
            if (details instanceof KeycloakSecurityContext) {
                // Older adapter behaviour: the details object is the context itself.
                return (KeycloakSecurityContext) details;
            } else if (details instanceof OidcKeycloakAccount) {
                // KeycloakAuthenticationProcessingFilter stores a SimpleKeycloakAccount
                // (an OidcKeycloakAccount) in the details, so unwrap the context from it.
                return ((OidcKeycloakAccount) details).getKeycloakSecurityContext();
            }
        }
        return null;
    }

2) Using our own KeycloakAuthenticatedActionsFilter, which is a copy of the original KeycloakAuthenticatedActionsFilter, except we are then using our own SimpleHttpFacade.

So is there a bug in SimpleHttpFacade or is the problem caused by a misconfiguration of ourselves?

Regards
Jörg Zaunegger

From sven.thoms at gmail.com Thu Mar 9 05:17:26 2017
From: sven.thoms at gmail.com (Sven Thoms)
Date: Thu, 9 Mar 2017 11:17:26 +0100
Subject: [keycloak-user] REST API client allowRemoteResourceManagement
In-Reply-To: References: Message-ID:

Both on the POST and PUT for client, with authorizationServicesEnabled set to true, I cannot set

allowRemoteResourceManagement

to true. It is as if the Admin REST interface just ignores that setting.

Can anyone confirm and possibly explain, please?

From dev.ebondu at gmail.com Thu Mar 9 06:22:21 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Thu, 9 Mar 2017 04:22:21 -0700 (MST)
Subject: [keycloak-user] ClassCastException in SimpleHttpFacade - WebAuthenticationDetails cannot be cast to SecurityContext
In-Reply-To: <8661B716A6678E46A20FB7FCFF2504A10122048EA8@VMSST108.kvbw.local>
References: <8661B716A6678E46A20FB7FCFF2504A10122048EA8@VMSST108.kvbw.local>
Message-ID: <1489058541044-3079.post@n6.nabble.com>

Hi,

I think it is related to the bug KEYCLOAK-3471.

Regarding your conf, I use almost the same one (in xml) but without the BasicAuthenticationFilter in the security chain.
-- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-ClassCastException-in-SimpleHttpFacade-WebAuthenticationDetails-cannot-be-cast-to-Secut-tp3077p3079.html Sent from the keycloak-user mailing list archive at Nabble.com. From psilva at redhat.com Thu Mar 9 06:49:31 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 9 Mar 2017 08:49:31 -0300 Subject: [keycloak-user] REST API client allowRemoteResourceManagement In-Reply-To: References: Message-ID: What are you using to call the API ? On Thu, Mar 9, 2017 at 7:17 AM, Sven Thoms wrote: > Both on the POST and PUT for client, with authorizationservicesenabled Set > to true, I cannot set > > allowRemoteResourceManagement > > to true. It is as if the Admin REST interface just ignores that setting. > > Can anyone confirm and possibly explain, please? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Ori.Doolman at amdocs.com Thu Mar 9 06:54:03 2017 From: Ori.Doolman at amdocs.com (Ori Doolman) Date: Thu, 9 Mar 2017 11:54:03 +0000 Subject: [keycloak-user] Submitted Feature: More Secure PassowrdHashProviders In-Reply-To: References: Message-ID: >From this discussion I understand that for all realm users, current password hashing algorithm is using SHA1 before the hashed password is saved to the DB. Can you please point me to the place in the code where this hashing occurs ? Thanks. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bruno Oliveira Sent: ????? 06 ??? 2017 14:08 To: stian at redhat.com; Adam Kaplan Cc: keycloak-user Subject: Re: [keycloak-user] Submitted Feature: More Secure PassowrdHashProviders On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen wrote: > 4 new providers is surely a bit overkill? Isn't 256 and 512 more than > sufficient? 
> +1 > > On 2 March 2017 at 15:28, Adam Kaplan wrote: > > This is now in the jboss JIRA: > https://issues.jboss.org/browse/KEYCLOAK-4523 > > I intend to work on it over the next week or two and submit a PR. > > On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira > wrote: > > > Hi Adam and John, I understand your concern. Although, collisions > > are not practical for key derivation functions. There's a long > > discussion about this subject here[1]. > > > > Anyways, you can file a Jira as a feature request. If you feel like > > you would like to attach a PR, better. > > > > [1] - http://comments.gmane.org/gmane.comp.security.phc/973 > > > > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament > > > > wrote: > > > >> I deal with similarly concerned customer bases. I would be happy > >> to see some of these algorithms added. +1 > >> > >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan wrote: > >> > >> > My company has a client whose security prerequisites require us > >> > to > store > >> > passwords using SHA-2 or better for the hash (SHA-512 ideal). > >> > We're > >> looking > >> > to migrate our user management functions to Keycloak, and I > >> > noticed > that > >> > hashing with SHA-1 is only provider out of the box. > >> > > >> > I propose adding the following providers (and will be happy to > >> > contribute!), using the hash functions available in the Java 8 > >> > runtime > >> > environment: > >> > > >> > 1. PBKDF2WithHmacSHA224 > >> > 2. PBKDF2WithHmacSHA256 > >> > 3. PBKDF2WithHmacSHA384 > >> > 4. PBKDF2WithHmacSHA512 > >> > > >> > I also propose marking the current Pbkdf2PasswordHashProvider as > >> > deprecated, now that a real SHA-1 hash collision has been > >> > published by Google Security. 
> >> > > >> > -- > >> > *Adam Kaplan* > >> > Senior Engineer > >> > findyr > >> > m 914.924.5186 | e akaplan at findyr.com > >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036 > >> > _______________________________________________ > >> > keycloak-user mailing list > >> > keycloak-user at lists.jboss.org > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > > -- > > > *Adam Kaplan* > Senior Engineer > findyr > > m 914.924.5186 | e akaplan at findyr.com > > > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp

From sven.thoms at gmail.com Thu Mar 9 06:55:29 2017
From: sven.thoms at gmail.com (Sven Thoms) Date: Thu, 9 Mar 2017 12:55:29 +0100 Subject: [keycloak-user] REST API client allowRemoteResourceManagement In-Reply-To: References: Message-ID:

    curl -X POST \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "client_id=admin-cli&username=admin&password=xxx&grant_type=password" \
      https://keycloak.fin.uniquedomain/auth/realms/master/protocol/openid-connect/token | jq

I am using the access_token as bearer token in the ADMIN REST interface:

    curl -v -X POST \
      -H "Content-Type:application/json" \
      -H 'Authorization: bearer xxxxx' \
      -d '{
        "clientId": "test_client",
        "name": "test_client",
        "rootUrl": "",
        "adminUrl": "",
        "surrogateAuthRequired": false,
        "enabled": true,
        "clientAuthenticatorType": "client-secret",
        "redirectUris": [ "/*" ],
        "webOrigins": [ "/*" ],
        "notBefore": 0,
        "bearerOnly": false,
        "consentRequired": false,
        "standardFlowEnabled": true,
        "implicitFlowEnabled": false,
        "directAccessGrantsEnabled": true,
        "serviceAccountsEnabled": true,
        "authorizationServicesEnabled": true,
        "publicClient": false,
        "frontchannelLogout": false,
        "protocol": "openid-connect",
        "fullScopeAllowed": true,
        "authorizationSettings": {
          "allowRemoteResourceManagement": true,
          "policyEnforcementMode": "ENFORCING",
          "resources": [
            {
              "name": "Default Resource",
              "uri": "/*",
              "type": "urn:test_client:resources:default",
              "typedScopes": []
            }
          ],
          "policies": [
            {
              "name": "Default Policy",
              "description": "A policy that grants access only for users within this realm",
              "type": "js",
              "logic": "POSITIVE",
              "decisionStrategy": "AFFIRMATIVE",
              "config": {
                "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
              }
            },
            {
              "name": "Default Permission",
              "description": "A permission that applies to the default resource type",
              "type": "resource",
              "logic": "POSITIVE",
              "decisionStrategy": "UNANIMOUS",
              "config": {
                "defaultResourceType": "urn:test_client:resources:default",
                "default": "true",
                "applyPolicies": "[\"Default Policy\"]"
              }
            }
          ],
          "scopes": []
        }
      }' \
      https://keycloak.fin.uniquedomain/auth/admin/realms/myrealm/clients

The client is added correctly, and it is now a resource with the authZ resources and permissions, but under Authorization - Settings, Remote Resource Management is still off.

On 09.03.2017 12:49 PM, "Pedro Igor Silva" wrote: > What are you using to call the API ? > > On Thu, Mar 9, 2017 at 7:17 AM, Sven Thoms wrote: > >> Both on the POST and PUT for client, with authorizationServicesEnabled set >> to true, I cannot set >> >> allowRemoteResourceManagement >> >> to true.
It is as if the Admin REST interface just ignores that setting. >> >> Can anyone confirm and possibly explain, please? >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >

From upesh.m at edgeverve.com Thu Mar 9 06:58:29 2017
From: upesh.m at edgeverve.com (upesh.m) Date: Thu, 9 Mar 2017 04:58:29 -0700 (MST) Subject: [keycloak-user] Realm PasswordPolicy PasswordHashProvider xxxx not found Message-ID: <1489060709865-3083.post@n6.nabble.com>

Hi, I created a custom PasswordHashProvider which implements PasswordHashProviderFactory, PasswordHashProvider. I have given an id to the algorithm also; the getId() method returns a value 'xxxx'. I created an *org.keycloak.hash.PasswordHashProviderFactory* file and added the packagename+(name of my provider) to the file. Then the complete jar file was dropped into the deployments folder, and it got deployed successfully. Then I went to the password policy subtab under Authentication and changed the algorithm name to 'xxxx'. But still it's not working. In the log it says Realm PasswordPolicy PasswordHashProvider xxxx not found. Is there any place where I need to configure this provider inside keycloak?

Thanks, Upesh M.

-- View this message in context: http://keycloak-user.88327.x6.nabble.com/Realm-PasswordPolicy-PasswordHashProvider-xxxx-not-found-tp3083.html

From psilva at redhat.com Thu Mar 9 07:13:45 2017
From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 9 Mar 2017 09:13:45 -0300 Subject: [keycloak-user] REST API client allowRemoteResourceManagement In-Reply-To: References: Message-ID:

Now I see. The "authorizationSettings" is not used at all when creating/updating a client. The reason for that is that we tried to decouple authz functionality from the rest as much as we could when we introduced it.
To change authz settings you need a call to https://keycloak.fin.uniquedomain/auth/auth/admin/realms/servlet-authz/clients/{client_id}/authz/resource-server (maybe you can check how admin console is doing this). You can also use the Keycloak Admin Client Java API to import settings for a client. On Thu, Mar 9, 2017 at 8:55 AM, Sven Thoms wrote: > curl -X POST \ > -H "Content-Type: application/x-www-form-urlencoded" \ > -d "client_id=admin-cli&username=admin&password=xxx&grant_type=password" > \ > https://keycloak.fin.uniquedomain/auth/realms/master/protocol/openid- > connect/token | jq > > I am using the access_token as bearer token in the ADMIN REST interface: > > curl -v -X POST \ > -H "Content-Type:application/json" \ > -H 'Authorization: bearer xxxxx' \ > -d '{ > "clientId": "test_client", > "name": "test_client", > "rootUrl": "", > "adminUrl": "", > "surrogateAuthRequired": false, > "enabled": true, > "clientAuthenticatorType": "client-secret", > "redirectUris": [ > "/*" > ], > "webOrigins": [ > "/*" > ], > "notBefore": 0, > "bearerOnly": false, > "consentRequired": false, > "standardFlowEnabled": true, > "implicitFlowEnabled": false, > "directAccessGrantsEnabled": true, > "serviceAccountsEnabled": true, > "authorizationServicesEnabled": true, > "publicClient": false, > "frontchannelLogout": false, > "protocol": "openid-connect", > "fullScopeAllowed": true, > "authorizationSettings": > { > "allowRemoteResourceManagement": true, > "policyEnforcementMode": "ENFORCING", > "resources": [ > { > "name": "Default Resource", > "uri": "/*", > "type": "urn:test_client:resources:default", > "typedScopes": [] > } > ], > "policies": [ > { > "name": "Default Policy", > "description": "A policy that grants access only for users within > this realm", > "type": "js", > "logic": "POSITIVE", > "decisionStrategy": "AFFIRMATIVE", > "config": { > "code": "// by default, grants any permission associated with > this policy\n$evaluation.grant();\n" > } > }, > { > "name": "Default 
Permission", > "description": "A permission that applies to the default resource > type", > "type": "resource", > "logic": "POSITIVE", > "decisionStrategy": "UNANIMOUS", > "config": { > "defaultResourceType": "urn:test_client:resources:default", > "default": "true", > "applyPolicies": "[\"Default Policy\"]" > } > } > ], > "scopes": [] > } > }' \ > https://keycloak.fin.uniquedomain/auth/admin/realms/myrealm/clients > > The client is added correctly, and it is now a resource with the authZ > resources and permissions, but under Authorization - Settings, Remote > Resource Management is still off. > > > On 09.03.2017 12:49 PM, "Pedro Igor Silva" wrote: > > > What are you using to call the API ? > > > > On Thu, Mar 9, 2017 at 7:17 AM, Sven Thoms wrote: > > > >> Both on the POST and PUT for client, with authorizationservicesenabled > Set > >> to true, I cannot set > >> > >> allowRemoteResourceManagement > >> > >> to true. It is as if the Admin REST interface just ignores that > setting. > >> > >> Can anyone confirm and possibly explain, please? > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From sven.thoms at gmail.com Thu Mar 9 07:20:46 2017
From: sven.thoms at gmail.com (Sven Thoms) Date: Thu, 9 Mar 2017 13:20:46 +0100 Subject: [keycloak-user] REST API client allowRemoteResourceManagement In-Reply-To: References: Message-ID:

Hello Pedro, I see and get the general idea. I will try setting it via the endpoint you mentioned. Should be ok. If not, I will get back to you here. Thanks, Sven

On 09.03.2017 1:13 PM, "Pedro Igor Silva" wrote: > Now I see. The "authorizationSettings" is not used at all when > creating/updating a client.
Reason for that we tried to decouple authz > functionality from the rest as much as we can when we introduce it. > > To change authz settings you need a call to https://keycloak.fin. > uniquedomain/auth/auth/admin/realms/servlet-authz/clients/{ > client_id}/authz/resource-server (maybe you can check how admin console > is doing this). > > You can also use the Keycloak Admin Client Java API to import settings for > a client. > > On Thu, Mar 9, 2017 at 8:55 AM, Sven Thoms wrote: > >> curl -X POST \ >> -H "Content-Type: application/x-www-form-urlencoded" \ >> -d "client_id=admin-cli&username=admin&password=xxx&grant_type=password" >> \ >> https://keycloak.fin.uniquedomain/auth/realms/master/protocol/openid- >> connect/token >> >> | jq >> >> I am using the access_token as bearer token in the ADMIN REST interface: >> >> curl -v -X POST \ >> -H "Content-Type:application/json" \ >> -H 'Authorization: bearer xxxxx' \ >> -d '{ >> "clientId": "test_client", >> "name": "test_client", >> "rootUrl": "", >> "adminUrl": "", >> "surrogateAuthRequired": false, >> "enabled": true, >> "clientAuthenticatorType": "client-secret", >> "redirectUris": [ >> "/*" >> ], >> "webOrigins": [ >> "/*" >> ], >> "notBefore": 0, >> "bearerOnly": false, >> "consentRequired": false, >> "standardFlowEnabled": true, >> "implicitFlowEnabled": false, >> "directAccessGrantsEnabled": true, >> "serviceAccountsEnabled": true, >> "authorizationServicesEnabled": true, >> "publicClient": false, >> "frontchannelLogout": false, >> "protocol": "openid-connect", >> "fullScopeAllowed": true, >> "authorizationSettings": >> { >> "allowRemoteResourceManagement": true, >> "policyEnforcementMode": "ENFORCING", >> "resources": [ >> { >> "name": "Default Resource", >> "uri": "/*", >> "type": "urn:test_client:resources:default", >> "typedScopes": [] >> } >> ], >> "policies": [ >> { >> "name": "Default Policy", >> "description": "A policy that grants access only for users >> within >> this realm", >> "type": "js", >> "logic": 
"POSITIVE", >> "decisionStrategy": "AFFIRMATIVE", >> "config": { >> "code": "// by default, grants any permission associated with >> this policy\n$evaluation.grant();\n" >> } >> }, >> { >> "name": "Default Permission", >> "description": "A permission that applies to the default >> resource >> type", >> "type": "resource", >> "logic": "POSITIVE", >> "decisionStrategy": "UNANIMOUS", >> "config": { >> "defaultResourceType": "urn:test_client:resources:default", >> "default": "true", >> "applyPolicies": "[\"Default Policy\"]" >> } >> } >> ], >> "scopes": [] >> } >> }' \ >> https://keycloak.fin.uniquedomain/auth/admin/realms/myrealm/clients >> >> The client is added correctly, and it is now a resource with the authZ >> resources and permissions, but under Authorization - Settings, Remote >> Resource Management is still off. >> >> >> Am 09.03.2017 12:49 nachm. schrieb "Pedro Igor Silva" > >: >> >> > What are you using to call the API ? >> > >> > On Thu, Mar 9, 2017 at 7:17 AM, Sven Thoms >> wrote: >> > >> >> Both on the POST and PUT for client, with authorizationservicesenabled >> Set >> >> to true, I cannot set >> >> >> >> allowRemoteResourceManagement >> >> >> >> to true. It is as if the Admin REST interface just ignores that >> setting. >> >> >> >> Can anyone confirm and possibly explain, please? 
>> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >

From celso.agra at gmail.com Thu Mar 9 07:47:55 2017
From: celso.agra at gmail.com (Celso Agra) Date: Thu, 9 Mar 2017 09:47:55 -0300 Subject: [keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration In-Reply-To: <3bfbc7e6-ed2e-f0ae-5150-4e295153fbbd@redhat.com> References: <3bfbc7e6-ed2e-f0ae-5150-4e295153fbbd@redhat.com> Message-ID:

Got it! But I haven't seen the pwdLastSet here in my LDAP mappers. I'm using the "Edit Mode" as WRITABLE, but I'm not setting this attribute. Here are my attributes: > cn > MSAD account controls > cpf > creation date > email > first name > last name > modify date > phpgwAccountStatus > username

Thanks!! Best Regards, Celso Agra

2017-03-09 5:46 GMT-03:00 Marek Posolda : > Hi, > > The error may indicate that you configured the "pwdLastSet" attribute mapper > in Keycloak to write into the LDAP, but it looks like writing this > attribute is unsupported. Maybe switching this mapper to read-only will help? > > Marek > > > On 08/03/17 15:29, Celso Agra wrote: > >> Hi all, >> >> I'm trying to configure KC with LDAP, but some errors are occurring. >> First, I configured my LDAP to write in the LDAP server, but for some >> reasons I got this error when I try to register a user: >> >> 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) >> >>> KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: >>> Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa] >>> >> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.
>> >>> modifyAttributes(LDAPOperationManager.java:410) >>> >> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan >> ager. >> >>> modifyAttributes(LDAPOperationManager.java:104) >>> >> at org.keycloak.federation.ldap.idm.store.ldap. >> >>> LDAPIdentityStore.update(LDAPIdentityStore.java:105) >>> >> at org.keycloak.federation.ldap.mappers.msad. >> >>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( >>> MSADUserAccountControlMapper.java:235) >>> >> at org.keycloak.federation.ldap.mappers.msad. >> >>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( >>> MSADUserAccountControlMapper.java:220) >>> >> at org.keycloak.models.utils.UserModelDelegate.addRequiredActio >> n( >> >>> UserModelDelegate.java:112) >>> >> at org.keycloak.authentication.forms.RegistrationPassword. >> >>> success(RegistrationPassword.java:101) >>> >> at org.keycloak.authentication.FormAuthenticationFlow.processAc >> tion( >> >>> FormAuthenticationFlow.java:234) >>> >> at org.keycloak.authentication.DefaultAuthenticationFlow. >> >>> processAction(DefaultAuthenticationFlow.java:76) >>> >> at org.keycloak.authentication.AuthenticationProcessor. >> >>> authenticationAction(AuthenticationProcessor.java:759) >>> >> at org.keycloak.services.resources.LoginActionsService.processF >> low( >> >>> LoginActionsService.java:356) >>> >> at org.keycloak.services.resources.LoginActionsService. >> >>> processRegistration(LoginActionsService.java:477) >>> >> at org.keycloak.services.resources.LoginActionsService. 
>> >>> processRegister(LoginActionsService.java:535) >>> >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> >> at sun.reflect.NativeMethodAccessorImpl.invoke( >> >>> NativeMethodAccessorImpl.java:62) >>> >> at sun.reflect.DelegatingMethodAccessorImpl.invoke( >> >>> DelegatingMethodAccessorImpl.java:43) >>> >> at java.lang.reflect.Method.invoke(Method.java:498) >> >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >> >>> MethodInjectorImpl.java:139) >>> >> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( >> >>> ResourceMethodInvoker.java:295) >>> >> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( >> >>> ResourceMethodInvoker.java:249) >>> >> at org.jboss.resteasy.core.ResourceLocatorInvoker. >> >>> invokeOnTargetObject(ResourceLocatorInvoker.java:138) >>> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >> >>> ResourceLocatorInvoker.java:101) >>> >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >> >>> SynchronousDispatcher.java:395) >>> >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >> >>> SynchronousDispatcher.java:202) >>> >> at org.jboss.resteasy.plugins.server.servlet. >> >>> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >>> >> at org.jboss.resteasy.plugins.server.servlet. >> >>> HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>> >> at org.jboss.resteasy.plugins.server.servlet. >> >>> HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>> >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> >> at io.undertow.servlet.handlers.ServletHandler.handleRequest( >> >>> ServletHandler.java:85) >>> >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >> >>> doFilter(FilterHandler.java:129) >>> >> at org.keycloak.services.filters.KeycloakSessionServletFilter. 
>> >>> doFilter(KeycloakSessionServletFilter.java:90) >>> >> at io.undertow.servlet.core.ManagedFilter.doFilter( >> >>> ManagedFilter.java:60) >>> >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >> >>> doFilter(FilterHandler.java:131) >>> >> at io.undertow.servlet.handlers.FilterHandler.handleRequest( >> >>> FilterHandler.java:84) >>> >> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan >> dler. >> >>> handleRequest(ServletSecurityRoleHandler.java:62) >>> >> at io.undertow.servlet.handlers.ServletDispatchingHandler. >> >>> handleRequest(ServletDispatchingHandler.java:36) >>> >> at org.wildfly.extension.undertow.security. >> >>> SecurityContextAssociationHandler.handleRequest( >>> SecurityContextAssociationHandler.java:78) >>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> >>> PredicateHandler.java:43) >>> >> at io.undertow.servlet.handlers.security. >> >>> SSLInformationAssociationHandler.handleRequest( >>> SSLInformationAssociationHandler.java:131) >>> >> at io.undertow.servlet.handlers.security. >> >>> ServletAuthenticationCallHandler.handleRequest( >>> ServletAuthenticationCallHandler.java:57) >>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> >>> PredicateHandler.java:43) >>> >> at io.undertow.security.handlers.AbstractConfidentialityHandler >> >>> .handleRequest(AbstractConfidentialityHandler.java:46) >>> >> at io.undertow.servlet.handlers.security. >> >>> ServletConfidentialityConstraintHandler.handleRequest( >>> ServletConfidentialityConstraintHandler.java:64) >>> >> at io.undertow.security.handlers.AuthenticationMechanismsHandle >> >>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>> >> at io.undertow.servlet.handlers.security. >> >>> CachedAuthenticatedSessionHandler.handleRequest( >>> CachedAuthenticatedSessionHandler.java:77) >>> >> at io.undertow.security.handlers.NotificationReceiverHandler. 
>> >>> handleRequest(NotificationReceiverHandler.java:50) >>> >> at io.undertow.security.handlers.AbstractSecurityContextAssocia >> >>> tionHandler.handleRequest(AbstractSecurityContextAssocia >>> tionHandler.java:43) >>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> >>> PredicateHandler.java:43) >>> >> at org.wildfly.extension.undertow.security.jacc. >> >>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> >>> PredicateHandler.java:43) >>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> >>> PredicateHandler.java:43) >>> >> at io.undertow.servlet.handlers.ServletInitialHandler. >> >>> handleFirstRequest(ServletInitialHandler.java:284) >>> >> at io.undertow.servlet.handlers.ServletInitialHandler. >> >>> dispatchRequest(ServletInitialHandler.java:263) >>> >> at io.undertow.servlet.handlers.ServletInitialHandler.access$ >> >>> 000(ServletInitialHandler.java:81) >>> >> at io.undertow.servlet.handlers.ServletInitialHandler$1. >> >>> handleRequest(ServletInitialHandler.java:174) >>> >> at io.undertow.server.Connectors.executeRootHandler(Connectors. 
>> >>> java:202) >>> >> at io.undertow.server.HttpServerExchange$1.run( >> >>> HttpServerExchange.java:793) >>> >> at java.util.concurrent.ThreadPoolExecutor.runWorker( >> >>> ThreadPoolExecutor.java:1142) >>> >> at java.util.concurrent.ThreadPoolExecutor$Worker.run( >> >>> ThreadPoolExecutor.java:617) >>> >> at java.lang.Thread.run(Thread.java:745) >> >> Caused by: javax.naming.directory.InvalidAttributeIdentifierException: >> >>> [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining >>> name 'uid=11111111111,dc=zz,dc=dd,dc=aa' >>> >> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205) >> >> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java: >> 3082) >> >> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java: >> 2888) >> >> at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:14 >> 75) >> >> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttribu >> tes( >> >>> ComponentDirContext.java:277) >>> >> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. >> >>> modifyAttributes(PartialCompositeDirContext.java:192) >>> >> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. >> >>> modifyAttributes(PartialCompositeDirContext.java:181) >>> >> at javax.naming.directory.InitialDirContext.modifyAttributes( >> >>> InitialDirContext.java:167) >>> >> at javax.naming.directory.InitialDirContext.modifyAttributes( >> >>> InitialDirContext.java:167) >>> >> at org.keycloak.federation.ldap.idm.store.ldap. >> >>> LDAPOperationManager$6.execute(LDAPOperationManager.java:405) >>> >> at org.keycloak.federation.ldap.idm.store.ldap. >> >>> LDAPOperationManager$6.execute(LDAPOperationManager.java:402) >>> >> at org.keycloak.federation.ldap.idm.store.ldap. >> >>> LDAPOperationManager.execute(LDAPOperationManager.java:535) >>> >> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan >> ager. >> >>> modifyAttributes(LDAPOperationManager.java:402) >>> >> ... 
59 more >> >> 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) >> >>> type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null, >>> ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, >>> auth_method=openid-connect, auth_type=code, redirect_uri= >>> http://127.0.0.1: >>> 8080/teste-portal/ >>> >> >> and then, I got this result in my ldap: >> >> dn: uid=11111111111,dc=zz,dc=dd,dc=aa >> >> givenName:: IA== >> >> uid: 11111111111 >> >> objectClass: top >> >> objectClass: inetOrgPerson >> >> objectClass: person >> >> objectClass: organizationalPerson >> >> objectClass: phpgwAccount >> >> objectClass: shadowAccount >> >> sn:: IA== >> >> cn:: IA== >> >> structuralObjectClass: inetOrgPerson >> >> entryUUID: 07f0e7caxxxxxxxxxxx >> >> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa >> >> createTimestamp: 20170308140529Z >> >> entryCSN: 20170308140529.527857Z#000000#000#000000 >> >> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa >> >> modifyTimestamp: 20170308140529Z >> >> >> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and >> givenName as 'IA=='. It looks like some problem occurs in my >> configuration. >> >> please, need help!! >> >> >> Best Regards, >> >> > -- --- *Celso Agra*

From sthorger at redhat.com Thu Mar 9 08:24:53 2017
From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 9 Mar 2017 14:24:53 +0100 Subject: [keycloak-user] Submitted Feature: More Secure PasswordHashProviders In-Reply-To: References: Message-ID:

Search for usage of the class PasswordHashProvider

On 9 March 2017 at 12:54, Ori Doolman wrote: > From this discussion I understand that for all realm users, current > password hashing algorithm is using SHA1 before the hashed password is > saved to the DB. > > Can you please point me to the place in the code where this hashing occurs > ? > > Thanks.
> > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@ > lists.jboss.org] On Behalf Of Bruno Oliveira > Sent: Monday 06 March 2017 14:08 > To: stian at redhat.com; Adam Kaplan > Cc: keycloak-user > Subject: Re: [keycloak-user] Submitted Feature: More Secure > PasswordHashProviders > > On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen > wrote: > > > 4 new providers is surely a bit overkill? Isn't 256 and 512 more than > > sufficient? > > > > +1 > > > > > > On 2 March 2017 at 15:28, Adam Kaplan wrote: > > > > This is now in the jboss JIRA: > > https://issues.jboss.org/browse/KEYCLOAK-4523 > > > > I intend to work on it over the next week or two and submit a PR. > > > > On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira > > wrote: > > > > > Hi Adam and John, I understand your concern. Although, collisions > > > are not practical for key derivation functions. There's a long > > > discussion about this subject here[1]. > > > > > > Anyways, you can file a Jira as a feature request. If you feel like > > > you would like to attach a PR, better. > > > > > > [1] - http://comments.gmane.org/gmane.comp.security.phc/973 > > > > > > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament > > > > > > wrote: > > > > > >> I deal with similarly concerned customer bases. I would be happy > > >> to see some of these algorithms added. +1 > > >> > > >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan > wrote: > > >> > > >> > My company has a client whose security prerequisites require us > > >> > to > > store > > >> > passwords using SHA-2 or better for the hash (SHA-512 ideal). > > >> > We're > > >> looking > > >> > to migrate our user management functions to Keycloak, and I > > >> > noticed > > that > > >> > hashing with SHA-1 is the only provider out of the box.
> > >> > > > >> > I propose adding the following providers (and will be happy to > > >> > contribute!), using the hash functions available in the Java 8 > > >> > runtime > > >> > environment: > > >> > > > >> > 1. PBKDF2WithHmacSHA224 > > >> > 2. PBKDF2WithHmacSHA256 > > >> > 3. PBKDF2WithHmacSHA384 > > >> > 4. PBKDF2WithHmacSHA512 > > >> > > > >> > I also propose marking the current Pbkdf2PasswordHashProvider as > > >> > deprecated, now that a real SHA-1 hash collision has been > > >> > published by Google Security. > > >> > > > >> > -- > > >> > *Adam Kaplan* > > >> > Senior Engineer > > >> > findyr > > >> > m 914.924.5186 | e akaplan at findyr.com > > >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036 > > >> > _______________________________________________ > > >> > keycloak-user mailing list > > >> > keycloak-user at lists.jboss.org > > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > > > > > > > > > > -- > > > > > > *Adam Kaplan* > > Senior Engineer > > findyr > > > > m 914.924.5186 | e akaplan at findyr.com > > > > > > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036 > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From 
bburke at redhat.com Thu Mar 9 08:59:52 2017 From: bburke at redhat.com (Bill Burke) Date: Thu, 9 Mar 2017 08:59:52 -0500 Subject: [keycloak-user] Logout in broker mode doesn't propagate session's termination In-Reply-To: References: Message-ID: <4cc68715-4f94-a09b-d77e-550abac36dae@redhat.com> Looking at the code, LogoutAll seems to expect that all connections are OIDC. Logging out a single session does seem to use the appropriate protocol. I'll dive into our tests to see what coverage we're missing here. On 3/9/17 4:39 AM, Dmitry Korchemkin wrote: > I'm killing sessions using keycloak's admin console GUI, namely Session > tab, where i can either kill a session or send a Revocation message. > > I've tried setting up Single Log Out URL's the way examples suggest, i.e. > for SAML it is set to " > http://localhost:8080/auth/realms/saml-broker-realm/protocol/saml", as > specified in xml descriptor. Same with backchannel logout, switching it on > or off seems to do nothing in this case. > > 2017-03-07 21:51 GMT+03:00 : > >> Date: Tue, 7 Mar 2017 08:57:04 -0500 >> From: Bill Burke >> Subject: Re: [keycloak-user] Logout in broker mode doesn't propagate >> session's termination >> To: keycloak-user at lists.jboss.org >> Message-ID: >> Content-Type: text/plain; charset=windows-1252; format=flowed >> >> How exactly are you killing sessions? Through the admin console? Can >> you specify exactly what operations you are performing. >> >> For SAML and OIDC there is a logout URL you have to specify. There's >> also a "Backchannel Logout" supported switch that has to be true. >> >> >> On 3/7/17 6:33 AM, Dmitry Korchemkin wrote: >>> I was testing single logout in broker mode and came around this logical, >>> but not exactly desirable behaviour, when session on the broker and >> session >>> on the external idp states are not linked between the idp's. 
>>> >>> My setup is broker saml example provided with keycloak, but instead of an >>> actual application i log in to the broker using "/account" url. Should be >>> all the same, since it's just another web-app, protected by this realm. >>> >>> The behaviour is as follows: >>> If i kill a session on the external keycloak idp, the user is not logged >>> out. I assume since local session is alive and well the token is not >> being >>> revoked. >>> >>> If i kill a session on the broker keycloak, upon hitting f5 user is >>> redirected to the broker login page, but when i press external idp login >>> button, he's logged right back with no credentials asked. I guess since >> the >>> session between 2 idp's is still up, broker thinks this user is already >>> authenticated. >>> >>> I tested both oidc and saml, tried different backchannel/frontchannel >>> toggles in the UI of both broker and external IDP, but this had no >> visible >>> effect. >>> >>> Can you please clarify if the behaviour observed is expected and normal, >> or >>> did i miss some configuration steps? >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Joerg.Zaunegger at kvbawue.de Thu Mar 9 09:20:20 2017 From: Joerg.Zaunegger at kvbawue.de (=?Windows-1252?Q?Zaunegger=2C_J=F6rg?=) Date: Thu, 9 Mar 2017 14:20:20 +0000 Subject: [keycloak-user] ClassCastException in SimpleHttpFacade - WebAuthenticationDetails cannot be cast to SecurityContext Message-ID: <8661B716A6678E46A20FB7FCFF2504A101220490F8@VMSST108.kvbw.local> Hi ebondu, I applied the patch of KEYCLOAK-3471 in my code. Now it's working. Thanks for the hint. 
Regards Jörg -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of ebondu Sent: Thursday, 9 March 2017 12:22 To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] ClassCastException in SimpleHttpFacade - WebAuthenticationDetails cannot be cast to SecurityContext Hi, I think it is related to the bug KEYCLOAK-3471 . Regarding your conf, I use almost the same one (in xml) but without the BasicAuthenticationFilter in the security chain. -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-ClassCastException-in-SimpleHttpFacade-WebAuthenticationDetails-cannot-be-cast-to-Secut-tp3077p3079.html Sent from the keycloak-user mailing list archive at Nabble.com. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From juan.amat at nokia.com Thu Mar 9 09:33:01 2017 From: juan.amat at nokia.com (Amat, Juan (Nokia - US)) Date: Thu, 9 Mar 2017 14:33:01 +0000 Subject: [keycloak-user] JAAS plugin and roles In-Reply-To: References: Message-ID: Thank you for the pointer. I would have expected that this would be supported out of the box. Another comment. In the logout method of AbstractKeycloakLoginModule.java, we remove the RolePrincipal.class principals from the subject's principals. We can, though, configure the class used for the 'role' principal. Should this class be used instead? Juan. > -----Original Message----- > From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: Thursday, March 09, 2017 12:23 AM > To: Amat, Juan (Nokia - US) ; keycloak- > user at lists.jboss.org > Subject: Re: [keycloak-user] JAAS plugin and roles > > I recently did some example of the remote EJB client. You're right, there are > special groups on Wildfly, which the JAAS Subject needs to be a member of. > > See the example here [1] . 
Especially take a look at the security-domain > configuration and the "ConvertKEycloakRolesLoginModule", which needs to be > put in the chain after DirectAccessGrantsLoginModule. > > Btw. if you are using web (HttpServletRequest etc), you should maybe rather use > our OIDC/SAML adapters? But maybe I am missing something in your setup... > > [1] https://github.com/mposolda/keycloak-remote-ejb > > Marek > > On 08/03/17 20:10, Amat, Juan (Nokia - US) wrote: > > I was trying to use this login module with an application deployed on Wildfly > 10: > > org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule > > And it kind of worked. > > By that I mean that when you log in, you are authenticated fine but > > then calling > > HttpServletRequest.isUserInRole(xxx) did not work. > > > > The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific > group. > > > > This page > https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modu > les.html says: > > > > "The JBossSX framework uses two well-known role sets with the names Roles > and CallerPrincipal. > > The Roles group is the collection of Principals for the named roles as known in > the application domain under which the Subject has been authenticated. This > role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs > can use to see if the current caller belongs to the named application domain > role. The security interceptor logic that performs method permission checks also > uses this role set. > > The CallerPrincipalGroup consists of the single Principal identity assigned to > the user in the application domain. The EJBContext.getCallerPrincipal() method > uses the CallerPrincipal to allow the application domain to map from the > operation environment identity to a user identity suitable for the application. If a > Subject does not have a CallerPrincipalGroup, the application identity is the > same used for login." 
> > > > A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing > work. > > > > Am I doing something wrong? > > > > Thank you. > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Koloman.KLIMPFINGER at frequentis.com Thu Mar 9 09:58:24 2017 From: Koloman.KLIMPFINGER at frequentis.com (KLIMPFINGER Koloman) Date: Thu, 9 Mar 2017 14:58:24 +0000 Subject: [keycloak-user] Keycloak is granting broader authorization entitlements to scopes on resources than specified Message-ID: Hi keycloak users!

I've a question about using scope and resource permissions to protect my resources. To me it seems that keycloak is granting broader authorization entitlements than I specified with the policies & permissions - a security issue from my point of view.

For example keycloak - according to the entitlement token of a user - grants access to a resource and ALL its scopes, even if I only specified a permission to access only ONE scope on that resource for that user (with a policy). Is it wrong to assume that the user should only have access to the one scope?

Another issue is that keycloak grants access to a resource and ALL its scopes, even if I only specified a permission to access only that resource for that user (with a policy) without a scope. Is the assumption wrong that the user should only know about the resource but not the scopes?

Or is my understanding of how to handle the authorization entitlements for resources and their scopes with keycloak wrong? What would be the best practice to secure the resources and their scopes?

Here I describe the scenario & point to a live example:

_ The scenario _

Created Entities:
  User: Marta
  Policy: Policy-IsUser-Marta
  Scopes: read, write, execute
  Resource: resource-a (with all three scopes)
  Resource: resource-c (with all three scopes)
  Resource-Permission: resource-c -> Policy-IsUser-Marta
  Scope-Permission: resource-a + scope read -> Policy-IsUser-Marta

Retrieve entitlements:
Get your (Marta's) entitlements token and check the granted permissions - they are:
  - resource-a -> read + write + execute
  - resource-c -> read + write + execute

What I would expect:
  - resource-a -> read
  - resource-c -> (no scopes)

_ Sample Project _
I created a sample to see it live in action: https://github.com/kklimpfi/keycloak-scenarios

It contains a keycloak-migration.json with some sample data (in the master realm) + a java application that retrieves the Permissions. You can clone it and try it (configure the setup script for importing and pass the system property for the java application to its configuration). 
(Using Keycloak-2.5.4.Final standalone on Windows 7, should also work on Linux) kind regards, Koloman From celso.agra at gmail.com Thu Mar 9 10:03:19 2017 From: celso.agra at gmail.com (Celso Agra) Date: Thu, 9 Mar 2017 12:03:19 -0300 Subject: [keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration In-Reply-To: References: <3bfbc7e6-ed2e-f0ae-5150-4e295153fbbd@redhat.com> Message-ID: Hi, I solved this error, just removing the MSAD account controls, but now I'm getting a new error, when I finished my registration: here is the log: 2017-03-09 11:58:00,375 ERROR [io.undertow.request] (default task-1) > UT005023: Exception handling request to /auth/realms/myrealm/login-actions/required-action: > org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > 
at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > 
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: java.lang.NullPointerException > at org.keycloak.events.EventBuilder.user(EventBuilder.java:103) > at > org.keycloak.services.resources.LoginActionsService.initEvent(LoginActionsService.java:815) > at > org.keycloak.services.resources.LoginActionsService.access$500(LoginActionsService.java:88) > at > org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:297) > at > org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853) > at > org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at 
java.lang.reflect.Method.invoke(Method.java:498) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > ... 37 more 2017-03-09 9:47 GMT-03:00 Celso Agra : > Got it! > > But I haven't seen the pwdLastSet here in my LDAP`mappers. I'm using the > "Edit Mode" as WRITABLE, but I'm not setting this attribute. > Here is my attributes: > >> cn >> MSAD account controls >> cpf >> creation date >> email >> first name >> last name >> modify date >> phpgwAccountStatus >> username > > > Thanks!! > > Best Regards, > > Celso Agra > > 2017-03-09 5:46 GMT-03:00 Marek Posolda : > >> Hi, >> >> The error may indicate that you configured "pwdLastSet" attribute mapper >> in Keycloak to write into the LDAP, but it looks that writing this >> attribute is unsupported. Maybe switch this mapper to read-only will help? >> >> Marek >> >> >> On 08/03/17 15:29, Celso Agra wrote: >> >>> Hi all, >>> >>> I'm trying to configure KC with LDAP, but some errors are occurring. >>> First, I configured my LDAP to write in the LDAP server, but for some >>> reasons I got this error when I try to register an user: >>> >>> 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) >>> >>>> KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelExcep >>>> tion: >>>> Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa] >>>> >>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan >>> ager. 
>>> >>>> modifyAttributes(LDAPOperationManager.java:410) >>>> >>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan >>> ager. >>> >>>> modifyAttributes(LDAPOperationManager.java:104) >>>> >>> at org.keycloak.federation.ldap.idm.store.ldap. >>> >>>> LDAPIdentityStore.update(LDAPIdentityStore.java:105) >>>> >>> at org.keycloak.federation.ldap.mappers.msad. >>> >>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( >>>> MSADUserAccountControlMapper.java:235) >>>> >>> at org.keycloak.federation.ldap.mappers.msad. >>> >>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( >>>> MSADUserAccountControlMapper.java:220) >>>> >>> at org.keycloak.models.utils.UserModelDelegate.addRequiredActio >>> n( >>> >>>> UserModelDelegate.java:112) >>>> >>> at org.keycloak.authentication.forms.RegistrationPassword. >>> >>>> success(RegistrationPassword.java:101) >>>> >>> at org.keycloak.authentication.FormAuthenticationFlow.processAc >>> tion( >>> >>>> FormAuthenticationFlow.java:234) >>>> >>> at org.keycloak.authentication.DefaultAuthenticationFlow. >>> >>>> processAction(DefaultAuthenticationFlow.java:76) >>>> >>> at org.keycloak.authentication.AuthenticationProcessor. >>> >>>> authenticationAction(AuthenticationProcessor.java:759) >>>> >>> at org.keycloak.services.resources.LoginActionsService.processF >>> low( >>> >>>> LoginActionsService.java:356) >>>> >>> at org.keycloak.services.resources.LoginActionsService. >>> >>>> processRegistration(LoginActionsService.java:477) >>>> >>> at org.keycloak.services.resources.LoginActionsService. 
>>> >>>> processRegister(LoginActionsService.java:535) >>>> >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> >>> at sun.reflect.NativeMethodAccessorImpl.invoke( >>> >>>> NativeMethodAccessorImpl.java:62) >>>> >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke( >>> >>>> DelegatingMethodAccessorImpl.java:43) >>>> >>> at java.lang.reflect.Method.invoke(Method.java:498) >>> >>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >>> >>>> MethodInjectorImpl.java:139) >>>> >>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget >>> ( >>> >>>> ResourceMethodInvoker.java:295) >>>> >>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( >>> >>>> ResourceMethodInvoker.java:249) >>>> >>> at org.jboss.resteasy.core.ResourceLocatorInvoker. >>> >>>> invokeOnTargetObject(ResourceLocatorInvoker.java:138) >>>> >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>> >>>> ResourceLocatorInvoker.java:101) >>>> >>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>> >>>> SynchronousDispatcher.java:395) >>>> >>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>> >>>> SynchronousDispatcher.java:202) >>>> >>> at org.jboss.resteasy.plugins.server.servlet. >>> >>>> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >>>> >>> at org.jboss.resteasy.plugins.server.servlet. >>> >>>> HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>> >>> at org.jboss.resteasy.plugins.server.servlet. >>> >>>> HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>> >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>> >>> at io.undertow.servlet.handlers.ServletHandler.handleRequest( >>> >>>> ServletHandler.java:85) >>>> >>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >>> >>>> doFilter(FilterHandler.java:129) >>>> >>> at org.keycloak.services.filters.KeycloakSessionServletFilter. 
>>> >>>> doFilter(KeycloakSessionServletFilter.java:90) >>>> >>> at io.undertow.servlet.core.ManagedFilter.doFilter( >>> >>>> ManagedFilter.java:60) >>>> >>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >>> >>>> doFilter(FilterHandler.java:131) >>>> >>> at io.undertow.servlet.handlers.FilterHandler.handleRequest( >>> >>>> FilterHandler.java:84) >>>> >>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan >>> dler. >>> >>>> handleRequest(ServletSecurityRoleHandler.java:62) >>>> >>> at io.undertow.servlet.handlers.ServletDispatchingHandler. >>> >>>> handleRequest(ServletDispatchingHandler.java:36) >>>> >>> at org.wildfly.extension.undertow.security. >>> >>>> SecurityContextAssociationHandler.handleRequest( >>>> SecurityContextAssociationHandler.java:78) >>>> >>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>> >>>> PredicateHandler.java:43) >>>> >>> at io.undertow.servlet.handlers.security. >>> >>>> SSLInformationAssociationHandler.handleRequest( >>>> SSLInformationAssociationHandler.java:131) >>>> >>> at io.undertow.servlet.handlers.security. >>> >>>> ServletAuthenticationCallHandler.handleRequest( >>>> ServletAuthenticationCallHandler.java:57) >>>> >>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>> >>>> PredicateHandler.java:43) >>>> >>> at io.undertow.security.handlers.AbstractConfidentialityHandler >>> >>>> .handleRequest(AbstractConfidentialityHandler.java:46) >>>> >>> at io.undertow.servlet.handlers.security. >>> >>>> ServletConfidentialityConstraintHandler.handleRequest( >>>> ServletConfidentialityConstraintHandler.java:64) >>>> >>> at io.undertow.security.handlers.AuthenticationMechanismsHandle >>> >>>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>>> >>> at io.undertow.servlet.handlers.security. >>> >>>> CachedAuthenticatedSessionHandler.handleRequest( >>>> CachedAuthenticatedSessionHandler.java:77) >>>> >>> at io.undertow.security.handlers.NotificationReceiverHandler. 
>>> >>>> handleRequest(NotificationReceiverHandler.java:50) >>>> >>> at io.undertow.security.handlers.AbstractSecurityContextAssocia >>> >>>> tionHandler.handleRequest(AbstractSecurityContextAssocia >>>> tionHandler.java:43) >>>> >>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>> >>>> PredicateHandler.java:43) >>>> >>> at org.wildfly.extension.undertow.security.jacc. >>> >>>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>> >>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>> >>>> PredicateHandler.java:43) >>>> >>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>> >>>> PredicateHandler.java:43) >>>> >>> at io.undertow.servlet.handlers.ServletInitialHandler. >>> >>>> handleFirstRequest(ServletInitialHandler.java:284) >>>> >>> at io.undertow.servlet.handlers.ServletInitialHandler. >>> >>>> dispatchRequest(ServletInitialHandler.java:263) >>>> >>> at io.undertow.servlet.handlers.ServletInitialHandler.access$ >>> >>>> 000(ServletInitialHandler.java:81) >>>> >>> at io.undertow.servlet.handlers.ServletInitialHandler$1. >>> >>>> handleRequest(ServletInitialHandler.java:174) >>>> >>> at io.undertow.server.Connectors.executeRootHandler(Connectors. 
>>> >>>> java:202) >>>> >>> at io.undertow.server.HttpServerExchange$1.run( >>> >>>> HttpServerExchange.java:793) >>>> >>> at java.util.concurrent.ThreadPoolExecutor.runWorker( >>> >>>> ThreadPoolExecutor.java:1142) >>>> >>> at java.util.concurrent.ThreadPoolExecutor$Worker.run( >>> >>>> ThreadPoolExecutor.java:617) >>>> >>> at java.lang.Thread.run(Thread.java:745) >>> >>> Caused by: javax.naming.directory.InvalidAttributeIdentifierException: >>> >>>> [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining >>>> name 'uid=11111111111,dc=zz,dc=dd,dc=aa' >>>> >>> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205) >>> >>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:308 >>> 2) >>> >>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:288 >>> 8) >>> >>> at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:14 >>> 75) >>> >>> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttribu >>> tes( >>> >>>> ComponentDirContext.java:277) >>>> >>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. >>> >>>> modifyAttributes(PartialCompositeDirContext.java:192) >>>> >>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. >>> >>>> modifyAttributes(PartialCompositeDirContext.java:181) >>>> >>> at javax.naming.directory.InitialDirContext.modifyAttributes( >>> >>>> InitialDirContext.java:167) >>>> >>> at javax.naming.directory.InitialDirContext.modifyAttributes( >>> >>>> InitialDirContext.java:167) >>>> >>> at org.keycloak.federation.ldap.idm.store.ldap. >>> >>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:405) >>>> >>> at org.keycloak.federation.ldap.idm.store.ldap. >>> >>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:402) >>>> >>> at org.keycloak.federation.ldap.idm.store.ldap. >>> >>>> LDAPOperationManager.execute(LDAPOperationManager.java:535) >>>> >>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationMan >>> ager. 
>>> >>>> modifyAttributes(LDAPOperationManager.java:402) >>>> >>> ... 59 more >>> >>> 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) >>> >>>> type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null, >>>> ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, >>>> auth_method=openid-connect, auth_type=code, redirect_uri= >>>> http://127.0.0.1: >>>> 8080/teste-portal/ >>>> >>> >>> and then, I got this result in my ldap: >>> >>> dn: uid=11111111111,dc=zz,dc=dd,dc=aa >>> >>> givenName:: IA== >>> >>> uid: 11111111111 >>> >>> objectClass: top >>> >>> objectClass: inetOrgPerson >>> >>> objectClass: person >>> >>> objectClass: organizationalPerson >>> >>> objectClass: phpgwAccount >>> >>> objectClass: shadowAccount >>> >>> sn:: IA== >>> >>> cn:: IA== >>> >>> structuralObjectClass: inetOrgPerson >>> >>> entryUUID: 07f0e7caxxxxxxxxxxx >>> >>> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa >>> >>> createTimestamp: 20170308140529Z >>> >>> entryCSN: 20170308140529.527857Z#000000#000#000000 >>> >>> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa >>> >>> modifyTimestamp: 20170308140529Z >>> >>> >>> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and >>> givenName as 'IA=='. It looks like some problem occurs in my >>> configuration. >>> >>> please, need help!! >>> >>> >>> Best Regards, >>> >>> >> > > > -- > --- > *Celso Agra* > -- --- *Celso Agra* From RLewis at carbonite.com Thu Mar 9 10:28:13 2017 From: RLewis at carbonite.com (Reed Lewis) Date: Thu, 9 Mar 2017 15:28:13 +0000 Subject: [keycloak-user] Sending email from Azure hosted Keycloak instances Message-ID: We are planning on running Keycloak in Azure and of course need a mail server to send the emails that Keycloak generates. As you may know, Azure IP addresses are blocked from sending email to other people. I have found the following companies already: https://sendgrid.com https://www.smtp.com/ https://www.mailjet.com/ Are there any others that work better? 
Any experience with these or any others? Thanks! This message is the property of CARBONITE, INC. and may contain confidential or privileged information. If this message has been delivered to you by mistake, then do not copy or deliver this message to anyone. Instead, destroy it and notify me by reply e-mail. From karpenkorn at gmail.com Thu Mar 9 10:31:35 2017 From: karpenkorn at gmail.com (Roman Nikolaevich) Date: Thu, 9 Mar 2017 17:31:35 +0200 Subject: [keycloak-user] Multi tenancy quesiton Message-ID: We are testing the example from the official documentation regarding multi tenancy https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/multi-tenancy.html So we are getting the realm name from the path, but at some point our request is getting redirected to the /sso/login url and as a result the realm name is lost, simply because of this method org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint#commenceLoginRedirect:

    protected void commenceLoginRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String contextAwareLoginUri = request.getContextPath() + loginUri;
        log.debug("Redirecting to login URI {}", contextAwareLoginUri);
        response.sendRedirect(contextAwareLoginUri);
    }

Could you please advise how to handle such a situation? We see an option to override the commenceLoginRedirect method, but we are not sure that it is the correct way. Thanks in advance. Br, Roma From psilva at redhat.com Thu Mar 9 11:34:46 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 9 Mar 2017 13:34:46 -0300 Subject: [keycloak-user] Keycloak is granting broader authorization entitlements to scopes on resources than specified In-Reply-To: References: Message-ID: On Thu, Mar 9, 2017 at 11:58 AM, KLIMPFINGER Koloman < Koloman.KLIMPFINGER at frequentis.com> wrote: > Hi keycloak users! > > I've a question about using scope and resource permissions to protect my > resources. 
> To me it seems that keycloak is granting broader authorization > entitlements than I specified it with the policies & permissions - a > security issue from my point of view. > For example keycloak - according to the entitlement token of a user - > grants access to a resource and ALL its scopes, even if I only specified a > permission to access only ONE scope on that resource for that user (with a > policy). > Is it wrong to assume that the user should only have access to the one > scope? Another issue is that keycloak grants access to a resource and ALL its > scopes, even if I only specified a permission to access only that resource > for that user (with a policy) without a scope. > Is the assumption wrong that the user should only know about the resource > but not the scopes? > > Or is my understanding of how to handle the authorization entitlements for > resources and their scopes with keycloak wrong? > What would be the best practice to secure the resources and their scopes? > You are correct. This is an issue with the Entitlement API and Scope-based Permissions. Created https://issues.jboss.org/browse/KEYCLOAK-4555, sending a fix shortly. You should not see this happening if using the Authorization API, where evaluation is performed on a per-resource/scope basis. Will take a look at that repository (just perfect to understand what is happening) you pointed out and check the results once I have the issue fixed. Can you watch that JIRA for updates? 
> > Here I describe the scenario & point to a live example: > > _ The scenario _ > > Created Entities: > User: Marta > Policy: Policy-IsUser-Marta > Scopes: read, write, execute > Resource: resource-a (with all three scopes) > Resource: resource-c (with all three scopes) > Resource-Permission: resource-c -> Policy-IsUser-Marta > Scope-Permission: resource-a + scope read -> Policy-IsUser-Marta > > Retrieve entitlements: > Get your (Marta's) entitlements token and check the granted permissions - > they are: > > - resource-a -> read + write + execute > > - resource-c -> read + write + execute > > What I would expect: > > - resource-a -> read > > - resource-c -> (no scopes) > > _ Sample Project _ > I created a sample to see it live in action: > https://github.com/kklimpfi/keycloak-scenarios > > It contains a keycloak-migration.json with some sample data (in master > realm) + a java application that retrieves the Permissions. > You can clone it and try it (configure setup script for importing and pass > the system property for the java application to its configuration). > (Using Keycloak-2.5.4.Final standalone on Windows 7, should also work on > Linux) > > kind regards, > Koloman > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From b.passon at first8.nl Thu Mar 9 11:49:16 2017 From: b.passon at first8.nl (Bas Passon) Date: Thu, 9 Mar 2017 17:49:16 +0100 Subject: [keycloak-user] Problem with keycloak behind a proxy using port 8080 Message-ID: <62B5864D-5077-489B-960F-4852DA9B4FA7@first8.nl> Hello, I seem to have an issue with keycloak 2.5.1.Final running behind nginx. Nginx is configured to listen on port 8080. When I now try to request the admin panel using http://keycloak-local:8080/auth/admin/ I get redirected to http://keycloak-local/auth/admin/master/console/ . 
I would expect to be redirected to http://keycloak-local:8080/auth/admin/master/console/ . I have added the request dump and keycloak undertow subsystem configuration below. What do I need to do to make keycloak redirect to the correct url? Kind Regards, Bas Passon

16:34:15,131 INFO [io.undertow.request.dump] (default task-1)
----------------------------REQUEST---------------------------
               URI=/auth/admin/
 characterEncoding=null
     contentLength=-1
       contentType=null
            header=X-Real-IP=172.17.0.1
            header=Accept=*/*
            header=User-Agent=curl/7.43.0
            header=Connection=close
            header=X-Forwarded-Proto=http
            header=X-Forwarded-Port=8080
            header=X-Forwarded-For=172.17.0.1
            header=Host=keycloak-local
            header=X-Forwarded-Host=keycloak-local
            locale=[]
            method=GET
          protocol=HTTP/1.1
       queryString=
        remoteAddr=172.17.0.1:0
        remoteHost=172.17.0.1
            scheme=http
              host=keycloak-local
        serverPort=8080
--------------------------RESPONSE--------------------------
     contentLength=0
       contentType=null
            header=Connection=close
            header=X-Powered-By=Undertow/1
            header=Server=WildFly/10
            header=Location=http://keycloak-local/auth/admin/master/console/
            header=Content-Length=0
            header=Date=Thu, 09 Mar 2017 16:34:15 GMT
            status=302
==============================================================

-- First Eight BV Chamber of Commerce file no.: 30.17.95.44 Municipality of Utrecht Kerkenbos 1059b 6546 BB NIJMEGEN T: 024-3483570 F: 024-3483571 E: b.passon at first8.nl W: www.first8.nl Disclaimer: Unless explicitly agreed otherwise, the General Terms and Conditions of Conclusion B.V. apply to all quotations, offers or agreements of First Eight BV; they can be found at www.conclusion.nl and have also been filed with the Chamber of Commerce Midden-Nederland under number 16059253. On written request the General Terms and Conditions will be sent to you free of charge. The content of this e-mail message is intended solely for the addressee(s). Use of its content by others, or forwarding it to others, without the permission of the sender or addressee(s) is unlawful. If this e-mail message has reached you by mistake, please contact us immediately. First Eight BV exercises the greatest possible care in preventing viruses in the attachment(s) to this message. Nevertheless you must check the attachment(s) for viruses yourself, and First Eight BV cannot be held liable if attachment(s) cause damage, including damage to computer (systems). From bernardo at zwift.com Thu Mar 9 12:11:19 2017 From: bernardo at zwift.com (Bernardo Pacheco) Date: Thu, 09 Mar 2017 17:11:19 +0000 Subject: [keycloak-user] Is there any public Keycloak endpoint to get a code? Message-ID: Hi everybody, I'm trying to find out if Keycloak has an endpoint where I can submit my username and password to get a code. Later with this code I could exchange it for an access token. According to Keycloak's documentation and taking a look into the Keycloak source code, the only endpoint I found is the following: auth/realms/{realm-name}/protocol/openid-connect/auth?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}&login=true However, this endpoint returns a HTML page with a form where a user can enter username and password. The form action is: auth/realms/zwift/login-actions/request/login?code={code} The code parameter is generated by Keycloak when the HTML was processed and served, so I cannot call this endpoint directly because I need this code parameter. My question is: in any Keycloak version, is there a public Keycloak endpoint where I can submit username and password to get a code that will be used to get an access token later via the /token endpoint? Just a note, I'm using an old Keycloak version: v1.2.0-Final. 
Regards,

From akaplan at findyr.com Thu Mar 9 12:15:26 2017
From: akaplan at findyr.com (Adam Kaplan)
Date: Thu, 9 Mar 2017 12:15:26 -0500
Subject: [keycloak-user] Submitted Feature: More Secure PasswordHashProviders

I'd agree with 4 being overkill - I just listed what was available in the JRE.

I started down the path of implementing - feature branch is here:
https://github.com/adambkaplan/keycloak/tree/feature/KEYCLOAK-4523

On Thu, Mar 9, 2017 at 8:24 AM, Stian Thorgersen wrote:

> Search for usage of the class PasswordHashProvider
>
> On 9 March 2017 at 12:54, Ori Doolman wrote:
>
>> From this discussion I understand that for all realm users, current
>> password hashing algorithm is using SHA1 before the hashed password is
>> saved to the DB.
>>
>> Can you please point me to the place in the code where this hashing
>> occurs?
>>
>> Thanks.
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bruno Oliveira
>> Sent: Monday, 06 March 2017 14:08
>> To: stian at redhat.com; Adam Kaplan
>> Cc: keycloak-user
>> Subject: Re: [keycloak-user] Submitted Feature: More Secure PasswordHashProviders
>>
>> On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen wrote:
>>
>> > 4 new providers is surely a bit overkill? Isn't 256 and 512 more than
>> > sufficient?
>>
>> +1
>>
>> > On 2 March 2017 at 15:28, Adam Kaplan wrote:
>> >
>> > This is now in the jboss JIRA:
>> > https://issues.jboss.org/browse/KEYCLOAK-4523
>> >
>> > I intend to work on it over the next week or two and submit a PR.
>> >
>> > On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira wrote:
>> >
>> > > Hi Adam and John, I understand your concern. Although, collisions
>> > > are not practical for key derivation functions. There's a long
>> > > discussion about this subject here[1].
>> > >
>> > > Anyways, you can file a Jira as a feature request. If you feel like
>> > > you would like to attach a PR, better.
>> > >
>> > > [1] - http://comments.gmane.org/gmane.comp.security.phc/973
>> > >
>> > > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament wrote:
>> > >
>> > >> I deal with similarly concerned customer bases. I would be happy
>> > >> to see some of these algorithms added. +1
>> > >>
>> > >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan wrote:
>> > >>
>> > >> > My company has a client whose security prerequisites require us
>> > >> > to store passwords using SHA-2 or better for the hash (SHA-512 ideal).
>> > >> > We're looking to migrate our user management functions to Keycloak,
>> > >> > and I noticed that hashing with SHA-1 is the only provider out of the box.
>> > >> >
>> > >> > I propose adding the following providers (and will be happy to
>> > >> > contribute!), using the hash functions available in the Java 8
>> > >> > runtime environment:
>> > >> >
>> > >> > 1. PBKDF2WithHmacSHA224
>> > >> > 2. PBKDF2WithHmacSHA256
>> > >> > 3. PBKDF2WithHmacSHA384
>> > >> > 4. PBKDF2WithHmacSHA512
>> > >> >
>> > >> > I also propose marking the current Pbkdf2PasswordHashProvider as
>> > >> > deprecated, now that a real SHA-1 hash collision has been
>> > >> > published by Google Security.
>> > >> >
>> > >> > --
>> > >> > *Adam Kaplan*
>> > >> > Senior Engineer
>> > >> > findyr
>> > >> > m 914.924.5186 | e akaplan at findyr.com
>> > >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>> >
>> > --
>> > *Adam Kaplan*
>> > Senior Engineer
>> > findyr
>> > m 914.924.5186 | e akaplan at findyr.com
>> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036

--
*Adam Kaplan*
Senior Engineer
findyr
m 914.924.5186 | e akaplan at findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036

From bruno at abstractj.org Thu Mar 9 12:26:01 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 09 Mar 2017 17:26:01 +0000
Subject: [keycloak-user] Is there any public Keycloak endpoint to get a code?
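An added example for the password-hashing thread above (Adam Kaplan's proposal and Stian's pointer to PasswordHashProvider); it is not code from the thread or from Keycloak. It sketches what a family of PBKDF2 providers has to do: derive a salted, iterated hash on enrolment, store which algorithm and iteration count produced it, verify in constant time, and re-hash legacy SHA-1 records the next time the user logs in, because a stored hash cannot be converted without the plaintext. The provider ids, the record field names and the 27500 iteration count are this example's own choices, not Keycloak's. Bruno's point is also the practitioner's caveat: the published SHA-1 collision does not weaken PBKDF2-HMAC-SHA1, so adding SHA-256/512 variants is policy hygiene, and the iteration count is what sets the attacker's cost.

```python
"""Salted, iterated password hashing in the shape of a Keycloak
PasswordHashProvider: hash on enrolment, verify on login, and re-hash
legacy records so a realm can move from PBKDF2-HMAC-SHA1 to SHA-256/512.

Added example, not code from the thread or from Keycloak. The provider
ids, the stored-record layout and the iteration count are this example's
own choices; Keycloak stores the same kind of data but not with these names.
"""
import base64
import hashlib
import hmac
import os

# provider id -> PRF name accepted by hashlib.pbkdf2_hmac (example naming)
PROVIDERS = {
    "pbkdf2": "sha1",          # the existing provider the thread discusses
    "pbkdf2-sha256": "sha256",
    "pbkdf2-sha512": "sha512",
}
DEFAULT_PROVIDER = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 27500     # example value; tune to your hardware budget
SALT_BYTES = 16


def hash_password(password, provider=DEFAULT_PROVIDER,
                  iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a credential record: algorithm id, salt, iterations, derived key.

    A collision in the underlying hash does not help an attacker here: the
    PRF is HMAC, and the attacker needs a preimage of a salted, iterated
    derivation, not two inputs with the same digest.
    """
    prf = PROVIDERS[provider]
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations,
                             dklen=hashlib.new(prf).digest_size)
    return {
        "algorithm": provider,
        "salt": base64.b64encode(salt).decode(),
        "iterations": iterations,
        "value": base64.b64encode(dk).decode(),
    }


def verify_password(record, password):
    """Recompute with the record's own parameters; compare in constant time."""
    prf = PROVIDERS[record["algorithm"]]
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["value"])
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt,
                             record["iterations"], dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record):
    """True when the stored record is weaker than the current policy."""
    return (record["algorithm"] != DEFAULT_PROVIDER
            or record["iterations"] < DEFAULT_ITERATIONS)


def login(record, password):
    """Verify and, on success, upgrade a legacy record.

    Login is the only moment the plaintext is available, so it is the only
    point at which a SHA-1 record can be migrated to the new provider.
    Returns (ok, record_to_store).
    """
    if not verify_password(record, password):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    legacy = hash_password("correct horse", provider="pbkdf2", iterations=20000)
    ok, upgraded = login(legacy, "correct horse")
    print(ok, legacy["algorithm"], "->", upgraded["algorithm"])
    print(login(upgraded, "wrong password")[0])
```

Run it directly to see a SHA-1 record accepted and upgraded on a correct password and left untouched on a wrong one; the same record shape is what an admin export would have to carry for each credential (algorithm, salt, iterations, value), which is why a provider id must be stored per credential rather than assumed realm-wide.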
Please look at the docs http://www.keycloak.org/docs-api/2.5/rest-api/index.html and upgrade if possible.

On Thu, Mar 9, 2017 at 2:12 PM Bernardo Pacheco wrote:

> Hi everybody,
>
> I'm trying to find out if Keycloak has an endpoint where I can submit my
> username and password to get a code. Later with this code I could exchange
> it for an access token.
>
> According to the Keycloak's documentation and taking a look into the
> Keycloak source code, the only endpoint I found out is the following:
>
> auth/realms/{realm-name}/protocol/openid-connect/auth?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}&login=true
>
> However, this endpoint returns an HTML page with a form where a user could
> enter username and password. The form action is:
>
> auth/realms/zwift/login-actions/request/login?code={code}
>
> The code parameter is generated by Keycloak when the HTML was processed and
> served, so I cannot call this endpoint directly because I need this code
> parameter.
>
> My question is: in any Keycloak version, is there a public Keycloak
> endpoint where I can submit username and password to get a code that will
> be used to get an access token later via /token endpoint?
>
> Just a note, I'm using an old Keycloak version: v1.2.0-Final.
>
> Regards,

From akaplan at findyr.com Thu Mar 9 12:36:44 2017
From: akaplan at findyr.com (Adam Kaplan)
Date: Thu, 9 Mar 2017 12:36:44 -0500
Subject: [keycloak-user] KEYCLOAK-4523 SPI implementation

I noticed the ID for the original PasswordHashProvider (Pbkdf2PasswordHashProvider) was hard-coded in several places.

1. Should I add an SPI definition to default-server-subsys-config.properties?
2. Does calling getProvider(Class.class) on a KeycloakSession return the default provider?

On Thu, Mar 9, 2017 at 12:15 PM, Adam Kaplan wrote:

> I'd agree with 4 being overkill - I just listed what was available in
> the JRE.
>
> I started down the path of implementing - feature branch is here:
> https://github.com/adambkaplan/keycloak/tree/feature/KEYCLOAK-4523
>
> On Thu, Mar 9, 2017 at 8:24 AM, Stian Thorgersen wrote:
>
>> Search for usage of the class PasswordHashProvider
>>
>> On 9 March 2017 at 12:54, Ori Doolman wrote:
>>
>>> From this discussion I understand that for all realm users, current
>>> password hashing algorithm is using SHA1 before the hashed password is
>>> saved to the DB.
>>>
>>> Can you please point me to the place in the code where this hashing
>>> occurs?
>>>
>>> Thanks.
>>>
>>> -----Original Message-----
>>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bruno Oliveira
>>> Sent: Monday, 06 March 2017 14:08
>>> To: stian at redhat.com; Adam Kaplan
>>> Cc: keycloak-user
>>> Subject: Re: [keycloak-user] Submitted Feature: More Secure PasswordHashProviders
>>>
>>> On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen wrote:
>>>
>>> > 4 new providers is surely a bit overkill? Isn't 256 and 512 more than
>>> > sufficient?
>>>
>>> +1
>>>
>>> > On 2 March 2017 at 15:28, Adam Kaplan wrote:
>>> >
>>> > This is now in the jboss JIRA:
>>> > https://issues.jboss.org/browse/KEYCLOAK-4523
>>> >
>>> > I intend to work on it over the next week or two and submit a PR.
>>> >
>>> > On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira wrote:
>>> >
>>> > > Hi Adam and John, I understand your concern. Although, collisions
>>> > > are not practical for key derivation functions. There's a long
>>> > > discussion about this subject here[1].
>>> > >
>>> > > Anyways, you can file a Jira as a feature request. If you feel like
>>> > > you would like to attach a PR, better.
>>> > >
>>> > > [1] - http://comments.gmane.org/gmane.comp.security.phc/973
>>> > >
>>> > > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament wrote:
>>> > >
>>> > >> I deal with similarly concerned customer bases. I would be happy
>>> > >> to see some of these algorithms added. +1
>>> > >>
>>> > >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan wrote:
>>> > >>
>>> > >> > My company has a client whose security prerequisites require us
>>> > >> > to store passwords using SHA-2 or better for the hash (SHA-512 ideal).
>>> > >> > We're looking to migrate our user management functions to Keycloak,
>>> > >> > and I noticed that hashing with SHA-1 is the only provider out of the box.
>>> > >> >
>>> > >> > I propose adding the following providers (and will be happy to
>>> > >> > contribute!), using the hash functions available in the Java 8
>>> > >> > runtime environment:
>>> > >> >
>>> > >> > 1. PBKDF2WithHmacSHA224
>>> > >> > 2. PBKDF2WithHmacSHA256
>>> > >> > 3. PBKDF2WithHmacSHA384
>>> > >> > 4. PBKDF2WithHmacSHA512
>>> > >> >
>>> > >> > I also propose marking the current Pbkdf2PasswordHashProvider as
>>> > >> > deprecated, now that a real SHA-1 hash collision has been
>>> > >> > published by Google Security.
>>> > >> >
>>> > >> > --
>>> > >> > *Adam Kaplan*
>>> > >> > Senior Engineer
>>> > >> > findyr
>>> > >> > m 914.924.5186 | e akaplan at findyr.com
>>> > >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>>> >
>>> > --
>>> > *Adam Kaplan*
>>> > Senior Engineer
>>> > findyr
>>> > m 914.924.5186 | e akaplan at findyr.com
>>> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
>
> --
> *Adam Kaplan*
> Senior Engineer
> findyr
> m 914.924.5186 | e akaplan at findyr.com
> WeWork c/o Findyr | 1460 Broadway | New York, NY 10036

--
*Adam Kaplan*
Senior Engineer
findyr
m 914.924.5186 | e akaplan at findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036

From max.catarino at rps.com.br Thu Mar 9 12:47:39 2017
From: max.catarino at rps.com.br (Maximiliano)
Date: Thu, 9 Mar 2017
10:47:39 -0700 (MST) Subject: [keycloak-user] Credential Representation TOTP example In-Reply-To: <1488912423671-3057.post@n6.nabble.com> References: <1488912423671-3057.post@n6.nabble.com> Message-ID: <1489081659555-3102.post@n6.nabble.com> No one? -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Credential-Representation-TOTP-example-tp3057p3102.html Sent from the keycloak-user mailing list archive at Nabble.com. From bernardo at zwift.com Thu Mar 9 13:32:17 2017 From: bernardo at zwift.com (Bernardo Pacheco) Date: Thu, 09 Mar 2017 18:32:17 +0000 Subject: [keycloak-user] Is there any public Keycloak endpoint to get a code? In-Reply-To: References: Message-ID: Thanks Bruno, but these APIs are only for admin use. I'm looking for a OIDC API where an user can submit his username/password to get a code. Regards, On Thu, Mar 9, 2017 at 2:26 PM Bruno Oliveira wrote: > Please look at the docs > http://www.keycloak.org/docs-api/2.5/rest-api/index.html and upgrade if > possible. > > On Thu, Mar 9, 2017 at 2:12 PM Bernardo Pacheco > wrote: > > Hi everybody, > > I'm trying to find out if Keycloak has an endpoint where I can submit my > username and password to get a code. Later with this code I could exchange > it for an access token. > > According to the Keycloak's documentation and taking a looking into the > Keycloak source code, the only endpoint I found out is the following: > > > auth/realms/{realm-name}/protocol/openid-connect/auth?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}&login=true > > However, this endpoint returns a HTML page with a form where an user could > enter with username and password. The form action is: > > auth/realms/zwift/login-actions/request/login?code={code} > > The code parameter is generated by Keycloak when the HTML was processed and > served, so I cannot call this endpoint directly because I need this code > parameter. 
> > My question is: in any Keycloak version, is there a public Keycloak > endpoint where I can submit username and password to get a code that will > be used to get a access token later via /token endpoint? > > Just a note, I'm using an old Keycloak version: v1.2.0-Final. > > Regards, > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- BERNARDO PACHECO *SOFTWARE ENGINEER at Zwift, Inc.* bernardo at zwift.com From sblanc at redhat.com Thu Mar 9 13:49:52 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Thu, 9 Mar 2017 19:49:52 +0100 Subject: [keycloak-user] Is there any public Keycloak endpoint to get a code? In-Reply-To: References: Message-ID: With Direct Grant Access enabled , you can use /realms/{realm-name}/protocol/openid-connect/token but for older Keycloak version I think it's something like /auth/realms/aerogear/tokens/grants/access , it's a POST and the body must form encoded On Thu, Mar 9, 2017 at 7:32 PM, Bernardo Pacheco wrote: > Thanks Bruno, but these APIs are only for admin use. I'm looking for a OIDC > API where an user can submit his username/password to get a code. > > Regards, > > On Thu, Mar 9, 2017 at 2:26 PM Bruno Oliveira wrote: > > > Please look at the docs > > http://www.keycloak.org/docs-api/2.5/rest-api/index.html and upgrade if > > possible. > > > > On Thu, Mar 9, 2017 at 2:12 PM Bernardo Pacheco > > wrote: > > > > Hi everybody, > > > > I'm trying to find out if Keycloak has an endpoint where I can submit my > > username and password to get a code. Later with this code I could > exchange > > it for an access token. > > > > According to the Keycloak's documentation and taking a looking into the > > Keycloak source code, the only endpoint I found out is the following: > > > > > > auth/realms/{realm-name}/protocol/openid-connect/auth? 
> > response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}&login=true
> >
> > However, this endpoint returns an HTML page with a form where a user could
> > enter username and password. The form action is:
> >
> > auth/realms/zwift/login-actions/request/login?code={code}
> >
> > The code parameter is generated by Keycloak when the HTML was processed and
> > served, so I cannot call this endpoint directly because I need this code
> > parameter.
> >
> > My question is: in any Keycloak version, is there a public Keycloak
> > endpoint where I can submit username and password to get a code that will
> > be used to get an access token later via /token endpoint?
> >
> > Just a note, I'm using an old Keycloak version: v1.2.0-Final.
> >
> > Regards,
>
> --
> BERNARDO PACHECO
> *SOFTWARE ENGINEER at Zwift, Inc.*
> bernardo at zwift.com

From bernardo at zwift.com Thu Mar 9 14:06:40 2017
From: bernardo at zwift.com (Bernardo Pacheco)
Date: Thu, 09 Mar 2017 19:06:40 +0000
Subject: [keycloak-user] Is there any public Keycloak endpoint to get a code?

In a newer KC version, when I call POST /realms/{realm-name}/protocol/openid-connect/token:

1 - Which body params should I send?
2 - Does this API return a code or an access token / refresh token?

The older version has a /auth/realms/{realm-name}/tokens/grant/access API, but it is deprecated and I can't call it.
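An added example answering the two questions in Bernardo's message above; it is not code from the thread or from Keycloak, and it runs offline: the request is only built, not sent, and the token response is a constructed sample in the shape Keycloak returns. The realm name zwift is taken from Bernardo's form action; the host, client id, user name, password and token contents are assumptions. The body is form-encoded with grant_type=password plus client_id, username and password (a confidential client also sends client_secret), and the response carries access_token and refresh_token directly; there is no authorization code in this grant, that step exists only in the browser flow.

```python
"""Direct Access Grant (OAuth2 resource-owner password credentials) against
Keycloak's token endpoint: what the request looks like and what comes back.

Added example, not code from the mailing-list thread or from Keycloak. It
runs offline: the HTTP call is shown but not made, and the response below
is a constructed sample shaped like a real Keycloak token response.
"""
import base64
import json
from urllib.parse import urlencode

# Assumed host and client; the realm name is the one in Bernardo's message.
KEYCLOAK_BASE = "https://keycloak.example.com/auth"
REALM = "zwift"
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"


def build_password_grant(client_id, username, password, client_secret=None):
    """Return (url, headers, body) for a form-encoded password grant.

    The client must have "Direct Access Grants Enabled"; a confidential
    client adds its secret (here in the body, which Keycloak accepts; HTTP
    Basic authentication is the alternative).
    """
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode(form)


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def unverified_claims(jwt):
    """Return the payload of a compact JWS WITHOUT checking its signature.

    Fine for inspecting exp, sub and roles during development; a resource
    server must verify the RS256 signature against the realm's public key
    before trusting any claim.
    """
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def parse_token_response(body_text, now):
    """Interpret the JSON the token endpoint returns for a password grant.

    Unlike the browser flow there is no authorization code step: the
    response already holds the access and refresh tokens.
    """
    body = json.loads(body_text)
    if "error" in body:
        raise ValueError(f"{body['error']}: {body.get('error_description', '')}")
    if "code" in body:
        raise ValueError("password grant never returns an authorization code")
    claims = unverified_claims(body["access_token"])
    return {
        "token_type": body["token_type"],
        "access_token": body["access_token"],
        "refresh_token": body["refresh_token"],
        "expires_in": body["expires_in"],
        "seconds_left": claims["exp"] - now,
        "subject": claims["sub"],
        "realm_roles": claims.get("realm_access", {}).get("roles", []),
    }


def _constructed_jwt(claims):
    """Build a sample token for the offline demo only (signature is a dummy)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT", "kid": "demo"}),
                     enc(claims), "c2lnbmF0dXJlLXBsYWNlaG9sZGVy"])


# Constructed sample response; a real one differs only in token contents.
NOW = 1489075200  # fixed "current time" so the demo is deterministic
SAMPLE_RESPONSE = json.dumps({
    "access_token": _constructed_jwt({
        "sub": "9f1a2c4e-demo", "exp": NOW + 300, "iat": NOW,
        "iss": f"{KEYCLOAK_BASE}/realms/{REALM}",
        "realm_access": {"roles": ["user"]},
    }),
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": _constructed_jwt({"sub": "9f1a2c4e-demo", "exp": NOW + 1800}),
    "token_type": "bearer",
})

if __name__ == "__main__":
    url, headers, body = build_password_grant("my-app", "marta", "s3cret")
    print("POST", url)
    print(body)
    print(parse_token_response(SAMPLE_RESPONSE, NOW))
```

Two caveats a deployment needs: the client handles the user's raw password, so enable Direct Access Grants only for first-party clients you trust with it, and because there is no login page, a user with pending required actions gets an invalid_grant error instead of a prompt. unverified_claims() is for inspection only; signature validation against the realm's public key is what makes a token trustworthy.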
Thanks Sebastien,

On Thu, Mar 9, 2017 at 3:49 PM Sebastien Blanc wrote:

> With Direct Grant Access enabled, you can use
> /realms/{realm-name}/protocol/openid-connect/token but for older Keycloak
> version I think it's something like
> /auth/realms/aerogear/tokens/grants/access , it's a POST and the body
> must be form encoded
>
> On Thu, Mar 9, 2017 at 7:32 PM, Bernardo Pacheco wrote:
>
> > Thanks Bruno, but these APIs are only for admin use. I'm looking for an OIDC
> > API where a user can submit his username/password to get a code.
> >
> > Regards,
> >
> > On Thu, Mar 9, 2017 at 2:26 PM Bruno Oliveira wrote:
> >
> > > Please look at the docs
> > > http://www.keycloak.org/docs-api/2.5/rest-api/index.html and upgrade if
> > > possible.
> > >
> > > On Thu, Mar 9, 2017 at 2:12 PM Bernardo Pacheco wrote:
> >
> > Hi everybody,
> >
> > I'm trying to find out if Keycloak has an endpoint where I can submit my
> > username and password to get a code. Later with this code I could exchange
> > it for an access token.
> >
> > According to the Keycloak's documentation and taking a look into the
> > Keycloak source code, the only endpoint I found out is the following:
> >
> > auth/realms/{realm-name}/protocol/openid-connect/auth?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}&login=true
> >
> > However, this endpoint returns an HTML page with a form where a user could
> > enter username and password. The form action is:
> >
> > auth/realms/zwift/login-actions/request/login?code={code}
> >
> > The code parameter is generated by Keycloak when the HTML was processed and
> > served, so I cannot call this endpoint directly because I need this code
> > parameter.
> >
> > My question is: in any Keycloak version, is there a public Keycloak
> > endpoint where I can submit username and password to get a code that will
> > be used to get an access token later via /token endpoint?
> >
> > Just a note, I'm using an old Keycloak version: v1.2.0-Final.
> >
> > Regards,
> >
> > --
> > BERNARDO PACHECO
> > *SOFTWARE ENGINEER at Zwift, Inc.*
> > bernardo at zwift.com

From thomas.darimont at googlemail.com Thu Mar 9 15:59:31 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 9 Mar 2017 21:59:31 +0100
Subject: [keycloak-user] Credential Representation TOTP example
In-Reply-To: <1489081659555-3102.post@n6.nabble.com>
References: <1488912423671-3057.post@n6.nabble.com> <1489081659555-3102.post@n6.nabble.com>

Hello Maximiliano,

the current Keycloak Admin REST API (org.keycloak.services.resources.admin.UsersResource#resetPassword) doesn't allow adding TOTP credentials. Currently only password updates and TOTP removals are supported.

Perhaps you can set the totp credential via the AccountService endpoints which are used by the account client.
See: org.keycloak.services.resources.AccountService#processTotpUpdate

Cheers,
Thomas

2017-03-09 18:47 GMT+01:00 Maximiliano :

> No one?
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/Credential-Representation-TOTP-example-tp3057p3102.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
From pepcitron at gmail.com Thu Mar 9 16:11:48 2017
From: pepcitron at gmail.com (Pierre-Emmanuel PEDRON)
Date: Thu, 9 Mar 2017 22:11:48 +0100
Subject: [keycloak-user] [Custom User Federation] - Access to the ClientModel on a custom UserStorageProvider

Hello,

I develop a custom user federation (oidc - grant password) to call a legacy authentication service.

In the isValid() method, I want to access the ClientModel to retrieve some information I need (clientId and its roles) to call the legacy web service. But I don't know how?

The KeycloakSession is not enough to access this information. I need to get the ClientSession.

Do I make a custom authenticator to set the ClientModel on the KeycloakSession? Any ideas?

This is a bottle in the sea :)

Many thanks,

Regards,
Pierre-Emmanuel Pedron

--
Kind regards,
PEDRON Pierre Emmanuel

From bburke at redhat.com Thu Mar 9 16:44:57 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 9 Mar 2017 16:44:57 -0500
Subject: [keycloak-user] [Custom User Federation] - Access to the ClientModel on a custom UserStorageProvider

Yes, you'll have to implement an Authenticator for this

On 3/9/17 4:11 PM, Pierre-Emmanuel PEDRON wrote:

> Hello,
>
> I develop a custom user federation (oidc - grant password) to call a legacy
> authentication service.
>
> In the isValid() method, I want to access the ClientModel to retrieve some
> information I need (clientId and its roles) to call the legacy web service. But
> I don't know how?
>
> The KeycloakSession is not enough to access this information. I need to
> get the ClientSession.
>
> Do I make a custom authenticator to set the ClientModel on the
> KeycloakSession? Any ideas?
>
> This is a bottle in the sea :)
>
> Many thanks,
>
> Regards,
> Pierre-Emmanuel Pedron

From max.catarino at rps.com.br Thu Mar 9 16:49:09 2017
From: max.catarino at rps.com.br (Maximiliano)
Date: Thu, 9 Mar 2017 14:49:09 -0700 (MST)
Subject: [keycloak-user] Credential Representation TOTP example
In-Reply-To: 
References: <1488912423671-3057.post@n6.nabble.com> <1489081659555-3102.post@n6.nabble.com>
Message-ID: <1489096149810-3108.post@n6.nabble.com>

Thanks for answering Thomas Darimont.

Maybe UserResource.update to overwrite credentials?

Best regards.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Credential-Representation-TOTP-example-tp3057p3108.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From thomas.darimont at googlemail.com Thu Mar 9 17:53:35 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 9 Mar 2017 23:53:35 +0100
Subject: [keycloak-user] Credential Representation TOTP example
In-Reply-To: <1489096149810-3108.post@n6.nabble.com>
References: <1488912423671-3057.post@n6.nabble.com> <1489081659555-3102.post@n6.nabble.com> <1489096149810-3108.post@n6.nabble.com>

The UsersResource#updateUser endpoint doesn't support credential updates at the moment.

org.keycloak.services.resources.admin.UsersResource#updateUser
org.keycloak.services.resources.admin.UsersResource#updateUserFromRep

E.g. if you want to update a password you need to use the resetPassword endpoint:

    // 'keycloak' is an org.keycloak.admin.client.Keycloak admin-client instance
    CredentialRepresentation passwordCred = new CredentialRepresentation();
    passwordCred.setTemporary(false);
    passwordCred.setType(CredentialRepresentation.PASSWORD);
    passwordCred.setValue("test");
    keycloak.realm(realmName).users().get(userId).resetPassword(passwordCred);

From Vaughn at climatecontrolgroup.com Thu Mar 9 18:46:00 2017
From: Vaughn at climatecontrolgroup.com (Brent Vaughn)
Date: Thu, 9 Mar 2017 23:46:00 +0000
Subject: [keycloak-user] KeycloakPrincipal ClassCastException in JSF custom component

Using KeyCloak 2.5.4 and Wildfly 10.1.0

I am attempting to create a JSF component that involves Keycloak. I am getting this exception:

java.lang.ClassCastException: org.keycloak.KeycloakPrincipal cannot be cast to org.keycloak.KeycloakPrincipal

Below is the line of code that throws the exception.

    public void encodeBegin(FacesContext context) {
        ..........
        KeycloakPrincipal kp = (KeycloakPrincipal) context.getExternalContext().getUserPrincipal();
        ..........
    }

Funny thing is this. The exception is only thrown when the JSF Component is in a separate jar and then added to the project. If I put the code in question directly in the project, it doesn't throw the exception.

Can anyone help me with this?

From Vaughn at climatecontrolgroup.com Thu Mar 9 18:49:34 2017
From: Vaughn at climatecontrolgroup.com (Brent Vaughn)
Date: Thu, 9 Mar 2017 23:49:34 +0000
Subject: [keycloak-user] KeycloakPrincipal ClassCastException

Using KeyCloak 2.5.4 and Wildfly 10.1.0

I am attempting to create a JSF component that involves Keycloak. I am getting this exception:

java.lang.ClassCastException: org.keycloak.KeycloakPrincipal cannot be cast to org.keycloak.KeycloakPrincipal

Below is the line of code that throws the exception.

    public void encodeBegin(FacesContext context) {
        ..........
        KeycloakPrincipal kp = (KeycloakPrincipal) context.getExternalContext().getUserPrincipal();
        ..........
    }

Funny thing is this. The exception is only thrown when the JSF Component is in a separate jar and then added to the project. If I put the code in question directly in the project, it doesn't throw the exception.

Can anyone help me with this?

From bburke at redhat.com Thu Mar 9 20:06:00 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 9 Mar 2017 20:06:00 -0500
Subject: [keycloak-user] KeycloakPrincipal ClassCastException
Message-ID: <7d276112-67b3-3520-5256-ffac58902dfa@redhat.com>

What do you mean "separate jar"? A jar in the WAR?

On 3/9/17 6:49 PM, Brent Vaughn wrote:

> Using KeyCloak 2.5.4 and Wildfly 10.1.0
>
> I am attempting to create a JSF component that involves Keycloak. I am getting this exception:
>
> java.lang.ClassCastException: org.keycloak.KeycloakPrincipal cannot be cast to org.keycloak.KeycloakPrincipal
>
> Below is the line of code that throws the exception.
>
>     public void encodeBegin(FacesContext context) {
>         ..........
>         KeycloakPrincipal kp = (KeycloakPrincipal) context.getExternalContext().getUserPrincipal();
>         ..........
>     }
>
> Funny thing is this. The exception is only thrown when the JSF Component is in a separate jar and then added to the project. If I put the code in question directly in the project, it doesn't throw the exception.
>
> Can anyone help me with this?

From Vaughn at climatecontrolgroup.com Thu Mar 9 20:46:53 2017
From: Vaughn at climatecontrolgroup.com (Brent Vaughn)
Date: Fri, 10 Mar 2017 01:46:53 +0000
Subject: [keycloak-user] KeycloakPrincipal ClassCastException
In-Reply-To: <7d276112-67b3-3520-5256-ffac58902dfa@redhat.com>
References: <7d276112-67b3-3520-5256-ffac58902dfa@redhat.com>

Yes. But it is an Ear file instead of a War file. A separate jar in an Ear file.
________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Bill Burke Sent: Thursday, March 9, 2017 7:06:00 PM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] KeycloakPrincipal ClassCastException What do you mean "separate jar"? A jar in the WAR? On 3/9/17 6:49 PM, Brent Vaughn wrote: > Using KeyCloak 2.5.4 and Wildfly 10.1.0 > > I am attempting to create a JSF component that involves Keycloak. I am getting this exception: > > java.lang.ClassCastException: org.keycloak.KeycloakPrincipal cannot be cast to org.keycloak.KeycloakPrincipal > > > Below is the line of code that throws the exception. > > public void encodeBegin(FacesContext context) { > .......... > KeycloakPrincipal kp = (KeycloakPrincipal) context.getExternalContext().getUserPrincipal(); > .......... > } > > > Funny thing is this. The exception is only thrown when the JSF Component is in a separate jar and then added to the project. If I put the code in question directly in the project, it doesn't throw the exception. > > Can anyone help me with this? > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From john.d.ament at gmail.com Thu Mar 9 21:14:11 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Fri, 10 Mar 2017 02:14:11 +0000 Subject: [keycloak-user] KeycloakPrincipal ClassCastException In-Reply-To: References: <7d276112-67b3-3520-5256-ffac58902dfa@redhat.com> Message-ID: This sounds like you're ending up with duplicate keycloak libraries on your classpath. Did you include the keycloak client subsystem? Are the keycloak libraries also ending up in your EAR or WAR? On Thu, Mar 9, 2017 at 9:12 PM Brent Vaughn wrote: > Yes. 
But it is an Ear file instead of a War file. A separate jar in an > Ear file. > ________________________________ > From: keycloak-user-bounces at lists.jboss.org < > keycloak-user-bounces at lists.jboss.org> on behalf of Bill Burke < > bburke at redhat.com> > Sent: Thursday, March 9, 2017 7:06:00 PM > To: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] KeycloakPrincipal ClassCastException > > What do you mean "separate jar"? A jar in the WAR? > > > On 3/9/17 6:49 PM, Brent Vaughn wrote: > > Using KeyCloak 2.5.4 and Wildfly 10.1.0 > > > > I am attempting to create a JSF component that involves Keycloak. I am > getting this exception: > > > > java.lang.ClassCastException: org.keycloak.KeycloakPrincipal cannot be > cast to org.keycloak.KeycloakPrincipal > > > > > > Below is the line of code that throws the exception. > > > > public void encodeBegin(FacesContext context) { > > .......... > > KeycloakPrincipal kp = > (KeycloakPrincipal) > context.getExternalContext().getUserPrincipal(); > > .......... > > } > > > > > > Funny thing is this. The exception is only thrown when the JSF > Component is in a separate jar and then added to the project. If I put the > code in question directly in the project, it doesn't throw the exception. > > > > Can anyone help me with this? 
> > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Vaughn at climatecontrolgroup.com Thu Mar 9 21:54:27 2017 From: Vaughn at climatecontrolgroup.com (Brent Vaughn) Date: Fri, 10 Mar 2017 02:54:27 +0000 Subject: [keycloak-user] KeycloakPrincipal ClassCastException In-Reply-To: References: <7d276112-67b3-3520-5256-ffac58902dfa@redhat.com> , Message-ID: The keycloak libraries are in my subsystem. When I include Keycloak jars in my EAR, I get the ClassCastException. When I don't include the Keycloak jars in my EAR, I get a java.lang.NoClassDefFoundError: org/keycloak/KeycloakPrincipal exception Here is my Dockerfile I use as my base image. It has the Keycloak adapter in it. 
FROM openjdk:8u121-jdk

USER root

ENV WILDFLY_VERSION 10.1.0.Final
ENV WILDFLY_SHA1 9ee3c0255e2e6007d502223916cefad2a1a5e333
ENV JBOSS_HOME /opt/jboss/wildfly
ENV FILEBEAT_DEB filebeat-5.0.0-amd64.deb
ENV KEYCLOAK_VERSION 2.5.4.Final

# Add the WildFly distribution to /opt, and make wildfly the owner of the extracted tar content
# Make sure the distribution is available from a well-known place
RUN cd $HOME \
    && curl -O https://download.jboss.org/wildfly/$WILDFLY_VERSION/wildfly-$WILDFLY_VERSION.tar.gz \
    && sha1sum wildfly-$WILDFLY_VERSION.tar.gz | grep $WILDFLY_SHA1 \
    && tar xf wildfly-$WILDFLY_VERSION.tar.gz \
    && mkdir -p $JBOSS_HOME \
    && mv $HOME/wildfly-$WILDFLY_VERSION/* $JBOSS_HOME \
    && rm wildfly-$WILDFLY_VERSION.tar.gz

# Ensure signals are forwarded to the JVM process correctly for graceful shutdown
ENV LAUNCH_JBOSS_IN_BACKGROUND true

EXPOSE 8080

RUN apt-get update -y \
    && curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/$FILEBEAT_DEB \
    && dpkg -i $FILEBEAT_DEB \
    && apt-get install -y swaks \
    && mkdir -p /etc/pki/tls/certs \
    && ln -fs /usr/share/zoneinfo/US/Central /etc/localtime && dpkg-reconfigure -f noninteractive tzdata \
    && rm $FILEBEAT_DEB

# Keycloak Adapter
WORKDIR /opt/jboss/wildfly
RUN curl -L https://downloads.jboss.org/keycloak/$KEYCLOAK_VERSION/adapters/keycloak-oidc/keycloak-wildfly-adapter-dist-$KEYCLOAK_VERSION.tar.gz | tar zx
WORKDIR /opt/jboss

# Standalone.xml modifications.
RUN sed -i -e 's//&\n /' $JBOSS_HOME/standalone/configuration/standalone.xml && \
    sed -i -e 's//&\n /' $JBOSS_HOME/standalone/configuration/standalone.xml && \
    sed -i -e 's//&\n \n \n \n <\/authentication>\n <\/security-domain>/' $JBOSS_HOME/standalone/configuration/standalone.xml

# Standalone-full.xml modifications.
RUN sed -i -e 's//&\n /' $JBOSS_HOME/standalone/configuration/standalone-full.xml && \
    sed -i -e 's//&\n /' $JBOSS_HOME/standalone/configuration/standalone-full.xml && \
    sed -i -e 's//&\n \n \n \n <\/authentication>\n <\/security-domain>/' $JBOSS_HOME/standalone/configuration/standalone-full.xml

________________________________
From: John D. Ament
Sent: Thursday, March 9, 2017 8:14:11 PM
To: Brent Vaughn; Bill Burke; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KeycloakPrincipal ClassCastException

This sounds like you're ending up with duplicate keycloak libraries on your classpath. Did you include the keycloak client subsystem? Are the keycloak libraries also ending up in your EAR or WAR?
From Vaughn at climatecontrolgroup.com Thu Mar 9 22:46:10 2017
From: Vaughn at climatecontrolgroup.com (Brent Vaughn)
Date: Fri, 10 Mar 2017 03:46:10 +0000
Subject: [keycloak-user] KeycloakPrincipal ClassCastException
In-Reply-To: 
References: <7d276112-67b3-3520-5256-ffac58902dfa@redhat.com> , ,
Message-ID: 

When I change the project to not include the Keycloak jars and to build as a WAR file, it works great. Not sure why it doesn't work as an EAR file without the Keycloak jars.

________________________________
From: Brent Vaughn
Sent: Thursday, March 9, 2017 8:54:27 PM
To: John D. Ament; Bill Burke; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KeycloakPrincipal ClassCastException

The keycloak libraries are in my subsystem.

When I include Keycloak jars in my EAR, I get the ClassCastException.

When I don't include the Keycloak jars in my EAR, I get a java.lang.NoClassDefFoundError: org/keycloak/KeycloakPrincipal exception

From eduard.matuszak at worldline.com Fri Mar 10 02:53:33 2017
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Fri, 10 Mar 2017 07:53:33 +0000
Subject: [keycloak-user] Additional token claims dynamically set via login by external Id Provider
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723EDAC56@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello Keycloak Team

For logins taking place via keycloak login mask, I am able to edit a user property "on the fly" in user-storage-provider's isValid-method and can add it into the token (after adding an appropriate mapper for the corresponding client):

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input)
        ..
        List attr_dyn_list = new ArrayList();
        attr_dyn_list.add("attr_dyn_val");
        local.setAttribute("attr_dyn", attr_dyn_list);
        ..

Now I also want to set an additional claim dynamically into an access token when a user tries to log in (not only the first time) via an external Id Provider. Is there any hook I can override to do so or is this feature planned to be implemented in near future?
Best regards,
Eduard Matuszak

From thomas.darimont at googlemail.com Fri Mar 10 03:25:34 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 10 Mar 2017 09:25:34 +0100
Subject: [keycloak-user] Additional token claims dynamically set via login by external Id Provider
In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D723EDAC56@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
References: <61D077C6283D454FAFD06F6AC4AB74D723EDAC56@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
Message-ID: 

Hello Eduard,

do you set the attribute on the user? If so you could try to configure a custom user-attribute mapper for your client. The mapper could then inject the attribute value into the token with the name provided in the mapper.

Cheers,
Thomas

2017-03-10 8:53 GMT+01:00 Matuszak, Eduard:
> Hello Keycloak Team
>
> For logins taking place via keycloak login mask, I am able to edit a user property "on the fly" in user-storage-provider's isValid-method and can add it into the token (after adding an appropriate mapper for the corresponding client):
>
>     @Override
>     public boolean isValid(RealmModel realm, UserModel user, CredentialInput input)
>         ..
>         List attr_dyn_list = new ArrayList();
>         attr_dyn_list.add("attr_dyn_val");
>         local.setAttribute("attr_dyn", attr_dyn_list);
>         ..
>
> Now I also want to set an additional claim dynamically into an access token when a user tries to log in (not only the first time) via an external Id Provider. Is there any hook I can override to do so or is this feature planned to be implemented in near future?
>
> Best regards, Eduard Matuszak

From dev.ebondu at gmail.com Fri Mar 10 04:10:30 2017
From: dev.ebondu at gmail.com (ebondu)
Date: Fri, 10 Mar 2017 02:10:30 -0700 (MST)
Subject: [keycloak-user] ClassCastException in SimpleHttpFacade - WebAuthenticationDetails cannot be cast to SecurityContext
In-Reply-To: <8661B716A6678E46A20FB7FCFF2504A101220490F8@VMSST108.kvbw.local>
References: <8661B716A6678E46A20FB7FCFF2504A10122048EA8@VMSST108.kvbw.local> <8661B716A6678E46A20FB7FCFF2504A101220490F8@VMSST108.kvbw.local>
Message-ID: <1489137030555-3120.post@n6.nabble.com>

Hi,

You are welcome. You can vote for the issue on jira ;)

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-ClassCastException-in-SimpleHttpFacade-WebAuthenticationDetails-cannot-be-cast-to-Secut-tp3077p3120.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From alexander.chriztopher at gmail.com Fri Mar 10 04:31:28 2017
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Fri, 10 Mar 2017 10:31:28 +0100
Subject: [keycloak-user] Session timeout settings on a per application basis
In-Reply-To: 
References: 
Message-ID: 

Any hints on how to achieve this? Should we do it manually by cancelling the access_token when we want to (we are using Direct Access Grant by the way)?

On Wed, Mar 8, 2017 at 2:26 PM, Alexander Chriztopher <alexander.chriztopher at gmail.com> wrote:
> Our use case is that we have different businesses and each business has its own constraints.
>
> In one of them (2 applications today) we want the session to timeout very quickly if the user is not active for security reasons and in another we want a rather "normal" timeout as the security constraints are not the same (a lot more applications here).
>
> On Wed, Mar 8, 2017 at 12:10 PM, Stian Thorgersen wrote:
>> Session timeouts are for the SSO session and it wouldn't make any sense to have them on a per-application basis. What's your actual use-case?
>>
>> On 8 March 2017 at 10:15, Alexander Chriztopher <alexander.chriztopher at gmail.com> wrote:
>>> Hi,
>>>
>>> We would like to know whether this is now available or not?
>>>
>>> I have found the following thread that was sent in 12/2014:
>>> http://lists.jboss.org/pipermail/keycloak-user/2014-December/001295.html
>>>
>>> Thanks for your answers.

From sanchoponchos at gmail.com Fri Mar 10 04:47:17 2017
From: sanchoponchos at gmail.com (sanchoponchos at gmail.com)
Date: Fri, 10 Mar 2017 16:47:17 +0700
Subject: [keycloak-user] How to upgrade server keycloak-overlay
Message-ID: 

I have wildfly version 10 and server keycloak-overlay version 1.9.7.

I want to upgrade server keycloak-overlay to 2.5.4 version.

As I understand, the instructions at http://www.keycloak.org/docs/2.5/server_admin_guide/topics/MigrationFromOlderVersions.html are for upgrading the standalone server.

Where can I find instructions for updating server keycloak-overlay?

From abhi.raghav007 at gmail.com Fri Mar 10 05:31:01 2017
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Fri, 10 Mar 2017 16:01:01 +0530
Subject: [keycloak-user] Unable to Store and Retrieve Group-Role relationship in LDAP
Message-ID: 

Hi

I have a set of Realm Roles that is mapped to a certain OU=Roles in an MSAD. Similar is the case for a set of Groups. But when I assign a group a certain role, the assignment is visible in Keycloak, but the same is not reflected in the AD. I mean, this mapping of role and group is not stored in the "member" or "memberof" attributes of either the respective group or the role.
Please suggest: is this functionality available using any mapper from Keycloak to AD? Or do we need to create our own Custom Mapper? If yes, how?

- Best Regards
Abhishek Raghav

From mposolda at redhat.com Fri Mar 10 05:34:36 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 10 Mar 2017 11:34:36 +0100
Subject: [keycloak-user] JAAS plugin and roles
In-Reply-To: 
References: 
Message-ID: <36845be9-dfef-5159-4fb8-b0119d562c06@redhat.com>

On 09/03/17 15:33, Amat, Juan (Nokia - US) wrote:
> Thank you for the pointer.
>
> I would have expected that this would be supported out of the box.

If there are enough people asking for it, we can add it though. Feel free to create a JIRA.

> Another comment.
> In the logout method of AbstractKeycloakLoginModule.java, we remove the RolePrincipal.class principals from the subject's principals.
> We can though configure the class used for the 'role' principal. Should this class be used instead?

Yes, good point. Feel free to add that into the JIRA too.

Marek

> Juan.
>
>> -----Original Message-----
>> From: Marek Posolda [mailto:mposolda at redhat.com]
>> Sent: Thursday, March 09, 2017 12:23 AM
>> To: Amat, Juan (Nokia - US) ; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] JAAS plugin and roles
>>
>> I recently did some example of the remote EJB client. You're right, there are special groups on Wildfly, which the JAAS Subject needs to be a member of.
>>
>> See the example here [1]. Especially take a look at the security-domain configuration and the "ConvertKEycloakRolesLoginModule", which needs to be put into the chain after DirectAccessGrantsLoginModule.
>>
>> Btv. if you are using web (HttpServletRequest etc), you should maybe rather use our OIDC/SAML adapters? But maybe I am missing something in your setup...
>>
>> [1] https://github.com/mposolda/keycloak-remote-ejb
>>
>> Marek
>>
>> On 08/03/17 20:10, Amat, Juan (Nokia - US) wrote:
>>> I was trying to use this login module with an application deployed on Wildfly 10:
>>> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
>>> And it kind of worked.
>>> By that I mean that when you log in, you are authenticated fine but then calling HttpServletRequest.isUserInRole(xxx) did not work.
>>>
>>> The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific group.
>>> This page https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html says:
>>> "The JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal.
>>> The Roles group is the collection of Principals for the named roles as known in the application domain under which the Subject has been authenticated. This role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set.
>>> The CallerPrincipalGroup consists of the single Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipalGroup, the application identity is the same used for login."
>>> A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing work.
>>> Am I doing something wrong?
>>>
>>> Thank you.

From sthorger at redhat.com Fri Mar 10 05:35:56 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 10 Mar 2017 11:35:56 +0100
Subject: [keycloak-user] How to upgrade server keycloak-overlay
In-Reply-To: 
References: 
Message-ID: 

There are none. Overlay is not something we recommend in production and hence there are no upgrade instructions. Would be similar steps to the standalone server: new WF installation, add new KC overlay, copy standalone.xml, themes, etc. over, etc.

On 10 March 2017 at 10:47, sanchoponchos at gmail.com wrote:
> I have wildfly version 10 and server keycloak-overlay version 1.9.7.
>
> I want to upgrade server keycloak-overlay to 2.5.4 version.
>
> As I understand, the instructions at http://www.keycloak.org/docs/2.5/server_admin_guide/topics/MigrationFromOlderVersions.html are for upgrading the standalone server.
>
> Where can I find instructions for updating server keycloak-overlay?

From sthorger at redhat.com Fri Mar 10 05:36:52 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 10 Mar 2017 11:36:52 +0100
Subject: [keycloak-user] Is there any public Keycloak endpoint to get a code?
In-Reply-To: 
References: 
Message-ID: 

Securing apps and services guide - it's all explained in the OIDC section.

On 9 March 2017 at 20:06, Bernardo Pacheco wrote:
> In a newer KC version, when I call POST /realms/{realm-name}/protocol/openid-connect/token:
>
> 1 - Which body params should I send?
> 2 - Does this API return a code or an access token / refresh token?
>
> The older version has a /auth/realms/{realm-name}/tokens/grant/access API, but it is deprecated and I can't call it.
>
> Thanks Sebastien,
>
> On Thu, Mar 9, 2017 at 3:49 PM Sebastien Blanc wrote:
>> With Direct Grant Access enabled, you can use /realms/{realm-name}/protocol/openid-connect/token but for older Keycloak version I think it's something like /auth/realms/aerogear/tokens/grants/access, it's a POST and the body must be form encoded
>>
>> On Thu, Mar 9, 2017 at 7:32 PM, Bernardo Pacheco wrote:
>>> Thanks Bruno, but these APIs are only for admin use. I'm looking for an OIDC API where a user can submit his username/password to get a code.
>>>
>>> Regards,
>>>
>>> On Thu, Mar 9, 2017 at 2:26 PM Bruno Oliveira wrote:
>>>> Please look at the docs http://www.keycloak.org/docs-api/2.5/rest-api/index.html and upgrade if possible.
>>>>
>>>> On Thu, Mar 9, 2017 at 2:12 PM Bernardo Pacheco wrote:
>>>>> Hi everybody,
>>>>>
>>>>> I'm trying to find out if Keycloak has an endpoint where I can submit my username and password to get a code. Later with this code I could exchange it for an access token.
>>>>>
>>>>> According to the Keycloak's documentation and taking a look into the Keycloak source code, the only endpoint I found out is the following:
>>>>>
>>>>> auth/realms/{realm-name}/protocol/openid-connect/auth?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&state={state}&login=true
>>>>>
>>>>> However, this endpoint returns a HTML page with a form where a user could enter username and password. The form action is:
>>>>>
>>>>> auth/realms/zwift/login-actions/request/login?code={code}
>>>>>
>>>>> The code parameter is generated by Keycloak when the HTML was processed and served, so I cannot call this endpoint directly because I need this code parameter.
>>>>>
>>>>> My question is: in any Keycloak version, is there a public Keycloak endpoint where I can submit username and password to get a code that will be used to get an access token later via /token endpoint?
>>>>>
>>>>> Just a note, I'm using an old Keycloak version: v1.2.0-Final.
>>>>>
>>>>> Regards,
>>>
>>> --
>>> BERNARDO PACHECO
>>>
>>> SOFTWARE ENGINEER at Zwift, Inc.
>>> bernardo at zwift.com

From sthorger at redhat.com Fri Mar 10 05:39:39 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 10 Mar 2017 11:39:39 +0100
Subject: [keycloak-user] Session timeout settings on a per application basis
In-Reply-To: 
References: 
Message-ID: 

With direct grant you don't have SSO so you could logout after a timeout. You can also use prompt=login and check the authentication time on the token to require a user to have re-authenticated recently to the sensitive apps.

On 10 March 2017 at 10:31, Alexander Chriztopher <alexander.chriztopher at gmail.com> wrote:
> any hints to how to achieve this ? should we do it manually by canceling the access_token when we want to (we are using Direct Access Grant by the way) ?

From mposolda at redhat.com Fri Mar 10 05:41:56 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 10 Mar 2017 11:41:56 +0100
Subject: [keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration
In-Reply-To: 
References: <3bfbc7e6-ed2e-f0ae-5150-4e295153fbbd@redhat.com>
Message-ID: <40ffbf48-670a-dbff-6de8-46983bde2bb0@redhat.com>

This looks like bad LDAP mapping for username and UUID. Which LDAP are you using btv?
Marek

On 09/03/17 16:03, Celso Agra wrote:
> Hi,
>
> I solved this error, just removing the MSAD account controls, but now I'm getting a new error, when I finished my registration:
> here is the log:
>
> 2017-03-09 11:58:00,375 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/myrealm/login-actions/required-action: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.NullPointerException
>     at org.keycloak.events.EventBuilder.user(EventBuilder.java:103)
>     at org.keycloak.services.resources.LoginActionsService.initEvent(LoginActionsService.java:815)
>     at org.keycloak.services.resources.LoginActionsService.access$500(LoginActionsService.java:88)
>     at org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:297)
>     at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853)
>     at org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>     ... 37 more
>
> 2017-03-09 9:47 GMT-03:00 Celso Agra:
>> Got it!
>>
>> But I haven't seen the pwdLastSet here in my LDAP mappers. I'm using the "Edit Mode" as WRITABLE, but I'm not setting this attribute.
>> Here are my attributes:
>>
>> cn
>> MSAD account controls
>> cpf
>> creation date
>> email
>> first name
>> last name
>> modify date
>> phpgwAccountStatus
>> username
>>
>> Thanks!!
>>
>> Best Regards,
>>
>> Celso Agra
>>
>> 2017-03-09 5:46 GMT-03:00 Marek Posolda:
>>> Hi,
>>>
>>> The error may indicate that you configured "pwdLastSet" attribute mapper in Keycloak to write into the LDAP, but it looks that writing this attribute is unsupported. Maybe switching this mapper to read-only will help?
>>>
>>> Marek
>>>
>>> On 08/03/17 15:29, Celso Agra wrote:
>>>> Hi all,
>>>>
>>>> I'm trying to configure KC with LDAP, but some errors are occurring.
>>>> First, I configured my LDAP to write in the LDAP server, but for some reasons I got this error when I try to register a user:
>>>>
>>>> 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa]
>>>>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:410)
>>>>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:104)
>>>>     at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:105)
>>>>     at org.keycloak.federation.ldap.mappers.msad.
> > MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( > MSADUserAccountControlMapper.java:235) > > at org.keycloak.federation.ldap.mappers.msad. > > MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( > MSADUserAccountControlMapper.java:220) > > at > org.keycloak.models.utils.UserModelDelegate.addRequiredAction( > > UserModelDelegate.java:112) > > at org.keycloak.authentication.fo > rms.RegistrationPassword. > > success(RegistrationPassword.java:101) > > at org.keycloak.authentication.Fo > rmAuthenticationFlow.processAction( > > FormAuthenticationFlow.java:234) > > at org.keycloak.authentication.De > faultAuthenticationFlow. > > processAction(DefaultAuthenticationFlow.java:76) > > at org.keycloak.authentication.Au > thenticationProcessor. > > authenticationAction(AuthenticationProcessor.java:759) > > at > org.keycloak.services.resources.LoginActionsService.processFlow( > > LoginActionsService.java:356) > > at > org.keycloak.services.resources.LoginActionsService. > > processRegistration(LoginActionsService.java:477) > > at > org.keycloak.services.resources.LoginActionsService. > > processRegister(LoginActionsService.java:535) > > at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at sun.reflect.NativeMethodAccessorImpl.invoke( > > NativeMethodAccessorImpl.java:62) > > at sun.reflect.DelegatingMethodAccessorImpl.invoke( > > DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:498) > > at org.jboss.resteasy.core.MethodInjectorImpl.invoke( > > MethodInjectorImpl.java:139) > > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( > > ResourceMethodInvoker.java:295) > > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke( > > ResourceMethodInvoker.java:249) > > at org.jboss.resteasy.core.ResourceLocatorInvoker. 
> > invokeOnTargetObject(ResourceLocatorInvoker.java:138) > > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > > ResourceLocatorInvoker.java:101) > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke( > > SynchronousDispatcher.java:395) > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke( > > SynchronousDispatcher.java:202) > > at org.jboss.resteasy.plugins.server.servlet. > > ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > > at org.jboss.resteasy.plugins.server.servlet. > > HttpServletDispatcher.service(HttpServletDispatcher.java:56) > > at org.jboss.resteasy.plugins.server.servlet. > > HttpServletDispatcher.service(HttpServletDispatcher.java:51) > > at > javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > > at > io.undertow.servlet.handlers.ServletHandler.handleRequest( > > ServletHandler.java:85) > > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > > doFilter(FilterHandler.java:129) > > at > org.keycloak.services.filters.KeycloakSessionServletFilter. > > doFilter(KeycloakSessionServletFilter.java:90) > > at io.undertow.servlet.core.ManagedFilter.doFilter( > > ManagedFilter.java:60) > > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > > doFilter(FilterHandler.java:131) > > at > io.undertow.servlet.handlers.FilterHandler.handleRequest( > > FilterHandler.java:84) > > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. > > handleRequest(ServletSecurityRoleHandler.java:62) > > at > io.undertow.servlet.handlers.ServletDispatchingHandler. > > handleRequest(ServletDispatchingHandler.java:36) > > at org.wildfly.extension.undertow.security. > > SecurityContextAssociationHandler.handleRequest( > SecurityContextAssociationHandler.java:78) > > at io.undertow.server.handlers.Pr > edicateHandler.handleRequest( > > PredicateHandler.java:43) > > at io.undertow.servlet.handlers.security. 
> > SSLInformationAssociationHandler.handleRequest( > SSLInformationAssociationHandler.java:131) > > at io.undertow.servlet.handlers.security. > > ServletAuthenticationCallHandler.handleRequest( > ServletAuthenticationCallHandler.java:57) > > at io.undertow.server.handlers.Pr > edicateHandler.handleRequest( > > PredicateHandler.java:43) > > at > io.undertow.security.handlers.AbstractConfidentialityHandler > > .handleRequest(AbstractConfidentialityHandler.java:46) > > at io.undertow.servlet.handlers.security. > > ServletConfidentialityConstraintHandler.handleRequest( > ServletConfidentialityConstraintHandler.java:64) > > at > io.undertow.security.handlers.AuthenticationMechanismsHandle > > r.handleRequest(AuthenticationMechanismsHandler.java:60) > > at io.undertow.servlet.handlers.security. > > CachedAuthenticatedSessionHandler.handleRequest( > CachedAuthenticatedSessionHandler.java:77) > > at > io.undertow.security.handlers.NotificationReceiverHandler. > > handleRequest(NotificationReceiverHandler.java:50) > > at > io.undertow.security.handlers.AbstractSecurityContextAssocia > > tionHandler.handleRequest(AbstractSecurityContextAssocia > tionHandler.java:43) > > at io.undertow.server.handlers.Pr > edicateHandler.handleRequest( > > PredicateHandler.java:43) > > at org.wildfly.extension.undertow.security.jacc. > > JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > at io.undertow.server.handlers.Pr > edicateHandler.handleRequest( > > PredicateHandler.java:43) > > at io.undertow.server.handlers.Pr > edicateHandler.handleRequest( > > PredicateHandler.java:43) > > at > io.undertow.servlet.handlers.ServletInitialHandler. > > handleFirstRequest(ServletInitialHandler.java:284) > > at > io.undertow.servlet.handlers.ServletInitialHandler. > > dispatchRequest(ServletInitialHandler.java:263) > > at > io.undertow.servlet.handlers.ServletInitialHandler.access$ > > 000(ServletInitialHandler.java:81) > > at > io.undertow.servlet.handlers.ServletInitialHandler$1. 
> > handleRequest(ServletInitialHandler.java:174) > > at > io.undertow.server.Connectors.executeRootHandler(Connectors. > > java:202) > > at io.undertow.server.HttpServerExchange$1.run( > > HttpServerExchange.java:793) > > at java.util.concurrent.ThreadPoolExecutor.runWorker( > > ThreadPoolExecutor.java:1142) > > at > java.util.concurrent.ThreadPoolExecutor$Worker.run( > > ThreadPoolExecutor.java:617) > > at java.lang.Thread.run(Thread.java:745) > > Caused by: > javax.naming.directory.InvalidAttributeIdentifierException: > > [LDAP: error code 17 - pwdLastSet: attribute type > undefined]; remaining > name 'uid=11111111111,dc=zz,dc=dd,dc=aa' > > at > com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205) > > at > com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082) > > at > com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888) > > at > com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475) > > at > com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes( > > ComponentDirContext.java:277) > > at > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. > > modifyAttributes(PartialCompositeDirContext.java:192) > > at > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. > > modifyAttributes(PartialCompositeDirContext.java:181) > > at > javax.naming.directory.InitialDirContext.modifyAttributes( > > InitialDirContext.java:167) > > at > javax.naming.directory.InitialDirContext.modifyAttributes( > > InitialDirContext.java:167) > > at org.keycloak.federation.ldap.idm.store.ldap. > > LDAPOperationManager$6.execute(LDAPOperationManager.java:405) > > at org.keycloak.federation.ldap.idm.store.ldap. > > LDAPOperationManager$6.execute(LDAPOperationManager.java:402) > > at org.keycloak.federation.ldap.idm.store.ldap. > > LDAPOperationManager.execute(LDAPOperationManager.java:535) > > at > org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager. > > modifyAttributes(LDAPOperationManager.java:402) > > ... 
59 more > > 2017-03-08 11:05:28,865 WARN [org.keycloak.events] > (default task-6) > > type=LOGIN_ERROR, realmId=myrealm, > clientId=teste-portal, userId=null, > ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, > auth_method=openid-connect, auth_type=code, > redirect_uri=http://127.0.0.1: > 8080/teste-portal/ > > > and then, I got this result in my ldap: > > dn: uid=11111111111,dc=zz,dc=dd,dc=aa > > givenName:: IA== > > uid: 11111111111 > > objectClass: top > > objectClass: inetOrgPerson > > objectClass: person > > objectClass: organizationalPerson > > objectClass: phpgwAccount > > objectClass: shadowAccount > > sn:: IA== > > cn:: IA== > > structuralObjectClass: inetOrgPerson > > entryUUID: 07f0e7caxxxxxxxxxxx > > creatorsName: cn=admin,dc=zz,dc=dd,dc=aa > > createTimestamp: 20170308140529Z > > entryCSN: 20170308140529.527857Z#000000#000#000000 > > modifiersName: cn=admin,dc=zz,dc=dd,dc=aa > > modifyTimestamp: 20170308140529Z > > > So, I wrote the uid as 11111111111, but I didn't set the > sn, cn and > givenName as 'IA=='. It looks like some problem occurs in > my configuration. > > please, need help!! > > > Best Regards, > > > > > > -- > --- > *Celso Agra* > > > > > -- > --- > *Celso Agra* From mposolda at redhat.com Fri Mar 10 06:02:10 2017 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 10 Mar 2017 12:02:10 +0100 Subject: [keycloak-user] Unable to Store and Retrieve Group-Role relationship in LDAP In-Reply-To: References: Message-ID: <462a2f04-e0f3-b019-66bb-1dc8436f395b@redhat.com> Yes, you're right. This is not available ATM. What is available is the support for Keycloak group inheritance to be mapped for LDAP groups. But mapping for: - Groups-roles membership mappings - Roles to composite roles membership mappings is not available now. Feel free to create JIRA. But not sure if we ever go into it... Marek On 10/03/17 11:31, abhishek raghav wrote: > Hi > > I have a set of* Realm Roles* that is mapped to an certain *OU=Roles* in an > *MSAD*. 
Similar is the case for a set of *Groups*. > > But when I *assign a group with a certain role, the assignment is visible > in Keycloak. But the same is not reflected on the AD.* > I mean, this mapping of role and group is *not stored in the "member" or > "memberof" attributes of either the respective group or the role*. > > Please suggest is this functionality available using any mapper from > Keycloak to AD? Or do we need to create our own Custom Mapper? If yes, how? > > > *- Best Regards* > Abhishek Raghav > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From abhi.raghav007 at gmail.com Fri Mar 10 06:15:11 2017 From: abhi.raghav007 at gmail.com (abhishek raghav) Date: Fri, 10 Mar 2017 16:45:11 +0530 Subject: [keycloak-user] Unable to Store and Retrieve Group-Role relationship in LDAP In-Reply-To: <462a2f04-e0f3-b019-66bb-1dc8436f395b@redhat.com> References: <462a2f04-e0f3-b019-66bb-1dc8436f395b@redhat.com> Message-ID: Thanks Marek. Is it possible by writing a *custom ldap mapper* and deploy in Keycloak for this scenario. We am using *MSAD *as our LDAP provider. If yes, do you have any example implementation for the same. I also found that there is some SPI for User Federation Mapper SPI. https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/user-federation-mapper.html *- Best Regards* Abhishek Raghav On Fri, Mar 10, 2017 at 4:32 PM, Marek Posolda wrote: > Yes, you're right. This is not available ATM. What is available is the > support for Keycloak group inheritance to be mapped for LDAP groups. But > mapping for: > - Groups-roles membership mappings > - Roles to composite roles membership mappings > is not available now. > > Feel free to create JIRA. But not sure if we ever go into it... 
>
> Marek
>
>
> On 10/03/17 11:31, abhishek raghav wrote:
>
>> Hi
>>
>> I have a set of *Realm Roles* that is mapped to a certain *OU=Roles* in an *MSAD*. Similar is the case for a set of *Groups*.
>>
>> But when I *assign a group with a certain role, the assignment is visible in Keycloak. But the same is not reflected on the AD.*
>> I mean, this mapping of role and group is *not stored in the "member" or "memberof" attributes of either the respective group or the role*.
>>
>> Please suggest: is this functionality available using any mapper from Keycloak to AD? Or do we need to create our own Custom Mapper? If yes, how?
>>
>>
>> *- Best Regards*
>> Abhishek Raghav
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From nicolas.gillet at market-ip.com Fri Mar 10 07:39:09 2017
From: nicolas.gillet at market-ip.com (Nicolas Gillet)
Date: Fri, 10 Mar 2017 12:39:09 +0000
Subject: [keycloak-user] Theming applications by customers
Message-ID:

Hello,

I am looking for an SSO solution and started playing around with Keycloak. We currently have no SSO solution, but it has become a need that our applications can seamlessly interact.

Our customers have "branding" requirements, so we adapt the look of our application pages (including login pages) with their logo and colors.
For some customers, we use a cookie to know which branding they need; for others we have dedicated domain names pointing to the very same IPs.

From what I grasped of Keycloak, this branding can be achieved with "themes" that can be configured on "realms".
Configuring a realm seems to require quite some time, and if we have an important number of branded customers this might become hard to maintain.
Also, the "topology" of our application (which are "clients" in Keycloak, I think) remains the same for all of our customers, but as a "client" belongs to a single "realm" we'll have to duplicate this configuration and propagate the changes to every realm.

So, I am wondering if Keycloak can fit our need or if I don't get it correctly.

If someone could be kind enough to shed some light on this for me or point me toward a way to achieve our goal, I'd be very thankful.

Kind regards,

Nicolas GILLET

Market-IP - Creating Mobile Intelligence
Phone : +32 81 33 11 11
Fax : +32 81 33 11 10
www.market-ip.com - www.telefleet.com - www.geoplanning.net - www.drivexpert.net

From sthorger at redhat.com Fri Mar 10 07:54:29 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 10 Mar 2017 13:54:29 +0100
Subject: [keycloak-user] Theming applications by customers
In-Reply-To:
References:
Message-ID:

Would https://issues.jboss.org/browse/KEYCLOAK-3370 do the trick?

On 10 March 2017 at 13:39, Nicolas Gillet wrote:

> Hello,
>
> I am looking for an SSO solution and started playing around with Keycloak. We currently have no SSO solution, but it has become a need that our applications can seamlessly interact.
>
> Our customers have "branding" requirements, so we adapt the look of our application pages (including login pages) with their logo and colors.
> For some customers, we use a cookie to know which branding they need; for others we have dedicated domain names pointing to the very same IPs.
>
> From what I grasped of Keycloak, this branding can be achieved with "themes" that can be configured on "realms".
> Configuring a realm seems to require quite some time, and if we have an important number of branded customers this might become hard to maintain.
> Also, the "topology" of our application (which are "clients" in Keycloak, I think) remains the same for all of our customers, but as a "client" belongs to a single "realm" we'll have to duplicate this configuration and propagate the changes to every realm.
>
> So, I am wondering if Keycloak can fit our need or if I don't get it correctly.
>
> If someone could be kind enough to shed some light on this for me or point me toward a way to achieve our goal, I'd be very thankful.
>
> Kind regards,
>
> Nicolas GILLET
>
> Market-IP - Creating Mobile Intelligence
> Phone : +32 81 33 11 11
> Fax : +32 81 33 11 10
> www.market-ip.com - www.telefleet.com - www.geoplanning.net - www.drivexpert.net
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From max.catarino at rps.com.br Fri Mar 10 08:34:04 2017
From: max.catarino at rps.com.br (Maximiliano)
Date: Fri, 10 Mar 2017 06:34:04 -0700 (MST)
Subject: [keycloak-user] Credential Representation TOTP example
In-Reply-To:
References: <1488912423671-3057.post@n6.nabble.com> <1489081659555-3102.post@n6.nabble.com> <1489096149810-3108.post@n6.nabble.com>
Message-ID: <1489152844892-3133.post@n6.nabble.com>

I want to add a TOTP. Password resets are not a problem.

AccountService objects will be accessible only by Java Adapters, right? If that is true, I can't use org.keycloak.services.resources.AccountService.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Credential-Representation-TOTP-example-tp3057p3133.html
Sent from the keycloak-user mailing list archive at Nabble.com.
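The slapd thread quoted earlier on this page (Celso's "Could not modify attribute" failure ending in `[LDAP: error code 17 - pwdLastSet: attribute type undefined]`, and the resulting entry whose `cn`, `sn` and `givenName` came back as `IA==`) turns on two checks an operator can run before switching an LDAP federation provider to WRITABLE edit mode: what the base64 values in the LDIF actually decode to, and whether every attribute the realm's mappers write is an attribute type the directory's schema defines. The following is an added example, not code from the thread or from Keycloak. The LDIF excerpt is constructed from the entry in the post, and the `MAPPER_TARGETS` and `SLAPD_DEFINED` sets are hypothetical stand-ins for the realm's mapper configuration and the server's attribute types.

```python
import base64

# Constructed LDIF excerpt modelled on the entry posted in the thread
# (operational attributes omitted; DN and values as in the post).
SAMPLE_LDIF = """\
dn: uid=11111111111,dc=zz,dc=dd,dc=aa
givenName:: IA==
uid: 11111111111
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: phpgwAccount
objectClass: shadowAccount
sn:: IA==
cn:: IA==
structuralObjectClass: inetOrgPerson
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}.

    'attr:: value' means the value is base64-encoded; ldapsearch encodes any
    value that is not safe as plain text, for instance one that starts with
    a space, which is exactly what IA== is.
    """
    entry = {}
    for line in _unfold(text):
        if ":" not in line:
            raise ValueError("malformed LDIF line: %r" % line)
        sep = line.index(":")
        attr = line[:sep].strip()
        if line[sep + 1:sep + 2] == ":":
            value = base64.b64decode(line[sep + 2:].strip()).decode("utf-8")
        else:
            value = line[sep + 1:].strip()
        entry.setdefault(attr, []).append(value)
    return entry


def blank_attributes(entry, attrs=("cn", "sn", "givenName")):
    """Return the attributes present in the entry whose values are all whitespace.

    A mapper that writes '' or ' ' into a MUST attribute such as cn or sn is
    how an entry ends up with cn:: IA== instead of the real name.
    """
    return sorted(a for a in attrs
                  if a in entry and all(v.strip() == "" for v in entry[a]))


def unsupported_writes(mapper_attributes, schema_attributes):
    """Attributes the mappers would write that the directory schema does not define.

    Writing any of these fails with LDAP result code 17 (undefinedAttributeType),
    the error the thread shows for pwdLastSet on slapd.
    """
    return sorted(set(mapper_attributes) - set(schema_attributes))


# Hypothetical sets, not read from a real realm or directory: attributes the
# LDAP mappers target (including the MSAD account control mapper, which
# writes Active Directory attributes) versus attribute types slapd defines.
MAPPER_TARGETS = {"uid", "cn", "sn", "givenName", "mail",
                  "pwdLastSet", "userAccountControl"}
SLAPD_DEFINED = {"uid", "cn", "sn", "givenName", "mail", "objectClass",
                 "createTimestamp", "modifyTimestamp", "phpgwAccountStatus"}

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("decoded cn:", repr(entry["cn"]))
    print("blank attributes:", blank_attributes(entry))
    print("mapper writes the schema lacks:",
          unsupported_writes(MAPPER_TARGETS, SLAPD_DEFINED))
```

On a live deployment the schema set would be read from the server's subschema subentry (on OpenLDAP, `ldapsearch -b cn=Subschema -s base attributeTypes`) and the mapper set from the realm's user federation mapper configuration. `IA==` decodes to a single space, which is why ldapsearch base64-encoded it; a mapper that writes whitespace into `cn` and `sn` matches what Marek, in the reply quoted below, puts down to a bad LDAP mapping for username and UUID.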
From celso.agra at gmail.com Fri Mar 10 08:40:07 2017 From: celso.agra at gmail.com (Celso Agra) Date: Fri, 10 Mar 2017 10:40:07 -0300 Subject: [keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration In-Reply-To: <40ffbf48-670a-dbff-6de8-46983bde2bb0@redhat.com> References: <3bfbc7e6-ed2e-f0ae-5150-4e295153fbbd@redhat.com> <40ffbf48-670a-dbff-6de8-46983bde2bb0@redhat.com> Message-ID: I'm using slapd. Here is the object classes that I'm using: top, inetOrgPerson, person, organizationalPerson, phpgwAccount, shadowAccount 2017-03-10 7:41 GMT-03:00 Marek Posolda : > This looks like bad LDAP mapping for username and UUID. Which LDAP are you > using btv? > > Marek > > > On 09/03/17 16:03, Celso Agra wrote: > > Hi, > > I solved this error, just removing the MSAD account controls, but now I'm > getting a new error, when I finished my registration: > here is the log: > > 2017-03-09 11:58:00,375 ERROR [io.undertow.request] (default task-1) >> UT005023: Exception handling request to /auth/realms/myrealm/login-actions/required-action: >> org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException >> at org.jboss.resteasy.core.ExceptionHandler. >> handleApplicationException(ExceptionHandler.java:76) >> at org.jboss.resteasy.core.ExceptionHandler.handleException( >> ExceptionHandler.java:212) >> at org.jboss.resteasy.core.SynchronousDispatcher.writeException( >> SynchronousDispatcher.java:168) >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >> SynchronousDispatcher.java:411) >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >> SynchronousDispatcher.java:202) >> at org.jboss.resteasy.plugins.server.servlet. >> ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >> at org.jboss.resteasy.plugins.server.servlet. >> HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at org.jboss.resteasy.plugins.server.servlet. 
>> HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at io.undertow.servlet.handlers.ServletHandler.handleRequest( >> ServletHandler.java:85) >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >> doFilter(FilterHandler.java:129) >> at org.keycloak.services.filters.KeycloakSessionServletFilter. >> doFilter(KeycloakSessionServletFilter.java:90) >> at io.undertow.servlet.core.ManagedFilter.doFilter( >> ManagedFilter.java:60) >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >> doFilter(FilterHandler.java:131) >> at io.undertow.servlet.handlers.FilterHandler.handleRequest( >> FilterHandler.java:84) >> at io.undertow.servlet.handlers.security. >> ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler. >> java:62) >> at io.undertow.servlet.handlers.ServletDispatchingHandler. >> handleRequest(ServletDispatchingHandler.java:36) >> at org.wildfly.extension.undertow.security. >> SecurityContextAssociationHandler.handleRequest( >> SecurityContextAssociationHandler.java:78) >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> PredicateHandler.java:43) >> at io.undertow.servlet.handlers.security. >> SSLInformationAssociationHandler.handleRequest( >> SSLInformationAssociationHandler.java:131) >> at io.undertow.servlet.handlers.security. >> ServletAuthenticationCallHandler.handleRequest( >> ServletAuthenticationCallHandler.java:57) >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> PredicateHandler.java:43) >> at io.undertow.security.handlers.AbstractConfidentialityHandler >> .handleRequest(AbstractConfidentialityHandler.java:46) >> at io.undertow.servlet.handlers.security. 
>> ServletConfidentialityConstraintHandler.handleRequest( >> ServletConfidentialityConstraintHandler.java:64) >> at io.undertow.security.handlers.AuthenticationMechanismsHandle >> r.handleRequest(AuthenticationMechanismsHandler.java:60) >> at io.undertow.servlet.handlers.security. >> CachedAuthenticatedSessionHandler.handleRequest( >> CachedAuthenticatedSessionHandler.java:77) >> at io.undertow.security.handlers.NotificationReceiverHandler. >> handleRequest(NotificationReceiverHandler.java:50) >> at io.undertow.security.handlers.AbstractSecurityContextAssocia >> tionHandler.handleRequest(AbstractSecurityContextAssocia >> tionHandler.java:43) >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> PredicateHandler.java:43) >> at org.wildfly.extension.undertow.security.jacc. >> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> PredicateHandler.java:43) >> at io.undertow.server.handlers.PredicateHandler.handleRequest( >> PredicateHandler.java:43) >> at io.undertow.servlet.handlers.ServletInitialHandler. >> handleFirstRequest(ServletInitialHandler.java:284) >> at io.undertow.servlet.handlers.ServletInitialHandler. >> dispatchRequest(ServletInitialHandler.java:263) >> at io.undertow.servlet.handlers.ServletInitialHandler.access$ >> 000(ServletInitialHandler.java:81) >> at io.undertow.servlet.handlers.ServletInitialHandler$1. >> handleRequest(ServletInitialHandler.java:174) >> at io.undertow.server.Connectors.executeRootHandler(Connectors. 
>> java:202) >> at io.undertow.server.HttpServerExchange$1.run( >> HttpServerExchange.java:793) >> at java.util.concurrent.ThreadPoolExecutor.runWorker( >> ThreadPoolExecutor.java:1142) >> at java.util.concurrent.ThreadPoolExecutor$Worker.run( >> ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: java.lang.NullPointerException >> at org.keycloak.events.EventBuilder.user(EventBuilder.java:103) >> at org.keycloak.services.resources.LoginActionsService. >> initEvent(LoginActionsService.java:815) >> at org.keycloak.services.resources.LoginActionsService. >> access$500(LoginActionsService.java:88) >> at org.keycloak.services.resources.LoginActionsService$ >> Checks.verifyRequiredAction(LoginActionsService.java:297) >> at org.keycloak.services.resources.LoginActionsService. >> processRequireAction(LoginActionsService.java:853) >> at org.keycloak.services.resources.LoginActionsService. >> requiredActionGET(LoginActionsService.java:846) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke( >> NativeMethodAccessorImpl.java:62) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke( >> DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >> MethodInjectorImpl.java:139) >> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( >> ResourceMethodInvoker.java:295) >> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( >> ResourceMethodInvoker.java:249) >> at org.jboss.resteasy.core.ResourceLocatorInvoker. >> invokeOnTargetObject(ResourceLocatorInvoker.java:138) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >> ResourceLocatorInvoker.java:101) >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >> SynchronousDispatcher.java:395) >> ... 37 more > > > > > > 2017-03-09 9:47 GMT-03:00 Celso Agra : > >> Got it! 
>> >> But I haven't seen the pwdLastSet here in my LDAP`mappers. I'm using the >> "Edit Mode" as WRITABLE, but I'm not setting this attribute. >> Here is my attributes: >> >>> cn >>> MSAD account controls >>> cpf >>> creation date >>> email >>> first name >>> last name >>> modify date >>> phpgwAccountStatus >>> username >> >> >> Thanks!! >> >> Best Regards, >> >> Celso Agra >> >> 2017-03-09 5:46 GMT-03:00 Marek Posolda : >> >>> Hi, >>> >>> The error may indicate that you configured "pwdLastSet" attribute mapper >>> in Keycloak to write into the LDAP, but it looks that writing this >>> attribute is unsupported. Maybe switch this mapper to read-only will help? >>> >>> Marek >>> >>> >>> On 08/03/17 15:29, Celso Agra wrote: >>> >>>> Hi all, >>>> >>>> I'm trying to configure KC with LDAP, but some errors are occurring. >>>> First, I configured my LDAP to write in the LDAP server, but for some >>>> reasons I got this error when I try to register an user: >>>> >>>> 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) >>>> >>>>> KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelExcep >>>>> tion: >>>>> Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa] >>>>> >>>> at org.keycloak.federation.ldap.i >>>> dm.store.ldap.LDAPOperationManager. >>>> >>>>> modifyAttributes(LDAPOperationManager.java:410) >>>>> >>>> at org.keycloak.federation.ldap.i >>>> dm.store.ldap.LDAPOperationManager. >>>> >>>>> modifyAttributes(LDAPOperationManager.java:104) >>>>> >>>> at org.keycloak.federation.ldap.idm.store.ldap. >>>> >>>>> LDAPIdentityStore.update(LDAPIdentityStore.java:105) >>>>> >>>> at org.keycloak.federation.ldap.mappers.msad. >>>> >>>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( >>>>> MSADUserAccountControlMapper.java:235) >>>>> >>>> at org.keycloak.federation.ldap.mappers.msad. 
>>>> >>>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( >>>>> MSADUserAccountControlMapper.java:220) >>>>> >>>> at org.keycloak.models.utils.User >>>> ModelDelegate.addRequiredAction( >>>> >>>>> UserModelDelegate.java:112) >>>>> >>>> at org.keycloak.authentication.forms.RegistrationPassword. >>>> >>>>> success(RegistrationPassword.java:101) >>>>> >>>> at org.keycloak.authentication.Fo >>>> rmAuthenticationFlow.processAction( >>>> >>>>> FormAuthenticationFlow.java:234) >>>>> >>>> at org.keycloak.authentication.DefaultAuthenticationFlow. >>>> >>>>> processAction(DefaultAuthenticationFlow.java:76) >>>>> >>>> at org.keycloak.authentication.AuthenticationProcessor. >>>> >>>>> authenticationAction(AuthenticationProcessor.java:759) >>>>> >>>> at org.keycloak.services.resource >>>> s.LoginActionsService.processFlow( >>>> >>>>> LoginActionsService.java:356) >>>>> >>>> at org.keycloak.services.resources.LoginActionsService. >>>> >>>>> processRegistration(LoginActionsService.java:477) >>>>> >>>> at org.keycloak.services.resources.LoginActionsService. >>>> >>>>> processRegister(LoginActionsService.java:535) >>>>> >>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>> >>>> at sun.reflect.NativeMethodAccessorImpl.invoke( >>>> >>>>> NativeMethodAccessorImpl.java:62) >>>>> >>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke( >>>> >>>>> DelegatingMethodAccessorImpl.java:43) >>>>> >>>> at java.lang.reflect.Method.invoke(Method.java:498) >>>> >>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >>>> >>>>> MethodInjectorImpl.java:139) >>>>> >>>> at org.jboss.resteasy.core.Resour >>>> ceMethodInvoker.invokeOnTarget( >>>> >>>>> ResourceMethodInvoker.java:295) >>>>> >>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( >>>> >>>>> ResourceMethodInvoker.java:249) >>>>> >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker. 
>>>> >>>>> invokeOnTargetObject(ResourceLocatorInvoker.java:138) >>>>> >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>>> >>>>> ResourceLocatorInvoker.java:101) >>>>> >>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>>> >>>>> SynchronousDispatcher.java:395) >>>>> >>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>>> >>>>> SynchronousDispatcher.java:202) >>>>> >>>> at org.jboss.resteasy.plugins.server.servlet. >>>> >>>>> ServletContainerDispatcher.service(ServletContainerDispatche >>>>> r.java:221) >>>>> >>>> at org.jboss.resteasy.plugins.server.servlet. >>>> >>>>> HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>>> >>>> at org.jboss.resteasy.plugins.server.servlet. >>>> >>>>> HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>>> >>>> at javax.servlet.http.HttpServlet >>>> .service(HttpServlet.java:790) >>>> >>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest( >>>> >>>>> ServletHandler.java:85) >>>>> >>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >>>> >>>>> doFilter(FilterHandler.java:129) >>>>> >>>> at org.keycloak.services.filters.KeycloakSessionServletFilter. >>>> >>>>> doFilter(KeycloakSessionServletFilter.java:90) >>>>> >>>> at io.undertow.servlet.core.ManagedFilter.doFilter( >>>> >>>>> ManagedFilter.java:60) >>>>> >>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. >>>> >>>>> doFilter(FilterHandler.java:131) >>>>> >>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest( >>>> >>>>> FilterHandler.java:84) >>>>> >>>> at io.undertow.servlet.handlers.s >>>> ecurity.ServletSecurityRoleHandler. >>>> >>>>> handleRequest(ServletSecurityRoleHandler.java:62) >>>>> >>>> at io.undertow.servlet.handlers.ServletDispatchingHandler. >>>> >>>>> handleRequest(ServletDispatchingHandler.java:36) >>>>> >>>> at org.wildfly.extension.undertow.security. 
>>>> >>>>> SecurityContextAssociationHandler.handleRequest( >>>>> SecurityContextAssociationHandler.java:78) >>>>> >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>>> >>>>> PredicateHandler.java:43) >>>>> >>>> at io.undertow.servlet.handlers.security. >>>> >>>>> SSLInformationAssociationHandler.handleRequest( >>>>> SSLInformationAssociationHandler.java:131) >>>>> >>>> at io.undertow.servlet.handlers.security. >>>> >>>>> ServletAuthenticationCallHandler.handleRequest( >>>>> ServletAuthenticationCallHandler.java:57) >>>>> >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>>> >>>>> PredicateHandler.java:43) >>>>> >>>> at io.undertow.security.handlers. >>>> AbstractConfidentialityHandler >>>> >>>>> .handleRequest(AbstractConfidentialityHandler.java:46) >>>>> >>>> at io.undertow.servlet.handlers.security. >>>> >>>>> ServletConfidentialityConstraintHandler.handleRequest( >>>>> ServletConfidentialityConstraintHandler.java:64) >>>>> >>>> at io.undertow.security.handlers. >>>> AuthenticationMechanismsHandle >>>> >>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>> >>>> at io.undertow.servlet.handlers.security. >>>> >>>>> CachedAuthenticatedSessionHandler.handleRequest( >>>>> CachedAuthenticatedSessionHandler.java:77) >>>>> >>>> at io.undertow.security.handlers.NotificationReceiverHandler. >>>> >>>>> handleRequest(NotificationReceiverHandler.java:50) >>>>> >>>> at io.undertow.security.handlers. >>>> AbstractSecurityContextAssocia >>>> >>>>> tionHandler.handleRequest(AbstractSecurityContextAssocia >>>>> tionHandler.java:43) >>>>> >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest( >>>> >>>>> PredicateHandler.java:43) >>>>> >>>> at org.wildfly.extension.undertow.security.jacc. 
>>>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
>>>> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
>>>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
>>>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
>>>> at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>>>> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>>>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>>>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>>>> at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>>> at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>>>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
>>>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
>>>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
>>>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:402)
>>>> ... 59 more
>>>>
>>>> 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://127.0.0.1:8080/teste-portal/
>>>>
>>>> and then, I got this result in my ldap:
>>>>
>>>> dn: uid=11111111111,dc=zz,dc=dd,dc=aa
>>>> givenName:: IA==
>>>> uid: 11111111111
>>>> objectClass: top
>>>> objectClass: inetOrgPerson
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: phpgwAccount
>>>> objectClass: shadowAccount
>>>> sn:: IA==
>>>> cn:: IA==
>>>> structuralObjectClass: inetOrgPerson
>>>> entryUUID: 07f0e7caxxxxxxxxxxx
>>>> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
>>>> createTimestamp: 20170308140529Z
>>>> entryCSN: 20170308140529.527857Z#000000#000#000000
>>>> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
>>>> modifyTimestamp: 20170308140529Z
>>>>
>>>> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and givenName as 'IA=='. It looks like some problem occurs in my configuration.
>>>>
>>>> Please, need help!!
>>>>
>>>> Best Regards,
>>>>
>>>
>>
>

--
---
*Celso Agra*

From nicolas.gillet at market-ip.com Fri Mar 10 09:02:34 2017
From: nicolas.gillet at market-ip.com (Nicolas Gillet)
Date: Fri, 10 Mar 2017 14:02:34 +0000
Subject: [keycloak-user] Theming applications by customers
In-Reply-To:
References:
Message-ID:

Hello Stian

Thank you for the quick reply.

I saw that issue when google-ing about Keycloak theming. It would indeed be helpful for us but doesn't fully fit our need.

Some of our customers use several applications of ours. For each application, they currently have a separate account. (cumbersome for them)
For these customers, we create branding of our applications, these branding are then also replicated in the different applications (cumbersome for us)

I think an example may be helpful.

Let's say we have a blue customer and a green customer as well as an app1 and an app2.
Our blue customer will use www.app1.blue.com and www.app2.blue.com
Our green customer will use www.app1.green.com and www.app2.green.com

Both app1.blue.com and app1.green.com are the very same application "app1" (same IP, same server, same database)
Same goes for app2.blue.com and app2.green.com that are the very same application "app2" (IP, server, DB) separated from "app1"

The login pages of the applications are aware that the domain is "green" or "blue" and then display a blue or green branding.

With Keycloak "app1" and "app2" will be "clients" in a realm (as far as I understand it).
To be able to display the correct color to the correct customer, I see no other solutions than creating a "blue" and a "green"
realm (+theme) duplicating the configuration of clients "app1" and "app2" in both realms.

So, I was wondering if there exists a way in Keycloak to avoid this duplication and still offer unified branding across different applications.

Kind regards,

Nicolas GILLET
Market-IP - Creating Mobile Intelligence
Phone : +32 81 33 11 11
Fax : +32 81 33 11 10

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday 10 March 2017 13:54
To: Nicolas Gillet
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Theming applications by customers

Would https://issues.jboss.org/browse/KEYCLOAK-3370 do the trick?

On 10 March 2017 at 13:39, Nicolas Gillet wrote:

Hello,

I am looking for an SSO solution and started playing around with Keycloak.

We currently have no SSO solution but it has become a need that our application can seamlessly interact.

Our customers have "branding" requirement so we adapt the look of our application pages (including login pages) with their logo and colors.
For some customers, we use a cookie to know which branding they need, for others we have dedicated domain names pointing to the very same IP's.

From what I grasped of Keycloak, this branding can be achieved with "themes" that can be configured on "realms".
Configuring a realm seems to require quite some time and if we have an important number of branded customer this might become hard to maintain.
Also, the "topology" of our application (which are "clients" in Keycloak I think) remains the same for all customers of ours but as a "client" belongs to a single "realm" we'll have to duplicate this configuration and propagate the changes to any realm.

So, I am wondering if Keycloak can fit our need or if I don't get it correctly.

If someone could be kind enough to shed some light on this for me or point me toward a way to achieve our goal I'd be very thankful.
Kind regards,

Nicolas GILLET
Market-IP - Creating Mobile Intelligence
Phone : +32 81 33 11 11
Fax : +32 81 33 11 10
www.market-ip.com - www.telefleet.com - www.geoplanning.net - www.drivexpert.net

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sven.thoms at gmail.com Fri Mar 10 10:07:43 2017
From: sven.thoms at gmail.com (Sven Thoms)
Date: Fri, 10 Mar 2017 16:07:43 +0100
Subject: [keycloak-user] Admin REST New User Client Roles
In-Reply-To:
References:
Message-ID:

I am having trouble adding a default client role when posting a new user to the ADMIN REST interface.

According to one data migration code, it would work:

https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/examples/authz/photoz/photoz-realm.json

    curl -v -X POST \
      -H "Content-Type:application/json" \
      -H 'Authorization: bearer xxxx' \
      -d '{
        "username": "my_user",
        "enabled": true,
        "credentials": [
          {
            "value" : "my_password",
            "temporary" : false
          } ],
        "realmRoles": [
          "offline_access", "uma_authorization"
        ],
        "clientRoles": {
          "realm-management": [
            "view-clients"
          ]
        }
      }' \
      https://mydomain/auth/admin/realms/myrealm/users

The new user is created, but role mappings are not assigned. Is this another case of Admin REST API and AuthZ not working together?

From pavel.masloff at gmail.com Fri Mar 10 10:49:55 2017
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Fri, 10 Mar 2017 16:49:55 +0100
Subject: [keycloak-user] [keycloak-spring-boot-adapter] disable security via application.properties file
Message-ID:

Hi all,

Sometimes (for testing purposes) I need to disable keycloak security.
Is it possible to do so via application.properties file?
Right now apart from the properties file I also have to comment out these dependencies and rebuild the project:

    compile 'org.keycloak:keycloak-spring-boot-adapter:2.5.1.Final'
    compile 'org.keycloak:keycloak-tomcat8-adapter:2.5.1.Final'

Regards,
Pavel Maslov, MS

From marcelo.nardelli at gmail.com Fri Mar 10 12:41:42 2017
From: marcelo.nardelli at gmail.com (Marcelo Nardelli)
Date: Fri, 10 Mar 2017 14:41:42 -0300
Subject: [keycloak-user] Integration with legacy systems
Message-ID:

Hello,

We recently started using Keycloak in our organization but we are not sure which approach would be best to use when there are some user permissions that rely on information managed by other systems (legacy systems that we have).

In our specific case, we have the following setup:

- A Keycloak server integrated with LDAP to retrieve users
- A Java backend protected by Bearer Token
- A Javascript frontend developed in EmberJS that accesses the Java backend

One of the requirements we have is the following:

- Users who have a certain managerial position must have a common set of permissions.

To meet this requirement, we created a group, included the relevant users, and assigned the appropriate permissions (roles) to the group. This works fine for us.

However, we have a legacy system that manages the positions that a user assumes in the organization, so that a user who today holds a management position may no longer have that position tomorrow in the legacy system. When he loses the management position, someone needs to be warned and manually remove the user from the Keycloak group.

Ideally, we would like this process not to be so manual. Which approaches would be recommended for this situation?
- Make the legacy system somehow access Keycloak to remove users from the group when needed
- Make our application query the legacy system to verify that the permissions that are on the token are appropriate for the user's current position
- Change the keycloak in some way to query the legacy system and determine based on this information whether the user should receive the permissions

Thanks for the attention

Marcelo Nardelli

From psilva at redhat.com Fri Mar 10 15:55:20 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 10 Mar 2017 17:55:20 -0300
Subject: [keycloak-user] Keycloak is granting broader authorization entitlements to scopes on resources than specified
In-Reply-To:
References:
Message-ID:

Hello Koloman,

As you may have noticed, I have sent a PR with some fixes and improvements to the policy evaluation engine. I've used your repository to test things out and I only have one comment.

There you have a resource-c which is granted by a resource-based permission and for this resource you will be granted with all scopes associated with the resource. Differently than resource-a, where you have only a scope-resource permission for a specific scope, which does not imply granting additional scopes.

If you want to provide more fine-grained permissions to the scopes associated with resource-c, you can define scope permissions to the scopes you want to protect.

I think I'm going to review the ENFORCING mode for 3.0 in order to also include "orphan" scopes when evaluating policies. This may bring some usability issues as a consequence of a more restrictive permissioning model. Or we can create a separated enforcement mode for this kind of stuff, maybe a configuration option on a resource permission, I don't know ....

Regards.
Pedro Igor

On Thu, Mar 9, 2017 at 1:34 PM, Pedro Igor Silva wrote:

> On Thu, Mar 9, 2017 at 11:58 AM, KLIMPFINGER Koloman wrote:
>
>> Hi keycloak users!
>>
>> I've a question about using scope and resource permissions to protect my resources.
>> To me it seems that keycloak is granting broader authorization entitlements than I specified it with the policies & permissions - a security issue from my point of view.
>> For example keycloak - according to the entitlement token of a user - grants access to a resource and ALL its scopes, even if I only specified a permission to access only ONE scope on that resource for that user (with a policy).
>> Is It wrong to assume that the user should only have access to the one scope?
>>
>> Another issue is that keycloak grants access to a resource and ALL its scopes, even if I only specified a permission to access only that resource for that user (with a policy) without a scope.
>> Is the assumption wrong that the user should only know about the resource but not the scopes?
>>
>> Or is my understanding of how to handle the authorization entitlements for resources and their scopes with keycloak wrong?
>> What would be the best practice to secure the resources and their scopes?
>>
>
> You are correct. This is an issue with the Entitlement API and Scope-based Permissions. Created https://issues.jboss.org/browse/KEYCLOAK-4555, sending a fix shortly.
>
> You should not see this happening if using Authorization API where evaluation is performed on a per-resource/scope basis.
>
> Will take a look on that repository (just perfect to understand what is happening) you pointed out and check the results once I have the issue fixed. Can you watch that JIRA for updates ?
>
>> Here I describe the scenario & point to a live example:
>>
>> _ The scenario _
>>
>> Created Entities:
>> User: Marta
>> Policy: Policy-IsUser-Marta
>> Scopes: read, write, execute
>> Resource: resource-a (with all three scopes)
>> Resource: resource-c (with all three scopes)
>> Resource-Permission: resource-c -> Policy-IsUser-Marta
>> Scope-Permission: resource-a + scope read -> Policy-IsUser-Marta
>>
>> Retrieve entitlements:
>> Get your (Martas) entitlements token and check the granted permissions - they are:
>>
>> - resource-a -> read + write + execute
>> - resource-c -> read + write + execute
>>
>> What I would expect:
>>
>> - resource-a -> read
>> - resource-c -> (no scopes)
>>
>> _ Sample Project _
>> I created a sample to see it live in action:
>> https://github.com/kklimpfi/keycloak-scenarios
>>
>> It contains a keycloak-migration.json with some sample data (in master realm) + a java application that retrieves the Permissions.
>> You can clone it and try it (configure setup script for importing and pass the system property for the java application to its configuration).
>> (Using Keycloak-2.5.4.Final standalone on Windows 7, should also work on Linux)
>>
>> kind regards,
>> Koloman
>

From thomas.darimont at googlemail.com Fri Mar 10 16:18:26 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 10 Mar 2017 22:18:26 +0100
Subject: [keycloak-user] Admin REST New User Client Roles
In-Reply-To:
References:
Message-ID:

Hello,

to assign client or realm roles you need to use dedicated sub-resources of the user resource.

The following example creates a new user and assigns a realm role and client role via the Keycloak Admin Client API:

    package de.tdlabs.keycloak.client;

    import org.keycloak.OAuth2Constants;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;
    import org.keycloak.admin.client.resource.RealmResource;
    import org.keycloak.admin.client.resource.UsersResource;
    import org.keycloak.representations.idm.ClientRepresentation;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.RoleRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    import javax.ws.rs.core.Response;
    import java.util.Arrays;
    import java.util.Collections;

    /**
     * Created by tom on 09.08.16.
     */
    public class KeycloakClientExample {

        public static void main(String[] args) {

            String serverUrl = "http://localhost:8081/auth";
            String realm = "acme";
            String clientId = "idm-client";
            String clientSecret = "288876a6-c469-4a58-bdbb-5aefa8fd82ab";

            // Authenticate the admin client with the client-credentials grant
            Keycloak keycloak = KeycloakBuilder.builder() //
                    .serverUrl(serverUrl)
                    .realm(realm)
                    .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                    .clientId(clientId)
                    .clientSecret(clientSecret)
                    .build();

            UserRepresentation user = new UserRepresentation();
            user.setEnabled(true);
            user.setUsername("tester1");
            user.setEmail("tom+tester1 at localhost");
            user.setAttributes(Collections.singletonMap("origin", Arrays.asList("demo")));

            RealmResource realmResource = keycloak.realm(realm);
            UsersResource userRessource = realmResource.users();

            // Create the user; the new user's id is the last segment of the Location header
            Response response = userRessource.create(user);
            System.out.println(response.getLocation());
            String userId = response.getLocation().getPath().replaceAll(".*/([^/]+)$", "$1");

            // Realm role: look up the role, then add it via the user's realm-level role-mapping sub-resource
            RoleRepresentation testerRealmRole = realmResource.roles().get("tester").toRepresentation();
            userRessource.get(userId).roles().realmLevel().add(Arrays.asList(testerRealmRole));

            // Client role: resolve the client's internal id, look up the role, then add it via the client-level sub-resource
            ClientRepresentation app1Client = realmResource.clients().findByClientId("app1").get(0);
            RoleRepresentation userClientRole = realmResource.clients().get(app1Client.getId()).roles().get("user").toRepresentation();
            userRessource.get(userId).roles().clientLevel(app1Client.getId()).add(Arrays.asList(userClientRole));

            // Set a (non-temporary) password for the new user
            CredentialRepresentation passwordCred = new CredentialRepresentation();
            passwordCred.setTemporary(false);
            passwordCred.setType(CredentialRepresentation.PASSWORD);
            passwordCred.setValue("test");

            userRessource.get(userId).resetPassword(passwordCred);
        }
    }

Cheers,
Thomas

2017-03-10 16:07 GMT+01:00 Sven Thoms :

> I am having trouble adding a default client role when posting a new user to the ADMIN REST interface.
> According to one data migration code, it would work:
>
> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/examples/authz/photoz/photoz-realm.json
>
>     curl -v -X POST \
>       -H "Content-Type:application/json" \
>       -H 'Authorization: bearer xxxx' \
>       -d '{
>         "username": "my_user",
>         "enabled": true,
>         "credentials": [
>           {
>             "value" : "my_password",
>             "temporary" : false
>           } ],
>         "realmRoles": [
>           "offline_access", "uma_authorization"
>         ],
>         "clientRoles": {
>           "realm-management": [
>             "view-clients"
>           ]
>         }
>       }' \
>       https://mydomain/auth/admin/realms/myrealm/users
>
> The new user is created, but role mappings are not assigned. Is this another case of Admin REST API and AuthZ not working together?

From mehdi.alishahi at gmail.com Sat Mar 11 04:32:12 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Sat, 11 Mar 2017 10:32:12 +0100
Subject: [keycloak-user] Obtain Token and Invoke Service through CLI
Message-ID:

Hi

I have read http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html for trying to authenticate to KC with username and password through CLI. But it seems this method does not work with KC 2.5.4, because public client does not provide Redirect URI field. See below:

    Obtain Token and Invoke Service

    First we need to create a client that can be used to obtain the token. Go to the Keycloak admin console again and create a new client. This time give it the *Client ID* curl and select public for access type. Under *Valid Redirect URIs* enter http://localhost.

How can I do this with KC 2.5.4?
Thanks,
Mehdi

From lganga14 at gmail.com Sat Mar 11 11:23:24 2017
From: lganga14 at gmail.com (Ganga Lakshmanasamy)
Date: Sat, 11 Mar 2017 21:53:24 +0530
Subject: [keycloak-user] Not able to invoke keycloak admin REST apis from wildfly container
Message-ID:

Hi,

I am not able to invoke keycloak admin REST apis from our wildfly container. Both keycloak and wildfly are ssl enabled and our app is using keycloak authentication. We are getting SSLHandshakeFailure error while trying to invoke keycloak's admin rest api to disable user. We are just making a client request. Below is the error,

"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Regards,
Ganga Lakshmanasamy

From karpenkorn at gmail.com Sat Mar 11 11:42:45 2017
From: karpenkorn at gmail.com (Roman Nikolaevich)
Date: Sat, 11 Mar 2017 18:42:45 +0200
Subject: [keycloak-user] Multi tenancy question
Message-ID:

Hello Guys,

We are testing example from official documentation regarding multi tenancy
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/multi-tenancy.html

So we are getting realm name from path but at some point our request is getting redirected to /sso/login url and as result realm name is lost, simply because of this method
org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint#commenceLoginRedirect

    protected void commenceLoginRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String contextAwareLoginUri = request.getContextPath() + loginUri;
        log.debug("Redirecting to login URI {}", contextAwareLoginUri);
        response.sendRedirect(contextAwareLoginUri);
    }

Could you please advise how to handle such situation ?
We see an option to override commenceLoginRedirect method, but we are not sure that it is correct way.

Thanks in advance.
Br,
Roma

From juan.amat at nokia.com Sat Mar 11 15:26:07 2017
From: juan.amat at nokia.com (Amat, Juan (Nokia - US))
Date: Sat, 11 Mar 2017 20:26:07 +0000
Subject: [keycloak-user] JAAS plugin and roles
In-Reply-To: <36845be9-dfef-5159-4fb8-b0119d562c06@redhat.com>
References: <36845be9-dfef-5159-4fb8-b0119d562c06@redhat.com>
Message-ID:

Created: https://issues.jboss.org/browse/KEYCLOAK-4567

Thank you.

> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Friday, March 10, 2017 2:35 AM
> To: Amat, Juan (Nokia - US) ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] JAAS plugin and roles
>
> On 09/03/17 15:33, Amat, Juan (Nokia - US) wrote:
> > Thank you for the pointer.
> >
> > I would have expected that this would be supported out of the box.
> If there is enough people asking for it, we can add it though. Feel free to create JIRA.
> >
> > Another comment.
> > In the logout method of AbstractKeycloakLoginModule.java, we remove the RolePrincipal.class principals from the subject's principals.
> > We can though configure the class used for the 'role' principal. Should this class be used instead?
> Yes, good point. Feel free to add that into the JIRA too.
>
> Marek
> >
> > Juan.
> >> -----Original Message-----
> >> From: Marek Posolda [mailto:mposolda at redhat.com]
> >> Sent: Thursday, March 09, 2017 12:23 AM
> >> To: Amat, Juan (Nokia - US) ; keycloak-user at lists.jboss.org
> >> Subject: Re: [keycloak-user] JAAS plugin and roles
> >>
> >> I recently did some example of the remote EJB client. You're right, there are special groups on Wildfly, which JAAS Subject needs to be member of.
> >>
> >> See the example here [1] . Especially take a look at the security-domain configuration and the "ConvertKEycloakRolesLoginModule", which needs to be put to the chain after DirectAccessGrantsLoginModule.
> >>
> >> Btv. if you are using web (HttpServletRequest etc), you should maybe rather use our OIDC/SAML adapters? But maybe I am missing something in your setup...
> >>
> >> [1] https://github.com/mposolda/keycloak-remote-ejb
> >>
> >> Marek
> >>
> >> On 08/03/17 20:10, Amat, Juan (Nokia - US) wrote:
> >>> I was trying to use this login module with an application deployed on Wildfly 10:
> >>> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
> >>> And it kind of worked.
> >>> By that I mean that when you log in, you are authenticated fine but then calling HttpServletRequest.isUserInRole(xxx) did not work.
> >>>
> >>> The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific group.
> >>> This page https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html says:
> >>> "The JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal.
> >>> The Roles group is the collection of Principals for the named roles as known in the application domain under which the Subject has been authenticated. This role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set.
> >>> The CallerPrincipalGroup consists of the single Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipalGroup, the application identity is the same used for login."
> >>> A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing work.
> >>> Am I doing something wrong?
> >>>
> >>> Thank you.

From juan.amat at nokia.com Sat Mar 11 15:32:02 2017
From: juan.amat at nokia.com (Amat, Juan (Nokia - US))
Date: Sat, 11 Mar 2017 20:32:02 +0000
Subject: [keycloak-user] Session already invalidated
Message-ID:

Hello,

I read this thread: http://lists.jboss.org/pipermail/keycloak-user/2017-February/009550.html

I am hitting the same issue and I can use the same workaround. But I would really like to know why Keycloak calls session.invalidate when processing the logout.
'logout' and 'invalidate' are 2 different operations and in theory you may want to logout while still keeping the session alive.

Thank you.

From eduard.matuszak at worldline.com Sun Mar 12 07:07:24 2017
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Sun, 12 Mar 2017 11:07:24 +0000
Subject: [keycloak-user] Additional token claims dynamically set via login by external Id Provider
In-Reply-To:
References: <61D077C6283D454FAFD06F6AC4AB74D723EDAC56@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723EDB18B@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello Thomas

Thanks for the answer.

For the User Storage Provider managing the logins via Keycloak's login mask, the code-snippet in the isValid-method shown below allows to set a custom user attribute on each(!) login action with an actual value. And indeed via a client-specific user-attribute-mapper the attribute will be taken over as a claim-value into the token. So when enhancing the code snippet appropriately I am able to set a specific claim value of a token in a flexible and dynamic manner, for instance taking the current timestamp or the current value of a database-entry.
All is fine so far, but when logging in via an Id-broker, the same is only possible when the user logs in for the first(!) time, when again the isValid-method of the User Storage Provider being involved does its work. Unfortunately any successive logins will skip the isValid-method.

So my question targets the possibility of "catching" all (successive) logins via an external ID broker, being able to manipulate the UserModel as we can do in the User Storage Provider isValid method.

From: Thomas Darimont [mailto:thomas.darimont at googlemail.com]
Sent: Friday, March 10, 2017 9:26 AM
To: Matuszak, Eduard
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Additional token claims dynamically set via login by external Id Provider

Hello Eduard,

do you set the attribute on the user? If so you could try to configure a custom user-attribute mapper for your client. The mapper could then inject the attribute value into the token with the name provided in the mapper.

Cheers,
Thomas

2017-03-10 8:53 GMT+01:00 Matuszak, Eduard :

Hello Keycloak Team

For logins taking place via keycloak login mask, I am able to edit a user property "on the fly" in user-storage-provider's isValid-method and can add it into the token (after adding an appropriate mapper for the corresponding client):

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input)
    ..
        List<String> attr_dyn_list = new ArrayList<>();
        attr_dyn_list.add("attr_dyn_val");
        local.setAttribute("attr_dyn", attr_dyn_list);
    ..

Now I also want to set an additional claim dynamically into an access token when a user tries to log in (not only the first time) via an external Id Provider. Is there any hook I can override to do so or is this feature planned to be implemented in near future?
Best regards,
Eduard Matuszak
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From matt at woolnough.com.au Sun Mar 12 07:49:58 2017
From: matt at woolnough.com.au (Matthew Woolnough)
Date: Sun, 12 Mar 2017 21:49:58 +1000
Subject: [keycloak-user] Keycloak Social Login
In-Reply-To:
References:
Message-ID:

Anunay, did you get any answers to these questions? I would like to know the answers to the posed questions also.

On 11 February 2017 at 00:09, Anunay Sinha wrote:
> Hi
> I am using keycloak as security layer and working towards enabling social login.
> Social login was working and I was able to integrate Facebook with just configurations using the documents.
>
> However I have a requirement where in I need to provide API end points for the same.
> Our mobile devices will be communicating to facebook via the app and will have the token from the facebook (Implicit Flow).
> I will then be exchanging the token with keycloak for the keycloak access token.
>
> I have two questions
> 1. Is this approach correct, if not why
> 2. How can I achieve this. I was thinking of writing a custom authenticator (Am not sure if that's the right approach as I have to register users as well if FB Access token user is not available with us (We can afford to login user with just emailID as we can onboard new users later)
>
> I am blocked because authenticator is not working with any build from 2.4.0 onwards
>
> Let me know if my approach is correct and if so how to proceed about it.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From georgijsr at scandiweb.com Sun Mar 12 10:47:36 2017
From: georgijsr at scandiweb.com (Georgijs Radovs)
Date: Sun, 12 Mar 2017 16:47:36 +0200
Subject: [keycloak-user] Keycloak 2.5.4 + MySQL 5.6.27 - user-fedration/instances - not found
Message-ID: <2b9a9476-06fd-4924-b018-b25bf19c3cd4@scandiweb.com>

Hello, everyone!

My current setup:
2 Keycloak 2.5.4 servers in Standalone HA mode,
MySQL 5.6.27 database hosted on Amazon AWS RDS.

Recently, I've migrated my Keycloak servers from 2.1.0 to 2.5.4.
I've copied "standalone-ha.xml" and "keycloak-server.json" to the new installation and ran "jboss-cli.sh --file=migrate-standalone-ha.cli", as per migration instructions in Keycloak documentation.
jboss-cli.sh completed without errors, and the 2.5.4 server started successfully.

All operations seemed to be running fine, until I tried to add another LDAP server to User Federation...

When I click the "https://%server_fqdn%/auth/admin/master/console/#/realms/%realm_name%/user-federation" link, I get a "Resource not found" page, and server logs show this error:

"ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-16) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: https://%server_fqdn%/auth/admin/realms/%realm_name%/user-federation/providers"

Also, Chrome console shows an error with angular.js

Did anyone experience similar problems?
Any advice?

--

From Kuopching at atlas.sk Sun Mar 12 13:07:35 2017
From: Kuopching at atlas.sk (Daniel Janoška)
Date: Sun, 12 Mar 2017 18:07:35 +0100
Subject: [keycloak-user] ParsingException Unknown xsi:type
Message-ID: <20170312180735.AA7C4F97@atlas.sk>

Hi,

I'm trying to set up my keycloak as SAML broker identity with external IDp but with no luck.
I've set up my Identity Provider with IDP FederationMetadata/2007-06/FederationMetadata.xml. I login with external Idp successfully but after Keycloak receives the SAML Assertion, I'm getting some Parser exception [1]

Could you please provide me some solution?

Thank you

1.
Error in base64 decoding saml message: ParsingException [location=null]org.keycloak.saml.common.exceptions.ParsingException: PL0065: Parser : Unknown xsi:type=tn:countryCodeOfBirth
UT005023: Exception handling request to /auth/realms/test-auth0/broker/saml/endpoint: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
...
Caused by: java.lang.NullPointerException
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:420)

Disclaimer: I'm a novice.

My setup:
Keycloak server 2.5.4 final
Oracle jdk 8
Windows 7 64bit

From known.michael at gmail.com Sun Mar 12 14:13:16 2017
From: known.michael at gmail.com (Known Michael)
Date: Sun, 12 Mar 2017 20:13:16 +0200
Subject: [keycloak-user] How I possible to reuse configuration between authenticators?
Message-ID:

I need to use 2 authenticators in 2 different flows: browser and direct grant flows.
It will be different authenticators from the keycloak point of view, same Java classes.

I want to reuse the authenticator configuration:
- I want to update configuration of only one authenticator
- I want to store it in one place in the database
- I want its configuration properties to be provided only for one authenticator
- I want to reuse the configuration in the second authenticator

How is it possible to do it?

From bburke at redhat.com Sun Mar 12 16:06:28 2017
From: bburke at redhat.com (Bill Burke)
Date: Sun, 12 Mar 2017 16:06:28 -0400
Subject: [keycloak-user] Keycloak 2.5.4 + MySQL 5.6.27 - user-fedration/instances - not found
In-Reply-To: <2b9a9476-06fd-4924-b018-b25bf19c3cd4@scandiweb.com>
References: <2b9a9476-06fd-4924-b018-b25bf19c3cd4@scandiweb.com>
Message-ID:

see docs.
User federation SPI is gone and has been refactored into the new User Storage SPI.

On 3/12/17 10:47 AM, Georgijs Radovs wrote:
> Hello, everyone!
>
> My current setup:
> 2 Keycloak 2.5.4 servers in Standalone HA mode,
> MySQL 5.6.27 database hosted on Amazon AWS RDS.
>
> Recently, I've migrated my Keycloak servers from 2.1.0 to 2.5.4.
> I've copied "standalone-ha.xml" and "keycloak-server.json" to the new installation and ran "jboss-cli.sh --file=migrate-standalone-ha.cli", as per migration instructions in Keycloak documentation.
> jboss-cli.sh completed without errors, and the 2.5.4 server started successfully.
>
> All operations seemed to be running fine, until I tried to add another LDAP server to User Federation...
>
> When I click the "https://%server_fqdn%/auth/admin/master/console/#/realms/%realm_name%/user-federation" link, I get a "Resource not found" page, and server logs show this error:
>
> "ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-16) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: https://%server_fqdn%/auth/admin/realms/%realm_name%/user-federation/providers"
>
> Also, Chrome console shows an error with angular.js
>
> Did anyone experience similar problems?
> Any advice?
>

From pnalyvayko at agi.com Sun Mar 12 23:01:39 2017
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Mon, 13 Mar 2017 03:01:39 +0000
Subject: [keycloak-user] Not able to invoke keycloak admin REST apis from wildfly container
In-Reply-To:
References:
Message-ID:

Hi Ganga,

I believe the problem is that the x.509 server cert your keycloak instance uses to secure SSL/HTTPS connections is not trusted, i.e. not signed by one of the trusted CAs that exist in the Java trusted cert key store. You can either disable the PKIX cert path validation or add your x.509 server cert to the java keystore.
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Ganga Lakshmanasamy [lganga14 at gmail.com]
Sent: Saturday, March 11, 2017 11:23 AM
To: keycloak-user
Subject: [keycloak-user] Not able to invoke keycloak admin REST apis from wildfly container

Hi,

I am not able to invoke keycloak admin REST apis from our wildfly container. Both keycloak and wildfly are ssl enabled and our app is using keycloak authentication. We are getting an SSLHandshakeFailure error while trying to invoke keycloak's admin rest api to disable a user. We are just making a client request. Below is the error,

"javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Regards,
Ganga Lakshmanasamy
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Mon Mar 13 03:43:50 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 13 Mar 2017 08:43:50 +0100
Subject: [keycloak-user] Theming applications by customers
In-Reply-To:
References:
Message-ID:

If KEYCLOAK-3370 was implemented you could have different client definitions for the two domains. Then set the theme on a per client basis. I guess it's not ideal, but would work.

On 10 March 2017 at 15:02, Nicolas Gillet wrote:
> Hello Stian
>
> Thank you for the quick reply.
>
> I saw that issue when google-ing about Keycloak theming.
>
> It would indeed be helpful for us but doesn't fully fit our need.
>
> Some of our customers use several applications of ours. For each application, they currently have a separate account.
> (cumbersome for them)
> For these customers, we create branding of our applications, these brandings are then also replicated in the different applications (cumbersome for us)
>
> I think an example may be helpful
> Let's say we have a blue customer and a green customer as well as an app1 and an app2.
>
> Our blue customer will use www.app1.blue.com and www.app2.blue.com
> Our green customer will use www.app1.green.com and www.app2.green.com
>
> Both *app1*.blue.com and *app1*.green.com are the very same application "app1" (same IP, same server, same database)
> Same goes for *app2*.blue.com and *app2*.green.com that are the very same application "app2" (IP, server, DB) separated from "app1"
>
> The login pages of the applications are aware that the domain is "green" or "blue" and then display a blue or green branding.
>
> With Keycloak "app1" and "app2" will be "clients" in a realm (as far as I understand it).
>
> To be able to display the correct color to the correct customer, I see no other solution than creating a "blue" and a "green" realm (+theme), duplicating the configuration of clients "app1" and "app2" in both realms.
>
> So, I was wondering if there exists a way in Keycloak to avoid this duplication and still offer unified branding across different applications.
>
> Kind regards,
>
> Nicolas GILLET
>
> *Market-IP -* *Creating Mobile Intelligence*
> Phone : +32 81 33 11 11
> Fax : +32 81 33 11 10
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Friday, 10 March 2017 13:54
> *To:* Nicolas Gillet
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Theming applications by customers
>
> Would https://issues.jboss.org/browse/KEYCLOAK-3370 do the trick?
>
> On 10 March 2017 at 13:39, Nicolas Gillet wrote:
>
> Hello,
>
> I am looking for an SSO solution and started playing around with Keycloak. We currently have no SSO solution but it has become a need that our applications can seamlessly interact.
>
> Our customers have "branding" requirements so we adapt the look of our application pages (including login pages) with their logo and colors. For some customers, we use a cookie to know which branding they need, for others we have dedicated domain names pointing to the very same IP's.
>
> From what I grasped of Keycloak, this branding can be achieved with "themes" that can be configured on "realms". Configuring a realm seems to require quite some time and if we have an important number of branded customers this might become hard to maintain. Also, the "topology" of our applications (which are "clients" in Keycloak I think) remains the same for all customers of ours but as a "client" belongs to a single "realm" we'll have to duplicate this configuration and propagate the changes to any realm.
>
> So, I am wondering if Keycloak can fit our need or if I don't get it correctly.
>
> If someone could be kind enough to shed some light on this for me or point me toward a way to achieve our goal I'd be very thankful.
>
> Kind regards,
>
> Nicolas GILLET
>
> Market-IP - Creating Mobile Intelligence
> Phone : +32 81 33 11 11
> Fax : +32 81 33 11 10
> www.market-ip.com - www.telefleet.com - www.geoplanning.net - www.drivexpert.net
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mposolda at redhat.com Mon Mar 13 04:50:56 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 13 Mar 2017 09:50:56 +0100
Subject: [keycloak-user] Integration with legacy systems
In-Reply-To:
References:
Message-ID:

On 10/03/17 18:41, Marcelo Nardelli wrote:
> Hello,
>
> We recently started using Keycloak in our organization but we are not sure which approach would be best to use when there are some user permissions that rely on information managed by other systems (legacy systems that we have).
>
> In our specific case, we have the following setup:
>
> - A Keycloak server integrated with LDAP to retrieve users
> - A Java backend protected by Bearer Token
> - A Javascript frontend developed in EmberJS that accesses the Java backend
>
> One of the requirements we have is the following:
>
> - Users who have a certain managerial position must have a common set of permissions.
>
> To meet this requirement, we created a group, included the relevant users, and assigned the appropriate permissions (roles) to the group. This works fine for us.
>
> However, we have a legacy system that manages the positions that a user assumes in the organization, so that a user who today holds a management position may no longer have that position tomorrow in the legacy system. When he loses the management position, someone needs to be warned and manually remove the user from the Keycloak group.
>
> Ideally, we would like this process not to be so manual. Which approaches would be recommended for this situation?
>
> - Make the legacy system somehow access Keycloak to remove users from the group when needed

That should work. We have admin REST API, which can be used to remove a user from some group. So if you can somehow make the change in the legacy system invoke this REST API, you should be fine.

> - Make our application query the legacy system to verify that the permissions that are on the token are appropriate for the user's current position

That can work too, but the question here is performance.

> - Change the keycloak in some way to query the legacy system and determine based on this information whether the user should receive the permissions

That can finally work too. If your users are in LDAP and the information about group membership is in LDAP too, you can use our builtin LDAP Group mapper. That will mean that Keycloak will be able to retrieve group memberships from LDAP. If this information is somewhere else, but still, your users are in LDAP, you can possibly implement a new LDAP mapper, which will be able to query your 3rd party system. But note that we have caching for LDAP, so Keycloak may not be immediately aware of the change in the legacy system.

In short, the last solution is the best in case your group membership can be retrieved from LDAP. Otherwise probably the first one, as long as you can be automatically notified by your legacy system. Really depends on the details of your usecase which solution is best.
Marek

>
> Thanks for the attention
>
> Marcelo Nardelli
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Mar 13 05:00:32 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 13 Mar 2017 10:00:32 +0100
Subject: [keycloak-user] Keycloak Social Login
In-Reply-To:
References:
Message-ID: <2bafc751-cf0e-32cc-aff5-90e0f2b513ad@redhat.com>

Yes, I think that writing a custom authenticator, which will be able to log you in based on the Facebook token, will be the best for now. Maybe we should have something better OOTB for this usecase, but we don't have it AFAIK.

Marek

On 12/03/17 12:49, Matthew Woolnough wrote:
> Anunay, did you get any answers to these questions? I would like to know the answers to the posed questions also.
>
> On 11 February 2017 at 00:09, Anunay Sinha wrote:
>
>> Hi
>> I am using keycloak as security layer and working towards enabling social login.
>> Social login was working and I was able to integrate Facebook with just configurations using the documents.
>>
>> However I have a requirement where in I need to provide API end points for the same.
>> Our mobile devices will be communicating to facebook via the app and will have the token from the facebook (Implicit Flow).
>> I will then be exchanging the token with keycloak for the keycloak access token.
>>
>> I have two questions
>> 1. Is this approach correct, if not why
>> 2. How can I achieve this.
>> I was thinking of writing a custom authenticator (Am not sure if that's the right approach as I have to register users as well if FB Access token user is not available with us (We can afford to login user with just emailID as we can onboard new users later)
>>
>> I am blocked because authenticator is not working with any build from 2.4.0 onwards
>>
>> Let me know if my approach is correct and if so how to proceed about it.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Mar 13 05:04:18 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 13 Mar 2017 10:04:18 +0100
Subject: [keycloak-user] Session already invalidated
In-Reply-To:
References:
Message-ID: <6811b50f-c404-9143-6a93-5c565b88a0fb@redhat.com>

It looks quite unsafe to logout and not invalidate the session at the same time. And AFAIK Wildfly also invalidates HttpSession automatically during logout for their builtin authentication mechanisms (when Keycloak integration is disabled). You may use something other than HttpSession if you really have the usecase where some session data shouldn't be invalidated at logout (eg. some custom storage backed by a custom session cookie).

Marek

On 11/03/17 21:32, Amat, Juan (Nokia - US) wrote:
> Hello,
>
> I read this thread: http://lists.jboss.org/pipermail/keycloak-user/2017-February/009550.html
> I am hitting the same issue and I can use the same workaround.
>
> But I would really like to know why Keycloak calls session.invalidate when processing the logout.
> 'logout' and 'invalidate' are 2 different operations and in theory you may want to logout while still keeping the session alive.
>
> Thank you.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Mar 13 05:12:40 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 13 Mar 2017 10:12:40 +0100
Subject: [keycloak-user] How I possible to reuse configuration between authenticators?
In-Reply-To:
References:
Message-ID:

On 12/03/17 19:13, Known Michael wrote:
> I need to use 2 authenticators in 2 different flows: browser and direct grant flows.
>
> It will be different authenticators from the keycloak point of view, same Java classes.
>
> I want to reuse the authenticator configuration:
>
> - I want to update configuration of only one authenticator
>
> - I want to store it in one place in the database
>
> - I want its configuration properties to be provided only for one authenticator
>
> - I want to reuse the configuration in the second authenticator
>
> How is it possible to do it?

Not sure I understand fully, but if your authenticator configuration is stored in a database or in a properties file, then you can just add 1 property and/or 2 properties to your authenticator in Keycloak. And that will be "databaseURL" and/or "propertiesFile". You may not even need any property as long as your DB and/or property file is at some known location and can be hardcoded in your implementation.

For example, if your properties file is in "/foo/my-authenticator.properties", then your Authenticator implementation can just read the configuration from this property file. And if you change something in this property file, then both KC authenticator instances for "Browser" and "directGrant" will be immediately able to see that change.
Marek

> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From matt at woolnough.com.au Mon Mar 13 05:16:15 2017
From: matt at woolnough.com.au (Matthew Woolnough)
Date: Mon, 13 Mar 2017 19:16:15 +1000
Subject: [keycloak-user] Event Listener SPI Add to Queue
Message-ID:

I'd like to queue messages to NSQ upon user CRUD operations.

Are there any examples for this or any other queue?

Thanks,

mW

From mposolda at redhat.com Mon Mar 13 05:45:38 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 13 Mar 2017 10:45:38 +0100
Subject: [keycloak-user] Unable to Store and Retrieve Group-Role relationship in LDAP
In-Reply-To:
References: <462a2f04-e0f3-b019-66bb-1dc8436f395b@redhat.com>
Message-ID:

On 10/03/17 12:15, abhishek raghav wrote:
> Thanks Marek.
>
> Is it possible by writing a *custom ldap mapper* and deploying it in Keycloak for this scenario.
> We are using *MSAD* as our LDAP provider.

The usecase you pointed to won't be easily solvable with the LDAP mapper SPI. We don't have federation for groups or roles. So once you assign a new role to some group in KC admin console, there is currently not a way to propagate this info and have it visible to LDAP mappers.

What would work is the opposite though. If you assign some LDAP group "foo-group" as "member" of LDAP role "bar-role", then you won't see membership between this group and role in KC admin console. However your users in Keycloak, which are members of "foo-group", will be automatically treated as members of "bar-role" in Keycloak as well. Note that you may need to switch "User Roles Retrieve Strategy" to "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" for your role mapper here.

Marek

>
> If yes, do you have any example implementation for the same.
> I also found that there is some SPI for User Federation Mapper SPI.
> https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/user-federation-mapper.html
>
> *- Best Regards*
> Abhishek Raghav
>
> On Fri, Mar 10, 2017 at 4:32 PM, Marek Posolda wrote:
>
> Yes, you're right. This is not available ATM. What is available is the support for Keycloak group inheritance to be mapped for LDAP groups. But mapping for:
> - Groups-roles membership mappings
> - Roles to composite roles membership mappings
> is not available now.
>
> Feel free to create JIRA. But not sure if we ever go into it...
>
> Marek
>
> On 10/03/17 11:31, abhishek raghav wrote:
>
> Hi
>
> I have a set of *Realm Roles* that is mapped to a certain *OU=Roles* in an *MSAD*. Similar is the case for a set of *Groups*.
>
> But when I *assign a group with a certain role, the assignment is visible in Keycloak. But the same is not reflected on the AD.*
> I mean, this mapping of role and group is *not stored in the "member" or "memberof" attributes of either the respective group or the role*.
>
> Please suggest whether this functionality is available using any mapper from Keycloak to AD? Or do we need to create our own Custom Mapper? If yes, how?
>
> *- Best Regards*
> Abhishek Raghav
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Ori.Doolman at amdocs.com Mon Mar 13 05:51:33 2017
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Mon, 13 Mar 2017 09:51:33 +0000
Subject: [keycloak-user] Submitted Feature: More Secure PassowrdHashProviders
In-Reply-To:
References:
Message-ID:

Adam,

From this code change:

-spi-private/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java :
-public class Pbkdf2PasswordHashProvider implements PasswordHashProviderFactory, PasswordHashProvider {
+public class Pbkdf2PasswordHashProvider extends APbkdf2PasswordHashProvider implements PasswordHashProviderFactory {

I am concerned that backward compatibility is not maintained, and I would have to replace all active user passwords after upgrade. Is that correct?

Also, where do I set the SHA-256 option eventually? Do I control it from the Admin Console UI?

Thanks,
Ori.

From: Adam Kaplan [mailto:akaplan at findyr.com]
Sent: ??? ? 09 ??? 2017 19:15
To: stian at redhat.com
Cc: Ori Doolman ; Bruno Oliveira ; keycloak-user
Subject: Re: [keycloak-user] Submitted Feature: More Secure PassowrdHashProviders

I'd agree with 4 being overkill - I just listed what was available in the JRE. I started down the path of implementing - feature branch is here: https://github.com/adambkaplan/keycloak/tree/feature/KEYCLOAK-4523

On Thu, Mar 9, 2017 at 8:24 AM, Stian Thorgersen wrote:

Search for usage of the class PasswordHashProvider

On 9 March 2017 at 12:54, Ori Doolman wrote:

From this discussion I understand that for all realm users, the current password hashing algorithm is using SHA1 before the hashed password is saved to the DB.
Can you please point me to the place in the code where this hashing occurs?
Thanks.
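Review bot: nothing in the quoted hunk shows whether the factory's provider id, or the verification path for PBKDF2 hashes already stored by the SHA-1 provider, survives the move from implementing PasswordHashProvider directly to extending APbkdf2PasswordHashProvider, and that is exactly the backward-compatibility question raised above; the commit message or PR description should state explicitly that existing credentials keep verifying after the upgrade without a password reset, and where the SHA-2 variant is selected (admin console or server configuration). As a style point, the single-letter `A` prefix in `APbkdf2PasswordHashProvider` does not match the naming of the other classes in the hunk; `AbstractPbkdf2PasswordHashProvider` would read more clearly.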
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bruno Oliveira
Sent: ??? ? 06 ??? 2017 14:08
To: stian at redhat.com; Adam Kaplan
Cc: keycloak-user
Subject: Re: [keycloak-user] Submitted Feature: More Secure PassowrdHashProviders

On Mon, Mar 6, 2017 at 8:37 AM Stian Thorgersen wrote:
> 4 new providers is surely a bit overkill? Isn't 256 and 512 more than sufficient?
>

+1

>
> On 2 March 2017 at 15:28, Adam Kaplan wrote:
>
> This is now in the jboss JIRA: https://issues.jboss.org/browse/KEYCLOAK-4523
>
> I intend to work on it over the next week or two and submit a PR.
>
> On Thu, Mar 2, 2017 at 4:39 AM, Bruno Oliveira wrote:
>
> > Hi Adam and John, I understand your concern. Although, collisions are not practical for key derivation functions. There's a long discussion about this subject here[1].
> >
> > Anyways, you can file a Jira as a feature request. If you feel like you would like to attach a PR, better.
> >
> > [1] - http://comments.gmane.org/gmane.comp.security.phc/973
> >
> > On Wed, Mar 1, 2017 at 3:33 PM John D. Ament wrote:
> >
> >> I deal with similarly concerned customer bases. I would be happy to see some of these algorithms added. +1
> >>
> >> On Wed, Mar 1, 2017 at 12:56 PM Adam Kaplan wrote:
> >>
> >> > My company has a client whose security prerequisites require us to store passwords using SHA-2 or better for the hash (SHA-512 ideal). We're looking to migrate our user management functions to Keycloak, and I noticed that hashing with SHA-1 is the only provider out of the box.
> >> >
> >> > I propose adding the following providers (and will be happy to contribute!), using the hash functions available in the Java 8 runtime environment:
> >> >
> >> > 1. PBKDF2WithHmacSHA224
> >> > 2. PBKDF2WithHmacSHA256
> >> > 3. PBKDF2WithHmacSHA384
> >> > 4. PBKDF2WithHmacSHA512
> >> >
> >> > I also propose marking the current Pbkdf2PasswordHashProvider as deprecated, now that a real SHA-1 hash collision has been published by Google Security.
> >> >
> >> > --
> >> > *Adam Kaplan*
> >> > Senior Engineer
> >> > findyr
> >> > m 914.924.5186 | e akaplan at findyr.com
> >> > WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> >> > _______________________________________________
> >> > keycloak-user mailing list
> >> > keycloak-user at lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> >
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
>
> --
>
> *Adam Kaplan*
> Senior Engineer
> findyr
> m 914.924.5186 | e akaplan at findyr.com
> WeWork c/o Findyr | 1460 Broadway | New York, NY 10036
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp

--
Adam Kaplan
Senior Engineer
findyr
m 914.924.5186 | e akaplan at findyr.com
WeWork c/o Findyr | 1460 Broadway | New York, NY 10036

From thomas.darimont at googlemail.com Mon Mar 13 06:05:20 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 13 Mar 2017 11:05:20 +0100
Subject: [keycloak-user] Event Listener SPI Add to Queue
In-Reply-To:
References:
Message-ID:

Hello Matthew,

there is (was) a JIRA for that: https://issues.jboss.org/browse/KEYCLOAK-2302

I demo'ed a JMS based Keycloak Event forwarder a while ago:
https://github.com/jugsaar/visit-yajug-20161023-keycloak (/keycloak-jms-event-forwarder)

Hope that helps.

Cheers,
Thomas

2017-03-13 10:16 GMT+01:00 Matthew Woolnough:
> I'd like to queue messages to NSQ upon user CRUD operations.
>
> Are there any examples for this or any other queue?
>
> Thanks,
>
> mW
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mehdi.alishahi at gmail.com Mon Mar 13 06:14:08 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Mon, 13 Mar 2017 11:14:08 +0100
Subject: [keycloak-user] Fwd: Obtain Token and Invoke Service throught CLI
In-Reply-To:
References:
Message-ID:

---------- Forwarded message ----------
From: Mehdi Sheikhalishahi
Date: Sat, Mar 11, 2017 at 10:32 AM
Subject: Obtain Token and Invoke Service throught CLI
To: keycloak-user at lists.jboss.org

Hi

I have read http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html for trying to authenticate to KC with username and password through CLI. But it seems this method does not work with KC 2.5.4, because a public client does not provide the Redirect URI field. See below:

Obtain Token and Invoke Service

First we need to create a client that can be used to obtain the token. Go to the Keycloak admin console again and create a new client. This time give it the *Client ID* curl and select public for access type. Under *Valid Redirect URIs* enter http://localhost.

How can I do this with KC 2.5.4?
Thanks, Mehdi

From mstrukel at redhat.com Mon Mar 13 07:18:20 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 13 Mar 2017 12:18:20 +0100 Subject: [keycloak-user] Fwd: Obtain Token and Invoke Service through CLI In-Reply-To: References: Message-ID:

What is it that you do exactly, and what error do you get?

On Mon, Mar 13, 2017 at 11:14 AM, Mehdi Sheikhalishahi < mehdi.alishahi at gmail.com> wrote: > ---------- Forwarded message ---------- > From: Mehdi Sheikhalishahi > Date: Sat, Mar 11, 2017 at 10:32 AM > Subject: Obtain Token and Invoke Service through CLI > To: keycloak-user at lists.jboss.org > > > Hi > > I have read http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html > for trying to authenticate to KC with username and > password through the CLI. But it seems this method does not work with KC 2.5.4, > because a public client does not provide the Redirect URI field. > > See below: > > Obtain Token and Invoke Service > > First we need to create a client that can be used to obtain the token. Go > to the Keycloak admin console again and create a new client. This time give > it the *Client ID* curl and select public for access type. Under *Valid > Redirect URIs* enter http://localhost. > > > How can I do this with KC 2.5.4? > > Thanks, > Mehdi > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From mehdi.alishahi at gmail.com Mon Mar 13 08:05:23 2017 From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi) Date: Mon, 13 Mar 2017 13:05:23 +0100 Subject: [keycloak-user] Fwd: Obtain Token and Invoke Service through CLI In-Reply-To: References: Message-ID:

First of all, in the current KC a public client does not provide the Redirect URI field. Then, I've created a client without this field.
When I issue the following command:

    RESULT=`curl --data "grant_type=password&client_id=curl&username=user&password=password" http://localhost:8180/auth/realms/master/protocol/openid-connect/token`

I get the following error:

    {"error":"invalid_grant","error_description":"Invalid user credentials"} access_token\n

On Mon, Mar 13, 2017 at 12:18 PM, Marko Strukelj wrote: > What is it that you do exactly, and what error do you get? > > On Mon, Mar 13, 2017 at 11:14 AM, Mehdi Sheikhalishahi < > mehdi.alishahi at gmail.com> wrote: > >> ---------- Forwarded message ---------- >> From: Mehdi Sheikhalishahi >> Date: Sat, Mar 11, 2017 at 10:32 AM >> Subject: Obtain Token and Invoke Service through CLI >> To: keycloak-user at lists.jboss.org >> >> >> Hi >> >> I have read http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html >> for trying to authenticate to KC with username and >> password through the CLI. But it seems this method does not work with KC >> 2.5.4, >> because a public client does not provide the Redirect URI field. >> >> See below: >> >> Obtain Token and Invoke Service >> >> First we need to create a client that can be used to obtain the token. Go >> to the Keycloak admin console again and create a new client. This time >> give >> it the *Client ID* curl and select public for access type. Under *Valid >> Redirect URIs* enter http://localhost. >> >> >> How can I do this with KC 2.5.4? >> >> Thanks, >> Mehdi >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >

From RLewis at carbonite.com Mon Mar 13 08:57:00 2017 From: RLewis at carbonite.com (Reed Lewis) Date: Mon, 13 Mar 2017 12:57:00 +0000 Subject: [keycloak-user] Second try: Using a different claim in the data from a Third Party IDP to associate the user with a Keycloak User.. Message-ID: <2B416DAC-C3F7-4568-A94F-9B344D8FB5D9@carbonite.com>

Can anyone help please?
I really need to figure this out. Thank you!

Right now I am working on getting Keycloak to be able to use Azure with Keycloak logging in. The issue is that we are going to prepopulate the users in Keycloak by calling Azure to get a list of users using the Azure route here: https://graph.microsoft.com/v1.0/myOrganization/users We get an access and refresh token not using Keycloak, then call the above route. It returns data like this:

    {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","@odata.nextLink":"https://graph.microsoft.com/v1.0/myOrganization/users?$skiptoken=X%","value":[{"id":"","businessPhones":[],"displayName":"user081","givenName":null,"jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":null,"userPrincipalName":"nothing at carboniteinc.com"}

Continuing on and on. The id is a GUID that identifies the user. When I use Keycloak in debug mode this is in the log file:

    {"amr":"[\"wia\"]","family_name":"someone","given_name":"first","ipaddr":"","name":"me","oid":"","onprem_sid":"something else","platf":"5","sub":"A different value here","tid":"Another different value","unique_name":"@carbonite.com","upn":"@carbonite.com","ver":"1.0"}

It is using the value in the "sub" claim to associate the user in Azure with the user in Keycloak. Is there a way to change Keycloak in the config to use the OID instead, since that matches what I get from the user listing? Because the sub claim is not known when listing the users.

Thank you, Reed Lewis

This message is the property of CARBONITE, INC. and may contain confidential or privileged information. If this message has been delivered to you by mistake, then do not copy or deliver this message to anyone. Instead, destroy it and notify me by reply e-mail.
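Going back to the password-grant curl call in Mehdi's message above: the following is the same flow written out in Python, as an added example that is not code from the thread or from the Keycloak project. It posts exactly the form that `curl --data` sends to the realm's token endpoint for the public client `curl`, surfaces Keycloak's `error` / `error_description` body (the `invalid_grant` / `Invalid user credentials` answer seen above) as an exception instead of letting a script pull an empty `access_token` out of it, decodes the access token's claims for inspection, and attaches the token as a Bearer header to a service call. The realm `master`, the client id `curl` and the `user`/`password` credentials come from the thread; `SERVICE_URL`, the `transport` hook, `stub_transport()` and `make_unsigned_jwt()` are assumptions of this example, added so the flow can be exercised offline against a canned response.

```python
"""Password grant against a Keycloak public client, then a Bearer call.

Added example, not code from the thread. Assumed beyond the thread: the
realm is 'master' and the public client is 'curl' (both as in the curl
command above), SERVICE_URL is a hypothetical bearer-protected service, and
the 'transport' hook plus stub_transport() exist only so the flow can be
exercised offline; http_transport() is the one that talks to a server.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "http://localhost:8180/auth/realms/master/protocol/openid-connect/token"
SERVICE_URL = "http://localhost:8080/service/hello"  # hypothetical


class TokenError(Exception):
    """The token endpoint answered with an OAuth2 error body, not a token."""


def http_transport(req):
    """Send the request and return (status, body) for 2xx and 4xx/5xx alike:
    Keycloak puts the useful JSON (error, error_description) in a 400/401 body."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def stub_transport(status, body_obj):
    """Offline transport: answer every request with one canned JSON body and
    remember the last request so the caller can inspect what would be sent."""
    body = json.dumps(body_obj).encode()

    def transport(req):
        transport.last_request = req
        return status, body

    transport.last_request = None
    return transport


def password_grant(client_id, username, password,
                   token_url=TOKEN_URL, transport=http_transport):
    """Resource Owner Password Credentials grant for a *public* client.

    No client_secret is sent; Keycloak identifies the client by client_id only,
    so enable this grant only for first-party tools such as a CLI. The form is
    byte-for-byte what `curl --data` posts in the thread.
    """
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    req = urllib.request.Request(token_url, data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    status, body = transport(req)
    payload = json.loads(body.decode()) if body else {}
    if status != 200 or "access_token" not in payload:
        # e.g. "invalid_grant: Invalid user credentials" for a wrong password
        raise TokenError(f"{payload.get('error')}: {payload.get('error_description')}")
    return payload


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Fine for a client that wants to look at iss/exp/roles. A resource server
    must instead verify the signature against the realm's public key and check
    iss, exp and audience before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded).decode())


def bearer_get(url, access_token, transport=http_transport):
    """GET a bearer-protected service with the access token in the header."""
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", "Bearer " + access_token)
    return transport(req)


def make_unsigned_jwt(claims):
    """Constructed test data: an 'alg: none' token for the offline demo only.
    Keycloak never issues these and a resource server must reject them."""
    def b64url(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Live run: needs Keycloak on localhost:8180 with realm 'master', a public
    # client 'curl', and user 'user'/'password' (the thread's values).
    try:
        tok = password_grant("curl", "user", "password")
        claims = jwt_claims(tok["access_token"])
        print("issued by", claims.get("iss"), "expires at", claims.get("exp"))
        status, body = bearer_get(SERVICE_URL, tok["access_token"])
        print(status, body.decode())
    except (TokenError, urllib.error.URLError) as err:
        print("failed:", err)
```

The check on `status` and on the presence of `access_token` is the part worth keeping in any shell or Python wrapper: the `access_token\n` trailing the error body in the thread is what a script prints when it extracts the field before looking at the response code, and the empty value then gets passed on as a Bearer token. `jwt_claims()` deliberately skips signature verification because a client holding its own token has nothing to verify; the service side must not reuse it.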
From sanchoponchos at gmail.com Mon Mar 13 09:18:15 2017 From: sanchoponchos at gmail.com (ko lo) Date: Mon, 13 Mar 2017 20:18:15 +0700 Subject: [keycloak-user] How to upgrade server keycloak-overlay Message-ID: I have applications including those not deployed directly to the Keycloak server. I want to upgrade the adapter. I have to do similar steps to the standalone server? New WF installation add new KC adapter, copy standalone.xml, themes, etc. over., etc.. From juan.amat at nokia.com Mon Mar 13 10:27:56 2017 From: juan.amat at nokia.com (Amat, Juan (Nokia - US)) Date: Mon, 13 Mar 2017 14:27:56 +0000 Subject: [keycloak-user] Session already invalidated In-Reply-To: <6811b50f-c404-9143-6a93-5c565b88a0fb@redhat.com> References: <6811b50f-c404-9143-6a93-5c565b88a0fb@redhat.com> Message-ID: Actually I do not think that this is the case with Wildfly (or we would have this 'Session already invalidated' error and we do not see it). True, there is a flag in undertow that you can set to invalidate the session during logout. But again I do not think that this is used by default in Wildfly. And please tell me why this would be 'unsafe'? > -----Original Message----- > From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: Monday, March 13, 2017 2:04 AM > To: Amat, Juan (Nokia - US) ; keycloak- > user at lists.jboss.org > Subject: Re: [keycloak-user] Session already invalidated > > It looks like quite unsafe to logout and not invalidate session at the same time. > And AFAIK Wildfly is also invalidates HttpSession automatically during logout for > their builtin authentication mechanisms (when Keycloak integration is disabled). > You may use something else then HttpSession if you really have the usecase > when some session data shouldn't be invalidated at logout (eg. some custom > storage backed by custom session cookie). 
> > Marek > > On 11/03/17 21:32, Amat, Juan (Nokia - US) wrote: > > Hello, > > > > I read this thread: http://lists.jboss.org/pipermail/keycloak-user/2017- > February/009550.html > > I am hitting the same issue and I can use the same workaround. > > > > But I would really like to know why Keycloak calls session.invalidate when > processing the logout. > > 'logout' and 'invalidate' are 2 different operations and in theory you may want > to logout while still keeping the session alive. > > > > Thank you. > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mstrukel at redhat.com Mon Mar 13 10:34:59 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 13 Mar 2017 15:34:59 +0100 Subject: [keycloak-user] Fwd: Obtain Token and Invoke Service throught CLI In-Reply-To: References: Message-ID: The field definitely exists. If you use web Admin Console to create a new client, you won't see that field at first. Just click 'Save', and then you will get a full list of fields including 'Valid Redirect URIs'. Take a look at Admin CLI (https://keycloak.gitbooks.io/ documentation/server_admin/topics/admin-cli.html) which exists precisely to allow you to perform Admin REST operations from CLI. Or if you only need dynamic registration of clients, check out Client Registration CLI (https://keycloak.gitbooks.io/documentation/securing_apps/ topics/client-registration/client-registration-cli.html). For that you don't need to create a new client. Every realm automatically has a public client called 'admin-cli' which is used by default by Admin CLI, and Client Registration CLI. However, if you insist on using curl that's possible as well but more complicated. See http://lists.jboss.org/pipermail/keycloak-user/2016-July/006793.html. 
On Mon, Mar 13, 2017 at 1:05 PM, Mehdi Sheikhalishahi < mehdi.alishahi at gmail.com> wrote: > First of all, in curret KC public client does not provide Redirect URI > field. > Then, I've create a client without this field. > > When I issue the following commnad: > > RESULT=`curl --data "grant_type=password&client_id=curl&username=user&password=password" http://localhost:8180/auth/realms/master/protocol/openid-connect/token` > > I get the following error: > > {"error":"invalid_grant","error_description":"Invalid user credentials"} > access_token\n > > > On Mon, Mar 13, 2017 at 12:18 PM, Marko Strukelj > wrote: > >> What is it that you do exactly, and what error do you get? >> >> On Mon, Mar 13, 2017 at 11:14 AM, Mehdi Sheikhalishahi < >> mehdi.alishahi at gmail.com> wrote: >> >>> ---------- Forwarded message ---------- >>> From: Mehdi Sheikhalishahi >>> Date: Sat, Mar 11, 2017 at 10:32 AM >>> Subject: Obtain Token and Invoke Service throught CLI >>> To: keycloak-user at lists.jboss.org >>> >>> >>> Hi >>> >>> I have read http://blog.keycloak.org/2015/10/getting-started-with- >>> keycloak-securing.html for trying to authenicate to KC with username and >>> password through CLI. But it seems this method does not work with KC >>> 2.5.4, >>> because public client does not provide Redirect URI field. >>> >>> See below: >>> >>> Obtain Token and Invoke Service >>> >>> First we need to create a client that can be used to obtain the token. Go >>> to the Keycloak admin console again and create a new client. This time >>> give >>> it the *Client ID* curl and select public for access type. Under *Valid >>> Redirect URIs* enter http://localhost. >>> >>> >>> How can I do this with KC 2.5.4? 
>>> >>> Thanks, >>> Mehdi >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From marcelo.nardelli at gmail.com Mon Mar 13 10:49:14 2017 From: marcelo.nardelli at gmail.com (Marcelo Nardelli) Date: Mon, 13 Mar 2017 11:49:14 -0300 Subject: [keycloak-user] Integration with legacy systems In-Reply-To: References: Message-ID: Thanks for answering, Marek Are there any examples on how to implement a custom LDAP mapper? The information I need is not on LDAP, so the mapper would need to query the other system. If I can't make that work, I'll problably go with the option of trying to make the other system notify keycloak through the admin REST API. Marcelo Nardelli On Mon, Mar 13, 2017 at 5:50 AM, Marek Posolda wrote: > On 10/03/17 18:41, Marcelo Nardelli wrote: > >> Hello, >> >> We recently started using Keycloak in our organization but we are not sure >> which approach would be best to use when there are some user permissions >> that rely on information managed by other systems (legacy systems that we >> have). >> >> In our specific case, we have the following setup: >> >> - A Keycloak server integrated with LDAP to retrieve users >> - A Java backend protected by Bearer Token >> - A Javascript frontend developed in EmberJS that accesses the Java >> backend >> >> One of the requirements we have is the following: >> >> - Users who have a certain managerial position must have a common set of >> permissions. >> >> To meet this requirement, we created a group, included the relevant users, >> and assigned the appropriate permissions (roles) to the group. This works >> fine for us. >> >> However, we have a legacy system that manages the positions that a user >> assumes in the organization, so that a user who today holds a management >> position may no longer have that position tomorrow in the legacy system. 
>> When he loses the management position, someone needs to be warned and >> manually remove the user from the Keycloak group. >> >> Ideally, we would like this process not to be so manual. Which approaches >> would be recommended for this situation? >> >> - Make the legacy system somehow access Keycloak to remove users from the >> group when needed >> > That should work. We have admin REST API, which can be used to remove user > from some group. So if you can somehow notify that change in legacy system > will invoke this REST API, you should be fine. > >> - Make our application query the legacy system to verify that the >> permissions that are on the token are appropriate for the user's current >> position >> > That can work too, but question here is performance. > >> - Change the keycloak in some way to query the legacy system and determine >> based on this information whether the user should receive the permissions >> > That can finally work too. If your users are in LDAP and the information > about group membership is in LDAP too, you can use our builtin LDAP Group > mapper. Then will mean that Keycloak will be able to retrieve group > memberships from LDAP. If this information is somewhere else, but still, > your users are in LDAP, you can possibly implement new LDAP mapper, which > will be able to query your 3rd party system. But note that we have caching > for LDAP, so Keycloak may not be immediatelly aware of the change in legacy > system. > > In shortcut, last solution is the best in case that your group membership > can be retrieved from LDAP. Otherwise probably the first one as long as you > can be automatically notified by your legacy system. Really depends on the > details of your usecase which solution is best. 
> > Marek > >> >> Thanks for the attention >> >> Marcelo Nardelli >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >

From david_delbecq at trimble.com Mon Mar 13 11:17:25 2017 From: david_delbecq at trimble.com (David Delbecq) Date: Mon, 13 Mar 2017 15:17:25 +0000 Subject: [keycloak-user] keycloak java rest client compatibility Message-ID:

Hello, For some operations in our software, we need to perform some REST operations on Keycloak (mainly setting some client roles in response to some business logic). For that we use the provided Java REST client. However, we noticed in the past that if the client and server don't run the exact same version, you start getting exceptions on the client side. It was due to the server replying with additional parameters in the JSON, and the client throwing an Exception on parsing those unexpected additional properties. I think I was running at that time client 2.3 on a 2.5 server. It seems like the API used to generate the Java client has a parameter to be more relaxed on unexpected properties, but it has been generated by requesting strict adherence to the expected reply. Is it expected behavior that the Java client crashes if the server is not at the same version? That doesn't seem very practical from a production point of view: if you need to upgrade your Keycloak server, you then need to sync with the applications' upgrade schedule. -- David Delbecq Software engineer, Transport & Logistics Geldenaaksebaan 329, 1st floor | 3001 Leuven +32 16 391 121 Direct david.delbecq at trimbletl.com

From mstrukel at redhat.com Mon Mar 13 11:34:05 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 13 Mar 2017 16:34:05 +0100 Subject: [keycloak-user] How to upgrade server keycloak-overlay In-Reply-To: References: Message-ID:

That's a good point. Our install mechanism for adapters is to simply unzip an archive.
If you want to upgrade, the cleanest way would be to completely delete the old adapter and install the new one. We don't have a mechanism to delete files, so you're on your own here. On Linux and MacOS you could do:

    cd WILDFLY_HOME
    # list every entry of the old adapter archive and remove it; the directory
    # entries in the listing make rm complain ("Is a directory"), which is harmless
    jar tf ~/Downloads/keycloak-wildfly-adapter-dist-PREVIOUS_VERSION.zip | xargs -I {} rm {}
    unzip ~/Downloads/keycloak-wildfly-adapter-dist-NEW_VERSION.zip

Neither do we have a script for uninstalling the components from Wildfly. You could do something

On Mon, Mar 13, 2017 at 2:18 PM, ko lo wrote: > I have applications including those not deployed directly to the Keycloak > server. I want to upgrade the adapter. > Do I have to do similar steps to the standalone server? New WF installation, > add new KC adapter, copy standalone.xml, themes, etc. over, etc. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From mstrukel at redhat.com Mon Mar 13 11:40:55 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 13 Mar 2017 16:40:55 +0100 Subject: [keycloak-user] How to upgrade server keycloak-overlay In-Reply-To: References: Message-ID:

You could do something like the following before deleting the adapter files to uninstall all the components from Wildfly, so that you can run the adapter-install-offline.cli script after installing the new version:

    embed-server --server-config=standalone.xml
    /subsystem=keycloak:remove
    /extension=org.keycloak.keycloak-adapter-subsystem/:remove
    /subsystem=security/security-domain=keycloak/authentication=classic/:remove
    /subsystem=security/security-domain=keycloak/:remove

On Mon, Mar 13, 2017 at 4:34 PM, Marko Strukelj wrote: > That's a good point. Our install mechanism for adapters is to simply unzip > an archive. > If you want to upgrade the cleanest way would be to completely delete the > old adapter, and install the new one.
> > We don't have a mechanism to delete files so you're on your own here. > > On Linux and MacOS you could do: > > cd WILDFLY_HOME > jar tf ~/Downloads/keycloak-wildfly-adapter-dist-PREVIOUS_VERSION.zip | > xargs -I {} rm {} > unzip ~/Downloads/keycloak-wildfly-adapter-dist-NEW_VERSION.zip > > > Neither do we have a script for uninstalling the components from Wildfly. > You could do something > > > > On Mon, Mar 13, 2017 at 2:18 PM, ko lo wrote: > >> I have applications including those not deployed directly to the Keycloak >> server. I want to upgrade the adapter. >> I have to do similar steps to the standalone server? New WF installation >> add new KC adapter, copy standalone.xml, themes, etc. over., etc.. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From ansarihaseb at gmail.com Mon Mar 13 12:18:26 2017 From: ansarihaseb at gmail.com (Haseb Ansari) Date: Mon, 13 Mar 2017 17:18:26 +0100 Subject: [keycloak-user] Getting abstract method error for creating external Provider SPI Message-ID: Hello, My usecase was with JWE tokens and hence I started with implementing custom external IDP extension like oidc in keycloak. I started my SPI by extending AbstractIdentityProviderFactory, AbstractOAuth2IdentityProvider, OAuth2IdentityProviderConfig classes. 
But when I try to use this provider for login I get the below error: ERROR [io.undertow.request] (default task-15) UT005023: Exception handling request to /auth/realms/com/broker/cust/login: org.jboss.resteasy.spi.UnhandledException: java.lang.AbstractMethodError: co.com.custom.spi.CustomtIdentityProviderFactory.create(Lorg/keycloak/models/IdentityProviderModel;)Lorg/keycloak/broker/provider/IdentityProvider; at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) Caused by: java.lang.AbstractMethodError: co.com.custom.spi.CustomIdentityProviderFactory.create(Lorg/keycloak/models/IdentityProviderModel;)Lorg/keycloak/broker/provider/IdentityProvider; at org.keycloak.services.resources.IdentityBrokerService.getIdentityProvider(IdentityBrokerService.java:805) at org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:156) Can anyone help me where did I go wrong ? Thanks From juan.amat at nokia.com Mon Mar 13 12:56:51 2017 From: juan.amat at nokia.com (Amat, Juan (Nokia - US)) Date: Mon, 13 Mar 2017 16:56:51 +0000 Subject: [keycloak-user] Suspected SPAM - Re: Session already invalidated In-Reply-To: References: <6811b50f-c404-9143-6a93-5c565b88a0fb@redhat.com> Message-ID: Do not get me wrong, I will add the try/catch in our code as anyway we also invalidate the session so this is not a problem for us. I am just curious why it was implemented this way in Keycloak. 
> -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user- > bounces at lists.jboss.org] On Behalf Of Amat, Juan (Nokia - US) > Sent: Monday, March 13, 2017 7:28 AM > To: Marek Posolda ; keycloak-user at lists.jboss.org > Subject: Suspected SPAM - Re: [keycloak-user] Session already invalidated > > Actually I do not think that this is the case with Wildfly (or we would have this > 'Session already invalidated' error and we do not see it). > True, there is a flag in undertow that you can set to invalidate the session during > logout. > But again I do not think that this is used by default in Wildfly. > > And please tell me why this would be 'unsafe'? > > > -----Original Message----- > > From: Marek Posolda [mailto:mposolda at redhat.com] > > Sent: Monday, March 13, 2017 2:04 AM > > To: Amat, Juan (Nokia - US) ; keycloak- > > user at lists.jboss.org > > Subject: Re: [keycloak-user] Session already invalidated > > > > It looks like quite unsafe to logout and not invalidate session at the same time. > > And AFAIK Wildfly is also invalidates HttpSession automatically during > > logout for their builtin authentication mechanisms (when Keycloak integration > is disabled). > > You may use something else then HttpSession if you really have the > > usecase when some session data shouldn't be invalidated at logout (eg. > > some custom storage backed by custom session cookie). > > > > Marek > > > > On 11/03/17 21:32, Amat, Juan (Nokia - US) wrote: > > > Hello, > > > > > > I read this thread: > > > http://lists.jboss.org/pipermail/keycloak-user/2017- > > February/009550.html > > > I am hitting the same issue and I can use the same workaround. > > > > > > But I would really like to know why Keycloak calls > > > session.invalidate when > > processing the logout. > > > 'logout' and 'invalidate' are 2 different operations and in theory > > > you may want > > to logout while still keeping the session alive. > > > > > > Thank you. 
> > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From tomas at intrahouse.com Mon Mar 13 12:56:59 2017 From: tomas at intrahouse.com (=?UTF-8?B?VG9tw6FzIEdhcmPDrWE=?=) Date: Mon, 13 Mar 2017 16:56:59 +0000 Subject: [keycloak-user] UI for custom providers Message-ID: Hi, I wonder if it's planned to add the possibility to make UI (HTML) for a custom provider, like having a Providers section in the Keycloak dashboard menu where it will appear all of those providers with custom UI. For example, for an Keycloak custom API I've made, I want to let the admin to change a whitelist of clients used inside the provider. Right now, I'll have to use the configuration stuff inside the standalone.xml file, which means that the server must be reset each time. In this issue (https://issues.jboss.org/browse/KEYCLOAK-3605), Stian you said: "I think you misunderstood me. We now have a generic component storage mechanism that makes it easy to add configurable providers. It sorts out persistence as well as UI automatically. To support that the Email Sender SPI including UI screens have to be changed. IMO that should be done prior to adding more options to the email sender. " Is this generic component storage mechanism going in this direction? Is there an explanation somewhere about this mechanism? Example code? Thanks. From bburke at redhat.com Mon Mar 13 13:18:25 2017 From: bburke at redhat.com (Bill Burke) Date: Mon, 13 Mar 2017 13:18:25 -0400 Subject: [keycloak-user] UI for custom providers In-Reply-To: References: Message-ID: <6178d274-3b0a-2ae0-2729-96d18e6dcdc3@redhat.com> There's 2 types of configuration: * Config for the ProviderFactory. 
This is for the entire Keycloak instance. We do not support configuring this through the admin console, as this configuration applies to ALL REALMS managed by the Keycloak server.

* Config for Provider instances created. This depends on the provider.

These SPIs can generically render configuration for Provider instances in the admin console:

* User Storage SPI
* Mapper SPIs (broker and clients)
* Authentication SPI config
* Key management

Unfortunately, they all use a slightly different mechanism. User Storage SPI and Key management SPI do use the new Component SPI. Other SPIs will eventually be ported to use the generic mechanism.

On 3/13/17 12:56 PM, Tomás García wrote: > Hi, > > I wonder if it's planned to add the possibility to make UI (HTML) for a > custom provider, like having a Providers section in the Keycloak dashboard > menu where all of those providers with custom UI will appear. For > example, for a Keycloak custom API I've made, I want to let the admin > change a whitelist of clients used inside the provider. Right now, I'll > have to use the configuration stuff inside the standalone.xml file, which > means that the server must be reset each time. > > In this issue (https://issues.jboss.org/browse/KEYCLOAK-3605), Stian you > said: > > "I think you misunderstood me. We now have a generic component storage > mechanism that makes it easy to add configurable providers. It sorts out > persistence as well as UI automatically. To support that the Email Sender > SPI including UI screens have to be changed. IMO that should be done prior > to adding more options to the email sender. " > > Is this generic component storage mechanism going in this direction? Is > there an explanation somewhere about this mechanism? Example code? > > Thanks.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mehdi.alishahi at gmail.com Mon Mar 13 13:38:30 2017 From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi) Date: Mon, 13 Mar 2017 18:38:30 +0100 Subject: [keycloak-user] Access Control for an IoT environment Message-ID: Hi, I'd like to validate my solution based on KeyCloak for securing access to sensors. Our environment consists of a dashboard, a sensors service (a database of sensors), and KeyCloak. We need to display the list of sensors associated to the authenticated user in the dashboard, and implement Access Control to sensors. A user can have different accesses to different sensors. For simplicity, we define read, and write access types. Our solution is to use User Attributes; for that we create two user attributes for each user: one for read, and one for write. And the value of each attribute will be the list of sensors. This list states that the user has this type of access to this list of sensors. Hence, this is a database that can be used for defining policies. For presentation, we simply can read these attributes and present them in the Dashboard with appropriate columns to present read and write accesses. We need to implement another operation that is called evaluation of authorization requests. That is when a user sends a request to access a sensor for an access type (read or write), this request should be evaluated (validated) by KeyCloak. Here is the place in which KeyCloak policies come into the place. For that, we need to write a policy (an attributed based policy, or a mix kind of policy, such as JavaScript?) to evaluate if this user is authorized to perform such an operation. The output of this operation is allow or deny. 
If the evaluation result is allow, then the request will be sent to the database of sensors, and the result of this operation will be returned back to the Dashboard for the user.

My questions are the following:

- Is this solution approach the right one?
- How do we provide the access request to KeyCloak, so that in the policy we will have all the inputs that we need for evaluation, that is user information, requested sensor, and requested access type?

Thanks, Mehdi

From jdennis at redhat.com Mon Mar 13 13:41:35 2017 From: jdennis at redhat.com (John Dennis) Date: Mon, 13 Mar 2017 13:41:35 -0400 Subject: [keycloak-user] Obtain Token and Invoke Service through CLI In-Reply-To: References: Message-ID:

On 03/11/2017 04:32 AM, Mehdi Sheikhalishahi wrote: > Hi > > I have read > http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html > for trying to authenticate to KC with username and password through the CLI. But > it seems this method does not work with KC 2.5.4, because a public client > does not provide the Redirect URI field. > > See below: > > Obtain Token and Invoke Service > > First we need to create a client that can be used to obtain the token. Go > to the Keycloak admin console again and create a new client. This time give > it the *Client ID* curl and select public for access type. Under *Valid > Redirect URIs* enter http://localhost. > > > How can I do this with KC 2.5.4?

The keycloak-httpd-client-install tool (written in Python) has examples of using Keycloak's REST interface. The project is here: https://github.com/jdennis/keycloak-httpd-client-install And here is a class that authenticates as an admin using a username/password such that it can perform admin actions using the REST interface.
https://github.com/jdennis/keycloak-httpd-client-install/blob/master/keycloak_httpd_client/keycloak_cli.py#L700 -- John From imxxx021 at umn.edu Mon Mar 13 15:43:09 2017 From: imxxx021 at umn.edu (Danny Im) Date: Mon, 13 Mar 2017 14:43:09 -0500 Subject: [keycloak-user] Unable to create keycloak admin client instance: class loader issue Message-ID: Hi, I'm trying to use the admin client (version 2.5.1) from within a custom Event Listener Provider, and when I try creating an instance of the admin client (via a call to the getInstance method of the org.keycloak.admin.client.Keycloak class), I get the following error: ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /auth/admin/realms/master/events/config: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader Attached is the stack trace. Any idea why this is happening? Thanks! -- Danny Im Software Developer Polar Geospatial Center University of Minnesota From mstrukel at redhat.com Mon Mar 13 17:38:58 2017 From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 13 Mar 2017 22:38:58 +0100 Subject: [keycloak-user] Unable to create keycloak admin client instance: class loader issue In-Reply-To: References: Message-ID: There should be a better way to access admin services within the same container than by trying to do HTTP calls to Admin REST API. Inside your custom listener you have access to a KeycloakSession, and through it to all the system components you may wish for - you should definitely use these rather than the roundabout way via DNS + HTTP + Authentication + REST serialization / deserialization. 
On Mon, Mar 13, 2017 at 8:43 PM, Danny Im wrote: > Hi, > > I'm trying to use the admin client (version 2.5.1) from within a custom > Event Listener Provider, and when I try creating an instance of the admin > client (via a call to the getInstance method of the > org.keycloak.admin.client.Keycloak class), I get the following error: > > ERROR [io.undertow.request] (default task-14) UT005023: Exception handling > request to /auth/admin/realms/master/events/config: > org.jboss.resteasy.spi.UnhandledException: > java.lang.IllegalArgumentException: interface > org.keycloak.admin.client.token.TokenService is not visible from class > loader > > Attached is the stack trace. > > Any idea why this is happening? > > Thanks! > > > -- > Danny Im > Software Developer > Polar Geospatial Center > University of Minnesota > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From favez.steve at gmail.com Mon Mar 13 19:29:48 2017 From: favez.steve at gmail.com (Steve Favez) Date: Tue, 14 Mar 2017 00:29:48 +0100 Subject: [keycloak-user] Optional 2FA Delegate Authenticator Message-ID: Dear Keycloak community, I'm trying to get the following functionality in my browser authentication flow: 1. Like "OptionalOTP" I'd like to get, after user login authenticator, an Option2FA (second authentication Factor) that will ask for a second factor of authentication according to some predicates (client IP, time, user role, ...) 2. I need more than OTP as second factor. OTP is one good solution, but I need to provide to the end user a set of 2FA, like SMS, MatrixCard and so on.(can be configured). But I also need to leverage on existing authenticator, so, my wish is to reuse existing or new Authenticator. 
In that sense, I tried to create a skeleton implementation - and share it through github, I really need some input from the community, if it sounds correct or if you have any better idea to implement such a use case. see . https://github.com/stevefavez/keycloakext class : ConditionalMultiFactorAuthenticatorDelegate I look forward for your valuable feedback. (By the way, I know that this feature should be implemented in the next release, but I must implement it on 2.x, because we're using rh sso.) Thanks in advance for your help. Best regards Steve From mehdi.alishahi at gmail.com Tue Mar 14 03:35:21 2017 From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi) Date: Tue, 14 Mar 2017 08:35:21 +0100 Subject: [keycloak-user] User Attributes in User Profile Message-ID: Hi, How we can get/set user attributes through KC APIs or SDK? I could not find any resource. Also, I was wondering if it is possible to enable user attributes presentation as part of User Profile/Account in KC? Thanks, Mehdi From mposolda at redhat.com Tue Mar 14 03:50:49 2017 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 14 Mar 2017 08:50:49 +0100 Subject: [keycloak-user] Session already invalidated In-Reply-To: References: <6811b50f-c404-9143-6a93-5c565b88a0fb@redhat.com> Message-ID: <324b6d47-ff05-992d-58fc-1db4626dadf7@redhat.com> On 13/03/17 15:27, Amat, Juan (Nokia - US) wrote: > Actually I do not think that this is the case with Wildfly (or we would have this 'Session already invalidated' error and we do not see it). > True, there is a flag in undertow that you can set to invalidate the session during logout. > But again I do not think that this is used by default in Wildfly. > > And please tell me why this would be 'unsafe'? Yes. For example scenario like this: - You login to the "bank account" application - You can see the details of you bank account now - You click "Logout". 
In case, that this will logout you, but won't invalidate the session, then anyone who came to the computer after you will see the details about your bank account I personally never saw web application where logout doesn't invalidate httpSession as well. I can understand some data might be persistent even after logout (eg. locale). In this case, you can use separate cookie and separate storage, which will be persistent among logouts. BTV. Keycloak also has support for offline tokens, which allows to have the token inside application even if user is logged-out and do some actions on behalf of user (eg. some nightly periodic tasks etc). But I guess that's not related to your usecase? Another thing is, that in the last mail of the thread you referenced, it's mentioned that there is bug in undertow. It will be fixed in undertow 1.4.7.Final. So once it's possible to have Wildfly upgraded to this version, it won't be needed to have try/catch block anymore. Marek > >> -----Original Message----- >> From: Marek Posolda [mailto:mposolda at redhat.com] >> Sent: Monday, March 13, 2017 2:04 AM >> To: Amat, Juan (Nokia - US) ; keycloak- >> user at lists.jboss.org >> Subject: Re: [keycloak-user] Session already invalidated >> >> It looks like quite unsafe to logout and not invalidate session at the same time. >> And AFAIK Wildfly is also invalidates HttpSession automatically during logout for >> their builtin authentication mechanisms (when Keycloak integration is disabled). >> You may use something else then HttpSession if you really have the usecase >> when some session data shouldn't be invalidated at logout (eg. some custom >> storage backed by custom session cookie). >> >> Marek >> >> On 11/03/17 21:32, Amat, Juan (Nokia - US) wrote: >>> Hello, >>> >>> I read this thread: http://lists.jboss.org/pipermail/keycloak-user/2017- >> February/009550.html >>> I am hitting the same issue and I can use the same workaround. 
>>>
>>> But I would really like to know why Keycloak calls session.invalidate when
>> processing the logout.
>>> 'logout' and 'invalidate' are 2 different operations and in theory you may want
>> to logout while still keeping the session alive.
>>> Thank you.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Mar 14 03:53:08 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 14 Mar 2017 08:53:08 +0100
Subject: [keycloak-user] Integration with legacy systems
In-Reply-To:
References:
Message-ID: <862f7c45-548f-3eed-ad38-b7a98703cc11@redhat.com>

On 13/03/17 15:49, Marcelo Nardelli wrote:
> Thanks for answering, Marek
>
> Are there any examples on how to implement a custom LDAP mapper? The
> information I need is not on LDAP, so the mapper would need to query
> the other system. If I can't make that work, I'll probably go with
> the option of trying to make the other system notify keycloak through
> the admin REST API.

Nope. This is considered a private SPI, so there is no example. You can take a look at the Keycloak codebase for an example of how to implement an LDAP mapper, for example the class GroupLDAPStorageMapper.

Marek

>
> Marcelo Nardelli
>
> On Mon, Mar 13, 2017 at 5:50 AM, Marek Posolda
> wrote:
>
> On 10/03/17 18:41, Marcelo Nardelli wrote:
>
> Hello,
>
> We recently started using Keycloak in our organization but we
> are not sure
> which approach would be best to use when there are some user
> permissions
> that rely on information managed by other systems (legacy
> systems that we
> have).
> > In our specific case, we have the following setup: > > - A Keycloak server integrated with LDAP to retrieve users > - A Java backend protected by Bearer Token > - A Javascript frontend developed in EmberJS that accesses the > Java backend > > One of the requirements we have is the following: > > - Users who have a certain managerial position must have a > common set of > permissions. > > To meet this requirement, we created a group, included the > relevant users, > and assigned the appropriate permissions (roles) to the group. > This works > fine for us. > > However, we have a legacy system that manages the positions > that a user > assumes in the organization, so that a user who today holds a > management > position may no longer have that position tomorrow in the > legacy system. > When he loses the management position, someone needs to be > warned and > manually remove the user from the Keycloak group. > > Ideally, we would like this process not to be so manual. Which > approaches > would be recommended for this situation? > > - Make the legacy system somehow access Keycloak to remove > users from the > group when needed > > That should work. We have admin REST API, which can be used to > remove user from some group. So if you can somehow notify that > change in legacy system will invoke this REST API, you should be fine. > > - Make our application query the legacy system to verify that the > permissions that are on the token are appropriate for the > user's current > position > > That can work too, but question here is performance. > > - Change the keycloak in some way to query the legacy system > and determine > based on this information whether the user should receive the > permissions > > That can finally work too. If your users are in LDAP and the > information about group membership is in LDAP too, you can use our > builtin LDAP Group mapper. Then will mean that Keycloak will be > able to retrieve group memberships from LDAP. 
If this information
> is somewhere else, but still, your users are in LDAP, you can
> possibly implement a new LDAP mapper, which will be able to query
> your 3rd party system. But note that we have caching for LDAP, so
> Keycloak may not be immediately aware of the change in the legacy system.
>
> In short, the last solution is the best in case your group
> membership can be retrieved from LDAP. Otherwise probably the
> first one, as long as you can be automatically notified by your
> legacy system. It really depends on the details of your use case which
> solution is best.
>
> Marek
>
>
> Thanks for the attention
>
> Marcelo Nardelli
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
>

From tomas at intrahouse.com Tue Mar 14 08:34:19 2017
From: tomas at intrahouse.com (Tomás García)
Date: Tue, 14 Mar 2017 12:34:19 +0000
Subject: [keycloak-user] UI for custom providers
In-Reply-To: <6178d274-3b0a-2ae0-2729-96d18e6dcdc3@redhat.com>
References: <6178d274-3b0a-2ae0-2729-96d18e6dcdc3@redhat.com>
Message-ID:

Thanks for the explanation, Bill. I guess there's no point in opening an issue to propose what I said, right?

On Mon, Mar 13, 2017 at 5:34 PM Bill Burke wrote:
> There are 2 types of configuration:
>
> * Config for the ProviderFactory. This is for the entire Keycloak
> instance. We do not support configuring this through the admin console as
> this configuration applies to ALL REALMS managed by the keycloak server.
>
> * Config for Provider instances created. This depends on the provider.
>
> These SPIs can generically render configuration for Provider instances
> in the admin console:
>
> * User Storage SPI
>
> * Mapper SPIs (broker and clients)
>
> * Authentication SPI config
>
> * Key management
>
> Unfortunately, they all use a slightly different mechanism.
User
> Storage SPI and Key management SPI do use the new Component SPI. Other
> SPIs will eventually be ported to use the generic mechanism.
>
>
> On 3/13/17 12:56 PM, Tomás García wrote:
> > Hi,
> >
> > I wonder if it's planned to add the possibility to make a UI (HTML) for a
> > custom provider, like having a Providers section in the Keycloak
> dashboard
> > menu where all of those providers with custom UI will appear. For
> > example, for a Keycloak custom API I've made, I want to let the admin
> > change a whitelist of clients used inside the provider. Right now, I'll
> > have to use the configuration stuff inside the standalone.xml file, which
> > means that the server must be reset each time.
> >
> > In this issue (https://issues.jboss.org/browse/KEYCLOAK-3605), Stian you
> > said:
> >
> > "I think you misunderstood me. We now have a generic component storage
> > mechanism that makes it easy to add configurable providers. It sorts out
> > persistence as well as UI automatically. To support that the Email Sender
> > SPI including UI screens have to be changed. IMO that should be done
> prior
> > to adding more options to the email sender. "
> >
> > Is this generic component storage mechanism going in this direction? Is
> > there an explanation somewhere about this mechanism? Example code?
> >
> > Thanks.
> > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From campbellg at teds.com Tue Mar 14 08:52:31 2017 From: campbellg at teds.com (Glenn Campbell) Date: Tue, 14 Mar 2017 08:52:31 -0400 Subject: [keycloak-user] kc_idp_hint for Kerberos Message-ID: Is there some mechanism similar to kc_idp_hint=login that will let me skip authentication via Kerberos ticket and let me log in via the Keycloak login page? My situation is that I have admin user accounts in my application but users don't log in to Windows with these accounts. So UserA logs in to Windows with his UserA account but sometimes needs to log in to my application as AdminX. I see that I can use impersonation from the Keycloak admin console to impersonate AdminX and then open a browser tab and go to my application and I'll be logged in to my application as AdminX. But this strategy is a little inconvenient for users to use on a daily basis. Not horrible by any means but I'm sure I'll get some complaints. More importantly these users are admins in my application but they are not Keycloak admins and I'd rather not have them mucking around in the Keycloak admin console. From mehdi.alishahi at gmail.com Tue Mar 14 09:29:54 2017 From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi) Date: Tue, 14 Mar 2017 14:29:54 +0100 Subject: [keycloak-user] Fwd: User Attributes in User Profile In-Reply-To: References: Message-ID: ---------- Forwarded message ---------- From: Mehdi Sheikhalishahi Date: Tue, Mar 14, 2017 at 8:35 AM Subject: User Attributes in User Profile To: keycloak-user Hi, How we can get/set user attributes through KC APIs or SDK? I could not find any resource. 
Also, I was wondering if it is possible to enable user attributes presentation as part of User Profile/Account in KC? Thanks, Mehdi From AChoimet.prestataire at voyages-sncf.com Tue Mar 14 09:49:16 2017 From: AChoimet.prestataire at voyages-sncf.com (Choimet Antoine) Date: Tue, 14 Mar 2017 13:49:16 +0000 Subject: [keycloak-user] Keycloak 2.5.4 - persistence of replicated cache Session to file ? Message-ID: <2aa02776ee714d84ac788d370a6e39e3@ECLIPSE.groupevsc.com> Hello, We want to keep the sessions after a restart of an entire cluster of keycloaks. Can we store the data of the sessions caches (and maybe others) to a file ? The purpose here is if the cluster goes down, he can recover sessions from files. So the restart can be the more transparent to the client. ANTOINE CHOIMET Ingenieur d'Etudes et Developpement From dt at zyres.com Tue Mar 14 09:59:10 2017 From: dt at zyres.com (Danny Trunk) Date: Tue, 14 Mar 2017 14:59:10 +0100 Subject: [keycloak-user] Custom password hash provider seems not getting triggered Message-ID: Hi, I've implemented a custom user storage provider and a custom password hash provider as the user storage doesn't use Pbkdf2. 
I added some logging to check if I can see it in the server.log but there's no output from my custom password hash provider:

    // Imports added for completeness (jboss-logging assumed for Logger). The class
    // as posted also relies on getSalt() and encode(String, String), helpers of the
    // poster that were not included in the message.
    import org.jboss.logging.Logger;
    import org.keycloak.credential.CredentialModel;
    import org.keycloak.credential.hash.PasswordHashProvider;
    import org.keycloak.credential.hash.PasswordHashProviderFactory;
    import org.keycloak.models.KeycloakSession;
    import org.keycloak.models.PasswordPolicy;
    import org.keycloak.models.UserCredentialModel;

    public class MyPasswordHashProvider implements PasswordHashProviderFactory, PasswordHashProvider {

        private static final Logger logger = Logger.getLogger(MyPasswordHashProvider.class);
        public static final String ID = "XX";

        // Factory side: the same object is handed out as the provider
        public PasswordHashProvider create(KeycloakSession session) {
            logger.info(">>>>>> Creating factory");
            return this;
        }

        public void close() {
            logger.info("<<<<<< Closing provider/factory");
        }

        // Provider side: hash a new password and record hash, salt and algorithm ID on the credential
        public void encode(String rawPassword, PasswordPolicy policy, CredentialModel credential) {
            logger.info("Encoding password");

            String salt = getSalt();
            String encodedPassword = encode(rawPassword, salt);

            credential.setType(UserCredentialModel.PASSWORD);
            credential.setValue(encodedPassword);
            credential.setSalt(salt.getBytes());
            credential.setAlgorithm(ID);

            logger.info("Credential model: " + credential);
        }
    }

In src/main/resources/META-INF/services I've created a file called org.keycloak.credential.hash.PasswordHashProviderFactory which contains the fully qualified class name (including package):

    com.example.keycloak.credential.hash.MyPasswordHashProvider

This is the log I can see while trying to login:

    2017-03-14 14:57:14,215 INFO [com.example.keycloak.storage.MyUserStorageProviderFactory] (default task-4) >>>>>> Creating factory
    2017-03-14 14:57:14,217 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=test, clientId=test, userId=f:dbXXXXbb-aXXf-XXXX-befb-XXXeaXcbXXbb:john.doe at example.com, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://XXX.XXX.XX.XX:8443/login.html, code_id=fbfXbXXX-dfdX-Xfba-bfXX-XXXXacXXXeXe, username=john.doe at example.com

Am I missing something?
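For reference, a complete provider of the kind the class above sketches. This is an added example, not code from the thread, from the poster's project or from Keycloak itself: it assumes the Keycloak 2.x PasswordHashProvider and PasswordHashProviderFactory signatures that the post above already uses; the package, class name and the ID "example-pbkdf2-sha256" are hypothetical, and PBKDF2WithHmacSHA256 from the JDK stands in for whatever algorithm the existing user store really uses. Compared with the sketch it fills in the remaining interface methods Keycloak calls (getId, init, postInit, verify, policyCheck) and the two details that make a stored password hash sound: a fresh random salt per credential and a constant-time comparison on verify.

```java
// Added example, not code from the thread or from Keycloak itself. It assumes the
// 2.x PasswordHashProvider / PasswordHashProviderFactory signatures used in the post
// above; package, class name and the "example-pbkdf2-sha256" ID are hypothetical.
package com.example.keycloak.credential.hash;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import org.keycloak.Config;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.credential.hash.PasswordHashProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.PasswordPolicy;
import org.keycloak.models.UserCredentialModel;

public class ExamplePasswordHashProvider implements PasswordHashProviderFactory, PasswordHashProvider {

    // The realm password policy has to reference this ID, e.g. hashAlgorithm(example-pbkdf2-sha256).
    public static final String ID = "example-pbkdf2-sha256";

    private static final int DEFAULT_ITERATIONS = 20000; // used only if the policy sets none
    private static final int SALT_BYTES = 16;
    private static final int DERIVED_KEY_BITS = 256;

    private final SecureRandom random = new SecureRandom();

    // ---- ProviderFactory side: one instance serves the whole server ----
    @Override public String getId() { return ID; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public PasswordHashProvider create(KeycloakSession session) { return this; }
    @Override public void close() { }

    // ---- Provider side: called by Keycloak's credential store for locally stored passwords ----
    @Override
    public void encode(String rawPassword, PasswordPolicy policy, CredentialModel credential) {
        int iterations = iterationsFor(policy);
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);                    // fresh random salt per credential

        credential.setType(UserCredentialModel.PASSWORD);
        credential.setAlgorithm(ID);               // verify() is dispatched on this value later
        credential.setHashIterations(iterations);
        credential.setSalt(salt);
        credential.setValue(derive(rawPassword, salt, iterations));
    }

    @Override
    public boolean verify(String rawPassword, CredentialModel credential) {
        if (credential.getValue() == null || credential.getSalt() == null) {
            return false;
        }
        byte[] expected = credential.getValue().getBytes(StandardCharsets.UTF_8);
        byte[] actual = derive(rawPassword, credential.getSalt(), credential.getHashIterations())
                .getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    // Tells Keycloak whether a stored hash still matches the current policy, so that
    // it can decide to re-encode the password with the current settings.
    @Override
    public boolean policyCheck(PasswordPolicy policy, CredentialModel credential) {
        return ID.equals(credential.getAlgorithm())
                && credential.getHashIterations() == iterationsFor(policy);
    }

    private static int iterationsFor(PasswordPolicy policy) {
        int iterations = policy.getHashIterations();
        return iterations > 0 ? iterations : DEFAULT_ITERATIONS;
    }

    private static String derive(String rawPassword, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(rawPassword.toCharArray(), salt, iterations, DERIVED_KEY_BITS);
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return Base64.getEncoder().encodeToString(factory.generateSecret(spec).getEncoded());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 derivation failed", e);
        }
    }
}
```

Registration is the same META-INF/services/org.keycloak.credential.hash.PasswordHashProviderFactory file as in the post, naming this class. Two things are worth checking in a setup like the one above, stated as my understanding of the 2.x SPI rather than as something the thread confirms: Keycloak selects the hash provider from the realm's password policy (the hashAlgorithm policy, which must name this ID; a realm left on the default pbkdf2 never calls it), and it does so only for passwords held in its own credential store, so a user storage provider that validates passwords itself (through CredentialInputValidator) answers the login before any hash provider is consulted.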
From bburke at redhat.com Tue Mar 14 11:21:48 2017 From: bburke at redhat.com (Bill Burke) Date: Tue, 14 Mar 2017 11:21:48 -0400 Subject: [keycloak-user] Custom password hash provider seems not getting triggered In-Reply-To: References: Message-ID: <0c3ba3be-06bf-892e-b5d9-4907d58243b5@redhat.com> Hmm, the log message should be popping up. How are you deploying your hash provider? Is it in the same jar as the User Storage Provider? How do you deploy this jar? What version of Keycloak? On 3/14/17 9:59 AM, Danny Trunk wrote: > Hi, > > I've implemented a custom user storage provider and a custom password > hash provider as the user storage doesn't use Pbkdf2. > I added some logging to check if I can see it in the server.log but > there's no output from my custom password hash provider: > > public class MyPasswordHashProvider implements > PasswordHashProviderFactory, PasswordHashProvider { > > private static final Logger logger = > Logger.getLogger(MyPasswordHashProvider.class); > public static final String ID = "XX"; > > public PasswordHashProvider create(KeycloakSession session) { > logger.info(">>>>>> Creating factory"); > return this; > } > > public void close() { > logger.info("<<<<<< Closing provider/factory"); > } > > public void encode(String rawPassword, PasswordPolicy policy, > CredentialModel credential) { > logger.info("Encoding password"); > > String salt = getSalt(); > String encodedPassword = encode(rawPassword, salt); > > credential.setType(UserCredentialModel.PASSWORD); > credential.setValue(encodedPassword); > credential.setSalt(salt.getBytes()); > credential.setAlgorithm(ID); > > logger.info("Credential model: " + credential); > } > } > > In src/main/resources/META-INF/services I've created a file called > org.keycloak.credential.hash.PasswordHashProviderFactory which contains > the fully qualified class name (including package): > com.example.keycloak.credential.hash.MyPasswordHashProvider > > This is the log I can see while trying to login: > 
2017-03-14 14:57:14,215 INFO > [com.example.keycloak.storage.MyUserStorageProviderFactory] (default > task-4) >>>>>> Creating factory > 2017-03-14 14:57:14,217 WARN [org.keycloak.events] (default task-4) > type=LOGIN_ERROR, realmId=test, clientId=test, > userId=f:dbXXXXbb-aXXf-XXXX-befb-XXXeaXcbXXbb:john.doe at example.com, > ipAddress=127.0.0.1, error=invalid_user_credentials, > auth_method=openid-connect, auth_type=code, > redirect_uri=https://XXX.XXX.XX.XX:8443/login.html, > code_id=fbfXbXXX-dfdX-Xfba-bfXX-XXXXacXXXeXe, username=john.doe at example.com > > Do I miss something? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From juan.amat at nokia.com Tue Mar 14 11:24:45 2017 From: juan.amat at nokia.com (Amat, Juan (Nokia - US)) Date: Tue, 14 Mar 2017 15:24:45 +0000 Subject: [keycloak-user] Session already invalidated In-Reply-To: <324b6d47-ff05-992d-58fc-1db4626dadf7@redhat.com> References: <6811b50f-c404-9143-6a93-5c565b88a0fb@redhat.com> <324b6d47-ff05-992d-58fc-1db4626dadf7@redhat.com> Message-ID: > > And please tell me why this would be 'unsafe'? > Yes. For example scenario like this: > - You login to the "bank account" application > - You can see the details of you bank account now > - You click "Logout". In case, that this will logout you, but won't invalidate the > session, then anyone who came to the computer after you will see the details > about your bank account [JA] Hmm? How would you see the details? If the bank account app stores confidential information related to the authenticated user, then it should clean it up before calling HttpServletRequest.logout. And even if it does not clean it up, it will not magically show up. IOW yes there could be bug but then this another story. > > I personally never saw web application where logout doesn't invalidate > httpSession as well. 
[JA] Maybe but this is up to the application to decide what to do. And again wildfly will not do it. > > I can understand some data might be persistent even after logout (eg. > locale). In this case, you can use separate cookie and separate storage, which > will be persistent among logouts. [JA] For me it is up to the application to decide to keep the session or not. > But I guess that's not related to your usecase? [JA] Correct, we do invalidate the session so this does not concern our use case. But it may affect other users. > > Another thing is, that in the last mail of the thread you referenced, it's > mentioned that there is bug in undertow. It will be fixed in undertow 1.4.7.Final. > So once it's possible to have Wildfly upgraded to this version, it won't be needed > to have try/catch block anymore. [JA] Can you point me to the undertow ticket? I seem to remember reading some ticket where they wanted to fix a similar issue but decided against as anyway there is a still a time window when the session can be invalidated by another thread. From juan.amat at nokia.com Tue Mar 14 12:20:51 2017 From: juan.amat at nokia.com (Amat, Juan (Nokia - US)) Date: Tue, 14 Mar 2017 16:20:51 +0000 Subject: [keycloak-user] Session already invalidated Message-ID: > > > > Another thing is, that in the last mail of the thread you referenced, > > it's mentioned that there is bug in undertow. It will be fixed in undertow > 1.4.7.Final. > > So once it's possible to have Wildfly upgraded to this version, it > > won't be needed to have try/catch block anymore. > [JA] > Can you point me to the undertow ticket? I seem to remember reading some > ticket where they wanted to fix a similar issue but decided against as anyway > there is a still a time window when the session can be invalidated by another > thread. [JA] I probably got confused I was referring to this ticket: https://issues.jboss.org/browse/UNDERTOW-909 And indeed it was fixed in 1.4.7.Final. Not sure if this the same use case. 
In any case, ideally for me, Keycloak could have an 'invalidateSessionOnLogout' flag (as undertow has). By default it could be set to 'true' to keep the existing behavior, but then applications could change it.

From marcelo.nardelli at gmail.com Tue Mar 14 13:10:58 2017
From: marcelo.nardelli at gmail.com (Marcelo Nardelli)
Date: Tue, 14 Mar 2017 14:10:58 -0300
Subject: [keycloak-user] Integration with legacy systems
In-Reply-To: <862f7c45-548f-3eed-ad38-b7a98703cc11@redhat.com>
References: <862f7c45-548f-3eed-ad38-b7a98703cc11@redhat.com>
Message-ID:

Ok, I'll take a look at that. Thanks again, Marek!

Marcelo Nardelli

On Tue, Mar 14, 2017 at 4:53 AM, Marek Posolda wrote:
> On 13/03/17 15:49, Marcelo Nardelli wrote:
>
> Thanks for answering, Marek
>
> Are there any examples on how to implement a custom LDAP mapper? The
> information I need is not on LDAP, so the mapper would need to query the
> other system. If I can't make that work, I'll probably go with the option
> of trying to make the other system notify keycloak through the admin REST
> API.
>
> Nope. This is considered a private SPI, so there is no example. You can take a look
> at the Keycloak codebase for an example of how to implement an LDAP mapper. For
> example the class GroupLDAPStorageMapper.
>
> Marek
>
>
> Marcelo Nardelli
>
> On Mon, Mar 13, 2017 at 5:50 AM, Marek Posolda
> wrote:
>
>> On 10/03/17 18:41, Marcelo Nardelli wrote:
>>
>>> Hello,
>>>
>>> We recently started using Keycloak in our organization but we are not
>>> sure
>>> which approach would be best to use when there are some user permissions
>>> that rely on information managed by other systems (legacy systems that we
>>> have).
>>> >>> In our specific case, we have the following setup: >>> >>> - A Keycloak server integrated with LDAP to retrieve users >>> - A Java backend protected by Bearer Token >>> - A Javascript frontend developed in EmberJS that accesses the Java >>> backend >>> >>> One of the requirements we have is the following: >>> >>> - Users who have a certain managerial position must have a common set of >>> permissions. >>> >>> To meet this requirement, we created a group, included the relevant >>> users, >>> and assigned the appropriate permissions (roles) to the group. This works >>> fine for us. >>> >>> However, we have a legacy system that manages the positions that a user >>> assumes in the organization, so that a user who today holds a management >>> position may no longer have that position tomorrow in the legacy system. >>> When he loses the management position, someone needs to be warned and >>> manually remove the user from the Keycloak group. >>> >>> Ideally, we would like this process not to be so manual. Which approaches >>> would be recommended for this situation? >>> >>> - Make the legacy system somehow access Keycloak to remove users from the >>> group when needed >>> >> That should work. We have admin REST API, which can be used to remove >> user from some group. So if you can somehow notify that change in legacy >> system will invoke this REST API, you should be fine. >> >>> - Make our application query the legacy system to verify that the >>> permissions that are on the token are appropriate for the user's current >>> position >>> >> That can work too, but question here is performance. >> >>> - Change the keycloak in some way to query the legacy system and >>> determine >>> based on this information whether the user should receive the permissions >>> >> That can finally work too. If your users are in LDAP and the information >> about group membership is in LDAP too, you can use our builtin LDAP Group >> mapper. 
That will mean that Keycloak will be able to retrieve group
>> memberships from LDAP. If this information is somewhere else, but still,
>> your users are in LDAP, you can possibly implement a new LDAP mapper, which
>> will be able to query your 3rd party system. But note that we have caching
>> for LDAP, so Keycloak may not be immediately aware of the change in the legacy
>> system.
>>
>> In short, the last solution is the best in case your group membership
>> can be retrieved from LDAP. Otherwise probably the first one, as long as you
>> can be automatically notified by your legacy system. It really depends on the
>> details of your use case which solution is best.
>>
>> Marek
>>
>>>
>>> Thanks for the attention
>>>
>>> Marcelo Nardelli
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>
>

From celso.agra at gmail.com Tue Mar 14 13:50:09 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Tue, 14 Mar 2017 14:50:09 -0300
Subject: [keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration
In-Reply-To:
References: <3bfbc7e6-ed2e-f0ae-5150-4e295153fbbd@redhat.com> <40ffbf48-670a-dbff-6de8-46983bde2bb0@redhat.com>
Message-ID:

Hi all,

I saw an example about LDAP and Keycloak integration here . So, it is running with the ApacheDS LDAP server. I was thinking, would it be possible to run this integration with the *slapd* tool? Also, I'm using a schema instead of an ldif structure. Could that be a problem?

Thanks!

2017-03-10 10:40 GMT-03:00 Celso Agra :
> I'm using slapd.
>
> Here are the object classes that I'm using: top, inetOrgPerson, person,
> organizationalPerson, phpgwAccount, shadowAccount
>
>
> 2017-03-10 7:41 GMT-03:00 Marek Posolda :
>
>> This looks like a bad LDAP mapping for username and UUID. Which LDAP are
>> you using btv?
>> >> Marek >> >> >> On 09/03/17 16:03, Celso Agra wrote: >> >> Hi, >> >> I solved this error, just removing the MSAD account controls, but now I'm >> getting a new error, when I finished my registration: >> here is the log: >> >> 2017-03-09 11:58:00,375 ERROR [io.undertow.request] (default task-1) >>> UT005023: Exception handling request to /auth/realms/myrealm/login-actions/required-action: >>> org.jboss.resteasy.spi.UnhandledException: >>> java.lang.NullPointerException >>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx >>> ception(ExceptionHandler.java:76) >>> at org.jboss.resteasy.core.ExceptionHandler.handleException(Exc >>> eptionHandler.java:212) >>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException >>> (SynchronousDispatcher.java:168) >>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >>> nousDispatcher.java:411) >>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >>> nousDispatcher.java:202) >>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >>> spatcher.service(ServletContainerDispatcher.java:221) >>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>> her.service(HttpServletDispatcher.java:56) >>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>> her.service(HttpServletDispatcher.java:51) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se >>> rvletHandler.java:85) >>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >>> oFilter(FilterHandler.java:129) >>> at org.keycloak.services.filters.KeycloakSessionServletFilter.d >>> oFilter(KeycloakSessionServletFilter.java:90) >>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte >>> r.java:60) >>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >>> oFilter(FilterHandler.java:131) >>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil >>> terHandler.java:84) 
>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan >>> dler.handleRequest(ServletSecurityRoleHandler.java:62) >>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl >>> eRequest(ServletDispatchingHandler.java:36) >>> at org.wildfly.extension.undertow.security.SecurityContextAssoc >>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >>> redicateHandler.java:43) >>> at io.undertow.servlet.handlers.security.SSLInformationAssociat >>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>> at io.undertow.servlet.handlers.security.ServletAuthenticationC >>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >>> redicateHandler.java:43) >>> at io.undertow.security.handlers.AbstractConfidentialityHandler >>> .handleRequest(AbstractConfidentialityHandler.java:46) >>> at io.undertow.servlet.handlers.security.ServletConfidentiality >>> ConstraintHandler.handleRequest(ServletConfident >>> ialityConstraintHandler.java:64) >>> at io.undertow.security.handlers.AuthenticationMechanismsHandle >>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes >>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>> at io.undertow.security.handlers.NotificationReceiverHandler.ha >>> ndleRequest(NotificationReceiverHandler.java:50) >>> at io.undertow.security.handlers.AbstractSecurityContextAssocia >>> tionHandler.handleRequest(AbstractSecurityContextAssociation >>> Handler.java:43) >>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >>> redicateHandler.java:43) >>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa >>> ndler.handleRequest(JACCContextIdHandler.java:61) >>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >>> 
redicateHandler.java:43) >>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >>> redicateHandler.java:43) >>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir >>> stRequest(ServletInitialHandler.java:284) >>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR >>> equest(ServletInitialHandler.java:263) >>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00 >>> 0(ServletInitialHandler.java:81) >>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR >>> equest(ServletInitialHandler.java:174) >>> at io.undertow.server.Connectors.executeRootHandler(Connectors. >>> java:202) >>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan >>> ge.java:793) >>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>> Executor.java:1142) >>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>> lExecutor.java:617) >>> at java.lang.Thread.run(Thread.java:745) >>> Caused by: java.lang.NullPointerException >>> at org.keycloak.events.EventBuilder.user(EventBuilder.java:103) >>> at org.keycloak.services.resources.LoginActionsService.initEven >>> t(LoginActionsService.java:815) >>> at org.keycloak.services.resources.LoginActionsService.access$ >>> 500(LoginActionsService.java:88) >>> at org.keycloak.services.resources.LoginActionsService$Checks. 
>>> verifyRequiredAction(LoginActionsService.java:297) >>> at org.keycloak.services.resources.LoginActionsService.processR >>> equireAction(LoginActionsService.java:853) >>> at org.keycloak.services.resources.LoginActionsService.required >>> ActionGET(LoginActionsService.java:846) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >>> ssorImpl.java:62) >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>> thodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke(Method.java:498) >>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje >>> ctorImpl.java:139) >>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget >>> (ResourceMethodInvoker.java:295) >>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc >>> eMethodInvoker.java:249) >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge >>> tObject(ResourceLocatorInvoker.java:138) >>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour >>> ceLocatorInvoker.java:101) >>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >>> nousDispatcher.java:395) >>> ... 37 more >> >> >> >> >> >> 2017-03-09 9:47 GMT-03:00 Celso Agra : >> >>> Got it! >>> >>> But I haven't seen the pwdLastSet here in my LDAP`mappers. I'm using the >>> "Edit Mode" as WRITABLE, but I'm not setting this attribute. >>> Here is my attributes: >>> >>>> cn >>>> MSAD account controls >>>> cpf >>>> creation date >>>> email >>>> first name >>>> last name >>>> modify date >>>> phpgwAccountStatus >>>> username >>> >>> >>> Thanks!! >>> >>> Best Regards, >>> >>> Celso Agra >>> >>> 2017-03-09 5:46 GMT-03:00 Marek Posolda : >>> >>>> Hi, >>>> >>>> The error may indicate that you configured "pwdLastSet" attribute >>>> mapper in Keycloak to write into the LDAP, but it looks that writing this >>>> attribute is unsupported. Maybe switch this mapper to read-only will help? 
>>>> >>>> Marek >>>> >>>> >>>> On 08/03/17 15:29, Celso Agra wrote: >>>> >>>>> Hi all, >>>>> >>>>> I'm trying to configure KC with LDAP, but some errors are occurring. >>>>> First, I configured my LDAP to write in the LDAP server, but for some >>>>> reasons I got this error when I try to register an user: >>>>> >>>>> 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) >>>>> >>>>>> KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelExcep >>>>>> tion: >>>>>> Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,dc=aa] >>>>>> >>>>> at org.keycloak.federation.ldap.i >>>>> dm.store.ldap.LDAPOperationManager. >>>>> >>>>>> modifyAttributes(LDAPOperationManager.java:410) >>>>>> >>>>> at org.keycloak.federation.ldap.i >>>>> dm.store.ldap.LDAPOperationManager. >>>>> >>>>>> modifyAttributes(LDAPOperationManager.java:104) >>>>>> >>>>> at org.keycloak.federation.ldap.idm.store.ldap. >>>>> >>>>>> LDAPIdentityStore.update(LDAPIdentityStore.java:105) >>>>>> >>>>> at org.keycloak.federation.ldap.mappers.msad. >>>>> >>>>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( >>>>>> MSADUserAccountControlMapper.java:235) >>>>>> >>>>> at org.keycloak.federation.ldap.mappers.msad. >>>>> >>>>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction( >>>>>> MSADUserAccountControlMapper.java:220) >>>>>> >>>>> at org.keycloak.models.utils.User >>>>> ModelDelegate.addRequiredAction( >>>>> >>>>>> UserModelDelegate.java:112) >>>>>> >>>>> at org.keycloak.authentication.forms.RegistrationPassword. >>>>> >>>>>> success(RegistrationPassword.java:101) >>>>>> >>>>> at org.keycloak.authentication.Fo >>>>> rmAuthenticationFlow.processAction( >>>>> >>>>>> FormAuthenticationFlow.java:234) >>>>>> >>>>> at org.keycloak.authentication.DefaultAuthenticationFlow. >>>>> >>>>>> processAction(DefaultAuthenticationFlow.java:76) >>>>>> >>>>> at org.keycloak.authentication.AuthenticationProcessor. 
>>>>> >>>>>> authenticationAction(AuthenticationProcessor.java:759) >>>>>> >>>>> at org.keycloak.services.resource >>>>> s.LoginActionsService.processFlow( >>>>> >>>>>> LoginActionsService.java:356) >>>>>> >>>>> at org.keycloak.services.resources.LoginActionsService. >>>>> >>>>>> processRegistration(LoginActionsService.java:477) >>>>>> >>>>> at org.keycloak.services.resources.LoginActionsService. >>>>> >>>>>> processRegister(LoginActionsService.java:535) >>>>>> >>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native >>>>> Method) >>>>> >>>>> at sun.reflect.NativeMethodAccessorImpl.invoke( >>>>> >>>>>> NativeMethodAccessorImpl.java:62) >>>>>> >>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke( >>>>> >>>>>> DelegatingMethodAccessorImpl.java:43) >>>>>> >>>>> at java.lang.reflect.Method.invoke(Method.java:498) >>>>> >>>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >>>>> >>>>>> MethodInjectorImpl.java:139) >>>>>> >>>>> at org.jboss.resteasy.core.Resour >>>>> ceMethodInvoker.invokeOnTarget( >>>>> >>>>>> ResourceMethodInvoker.java:295) >>>>>> >>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( >>>>> >>>>>> ResourceMethodInvoker.java:249) >>>>>> >>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker. >>>>> >>>>>> invokeOnTargetObject(ResourceLocatorInvoker.java:138) >>>>>> >>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>>>> >>>>>> ResourceLocatorInvoker.java:101) >>>>>> >>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>>>> >>>>>> SynchronousDispatcher.java:395) >>>>>> >>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>>>> >>>>>> SynchronousDispatcher.java:202) >>>>>> >>>>> at org.jboss.resteasy.plugins.server.servlet. >>>>> >>>>>> ServletContainerDispatcher.service(ServletContainerDispatche >>>>>> r.java:221) >>>>>> >>>>> at org.jboss.resteasy.plugins.server.servlet. 
>>>>> >>>>>> HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>>>> >>>>> at org.jboss.resteasy.plugins.server.servlet. >>>>> >>>>>> HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>>>> >>>>> at javax.servlet.http.HttpServlet >>>>> .service(HttpServlet.java:790) >>>>> >>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest( >>>>> >>>>>> ServletHandler.java:85) >>>>>> >>>>> at io.undertow.servlet.handlers.F >>>>> ilterHandler$FilterChainImpl. >>>>> >>>>>> doFilter(FilterHandler.java:129) >>>>>> >>>>> at org.keycloak.services.filters. >>>>> KeycloakSessionServletFilter. >>>>> >>>>>> doFilter(KeycloakSessionServletFilter.java:90) >>>>>> >>>>> at io.undertow.servlet.core.ManagedFilter.doFilter( >>>>> >>>>>> ManagedFilter.java:60) >>>>>> >>>>> at io.undertow.servlet.handlers.F >>>>> ilterHandler$FilterChainImpl. >>>>> >>>>>> doFilter(FilterHandler.java:131) >>>>>> >>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest( >>>>> >>>>>> FilterHandler.java:84) >>>>>> >>>>> at io.undertow.servlet.handlers.s >>>>> ecurity.ServletSecurityRoleHandler. >>>>> >>>>>> handleRequest(ServletSecurityRoleHandler.java:62) >>>>>> >>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler. >>>>> >>>>>> handleRequest(ServletDispatchingHandler.java:36) >>>>>> >>>>> at org.wildfly.extension.undertow.security. >>>>> >>>>>> SecurityContextAssociationHandler.handleRequest( >>>>>> SecurityContextAssociationHandler.java:78) >>>>>> >>>>> at io.undertow.server.handlers.Pr >>>>> edicateHandler.handleRequest( >>>>> >>>>>> PredicateHandler.java:43) >>>>>> >>>>> at io.undertow.servlet.handlers.security. >>>>> >>>>>> SSLInformationAssociationHandler.handleRequest( >>>>>> SSLInformationAssociationHandler.java:131) >>>>>> >>>>> at io.undertow.servlet.handlers.security. 
>>>>> >>>>>> ServletAuthenticationCallHandler.handleRequest( >>>>>> ServletAuthenticationCallHandler.java:57) >>>>>> >>>>> at io.undertow.server.handlers.Pr >>>>> edicateHandler.handleRequest( >>>>> >>>>>> PredicateHandler.java:43) >>>>>> >>>>> at io.undertow.security.handlers. >>>>> AbstractConfidentialityHandler >>>>> >>>>>> .handleRequest(AbstractConfidentialityHandler.java:46) >>>>>> >>>>> at io.undertow.servlet.handlers.security. >>>>> >>>>>> ServletConfidentialityConstraintHandler.handleRequest( >>>>>> ServletConfidentialityConstraintHandler.java:64) >>>>>> >>>>> at io.undertow.security.handlers. >>>>> AuthenticationMechanismsHandle >>>>> >>>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>>> >>>>> at io.undertow.servlet.handlers.security. >>>>> >>>>>> CachedAuthenticatedSessionHandler.handleRequest( >>>>>> CachedAuthenticatedSessionHandler.java:77) >>>>>> >>>>> at io.undertow.security.handlers.NotificationReceiverHandler. >>>>> >>>>>> handleRequest(NotificationReceiverHandler.java:50) >>>>>> >>>>> at io.undertow.security.handlers. >>>>> AbstractSecurityContextAssocia >>>>> >>>>>> tionHandler.handleRequest(AbstractSecurityContextAssocia >>>>>> tionHandler.java:43) >>>>>> >>>>> at io.undertow.server.handlers.Pr >>>>> edicateHandler.handleRequest( >>>>> >>>>>> PredicateHandler.java:43) >>>>>> >>>>> at org.wildfly.extension.undertow.security.jacc. >>>>> >>>>>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>>>> >>>>> at io.undertow.server.handlers.Pr >>>>> edicateHandler.handleRequest( >>>>> >>>>>> PredicateHandler.java:43) >>>>>> >>>>> at io.undertow.server.handlers.Pr >>>>> edicateHandler.handleRequest( >>>>> >>>>>> PredicateHandler.java:43) >>>>>> >>>>> at io.undertow.servlet.handlers.ServletInitialHandler. >>>>> >>>>>> handleFirstRequest(ServletInitialHandler.java:284) >>>>>> >>>>> at io.undertow.servlet.handlers.ServletInitialHandler. 
>>>>> >>>>>> dispatchRequest(ServletInitialHandler.java:263) >>>>>> >>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$ >>>>> >>>>>> 000(ServletInitialHandler.java:81) >>>>>> >>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1. >>>>> >>>>>> handleRequest(ServletInitialHandler.java:174) >>>>>> >>>>> at io.undertow.server.Connectors. >>>>> executeRootHandler(Connectors. >>>>> >>>>>> java:202) >>>>>> >>>>> at io.undertow.server.HttpServerExchange$1.run( >>>>> >>>>>> HttpServerExchange.java:793) >>>>>> >>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker( >>>>> >>>>>> ThreadPoolExecutor.java:1142) >>>>>> >>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run( >>>>> >>>>>> ThreadPoolExecutor.java:617) >>>>>> >>>>> at java.lang.Thread.run(Thread.java:745) >>>>> >>>>> Caused by: javax.naming.directory.InvalidAttributeIdentifierException: >>>>> >>>>>> [LDAP: error code 17 - pwdLastSet: attribute type undefined]; >>>>>> remaining >>>>>> name 'uid=11111111111,dc=zz,dc=dd,dc=aa' >>>>>> >>>>> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205) >>>>> >>>>> at com.sun.jndi.ldap.LdapCtx.proc >>>>> essReturnCode(LdapCtx.java:3082) >>>>> >>>>> at com.sun.jndi.ldap.LdapCtx.proc >>>>> essReturnCode(LdapCtx.java:2888) >>>>> >>>>> at com.sun.jndi.ldap.LdapCtx.c_mo >>>>> difyAttributes(LdapCtx.java:1475) >>>>> >>>>> at com.sun.jndi.toolkit.ctx.Compo >>>>> nentDirContext.p_modifyAttributes( >>>>> >>>>>> ComponentDirContext.java:277) >>>>>> >>>>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. >>>>> >>>>>> modifyAttributes(PartialCompositeDirContext.java:192) >>>>>> >>>>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. 
>>>>> >>>>>> modifyAttributes(PartialCompositeDirContext.java:181) >>>>>> >>>>> at javax.naming.directory.InitialDirContext.modifyAttributes( >>>>> >>>>>> InitialDirContext.java:167) >>>>>> >>>>> at javax.naming.directory.InitialDirContext.modifyAttributes( >>>>> >>>>>> InitialDirContext.java:167) >>>>>> >>>>> at org.keycloak.federation.ldap.idm.store.ldap. >>>>> >>>>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:405) >>>>>> >>>>> at org.keycloak.federation.ldap.idm.store.ldap. >>>>> >>>>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:402) >>>>>> >>>>> at org.keycloak.federation.ldap.idm.store.ldap. >>>>> >>>>>> LDAPOperationManager.execute(LDAPOperationManager.java:535) >>>>>> >>>>> at org.keycloak.federation.ldap.i >>>>> dm.store.ldap.LDAPOperationManager. >>>>> >>>>>> modifyAttributes(LDAPOperationManager.java:402) >>>>>> >>>>> ... 59 more >>>>> >>>>> 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) >>>>> >>>>>> type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null, >>>>>> ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, >>>>>> auth_method=openid-connect, auth_type=code, redirect_uri= >>>>>> http://127.0.0.1: >>>>>> 8080/teste-portal/ >>>>>> >>>>> >>>>> and then, I got this result in my ldap: >>>>> >>>>> dn: uid=11111111111,dc=zz,dc=dd,dc=aa >>>>> >>>>> givenName:: IA== >>>>> >>>>> uid: 11111111111 >>>>> >>>>> objectClass: top >>>>> >>>>> objectClass: inetOrgPerson >>>>> >>>>> objectClass: person >>>>> >>>>> objectClass: organizationalPerson >>>>> >>>>> objectClass: phpgwAccount >>>>> >>>>> objectClass: shadowAccount >>>>> >>>>> sn:: IA== >>>>> >>>>> cn:: IA== >>>>> >>>>> structuralObjectClass: inetOrgPerson >>>>> >>>>> entryUUID: 07f0e7caxxxxxxxxxxx >>>>> >>>>> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa >>>>> >>>>> createTimestamp: 20170308140529Z >>>>> >>>>> entryCSN: 20170308140529.527857Z#000000#000#000000 >>>>> >>>>> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa >>>>> >>>>> modifyTimestamp: 
20170308140529Z
>>>>>
>>>>> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and
>>>>> givenName as 'IA=='. It looks like some problem occurs in my
>>>>> configuration.
>>>>>
>>>>> please, need help!!
>>>>>
>>>>> Best Regards,
>>>>>
>>>>
>>> --
>>> ---
>>> *Celso Agra*
>>
>> --
>> ---
>> *Celso Agra*
>
> --
> ---
> *Celso Agra*

--
---
*Celso Agra*

From imxxx021 at umn.edu Tue Mar 14 13:57:18 2017
From: imxxx021 at umn.edu (Danny Im)
Date: Tue, 14 Mar 2017 12:57:18 -0500
Subject: [keycloak-user] Unable to create keycloak admin client instance: class loader issue
In-Reply-To:
References:
Message-ID:

Ah, using the KeycloakSession within the custom listener is much easier. Thanks!

On Mon, Mar 13, 2017 at 4:38 PM, Marko Strukelj wrote:
> There should be a better way to access admin services within the same
> container than by trying to do HTTP calls to Admin REST API.
>
> Inside your custom listener you have access to a KeycloakSession, and
> through it to all the system components you may wish for - you should
> definitely use these rather than the roundabout way via DNS + HTTP +
> Authentication + REST serialization / deserialization.
>
> On Mon, Mar 13, 2017 at 8:43 PM, Danny Im wrote:
>
>> Hi,
>>
>> I'm trying to use the admin client (version 2.5.1) from within a custom
>> Event Listener Provider, and when I try creating an instance of the admin
>> client (via a call to the getInstance method of the
>> org.keycloak.admin.client.Keycloak class), I get the following error:
>>
>> ERROR [io.undertow.request] (default task-14) UT005023: Exception handling
>> request to /auth/admin/realms/master/events/config:
>> org.jboss.resteasy.spi.UnhandledException:
>> java.lang.IllegalArgumentException: interface
>> org.keycloak.admin.client.token.TokenService is not visible from class
>> loader
>>
>> Attached is the stack trace.
>>
>> Any idea why this is happening?
>>
>> Thanks!
>>
>> --
>> Danny Im
>> Software Developer
>> Polar Geospatial Center
>> University of Minnesota
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Danny Im
Software Developer
Polar Geospatial Center
University of Minnesota

From imxxx021 at umn.edu Tue Mar 14 14:17:06 2017
From: imxxx021 at umn.edu (Danny Im)
Date: Tue, 14 Mar 2017 13:17:06 -0500
Subject: [keycloak-user] Is there a pre-save event
In-Reply-To: <0bef7355-55b1-65a1-dd7a-28c08a48cdf6@redhat.com>
References: <0bef7355-55b1-65a1-dd7a-28c08a48cdf6@redhat.com>
Message-ID:

Thanks for the suggestion, I tried throwing a ModelException from within my custom event listener provider's onEvent method but the user still got created.

On Thu, Mar 9, 2017 at 2:15 AM, Marek Posolda wrote:
> AFAIK we don't have any additional validation for creating user through
> admin REST API. But I can see that "success" event in
> UsersResource.createUser is invoked even before the transaction commit
> happened. So I think that if you do the validations in your event listener
> and throw the ModelException from it, it will cause the transaction
> rollback and user won't be written to DB.
>
> Maybe there is some space for improvement in our API (eg. infinispan has
> both "pre" and "post" events), however this one above should work too.
>
> Marek
>
> On 08/03/17 19:13, Danny Im wrote:
>
>> Hi,
>>
>> I'm implementing an Event Listener Provider, and was wondering if there is
>> a way to add some functionality before an object is created or updated. In
>> my case, I would like to do some extra validation on incoming fields before
>> a user is created within keycloak.
>>
>> In the javadoc:
>> http://www.keycloak.org/docs-api/2.5/javadocs/index.html
>> under org.keycloak.events.admin.OperationType I only see four actions:
>> ACTION, CREATE, DELETE, and UPDATE
>>
>> Thanks!
>

--
Danny Im
Software Developer
Polar Geospatial Center
University of Minnesota

From mposolda at redhat.com Tue Mar 14 15:40:40 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 14 Mar 2017 20:40:40 +0100
Subject: [keycloak-user] kc_idp_hint for Kerberos
In-Reply-To:
References:
Message-ID: <24fd7e7a-d133-72b7-07de-3143432880dc@redhat.com>

I see your concerns. ATM there is nothing available OOTB, but OIDC specification has some support for authentication levels, which we plan to add. Then you will be able to define in your application if you want "normal" level login (which can use Kerberos) or "admin" level login (which won't use kerberos).

Until that, you will need to subclass SpnegoAuthenticator and do something on your own.

Marek

On 14/03/17 13:52, Glenn Campbell wrote:
> Is there some mechanism similar to kc_idp_hint=login that will let me skip
> authentication via Kerberos ticket and let me log in via the Keycloak login
> page?
>
> My situation is that I have admin user accounts in my application but users
> don't log in to Windows with these accounts. So UserA logs in to Windows
> with his UserA account but sometimes needs to log in to my application as
> AdminX.
>
> I see that I can use impersonation from the Keycloak admin console to
> impersonate AdminX and then open a browser tab and go to my application and
> I'll be logged in to my application as AdminX. But this strategy is a
> little inconvenient for users to use on a daily basis. Not horrible by any
> means but I'm sure I'll get some complaints. More importantly these users
> are admins in my application but they are not Keycloak admins and I'd
> rather not have them mucking around in the Keycloak admin console.

From mposolda at redhat.com Tue Mar 14 15:47:40 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 14 Mar 2017 20:47:40 +0100
Subject: [keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration
In-Reply-To:
References: <3bfbc7e6-ed2e-f0ae-5150-4e295153fbbd@redhat.com> <40ffbf48-670a-dbff-6de8-46983bde2bb0@redhat.com>
Message-ID: <8f74a41f-3e4e-d316-1d95-68818477041a@redhat.com>

On 14/03/17 18:50, Celso Agra wrote:
> Hi all,
>
> I saw an example about LDAP and Keycloak integration here
> .
>
> So, it is running with ApacheDS LDAP server. I was thinking, would be
> possible run this integration with *slapd* tool? Also, I'm using
> schema instead of ldif structure. It could be a problem?

This example is just a "quickstart" to quickly show LDAP in action. It uses ApacheDS just because it's Java based LDAP, which easily runs everywhere just by executing "mvn exec:java" without additional steps needed and without a need to install something at OS level etc.

I never tried this example with slapd. I think the most things will work, but devil is in details, so not sure at 100%.

Marek

> Thanks!
>
> 2017-03-10 10:40 GMT-03:00 Celso Agra:
>
> I'm using slapd.
>
> Here is the object classes that I'm using: top, inetOrgPerson,
> person, organizationalPerson, phpgwAccount, shadowAccount
>
> 2017-03-10 7:41 GMT-03:00 Marek Posolda:
>
> This looks like bad LDAP mapping for username and UUID. Which
> LDAP are you using btv?
> > Marek > > > On 09/03/17 16:03, Celso Agra wrote: >> Hi, >> >> I solved this error, just removing the MSAD account controls, >> but now I'm getting a new error, when I finished my registration: >> here is the log: >> >> 2017-03-09 11:58:00,375 ERROR [io.undertow.request] >> (default task-1) UT005023: Exception handling request to >> /auth/realms/myrealm/login-actions/required-action: >> org.jboss.resteasy.spi.UnhandledException: >> java.lang.NullPointerException >> at >> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) >> at >> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at >> javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >> at >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >> at >> 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at io.undertow.server.handlers.Pr >> edicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at io.undertow.server.handlers.Pr >> edicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >> at io.undertow.server.handlers.Pr >> edicateHandler.handleRequest(PredicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at io.undertow.server.handlers.Pr >> edicateHandler.handleRequest(PredicateHandler.java:43) >> at io.undertow.server.handlers.Pr >> 
edicateHandler.handleRequest(PredicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) >> at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: java.lang.NullPointerException >> at >> org.keycloak.events.EventBuilder.user(EventBuilder.java:103) >> at >> org.keycloak.services.resources.LoginActionsService.initEvent(LoginActionsService.java:815) >> at >> org.keycloak.services.resources.LoginActionsService.access$500(LoginActionsService.java:88) >> at >> org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:297) >> at >> org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853) >> at >> org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at >> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) >> at >> 
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) >> ... 37 more >> >> >> >> >> >> 2017-03-09 9:47 GMT-03:00 Celso Agra > >: >> >> Got it! >> >> But I haven't seen the pwdLastSet here in my >> LDAP`mappers. I'm using the "Edit Mode" as WRITABLE, but >> I'm not setting this attribute. >> Here is my attributes: >> >> cn >> MSAD account controls >> cpf >> creation date >> email >> first name >> last name >> modify date >> phpgwAccountStatus >> username >> >> >> Thanks!! >> >> Best Regards, >> >> Celso Agra >> >> 2017-03-09 5:46 GMT-03:00 Marek Posolda >> >: >> >> Hi, >> >> The error may indicate that you configured >> "pwdLastSet" attribute mapper in Keycloak to write >> into the LDAP, but it looks that writing this >> attribute is unsupported. Maybe switch this mapper to >> read-only will help? >> >> Marek >> >> >> On 08/03/17 15:29, Celso Agra wrote: >> >> Hi all, >> >> I'm trying to configure KC with LDAP, but some >> errors are occurring. >> First, I configured my LDAP to write in the LDAP >> server, but for some >> reasons I got this error when I try to register >> an user: >> >> 2017-03-08 11:05:28,862 WARN >> [org.keycloak.services] (default task-6) >> >> KC-SERVICES0013: Failed authentication: >> org.keycloak.models.ModelException: >> Could not modify attribute for DN >> [uid=11111111111,dc=zz,dc=dd,dc=aa] >> >> at >> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager. >> >> modifyAttributes(LDAPOperationManager.java:410) >> >> at >> org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager. 
>> modifyAttributes(LDAPOperationManager.java:104)
>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:105)
>> at org.keycloak.federation.ldap.mappers.msad.MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(MSADUserAccountControlMapper.java:235)
>> at org.keycloak.federation.ldap.mappers.msad.MSADUserAccountControlMapper$MSADUserModelDelegate.addRequiredAction(MSADUserAccountControlMapper.java:220)
>> at org.keycloak.models.utils.UserModelDelegate.addRequiredAction(UserModelDelegate.java:112)
>> at org.keycloak.authentication.forms.RegistrationPassword.success(RegistrationPassword.java:101)
>> at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:234)
>> at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
>> at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
>> at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:356)
>> at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:477)
>> at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:535)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - pwdLastSet: attribute type undefined]; remaining name 'uid=11111111111,dc=zz,dc=dd,dc=aa'
>> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205)
>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
>> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
>> at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>> at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>> at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:405)
>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:402)
>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
>> at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:402)
>> ... 59 more
>>
>> 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://127.0.0.1:8080/teste-portal/
>>
>> and then, I got this result in my ldap:
>>
>> dn: uid=11111111111,dc=zz,dc=dd,dc=aa
>> givenName:: IA==
>> uid: 11111111111
>> objectClass: top
>> objectClass: inetOrgPerson
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: phpgwAccount
>> objectClass: shadowAccount
>> sn:: IA==
>> cn:: IA==
>> structuralObjectClass: inetOrgPerson
>> entryUUID: 07f0e7caxxxxxxxxxxx
>> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa
>> createTimestamp: 20170308140529Z
>> entryCSN: 20170308140529.527857Z#000000#000#000000
>> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
>> modifyTimestamp: 20170308140529Z
>>
>> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and givenName as 'IA=='. It looks like some problem occurs in my configuration.
>>
>> please, need help!!
>>
>> Best Regards,
>>
>> --
>> ---
>> *Celso Agra*

From mposolda at redhat.com Tue Mar 14 15:55:40 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 14 Mar 2017 20:55:40 +0100
Subject: [keycloak-user] Session already invalidated
In-Reply-To:
References: <6811b50f-c404-9143-6a93-5c565b88a0fb@redhat.com> <324b6d47-ff05-992d-58fc-1db4626dadf7@redhat.com>
Message-ID: <03aa3005-b6c3-acfd-2726-19428cc3d930@redhat.com>

On 14/03/17 16:24, Amat, Juan (Nokia - US) wrote:
>>> And please tell me why this would be 'unsafe'?
>> Yes.
>> For example, a scenario like this:
>> - You log in to the "bank account" application
>> - You can see the details of your bank account now
>> - You click "Logout". In case this logs you out but won't invalidate the session, then anyone who comes to the computer after you will see the details about your bank account
> [JA]
> Hmm? How would you see the details?
> If the bank account app stores confidential information related to the authenticated user, then it should clean it up before calling HttpServletRequest.logout. And even if it does not clean it up, it will not magically show up. IOW yes there could be a bug but then this is another story.

Yes, exactly. Without automatically invalidating the httpSession, the application needs to take care of cleaning up the data manually. And yes, there could be a bug, which could potentially mean showing sensitive data to someone else. That's why I think it's quite an unsafe and error-prone practice to not expire the httpSession automatically at logout.

Feel free to create a JIRA for the invalidateSessionOnLogout flag. But TBH, I think that it will have quite a low priority unless more people ask for this.

Marek

>> I personally never saw a web application where logout doesn't invalidate the httpSession as well.
> [JA]
> Maybe but this is up to the application to decide what to do. And again wildfly will not do it.
>
>> I can understand some data might be persistent even after logout (eg. locale). In this case, you can use a separate cookie and separate storage, which will be persistent among logouts.
> [JA]
> For me it is up to the application to decide to keep the session or not.
>
>> But I guess that's not related to your usecase?
> [JA]
> Correct, we do invalidate the session so this does not concern our use case.
> But it may affect other users.
>
>> Another thing is, that in the last mail of the thread you referenced, it's mentioned that there is a bug in undertow. It will be fixed in undertow 1.4.7.Final.
>> So once it's possible to have Wildfly upgraded to this version, it won't be needed to have a try/catch block anymore.
> [JA]
> Can you point me to the undertow ticket? I seem to remember reading some ticket where they wanted to fix a similar issue but decided against as anyway there is still a time window when the session can be invalidated by another thread.

From juan.amat at nokia.com Tue Mar 14 15:58:44 2017
From: juan.amat at nokia.com (Amat, Juan (Nokia - US))
Date: Tue, 14 Mar 2017 19:58:44 +0000
Subject: [keycloak-user] Session already invalidated
In-Reply-To: <03aa3005-b6c3-acfd-2726-19428cc3d930@redhat.com>
References: <6811b50f-c404-9143-6a93-5c565b88a0fb@redhat.com> <324b6d47-ff05-992d-58fc-1db4626dadf7@redhat.com> <03aa3005-b6c3-acfd-2726-19428cc3d930@redhat.com>
Message-ID:

> Feel free to create JIRA for invalidateSessionOnLogout flag. But TBH, I think that
> it will have quite a low priority unless more people asks for this.

OK I will open a minor improvement ticket.

Thank you.

From matt at woolnough.com.au Tue Mar 14 16:19:46 2017
From: matt at woolnough.com.au (Matthew Woolnough)
Date: Wed, 15 Mar 2017 06:19:46 +1000
Subject: [keycloak-user] Event Listener SPI Add to Queue
In-Reply-To:
References:
Message-ID: <49c3039b-ab5b-453c-993f-ebbaf026ef71@Spark>

Thanks very much. That's a great help.

mW

On 13 Mar 2017, 8:05 PM +1000, Thomas Darimont wrote:
> Hello Matthew,
>
> there is (was) a JIRA for that:
> https://issues.jboss.org/browse/KEYCLOAK-2302
>
> I demo'ed a JMS based Keycloak Event forwarder a while ago:...
> https://github.com/jugsaar/visit-yajug-20161023-keycloak (/keycloak-jms-event-forwarder)
>
> Hope that helps.
>
> Cheers,
> Thomas
>
> 2017-03-13 10:16 GMT+01:00 Matthew Woolnough :
> > I'd like to queue messages to NSQ upon user CRUD operations.
> >
> > Are there any examples for this or any other queue?
> > Thanks,
> >
> > mW
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org (mailto:keycloak-user at lists.jboss.org)
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From marcelo.nardelli at gmail.com Tue Mar 14 16:31:56 2017
From: marcelo.nardelli at gmail.com (Marcelo Nardelli)
Date: Tue, 14 Mar 2017 17:31:56 -0300
Subject: [keycloak-user] Bearer only and client credentials
Message-ID:

Hello,

According to the documentation, the OAuth2 client credentials flow corresponds to the concept of Service Accounts in Keycloak, right? Also, it seems that only confidential clients are allowed to participate in this flow, so this is not an option for bearer-only clients (I also found this issue here https://issues.jboss.org/browse/KEYCLOAK-4156).

So, if a bearer-only client needs to access another protected resource regardless of who is calling it, what would be the recommended approach? Do I always need to make sure that any token generated for the bearer-only client also has the permissions for the other protected resource? Or is there a way to make the bearer-only client get a token on its own behalf?

Has anyone else had this problem and used some sort of workaround to get the token for the bearer-only client?

Thanks,
Marcelo Nardelli

From known.michael at gmail.com Wed Mar 15 02:52:02 2017
From: known.michael at gmail.com (Known Michael)
Date: Wed, 15 Mar 2017 08:52:02 +0200
Subject: [keycloak-user] How explicitly enable session management in Keycloak?
In-Reply-To:
References:
Message-ID:

Can anybody help? Do we have a bug in 2.5.4?

On Sun, Mar 12, 2017 at 11:56 AM, Known Michael wrote:
> Stian,
>
> I have upgraded to Keycloak 2.5.4 but unfortunately I still have the problem.
> I see in mod_auth_openidc logs the following:
>
> [Sun Mar 12 11:40:24 2017] [debug] src/mod_auth_openidc.c(1556): [client clientIP] oidc_save_in_session: session management disabled: session_state ((null)) and/or check_session_iframe (https://localhost/auth/realms/comp-realm/protocol/openid-connect/login-status-iframe.html) is not provided, referer: https://server_ip/auth/realms/comp-realm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=httpd_server_ip&state=8DpklUhcfpymZa89Dj0s7KNG9Xo&redirect_uri=https%3A%2F%2Fserver_ip%2Fprotected%2Fredirect_uri&nonce=YxVGddiIoSvZtfxftxgKUQzZICfDsU1x7T5hCLhPpPk
>
> On Mon, Feb 6, 2017 at 9:33 AM, Stian Thorgersen wrote:
>
>> It was fixed as part of https://issues.jboss.org/browse/KEYCLOAK-4338.
>>
>> On 3 February 2017 at 17:37, Known Michael wrote:
>>
>>> Stian,
>>> Do you have open issues?
>>>
>>> On Fri, Feb 3, 2017 at 10:47 AM, Stian Thorgersen wrote:
>>>
>>>> There's some fixes to the RP iframe coming in 2.5.4 which will be out in a week or two. There was an issue with it expecting a "session_state" value that wasn't equal to the value from the tokens.
>>>>
>>>> You can try building master if you'd like to try it out in advance.
>>>>
>>>> On 1 February 2017 at 16:59, Known Michael wrote:
>>>>
>>>>> Hey,
>>>>>
>>>>> I use mod_auth_openidc version "2.1.2", Keycloak version "2.4.0"
>>>>>
>>>>> I was not able to implement the session management using OP and RP frames as described here:
>>>>>
>>>>> https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management
>>>>>
>>>>> I see in mod_auth_openidc logs the following:
>>>>>
>>>>> [Wed Feb 01 14:12:54 2017] [debug] src/mod_auth_openidc.c(1556): [client 192.168.111.33] oidc_save_in_session: session management disabled: session_state ((null)) and/or check_session_iframe (https://localhost/auth/realms/realm/protocol/openid-connect/login-status-iframe.html) is not provided, referer: https://192.168.110.2/auth/realms/realm/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=httpd_192.168.110.2&state=i1YQ39FbBLSCTRyIgEN-F9CdDH4&redirect_uri=https%3A%2F%2F192.168.110.2%2Fprotected%2Fredirect_uri&nonce=0VJ7AO-QBaxVaUBL9goen7muN4Oka1dP_1iPEQ43o-M
>>>>>
>>>>> It looks like the session management is disabled because the Provider did not return a session_state parameter in the authentication response (which in its turn can be verified via the referer URL in the same log entry) as the spec dictates:
>>>>> https://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
>>>>>
>>>>> How should I explicitly enable session management in Keycloak? It should start returning session_state in the authentication responses.
>>>>>
>>>>> I see that it is implemented already https://issues.jboss.org/browse/KEYCLOAK-451 but probably I miss something.

From dt at zyres.com Wed Mar 15 03:06:34 2017
From: dt at zyres.com (Danny Trunk)
Date: Wed, 15 Mar 2017 08:06:34 +0100
Subject: [keycloak-user] Custom password hash provider seems not getting triggered
In-Reply-To: <0c3ba3be-06bf-892e-b5d9-4907d58243b5@redhat.com>
References: <0c3ba3be-06bf-892e-b5d9-4907d58243b5@redhat.com>
Message-ID:

I deployed the hash provider the same way I deployed the user storage provider: I've put the jar files into standalone/deployments:

2017-03-15 08:03:06,012 INFO [org.jboss.as.repository] (DeploymentScanner-threads - 2) WFLYDR0001: Content added at location /opt/keycloak/standalone/data/content/5b/7be86171d601f1b725cec361a2ec9e4b8fb766/content
2017-03-15 08:03:06,015 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-navcrypt-provider.jar" (runtime-name: "keycloak-navcrypt-provider.jar")
2017-03-15 08:03:06,029 WARN [org.jboss.as.dependency.private] (MSC service thread 1-4) WFLYSRV0018: Deployment "deployment.keycloak-navcrypt-provider.jar" is using a private module ("org.apache.commons.codec:main") which may be changed or removed in future versions without notice.
2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC service thread 1-4) WFLYSRV0018: Deployment "deployment.keycloak-navcrypt-provider.jar" is using a private module ("org.apache.commons.lang:main") which may be changed or removed in future versions without notice.
2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC service thread 1-4) WFLYSRV0018: Deployment "deployment.keycloak-navcrypt-provider.jar" is using a private module ("org.keycloak.keycloak-server-spi-private:main") which may be changed or removed in future versions without notice.
2017-03-15 08:03:06,040 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-3) Deploying Keycloak provider: {0}
2017-03-15 08:03:06,076 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "keycloak-navcrypt-provider.jar" (runtime-name : "keycloak-navcrypt-provider.jar")

Keycloak version is 2.5.4.Final

In Server Info > Providers I can see my provider:

password-hashing
    pbkdf2
    navcrypt

Maybe I misunderstood the SPI? I'm expecting the hash provider to be called during the authentication process.

On 14.03.2017 at 16:21, Bill Burke wrote:
> Hmm, the log message should be popping up. How are you deploying your
> hash provider? Is it in the same jar as the User Storage Provider? How
> do you deploy this jar? What version of Keycloak?

From sthorger at redhat.com Wed Mar 15 03:33:47 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 15 Mar 2017 08:33:47 +0100
Subject: [keycloak-user] Russian translation review
Message-ID:

Anyone capable of reviewing the PR for the Russian translations: https://github.com/keycloak/keycloak/pull/3898

From sthorger at redhat.com Wed Mar 15 03:35:57 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 15 Mar 2017 08:35:57 +0100
Subject: [keycloak-user] Keycloak 2.5.5.Final Released
Message-ID:

Keycloak 2.5.5.Final is out. There's nothing much except a handful of bug fixes, but it's still worth upgrading.

To download the release go to the Keycloak homepage.

Highlights
- A few bug fixes

The full list of resolved issues is available in JIRA.

Upgrading
Before you upgrade remember to back up your database and check the migration guide.
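For the custom password hash provider thread above (Danny Trunk's navcrypt provider, where isValid receives the raw typed password while the database holds a hash), here is an added example that is not code from that thread or from Keycloak: a user storage provider's CredentialInputValidator that performs the hash comparison itself by delegating to whichever PasswordHashProvider is registered under the stored hash's algorithm id, and fails closed when none is. It assumes the Keycloak 2.5 SPI signatures named in the comments, a hypothetical LegacyPasswordDao for the external store, and a constructed placeholder hash.

```java
// Added example, not part of the thread or of Keycloak. Assumed 2.5 SPI:
// CredentialInputValidator, CredentialModel (setAlgorithm/setSalt/setHashIterations/setValue),
// PasswordHashProvider#verify(String rawPassword, CredentialModel credential),
// KeycloakSession#getProvider(Class, String providerId).
package example.storage; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

import org.jboss.logging.Logger;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.hash.PasswordHashProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

public class HashAwareCredentialValidator implements CredentialInputValidator {

    private static final Logger logger = Logger.getLogger(HashAwareCredentialValidator.class);

    /** What the external user store keeps per user (hypothetical layout). */
    public static final class StoredPassword {
        final String algorithm;  // hash provider id, e.g. "navcrypt" from the thread, or "pbkdf2"
        final byte[] salt;
        final int iterations;
        final String hash;       // encoded hash exactly as stored in the legacy DB

        StoredPassword(String algorithm, byte[] salt, int iterations, String hash) {
            this.algorithm = algorithm;
            this.salt = salt;
            this.iterations = iterations;
            this.hash = hash;
        }
    }

    /** Hypothetical lookup into the external store; backed by a constructed map in sampleDao(). */
    public interface LegacyPasswordDao {
        StoredPassword find(String username);
    }

    private final KeycloakSession session;
    private final LegacyPasswordDao dao;

    public HashAwareCredentialValidator(KeycloakSession session, LegacyPasswordDao dao) {
        this.session = session;
        this.dao = dao;
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return UserCredentialModel.PASSWORD.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType) && dao.find(user.getUsername()) != null;
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) {
            return false;
        }
        StoredPassword stored = dao.find(user.getUsername());
        if (stored == null) {
            return false;
        }

        // Keycloak passes the storage provider the raw password the user typed (as observed in
        // the thread); it does not run a PasswordHashProvider first. So the storage provider has
        // to wrap the stored hash in a CredentialModel and ask the hash provider to verify it.
        CredentialModel credential = new CredentialModel();
        credential.setType(CredentialModel.PASSWORD);
        credential.setAlgorithm(stored.algorithm);
        credential.setSalt(stored.salt);
        credential.setHashIterations(stored.iterations);
        credential.setValue(stored.hash);

        PasswordHashProvider hasher = session.getProvider(PasswordHashProvider.class, stored.algorithm);
        if (hasher == null) {
            // Fail closed: an unknown algorithm id must never degrade to a plaintext comparison.
            logger.warnf("No password hash provider with id '%s'; rejecting login for user %s",
                    stored.algorithm, user.getUsername());
            return false;
        }

        // The raw value and the stored hash are deliberately never logged, not even at debug level.
        String raw = ((UserCredentialModel) input).getValue();
        return hasher.verify(raw, credential);
    }

    /** Constructed sample store, for wiring the validator into a provider factory. */
    public static LegacyPasswordDao sampleDao() {
        Map<String, StoredPassword> rows = new HashMap<>();
        rows.put("alice", new StoredPassword("navcrypt",
                "constructed-salt".getBytes(StandardCharsets.UTF_8), 1,
                "CONSTRUCTED_HASH_PLACEHOLDER"));
        return rows::get;
    }
}
```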
From h.benz at first8.nl Wed Mar 15 04:08:17 2017
From: h.benz at first8.nl (Hartmut Benz)
Date: Wed, 15 Mar 2017 09:08:17 +0100
Subject: [keycloak-user] Theming applications by customers
In-Reply-To:
References:
Message-ID:

Hi Nicolas,

I think we have done something quite similar that you could try if it matches your use case. We have different clients that we map to different realms (from your description I did not quite get if you can or cannot do that). Then we modified PathBasedKeycloakConfigResolver.java from the KC examples and turned it into a DomainBased config resolver that selects the correct KC config. In your example this would be the blue and the green KC-config, matching the blue and green realms, respectively. The realms are configured for the customer-specific blue and green themes, which both inherit from the general application theme.

Hope that helps you further
/Hartmut

On 10/03/2017 15:02, Nicolas Gillet wrote:
> Hello Stian
>
> Thank you for the quick reply.
>
> I saw that issue when google-ing about Keycloak theming.
>
> It would indeed be helpful for us but doesn't fully fit our need.
>
> Some of our customers use several applications of ours. For each application, they currently have a separate account. (cumbersome for them)
> For these customers, we create branding of our applications, these brandings are then also replicated in the different applications (cumbersome for us)
>
> I think an example may be helpful
> Let's say we have a blue customer and a green customer as well as an app1 and an app2.
>
> Our blue customer will use www.app1.blue.com and www.app2.blue.com
> Our green customer will use www.app1.green.com and www.app2.green.com
>
> Both app1.blue.com and app1.green.com are the very same application "app1" (same IP, same server, same database)
> Same goes for app2.blue.com and app2.green.com that are the very same application "app2" (IP, server, DB) separated from "app1"
>
> The login pages of the applications are aware that the domain is "green" or "blue" and then display a blue or green branding.
>
> With Keycloak "app1" and "app2" will be "clients" in a realm (as far as I understand it).
>
> To be able to display the correct color to the correct customer, I see no other solution than creating a "blue" and a "green" realm (+theme), duplicating the configuration of clients "app1" and "app2" in both realms.
>
> So, I was wondering if there exists a way in Keycloak to avoid this duplication and still offer unified branding across different applications.
>
> Kind regards,
>
> Nicolas GILLET
>
> Market-IP - Creating Mobile Intelligence
> Phone : +32 81 33 11 11
> Fax : +32 81 33 11 10
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Friday, 10 March 2017 13:54
> To: Nicolas Gillet
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Theming applications by customers
>
> Would https://issues.jboss.org/browse/KEYCLOAK-3370 do the trick?
>
> On 10 March 2017 at 13:39, Nicolas Gillet wrote:
> Hello,
>
> I am looking for an SSO solution and started playing around with Keycloak.
> We currently have no SSO solution but it has become a need that our applications can seamlessly interact.
>
> Our customers have "branding" requirements so we adapt the look of our application pages (including login pages) with their logo and colors.
> For some customers, we use a cookie to know which branding they need, for others we have dedicated domain names pointing to the very same IPs.
>
> From what I grasped of Keycloak, this branding can be achieved with "themes" that can be configured on "realms".
> Configuring a realm seems to require quite some time and if we have an important number of branded customers this might become hard to maintain.
> Also, the "topology" of our application (which are "clients" in Keycloak I think) remains the same for all customers of ours but as a "client" belongs to a single "realm" we'll have to duplicate this configuration and propagate the changes to any realm.
>
> So, I am wondering if Keycloak can fit our need or if I don't get it correctly.
>
> If someone could be kind enough to shed some light on this for me or point me toward a way to achieve our goal I'd be very thankful.
>
> Kind regards,
>
> Nicolas GILLET
>
> Market-IP - Creating Mobile Intelligence
> Phone : +32 81 33 11 11
> Fax : +32 81 33 11 10
> www.market-ip.com - www.telefleet.com - www.geoplanning.net - www.drivexpert.net

--
Dr. Hartmut Benz      +31 (0)6 30 167 093
First8 B.V.           +31 (0)24 34 835 70
Kerkenbos 10-59b      www.first8.nl
6546BB Nijmegen       h.benz at first8.nl

From mehdi.alishahi at gmail.com Wed Mar 15 04:19:11 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Wed, 15 Mar 2017 09:19:11 +0100
Subject: [keycloak-user] Fwd: Access Control for an IoT environment
In-Reply-To:
References:
Message-ID:

---------- Forwarded message ----------
From: Mehdi Sheikhalishahi
Date: Mon, Mar 13, 2017 at 6:38 PM
Subject: Access Control for an IoT environment
To: keycloak-user

Hi,

I'd like to validate my solution based on KeyCloak for securing access to sensors. Our environment consists of a dashboard, a sensors service (a database of sensors), and KeyCloak. We need to display the list of sensors associated to the authenticated user in the dashboard, and implement Access Control to sensors. A user can have different accesses to different sensors.
For simplicity, we define read and write access types. Our solution is to use User Attributes; for that we create two user attributes for each user: one for read, and one for write. The value of each attribute will be the list of sensors. This list states that the user has this type of access to this list of sensors. Hence, this is a database that can be used for defining policies.

For presentation, we can simply read these attributes and present them in the Dashboard with appropriate columns to present read and write accesses.

We need to implement another operation that is called evaluation of authorization requests. That is, when a user sends a request to access a sensor for an access type (read or write), this request should be evaluated (validated) by KeyCloak. Here is the place in which KeyCloak policies come into the picture. For that, we need to write a policy (an attribute-based policy, or a mixed kind of policy, such as JavaScript?) to evaluate if this user is authorized to perform such an operation. The output of this operation is allow or deny. If the evaluation result is allow, then the request will be sent to the database of sensors, and the result of this operation will be returned back to the Dashboard for the user.

My questions are the following:
- Is this solution approach the right one?
- How do we provide the access request to KeyCloak? So in the policy, we will have all the inputs that we need for evaluation, that is user information, requested sensor, and requested access type?

Thanks,
Mehdi

From plunkett_mcgurk at accelerite.com Wed Mar 15 05:08:13 2017
From: plunkett_mcgurk at accelerite.com (Plunkett McGurk)
Date: Wed, 15 Mar 2017 09:08:13 +0000
Subject: [keycloak-user] FW: SSO Session Idle and Keycloak-js
In-Reply-To:
References:
Message-ID:

Hi Guys,

I sent this request out a while back but have not received any update, can anyone confirm if what I've mentioned below is expected behavior?
Thanks
Plunkett

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Plunkett McGurk
Sent: 01 March 2017 16:48
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] SSO Session Idle and Keycloak-js

Hi Guys,

I have an Angular2 application utilising the Keycloak Javascript (v2.3.0) adapter. The application uses the 'login-required' on load option and the session status iframe is enabled. However I have noticed a potential problem regarding the function of SSO Session Idle.

According to the documentation both the token and session are invalidated when either the SSO Session Idle time or SSO Session Max values have been reached. If the SSO Session Max value is reached the user is automatically redirected to the Login screen (logged out); however if the idle time is reached (idle time set to 5 mins, Session max set to 30 mins) no redirect happens and any subsequent attempt to access keycloak results in the following error because of the expired token:

POST http://sso.keycloak-server.com/auth/realms/iot/protocol/openid-connect/token 400 (Bad Request)
{"error":"invalid_grant","error_description":"Refresh token expired"}

So is the lack of redirect to login the expected behavior when the SSO Session Idle time has been exceeded?

Thanks
Plunkett

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.

From dt at zyres.com Wed Mar 15 05:52:21 2017
From: dt at zyres.com (Danny Trunk)
Date: Wed, 15 Mar 2017 10:52:21 +0100
Subject: [keycloak-user] Custom password hash provider seems not getting triggered
In-Reply-To:
References: <0c3ba3be-06bf-892e-b5d9-4907d58243b5@redhat.com>
Message-ID:

This is my CredentialInputValidator.isValid implementation of the user storage provider:

    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        // Only handle password credentials that arrive as a UserCredentialModel
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) {
            return false;
        }
        UserCredentialModel cred = (UserCredentialModel) input;
        // Value as stored in the external database (the hashed password)
        String password = getPassword(user);
        logger.info("isValid: " + password + " - " + cred.getValue());
        // cred.getValue() carries the raw password the user typed
        return password != null && password.equals(cred.getValue());
    }

After adding the logging here I can see that password is the hashed password from the db and cred.getValue() returns the raw password. That's why I get an invalid credentials error message. But I don't know why it's raw in cred.getValue(). Do I have to add the hash provider there manually?
On 15.03.2017 at 08:06, Danny Trunk wrote:
> I deployed the hash provider the same way I deployed the user storage
> provider: I've put the jar files into standalone/deployments:
>
> 2017-03-15 08:03:06,012 INFO [org.jboss.as.repository] (DeploymentScanner-threads - 2) WFLYDR0001: Content added at location /opt/keycloak/standalone/data/content/5b/7be86171d601f1b725cec361a2ec9e4b8fb766/content
> 2017-03-15 08:03:06,015 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-navcrypt-provider.jar" (runtime-name: "keycloak-navcrypt-provider.jar")
> 2017-03-15 08:03:06,029 WARN [org.jboss.as.dependency.private] (MSC service thread 1-4) WFLYSRV0018: Deployment "deployment.keycloak-navcrypt-provider.jar" is using a private module ("org.apache.commons.codec:main") which may be changed or removed in future versions without notice.
> 2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC service thread 1-4) WFLYSRV0018: Deployment "deployment.keycloak-navcrypt-provider.jar" is using a private module ("org.apache.commons.lang:main") which may be changed or removed in future versions without notice.
> 2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC service thread 1-4) WFLYSRV0018: Deployment "deployment.keycloak-navcrypt-provider.jar" is using a private module ("org.keycloak.keycloak-server-spi-private:main") which may be changed or removed in future versions without notice.
> 2017-03-15 08:03:06,040 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-3) Deploying Keycloak provider: {0}
> 2017-03-15 08:03:06,076 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "keycloak-navcrypt-provider.jar" (runtime-name : "keycloak-navcrypt-provider.jar")
>
> Keycloak version is 2.5.4.Final
>
> In Server Info > Providers I can see my provider:
>
> password-hashing
>     pbkdf2
>     navcrypt
>
> Maybe I misunderstood the SPI? I'm expecting the hash provider to be
> called during the authentication process.
>
> On 14.03.2017 at 16:21, Bill Burke wrote:
>> Hmm, the log message should be popping up. How are you deploying your
>> hash provider? Is it in the same jar as the User Storage Provider? How
>> do you deploy this jar? What version of Keycloak?

From celso.agra at gmail.com Wed Mar 15 10:11:33 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Wed, 15 Mar 2017 11:11:33 -0300
Subject: [keycloak-user] How to configure new params and edit them with Keycloak and LDAP integration
In-Reply-To: <8f74a41f-3e4e-d316-1d95-68818477041a@redhat.com>
References: <3bfbc7e6-ed2e-f0ae-5150-4e295153fbbd@redhat.com> <40ffbf48-670a-dbff-6de8-46983bde2bb0@redhat.com> <8f74a41f-3e4e-d316-1d95-68818477041a@redhat.com>
Message-ID:

Thanks Marek! Problem was solved! I was using a wrong filter. So this is ok.

So, my problem for now is related to the password. My LDAP is configured with the MD5 hash algorithm. So, would it be possible for keycloak to set the hashed password for that? And how does the application set the password in the LDAP repo?
Here is my error below when I try to change the password:

Could not modify attribute for DN [uid=xxxxxxx,dc=tt,dc=zz,dc=br]

2017-03-15 10:52:58,541 WARN [org.keycloak.events] (default task-14) type=UPDATE_PASSWORD_ERROR, realmId=myRealm, clientId=teste-portal, userId=b18dd5a7-3c60-4470-ab9c-ac0f00920b29, ipAddress=xxx.xxx.xxx.xx, error=password_rejected, reason='Could not modify attribute for DN [uid=xxxxxxx,dc=tt,dc=zz,dc=br]', auth_method=openid-connect, custom_required_action=UPDATE_PASSWORD, response_type=code, redirect_uri=http://127.0.0.1:8080/teste-portal/, code_id=e5fd81e1-fde6-4b35-a08e-5fe5c982e416, username=xxxxxxx, response_mode=query

Also, my LDAP doesn't have a 'userPassword' attribute, and it is not being set by Keycloak. How do I set this attribute using Keycloak registration?

Thanks!

2017-03-14 16:47 GMT-03:00 Marek Posolda :
> On 14/03/17 18:50, Celso Agra wrote:
>
> Hi all,
>
> I saw an example about LDAP and Keycloak integration here .
>
> So, it is running with the ApacheDS LDAP server. I was thinking, would it be possible to run this integration with the *slapd* tool? Also, I'm using a schema instead of an ldif structure. Could it be a problem?
>
> This example is just a "quickstart" to quickly show LDAP in action. It uses ApacheDS just because it's a Java based LDAP, which easily runs everywhere just by executing "mvn exec:java" without additional steps needed and without a need to install something at OS level etc.
>
> I never tried this example with slapd. I think most things will work, but the devil is in the details, so not sure at 100%.
>
> Marek
>
> Thanks!
>
> 2017-03-10 10:40 GMT-03:00 Celso Agra :
>
>> I'm using slapd.
>>
>> Here are the object classes that I'm using: top, inetOrgPerson, person, organizationalPerson, phpgwAccount, shadowAccount
>>
>>
>> 2017-03-10 7:41 GMT-03:00 Marek Posolda :
>>
>>> This looks like bad LDAP mapping for username and UUID. Which LDAP are you using btw?
>>> >>> Marek >>> >>> >>> On 09/03/17 16:03, Celso Agra wrote: >>> >>> Hi, >>> >>> I solved this error, just removing the MSAD account controls, but now >>> I'm getting a new error, when I finished my registration: >>> here is the log: >>> >>> 2017-03-09 11:58:00,375 ERROR [io.undertow.request] (default task-1) >>>> UT005023: Exception handling request to /auth/realms/myrealm/login-actions/required-action: >>>> org.jboss.resteasy.spi.UnhandledException: >>>> java.lang.NullPointerException >>>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx >>>> ception(ExceptionHandler.java:76) >>>> at org.jboss.resteasy.core.ExceptionHandler.handleException(Exc >>>> eptionHandler.java:212) >>>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException >>>> (SynchronousDispatcher.java:168) >>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >>>> nousDispatcher.java:411) >>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >>>> nousDispatcher.java:202) >>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >>>> spatcher.service(ServletContainerDispatcher.java:221) >>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>>> her.service(HttpServletDispatcher.java:56) >>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>>> her.service(HttpServletDispatcher.java:51) >>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se >>>> rvletHandler.java:85) >>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >>>> oFilter(FilterHandler.java:129) >>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.d >>>> oFilter(KeycloakSessionServletFilter.java:90) >>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte >>>> r.java:60) >>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >>>> oFilter(FilterHandler.java:131) >>>> at 
io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil >>>> terHandler.java:84) >>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan >>>> dler.handleRequest(ServletSecurityRoleHandler.java:62) >>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl >>>> eRequest(ServletDispatchingHandler.java:36) >>>> at org.wildfly.extension.undertow.security.SecurityContextAssoc >>>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >>>> redicateHandler.java:43) >>>> at io.undertow.servlet.handlers.security.SSLInformationAssociat >>>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>>> at io.undertow.servlet.handlers.security.ServletAuthenticationC >>>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >>>> redicateHandler.java:43) >>>> at io.undertow.security.handlers.AbstractConfidentialityHandler >>>> .handleRequest(AbstractConfidentialityHandler.java:46) >>>> at io.undertow.servlet.handlers.security.ServletConfidentiality >>>> ConstraintHandler.handleRequest(ServletConfidentialityConstr >>>> aintHandler.java:64) >>>> at io.undertow.security.handlers.AuthenticationMechanismsHandle >>>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes >>>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>> at io.undertow.security.handlers.NotificationReceiverHandler.ha >>>> ndleRequest(NotificationReceiverHandler.java:50) >>>> at io.undertow.security.handlers.AbstractSecurityContextAssocia >>>> tionHandler.handleRequest(AbstractSecurityContextAssociation >>>> Handler.java:43) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >>>> redicateHandler.java:43) >>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa >>>> 
ndler.handleRequest(JACCContextIdHandler.java:61) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >>>> redicateHandler.java:43) >>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >>>> redicateHandler.java:43) >>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir >>>> stRequest(ServletInitialHandler.java:284) >>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR >>>> equest(ServletInitialHandler.java:263) >>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00 >>>> 0(ServletInitialHandler.java:81) >>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR >>>> equest(ServletInitialHandler.java:174) >>>> at io.undertow.server.Connectors.executeRootHandler(Connectors. >>>> java:202) >>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan >>>> ge.java:793) >>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>>> Executor.java:1142) >>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>>> lExecutor.java:617) >>>> at java.lang.Thread.run(Thread.java:745) >>>> Caused by: java.lang.NullPointerException >>>> at org.keycloak.events.EventBuilder.user(EventBuilder.java:103) >>>> at org.keycloak.services.resources.LoginActionsService.initEven >>>> t(LoginActionsService.java:815) >>>> at org.keycloak.services.resources.LoginActionsService.access$5 >>>> 00(LoginActionsService.java:88) >>>> at org.keycloak.services.resources.LoginActionsService$Checks.v >>>> erifyRequiredAction(LoginActionsService.java:297) >>>> at org.keycloak.services.resources.LoginActionsService.processR >>>> equireAction(LoginActionsService.java:853) >>>> at org.keycloak.services.resources.LoginActionsService.required >>>> ActionGET(LoginActionsService.java:846) >>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >>>> ssorImpl.java:62) >>>> at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>>> thodAccessorImpl.java:43) >>>> at java.lang.reflect.Method.invoke(Method.java:498) >>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje >>>> ctorImpl.java:139) >>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget >>>> (ResourceMethodInvoker.java:295) >>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc >>>> eMethodInvoker.java:249) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge >>>> tObject(ResourceLocatorInvoker.java:138) >>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour >>>> ceLocatorInvoker.java:101) >>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >>>> nousDispatcher.java:395) >>>> ... 37 more >>> >>> >>> >>> >>> >>> 2017-03-09 9:47 GMT-03:00 Celso Agra : >>> >>>> Got it! >>>> >>>> But I haven't seen the pwdLastSet here in my LDAP`mappers. I'm using >>>> the "Edit Mode" as WRITABLE, but I'm not setting this attribute. >>>> Here is my attributes: >>>> >>>>> cn >>>>> MSAD account controls >>>>> cpf >>>>> creation date >>>>> email >>>>> first name >>>>> last name >>>>> modify date >>>>> phpgwAccountStatus >>>>> username >>>> >>>> >>>> Thanks!! >>>> >>>> Best Regards, >>>> >>>> Celso Agra >>>> >>>> 2017-03-09 5:46 GMT-03:00 Marek Posolda : >>>> >>>>> Hi, >>>>> >>>>> The error may indicate that you configured "pwdLastSet" attribute >>>>> mapper in Keycloak to write into the LDAP, but it looks that writing this >>>>> attribute is unsupported. Maybe switch this mapper to read-only will help? >>>>> >>>>> Marek >>>>> >>>>> >>>>> On 08/03/17 15:29, Celso Agra wrote: >>>>> >>>>>> Hi all, >>>>>> >>>>>> I'm trying to configure KC with LDAP, but some errors are occurring. 
>>>>>> First, I configured my LDAP to write in the LDAP server, but for some >>>>>> reasons I got this error when I try to register an user: >>>>>> >>>>>> 2017-03-08 11:05:28,862 WARN [org.keycloak.services] (default task-6) >>>>>> >>>>>>> KC-SERVICES0013: Failed authentication: >>>>>>> org.keycloak.models.ModelException: >>>>>>> Could not modify attribute for DN [uid=11111111111,dc=zz,dc=dd,d >>>>>>> c=aa] >>>>>>> >>>>>> at org.keycloak.federation.ldap.i >>>>>> dm.store.ldap.LDAPOperationManager. >>>>>> >>>>>>> modifyAttributes(LDAPOperationManager.java:410) >>>>>>> >>>>>> at org.keycloak.federation.ldap.i >>>>>> dm.store.ldap.LDAPOperationManager. >>>>>> >>>>>>> modifyAttributes(LDAPOperationManager.java:104) >>>>>>> >>>>>> at org.keycloak.federation.ldap.idm.store.ldap. >>>>>> >>>>>>> LDAPIdentityStore.update(LDAPIdentityStore.java:105) >>>>>>> >>>>>> at org.keycloak.federation.ldap.mappers.msad. >>>>>> >>>>>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequir >>>>>>> edAction( >>>>>>> MSADUserAccountControlMapper.java:235) >>>>>>> >>>>>> at org.keycloak.federation.ldap.mappers.msad. >>>>>> >>>>>>> MSADUserAccountControlMapper$MSADUserModelDelegate.addRequir >>>>>>> edAction( >>>>>>> MSADUserAccountControlMapper.java:220) >>>>>>> >>>>>> at org.keycloak.models.utils.User >>>>>> ModelDelegate.addRequiredAction( >>>>>> >>>>>>> UserModelDelegate.java:112) >>>>>>> >>>>>> at org.keycloak.authentication.forms.RegistrationPassword. >>>>>> >>>>>>> success(RegistrationPassword.java:101) >>>>>>> >>>>>> at org.keycloak.authentication.Fo >>>>>> rmAuthenticationFlow.processAction( >>>>>> >>>>>>> FormAuthenticationFlow.java:234) >>>>>>> >>>>>> at org.keycloak.authentication.DefaultAuthenticationFlow. >>>>>> >>>>>>> processAction(DefaultAuthenticationFlow.java:76) >>>>>>> >>>>>> at org.keycloak.authentication.AuthenticationProcessor. 
>>>>>> >>>>>>> authenticationAction(AuthenticationProcessor.java:759) >>>>>>> >>>>>> at org.keycloak.services.resource >>>>>> s.LoginActionsService.processFlow( >>>>>> >>>>>>> LoginActionsService.java:356) >>>>>>> >>>>>> at org.keycloak.services.resources.LoginActionsService. >>>>>> >>>>>>> processRegistration(LoginActionsService.java:477) >>>>>>> >>>>>> at org.keycloak.services.resources.LoginActionsService. >>>>>> >>>>>>> processRegister(LoginActionsService.java:535) >>>>>>> >>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native >>>>>> Method) >>>>>> >>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke( >>>>>> >>>>>>> NativeMethodAccessorImpl.java:62) >>>>>>> >>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke( >>>>>> >>>>>>> DelegatingMethodAccessorImpl.java:43) >>>>>>> >>>>>> at java.lang.reflect.Method.invoke(Method.java:498) >>>>>> >>>>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >>>>>> >>>>>>> MethodInjectorImpl.java:139) >>>>>>> >>>>>> at org.jboss.resteasy.core.Resour >>>>>> ceMethodInvoker.invokeOnTarget( >>>>>> >>>>>>> ResourceMethodInvoker.java:295) >>>>>>> >>>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( >>>>>> >>>>>>> ResourceMethodInvoker.java:249) >>>>>>> >>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker. >>>>>> >>>>>>> invokeOnTargetObject(ResourceLocatorInvoker.java:138) >>>>>>> >>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( >>>>>> >>>>>>> ResourceLocatorInvoker.java:101) >>>>>>> >>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>>>>> >>>>>>> SynchronousDispatcher.java:395) >>>>>>> >>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( >>>>>> >>>>>>> SynchronousDispatcher.java:202) >>>>>>> >>>>>> at org.jboss.resteasy.plugins.server.servlet. >>>>>> >>>>>>> ServletContainerDispatcher.service(ServletContainerDispatche >>>>>>> r.java:221) >>>>>>> >>>>>> at org.jboss.resteasy.plugins.server.servlet. 
>>>>>> >>>>>>> HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>>>>> >>>>>> at org.jboss.resteasy.plugins.server.servlet. >>>>>> >>>>>>> HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>>>>> >>>>>> at javax.servlet.http.HttpServlet >>>>>> .service(HttpServlet.java:790) >>>>>> >>>>>> at io.undertow.servlet.handlers.S >>>>>> ervletHandler.handleRequest( >>>>>> >>>>>>> ServletHandler.java:85) >>>>>>> >>>>>> at io.undertow.servlet.handlers.F >>>>>> ilterHandler$FilterChainImpl. >>>>>> >>>>>>> doFilter(FilterHandler.java:129) >>>>>>> >>>>>> at org.keycloak.services.filters. >>>>>> KeycloakSessionServletFilter. >>>>>> >>>>>>> doFilter(KeycloakSessionServletFilter.java:90) >>>>>>> >>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter( >>>>>> >>>>>>> ManagedFilter.java:60) >>>>>>> >>>>>> at io.undertow.servlet.handlers.F >>>>>> ilterHandler$FilterChainImpl. >>>>>> >>>>>>> doFilter(FilterHandler.java:131) >>>>>>> >>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest( >>>>>> >>>>>>> FilterHandler.java:84) >>>>>>> >>>>>> at io.undertow.servlet.handlers.s >>>>>> ecurity.ServletSecurityRoleHandler. >>>>>> >>>>>>> handleRequest(ServletSecurityRoleHandler.java:62) >>>>>>> >>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler. >>>>>> >>>>>>> handleRequest(ServletDispatchingHandler.java:36) >>>>>>> >>>>>> at org.wildfly.extension.undertow.security. >>>>>> >>>>>>> SecurityContextAssociationHandler.handleRequest( >>>>>>> SecurityContextAssociationHandler.java:78) >>>>>>> >>>>>> at io.undertow.server.handlers.Pr >>>>>> edicateHandler.handleRequest( >>>>>> >>>>>>> PredicateHandler.java:43) >>>>>>> >>>>>> at io.undertow.servlet.handlers.security. >>>>>> >>>>>>> SSLInformationAssociationHandler.handleRequest( >>>>>>> SSLInformationAssociationHandler.java:131) >>>>>>> >>>>>> at io.undertow.servlet.handlers.security. 
>>>>>> >>>>>>> ServletAuthenticationCallHandler.handleRequest( >>>>>>> ServletAuthenticationCallHandler.java:57) >>>>>>> >>>>>> at io.undertow.server.handlers.Pr >>>>>> edicateHandler.handleRequest( >>>>>> >>>>>>> PredicateHandler.java:43) >>>>>>> >>>>>> at io.undertow.security.handlers. >>>>>> AbstractConfidentialityHandler >>>>>> >>>>>>> .handleRequest(AbstractConfidentialityHandler.java:46) >>>>>>> >>>>>> at io.undertow.servlet.handlers.security. >>>>>> >>>>>>> ServletConfidentialityConstraintHandler.handleRequest( >>>>>>> ServletConfidentialityConstraintHandler.java:64) >>>>>>> >>>>>> at io.undertow.security.handlers. >>>>>> AuthenticationMechanismsHandle >>>>>> >>>>>>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>>>>>> >>>>>> at io.undertow.servlet.handlers.security. >>>>>> >>>>>>> CachedAuthenticatedSessionHandler.handleRequest( >>>>>>> CachedAuthenticatedSessionHandler.java:77) >>>>>>> >>>>>> at io.undertow.security.handlers. >>>>>> NotificationReceiverHandler. >>>>>> >>>>>>> handleRequest(NotificationReceiverHandler.java:50) >>>>>>> >>>>>> at io.undertow.security.handlers. >>>>>> AbstractSecurityContextAssocia >>>>>> >>>>>>> tionHandler.handleRequest(AbstractSecurityContextAssocia >>>>>>> tionHandler.java:43) >>>>>>> >>>>>> at io.undertow.server.handlers.Pr >>>>>> edicateHandler.handleRequest( >>>>>> >>>>>>> PredicateHandler.java:43) >>>>>>> >>>>>> at org.wildfly.extension.undertow.security.jacc. >>>>>> >>>>>>> JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>>>>> >>>>>> at io.undertow.server.handlers.Pr >>>>>> edicateHandler.handleRequest( >>>>>> >>>>>>> PredicateHandler.java:43) >>>>>>> >>>>>> at io.undertow.server.handlers.Pr >>>>>> edicateHandler.handleRequest( >>>>>> >>>>>>> PredicateHandler.java:43) >>>>>>> >>>>>> at io.undertow.servlet.handlers.ServletInitialHandler. >>>>>> >>>>>>> handleFirstRequest(ServletInitialHandler.java:284) >>>>>>> >>>>>> at io.undertow.servlet.handlers.ServletInitialHandler. 
>>>>>> >>>>>>> dispatchRequest(ServletInitialHandler.java:263) >>>>>>> >>>>>> at io.undertow.servlet.handlers.S >>>>>> ervletInitialHandler.access$ >>>>>> >>>>>>> 000(ServletInitialHandler.java:81) >>>>>>> >>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1. >>>>>> >>>>>>> handleRequest(ServletInitialHandler.java:174) >>>>>>> >>>>>> at io.undertow.server.Connectors. >>>>>> executeRootHandler(Connectors. >>>>>> >>>>>>> java:202) >>>>>>> >>>>>> at io.undertow.server.HttpServerExchange$1.run( >>>>>> >>>>>>> HttpServerExchange.java:793) >>>>>>> >>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker( >>>>>> >>>>>>> ThreadPoolExecutor.java:1142) >>>>>>> >>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run( >>>>>> >>>>>>> ThreadPoolExecutor.java:617) >>>>>>> >>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>> >>>>>> Caused by: javax.naming.directory.Invalid >>>>>> AttributeIdentifierException: >>>>>> >>>>>>> [LDAP: error code 17 - pwdLastSet: attribute type undefined]; >>>>>>> remaining >>>>>>> name 'uid=11111111111,dc=zz,dc=dd,dc=aa' >>>>>>> >>>>>> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3205) >>>>>> >>>>>> at com.sun.jndi.ldap.LdapCtx.proc >>>>>> essReturnCode(LdapCtx.java:3082) >>>>>> >>>>>> at com.sun.jndi.ldap.LdapCtx.proc >>>>>> essReturnCode(LdapCtx.java:2888) >>>>>> >>>>>> at com.sun.jndi.ldap.LdapCtx.c_mo >>>>>> difyAttributes(LdapCtx.java:1475) >>>>>> >>>>>> at com.sun.jndi.toolkit.ctx.Compo >>>>>> nentDirContext.p_modifyAttributes( >>>>>> >>>>>>> ComponentDirContext.java:277) >>>>>>> >>>>>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. >>>>>> >>>>>>> modifyAttributes(PartialCompositeDirContext.java:192) >>>>>>> >>>>>> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext. 
>>>>>> >>>>>>> modifyAttributes(PartialCompositeDirContext.java:181) >>>>>>> >>>>>> at javax.naming.directory.Initial >>>>>> DirContext.modifyAttributes( >>>>>> >>>>>>> InitialDirContext.java:167) >>>>>>> >>>>>> at javax.naming.directory.Initial >>>>>> DirContext.modifyAttributes( >>>>>> >>>>>>> InitialDirContext.java:167) >>>>>>> >>>>>> at org.keycloak.federation.ldap.idm.store.ldap. >>>>>> >>>>>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:405) >>>>>>> >>>>>> at org.keycloak.federation.ldap.idm.store.ldap. >>>>>> >>>>>>> LDAPOperationManager$6.execute(LDAPOperationManager.java:402) >>>>>>> >>>>>> at org.keycloak.federation.ldap.idm.store.ldap. >>>>>> >>>>>>> LDAPOperationManager.execute(LDAPOperationManager.java:535) >>>>>>> >>>>>> at org.keycloak.federation.ldap.i >>>>>> dm.store.ldap.LDAPOperationManager. >>>>>> >>>>>>> modifyAttributes(LDAPOperationManager.java:402) >>>>>>> >>>>>> ... 59 more >>>>>> >>>>>> 2017-03-08 11:05:28,865 WARN [org.keycloak.events] (default task-6) >>>>>> >>>>>>> type=LOGIN_ERROR, realmId=myrealm, clientId=teste-portal, >>>>>>> userId=null, >>>>>>> ipAddress=xxx.xxx.xxx.xxx, error=invalid_user_credentials, >>>>>>> auth_method=openid-connect, auth_type=code, redirect_uri= >>>>>>> http://127.0.0.1: >>>>>>> 8080/teste-portal/ >>>>>>> >>>>>> >>>>>> and then, I got this result in my ldap: >>>>>> >>>>>> dn: uid=11111111111,dc=zz,dc=dd,dc=aa >>>>>> >>>>>> givenName:: IA== >>>>>> >>>>>> uid: 11111111111 >>>>>> >>>>>> objectClass: top >>>>>> >>>>>> objectClass: inetOrgPerson >>>>>> >>>>>> objectClass: person >>>>>> >>>>>> objectClass: organizationalPerson >>>>>> >>>>>> objectClass: phpgwAccount >>>>>> >>>>>> objectClass: shadowAccount >>>>>> >>>>>> sn:: IA== >>>>>> >>>>>> cn:: IA== >>>>>> >>>>>> structuralObjectClass: inetOrgPerson >>>>>> >>>>>> entryUUID: 07f0e7caxxxxxxxxxxx >>>>>> >>>>>> creatorsName: cn=admin,dc=zz,dc=dd,dc=aa >>>>>> >>>>>> createTimestamp: 20170308140529Z >>>>>> >>>>>> entryCSN: 
20170308140529.527857Z#000000#000#000000
>>>>>>
>>>>>> modifiersName: cn=admin,dc=zz,dc=dd,dc=aa
>>>>>>
>>>>>> modifyTimestamp: 20170308140529Z
>>>>>>
>>>>>>
>>>>>> So, I wrote the uid as 11111111111, but I didn't set the sn, cn and givenName as 'IA=='. It looks like some problem occurs in my configuration.
>>>>>>
>>>>>> please, need help!!
>>>>>>
>>>>>>
>>>>>> Best Regards,
>>>>>>
>>>>>
>>>>
>>>> --
>>>> ---
>>>> *Celso Agra*
>>>
>>> --
>>> ---
>>> *Celso Agra*
>>
>> --
>> ---
>> *Celso Agra*
>
> --
> ---
> *Celso Agra*

--
---
*Celso Agra*

From georgijsr at scandiweb.com Wed Mar 15 10:24:56 2017 From: georgijsr at scandiweb.com (Georgijs Radovs) Date: Wed, 15 Mar 2017 16:24:56 +0200 Subject: [keycloak-user] Keycloak 2.5.4 + MySQL 5.6.27 - user-fedration/instances - not found In-Reply-To: References: Message-ID:

Hello, Bill! Thank you for the info. Issue resolved.

--

From psilva at redhat.com Wed Mar 15 10:26:50 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 15 Mar 2017 11:26:50 -0300 Subject: [keycloak-user] Fwd: Access Control for an IoT environment In-Reply-To: References: Message-ID:

On Wed, Mar 15, 2017 at 5:19 AM, Mehdi Sheikhalishahi <mehdi.alishahi at gmail.com> wrote:

> ---------- Forwarded message ----------
> From: Mehdi Sheikhalishahi
> Date: Mon, Mar 13, 2017 at 6:38 PM
> Subject: Access Control for an IoT environment
> To: keycloak-user
>
> Hi,
>
> I'd like to validate my solution based on KeyCloak for securing access to sensors.
>
> Our environment consists of a dashboard, a sensors service (a database of sensors), and KeyCloak. We need to display the list of sensors associated to the authenticated user in the dashboard, and implement Access Control to sensors. A user can have different accesses to different sensors. For simplicity, we define read, and write access types.
>
> Our solution is to use User Attributes; for that we create two user attributes for each user: one for read, and one for write. And the value of each attribute will be the list of sensors. This list states that the user has this type of access to this list of sensors. Hence, this is a database that can be used for defining policies.
>
> For presentation, we simply can read these attributes and present them in the Dashboard with appropriate columns to present read and write accesses.
>
> We need to implement another operation that is called evaluation of authorization requests. That is when a user sends a request to access a sensor for an access type (read or write), this request should be evaluated (validated) by KeyCloak. Here is the place in which KeyCloak policies come into the place. For that, we need to write a policy (an attribute based policy, or a mixed kind of policy, such as JavaScript?) to evaluate if this user is authorized to perform such an operation. The output of this operation is allow or deny. If the evaluation result is allow, then the request will be sent to the database of sensors, and the result of this operation will be returned back to the Dashboard for the user.
>
> My questions are as the following:
>
> - Is this solution approach the right one?

I think it makes more sense to represent sensors as resources in Keycloak. And define read/write actions as scopes associated with these scopes.

> - How we provide the access request for KeyCloak? So policy, we will have all inputs that we need for evaluation, that is user information, requested sensor, and requested access type?

You can take a look at docs and some examples we have. But in a nutshell, your policies have access to:

- The user and the client asking for a permission (resource+scope). As well any other claim associated with the access token previously issued to the client on behalf of the user.
- The resource being requested. In your case, the resource representing a sensor.
- The scope(s) being requested. In your case, read or write.

A very simple config for your use case can be:

Scopes

    READ, WRITE

Resource:

    Name: Sensor A
    Scopes: READ, WRITE

Policy:

    My JavaScript Policy

Scope-Based Permission:

    Name: Sensor A Read Permission
    Resource: Sensor A
    Scope: READ
    Apply Policies: My JavaScript Policy

When you ask permissions for Sensor A, you will get a GRANT or DENY depending on the conditions you defined in My JavaScript Policy.

You can also use a resource-based permission to enforce access to the resource too, if you want to do so. I would also suggest to try out our Evaluation Tool to check out how all that fits without requiring you to build an application or anything else.

Btw, I'm looking for more examples about usages of Authz Services. If you can contribute with some example application based on your use case, I can help you. I think this kind of IoT scenario is very interesting and should provide a nice quickstart.

>
> Thanks,
>
> Mehdi
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mehdi.alishahi at gmail.com Wed Mar 15 11:14:18 2017 From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi) Date: Wed, 15 Mar 2017 16:14:18 +0100 Subject: [keycloak-user] Fwd: Access Control for an IoT environment In-Reply-To: References: Message-ID:

Dear Pedro,

Thanks for the note. Yes, we can definitely contribute in providing our use cases as examples in Authz Services in KeyCloak.

A question: How to represent sensors as resources? In our use case, each sensor has an endpoint; how can we associate a sensor with its endpoint as a resource? I know that we can define a client, and then add resources, but I don't see any field for this endpoint.
Cheers,
Mehdi

On Wed, Mar 15, 2017 at 3:26 PM, Pedro Igor Silva wrote:
> On Wed, Mar 15, 2017 at 5:19 AM, Mehdi Sheikhalishahi <mehdi.alishahi at gmail.com> wrote:
>
>> ---------- Forwarded message ----------
>> From: Mehdi Sheikhalishahi
>> Date: Mon, Mar 13, 2017 at 6:38 PM
>> Subject: Access Control for an IoT environment
>> To: keycloak-user
>>
>> Hi,
>>
>> I'd like to validate my solution based on KeyCloak for securing access to sensors.
>>
>> Our environment consists of a dashboard, a sensors service (a database of sensors), and KeyCloak. We need to display the list of sensors associated to the authenticated user in the dashboard, and implement Access Control to sensors. A user can have different accesses to different sensors. For simplicity, we define read, and write access types.
>>
>> Our solution is to use User Attributes; for that we create two user attributes for each user: one for read, and one for write. And the value of each attribute will be the list of sensors. This list states that the user has this type of access to this list of sensors. Hence, this is a database that can be used for defining policies.
>>
>> For presentation, we simply can read these attributes and present them in the Dashboard with appropriate columns to present read and write accesses.
>>
>> We need to implement another operation that is called evaluation of authorization requests. That is when a user sends a request to access a sensor for an access type (read or write), this request should be evaluated (validated) by KeyCloak. Here is the place in which KeyCloak policies come into the place. For that, we need to write a policy (an attribute based policy, or a mixed kind of policy, such as JavaScript?) to evaluate if this user is authorized to perform such an operation. The output of this operation is allow or deny. If the evaluation result is allow, then the request will be sent to the database of sensors, and the result of this operation will be returned back to the Dashboard for the user.
>>
>> My questions are as the following:
>>
>> - Is this solution approach the right one?
>
> I think it makes more sense to represent sensors as resources in Keycloak. And define read/write actions as scopes associated with these scopes.
>
>> - How we provide the access request for KeyCloak? So policy, we will have all inputs that we need for evaluation, that is user information, requested sensor, and requested access type?
>
> You can take a look at docs and some examples we have. But in a nutshell, your policies have access to:
>
> - The user and the client asking for a permission (resource+scope). As well any other claim associated with the access token previously issued to the client on behalf of the user.
> - The resource being requested. In your case, the resource representing a sensor.
> - The scope(s) being requested. In your case, read or write.
>
> A very simple config for your use case can be:
>
> Scopes
>
>     READ, WRITE
>
> Resource:
>
>     Name: Sensor A
>     Scopes: READ, WRITE
>
> Policy:
>
>     My JavaScript Policy
>
> Scope-Based Permission:
>
>     Name: Sensor A Read Permission
>     Resource: Sensor A
>     Scope: READ
>     Apply Policies: My JavaScript Policy
>
> When you ask permissions for Sensor A, you will get a GRANT or DENY depending on the conditions you defined in My JavaScript Policy.
>
> You can also use a resource-based permission to enforce access to the resource too, if you want to do so. I would also suggest to try out our Evaluation Tool to check out how all that fits without requiring you to build an application or anything else.
>
> Btw, I'm looking for more examples about usages of Authz Services. If you can contribute with some example application based on your use case, I can help you.
I think this kind of IoT scenario is very interesting and should > provide a nice quickstart. > > >> >> >> Thanks, >> >> Mehdi >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >

From georgijsr at scandiweb.com Wed Mar 15 12:06:34 2017
From: georgijsr at scandiweb.com (Georgijs Radovs)
Date: Wed, 15 Mar 2017 18:06:34 +0200
Subject: [keycloak-user] Keycloak 2.5.4 + MySQL 5.6.27 - user-fedration/instances - not found
In-Reply-To:
References:
Message-ID:

Sorry, I rushed into declaring resolution on the issue. The User Storage SPI documentation, "Migrating from an Earlier User Federation SPI" chapter, mentions migration from custom User Storage providers, but my Keycloak servers don't use any custom providers, only the default built-in "LDAP" providers to connect to FreeIPA servers.

I've launched a Keycloak 2.5.4 server with a completely fresh MySQL database, but the same issue still persists.

--

From campbellg at teds.com Wed Mar 15 15:44:42 2017
From: campbellg at teds.com (Glenn Campbell)
Date: Wed, 15 Mar 2017 15:44:42 -0400
Subject: [keycloak-user] kc_idp_hint for Kerberos
In-Reply-To: <24fd7e7a-d133-72b7-07de-3143432880dc@redhat.com>
References: <24fd7e7a-d133-72b7-07de-3143432880dc@redhat.com>
Message-ID:

Thank you for the info. I'm looking forward to the release that has the authentication levels. It sounds like it might be helpful for one of my other needs. In my app I have a "super sensitive" section where the user is required to re-authenticate every time they access it.

In the meantime I may look into setting up identity brokering to ADFS and have the Kerberos authentication happen there instead of directly in Keycloak. I haven't yet thought through all of the ramifications but at least I should have the ability to use kc_idp_hint=login to get a Keycloak login page where I can log in as my admin user.

Thanks again for your help.
On Tue, Mar 14, 2017 at 3:40 PM, Marek Posolda wrote: > I see your concerns. ATM there is nothing available OOTB, but OIDC > specification has some support for authentication levels, which we plan to > add. Then you will be able to define in your application if you want > "normal" level login (which can use Kerberos) or "admin" level login (which > won't use kerberos). > > Until that, you will need to subclass SpnegoAuthenticator and do something > on your own. > > Marek > > > On 14/03/17 13:52, Glenn Campbell wrote: > >> Is there some mechanism similar to kc_idp_hint=login that will let me skip >> authentication via Kerberos ticket and let me log in via the Keycloak >> login >> page? >> >> My situation is that I have admin user accounts in my application but >> users >> don't log in to Windows with these accounts. So UserA logs in to Windows >> with his UserA account but sometimes needs to log in to my application as >> AdminX. >> >> I see that I can use impersonation from the Keycloak admin console to >> impersonate AdminX and then open a browser tab and go to my application >> and >> I'll be logged in to my application as AdminX. But this strategy is a >> little inconvenient for users to use on a daily basis. Not horrible by any >> means but I'm sure I'll get some complaints. More importantly these users >> are admins in my application but they are not Keycloak admins and I'd >> rather not have them mucking around in the Keycloak admin console. 
>> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >

From georgijsr at scandiweb.com Wed Mar 15 18:08:53 2017
From: georgijsr at scandiweb.com (Georgijs Radovs)
Date: Thu, 16 Mar 2017 00:08:53 +0200
Subject: [keycloak-user] Keycloak 2.5.4 + MySQL 5.6.27 - user-fedration/instances - not found
Message-ID: <2391bf68-8870-155b-7459-7f341551bd17@scandiweb.com>

I apologize for once again raising this issue. I've started a Keycloak 2.5.4 server with the default standalone-ha.xml config and "User Federation" worked! I guess I need to remove all references to LDAP connections from the production standalone-ha.xml config, start the server, and then re-add them.

Issue resolved. Thank you for the help.

--

From mposolda at redhat.com Thu Mar 16 03:23:47 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 16 Mar 2017 08:23:47 +0100
Subject: [keycloak-user] kc_idp_hint for Kerberos
In-Reply-To:
References: <24fd7e7a-d133-72b7-07de-3143432880dc@redhat.com>
Message-ID: <65591420-71c2-e91d-cf43-fbe3473516cb@redhat.com>

On 15/03/17 20:44, Glenn Campbell wrote: > Thank you for the info. I'm looking forward to the release that has > the authentication levels. It sounds like it might be helpful for one > of my other needs. In my app I have a "super sensitive" section where > the user is required to re-authenticate every time they access it.

Yes, that's another kind of use-case for it.

> > In the meantime I may look into setting up identity brokering to ADFS > and have the Kerberos authentication happen there instead of directly > in Keycloak. I haven't yet thought through all of the ramifications > but at least I should have the ability to use kc_idp_hint=login to get > a Keycloak login page where I can log in as my admin user.

Yep. You can also use another Keycloak instance (or just a different realm) and broker with it.
Brokering Keycloak against Keycloak works fine.

Btw. I would personally rather go with subclassing SpnegoAuthenticator, but it all depends on your Authentication SPI knowledge, preferences, deployment requirements etc... For example you can attach the parameter "scope=admin_login" when you invoke a secured URL of your application. Keycloak will then re-send the scope parameter and in the authenticator you can retrieve it via: clientSession.getNote(OIDCLoginProtocol.SCOPE_PARAM); Then you can decide whether to skip this authenticator and just call authenticationContext.attempted() or whether to try it and just call super.

We also have some example authentication SPI providers in the directory "providers" of the keycloak-examples distribution.

Marek

> > Thanks again for your help. > > On Tue, Mar 14, 2017 at 3:40 PM, Marek Posolda > wrote: > > I see your concerns. ATM there is nothing available OOTB, but OIDC > specification has some support for authentication levels, which we > plan to add. Then you will be able to define in your application > if you want "normal" level login (which can use Kerberos) or > "admin" level login (which won't use kerberos). > > Until that, you will need to subclass SpnegoAuthenticator and do > something on your own. > > Marek > > > On 14/03/17 13:52, Glenn Campbell wrote: > > Is there some mechanism similar to kc_idp_hint=login that will > let me skip > authentication via Kerberos ticket and let me log in via the > Keycloak login > page? > > My situation is that I have admin user accounts in my > application but users > don't log in to Windows with these accounts. So UserA logs in > to Windows > with his UserA account but sometimes needs to log in to my > application as > AdminX. > > I see that I can use impersonation from the Keycloak admin > console to > impersonate AdminX and then open a browser tab and go to my > application and > I'll be logged in to my application as AdminX.
But this > strategy is a > little inconvenient for users to use on a daily basis. Not > horrible by any > means but I'm sure I'll get some complaints. More importantly > these users > are admins in my application but they are not Keycloak admins > and I'd > rather not have them mucking around in the Keycloak admin console. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > >

From psilva at redhat.com Thu Mar 16 07:47:46 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 16 Mar 2017 08:47:46 -0300
Subject: [keycloak-user] Fwd: Access Control for an IoT environment
In-Reply-To:
References:
Message-ID:

Mehdi, there is a URI field for that on the resource.

On Wed, Mar 15, 2017 at 12:14 PM, Mehdi Sheikhalishahi < mehdi.alishahi at gmail.com> wrote: > Dear Pedro, > > Thanks for the note. Yes, we can definitely contribute in providing our > use cases as examples in Authz Services in KeyCloak. > > A question: > > How to represent sensors as resources? In our use case, each sensor has an > endpoint, how can we associate a sensor with its endpoint as a resource? I > know that we can define client, and then add resources, but I don't see any > field for this endpoint. > > Cheers, > Mehdi > > > > > > On Wed, Mar 15, 2017 at 3:26 PM, Pedro Igor Silva > wrote: > >> On Wed, Mar 15, 2017 at 5:19 AM, Mehdi Sheikhalishahi < >> mehdi.alishahi at gmail.com> wrote: >> >>> ---------- Forwarded message ---------- >>> From: Mehdi Sheikhalishahi >>> Date: Mon, Mar 13, 2017 at 6:38 PM >>> Subject: Access Control for an IoT environment >>> To: keycloak-user >>> >>> >>> Hi, >>> >>> I'd like to validate my solution based on KeyCloak for securing access to >>> sensors. >>> >>> Our environment consists of a dashboard, a sensors service (a database of >>> sensors), and KeyCloak.
We need to display the list of sensors associated >>> to the authenticated user in the dashboard, and implement Access Control >>> to >>> sensors. A user can have different accesses to different sensors. For >>> simplicity, we define read, and write access types. >>> >>> >>> Our solution is to use User Attributes; for that we create two user >>> attributes for each user: one for read, and one for write. And the value >>> of >>> each attribute will be the list of sensors. This list states that the >>> user >>> has this type of access to this list of sensors. Hence, this is a >>> database >>> that can be used for defining policies. >>> >>> >>> For presentation, we simply can read these attributes and present them in >>> the Dashboard with appropriate columns to present read and write >>> accesses. >>> >>> >>> We need to implement another operation that is called evaluation of >>> authorization requests. That is when a user sends a request to access a >>> sensor for an access type (read or write), this request should be >>> evaluated >>> (validated) by KeyCloak. Here is the place in which KeyCloak policies >>> come >>> into the place. For that, we need to write a policy (an attribute-based >>> policy, or a mix kind of policy, such as JavaScript?) to evaluate if this >>> user is authorized to perform such an operation. The output of this >>> operation is allow or deny. If the evaluation result is allow, then the >>> request will be sent to the database of sensors, and the result of this >>> operation will be returned back to the Dashboard for the user. >>> >>> >>> My questions are the following: >>> >>> >>> - Is this solution approach the right one? >>> >> >> I think it makes more sense to represent sensors as resources in >> Keycloak. And define read/write actions as scopes associated with these >> scopes. >> >> >>> >>> - How do we provide the access request for KeyCloak?
So policy, we will have >>> all inputs that we need for evaluation, that is user information, >>> requested >>> sensor, and requested access type? >>> >> >> You can take a look at docs and some examples we have. But in a nutshell, >> your policies have access to: >> >> - The user and the client asking for a permission (resource+scope). As >> well any other claim associated with the access token previously issued to >> the client on behalf of the user. >> - The resource being requested. In your case, the resource representing a >> sensor. >> - The scope(s) being requested. In your case, read or write. >> >> A very simple config for your use case can be: >> >> >> Scopes >> >> READ, WRITE >> >> Resource: >> >> Name: Sensor A >> Scopes: READ, WRITE >> >> Policy: >> >> My JavaScript Policy >> >> Scope-Based Permission: >> >> Name: Sensor A Read Permission >> Resource: Sensor A >> Scope: READ >> Apply Policies: My JavaScript Policy >> >> When you ask for permissions for Sensor A, you will get a GRANT or DENY >> depending on the conditions you defined in My JavaScript Policy. >> >> You can also use a resource-based permission to enforce access to the >> resource too, if you want to do so. I would also suggest to try out our >> Evaluation Tool to check out how all that fits without requiring you to >> build an application or anything else. >> >> Btw, I'm looking for more examples about usages of Authz Services. If you >> can contribute with some example application based on your use case, I can >> help you. I think this kind of IoT scenario is very interesting and should >> provide a nice quickstart.
>> >> >>> >>> >>> Thanks, >>> >>> Mehdi >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >

From mehdi.alishahi at gmail.com Thu Mar 16 09:16:02 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Thu, 16 Mar 2017 14:16:02 +0100
Subject: [keycloak-user] Fwd: Access Control for an IoT environment
In-Reply-To:
References:
Message-ID:

Hi Pedro, thanks for the note.

So if we specify the resource URI for Sensor1 like databroker.iotplatform.io/Sensor1, then when a user is trying to access this endpoint it will be hit by the permission that matches this definition.

When I am defining a resource, I cannot assign any scope, the same problem with defining a scope-based permission. Actually, scopes do not appear by entering the first character. Any idea?

On Thu, Mar 16, 2017 at 12:47 PM, Pedro Igor Silva wrote: > Mehdi, there is a URI field for that on the resource. > > On Wed, Mar 15, 2017 at 12:14 PM, Mehdi Sheikhalishahi < > mehdi.alishahi at gmail.com> wrote: > >> Dear Pedro, >> >> Thanks for the note. Yes, we can definitely contribute in providing our >> use cases as examples in Authz Services in KeyCloak. >> >> A question: >> >> How to represent sensors as resources? In our use case, each sensor has >> an endpoint, how can we associate a sensor with its endpoint as a >> resource? I know that we can define client, and then add resources, but I >> don't see any field for this endpoint.
>> >> Cheers, >> Mehdi >> >> >> >> >> >> On Wed, Mar 15, 2017 at 3:26 PM, Pedro Igor Silva >> wrote: >> >>> On Wed, Mar 15, 2017 at 5:19 AM, Mehdi Sheikhalishahi < >>> mehdi.alishahi at gmail.com> wrote: >>> >>>> ---------- Forwarded message ---------- >>>> From: Mehdi Sheikhalishahi >>>> Date: Mon, Mar 13, 2017 at 6:38 PM >>>> Subject: Access Control for an IoT environment >>>> To: keycloak-user >>>> >>>> >>>> Hi, >>>> >>>> I'd like to validate my solution based on KeyCloak for securing access >>>> to >>>> sensors. >>>> >>>> Our environment consists of a dashboard, a sensors service (a database >>>> of >>>> sensors), and KeyCloak. We need to display the list of sensors >>>> associated >>>> to the authenticated user in the dashboard, and implement Access >>>> Control to >>>> sensors. A user can have different accesses to different sensors. For >>>> simplicity, we define read, and write access types. >>>> >>>> >>>> Our solution is to use User Attributes; for that we create two user >>>> attributes for each user: one for read, and one for write. And the >>>> value of >>>> each attribute will be the list of sensors. This list states that the >>>> user >>>> has this type of access to this list of sensors. Hence, this is a >>>> database >>>> that can be used for defining policies. >>>> >>>> >>>> For presentation, we simply can read these attributes and present them >>>> in >>>> the Dashboard with appropriate columns to present read and write >>>> accesses. >>>> >>>> >>>> We need to implement another operation that is called evaluation of >>>> authorization requests. That is when a user sends a request to access a >>>> sensor for an access type (read or write), this request should be >>>> evaluated >>>> (validated) by KeyCloak. Here is the place in which KeyCloak policies >>>> come >>>> into the place. For that, we need to write a policy (an attribute-based >>>> policy, or a mix kind of policy, such as JavaScript?)
to evaluate if >>>> this >>>> user is authorized to perform such an operation. The output of this >>>> operation is allow or deny. If the evaluation result is allow, then the >>>> request will be sent to the database of sensors, and the result of this >>>> operation will be returned back to the Dashboard for the user. >>>> >>>> >>>> My questions are the following: >>>> >>>> >>>> - Is this solution approach the right one? >>>> >>> >>> I think it makes more sense to represent sensors as resources in >>> Keycloak. And define read/write actions as scopes associated with these >>> scopes. >>> >>> >>>> >>>> - How do we provide the access request for KeyCloak? So policy, we will >>>> have >>>> all inputs that we need for evaluation, that is user information, >>>> requested >>>> sensor, and requested access type? >>>> >>> >>> You can take a look at docs and some examples we have. But in a >>> nutshell, your policies have access to: >>> >>> - The user and the client asking for a permission (resource+scope). As >>> well any other claim associated with the access token previously issued to >>> the client on behalf of the user. >>> - The resource being requested. In your case, the resource representing >>> a sensor. >>> - The scope(s) being requested. In your case, read or write. >>> >>> A very simple config for your use case can be: >>> >>> >>> Scopes >>> >>> READ, WRITE >>> >>> Resource: >>> >>> Name: Sensor A >>> Scopes: READ, WRITE >>> >>> Policy: >>> >>> My JavaScript Policy >>> >>> Scope-Based Permission: >>> >>> Name: Sensor A Read Permission >>> Resource: Sensor A >>> Scope: READ >>> Apply Policies: My JavaScript Policy >>> >>> When you ask for permissions for Sensor A, you will get a GRANT or DENY >>> depending on the conditions you defined in My JavaScript Policy. >>> >>> You can also use a resource-based permission to enforce access to the >>> resource too, if you want to do so.
I would also suggest to try out our >>> Evaluation Tool to check out how all that fits without requiring you to >>> build an application or anything else. >>> >>> Btw, I'm looking for more examples about usages of Authz Services. If >>> you can contribute with some example application based on your use case, I >>> can help you. I think this kind of IoT scenario is very interesting and >>> should provide a nice quickstart. >>> >>> >>>> >>>> >>>> Thanks, >>>> >>>> Mehdi >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> >

From istvan.orban at gmail.com Thu Mar 16 11:05:21 2017
From: istvan.orban at gmail.com (Istvan Orban)
Date: Thu, 16 Mar 2017 15:05:21 +0000
Subject: [keycloak-user] how to set user's locale when importing them into keycloak via Federation Provider
Message-ID:

Hello,

I am writing a user federation provider and it works great! Thanks for the help from the forum members.

At this point I reached an issue that seems trivial but I cannot seem to find the solution. When I am importing the user via a federation provider, I have the user's locale available from the external system. Although I do not seem to find a way I can set this onto the user object. org.keycloak.models.UserModel does not seem to have a locale field like firstName. It has a constant defined in the class called LOCALE but it is never used. Also there is a LocaleHelper class but the setUserLocale is private, hence I cannot use it.

Thanks for any suggestions.

--
Kind Regards,

From moon3854 at gmail.com Thu Mar 16 11:20:59 2017
From: moon3854 at gmail.com (Dmitry Korchemkin)
Date: Thu, 16 Mar 2017 18:20:59 +0300
Subject: [keycloak-user] Session invalidation upon role changes?
Message-ID:

Is there a built-in way to invalidate a session upon role changes in the IDP?

I imagine the following scenario:
- user logs in, mapper gives him role X.
- user, using role X, gains access to some resource or application.
- admin removes role X from user on IDP side.
- user needs to be logged out after that, since he doesn't have access to this resource anymore.

I've tried removing roles in the Keycloak UI and it doesn't seem to invalidate the session by default.

I know OIDC/SAML can store additional info in its tokens and we can probably use it to carry roles information in refresh tokens and check it on the application side, but maybe there's already a way to do this with some Keycloak configuration?

From mailamitarora at gmail.com Thu Mar 16 12:11:59 2017
From: mailamitarora at gmail.com (Amit Arora)
Date: Thu, 16 Mar 2017 12:11:59 -0400
Subject: [keycloak-user] Using my own DB for user store
Message-ID:

How can I use my own DB (with existing users uid/pwd) with KeyCloak? The use case is I want to have keycloak authenticate users from my own existing DB.

Amit

From juan.amat at nokia.com Thu Mar 16 12:42:38 2017
From: juan.amat at nokia.com (Amat, Juan (Nokia - US))
Date: Thu, 16 Mar 2017 16:42:38 +0000
Subject: [keycloak-user] KEYCLOAK-2962 and autodetect-bearer-only
Message-ID:

Hello,

I was reading this ticket as I am having a similar use case: my application, using the wildfly adapter (2.5.1), is doing a mix of http requests: regular ones and ajax ones. I declare my client as 'public' and everything is fine. Except when the session times out and the next request is an ajax one. In this case, Keycloak will try to redirect which does not work.

From my understanding this is what this ticket was about. The proposed fix in OAuthRequestAuthenticator.java will 'fix' this problem. And it was similar to what is done in the spring security adapter (KEYCLOAK-1391). Instead the ticket was resolved by introducing the autodetect-bearer-only property. Unfortunately this does not help me as this will treat all ajax requests as 'bearer only'.
But I do not set any Authorization header with a valid token (again this is some existing application and the only modification is configuring the keycloak sub system in my standalone.xml file). I am wondering then if we can still do the same 'trick' as the one in the spring security adapter. At least for consistency reasons. I understand that this is not a bug in Keycloak but an enhancement. I do have the problem when I am not using Keycloak but if Keycloak could solve it, then this will be a nice selling point!

What do you think?

Thank you,
Juan

From psilva at redhat.com Thu Mar 16 12:48:31 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 16 Mar 2017 13:48:31 -0300
Subject: [keycloak-user] Fwd: Access Control for an IoT environment
In-Reply-To:
References:
Message-ID:

What is the version you are using? I have no idea why you are not able to select scopes in both cases. Have you created your scopes?

Regards.
Pedro Igor

On Thu, Mar 16, 2017 at 10:16 AM, Mehdi Sheikhalishahi < mehdi.alishahi at gmail.com> wrote: > Hi Pedro, > thanks for the note. > > So if we specify resource URI for Sensor1 like databroker.iotplatform.io/ > Sensor1, then when a user is trying to access this endpoint it will be > hit by the permission that matches this definition. > > When I am defining a resource, I cannot assign any scope, the same problem > with defining scope-based permission. Actually, scopes do not appear by > entering the first character. Any idea? > > On Thu, Mar 16, 2017 at 12:47 PM, Pedro Igor Silva > wrote: > >> Mehdi, there is a URI field for that on the resource. >> >> On Wed, Mar 15, 2017 at 12:14 PM, Mehdi Sheikhalishahi < >> mehdi.alishahi at gmail.com> wrote: >> >>> Dear Pedro, >>> >>> Thanks for the note. Yes, we can definitely contribute in providing our >>> use cases as examples in Authz Services in KeyCloak. >>> >>> A question: >>> >>> How to represent sensors as resources?
In our use case, each sensor has >>> an endpoint, how can we associate a sensor with its endpoint as a >>> resource? I know that we can define client, and then add resources, but I >>> don't see any field for this endpoint. >>> >>> Cheers, >>> Mehdi >>> >>> >>> >>> >>> >>> On Wed, Mar 15, 2017 at 3:26 PM, Pedro Igor Silva >>> wrote: >>> >>>> On Wed, Mar 15, 2017 at 5:19 AM, Mehdi Sheikhalishahi < >>>> mehdi.alishahi at gmail.com> wrote: >>>> >>>>> ---------- Forwarded message ---------- >>>>> From: Mehdi Sheikhalishahi >>>>> Date: Mon, Mar 13, 2017 at 6:38 PM >>>>> Subject: Access Control for an IoT environment >>>>> To: keycloak-user >>>>> >>>>> >>>>> Hi, >>>>> >>>>> I'd like to validate my solution based on KeyCloak for securing access >>>>> to >>>>> sensors. >>>>> >>>>> Our environment consists of a dashboard, a sensors service (a database >>>>> of >>>>> sensors), and KeyCloak. We need to display the list of sensors >>>>> associated >>>>> to the authenticated user in the dashboard, and implement Access >>>>> Control to >>>>> sensors. A user can have different accesses to different sensors. For >>>>> simplicity, we define read, and write access types. >>>>> >>>>> >>>>> Our solution is to use User Attributes; for that we create two user >>>>> attributes for each user: one for read, and one for write. And the >>>>> value of >>>>> each attribute will be the list of sensors. This list states that the >>>>> user >>>>> has this type of access to this list of sensors. Hence, this is a >>>>> database >>>>> that can be used for defining policies. >>>>> >>>>> >>>>> For presentation, we simply can read these attributes and present them >>>>> in >>>>> the Dashboard with appropriate columns to present read and write >>>>> accesses. >>>>> >>>>> >>>>> We need to implement another operation that is called evaluation of >>>>> authorization requests.
That is when a user sends a request to access a >>>>> sensor for an access type (read or write), this request should be >>>>> evaluated >>>>> (validated) by KeyCloak. Here is the place in which KeyCloak policies >>>>> come >>>>> into the place. For that, we need to write a policy (an attribute-based >>>>> policy, or a mix kind of policy, such as JavaScript?) to evaluate if >>>>> this >>>>> user is authorized to perform such an operation. The output of this >>>>> operation is allow or deny. If the evaluation result is allow, then >>>>> the >>>>> request will be sent to the database of sensors, and the result of this >>>>> operation will be returned back to the Dashboard for the user. >>>>> >>>>> >>>>> My questions are the following: >>>>> >>>>> >>>>> - Is this solution approach the right one? >>>>> >>>> >>>> I think it makes more sense to represent sensors as resources in >>>> Keycloak. And define read/write actions as scopes associated with these >>>> scopes. >>>> >>>> >>>>> >>>>> - How do we provide the access request for KeyCloak? So policy, we will >>>>> have >>>>> all inputs that we need for evaluation, that is user information, >>>>> requested >>>>> sensor, and requested access type? >>>>> >>>> >>>> You can take a look at docs and some examples we have. But in a >>>> nutshell, your policies have access to: >>>> >>>> - The user and the client asking for a permission (resource+scope). As >>>> well any other claim associated with the access token previously issued to >>>> the client on behalf of the user. >>>> - The resource being requested. In your case, the resource representing >>>> a sensor. >>>> - The scope(s) being requested. In your case, read or write.
>>>> >>>> A very simple config for your use case can be: >>>> >>>> >>>> Scopes >>>> >>>> READ, WRITE >>>> >>>> Resource: >>>> >>>> Name: Sensor A >>>> Scopes: READ, WRITE >>>> >>>> Policy: >>>> >>>> My JavaScript Policy >>>> >>>> Scope-Based Permission: >>>> >>>> Name: Sensor A Read Permission >>>> Resource: Sensor A >>>> Scope: READ >>>> Apply Policies: My JavaScript Policy >>>> >>>> When you ask for permissions for Sensor A, you will get a GRANT or DENY >>>> depending on the conditions you defined in My JavaScript Policy. >>>> >>>> You can also use a resource-based permission to enforce access to the >>>> resource too, if you want to do so. I would also suggest to try out our >>>> Evaluation Tool to check out how all that fits without requiring you to >>>> build an application or anything else. >>>> >>>> Btw, I'm looking for more examples about usages of Authz Services. If >>>> you can contribute with some example application based on your use case, I >>>> can help you. I think this kind of IoT scenario is very interesting and >>>> should provide a nice quickstart. >>>> >>>> >>>>> >>>>> >>>>> Thanks, >>>>> >>>>> Mehdi >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>> >> >

From mehdi.alishahi at gmail.com Thu Mar 16 13:04:28 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Thu, 16 Mar 2017 18:04:28 +0100
Subject: [keycloak-user] Fwd: Access Control for an IoT environment
In-Reply-To:
References:
Message-ID:

I upgraded to 2.5.5. With this version, I can see Authorization Scopes, but not the client scopes. Is this the expected behavior?

One note: our database of sensors that we are considering as the Resource Server does not provide any OAuth 2.0 implementation. Can KC act also as a resource server?

On Thu, Mar 16, 2017 at 5:48 PM, Pedro Igor Silva wrote: > What is the version you are using?
I have no idea why you are not able to select > scopes in both cases. Have you created your scopes? > > Regards. > Pedro Igor > > On Thu, Mar 16, 2017 at 10:16 AM, Mehdi Sheikhalishahi < > mehdi.alishahi at gmail.com> wrote: > >> Hi Pedro, >> thanks for the note. >> >> So if we specify resource URI for Sensor1 like >> databroker.iotplatform.io/Sensor1, then when a user is trying to access >> this endpoint it will be hit by the permission that matches this definition. >> >> When I am defining a resource, I cannot assign any scope, the same >> problem with defining scope-based permission. Actually, scopes do not >> appear by entering the first character. Any idea? >> >> On Thu, Mar 16, 2017 at 12:47 PM, Pedro Igor Silva >> wrote: >> >>> Mehdi, there is a URI field for that on the resource. >>> >>> On Wed, Mar 15, 2017 at 12:14 PM, Mehdi Sheikhalishahi < >>> mehdi.alishahi at gmail.com> wrote: >>> >>>> Dear Pedro, >>>> >>>> Thanks for the note. Yes, we can definitely contribute in providing our >>>> use cases as examples in Authz Services in KeyCloak. >>>> >>>> A question: >>>> >>>> How to represent sensors as resources? In our use case, each sensor has >>>> an endpoint, how can we associate a sensor with its endpoint as a >>>> resource? I know that we can define client, and then add resources, but I >>>> don't see any field for this endpoint. >>>> >>>> Cheers, >>>> Mehdi >>>> >>>> >>>> >>>> >>>> >>>> On Wed, Mar 15, 2017 at 3:26 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> On Wed, Mar 15, 2017 at 5:19 AM, Mehdi Sheikhalishahi < >>>>> mehdi.alishahi at gmail.com> wrote: >>>>> >>>>>> ---------- Forwarded message ---------- >>>>>> From: Mehdi Sheikhalishahi >>>>>> Date: Mon, Mar 13, 2017 at 6:38 PM >>>>>> Subject: Access Control for an IoT environment >>>>>> To: keycloak-user >>>>>> >>>>>> >>>>>> Hi, >>>>>> >>>>>> I'd like to validate my solution based on KeyCloak for securing >>>>>> access to >>>>>> sensors.
>>>>>> >>>>>> Our environment consists of a dashboard, a sensors service (a >>>>>> database of >>>>>> sensors), and KeyCloak. We need to display the list of sensors >>>>>> associated >>>>>> to the authenticated user in the dashboard, and implement Access >>>>>> Control to >>>>>> sensors. A user can have different accesses to different sensors. For >>>>>> simplicity, we define read, and write access types. >>>>>> >>>>>> >>>>>> Our solution is to use User Attributes; for that we create two user >>>>>> attributes for each user: one for read, and one for write. And the >>>>>> value of >>>>>> each attribute will be the list of sensors. This list states that the >>>>>> user >>>>>> has this type of access to this list of sensors. Hence, this is a >>>>>> database >>>>>> that can be used for defining policies. >>>>>> >>>>>> >>>>>> For presentation, we simply can read these attributes and present >>>>>> them in >>>>>> the Dashboard with appropriate columns to present read and write >>>>>> accesses. >>>>>> >>>>>> >>>>>> We need to implement another operation that is called evaluation of >>>>>> authorization requests. That is when a user sends a request to access >>>>>> a >>>>>> sensor for an access type (read or write), this request should be >>>>>> evaluated >>>>>> (validated) by KeyCloak. Here is the place in which KeyCloak policies >>>>>> come >>>>>> into the place. For that, we need to write a policy (an attribute-based >>>>>> policy, or a mix kind of policy, such as JavaScript?) to evaluate if >>>>>> this >>>>>> user is authorized to perform such an operation. The output of this >>>>>> operation is allow or deny. If the evaluation result is allow, then >>>>>> the >>>>>> request will be sent to the database of sensors, and the result of >>>>>> this >>>>>> operation will be returned back to the Dashboard for the user. >>>>>> >>>>>> >>>>>> My questions are the following: >>>>>> >>>>>> >>>>>> - Is this solution approach the right one?
>>>>>>
>>>>>
>>>>> I think it makes more sense to represent sensors as resources in Keycloak. And define read/write actions as scopes associated with these scopes.
>>>>>
>>>>>> - How we provide the access request for KeyCloak? So policy, we will have all inputs that we need for evaluation, that is user information, requested sensor, and requested access type?
>>>>>
>>>>> You can take a look at docs and some examples we have. But in a nutshell, your policies have access to:
>>>>>
>>>>> - The user and the client asking for a permission (resource+scope). As well any other claim associated with the access token previously issued to the client on behalf of the user.
>>>>> - The resource being requested. In your case, the resource representing a sensor.
>>>>> - The scope(s) being requested. In your case, read or write.
>>>>>
>>>>> A very simple config for your use case can be:
>>>>>
>>>>> Scopes
>>>>>
>>>>> READ, WRITE
>>>>>
>>>>> Resource:
>>>>>
>>>>> Name: Sensor A
>>>>> Scopes: READ, WRITE
>>>>>
>>>>> Policy:
>>>>>
>>>>> My JavaScript Policy
>>>>>
>>>>> Scope-Based Permission:
>>>>>
>>>>> Name: Sensor A Read Permission
>>>>> Resource: Sensor A
>>>>> Scope: READ
>>>>> Apply Policies: My JavaScript Policy
>>>>>
>>>>> When you ask for permissions for Sensor A, you will get a GRANT or DENY depending on the conditions you defined in My JavaScript Policy.
>>>>>
>>>>> You can also use a resource-based permission to enforce access to the resource too, if you want to do so. I would also suggest to try out our Evaluation Tool to check out how all that fits without requiring you to build an application or anything else.
>>>>>
>>>>> Btw, I'm looking for more examples about usages of Authz Services. If you can contribute with some example application based on your use case, I can help you.
>>>>> I think this kind of IoT scenario is very interesting and should provide a nice quickstart.
>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Mehdi
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Thu Mar 16 14:44:47 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 16 Mar 2017 14:44:47 -0400
Subject: [keycloak-user] Session invalidation upon role changes?
In-Reply-To:
References:
Message-ID:

If the protocol you are using is OIDC, refreshing a token will fail if a role issued to the original token has been revoked. There is no callback though.

On 3/16/17 11:20 AM, Dmitry Korchemkin wrote:
> Is there a built-in way to invalidate session upon role changes in IDP?
>
> I imagine the following scenario:
> - user logs in, mapper gives him role X.
> - user, using role x, gains access to some resource or application.
> - admin removes role X from user on IDP side.
> - user needs to be logged out after that, since he doesn't have access to this resource anymore.
>
> I've tried removing roles in Keycloak UI and it doesn't seem to invalidate the session by default.
>
> I know OIDC/SAML can store additional info in its tokens and we can probably use it to carry roles information in refresh tokens and check it on application side, but maybe there's already a way to do this with some Keycloak configuration?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From assassin.creed60 at gmail.com Thu Mar 16 14:51:24 2017
From: assassin.creed60 at gmail.com (Jyoti Kumar Singh)
Date: Fri, 17 Mar 2017 00:21:24 +0530
Subject: [keycloak-user] Getting parsing error while posting client_assertion in Keycloak 2.2.1.Final (Offline Access)
Message-ID:

Hi Team,

We are using Keycloak Tag 2.2.1.Final for our sample code for offline access flow through signed JWT, where we are passing offline_token (refresh_token) as "client_assertion" through JWTClientCredentialsProvider API call.

We are getting "Parsing error" at Keycloak end (JWSInput.java) as I could see Keycloak API is parsing client_assertion as (parts.length < 2 || parts.length > 3). That means refresh_token parts should be less than 2 or greater than 3, but the client_assertion which we have always has 3 parts (i. header, ii. payload and iii. Signature).

Could you please suggest what is the significance of the above mentioned logic, or is there anything we are missing in "client_assertion".

--
*With Regards, Jyoti Kumar Singh*

From sthorger at redhat.com Thu Mar 16 15:08:16 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 16 Mar 2017 20:08:16 +0100
Subject: [keycloak-user] Keycloak 3.0.0.CR1 released
Message-ID:

Keycloak 3.0.0.CR1 is released. Even though we've been busy wrapping up Keycloak 2.5 we've managed to include quite a few new features.

To download the release go to the Keycloak homepage.

This release is the first that comes without Mongo support.

Highlights

- *No import option for LDAP* - This option allows consuming users from LDAP without importing into the Keycloak database
- *Initiate linking of identity provider from application* - In the past adding additional identity brokering accounts could only be done through the account management console.
Now this can be done from your application
- *Hide identity provider* - It's now possible to hide an identity provider from the login page
- *Jetty 9.4* - Thanks to reneploetz we now have support for Jetty 9.4
- *Swedish translations* - Thanks to Viktor Kostov for adding Swedish translations
- *Checksums for downloads* - The website now has md5 checksums for all downloads
- *BOMs* - We've added BOMs for adapters as well as Server SPIs

The full list of resolved issues is available in JIRA.

Upgrading

Before you upgrade remember to backup your database and check the migration guide.

From rbarroetavena at anura.com.ar Thu Mar 16 18:02:34 2017
From: rbarroetavena at anura.com.ar (Ricardo Barroetaveña)
Date: Thu, 16 Mar 2017 19:02:34 -0300
Subject: [keycloak-user] CORS response headers
Message-ID:

Hi all,

We're securing a client-side js app with Keycloak and we notice it's not adding CORS headers when the response status code is not successful. The browser complains about the missing 'Access-Control-Allow-Origin' header and it hides the resource error code.

Is there any reason it's not adding the header under this error condition? Is it a security issue?

Thanks for the help!
Ricardo.

From guus.der.kinderen at gmail.com Fri Mar 17 06:09:35 2017
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Fri, 17 Mar 2017 11:09:35 +0100
Subject: [keycloak-user] Different username for direct access grant?
Message-ID:

Hi!

We're integrating our Java application with Keycloak using JAAS. We're making use of org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule

For this application, we'd like the users to authenticate with a username that is different from the "username" property in the Keycloak UserModel. Instead, we'd like to use the Keycloak ID.

I had thought that changing the "username" protocol mapping for the client that is used would do the trick.
I changed the value for the "property" field from "username" to "id" - that does not have the desired effect, as users can still log in with their 'username' (instead of the UUID value that is the Keycloak ID).

What is my mistake?

Regards,

Guus

From moon3854 at gmail.com Fri Mar 17 07:03:47 2017
From: moon3854 at gmail.com (Dmitry Korchemkin)
Date: Fri, 17 Mar 2017 14:03:47 +0300
Subject: [keycloak-user] Session invalidation upon role changes?
In-Reply-To:
References:
Message-ID:

Can you elaborate on the "refreshing a token will fail if a role issued to the original token has been revoked" part please? As far as I understand, issuing a new token with a role revoked will just give the user a new token. Why should it fail?

We have the following scenario: frontend, backend and IdP. Frontend sends a request with an OIDC token to backend. How will backend know if the list of roles in the token is not up-to-date?

We expect that keycloak will monitor user changes. If a change affects information in the OIDC token then the token must be treated as invalid and there should be an endpoint to check token validity.

2017-03-16 21:44 GMT+03:00 Bill Burke :
> If the protocol you are using is OIDC, refreshing a token will fail if a role issued to the original token has been revoked. There is no callback though.
>
> On 3/16/17 11:20 AM, Dmitry Korchemkin wrote:
> > Is there a built-in way to invalidate session upon role changes in IDP?
> >
> > I imagine the following scenario:
> > - user logs in, mapper gives him role X.
> > - user, using role x, gains access to some resource or application.
> > - admin removes role X from user on IDP side.
> > - user needs to be logged out after that, since he doesn't have access to this resource anymore.
> >
> > I've tried removing roles in Keycloak UI and it doesn't seem to invalidate the session by default.
> >
> > I know OIDC/SAML can store additional info in its tokens and we can probably use it to carry roles information in refresh tokens and check it on application side, but maybe there's already a way to do this with some Keycloak configuration?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at zyres.com Fri Mar 17 07:07:50 2017
From: dt at zyres.com (Danny Trunk)
Date: Fri, 17 Mar 2017 12:07:50 +0100
Subject: [keycloak-user] Custom password hash provider seems not getting triggered
In-Reply-To:
References: <0c3ba3be-06bf-892e-b5d9-4907d58243b5@redhat.com>
Message-ID: <097e4f34-4ef5-d23b-5aa0-55318d7f2f53@zyres.com>

The User Storage Provider is based on the JPA Example and the Password Hash Provider is based on the builtin Pbkdf2.

Could this be a bug in Keycloak?

On 15.03.2017 at 10:52, Danny Trunk wrote:
> This is my CredentialInputValidator.isValid implementation of the user storage provider:
>
> public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
>     if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) {
>         return false;
>     }
>
>     UserCredentialModel cred = (UserCredentialModel) input;
>     String password = getPassword(user);
>
>     logger.info("isValid: " + password + " - " + cred.getValue());
>     return password != null && password.equals(cred.getValue());
> }
>
> After adding the logging here I can see that password is the hashed password from the db and cred.getValue() returns the raw password.
>
> That's why I get an invalid credentials error message.
>
> But I don't know why it's raw in cred.getValue().
>
> Do I have to add the hash provider there manually?
>
> On 15.03.2017 at 08:06, Danny Trunk wrote:
>> I deployed the hash provider the same way I deployed the user storage provider: I've put the jar files into standalone/deployments:
>>
>> 2017-03-15 08:03:06,012 INFO [org.jboss.as.repository] (DeploymentScanner-threads - 2) WFLYDR0001: Content added at location /opt/keycloak/standalone/data/content/5b/7be86171d601f1b725cec361a2ec9e4b8fb766/content
>> 2017-03-15 08:03:06,015 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-navcrypt-provider.jar" (runtime-name: "keycloak-navcrypt-provider.jar")
>> 2017-03-15 08:03:06,029 WARN [org.jboss.as.dependency.private] (MSC service thread 1-4) WFLYSRV0018: Deployment "deployment.keycloak-navcrypt-provider.jar" is using a private module ("org.apache.commons.codec:main") which may be changed or removed in future versions without notice.
>> 2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC service thread 1-4) WFLYSRV0018: Deployment "deployment.keycloak-navcrypt-provider.jar" is using a private module ("org.apache.commons.lang:main") which may be changed or removed in future versions without notice.
>> 2017-03-15 08:03:06,030 WARN [org.jboss.as.dependency.private] (MSC service thread 1-4) WFLYSRV0018: Deployment "deployment.keycloak-navcrypt-provider.jar" is using a private module ("org.keycloak.keycloak-server-spi-private:main") which may be changed or removed in future versions without notice.
>> 2017-03-15 08:03:06,040 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-3) Deploying Keycloak provider: {0}
>> 2017-03-15 08:03:06,076 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "keycloak-navcrypt-provider.jar" (runtime-name : "keycloak-navcrypt-provider.jar")
>>
>> Keycloak version is 2.5.4.Final
>>
>> In Server Info > Providers I can see my provider:
>>
>> password-hashing
>>
>> pbkdf2
>> navcrypt
>>
>> Maybe I misunderstood the SPI? I'm expecting the hash provider to be called during the authentication process.
>>
>> On 14.03.2017 at 16:21, Bill Burke wrote:
>>> Hmm, the log message should be popping up. How are you deploying your hash provider? Is it in the same jar as the User Storage Provider? How do you deploy this jar? What version of Keycloak?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Mar 17 08:09:43 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 17 Mar 2017 09:09:43 -0300
Subject: [keycloak-user] Fwd: Access Control for an IoT environment
In-Reply-To:
References:
Message-ID:

Hey Mehdi.

Now I see ... We did have an issue on scope-based permission UI. But we have fixed it in 2.5.5.Final as well as some improvements to the policy evaluation engine when dealing with scope permissions.

Regarding client scopes, they are a different thing. They basically map to the OAuth2 scopes and roles in your client while authorization scopes are not really related with OAuth2 scopes or roles but with actions or any other representation of something your resource has/provides.
This is the main concept behind fine-grained permissions in Keycloak, where your authorization scopes don't represent authorization data by themselves but something protected by your policies.

Regards.
Pedro Igor

On Thu, Mar 16, 2017 at 2:04 PM, Mehdi Sheikhalishahi <
mehdi.alishahi at gmail.com> wrote:
> I upgraded to 2.5.5. With this version, I can see Authorization Scopes, but not the client scopes. Is this the expected behavior?
>
> One note: our database of sensors that we are considering as Resource Server, does not provide any OAuth 2.0 implementation. Can KC act also as a resource server?
>
> On Thu, Mar 16, 2017 at 5:48 PM, Pedro Igor Silva
> wrote:
>
>> What is the version you are using ? I have no idea why are not able select scopes in both cases. Have you created your scopes ?
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Mar 16, 2017 at 10:16 AM, Mehdi Sheikhalishahi <
>> mehdi.alishahi at gmail.com> wrote:
>>
>>> Hi Pedro,
>>> thanks for the note.
>>>
>>> So If we specify resource URI for Sensor1 like databroker.iotplatform.io/Sensor1, then when a user is trying to access this endpoint it will be hit by the permission that matches this definition.
>>>
>>> When I am defining a resource, I cannot assign any scope, the same problem with defining scope-based permission. Actually, scopes do not appear by entering the first character. Any idea?
>>>
>>> On Thu, Mar 16, 2017 at 12:47 PM, Pedro Igor Silva
>>> wrote:
>>>
>>>> Mehdi, there is a URI field for that on the resource.
>>>>
>>>> On Wed, Mar 15, 2017 at 12:14 PM, Mehdi Sheikhalishahi <
>>>> mehdi.alishahi at gmail.com> wrote:
>>>>
>>>>> Dear Pedro,
>>>>>
>>>>> Thanks for the note. Yes, we can definitely contribute in providing our use cases as examples in Authz Services in KeyCloak.
>>>>>
>>>>> A question:
>>>>>
>>>>> How to represent sensors as resources?
In our use case, each sensor >>>>> has an endpoint, how we can associated a sensor with its endpoint as a >>>>> resource? I know that we can define client, and then add resources, but I >>>>> don't see any field for this endpoint. >>>>> >>>>> Cheers, >>>>> Mehdi >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On Wed, Mar 15, 2017 at 3:26 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> On Wed, Mar 15, 2017 at 5:19 AM, Mehdi Sheikhalishahi < >>>>>> mehdi.alishahi at gmail.com> wrote: >>>>>> >>>>>>> ---------- Forwarded message ---------- >>>>>>> From: Mehdi Sheikhalishahi >>>>>>> Date: Mon, Mar 13, 2017 at 6:38 PM >>>>>>> Subject: Access Control for an IoT environment >>>>>>> To: keycloak-user >>>>>>> >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> I'd like to validate my solution based on KeyCloak for securing >>>>>>> access to >>>>>>> sensors. >>>>>>> >>>>>>> Our environment consists of a dashboard, a sensors service (a >>>>>>> database of >>>>>>> sensors), and KeyCloak. We need to display the list of sensors >>>>>>> associated >>>>>>> to the authenticated user in the dashboard, and implement Access >>>>>>> Control to >>>>>>> sensors. A user can have different accesses to different sensors. For >>>>>>> simplicity, we define read, and write access types. >>>>>>> >>>>>>> >>>>>>> Our solution is to use User Attributes; for that we create two user >>>>>>> attributes for each user: one for read, and one for write. And the >>>>>>> value of >>>>>>> each attribute will be the list of sensors. This list states that >>>>>>> the user >>>>>>> has this type of access to this list of sensors. Hence, this is a >>>>>>> database >>>>>>> that can be used for defining policies. >>>>>>> >>>>>>> >>>>>>> For presentation, we simply can read these attributes and present >>>>>>> them in >>>>>>> the Dashboard with appropriate columns to present read and write >>>>>>> accesses. >>>>>>> >>>>>>> >>>>>>> We need to implement another operation that is called evaluation of >>>>>>> authorization requests. 
That is when a user sends a request to >>>>>>> access a >>>>>>> sensor for an access type (read or write), this request should be >>>>>>> evaluated >>>>>>> (validated) by KeyCloak. Here is the place in which KeyCloak >>>>>>> policies come >>>>>>> into the place. For that, we need to write a policy (an attributed >>>>>>> based >>>>>>> policy, or a mix kind of policy, such as JavaScript?) to evaluate if >>>>>>> this >>>>>>> user is authorized to perform such an operation. The output of this >>>>>>> operation is allow or deny. If the evaluation results is allow, then >>>>>>> the >>>>>>> request will be sent to the database of sensors, and the result of >>>>>>> this >>>>>>> operation will be returned back to the Dashboard for the user. >>>>>>> >>>>>>> >>>>>>> My questions are as the following: >>>>>>> >>>>>>> >>>>>>> - Is this solution approach the right one? >>>>>>> >>>>>> >>>>>> I think it makes more sense to represent sensors as resources in >>>>>> Keycloak. And define read/write actions as scopes associated with these >>>>>> scopes. >>>>>> >>>>>> >>>>>>> >>>>>>> - How we provide the access request for KeyCloak? So policy, we will >>>>>>> have >>>>>>> all inputs that we need for evaluation, that is user information, >>>>>>> requested >>>>>>> sensor, and requested access type? >>>>>>> >>>>>> >>>>>> You can take a look at docs and some examples we have. But in a >>>>>> nutshell, your policies have access to: >>>>>> >>>>>> - The user and the client asking for a permission (resource+scope). >>>>>> As well any other claim associated with the access token previously issued >>>>>> to the client on behalf of the user. >>>>>> - The resource being requested. In your case, the resource >>>>>> representing a sensor. >>>>>> - The scope(s) being requested. In your case, read or write. 
>>>>>>
>>>>>> A very simple config for your use case can be:
>>>>>>
>>>>>> Scopes
>>>>>>
>>>>>> READ, WRITE
>>>>>>
>>>>>> Resource:
>>>>>>
>>>>>> Name: Sensor A
>>>>>> Scopes: READ, WRITE
>>>>>>
>>>>>> Policy:
>>>>>>
>>>>>> My JavaScript Policy
>>>>>>
>>>>>> Scope-Based Permission:
>>>>>>
>>>>>> Name: Sensor A Read Permission
>>>>>> Resource: Sensor A
>>>>>> Scope: READ
>>>>>> Apply Policies: My JavaScript Policy
>>>>>>
>>>>>> When you ask for permissions for Sensor A, you will get a GRANT or DENY depending on the conditions you defined in My JavaScript Policy.
>>>>>>
>>>>>> You can also use a resource-based permission to enforce access to the resource too, if you want to do so. I would also suggest to try out our Evaluation Tool to check out how all that fits without requiring you to build an application or anything else.
>>>>>>
>>>>>> Btw, I'm looking for more examples about usages of Authz Services. If you can contribute with some example application based on your use case, I can help you. I think this kind of IoT scenario is very interesting and should provide a nice quickstart.
>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Mehdi
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mehdi.alishahi at gmail.com Fri Mar 17 14:33:03 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Fri, 17 Mar 2017 19:33:03 +0100
Subject: [keycloak-user] Fwd: Access Control for an IoT environment
In-Reply-To:
References:
Message-ID:

Hi Pedro

Thanks for the note. So as I understand I should define authorization scopes that are specific to keycloak. How can we understand which scope a user is asking? How to enforce policies?

On Mar 17, 2017 1:09 PM, "Pedro Igor Silva" wrote:
> Hey Mehdi.
>
> Now I see ...
We did have an issue on scope-based permission UI. But we > have fixed in 2.5.5.Final as well some improvements to the policy > evaluation engine when dealing with scope permissions. > > Regarding client scopes, they are a different thing. They basically map to > the OAuth2 scopes and roles in your client while authorization scopes are > not really related with OAuth2 scopes or roles but with actions or any > other representation of something you resource has/provides. > > This is the main concept behind fine-grained permissions in Keycloak, > where your authorization scopes don't represent an authorization data by > themselves but something protected by your policies. > > Regards. > Pedro Igor > > On Thu, Mar 16, 2017 at 2:04 PM, Mehdi Sheikhalishahi < > mehdi.alishahi at gmail.com> wrote: > >> I upgraded to 2.5.5. With this version, I can see Authorization Scopes, >> but not the client scopes. Is this the expected behavior? >> >> One note: our database of sensors that we are considering as Resource >> Server, does not provide any OAuth 2.0 implemenation. Can KC act also as a >> resource server? >> >> On Thu, Mar 16, 2017 at 5:48 PM, Pedro Igor Silva >> wrote: >> >>> What is the version you are using ? I have no idea why are not able >>> select scopes in both cases. Have you created your scopes ? >>> >>> Regards. >>> Pedro Igor >>> >>> On Thu, Mar 16, 2017 at 10:16 AM, Mehdi Sheikhalishahi < >>> mehdi.alishahi at gmail.com> wrote: >>> >>>> Hi Pedro, >>>> thanks for the note. >>>> >>>> So If we specify resource URI for Sensor1 like >>>> databroker.iotplatform.io/Sensor1, then when a user is trying to >>>> access this endpoint it will be hit by the permission that matches this >>>> definition. >>>> >>>> When I am defining a resource, I cannot assign any scope, the same >>>> problem with defininig scope-based permission. Actually, scopes do not >>>> appear by entering the first character. Any idea? 
>>>> >>>> On Thu, Mar 16, 2017 at 12:47 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> Mehdi, there is a URI field for that on the resource. >>>>> >>>>> On Wed, Mar 15, 2017 at 12:14 PM, Mehdi Sheikhalishahi < >>>>> mehdi.alishahi at gmail.com> wrote: >>>>> >>>>>> Dear Pedro, >>>>>> >>>>>> Thanks for the note. Yes, we can definitely contribute in providing >>>>>> our use cases as examples in Authz Services in KeyCloak. >>>>>> >>>>>> A question: >>>>>> >>>>>> How to represent sensors as resources? In our use case, each sensor >>>>>> has an endpoint, how we can associated a sensor with its endpoint as a >>>>>> resource? I know that we can define client, and then add resources, but I >>>>>> don't see any field for this endpoint. >>>>>> >>>>>> Cheers, >>>>>> Mehdi >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Wed, Mar 15, 2017 at 3:26 PM, Pedro Igor Silva >>>>>> wrote: >>>>>> >>>>>>> On Wed, Mar 15, 2017 at 5:19 AM, Mehdi Sheikhalishahi < >>>>>>> mehdi.alishahi at gmail.com> wrote: >>>>>>> >>>>>>>> ---------- Forwarded message ---------- >>>>>>>> From: Mehdi Sheikhalishahi >>>>>>>> Date: Mon, Mar 13, 2017 at 6:38 PM >>>>>>>> Subject: Access Control for an IoT environment >>>>>>>> To: keycloak-user >>>>>>>> >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> I'd like to validate my solution based on KeyCloak for securing >>>>>>>> access to >>>>>>>> sensors. >>>>>>>> >>>>>>>> Our environment consists of a dashboard, a sensors service (a >>>>>>>> database of >>>>>>>> sensors), and KeyCloak. We need to display the list of sensors >>>>>>>> associated >>>>>>>> to the authenticated user in the dashboard, and implement Access >>>>>>>> Control to >>>>>>>> sensors. A user can have different accesses to different sensors. >>>>>>>> For >>>>>>>> simplicity, we define read, and write access types. >>>>>>>> >>>>>>>> >>>>>>>> Our solution is to use User Attributes; for that we create two user >>>>>>>> attributes for each user: one for read, and one for write. 
And the >>>>>>>> value of >>>>>>>> each attribute will be the list of sensors. This list states that >>>>>>>> the user >>>>>>>> has this type of access to this list of sensors. Hence, this is a >>>>>>>> database >>>>>>>> that can be used for defining policies. >>>>>>>> >>>>>>>> >>>>>>>> For presentation, we simply can read these attributes and present >>>>>>>> them in >>>>>>>> the Dashboard with appropriate columns to present read and write >>>>>>>> accesses. >>>>>>>> >>>>>>>> >>>>>>>> We need to implement another operation that is called evaluation of >>>>>>>> authorization requests. That is when a user sends a request to >>>>>>>> access a >>>>>>>> sensor for an access type (read or write), this request should be >>>>>>>> evaluated >>>>>>>> (validated) by KeyCloak. Here is the place in which KeyCloak >>>>>>>> policies come >>>>>>>> into the place. For that, we need to write a policy (an attributed >>>>>>>> based >>>>>>>> policy, or a mix kind of policy, such as JavaScript?) to evaluate >>>>>>>> if this >>>>>>>> user is authorized to perform such an operation. The output of this >>>>>>>> operation is allow or deny. If the evaluation results is allow, >>>>>>>> then the >>>>>>>> request will be sent to the database of sensors, and the result of >>>>>>>> this >>>>>>>> operation will be returned back to the Dashboard for the user. >>>>>>>> >>>>>>>> >>>>>>>> My questions are as the following: >>>>>>>> >>>>>>>> >>>>>>>> - Is this solution approach the right one? >>>>>>>> >>>>>>> >>>>>>> I think it makes more sense to represent sensors as resources in >>>>>>> Keycloak. And define read/write actions as scopes associated with these >>>>>>> scopes. >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> - How we provide the access request for KeyCloak? So policy, we >>>>>>>> will have >>>>>>>> all inputs that we need for evaluation, that is user information, >>>>>>>> requested >>>>>>>> sensor, and requested access type? 
>>>>>>>> >>>>>>> >>>>>>> You can take a look at docs and some examples we have. But in a >>>>>>> nutshell, your policies have access to: >>>>>>> >>>>>>> - The user and the client asking for a permission (resource+scope). >>>>>>> As well any other claim associated with the access token previously issued >>>>>>> to the client on behalf of the user. >>>>>>> - The resource being requested. In your case, the resource >>>>>>> representing a sensor. >>>>>>> - The scope(s) being requested. In your case, read or write. >>>>>>> >>>>>>> A very simple config for your use case can be: >>>>>>> >>>>>>> >>>>>>> Scopes >>>>>>> >>>>>>> READ, WRITE >>>>>>> >>>>>>> Resource: >>>>>>> >>>>>>> Name: Sensor A >>>>>>> Scopes: READ, WRITE >>>>>>> >>>>>>> Policy: >>>>>>> >>>>>>> My JavaScrypt Policy >>>>>>> >>>>>>> Scope-Based Permission: >>>>>>> >>>>>>> Name: Sensor A Read Permission >>>>>>> Resource: Sensor A >>>>>>> Scope: READ >>>>>>> Apply Policies: My JavaScript Policy >>>>>>> >>>>>>> When you as permissions for Sensor A, you will get a GRANT or DENY >>>>>>> depending on the conditions you defined in My JavaScript Policy. >>>>>>> >>>>>>> You can also use a resource-based permission to enforce access to >>>>>>> the resource too, if you want to do so. I would also suggest to try out our >>>>>>> Evaluation Tool to check out how all that fits without requiring you to >>>>>>> build an application or anything else. >>>>>>> >>>>>>> Btw, I'm looking for more examples about usages of Authz Services. >>>>>>> If you can contribute with some example application based on your use case, >>>>>>> I can help you. I think this kind of IoT scenario is very interesting and >>>>>>> should provide a nice quickstart. 
>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Mehdi
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.darimont at googlemail.com Sun Mar 19 05:09:09 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Sun, 19 Mar 2017 10:09:09 +0100
Subject: [keycloak-user] JavaScript client, iframe and IE
In-Reply-To:
References: <597752d5c22445429abee02c9047e000@MIPROEXCH01.mipro.local>
Message-ID:

Hello,

sorry for digging this old thread out but I just stumbled over this again.

I found some Keycloak deployments in the wild which explicitly set the P3P Header to:
P3P:CP="CAO PSA OUR"

This seems to work fine with IE and is a valid P3P header. See also:
http://stackoverflow.com/questions/5257983/what-does-headerp3p-cp-cao-psa-our-do

I wonder whether this would make a better default setting for the p3pPolicy setting in themes/src/main/resources/theme/base/login/messages/messages_*.properties than the current value of:
p3pPolicy=CP="This is not a P3P policy!"

Cheers,
Thomas

2016-04-15 15:24 GMT+02:00 Stian Thorgersen :
> No, but feel free to add one to the new testsuite :)
>
> On 15 April 2016 at 14:46, Thomas Raehalme com> wrote:
>
>> On Thu, Apr 14, 2016 at 5:11 PM, Stian Thorgersen
>> wrote:
>>
>>> I think we need to make it configurable. Could use messages from login theme as a simple solution?
>>>
>>> sessionIframeP3P=CP="This is not a P3P policy!"
>>
>> Using theme properties was a good idea.
>>
>> Is there an existing test I could extend to verify the presence of the header?
>>
>>> On 14 April 2016 at 16:06, Thomas Raehalme <
>>> thomas.raehalme at aitiofinland.com> wrote:
>>>
>>>> Well I didn't mean exactly the same message with a link and everything, but just something like "This is not a policy definition."
>>>>
>>>> Best regards,
>>>> Thomas
>>>> On Apr 14, 2016 17:03, "Stian Thorgersen" wrote:
>>>>
>>>>> I don't think the Google way is good for us as we'd need to have a similar page. Further, it wouldn't be correct to have a Keycloak page that describes the policy for other companies. So we need to figure out what the correct value should be I think.
>>>>>
>>>>> On 14 April 2016 at 16:00, Thomas Raehalme <
>>>>> thomas.raehalme at aitiofinland.com> wrote:
>>>>>
>>>>>> W3C has the spec but since nobody is really using this I don't think the value matters. But instead of making up some policy definition I think that the Google way would be the best. What do you think?
>>>>>>
>>>>>> Best regards,
>>>>>> Thomas
>>>>>> On Apr 14, 2016 16:54, "Stian Thorgersen"
>>>>>> wrote:
>>>>>>
>>>>>>> I've got no clue what the value should be, tried to search on Google, but doesn't make much sense to me.
>>>>>>>
>>>>>>> On 14 April 2016 at 15:30, Jukka Sirviö
>>>>>>> wrote:
>>>>>>>
>>>>>>>> there is discussion on this issue, also on stack overflow
>>>>>>>> http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-have-an-infinite-loop
>>>>>>>>
>>>>>>>> "Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG""
>>>>>>>>
>>>>>>>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Thomas Raehalme
>>>>>>>> Sent: 14 April 2016 16:22
>>>>>>>> To: Stian Thorgersen
>>>>>>>> Cc: keycloak-user
>>>>>>>> Subject: Re: [keycloak-user] JavaScript client, iframe and IE
>>>>>>>>
>>>>>>>> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>>>>>>>> >>>>>>>> What do you think the value should be? As I wrote earlier it does >>>>>>>> not seem to make a difference to IE. >>>>>>>> >>>>>>>> Best regards, >>>>>>>> Thomas >>>>>>>> >>>>>>>> >>>>>>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen < >>>>>>>> sthorger at redhat.com> wrote: >>>>>>>> Can you create a JIRA for it please? If you fancy doing a PR you >>>>>>>> can add the header to LoginStatusIframeEndpoint. >>>>>>>> >>>>>>>> On 14 April 2016 at 15:09, Thomas Raehalme < >>>>>>>> thomas.raehalme at aitiofinland.com> wrote: >>>>>>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen < >>>>>>>> sthorger at redhat.com> wrote: >>>>>>>> What do you mean about "if the URL is something like"? >>>>>>>> >>>>>>>> The only iframe Keycloak uses is in the JavaScript adapter and it's >>>>>>>> only the session iframe. That would be the only place it would be relevant >>>>>>>> for Keycloak to set P3P header, but don't think it's need AFAIK it works >>>>>>>> just fine on IE. >>>>>>>> >>>>>>>> Sorry for being a little too vague. >>>>>>>> >>>>>>>> Among other UIs our application has a web front-end based on >>>>>>>> AngularJS and it's utilizing the JavaScript adapter for authentication. >>>>>>>> When I login to the application I can inspect the HTML and see an