From esteffens at rovecom.nl Mon May 1 02:45:39 2017 
From: esteffens at rovecom.nl (Erwin Steffens | Rovecom)
Date: Mon, 1 May 2017 06:45:39 +0000
Subject: [keycloak-user] SAML response parsing failed
In-Reply-To:
References: <1493199154452.73006@rovecom.nl> <943ce975e74e44acba5c3b7600d8ca04@rovexchange.rovecom.local> <1493237312426.39665@rovecom.nl>
Message-ID: <65baea68ba0f4be7933f08639bf8d4e7@rovexchange.rovecom.local>

I think it is solved in v2.5.5.Final. Sorry for not testing this earlier.

-----------------------------
Rovecom

Erwin Steffens | Rovecom
software developer

Elbe 2, 7908 HB Hoogeveen
Postbus 2126, 7900 BC Hoogeveen
0528 22 35 35

Continuously innovating to stimulate movement and realize growth. We are Rovecom.
Disclaimer: http://www.rovecom.nl/maildisclaimer. If the link does not work, paste it into your web browser.
-----------------------------

-----Original Message-----
From: Hynek Mlnarik [mailto:hmlnarik at redhat.com]
Sent: Wednesday, 26 April 2017 23:12
To: Erwin Steffens | Rovecom
CC: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SAML response parsing failed

Please file a JIRA issue with your findings (including full stacktraces).

Thanks

--Hynek

On Wed, Apr 26, 2017 at 10:08 PM, Erwin Steffens | Rovecom wrote:
>
> Ok, we did investigate the issue a little bit more. The initial parsing of the response seems ok. The full xml response is parsed successfully. When we log the input in the 'serialize' method of the 'SAMLDataMarshaller' we see the following XML (see new dropbox link). This piece of XML is invalid because the 'xmlns:ds' is missing. Somewhere the namespace is removed.
>
> https://www.dropbox.com/s/b1bmumdcnvnnlj6/connectis-saml-response.xml?dl=0
>
> Maybe we should post this to the dev mailing list?
>
> ________________________________________
> From: Hynek Mlnarik
> Sent: Wednesday, 26 April 2017 16:48
> To: Erwin Steffens | Rovecom
> CC: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] SAML response parsing failed
>
> Thank you. This seems to be related to woodstox. With standard JDK's XML event implementation (in fact xerces) that file is parsed correctly. Can you try using xerces instead?
>
> --Hynek
>
> On Wed, Apr 26, 2017 at 12:51 PM, Erwin Steffens | Rovecom wrote:
>>
>> Here it is:
>> https://www.dropbox.com/s/gjuems7k6nkjs19/connectis-saml-response-raw.xml?dl=0
>>
>> -----Original Message-----
>> From: Hynek Mlnarik [mailto:hmlnarik at redhat.com]
>> Sent: Wednesday, 26 April 2017 11:48
>> To: Erwin Steffens | Rovecom
>> Subject: Re: [keycloak-user] SAML response parsing failed
>>
>> Could you please store the SAML response to e.g. google drive/dropbox/... and send here a link to it?
>>
>> --Hynek
>>
>> On Wed, Apr 26, 2017 at 11:32 AM, Erwin Steffens | Rovecom wrote:
>>>
>>> We are integrating Keycloak with a SAML identity provider (Dutch government). We seem to receive a valid response from the other party but Keycloak does not seem to be able to parse the SAML response.
>>>
>>> The error we get is:
>>>
>>> 09:08:41,029 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /realms/datahub/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "ds"
>>>
>>> When we run the received XML through a validation tool (https://www.samltool.com/validate_xml.php) it indicates that it is valid.
>>>
>>> Can I somehow attach the XML here?
>>>
>>> Erwin
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>>
>> --Hynek
>
> --
>
> --Hynek

--

--Hynek
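The symptom in the thread above (a fragment that is valid inside the full response but unparseable once `xmlns:ds` is gone) is a general property of XML namespaces: a prefix is bound by the element that declares it and inherited by its descendants, so a subtree written out as text is only well-formed if the declarations that were in scope are re-emitted on its new root. The script below is an added illustration of that, not Keycloak, PicketLink or Woodstox code. The response document is constructed and far smaller than a real SAML response, and the `extract_assertion_*` helpers are hypothetical, written only to put the naive cut beside the corrected one.

```python
import io
import re
import xml.etree.ElementTree as ET

ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Constructed sample, not the response from the thread: xmlns:ds is declared
# on the root <samlp:Response> but only used inside <saml:Assertion>.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

ASSERTION_RE = re.compile(r"<saml:Assertion\b.*?</saml:Assertion>", re.S)


def extract_assertion_naive(doc):
    """Cut the Assertion out of the document as raw text.

    This reproduces what a serializer that ignores namespace scope does:
    'ds' was bound on the ancestor <samlp:Response>, so the fragment uses
    the prefix without declaring it and is not well-formed on its own.
    """
    return ASSERTION_RE.search(doc).group(0)


def namespaces_in_scope(doc, tag):
    """Map prefix -> URI for every xmlns declaration seen before the first
    element with the given Clark-notation tag.

    iterparse emits 'start-ns' for a declaration before the 'start' event of
    the element carrying it, so everything collected up to the target's
    'start' is bound on it or on an ancestor (or on an earlier sibling
    subtree, which is harmless: re-declaring an unused prefix with the same
    URI changes neither the infoset nor the canonical form).
    """
    ns = {}
    events = ET.iterparse(io.BytesIO(doc.encode("utf-8")),
                          events=("start-ns", "start"))
    for event, payload in events:
        if event == "start-ns":
            prefix, uri = payload
            ns[prefix] = uri
        elif payload.tag == tag:
            break
    return ns


def extract_assertion_fixed(doc):
    """Same cut, but re-declare on the fragment's root every in-scope
    namespace the fragment does not declare itself."""
    fragment = extract_assertion_naive(doc)
    # '' stands for the default namespace (xmlns="...") in both places
    declared = set(re.findall(r'xmlns(?::(\w+))?=', fragment))
    missing = {p: u for p, u in namespaces_in_scope(doc, ASSERTION_TAG).items()
               if p not in declared}
    decls = "".join(f' xmlns="{u}"' if p == "" else f' xmlns:{p}="{u}"'
                    for p, u in sorted(missing.items()))
    return fragment.replace("<saml:Assertion", "<saml:Assertion" + decls, 1)


def well_formed(fragment):
    """Parse the fragment stand-alone; return (ok, parser error message)."""
    try:
        ET.fromstring(fragment)
        return True, ""
    except ET.ParseError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, extract in (("naive", extract_assertion_naive),
                           ("fixed", extract_assertion_fixed)):
        ok, err = well_formed(extract(RESPONSE))
        print(f"{label}: {'well-formed' if ok else 'not well-formed: ' + err}")
```

Re-declaring the inherited namespaces on the fragment root is what an XML canonicalizer does anyway (inclusive C14N emits all in-scope declarations on the apex element, exclusive C14N the visibly used ones), so it does not change the bytes the signature was computed over; dropping a declaration, on the other hand, leaves the consumer with an unparseable assertion, which is the failure the thread reports.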
From s.geerts at live.nl Mon May 1 10:31:54 2017
From: s.geerts at live.nl (Sander Geerts)
Date: Mon, 1 May 2017 14:31:54 +0000
Subject: [keycloak-user] (no subject)
Message-ID:

Hello,

Currently we (as a company) are trying to determine if Keycloak can meet our authorization requirements for our products. The authentication part seems obvious and will be enough for what we are trying to do, but we do have some questions about the authorization part.

In our application a user can create a so-called 'Process'. This process goes through a workflow engine, which determines the next status based on some business rules and configured steps.

What we are trying to achieve through Keycloak is the following:
- Is user X (with role R) authorized for action (/resource) Y with scope Write? (This looks like a basic question which Keycloak can answer for sure)
- Is user X (with role R) authorized for action (/resource) Y with scope Write when the given resource (process) is in status A?

In abstract terms we are trying to determine: Is user [X] with role [R] authorized for resource [Y] with scope [S] when the requested resource instance [Y1] has a property [Prop] with value [V]?

We did some research in the Keycloak documentation, and it speaks of CBAC (Context-Based Access Control), but there are no examples or specific documentation to be found.

My summarized question(s):
- Is the given use case above possible with Keycloak?
- If so, how would the status of a process be defined? Is this a resource? Or should/can we use the CBAC engine?
- If we have to implement a custom 'Authorization' provider for this, could you give a short example?

We have the option to possibly buy Keycloak support, but we first want to verify if it is even an option for our use cases.

Kind regards,
Sander
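One way to make the abstract question in the message above concrete, as an added example written for this page and not Keycloak's policy engine or API: a request carries the user's roles, the resource type, the scope, and the attributes of the specific resource instance (here the process status); policies are predicates over that request; a deny-overrides combination makes the status restriction win over the role grant. The `Request`, `Policy`, `evaluate` and `can` names and the sample policies are invented for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Request:
    """One authorization question: who, what, which scope, and the
    attributes of the specific resource instance being touched."""
    user: str
    roles: FrozenSet[str]
    resource_type: str            # e.g. "process"
    scope: str                    # e.g. "write"
    attributes: Dict[str, str] = field(default_factory=dict)   # instance properties


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                   # "permit" or "deny"
    applies: Callable[[Request], bool]


def evaluate(policies: List[Policy], req: Request) -> Tuple[bool, List[str]]:
    """Deny-overrides combination: an applicable deny always wins, otherwise
    an applicable permit grants, otherwise the answer is deny (fail closed).
    Returns the decision and the names of the policies that applied, which
    is what an audit log should record."""
    applied = [p for p in policies if p.applies(req)]
    names = [p.name for p in applied]
    if any(p.effect == "deny" for p in applied):
        return False, names
    return any(p.effect == "permit" for p in applied), names


# Constructed sample policies for the 'Process' use case in the message.
POLICIES = [
    Policy("editors-write-processes", "permit",
           lambda r: r.resource_type == "process" and r.scope == "write"
           and "editor" in r.roles),
    Policy("everyone-reads-processes", "permit",
           lambda r: r.resource_type == "process" and r.scope == "read"),
    # The instance-level rule: status is a property of the resource
    # instance, not of the user or of the resource type.
    Policy("closed-process-is-read-only", "deny",
           lambda r: r.resource_type == "process" and r.scope != "read"
           and r.attributes.get("status") == "CLOSED"),
]


def can(user: str, roles, resource_type: str, scope: str, **attributes) -> bool:
    """'Is user X with roles R allowed scope S on a resource_type instance
    whose properties are attributes?'"""
    req = Request(user, frozenset(roles), resource_type, scope, dict(attributes))
    decision, _ = evaluate(POLICIES, req)
    return decision


if __name__ == "__main__":
    print(can("alice", ["editor"], "process", "write", status="DRAFT"))    # True
    print(can("alice", ["editor"], "process", "write", status="CLOSED"))   # False
    print(can("bob", ["viewer"], "process", "read", status="CLOSED"))      # True
```

Whatever engine performs the evaluation, the instance property has to reach the policy decision point at request time: either it is stored with the registered resource and looked up, or the caller supplies it with the request. Keeping the status-based rule as a separate deny policy, rather than folding it into each role grant, is what lets it apply uniformly to every role, including ones added later.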
From vin14976 at hotmail.com Mon May 1 16:22:29 2017
From: vin14976 at hotmail.com (vin14976)
Date: Mon, 1 May 2017 13:22:29 -0700 (MST)
Subject: [keycloak-user] Cloud hosted keycloak integration with local LDAP/AD
Message-ID: <1493670149550-3748.post@n6.nabble.com>

Hi,

My cloud service is making use of keycloak, which is also hosted on cloud. Now I want to integrate local LDAP so that keycloak can authenticate local users of my customers.

Is it feasible? How?

Vinay

From jdennis at redhat.com Mon May 1 18:24:52 2017
From: jdennis at redhat.com (John Dennis)
Date: Mon, 1 May 2017 18:24:52 -0400
Subject: [keycloak-user] Cloud hosted keycloak integration with local LDAP/AD
In-Reply-To: <1493670149550-3748.post@n6.nabble.com>
References: <1493670149550-3748.post@n6.nabble.com>
Message-ID: <9014d3af-624a-b3a0-f15e-22d2e5e27ee5@redhat.com>

On 05/01/2017 04:22 PM, vin14976 wrote:
> Hi,
> My cloud service is making use of keycloak, which is also hosted on cloud.
> Now I want to integrate local LDAP so that keycloak can authenticate local
> users of my customers.
> Is it feasible? How?

Yes. In the left hand menu select "User Federation" and configure an LDAP provider. See:

https://keycloak.gitbooks.io/documentation/server_admin/topics/user-federation.html

--
John

From marc.tempelmeier at flane.de Tue May 2 03:06:16 2017
From: marc.tempelmeier at flane.de (Marc Tempelmeier)
Date: Tue, 2 May 2017 07:06:16 +0000
Subject: [keycloak-user] Keycloak in Docker Swarm
Message-ID: <80a2374c081b45e995a657cf3e5a056c@dehamex2013.europe.flane.local>

Hi,

we could spawn multiple Slave Containers with the same slave name in domain clustered mode or use multiple slaves with different names. What is the preferred way?

BR
Marc Tempelmeier

From ulrik.lejon at mollyware.se Tue May 2 06:14:50 2017
From: ulrik.lejon at mollyware.se (Ulrik Lejon)
Date: Tue, 02 May 2017 10:14:50 +0000
Subject: [keycloak-user] Package custom REST endpoint in EAR/WAR
Message-ID:

According to the documentation it should be possible to drop an ear/war file in the keycloak standalone/deployment folder.

I created my own rest endpoint in this repo to try this out. However, when I deploy it I get the below errors. What am I doing wrong? Has anyone successfully packaged custom keycloak code in an ear or war?

20:23:09,192 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "custom-ear.ear" (runtime-name: "custom-ear.ear")
20:23:10,344 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry provider-1.0-SNAPSHOT.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-core-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-common-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/bcprov-jdk15on-1.52.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/bcpkix-jdk15on-1.52.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-core-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-databind-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-services-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/javax.mail-api-1.5.5.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-servlet-api_3.0_spec-1.0.2.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/twitter4j-core-4.0.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-jaxrs-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-annotations-api_1.2_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/activation-1.1.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,350 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-io-2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,351 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jcip-annotations-1.0.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-transaction-api_1.2_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-multipart-provider-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-client-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-jaxb-provider-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-impl-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-core-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-api-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/istack-commons-runtime-2.16.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/FastInfoset-1.2.12.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jsr173_api-1.0.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/mail-1.5.0-b01.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/apache-mime4j-0.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-annotations-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/javase-3.2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/core-3.2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jcommander-1.48.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-server-spi-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-server-spi-private-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-logging-3.3.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/httpclient-4.3.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/httpcore-4.3.3.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-logging-1.1.3.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-codec-1.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference.
20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-core.jar in /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference.
20:23:10,437 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in /content/custom-ear.ear/lib/jaxb-core-2.2.7.jar does not point to a valid jar for a Class-Path reference.
20:23:10,439 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0207: Starting subdeployment (runtime-name: "provider-1.0-SNAPSHOT.jar")
20:23:10,619 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-6) Deploying Keycloak provider: {0}
20:23:10,625 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.util.ServiceConfigurationError: org.keycloak.email.EmailSenderProviderFactory: Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype
    at java.util.ServiceLoader.fail(ServiceLoader.java:239)
    at java.util.ServiceLoader.access$300(ServiceLoader.java:185)
    at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:376)
    at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
    at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
    at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
    at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
    at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206)
    at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112)
    at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
    at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
    ... 5 more

20:23:10,635 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "custom-ear.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment \"provider-1.0-SNAPSHOT.jar\" of deployment \"custom-ear.ear\" Caused by: java.util.ServiceConfigurationError: org.keycloak.email.EmailSenderProviderFactory: Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype"}}
20:23:10,698 ERROR [stderr] (DeploymentScanner-threads - 1) java.io.IOException: Mount point not found
20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileStore.findMountEntry(LinuxFileStore.java:91)
20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.UnixFileStore.<init>(UnixFileStore.java:65)
20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileStore.<init>(LinuxFileStore.java:44)
20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:51)
20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:39)
20:23:10,701 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.UnixFileSystemProvider.getFileStore(UnixFileSystemProvider.java:368)
20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.nio.file.Files.getFileStore(Files.java:1461)
20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.getPosixAttributes(FilePersistenceUtils.java:129)
20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.createTempFileWithAttributes(FilePersistenceUtils.java:117)
20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.writeToTempFile(FilePersistenceUtils.java:104)
20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.ConfigurationFilePersistenceResource.doCommit(ConfigurationFilePersistenceResource.java:55)
20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.AbstractFilePersistenceResource.commit(AbstractFilePersistenceResource.java:58)
20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$4.commit(ModelControllerImpl.java:781)
20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.executeDoneStage(AbstractOperationContext.java:743)
20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:680)
20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
20:23:10,706 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:748)
20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:742)
20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.security.AccessController.doPrivileged(Native Method)
20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1.run(ModelControllerImpl.java:742)
20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.lang.Thread.run(Thread.java:745)
20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
20:23:10,713 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "custom-ear.ear" (runtime-name : "custom-ear.ear")
20:23:10,714 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 1) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start: service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"

From mposolda at redhat.com Tue May 2 06:34:21 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 2 May 2017 12:34:21 +0200
Subject: [keycloak-user] OAuth2 token introspection requires an active session?
In-Reply-To: <566ee764-8613-5e76-3671-2c9425a4698b@akvo.org>
References: <566ee764-8613-5e76-3671-2c9425a4698b@akvo.org>
Message-ID: <79517d41-2b80-66ab-8f36-b53ececd4533@redhat.com>

This looks like a bug. Could you please create a JIRA with the info you mentioned here? Please also link your new JIRA with https://issues.jboss.org/browse/KEYCLOAK-4521, which is a quite similar issue.

Marek

On 28/04/17 09:51, Iván Perdomo wrote:
> Hi all,
>
> We're trying to use offline access [1] to retrieve access_tokens on behalf of the user and access a protected resource in a long running process.
>
> This protected resource checks the validity of the access_token using the OAuth2 token introspection.
>
> In our tests we found that the introspection flag "active" true|false depends on having an active session in the server. Which seems to defeat the purpose of the offline access capabilities.
>
> I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior is the same.
>
> * Get an offline token via direct grants
> * Get an access_token using the offline_token
> * We have an active session
> * Use the token introspection for the access_token and get the expected result: active=true
> * Wait for SSO Idle timeout (so the session expires)
> * Get a new access_token using the "stored" offline_token
> * Use the token introspection with the new access_token. Keycloak returns active=false because we don't have a session. But the access_token is valid, and not expired.
>
> The following code repository has an isolated test case of this scenario:
>
> https://github.com/iperdomo/keycloak-oauth2-instrospection
>
> The described steps are in this script:
>
> https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh
>
> I tried to look for logged issues regarding token introspection and didn't find anything related to this problem.
>
> Is this a bug or an expected behavior?
>
> [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html
>
> Thanks for your support.
>

From mposolda at redhat.com Tue May 2 06:50:55 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 2 May 2017 12:50:55 +0200
Subject: [keycloak-user] Package custom REST endpoint in EAR/WAR
In-Reply-To:
References:
Message-ID: <6a909237-87ba-9c29-7699-b3dd3a8d6a41@redhat.com>

It seems that you have all the keycloak jars (eg. keycloak-services-2.5.4.Final.jar) in the "lib" directory of your EAR. This is not the correct packaging. The keycloak dependencies shouldn't be inside your EAR. You need to use "provided" for dependencies in your maven module, so it will package the lib correctly. Maybe you also need jboss-deployment-structure.xml with the references to the used keycloak modules, but not 100% sure. The best is to check our docs and examples for the reference.

Marek

On 02/05/17 12:14, Ulrik Lejon wrote:
> According to the documentation it should be possible to drop an ear/war file in the keycloak standalone/deployment folder.
>
> I created my own rest endpoint in this repo to try this out. However, when I deploy it I get the below errors. What am I doing wrong? Has anyone successfully packaged custom keycloak code in an ear or war?
>
> 20:23:09,192 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "custom-ear.ear" (runtime-name: "custom-ear.ear")
> 20:23:10,344 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry provider-1.0-SNAPSHOT.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-core-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-common-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/bcprov-jdk15on-1.52.jar > in /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/bcpkix-jdk15on-1.52.jar > in /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-core-2.5.4.jar > in /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/jackson-databind-2.5.4.jar in /content/custom-ear.ear does not > point to a valid jar for a Class-Path reference. > 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/keycloak-services-2.5.4.Final.jar in /content/custom-ear.ear does > not point to a valid jar for a Class-Path reference. > 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/javax.mail-api-1.5.5.jar > in /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/jboss-servlet-api_3.0_spec-1.0.2.Final.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/twitter4j-core-4.0.4.jar > in /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. 
> 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/resteasy-jaxrs-3.0.14.Final.jar in /content/custom-ear.ear does > not point to a valid jar for a Class-Path reference. > 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/jboss-annotations-api_1.2_spec-1.0.0.Final.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/activation-1.1.1.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,350 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/commons-io-2.1.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,351 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/jcip-annotations-1.0.jar > in /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/jboss-transaction-api_1.2_spec-1.0.0.Final.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/resteasy-multipart-provider-3.0.14.Final.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/resteasy-client-3.0.14.Final.jar in /content/custom-ear.ear does > not point to a valid jar for a Class-Path reference. 
> 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/resteasy-jaxb-provider-3.0.14.Final.jar in /content/custom-ear.ear > does not point to a valid jar for a Class-Path reference. > 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-impl-2.2.7.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-core-2.2.7.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-api-2.2.7.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/istack-commons-runtime-2.16.jar in /content/custom-ear.ear does > not point to a valid jar for a Class-Path reference. > 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/FastInfoset-1.2.12.jar > in /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/jsr173_api-1.0.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/mail-1.5.0-b01.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. 
> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/apache-mime4j-0.6.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/jackson-annotations-2.5.4.jar in /content/custom-ear.ear does not > point to a valid jar for a Class-Path reference. > 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/javase-3.2.1.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/core-3.2.1.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/jcommander-1.48.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/keycloak-server-spi-2.5.4.Final.jar in /content/custom-ear.ear > does not point to a valid jar for a Class-Path reference. > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/keycloak-server-spi-private-2.5.4.Final.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/jboss-logging-3.3.0.Final.jar in /content/custom-ear.ear does not > point to a valid jar for a Class-Path reference. 
> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/httpclient-4.3.6.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/httpcore-4.3.3.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry > lib/commons-logging-1.1.3.jar in /content/custom-ear.ear does not > point to a valid jar for a Class-Path reference. > 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry lib/commons-codec-1.6.jar in > /content/custom-ear.ear does not point to a valid jar for a > Class-Path reference. > 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in > /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a > valid jar for a Class-Path reference. > 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry jaxb-core.jar in > /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a > valid jar for a Class-Path reference. > 20:23:10,437 WARN [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in > /content/custom-ear.ear/lib/jaxb-core-2.2.7.jar does not point to a > valid jar for a Class-Path reference. 
> 20:23:10,439 INFO [org.jboss.as.server.deployment] (MSC service > thread 1-2) WFLYSRV0207: Starting subdeployment (runtime-name: > "provider-1.0-SNAPSHOT.jar") > 20:23:10,619 INFO > [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] > (MSC service thread 1-6) Deploying Keycloak provider: {0} > 20:23:10,625 ERROR [org.jboss.msc.service.fail] (MSC service thread > 1-6) MSC000001: Failed to start service > jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: > org.jboss.msc.service.StartException in service > jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: > WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment > "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear" > at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: java.util.ServiceConfigurationError: > org.keycloak.email.EmailSenderProviderFactory: Provider > org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype > at java.util.ServiceLoader.fail(ServiceLoader.java:239) > at java.util.ServiceLoader.access$300(ServiceLoader.java:185) > at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:376) > at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) > at java.util.ServiceLoader$1.next(ServiceLoader.java:480) > at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47) > at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93) > at 
org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206) > at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112) > at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42) > at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54) > at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) > ... 5 more > > 20:23:10,635 ERROR [org.jboss.as.controller.management-operation] > (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") > failed - address: ([("deployment" => "custom-ear.ear")]) - failure > description: {"WFLYCTL0080: Failed services" => > {"jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE" > => "org.jboss.msc.service.StartException in service > jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE: > WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment > \"provider-1.0-SNAPSHOT.jar\" of deployment \"custom-ear.ear\" > Caused by: java.util.ServiceConfigurationError: > org.keycloak.email.EmailSenderProviderFactory: Provider > org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype"}} > 20:23:10,698 ERROR [stderr] (DeploymentScanner-threads - 1) > java.io.IOException: Mount point not found > 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at > sun.nio.fs.LinuxFileStore.findMountEntry(LinuxFileStore.java:91) > 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at > sun.nio.fs.UnixFileStore.(UnixFileStore.java:65) > 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at > sun.nio.fs.LinuxFileStore.(LinuxFileStore.java:44) > 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1) at > sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:51) > 20:23:10,700 ERROR 
[stderr] (DeploymentScanner-threads - 1) at > sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:39) > 20:23:10,701 ERROR [stderr] (DeploymentScanner-threads - 1) at > sun.nio.fs.UnixFileSystemProvider.getFileStore(UnixFileSystemProvider.java:368) > 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at > java.nio.file.Files.getFileStore(Files.java:1461) > 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.persistence.FilePersistenceUtils.getPosixAttributes(FilePersistenceUtils.java:129) > 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.persistence.FilePersistenceUtils.createTempFileWithAttributes(FilePersistenceUtils.java:117) > 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.persistence.FilePersistenceUtils.writeToTempFile(FilePersistenceUtils.java:104) > 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.persistence.ConfigurationFilePersistenceResource.doCommit(ConfigurationFilePersistenceResource.java:55) > 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.persistence.AbstractFilePersistenceResource.commit(AbstractFilePersistenceResource.java:58) > 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.ModelControllerImpl$4.commit(ModelControllerImpl.java:781) > 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.AbstractOperationContext.executeDoneStage(AbstractOperationContext.java:743) > 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:680) > 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370) > 20:23:10,705 ERROR [stderr] 
(DeploymentScanner-threads - 1) at > org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344) > 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392) > 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217) > 20:23:10,706 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:748) > 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:742) > 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at > java.security.AccessController.doPrivileged(Native Method) > 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.as.controller.ModelControllerImpl$3$1.run(ModelControllerImpl.java:742) > 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1) at > java.util.concurrent.FutureTask.run(FutureTask.java:266) > 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1) at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1) at 
> java.lang.Thread.run(Thread.java:745) > 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1) at > org.jboss.threads.JBossThread.run(JBossThread.java:320) > 20:23:10,713 INFO [org.jboss.as.server] (DeploymentScanner-threads - > 1) WFLYSRV0010: Deployed "custom-ear.ear" (runtime-name : > "custom-ear.ear") > 20:23:10,714 INFO [org.jboss.as.controller] > (DeploymentScanner-threads - 1) WFLYCTL0183: Service status report > WFLYCTL0186: Services which failed to start: service > jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: > org.jboss.msc.service.StartException in service > jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: > WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment > "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear" > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Tue May 2 07:12:01 2017 
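Worked packaging example for the thread above (an editor's addition; this is not code from Marek, Ulrik or the Keycloak project). The ServiceConfigurationError "Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype" is the classic symptom of one interface being loaded twice: once from the server's own Keycloak modules and once from the keycloak-server-spi jar bundled in custom-ear.ear/lib, so the two Class objects never match. The fix is to compile against the Keycloak artifacts with Maven scope provided (Maven then also treats their transitive jars, the resteasy, jackson and bcprov ones in the log, as provided, so none of them land inside the archive) and to declare the server modules as dependencies in META-INF/jboss-deployment-structure.xml. Assumptions: the provider is the provider-1.0-SNAPSHOT.jar subdeployment of custom-ear.ear as in the log, the versions are the 2.5.4.Final ones from the log, and the module names follow the org.keycloak.keycloak-* naming of the Keycloak layer under modules/system/layers/keycloak; check both against your own build and distribution.

```xml
<!-- File 1: pom.xml of the provider module (provider-1.0-SNAPSHOT.jar).
     Everything the Keycloak server already ships is 'provided': compiled
     against, never copied into the EAR/WAR. Versions taken from the log. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- groupId/artifactId/version of your own module go here -->
  <properties>
    <keycloak.version>2.5.4.Final</keycloak.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-core</artifactId>
      <version>${keycloak.version}</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-server-spi</artifactId>
      <version>${keycloak.version}</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-server-spi-private</artifactId>
      <version>${keycloak.version}</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-services</artifactId>
      <version>${keycloak.version}</version>
      <scope>provided</scope>
    </dependency>
    <!-- JAX-RS API for the REST endpoint: also supplied by the server -->
    <dependency>
      <groupId>org.jboss.spec.javax.ws.rs</groupId>
      <artifactId>jboss-jaxrs-api_2.0_spec</artifactId>
      <version>1.0.0.Final</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>

<!-- File 2: META-INF/jboss-deployment-structure.xml at the top level of
     custom-ear.ear. Module names are an assumption (Keycloak layer naming);
     verify them under modules/system/layers/keycloak/org/keycloak. The
     dependencies are attached to the subdeployment that holds the provider,
     because WildFly does not hand the EAR's own module dependencies down
     to its subdeployments. -->
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
  <sub-deployment name="provider-1.0-SNAPSHOT.jar">
    <dependencies>
      <module name="org.keycloak.keycloak-core"/>
      <module name="org.keycloak.keycloak-server-spi"/>
      <module name="org.keycloak.keycloak-server-spi-private"/>
      <module name="org.keycloak.keycloak-services"/>
    </dependencies>
  </sub-deployment>
</jboss-deployment-structure>
```

Check the result before dropping it into standalone/deployments: listing the archive (for instance with unzip -l custom-ear.ear) must show no keycloak-*.jar, resteasy, jackson or bcprov jars under lib/, and with them gone the WFLYSRV0059 Class-Path warnings and the "not a subtype" error disappear together. If you package a flat WAR instead of an EAR, the same provided scopes apply and the jboss-deployment-structure.xml goes into the WAR's own META-INF with a plain <deployment> element in place of <sub-deployment>.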
From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 2 May 2017 08:12:01 -0300 Subject: [keycloak-user] (no subject) In-Reply-To: References: Message-ID: On Mon, May 1, 2017 at 11:31 AM, Sander Geerts wrote: > Hello, > > > Currently we (as a company) are trying to determine if Keycloak can meet > our requirements of authorization for our products. The authentication part > seems obvious and will be enough for what we are trying to do, but we do > have some questions about the authorization part. > > > In our application a user can create a so-called 'Process'. This process > goes through a workflow-engine, which determines the next status based on > some business rules and configured steps. What we are trying to achieve > through Keycloak is the following: > > - Is user X (with role R) authorized for action (/resource) Y with scope > Write? (This looks like a basic question which Keycloak can answer for sure) > > - Is user X (with role R) authorized for action (/resource) Y with scope > Write when the given resource (process) is in status A? > > > In abstract terms we are trying to determine: > > Is user [X] with role [R] authorized for resource [Y] with scope [S] when > the requested resource instance [Y1] has a property [Prop] with value [V]? > There is one thing that I think you need and we don't support: Resource attributes. There is no easy way to use a custom resource attribute in your policy but only those that are part of the model (type, uri, name, etc.). I remember someone with a similar requirement, and I think we should consider adding support for custom resource attributes soon. Another thing we are considering in our roadmap is the possibility to push additional claims when making an authorization request. That is going to allow you to push whatever claim you want to the server and have those claims available to your policies. 
Currently, the claims you can get from your policies are basically those available from the access token plus some others the engine adds to the context (such as client address, realm, client id, user agent, etc.). > > > We did some research in the Keycloak documentation, and CBAC (Context-Based Access Control) is mentioned there, > but there are no examples or specific > documentation to be found. > > > My summarized question(s): > > - Is the given use-case above possible with Keycloak? > > - If so, how would the status of a process be defined? Is this a resource? > Or should/can we use the CBAC engine? > - If we have to implement a custom 'Authorization' provider for this, > could you give a short example? > You could have your own authorization provider for this; from there you could access the repository with your process data. We don't have any specific example for that, but you can take a look at how we implement the different providers we support OOTB. The reason why we don't have any doc or examples for this is that the SPI is an area that we need to review before making it public. > > > We have the option to possibly buy Keycloak support, but we first want to > verify if it is even an option for our use-cases. > > > Kind regards, > > > Sander > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ivan at akvo.org Tue May 2 07:33:20 2017 
From: ivan at akvo.org (Iván Perdomo) Date: Tue, 2 May 2017 13:33:20 +0200 Subject: [keycloak-user] OAuth2 token introspection requires an active session? In-Reply-To: <79517d41-2b80-66ab-8f36-b53ececd4533@redhat.com> References: <566ee764-8613-5e76-3671-2c9425a4698b@akvo.org> <79517d41-2b80-66ab-8f36-b53ececd4533@redhat.com> Message-ID: <93104a49-eda5-c827-d4bb-b950b4c600fe@akvo.org> Hi Marek, I created the issue and linked it to the one you mentioned (not completely sure if the link is correct). https://issues.jboss.org/browse/KEYCLOAK-4829 Thanks, On 05/02/2017 12:34 PM, Marek Posolda wrote: > This looks like a bug. Could you please create a JIRA with the info you > mentioned here? Please also link your new JIRA with > https://issues.jboss.org/browse/KEYCLOAK-4521, which is a quite similar > issue. > > Marek > > On 28/04/17 09:51, Iván Perdomo wrote: >> Hi all, >> >> We're trying to use offline access [1] to retrieve access_tokens on >> behalf of the user and access a protected resource in a long-running >> process. >> >> This protected resource checks the validity of the access_token using >> the OAuth2 token introspection. >> >> In our tests we found that the introspection flag "active" true|false >> depends on having an active session in the server, which seems to defeat >> the purpose of the offline access capabilities. >> >> I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior >> is the same. >> >> * Get an offline token via direct grants >> * Get an access_token using the offline_token >> * We have an active session >> * Use the token introspection for the access_token and get the expected >> result: active=true >> * Wait for SSO Idle timeout (so the session expires) >> * Get a new access_token using the "stored" offline_token >> * Use the token introspection with the new access_token. Keycloak >> returns active=false because we don't have a session. But the >> access_token is valid, and not expired. 
>> >> The following code repository has an isolated test case of this scenario: >> >> https://github.com/iperdomo/keycloak-oauth2-instrospection >> >> The described steps are in this script: >> >> https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh >> >> >> I tried to look for logged issues regarding token introspection and >> didn't find anything related to this problem. >> >> Is this a bug or an expected behavior? >> >> [1] >> https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html >> >> >> Thanks for your support. >> > -- Iván From ulrik.lejon at mollyware.se Tue May 2 07:44:26 2017 
From: ulrik.lejon at mollyware.se (Ulrik Lejon) Date: Tue, 02 May 2017 11:44:26 +0000 Subject: [keycloak-user] Package custom REST endpoint in EAR/WAR In-Reply-To: <6a909237-87ba-9c29-7699-b3dd3a8d6a41@redhat.com> References: <6a909237-87ba-9c29-7699-b3dd3a8d6a41@redhat.com> Message-ID: I thought that an EAR should be self-contained and thus have all of its dependencies packaged? Anyway, could you point me to an example where you create an EAR (or war)? I couldn't find one, and nothing in the docs either. // Ulrik On Tue, 2 May 2017 at 12:51, Marek Posolda wrote: > It seems that you have all the keycloak jars (e.g. > keycloak-services-2.5.4.Final.jar ) in the "lib" directory of your EAR. > This is not the correct packaging. The keycloak dependencies shouldn't > be inside your EAR. > > You need to use "provided" for dependencies in your maven > module, so it will package the lib correctly. Maybe you also need > jboss-deployment-structure.xml with the references to used keycloak > modules, but not 100% sure. The best is to check our docs and examples > for the reference. > > Marek > > On 02/05/17 12:14, Ulrik Lejon wrote: > > According to the documentation it should be possible to drop an ear/war > > file in the keycloak standalone/deployment folder. > > > > I created my own rest endpoint in this repo > > to try > this > > out. However, when I deploy it I get the below errors. What am I doing > > wrong? Has anyone successfully packaged custom keycloak code in an ear or > > war? > > > > 20:23:09,192 INFO [org.jboss.as.server.deployment] (MSC service > > thread 1-4) WFLYSRV0027: Starting deployment of "custom-ear.ear" > > (runtime-name: "custom-ear.ear") > > 20:23:10,344 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry provider-1.0-SNAPSHOT.jar in > > /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. 
> > 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry > > lib/keycloak-core-2.5.4.Final.jar in /content/custom-ear.ear does not > > point to a valid jar for a Class-Path reference. > > 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry > > lib/keycloak-common-2.5.4.Final.jar in /content/custom-ear.ear does > > not point to a valid jar for a Class-Path reference. > > 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry lib/bcprov-jdk15on-1.52.jar > > in /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. > > 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry lib/bcpkix-jdk15on-1.52.jar > > in /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. > > 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-core-2.5.4.jar > > in /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. > > 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry > > lib/jackson-databind-2.5.4.jar in /content/custom-ear.ear does not > > point to a valid jar for a Class-Path reference. > > 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry > > lib/keycloak-services-2.5.4.Final.jar in /content/custom-ear.ear does > > not point to a valid jar for a Class-Path reference. > > 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry lib/javax.mail-api-1.5.5.jar > > in /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. 
> > 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry > > lib/jboss-servlet-api_3.0_spec-1.0.2.Final.jar in > > /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. > > 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry lib/twitter4j-core-4.0.4.jar > > in /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. > > 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry > > lib/resteasy-jaxrs-3.0.14.Final.jar in /content/custom-ear.ear does > > not point to a valid jar for a Class-Path reference. > > 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry > > lib/jboss-annotations-api_1.2_spec-1.0.0.Final.jar in > > /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. > > 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry lib/activation-1.1.1.jar in > > /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. > > 20:23:10,350 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry lib/commons-io-2.1.jar in > > /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. > > 20:23:10,351 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry lib/jcip-annotations-1.0.jar > > in /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. > > 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service > > thread 1-2) WFLYSRV0059: Class Path entry > > lib/jboss-transaction-api_1.2_spec-1.0.0.Final.jar in > > /content/custom-ear.ear does not point to a valid jar for a > > Class-Path reference. 
> > 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-multipart-provider-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-client-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-jaxb-provider-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-impl-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-core-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-api-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/istack-commons-runtime-2.16.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/FastInfoset-1.2.12.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jsr173_api-1.0.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/mail-1.5.0-b01.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/apache-mime4j-0.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-annotations-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/javase-3.2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/core-3.2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jcommander-1.48.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-server-spi-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-server-spi-private-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-logging-3.3.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/httpclient-4.3.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/httpcore-4.3.3.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-logging-1.1.3.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-codec-1.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
> > 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference.
> > 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-core.jar in /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference.
> > 20:23:10,437 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in /content/custom-ear.ear/lib/jaxb-core-2.2.7.jar does not point to a valid jar for a Class-Path reference.
> > 20:23:10,439 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0207: Starting subdeployment (runtime-name: "provider-1.0-SNAPSHOT.jar")
> > 20:23:10,619 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-6) Deploying Keycloak provider: {0}
> > 20:23:10,625 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"
> >     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154)
> >     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
> >     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >     at java.lang.Thread.run(Thread.java:745)
> > Caused by: java.util.ServiceConfigurationError: org.keycloak.email.EmailSenderProviderFactory: Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype
> >     at java.util.ServiceLoader.fail(ServiceLoader.java:239)
> >     at java.util.ServiceLoader.access$300(ServiceLoader.java:185)
> >     at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:376)
> >     at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
> >     at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
> >     at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
> >     at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
> >     at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206)
> >     at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112)
> >     at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
> >     at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
> >     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
> >     ... 5 more
> >
> > 20:23:10,635 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "custom-ear.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment \"provider-1.0-SNAPSHOT.jar\" of deployment \"custom-ear.ear\"
> >     Caused by: java.util.ServiceConfigurationError: org.keycloak.email.EmailSenderProviderFactory: Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype"}}
> > 20:23:10,698 ERROR [stderr] (DeploymentScanner-threads - 1) java.io.IOException: Mount point not found
> > 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileStore.findMountEntry(LinuxFileStore.java:91)
> > 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.UnixFileStore.<init>(UnixFileStore.java:65)
> > 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileStore.<init>(LinuxFileStore.java:44)
> > 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:51)
> > 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:39)
> > 20:23:10,701 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.UnixFileSystemProvider.getFileStore(UnixFileSystemProvider.java:368)
> > 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.nio.file.Files.getFileStore(Files.java:1461)
> > 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.getPosixAttributes(FilePersistenceUtils.java:129)
> > 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.createTempFileWithAttributes(FilePersistenceUtils.java:117)
> > 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.writeToTempFile(FilePersistenceUtils.java:104)
> > 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.ConfigurationFilePersistenceResource.doCommit(ConfigurationFilePersistenceResource.java:55)
> > 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.AbstractFilePersistenceResource.commit(AbstractFilePersistenceResource.java:58)
> > 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$4.commit(ModelControllerImpl.java:781)
> > 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.executeDoneStage(AbstractOperationContext.java:743)
> > 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:680)
> > 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
> > 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
> > 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
> > 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
> > 20:23:10,706 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:748)
> > 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:742)
> > 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.security.AccessController.doPrivileged(Native Method)
> > 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1.run(ModelControllerImpl.java:742)
> > 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> > 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> > 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> > 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> > 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.lang.Thread.run(Thread.java:745)
> > 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> > 20:23:10,713 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "custom-ear.ear" (runtime-name : "custom-ear.ear")
> > 20:23:10,714 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 1) WFLYCTL0183: Service status report
> > WFLYCTL0186: Services which failed to start: service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>

From guus.der.kinderen at gmail.com Tue May 2 07:54:40 2017
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Tue, 2 May 2017 13:54:40 +0200
Subject: [keycloak-user] How to store and search for (standardized?) user attributes?
Message-ID:

Hi!

We'd like to be able to store somewhat standard user attributes that complete the email, first and last name values that Keycloak 'natively' stores. Think of things like a date of birth, home/work address, phone number, etc. Additionally, we'd like to be able to find users based on a search query. We'd like to be able to answer questions like: "how many users live in London?"

So far, we've found the user attributes, where we could store this information. That is a very generic solution though. Are there standardized attribute names, profiles, that we can use?

A further challenge is that we'd like to be able to query the user base, based on attributes. We'd like to find people by address, by date of birth, etc. The REST API does have search functionality, but it doesn't look like you can find users by attribute value.

Can anyone recommend a course of action here?

Regards,

Guus

From mposolda at redhat.com Tue May 2 08:23:45 2017
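An added example, written for this page and not taken from the thread or from Keycloak, and it belongs to the deployment log quoted above the user-attributes question (the WFLYSRV0059 Class-Path warnings and the "Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype" error), not to the question itself. That EAR carries its own copies of keycloak-server-spi and keycloak-services under lib/, so java.util.ServiceLoader discovers Keycloak's own META-INF/services registrations through the deployment's classloader, and the factory classes it then loads implement the bundled EmailSenderProviderFactory interface rather than the one in the server's module; a class that implements a different copy of the interface is exactly what ServiceLoader reports as "not a subtype". The script below audits an EAR for that layout before it is dropped into standalone/deployments. Assumptions: the EARs it inspects are built in memory with zipfile as constructed fixtures, SERVER_PROVIDED_PREFIXES is my own non-exhaustive list taken from the jar names in the log, and the .class payloads are four placeholder bytes. On a real file, pass its bytes to audit_ear.

```python
import io
import re
import zipfile
from typing import Dict, List

# Artifacts the server already provides as JBoss modules. Bundling another copy under
# lib/ of the EAR gives the deployment its own SPI interfaces and Keycloak's own
# META-INF/services registrations, which is how "Provider ... not a subtype" arises.
# Constructed from the jar names in the quoted log; not an exhaustive list.
SERVER_PROVIDED_PREFIXES = (
    "keycloak-", "resteasy-", "jboss-", "jackson-", "bcprov-", "bcpkix-",
    "httpclient-", "httpcore-", "commons-logging-", "commons-codec-", "jaxb-",
)
JAR_IN_LIB = re.compile(r"^lib/([^/]+\.jar)$")
KEYCLOAK_SERVICES_FILE = re.compile(r"^META-INF/services/(org\.keycloak\..+)$")


def parse_manifest_class_path(manifest: str) -> List[str]:
    """Unfold a JAR manifest (continuation lines start with one space) and split Class-Path."""
    unfolded = manifest.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.split("\n"):
        if line.startswith("Class-Path:"):
            return line[len("Class-Path:"):].split()
    return []


def audit_ear(ear_bytes: bytes) -> Dict[str, List[str]]:
    """Report the three things in an EAR that reproduce the deployment log above.

    bundled_server_jars        lib/ jars duplicating server-provided modules
    foreign_keycloak_providers META-INF/services/org.keycloak.* files inside those jars,
                               i.e. Keycloak's own providers that ServiceLoader would now
                               load through the deployment's classloader
    manifest_class_path        EAR manifest Class-Path entries (the WFLYSRV0059 warnings)
    """
    report: Dict[str, List[str]] = {"bundled_server_jars": [], "foreign_keycloak_providers": [],
                                    "manifest_class_path": []}
    with zipfile.ZipFile(io.BytesI(ear_bytes) if False else io.BytesIO(ear_bytes)) as ear:
        for name in ear.namelist():
            match = JAR_IN_LIB.match(name)
            if not match:
                continue
            jar_name = match.group(1)
            if jar_name.startswith(SERVER_PROVIDED_PREFIXES):
                report["bundled_server_jars"].append(jar_name)
            # Look inside the nested jar for Keycloak service registrations.
            with zipfile.ZipFile(io.BytesIO(ear.read(name))) as inner:
                for entry in inner.namelist():
                    svc = KEYCLOAK_SERVICES_FILE.match(entry)
                    if svc:
                        report["foreign_keycloak_providers"].append(f"{jar_name}!{svc.group(1)}")
        if "META-INF/MANIFEST.MF" in ear.namelist():
            manifest = ear.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            report["manifest_class_path"] = parse_manifest_class_path(manifest)
    return report


def _jar(entries: Dict[str, bytes]) -> bytes:
    """Build a jar/EAR in memory from path -> content (constructed fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# The custom provider itself: its own registration is legitimate and must not be flagged.
PROVIDER_JAR = _jar({
    "META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory":
        b"com.example.MyResourceProviderFactory\n",
})


def build_bad_ear() -> bytes:
    """Layout from the log: keycloak-server-spi and keycloak-services bundled under lib/."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "Class-Path: provider-1.0-SNAPSHOT.jar lib/keycloak-server-spi-2.5.4.Final.jar \r\n"
                " lib/keycloak-services-2.5.4.Final.jar\r\n\r\n")
    return _jar({
        "META-INF/MANIFEST.MF": manifest.encode(),
        "provider-1.0-SNAPSHOT.jar": PROVIDER_JAR,
        "lib/keycloak-server-spi-2.5.4.Final.jar":
            _jar({"org/keycloak/email/EmailSenderProviderFactory.class": b"\xca\xfe\xba\xbe"}),
        "lib/keycloak-services-2.5.4.Final.jar": _jar({
            "META-INF/services/org.keycloak.email.EmailSenderProviderFactory":
                b"org.keycloak.email.DefaultEmailSenderProviderFactory\n"}),
        "lib/commons-io-2.1.jar": _jar({"org/apache/commons/io/IOUtils.class": b"\xca\xfe\xba\xbe"}),
    })


def build_good_ear() -> bytes:
    """Same provider with server dependencies left at 'provided' scope, so lib/ is empty."""
    return _jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
                 "provider-1.0-SNAPSHOT.jar": PROVIDER_JAR})


if __name__ == "__main__":
    for label, ear in (("bad", build_bad_ear()), ("good", build_good_ear())):
        print(label, audit_ear(ear))
```

Anything listed under bundled_server_jars is a dependency that belongs at provided scope in the Maven module, as Marek says further down the thread; foreign_keycloak_providers is the concrete path that produced the ServiceConfigurationError.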
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 2 May 2017 14:23:45 +0200
Subject: [keycloak-user] OAuth2 token introspection requires an active session?
In-Reply-To: <93104a49-eda5-c827-d4bb-b950b4c600fe@akvo.org>
References: <566ee764-8613-5e76-3671-2c9425a4698b@akvo.org> <79517d41-2b80-66ab-8f36-b53ececd4533@redhat.com> <93104a49-eda5-c827-d4bb-b950b4c600fe@akvo.org>
Message-ID: <0f703733-0813-3862-743d-6a816e613efc@redhat.com>

Yes. I've just changed the link kind from "Caused by" to "related to". Thanks!

Marek

On 02/05/17 13:33, Iván Perdomo wrote:
> Hi Marek,
>
> I created the issue and linked it to the one you mentioned (not completely
> sure if the link is correct).
>
> https://issues.jboss.org/browse/KEYCLOAK-4829
>
> Thanks,
>
> On 05/02/2017 12:34 PM, Marek Posolda wrote:
>> This looks like a bug. Could you please create a JIRA with the info you
>> mentioned here? Please also link your new JIRA with
>> https://issues.jboss.org/browse/KEYCLOAK-4521, which is a quite similar
>> issue.
>>
>> Marek
>>
>> On 28/04/17 09:51, Iván Perdomo wrote:
>>> Hi all,
>>>
>>> We're trying to use offline access [1] to retrieve access_tokens on
>>> behalf of the user and access a protected resource in a long running
>>> process.
>>>
>>> This protected resource checks the validity of the access_token using
>>> the OAuth2 token introspection.
>>>
>>> In our tests we found that the introspection flag "active" true|false
>>> depends on having an active session in the server. Which seems to defeat
>>> the purpose of the offline access capabilities.
>>>
>>> I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior
>>> is the same.
>>>
>>> * Get an offline token via direct grants
>>> * Get an access_token using the offline_token
>>> * We have an active session
>>> * Use the token introspection for the access_token and get the expected
>>>   result: active=true
>>> * Wait for SSO Idle timeout (so the session expires)
>>> * Get a new access_token using the "stored" offline_token
>>> * Use the token introspection with the new access_token. Keycloak
>>>   returns active=false because we don't have a session. But the
>>>   access_token is valid, and not expired.
>>>
>>> The following code repository has an isolated test case of this scenario:
>>>
>>> https://github.com/iperdomo/keycloak-oauth2-instrospection
>>>
>>> The described steps are in this script:
>>>
>>> https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh
>>>
>>> I tried to look for logged issues regarding token introspection and
>>> didn't find anything related to this problem.
>>>
>>> Is this a bug or an expected behavior?
>>>
>>> [1]
>>> https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html
>>>
>>> Thanks for your support.
>>>

From heide at 365farmnet.com Tue May 2 08:43:12 2017
From: heide at 365farmnet.com (Heide, Marc)
Date: Tue, 2 May 2017 12:43:12 +0000
Subject: [keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached - 2.0
Message-ID:

Hi,

We try to use Keycloak with offline tokens for end users, but in contrast to https://lists.jboss.org/pipermail/keycloak-user/2017-January/009096.html, where the Admin API is requested, we try to access the UserInfo endpoint.

As soon as the user session that created the offline token has died, the UserInfo endpoint returns a 401 with:

{
  "error": "invalid_request",
  "error_description": "User session not found"
}

Looking at https://issues.jboss.org/browse/KEYCLOAK-4201 and https://issues.jboss.org/browse/KEYCLOAK-4371, and without really knowing the internals, could it be the same problem here, in the UserInfoEndpoint class at line 142? It obviously does not consider offline sessions at all.

Is that a wanted behavior? According to the OIDC spec the UserInfo endpoint should be usable with a valid offline access token even if the user session has been ended. (http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess)

Best Regards
Marc

From heide at 365farmnet.com Tue May 2 10:05:18 2017
From: heide at 365farmnet.com (Heide, Marc)
Date: Tue, 2 May 2017 14:05:18 +0000
Subject: [keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached - 2.0
In-Reply-To:
References:
Message-ID: <88D8AD7D-6F6C-41B4-BA21-9D23E49600A7@365farmnet.com>

Well ok, obviously I have not searched deep enough, there is already a Jira for this: https://issues.jboss.org/browse/KEYCLOAK-4521

br
Marc

On 02.05.17, 14:43, "keycloak-user-bounces at lists.jboss.org on behalf of Heide, Marc" wrote:

    Hi,

    We try to use Keycloak with offline tokens for end users, but in contrast to https://lists.jboss.org/pipermail/keycloak-user/2017-January/009096.html, where the Admin API is requested, we try to access the UserInfo endpoint.

    As soon as the user session that created the offline token has died, the UserInfo endpoint returns a 401 with:

    {
      "error": "invalid_request",
      "error_description": "User session not found"
    }

    Looking at https://issues.jboss.org/browse/KEYCLOAK-4201 and https://issues.jboss.org/browse/KEYCLOAK-4371, and without really knowing the internals, could it be the same problem here, in the UserInfoEndpoint class at line 142? It obviously does not consider offline sessions at all.

    Is that a wanted behavior? According to the OIDC spec the UserInfo endpoint should be usable with a valid offline access token even if the user session has been ended. (http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess)

    Best Regards
    Marc

From hendrikdev22 at gmail.com Tue May 2 11:04:09 2017
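An added example, mine rather than code from either of the two threads above or from Keycloak, for the two symptoms they describe: Iván Perdomo's introspection sequence (the access token is still before its exp, yet the introspection endpoint answers active=false once the SSO session is gone) and Marc Heide's UserInfo 401 with "User session not found". It classifies the pair (access token, endpoint response) so that a long-running client can tell a normal expiry apart from the session-bound rejection and log it as such. It runs offline: the token is a constructed compact JWS with a placeholder signature, and the responses are literals; in a real run you would feed it the JSON returned by the realm's protocol/openid-connect/token/introspect and protocol/openid-connect/userinfo endpoints (an assumption about how you would wire it, not something the thread shows). The payload is decoded without verifying the signature because this is a diagnostic about what the server said, never an authorization decision.

```python
import base64
import json
import time
from typing import Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def jwt_claims_unverified(token: str) -> Dict[str, object]:
    """Decode the payload of a compact JWS WITHOUT checking the signature.

    Diagnostic use only: this tells you what the issuer put in the token, not
    whether the token is genuine. Never gate access on the result.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_introspection(access_token: str, introspection: Dict[str, object],
                           now: Optional[float] = None) -> str:
    """Compare the token's own 'exp' with the introspection endpoint's 'active' flag.

    Returns:
      'active'             both agree the token is usable
      'expired'            'exp' has passed, so active=false is the normal outcome
      'inactive-unexpired' 'exp' has not passed but the server says active=false:
                           the session-bound behaviour reported in the thread
      'active-but-expired' server says active=true after 'exp' (should never happen)
    """
    now = time.time() if now is None else now
    exp = jwt_claims_unverified(access_token).get("exp")
    unexpired = isinstance(exp, (int, float)) and now < exp
    active = bool(introspection.get("active"))
    if active and unexpired:
        return "active"
    if not active and not unexpired:
        return "expired"
    if not active and unexpired:
        return "inactive-unexpired"
    return "active-but-expired"


def classify_userinfo_response(status: int, body: Dict[str, object]) -> str:
    """Tell the session-bound UserInfo rejection apart from other failures."""
    if status == 200:
        return "ok"
    if status == 401 and body.get("error_description") == "User session not found":
        return "session-bound-rejection"
    if status == 401:
        return "unauthorized"
    return "other-error"


# --- constructed fixtures (not real Keycloak output) --------------------------
def make_test_jwt(claims: Dict[str, object]) -> str:
    """Build a Keycloak-shaped compact JWS with a placeholder signature segment."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# The 401 body quoted in Marc Heide's message.
USERINFO_401_FROM_THREAD = {"error": "invalid_request", "error_description": "User session not found"}


def run_thread_scenario() -> Dict[str, str]:
    """Replay Iván Perdomo's step list against fixed timestamps and literal responses."""
    issued, exp = 1_500_000_000, 1_500_000_300          # 5-minute access token lifetime
    token = make_test_jwt({"exp": exp, "iat": issued, "typ": "Bearer", "azp": "test-client"})
    return {
        "with session": classify_introspection(token, {"active": True}, now=issued + 10),
        "session gone": classify_introspection(token, {"active": False}, now=issued + 10),
        "after exp": classify_introspection(token, {"active": False}, now=exp + 10),
        "userinfo": classify_userinfo_response(401, USERINFO_401_FROM_THREAD),
    }


if __name__ == "__main__":
    for step, verdict in run_thread_scenario().items():
        print(f"{step:>13}: {verdict}")
```

The useful verdict is 'inactive-unexpired': a client that only looks at the introspection flag would treat it as a revoked token and re-authenticate the user, which is precisely what offline access is meant to avoid; surfacing the distinction makes the behaviour visible in your own logs while the linked JIRAs are open.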
From: hendrikdev22 at gmail.com (Hendrik Dev)
Date: Tue, 2 May 2017 17:04:09 +0200
Subject: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
In-Reply-To:
References:
Message-ID:

bump

On Thu, Apr 27, 2017 at 12:35 PM, Hendrik Dev wrote:
> On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda wrote:
>> On 24/04/17 18:55, Hendrik Dev wrote:
>>>
>>> Hi,
>>>
>>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
>>> Purpose is to provide single sign on for users logging in via IE from
>>> a windows domain.
>>> Keycloak itself is running on centOS, Kerberos server is Active
>>> Directory. The setup is working so far because I can login via 'curl
>>> --negotiate'. There are also several other java applications running
>>> in this environment which are capable of doing SPNEGO over Kerberos
>>> authentication successfully.
>>>
>>> If the user accesses a Keycloak protected application the SPNEGO login
>>> does not work and the Keycloak login page is displayed instead.
>>> In the logs I see "Defective token detected (Mechanism level:
>>> GSSHeader did not find the right tag)" and that's totally right because
>>> the browser sends
>>> 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
>>> which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>>
>>> For me it looks like the browser never gets either a
>>> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
>>> In other words: the browser never seems to get challenged to do
>>> SPNEGO over Kerberos.
>>
>> I will try to summarize if I understand correctly:
>> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
>> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization:
>> Negotiate ntlm-token-is-here"
>> 3) Keycloak replied with "WWW-Authenticate: Negotiate
>> spnego-token-asking-to-send-kerberos-instead-of-ntlm"
>> 4) Your browser didn't reply anything back
>>
>> Is it correct?
>
> Sorry no.
> I never see a 401 nor a "WWW-Authenticate: Negotiate" from keycloak.
> As I said, the browser does not get a challenge.
>
>> It seems that your browser doesn't have a kerberos ticket, hence that's why it
>> uses NTLM instead. I think the best would be to fix your environment, so
>> that it will send a Kerberos token instead of NTLM at step 2.
>>
>> Marek
>>
>>> I already tried to fix it
>>> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
>>> but this oddly just ends up in a Basic Auth popup from the browser.
>>> For the client app the standard flow as well as direct access grants
>>> is enabled.
>>>
>>> Keycloak is deployed as HA with 3 nodes and runs behind a HW
>>> loadbalancer and Kerberos is set up within the LDAP Federation ()
>>>
>>> Any ideas?
>>>
>>> Thanks
>>> Hendrik
>>>
>
> --
> Hendrik Saly (salyh, hendrikdev22)
> @hendrikdev22
> PGP: 0x22D7F6EC

--
Hendrik Saly (salyh, hendrikdev22)
@hendrikdev22
PGP: 0x22D7F6EC

From jimena at gmail.com Tue May 2 21:21:53 2017
From: jimena at gmail.com (Jimena Garbarino)
Date: Tue, 2 May 2017 22:21:53 -0300
Subject: [keycloak-user] keycloak spring-security adapter cookie token-store
Message-ID:

Hi,

I am using the spring-security adapter, client configured with token-store=cookie, and after a keycloak successful login and redirect to app, I don't see the KEYCLOAK_ADAPTER_STATE cookie set. Does token-store=cookie work with the spring-security adapter?

Thanks,

From mposolda at redhat.com Wed May 3 02:54:12 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 3 May 2017 08:54:12 +0200
Subject: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
In-Reply-To:
References:
Message-ID: <1de2e444-d9eb-c123-cf61-2d805026eb8b@redhat.com>

Sorry, I don't have much to add :( It seems you would need to fix your environment and windows domain configuration to use Kerberos/SPNEGO tokens instead of NTLM. A few posts with possible tips & tricks I found during some quick googling:

http://jasig.275507.n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-instead-of-Kerberos-td1598650.html
http://stackoverflow.com/questions/17340564/why-does-ie-not-send-the-kerberos-ticket-information-to-my-jboss-on-linux
https://archive.sap.com/discussions/thread/998107

Marek

On 02/05/17 17:04, Hendrik Dev wrote:
> bump
>
> On Thu, Apr 27, 2017 at 12:35 PM, Hendrik Dev wrote:
>> On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda wrote:
>>> On 24/04/17 18:55, Hendrik Dev wrote:
>>>> Hi,
>>>>
>>>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
>>>> Purpose is to provide single sign on for users logging in via IE from
>>>> a windows domain.
>>>> Keycloak itself is running on centOS, Kerberos server is Active
>>>> Directory. The setup is working so far because I can login via 'curl
>>>> --negotiate'. There are also several other java applications running
>>>> in this environment which are capable of doing SPNEGO over Kerberos
>>>> authentication successfully.
>>>>
>>>> If the user accesses a Keycloak protected application the SPNEGO login
>>>> does not work and the Keycloak login page is displayed instead.
>>>> In the logs I see "Defective token detected (Mechanism level:
>>>> GSSHeader did not find the right tag)" and that's totally right because
>>>> the browser sends
>>>> 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
>>>> which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>>>
>>>> For me it looks like the browser never gets either a
>>>> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
>>>> In other words: the browser never seems to get challenged to do
>>>> SPNEGO over Kerberos.
>>> I will try to summarize if I understand correctly:
>>> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
>>> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization:
>>> Negotiate ntlm-token-is-here"
>>> 3) Keycloak replied with "WWW-Authenticate: Negotiate
>>> spnego-token-asking-to-send-kerberos-instead-of-ntlm"
>>> 4) Your browser didn't reply anything back
>>>
>>> Is it correct?
>> Sorry no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from keycloak.
>> As I said, the browser does not get a challenge.
>>
>>> It seems that your browser doesn't have a kerberos ticket, hence that's why it
>>> uses NTLM instead. I think the best would be to fix your environment, so
>>> that it will send a Kerberos token instead of NTLM at step 2.
>>>
>>> Marek
>>>
>>>> I already tried to fix it
>>>> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
>>>> but this oddly just ends up in a Basic Auth popup from the browser.
>>>> For the client app the standard flow as well as direct access grants
>>>> is enabled.
>>>>
>>>> Keycloak is deployed as HA with 3 nodes and runs behind a HW
>>>> loadbalancer and Kerberos is set up within the LDAP Federation ()
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks
>>>> Hendrik
>>
>> --
>> Hendrik Saly (salyh, hendrikdev22)
>> @hendrikdev22
>> PGP: 0x22D7F6EC
>

From mposolda at redhat.com Wed May 3 03:02:49 2017
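An added example, mine and not code from Hendrik, Marek or Keycloak, for the thread above. The first thing to settle in a case like this is what the browser actually put after "Negotiate", and the value Hendrik quoted answers it once decoded: the bytes begin with the NTLMSSP signature and carry message type 1 (NEGOTIATE), with no GSS-API wrapper at all. The JDK's GSSHeader looks for the ASN.1 [APPLICATION 0] tag 0x60 as the first byte, so "GSSHeader did not find the right tag" is the literal consequence of the first byte being 'N'. The classifier below makes that distinction mechanically, and for a genuine GSS token it reports which mechanism OID it names (SPNEGO, Kerberos V5, the legacy MS KRB5 OID, or NTLMSSP negotiated inside SPNEGO). The two GSS headers it is checked against are constructed (mechanism OID only, no inner token); the NTLM token is the one quoted in the thread.

```python
import base64
import struct
from typing import Dict, Optional

# Value quoted in Hendrik's report, copied from the thread and used here as input.
TOKEN_FROM_THREAD = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # flag bit: a Version block follows the fields
GSS_INITIAL_TOKEN_TAG = 0x60             # [APPLICATION 0], RFC 2743 section 3.1; what GSSHeader expects
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
KNOWN_MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def _der_length(buf: bytes, pos: int):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(content: bytes) -> str:
    """DER OID content octets -> dotted string (first two arcs packed as 40*a+b)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def classify_negotiate_token(header_value: str) -> Dict[str, object]:
    """Say what a client really sent after 'Negotiate': raw NTLMSSP, a GSS/SPNEGO token, or junk."""
    value = header_value.strip()
    if value.lower().startswith("negotiate"):
        value = value[len("negotiate"):].lstrip(": ")
    raw = base64.b64decode(value)
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 16:
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        version: Optional[tuple] = None
        # The NEGOTIATE message carries the client OS version when the VERSION flag is set.
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            version = (major, minor, build)
        return {"kind": "ntlm", "message": NTLM_MESSAGE_TYPES.get(msg_type, "unknown"),
                "flags": flags, "os_version": version, "gss_wrapped": False}
    if raw and raw[0] == GSS_INITIAL_TOKEN_TAG:
        _, pos = _der_length(raw, 1)
        if pos >= len(raw) or raw[pos] != 0x06:          # mechanism OID must follow the tag
            return {"kind": "gss", "mechanism": "malformed", "gss_wrapped": True}
        oid_len, pos = _der_length(raw, pos + 1)
        oid = _decode_oid(raw[pos:pos + oid_len])
        return {"kind": "gss", "mechanism_oid": oid,
                "mechanism": KNOWN_MECH_OIDS.get(oid, "unknown"), "gss_wrapped": True}
    return {"kind": "unknown", "first_byte": raw[0] if raw else None, "gss_wrapped": False}


# Constructed GSS-API initial-token headers (mechanism OID only, no inner token) for comparison.
SPNEGO_HEADER_B64 = base64.b64encode(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()
KRB5_HEADER_B64 = base64.b64encode(b"\x60\x0b\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02").decode()

if __name__ == "__main__":
    for label, tok in (("thread", TOKEN_FROM_THREAD), ("spnego", SPNEGO_HEADER_B64), ("krb5", KRB5_HEADER_B64)):
        print(label, classify_negotiate_token("Negotiate " + tok))
```

Run against the quoted value it reports kind 'ntlm', message 'NEGOTIATE' and an OS version of (6, 1, 7601), i.e. a Windows 7 / Server 2008 R2 client that never obtained a service ticket for the Keycloak host, which is consistent with Marek's reading that the fix is on the domain side (SPN registration, the host being in the browser's intranet zone) rather than in Keycloak. Pasting the same value into the classifier is a cheaper first check than reading GSS debug logs.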
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 3 May 2017 09:02:49 +0200
Subject: [keycloak-user] Package custom REST endpoint in EAR/WAR
In-Reply-To:
References: <6a909237-87ba-9c29-7699-b3dd3a8d6a41@redhat.com>
Message-ID: <72abc85f-6d49-be71-8b76-7fd838857e39@redhat.com>

We have the examples with JAR in the directory "providers" in the keycloak-examples zip. I suggest starting with those. Once you have your provider working as a JAR, the EAR may just package this JAR inside and this should work fine as far as I know.

Marek

On 02/05/17 13:44, Ulrik Lejon wrote:
> I thought that an EAR should be self contained and thus have all of its
> dependencies packaged?
>
> Anyway, could you point me to an example where you create an EAR (or war)?
> I couldn't find one, and nothing in the docs either.
>
> // Ulrik
>
> On Tue, 2 May 2017 at 12:51, Marek Posolda wrote:
>
>> It seems that you have all the keycloak jars (eg.
>> keycloak-services-2.5.4.Final.jar ) in the "lib" directory of your EAR.
>> This is not the correct packaging. The keycloak dependencies shouldn't
>> be inside your EAR.
>>
>> You need to use "provided" for dependencies in your maven
>> module, so it will package the lib correctly. Maybe you need also
>> jboss-deployment-structure.xml with the references to used keycloak
>> modules, but not 100% sure. The best is to check our docs and examples
>> for the reference.
>>
>> Marek
>>
>> On 02/05/17 12:14, Ulrik Lejon wrote:
>>> According to the documentation it should be possible to drop an ear/war
>>> file in the keycloak standalone/deployment folder.
>>>
>>> I created my own rest endpoint in this repo to try this
>>> out. However, when I deploy it I get the below errors. What am I doing
>>> wrong? Has anyone successfully packaged custom keycloak code in an ear or
>>> war?
>>>
>>> 20:23:09,192 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "custom-ear.ear" (runtime-name: "custom-ear.ear")
>>> 20:23:10,344 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry provider-1.0-SNAPSHOT.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-core-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-common-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/bcprov-jdk15on-1.52.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/bcpkix-jdk15on-1.52.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-core-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-databind-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-services-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/javax.mail-api-1.5.5.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-servlet-api_3.0_spec-1.0.2.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/twitter4j-core-4.0.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-jaxrs-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-annotations-api_1.2_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/activation-1.1.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,350 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-io-2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,351 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jcip-annotations-1.0.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-transaction-api_1.2_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-multipart-provider-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-client-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-jaxb-provider-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-impl-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-core-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-api-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/istack-commons-runtime-2.16.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/FastInfoset-1.2.12.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jsr173_api-1.0.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/mail-1.5.0-b01.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/apache-mime4j-0.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-annotations-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/javase-3.2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/core-3.2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jcommander-1.48.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-server-spi-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-server-spi-private-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-logging-3.3.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/httpclient-4.3.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/httpcore-4.3.3.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-logging-1.1.3.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-codec-1.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-core.jar in /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,437 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in /content/custom-ear.ear/lib/jaxb-core-2.2.7.jar does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,439 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0207: Starting subdeployment (runtime-name: "provider-1.0-SNAPSHOT.jar")
>>> 20:23:10,619 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-6) Deploying Keycloak provider: {0}
>>> 20:23:10,625 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"
>>>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154)
>>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: java.util.ServiceConfigurationError: org.keycloak.email.EmailSenderProviderFactory: Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype
>>>     at java.util.ServiceLoader.fail(ServiceLoader.java:239)
>>>     at java.util.ServiceLoader.access$300(ServiceLoader.java:185)
>>>     at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:376)
>>>     at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>>     at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>>     at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
>>>     at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
>>>     at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206)
>>>     at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112)
>>>     at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
>>>     at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
>>>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
>>>     ... 5 more
>>>
>>> 20:23:10,635 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "custom-ear.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment \"provider-1.0-SNAPSHOT.jar\" of deployment \"custom-ear.ear\"
>>>     Caused by: java.util.ServiceConfigurationError: org.keycloak.email.EmailSenderProviderFactory: Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype"}}
>>> 20:23:10,698 ERROR [stderr] (DeploymentScanner-threads - 1) java.io.IOException: Mount point not found
>>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileStore.findMountEntry(LinuxFileStore.java:91)
>>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.UnixFileStore.<init>(UnixFileStore.java:65)
>>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileStore.<init>(LinuxFileStore.java:44)
>>> 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:51)
>>> 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:39)
>>> 20:23:10,701 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.UnixFileSystemProvider.getFileStore(UnixFileSystemProvider.java:368)
>>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.nio.file.Files.getFileStore(Files.java:1461)
>>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.getPosixAttributes(FilePersistenceUtils.java:129)
>>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.createTempFileWithAttributes(FilePersistenceUtils.java:117)
>>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.writeToTempFile(FilePersistenceUtils.java:104)
>>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.ConfigurationFilePersistenceResource.doCommit(ConfigurationFilePersistenceResource.java:55)
>>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.AbstractFilePersistenceResource.commit(AbstractFilePersistenceResource.java:58)
>>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$4.commit(ModelControllerImpl.java:781)
>>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.executeDoneStage(AbstractOperationContext.java:743)
>>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:680)
>>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
>>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
>>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
>>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
>>> 20:23:10,706 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:748)
>>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:742)
>>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.security.AccessController.doPrivileged(Native Method)
>>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1.run(ModelControllerImpl.java:742)
>>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>> 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.lang.Thread.run(Thread.java:745)
>>> 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>>> 20:23:10,713 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "custom-ear.ear" (runtime-name : "custom-ear.ear")
>>> 20:23:10,714 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 1) WFLYCTL0183: Service status report
>>> WFLYCTL0186: Services which failed to start: service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>

From sthorger at redhat.com Wed May 3 05:02:41 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 3 May 2017 11:02:41 +0200
Subject: [keycloak-user] Keycloak 3.1.0.Final Released
Message-ID:

Keycloak 3.1.0.Final has just been released. To download the release go to the Keycloak homepage. The full list of resolved issues is available in JIRA.

Upgrading

Before you upgrade remember to backup your database and check the migration guide.

From rohitchaudhary95 at gmail.com Wed May 3 05:33:44 2017
From: rohitchaudhary95 at gmail.com (rohit chaudhary)
Date: Wed, 3 May 2017 15:03:44 +0530
Subject: [keycloak-user] Architecture for Multiple DB
Message-ID:

Hi,

I implemented a custom User Storage SPI, connected the users DB (PostgreSQL) and also changed keycloakDS to MySQL. So, I have a doubt: will my users now be stored in MySQL or PostgreSQL? And if I want to add one more user DB, how will the users be merged and in which DB will they be? And how about sync of all DBs?

Thanks in advance

Regards,
Rohit

From mposolda at redhat.com Wed May 3 07:16:41 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 3 May 2017 13:16:41 +0200
Subject: [keycloak-user] Architecture for Multiple DB
In-Reply-To:
References:
Message-ID: <12abe862-558d-e57c-6bea-269555721676@redhat.com>

This depends on how exactly you implemented your user storage SPI. It's up to you to specify if your custom user storage is read-only, if it supports registration of new users, which attributes of users need to be in your storage, which credential types (for example you can specify passwords to be in your PostgreSQL-based storage while the TOTP credentials will be in the MySQL-based storage, etc.). There is documentation in the "Server Developer" guide. Also we have examples in the keycloak-examples distribution in the directory "providers".

Marek

On 03/05/17 11:33, rohit chaudhary wrote:
> Hi,
>
> I implemented a custom User Storage SPI, connected the users DB (PostgreSQL) and also changed keycloakDS to MySQL. So, I have a doubt: will my users now be stored in MySQL or PostgreSQL? And if I want to add one more user DB, how will the users be merged and in which DB will they be? And how about sync of all DBs?
>
> Thanks in advance
>
> Regards,
> Rohit

From sthorger at redhat.com Wed May 3 09:47:36 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 3 May 2017 15:47:36 +0200
Subject: [keycloak-user] OAuth2 token introspection requires an active session?
In-Reply-To: <0f703733-0813-3862-743d-6a816e613efc@redhat.com>
References: <566ee764-8613-5e76-3671-2c9425a4698b@akvo.org> <79517d41-2b80-66ab-8f36-b53ececd4533@redhat.com> <93104a49-eda5-c827-d4bb-b950b4c600fe@akvo.org> <0f703733-0813-3862-743d-6a816e613efc@redhat.com>
Message-ID:

Marek - isn't the offline session recovered at startup, so there will be an active session for offline tokens as well, right?

On 2 May 2017 at 14:23, Marek Posolda wrote:
> Yes. I've just changed link kind "Caused by" to "related to".
>
> Thanks!
> Marek
>
> On 02/05/17 13:33, Iván Perdomo wrote:
> > Hi Marek,
> >
> > I created the issue and linked it to the one you mentioned (not completely sure if the link is correct).
> >
> > https://issues.jboss.org/browse/KEYCLOAK-4829
> >
> > Thanks,
> >
> > On 05/02/2017 12:34 PM, Marek Posolda wrote:
> >> This looks like a bug. Could you please create a JIRA with the info you mentioned here? Please also link your new JIRA with https://issues.jboss.org/browse/KEYCLOAK-4521, which is a quite similar issue.
> >>
> >> Marek
> >>
> >> On 28/04/17 09:51, Iván Perdomo wrote:
> >>> Hi all,
> >>>
> >>> We're trying to use offline access [1] to retrieve access_tokens on behalf of the user and access a protected resource in a long-running process.
> >>>
> >>> This protected resource checks the validity of the access_token using OAuth2 token introspection.
> >>>
> >>> In our tests we found that the introspection flag "active" true|false depends on having an active session in the server, which seems to defeat the purpose of the offline access capabilities.
> >>>
> >>> I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior is the same.
> >>>
> >>> * Get an offline token via direct grants
> >>> * Get an access_token using the offline_token
> >>> * We have an active session
> >>> * Use the token introspection for the access_token and get the expected result: active=true
> >>> * Wait for SSO Idle timeout (so the session expires)
> >>> * Get a new access_token using the "stored" offline_token
> >>> * Use the token introspection with the new access_token. Keycloak returns active=false because we don't have a session. But the access_token is valid, and not expired.
> >>>
> >>> The following code repository has an isolated test case of this scenario:
> >>>
> >>> https://github.com/iperdomo/keycloak-oauth2-instrospection
> >>>
> >>> The described steps are in this script:
> >>>
> >>> https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh
> >>>
> >>> I tried to look for logged issues regarding token introspection and didn't find anything related to this problem.
> >>>
> >>> Is this a bug or an expected behavior?
> >>>
> >>> [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html
> >>>
> >>> Thanks for your support.
> >>>
>

From stephane.granger at gmail.com Wed May 3 10:45:50 2017
From: stephane.granger at gmail.com (Stephane Granger)
Date: Wed, 3 May 2017 10:45:50 -0400
Subject: [keycloak-user] 3.1.0.Final not found in Maven repository
Message-ID:

Hello, this morning I changed the Keycloak version from 3.0.0.Final to 3.1.0.Final in my pom file but Maven could not resolve the dependencies.

Could not find artifact org.keycloak:keycloak-adapter-core:jar:3.1.0.Final in central (https://repo.maven.apache.org/maven2)

Stephane

From rysiek at occrp.org Wed May 3 11:11:17 2017
From: rysiek at occrp.org (Rashiq)
Date: Wed, 03 May 2017 17:11:17 +0200
Subject: [keycloak-user] Granting client access to just certain users
Message-ID: <1515485.01fCPQaPvJ@lapuntu>

Dear all,

we're struggling a bit with understanding how Keycloak's Client Authorization works and with setting up a Client Authorization.

What we would like to achieve for now is to be able to let only certain users with Keycloak accounts access certain clients.

Let's say we have a client called `files.example.org`, a simple, read-only file hosting. And that we have 2 users in our Keycloak, `eligible at example.org` and `not.eligible at example.org`.

We would like to configure Keycloak to *deny* the latter user (`not.eligible at example.org`) access to *any and all* resources on `files.example.org`. This preferably would happen based on client roles, if possible.

The `files.example.org` resource server uses a Lua-based OAuth2 proxy to authenticate requests against Keycloak.

So, the question is: is it possible to tell Keycloak *not* to let `not.eligible at example.org` log in to `files.example.org` *at all*? As in, "this user does not have access to this client"? Or, better yet, "users with/without certain client roles do not have access to these clients"?

Or will we have to make the Lua-based proxy in front of it check claims in tokens received from Keycloak?

We appreciate your help!

--
Pozdravi,
rashiq

From jm85martins at gmail.com Wed May 3 11:44:18 2017
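The last option raised in the message above, a proxy in front of the resource server checking claims in the token, looks like this as an added example. It is not part of the original post, of any reply on the list, or of Keycloak's own code. It assumes the proxy has already verified the JWT signature against the realm's public key, and it uses a client role named `files-user` (an assumption, not from the post); the claim names `azp`, `aud`, `exp` and `resource_access` follow the shape of Keycloak access tokens. The sample payloads are constructed.

```python
"""Client-level access check on a Keycloak access token's claims.

Added example for the files.example.org scenario in the thread; not code from
the original post or from Keycloak. Deny is the default: a request passes only
when every check succeeds.

Assumptions (not from the page): the JWT signature has already been verified
against the realm's public key, and the required client role is "files-user".
"""
import time


def has_client_role(claims, client_id, role):
    """True when claims['resource_access'][client_id]['roles'] contains role."""
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return role in roles


def issued_for_client(claims, client_id):
    """A token may be used at client_id only if it was issued to it (azp) or
    explicitly names it as an audience. 'aud' may be a string or a list."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return claims.get("azp") == client_id or client_id in aud


def authorize(claims, client_id, required_role, now=None):
    """Return (allowed, reason) for a verified claim set at this client."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if not issued_for_client(claims, client_id):
        return False, "token not issued for this client"
    if not has_client_role(claims, client_id, required_role):
        return False, "missing client role %r" % required_role
    return True, "ok"


# Constructed sample payloads shaped like Keycloak access tokens (not real tokens).
ELIGIBLE = {
    "exp": 4102444800,  # far in the future
    "azp": "files.example.org",
    "aud": ["files.example.org"],
    "preferred_username": "eligible@example.org",
    "resource_access": {"files.example.org": {"roles": ["files-user"]}},
}
NOT_ELIGIBLE = {
    "exp": 4102444800,
    "azp": "files.example.org",
    "aud": "files.example.org",
    "preferred_username": "not.eligible@example.org",
    "resource_access": {},  # no client roles at all for this user
}

if __name__ == "__main__":
    for claims in (ELIGIBLE, NOT_ELIGIBLE):
        print(claims["preferred_username"],
              authorize(claims, "files.example.org", "files-user"))
```

The audience check matters as much as the role check: a token issued to another client in the same realm could carry the right `resource_access` entry but should still be refused at `files.example.org` unless that client is listed in `aud` or `azp`.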
From: jm85martins at gmail.com (Jorge M.)
Date: Wed, 3 May 2017 16:44:18 +0100
Subject: [keycloak-user] Help with SSO
In-Reply-To:
References:
Message-ID:

Hi there,

I'm sorry for insisting again... Can anyone help me to find the best approach?

Thank you!
JM

2017-04-27 18:28 GMT+01:00 Jorge M. :
> Hi,
>
> In the past some systems inside my company were using a custom-made SSO implementation that had the ability to do silent login among them.
> One of those systems was completely refactored and is using Keycloak for authentication and authorization. Since then, we lost that silent login feature with the other systems.
> We assumed that it was ok to lose this feature for a while but now we are trying to implement the silent login again.
>
> So... summing up:
> - System "A" is using Keycloak with a realm "RealmA" with multiple clients (modules) with SSO between them.
> - Other systems "B", "C" with their custom authentication and authorization.
> - We are using a custom federation on Keycloak over the same users database that is shared among all the systems.
>
> What's the best practice to achieve SSO between all the systems?
> We are thinking about a proxy that detects if the user has a session on some of the other systems and if that is true, we programmatically create a session on Keycloak for a given (Is this possible with the API?).
>
> Thank you,
> JM
>

From mposolda at redhat.com Wed May 3 15:32:53 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 3 May 2017 21:32:53 +0200
Subject: [keycloak-user] OAuth2 token introspection requires an active session?
In-Reply-To:
References: <566ee764-8613-5e76-3671-2c9425a4698b@akvo.org> <79517d41-2b80-66ab-8f36-b53ececd4533@redhat.com> <93104a49-eda5-c827-d4bb-b950b4c600fe@akvo.org> <0f703733-0813-3862-743d-6a816e613efc@redhat.com>
Message-ID:

Yes, there is an active session for offline tokens after startup. But both the introspection and the userInfo endpoint don't look up offline sessions ATM, just "online" sessions from the "sessions" cache. Hence once they receive a token which was created through the refresh of an offline token, they won't find the session and reply with the "400 Bad request" error.

Marek

On 03/05/17 15:47, Stian Thorgersen wrote:
> Marek - isn't the offline session recovered at startup, so there will be an active session for offline tokens as well, right?
>
> On 2 May 2017 at 14:23, Marek Posolda wrote:
>
> Yes. I've just changed link kind "Caused by" to "related to".
>
> Thanks!
> Marek
>
> On 02/05/17 13:33, Iván Perdomo wrote:
> > Hi Marek,
> >
> > I created the issue and linked it to the one you mentioned (not completely sure if the link is correct).
> >
> > https://issues.jboss.org/browse/KEYCLOAK-4829
> >
> > Thanks,
> >
> > On 05/02/2017 12:34 PM, Marek Posolda wrote:
> >> This looks like a bug. Could you please create a JIRA with the info you mentioned here? Please also link your new JIRA with https://issues.jboss.org/browse/KEYCLOAK-4521, which is a quite similar issue.
> >>
> >> Marek
> >>
> >> On 28/04/17 09:51, Iván Perdomo wrote:
> >>> Hi all,
> >>>
> >>> We're trying to use offline access [1] to retrieve access_tokens on behalf of the user and access a protected resource in a long-running process.
> >>>
> >>> This protected resource checks the validity of the access_token using OAuth2 token introspection.
> >>>
> >>> In our tests we found that the introspection flag "active" true|false depends on having an active session in the server, which seems to defeat the purpose of the offline access capabilities.
> >>>
> >>> I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior is the same.
> >>>
> >>> * Get an offline token via direct grants
> >>> * Get an access_token using the offline_token
> >>> * We have an active session
> >>> * Use the token introspection for the access_token and get the expected result: active=true
> >>> * Wait for SSO Idle timeout (so the session expires)
> >>> * Get a new access_token using the "stored" offline_token
> >>> * Use the token introspection with the new access_token. Keycloak returns active=false because we don't have a session. But the access_token is valid, and not expired.
> >>>
> >>> The following code repository has an isolated test case of this scenario:
> >>>
> >>> https://github.com/iperdomo/keycloak-oauth2-instrospection
> >>>
> >>> The described steps are in this script:
> >>>
> >>> https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh
> >>>
> >>> I tried to look for logged issues regarding token introspection and didn't find anything related to this problem.
> >>>
> >>> Is this a bug or an expected behavior?
> >>>
> >>> [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html
> >>>
> >>> Thanks for your support.
> >>>
>

From traviskds at gmail.com Wed May 3 16:56:13 2017
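An added example for the introspection thread above, from the protected resource's side; it is not part of the original posts, of the linked test repository, or of Keycloak. It builds the RFC 7662 introspection request a resource server sends and shows how the answer is read, including the case the thread describes: an `active=false` answer for an access token that was refreshed from an offline token after the online session expired. The client credentials (`files-api` / `s3cret`), the realm name `demo`, the server URL and both responses are constructed; no network call is made.

```python
"""OAuth2 token introspection (RFC 7662) as seen from a resource server.

Added example for the thread; not code from the original posts, the linked
repository or Keycloak. Assumptions (not from the page): the resource server
is a confidential client "files-api" with secret "s3cret", the realm is "demo",
and the endpoint path follows the standard Keycloak layout of that era.
"""
import base64
import json
import time
from urllib.parse import urlencode


def introspection_request(base_url, realm, client_id, client_secret, token):
    """Return (url, headers, body) for the introspection call. The resource
    server authenticates itself with HTTP Basic; the token goes in the body."""
    url = "%s/auth/realms/%s/protocol/openid-connect/token/introspect" % (base_url, realm)
    cred = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    headers = {
        "Authorization": "Basic " + cred,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return url, headers, body


def evaluate_introspection(response_text, now=None):
    """Decide from the JSON answer. Per RFC 7662 an inactive answer carries no
    trustworthy claims, so the only safe reading of active=false is deny: the
    resource server cannot distinguish a revoked token from the server-side
    session lookup failure discussed in the thread."""
    now = time.time() if now is None else now
    data = json.loads(response_text)
    if data.get("active") is not True:
        return False, "introspection says inactive"
    # Defence in depth: re-check expiry even when the server says active.
    if "exp" in data and data["exp"] <= now:
        return False, "expired according to introspection claims"
    return True, data.get("username", "")


# Constructed sample answers (not captured from a real server).
ACTIVE_RESPONSE = json.dumps(
    {"active": True, "exp": 4102444800, "username": "alice", "client_id": "files-api"}
)
INACTIVE_RESPONSE = json.dumps({"active": False})

if __name__ == "__main__":
    url, headers, body = introspection_request(
        "https://sso.example.org", "demo", "files-api", "s3cret", "eyJ.constructed.token"
    )
    print(url)
    print(headers)
    print(body)
    print(evaluate_introspection(ACTIVE_RESPONSE))
    print(evaluate_introspection(INACTIVE_RESPONSE))
```

Because `active=false` is indistinguishable from revocation, a resource server that relies on introspection alone will reject the offline-refreshed tokens described in the thread; the deny is the correct outcome for the resource server, and the fix belongs on the authorization server side as the thread concludes.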
From: traviskds at gmail.com (Travis De Silva)
Date: Wed, 03 May 2017 20:56:13 +0000
Subject: [keycloak-user] LDAP Group Mapper Two Way Mapping
Message-ID:

Hi,

I am having a strange issue and was wondering if anyone else experienced this same issue.

We use MSAD as a federation provider and when I used the Group Mapper, I get all the relevant groups from MSAD into Keycloak and that works fine. Then when I go into Keycloak groups and look at the members, I can see all the members associated with that group which was imported from MSAD. So that is also fine.

But when I click on a user and then click on the groups tab, I don't see anything populated under the group membership. Generally, if we do this directly, you see the members of a group and the group membership under a user (two-way mapping).

Any ideas what I might be doing wrong?

Cheers
Travis

From adam.keily at adelaide.edu.au Wed May 3 19:33:07 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Wed, 3 May 2017 23:33:07 +0000
Subject: [keycloak-user] Package custom REST endpoint in EAR/WAR
In-Reply-To: <72abc85f-6d49-be71-8b76-7fd838857e39@redhat.com>
References: <6a909237-87ba-9c29-7699-b3dd3a8d6a41@redhat.com> <72abc85f-6d49-be71-8b76-7fd838857e39@redhat.com>
Message-ID:

We were getting the same issue with RHSSO 7.1 (Keycloak 2.5.5.) on RHEL7. I believe it's related to this bug in JDK 1.8.

https://bugs.openjdk.java.net/browse/JDK-8078439

For us, downgrading to JDK 1.7 fixed the issue. As long as you use v 1.8.0_31 or earlier I think you'll be ok.

Adam

p.s. Sorry Marek for previous direct reply

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Wednesday, 3 May 2017 4:33 PM
To: Ulrik Lejon ; keycloak-user
Subject: Re: [keycloak-user] Package custom REST endpoint in EAR/WAR

We have the examples with JAR in the directory "providers" in the keycloak-examples zip. I suggest starting with those. Once you have your provider working as a JAR, the EAR may just package this JAR inside and this should work fine as far as I know.

Marek

On 02/05/17 13:44, Ulrik Lejon wrote:
> I thought that an EAR should be self-contained and thus have all of its dependencies packaged?
>
> Anyway, could you point me to an example where you create an EAR (or war)?
> I couldn't find one, and nothing in the docs either.
>
> // Ulrik
>
> On Tue, 2 May 2017 at 12:51, Marek Posolda wrote:
>
>> It seems that you have all the keycloak jars (eg. keycloak-services-2.5.4.Final.jar) in the "lib" directory of your EAR. This is not the correct packaging. The keycloak dependencies shouldn't be inside your EAR.
>>
>> You need to use "provided" for dependencies in your maven module, so it will package the lib correctly. Maybe you also need jboss-deployment-structure.xml with the references to the used keycloak modules, but not 100% sure. The best is to check our docs and examples for the reference.
>>
>> Marek
>>
>> On 02/05/17 12:14, Ulrik Lejon wrote:
>>> According to the documentation it should be possible to drop an ear/war file in the keycloak standalone/deployment folder.
>>>
>>> I created my own rest endpoint in this repo to try this out. However, when I deploy it I get the below errors. What am I doing wrong? Has anyone successfully packaged custom keycloak code in an ear or war?
>>>
>>> 20:23:09,192 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "custom-ear.ear" (runtime-name: "custom-ear.ear")
>>> 20:23:10,344 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry provider-1.0-SNAPSHOT.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-core-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-common-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/bcprov-jdk15on-1.52.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/bcpkix-jdk15on-1.52.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-core-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-databind-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-services-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/javax.mail-api-1.5.5.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-servlet-api_3.0_spec-1.0.2.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/twitter4j-core-4.0.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-jaxrs-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-annotations-api_1.2_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/activation-1.1.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,350 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-io-2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,351 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jcip-annotations-1.0.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-transaction-api_1.2_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-multipart-provider-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-client-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-jaxb-provider-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-impl-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-core-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-api-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/istack-commons-runtime-2.16.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/FastInfoset-1.2.12.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jsr173_api-1.0.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/mail-1.5.0-b01.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/apache-mime4j-0.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-annotations-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/javase-3.2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/core-3.2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jcommander-1.48.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-server-spi-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-server-spi-private-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-logging-3.3.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/httpclient-4.3.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/httpcore-4.3.3.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-logging-1.1.3.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-codec-1.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-core.jar in /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,437 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in /content/custom-ear.ear/lib/jaxb-core-2.2.7.jar does not point to a valid jar for a Class-Path reference.
>>> 20:23:10,439 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0207: Starting subdeployment (runtime-name: "provider-1.0-SNAPSHOT.jar")
>>> 20:23:10,619 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-6) Deploying Keycloak provider: {0}
>>> 20:23:10,625 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"
>>>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154)
>>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: java.util.ServiceConfigurationError: org.keycloak.email.EmailSenderProviderFactory: Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype
>>>     at java.util.ServiceLoader.fail(ServiceLoader.java:239)
>>>     at java.util.ServiceLoader.access$300(ServiceLoader.java:185)
>>>     at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:376)
>>>     at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>>>     at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>>>     at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
>>>     at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
>>>     at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206)
>>>     at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112)
>>>     at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
>>>     at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
>>>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
>>>     ... 5 more
>>>
>>> 20:23:10,635 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "custom-ear.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment \"provider-1.0-SNAPSHOT.jar\" of deployment \"custom-ear.ear\"
>>>     Caused by: java.util.ServiceConfigurationError: org.keycloak.email.EmailSenderProviderFactory: Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype"}}
>>> 20:23:10,698 ERROR [stderr] (DeploymentScanner-threads - 1) java.io.IOException: Mount point not found
>>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileStore.findMountEntry(LinuxFileStore.java:91)
>>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.UnixFileStore.<init>(UnixFileStore.java:65)
>>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileStore.<init>(LinuxFileStore.java:44)
>>> 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:51)
>>> 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:39)
>>> 20:23:10,701 ERROR [stderr] (DeploymentScanner-threads - 1)     at sun.nio.fs.UnixFileSystemProvider.getFileStore(UnixFileSystemProvider.java:368)
>>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.nio.file.Files.getFileStore(Files.java:1461)
>>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.getPosixAttributes(FilePersistenceUtils.java:129)
>>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.createTempFileWithAttributes(FilePersistenceUtils.java:117)
>>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.FilePersistenceUtils.writeToTempFile(FilePersistenceUtils.java:104)
>>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.ConfigurationFilePersistenceResource.doCommit(ConfigurationFilePersistenceResource.java:55)
>>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.persistence.AbstractFilePersistenceResource.commit(AbstractFilePersistenceResource.java:58)
>>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$4.commit(ModelControllerImpl.java:781)
>>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.executeDoneStage(AbstractOperationContext.java:743)
>>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:680)
>>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
>>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
>>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
>>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217)
>>> 20:23:10,706 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:748)
>>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:742)
>>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.security.AccessController.doPrivileged(Native Method)
>>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.as.controller.ModelControllerImpl$3$1.run(ModelControllerImpl.java:742)
>>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>> 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1)     at java.lang.Thread.run(Thread.java:745)
>>> 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1)     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>>> 20:23:10,713 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "custom-ear.ear" (runtime-name : "custom-ear.ear")
>>> 20:23:10,714 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 1) WFLYCTL0183: Service status report
>>> WFLYCTL0186: Services which failed to start: service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From adam.keily at adelaide.edu.au Wed May 3 19:36:35 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Wed, 3 May 2017 23:36:35 +0000
Subject: [keycloak-user] Help with SSO

What is your custom SSO application? Does it support SAML or OIDC? If it does, you should be able to configure it as both an Identity Provider and a client in Keycloak to achieve what you call silent login, which I presume is just federated login.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Jorge M.
Sent: Thursday, 4 May 2017 1:14 AM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Help with SSO

Hi there,

I'm sorry for insisting again... Can anyone help me to find the best approach?

Thank you!
JM

2017-04-27 18:28 GMT+01:00 Jorge M. :
> Hi,
>
> In the past some systems inside my company were using a custom-made
> SSO implementation that had the ability to do silent login among them.
> One of those systems was completely refactored and is using Keycloak for
> authentication and authorization. Since then, we have lost that silent
> login feature with the other systems.
> We assumed that it was OK to lose this feature for a while, but now we
> are trying to implement the silent login again.
>
> So... summing up:
> - System "A" is using Keycloak with a realm "RealmA" with multiple clients (modules) with SSO between them.
> - Other systems "B", "C" with their custom authentication and authorization.
> - We are using a custom federation on Keycloak over the same users database that is shared among all the systems.
>
> What's the best practice to achieve SSO between all the systems?
> We are thinking about a proxy that detects if the user has a session
> on some of the other systems and if that is true, we programmatically
> create a session on Keycloak for a given (Is this possible with the API?).
>
> Thank you,
> JM

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From adam.keily at adelaide.edu.au Wed May 3 22:26:28 2017
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Thu, 4 May 2017 02:26:28 +0000
Subject: [keycloak-user] Package custom REST endpoint in EAR/WAR
References: <6a909237-87ba-9c29-7699-b3dd3a8d6a41@redhat.com> <72abc85f-6d49-be71-8b76-7fd838857e39@redhat.com>

My apologies. Looks like that bug is closed. Also jdk 1.7.0 is not supported but error is present using openjdk 1.8.0.121.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Adam Keily
Sent: Thursday, 4 May 2017 9:03 AM
To: Ulrik Lejon ; keycloak-user
Subject: Re: [keycloak-user] Package custom REST endpoint in EAR/WAR

We were getting the same issue with RHSSO 7.1 (Keycloak 2.5.5.) on RHEL7. I believe it's related to this bug in JDK 1.8.
https://bugs.openjdk.java.net/browse/JDK-8078439

For us, downgrading to JDK 1.7 fixed the issue. As long as you use v 1.8.0_31 or earlier I think you'll be ok.

Adam

p.s. Sorry Marek for previous direct reply
5 more >>> >>> 20:23:10,635 ERROR [org.jboss.as.controller.management-operation] >>> (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") >>> failed - address: ([("deployment" => "custom-ear.ear")]) - failure >>> description: {"WFLYCTL0080: Failed services" => >>> >> {"jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE" >>> => "org.jboss.msc.service.StartException in service >>> >> jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE: >>> WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment >>> \"provider-1.0-SNAPSHOT.jar\" of deployment \"custom-ear.ear\" >>> Caused by: java.util.ServiceConfigurationError: >>> org.keycloak.email.EmailSenderProviderFactory: Provider >>> org.keycloak.email.DefaultEmailSenderProviderFactory not a >>> subtype"}} >>> 20:23:10,698 ERROR [stderr] (DeploymentScanner-threads - 1) >>> java.io.IOException: Mount point not found >>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> sun.nio.fs.LinuxFileStore.findMountEntry(LinuxFileStore.java:91) >>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> sun.nio.fs.UnixFileStore.(UnixFileStore.java:65) >>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> sun.nio.fs.LinuxFileStore.(LinuxFileStore.java:44) >>> 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvid >> er.java:51) >>> 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvid >> er.java:39) >>> 20:23:10,701 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> sun.nio.fs.UnixFileSystemProvider.getFileStore(UnixFileSystemProvider >> .java:368) >>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> java.nio.file.Files.getFileStore(Files.java:1461) >>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at 
>>> >> org.jboss.as.controller.persistence.FilePersistenceUtils.getPosixAttr >> ibutes(FilePersistenceUtils.java:129) >>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.persistence.FilePersistenceUtils.createTempFi >> leWithAttributes(FilePersistenceUtils.java:117) >>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.persistence.FilePersistenceUtils.writeToTempF >> ile(FilePersistenceUtils.java:104) >>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.persistence.ConfigurationFilePersistenceResou >> rce.doCommit(ConfigurationFilePersistenceResource.java:55) >>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.persistence.AbstractFilePersistenceResource.c >> ommit(AbstractFilePersistenceResource.java:58) >>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.ModelControllerImpl$4.commit(ModelControllerI >> mpl.java:781) >>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.AbstractOperationContext.executeDoneStage(Abs >> tractOperationContext.java:743) >>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.AbstractOperationContext.processStages(Abstra >> ctOperationContext.java:680) >>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.AbstractOperationContext.executeOperation(Abs >> tractOperationContext.java:370) >>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.OperationContextImpl.executeOperation(Operati >> onContextImpl.java:1344) >>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelCont >> rollerImpl.java:392) >>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at 
>>> >> org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerIm >> pl.java:217) >>> 20:23:10,706 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelController >> Impl.java:748) >>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelController >> Impl.java:742) >>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> java.security.AccessController.doPrivileged(Native Method) >>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.ModelControllerImpl$3$1.run(ModelControllerIm >> pl.java:742) >>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >>> 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> java.util.concurrent.FutureTask.run(FutureTask.java:266) >>> 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask. >> access$201(ScheduledThreadPoolExecutor.java:180) >>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask. >> run(ScheduledThreadPoolExecutor.java:293) >>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor. 
>> java:1142) >>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor >> .java:617) >>> 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> java.lang.Thread.run(Thread.java:745) >>> 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> org.jboss.threads.JBossThread.run(JBossThread.java:320) >>> 20:23:10,713 INFO [org.jboss.as.server] (DeploymentScanner-threads >>> - >>> 1) WFLYSRV0010: Deployed "custom-ear.ear" (runtime-name : >>> "custom-ear.ear") >>> 20:23:10,714 INFO [org.jboss.as.controller] >>> (DeploymentScanner-threads - 1) WFLYCTL0183: Service status report >>> WFLYCTL0186: Services which failed to start: service >>> >> jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: >>> org.jboss.msc.service.StartException in service >>> >> jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: >>> WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment >>> "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear" >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From adam.keily at adelaide.edu.au Wed May 3 23:28:06 2017 
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Thu, 4 May 2017 03:28:06 +0000
Subject: [keycloak-user] Package custom REST endpoint in EAR/WAR
In-Reply-To: 
References: <6a909237-87ba-9c29-7699-b3dd3a8d6a41@redhat.com> <72abc85f-6d49-be71-8b76-7fd838857e39@redhat.com>
Message-ID: 

Ahhhhh, sorry. Wrong thread altogether. :-(

-----Original Message-----
From: Adam Keily
Sent: Thursday, 4 May 2017 11:56 AM
To: Adam Keily ; Ulrik Lejon ; keycloak-user
Subject: RE: [keycloak-user] Package custom REST endpoint in EAR/WAR

My apologies. Looks like that bug is closed. Also jdk 1.7.0 is not supported, but the error is present using openjdk 1.8.0.121.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Adam Keily
Sent: Thursday, 4 May 2017 9:03 AM
To: Ulrik Lejon ; keycloak-user
Subject: Re: [keycloak-user] Package custom REST endpoint in EAR/WAR

We were getting the same issue with RHSSO 7.1 (Keycloak 2.5.5.) on RHEL7. I believe it's related to this bug in JDK 1.8.
https://bugs.openjdk.java.net/browse/JDK-8078439

For us, downgrading to JDK 1.7 fixed the issue. As long as you use v 1.8.0_31 or earlier I think you'll be ok.

Adam

p.s. Sorry Marek for previous direct reply

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Wednesday, 3 May 2017 4:33 PM
To: Ulrik Lejon ; keycloak-user
Subject: Re: [keycloak-user] Package custom REST endpoint in EAR/WAR

We have the examples with JAR in the directory "providers" in the keycloak-examples zip. I suggest starting with those. Once you have your provider working as a JAR, the EAR may just package this JAR inside and this should work fine as far as I know.

Marek

On 02/05/17 13:44, Ulrik Lejon wrote:
> I thought that an EAR should be self-contained and thus have all of
> its dependencies packaged?
>
> Anyway, could you point me to an example where you create an EAR (or war)?
> I couldn't find one, and nothing in the docs either.
>
> // Ulrik
>
> On Tue, 2 May 2017 at 12:51, Marek Posolda wrote:
>
>> It seems that you have all the keycloak jars (e.g.
>> keycloak-services-2.5.4.Final.jar ) in the "lib" directory of your EAR.
>> This is not the correct packaging. The keycloak dependencies
>> shouldn't be inside your EAR.
>>
>> You need to use "provided" for dependencies in your
>> maven module, so it will package the lib correctly. Maybe you need
>> also jboss-deployment-structure.xml with the references to used
>> keycloak modules, but not 100% sure. The best is to check our docs
>> and examples for the reference.
>>
>> Marek
>>
>> On 02/05/17 12:14, Ulrik Lejon wrote:
>>> According to the documentation it should be possible to drop an
>>> ear/war file in the keycloak standalone/deployment folder.
>>>
>>> I created my own rest endpoint in this repo
>>> to try
>> this
>>> out. However, when I deploy it I get the below errors. What am I
>>> doing wrong? Has anyone successfully packaged custom keycloak code
>>> in an ear or war?
>>> >>> 20:23:09,192 INFO [org.jboss.as.server.deployment] (MSC service >>> thread 1-4) WFLYSRV0027: Starting deployment of "custom-ear.ear" >>> (runtime-name: "custom-ear.ear") >>> 20:23:10,344 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry provider-1.0-SNAPSHOT.jar >>> in /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/keycloak-core-2.5.4.Final.jar in /content/custom-ear.ear does >>> not point to a valid jar for a Class-Path reference. >>> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/keycloak-common-2.5.4.Final.jar in /content/custom-ear.ear does >>> not point to a valid jar for a Class-Path reference. >>> 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/bcprov-jdk15on-1.52.jar in /content/custom-ear.ear does not >>> point to a valid jar for a Class-Path reference. >>> 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/bcpkix-jdk15on-1.52.jar in /content/custom-ear.ear does not >>> point to a valid jar for a Class-Path reference. >>> 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-core-2.5.4.jar >>> in /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/jackson-databind-2.5.4.jar in /content/custom-ear.ear does not >>> point to a valid jar for a Class-Path reference. 
>>> 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/keycloak-services-2.5.4.Final.jar in /content/custom-ear.ear >>> does not point to a valid jar for a Class-Path reference. >>> 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/javax.mail-api-1.5.5.jar in /content/custom-ear.ear does not >>> point to a valid jar for a Class-Path reference. >>> 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/jboss-servlet-api_3.0_spec-1.0.2.Final.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/twitter4j-core-4.0.4.jar in /content/custom-ear.ear does not >>> point to a valid jar for a Class-Path reference. >>> 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/resteasy-jaxrs-3.0.14.Final.jar in /content/custom-ear.ear does >>> not point to a valid jar for a Class-Path reference. >>> 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/jboss-annotations-api_1.2_spec-1.0.0.Final.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/activation-1.1.1.jar >>> in /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,350 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/commons-io-2.1.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. 
>>> 20:23:10,351 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/jcip-annotations-1.0.jar in /content/custom-ear.ear does not >>> point to a valid jar for a Class-Path reference. >>> 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/jboss-transaction-api_1.2_spec-1.0.0.Final.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/resteasy-multipart-provider-3.0.14.Final.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/resteasy-client-3.0.14.Final.jar in /content/custom-ear.ear does >>> not point to a valid jar for a Class-Path reference. >>> 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/resteasy-jaxb-provider-3.0.14.Final.jar in /content/custom-ear.ear >>> does not point to a valid jar for a Class-Path reference. >>> 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-impl-2.2.7.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-core-2.2.7.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-api-2.2.7.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. 
>>> 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/istack-commons-runtime-2.16.jar in /content/custom-ear.ear does >>> not point to a valid jar for a Class-Path reference. >>> 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/FastInfoset-1.2.12.jar >>> in /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/jsr173_api-1.0.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/mail-1.5.0-b01.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/apache-mime4j-0.6.jar >>> in /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/jackson-annotations-2.5.4.jar in /content/custom-ear.ear does >>> not point to a valid jar for a Class-Path reference. >>> 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/javase-3.2.1.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/core-3.2.1.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. 
>>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/jcommander-1.48.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/keycloak-server-spi-2.5.4.Final.jar in /content/custom-ear.ear >>> does not point to a valid jar for a Class-Path reference. >>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/keycloak-server-spi-private-2.5.4.Final.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/jboss-logging-3.3.0.Final.jar in /content/custom-ear.ear does >>> not point to a valid jar for a Class-Path reference. >>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/httpclient-4.3.6.jar >>> in /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/httpcore-4.3.3.jar in >>> /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry >>> lib/commons-logging-1.1.3.jar in /content/custom-ear.ear does not >>> point to a valid jar for a Class-Path reference. 
>>> 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry lib/commons-codec-1.6.jar >>> in /content/custom-ear.ear does not point to a valid jar for a >>> Class-Path reference. >>> 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in >>> /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a >>> valid jar for a Class-Path reference. >>> 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry jaxb-core.jar in >>> /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a >>> valid jar for a Class-Path reference. >>> 20:23:10,437 WARN [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in >>> /content/custom-ear.ear/lib/jaxb-core-2.2.7.jar does not point to a >>> valid jar for a Class-Path reference. >>> 20:23:10,439 INFO [org.jboss.as.server.deployment] (MSC service >>> thread 1-2) WFLYSRV0207: Starting subdeployment (runtime-name: >>> "provider-1.0-SNAPSHOT.jar") >>> 20:23:10,619 INFO >>> >> [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentPr >> ocessor] >>> (MSC service thread 1-6) Deploying Keycloak provider: {0} >>> 20:23:10,625 ERROR [org.jboss.msc.service.fail] (MSC service thread >>> 1-6) MSC000001: Failed to start service >>> >> jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: >>> org.jboss.msc.service.StartException in service >>> >> jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: >>> WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment >>> "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear" >>> at >> org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(Deplo >> ymentUnitPhaseService.java:154) >>> at >> org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(Se >> 
rviceControllerImpl.java:1948) >>> at >> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceCont >> rollerImpl.java:1881) >>> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor. >> java:1142) >>> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor >> .java:617) >>> at java.lang.Thread.run(Thread.java:745) >>> Caused by: java.util.ServiceConfigurationError: >>> org.keycloak.email.EmailSenderProviderFactory: Provider >>> org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype >>> at java.util.ServiceLoader.fail(ServiceLoader.java:239) >>> at java.util.ServiceLoader.access$300(ServiceLoader.java:185) >>> at >> java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:3 >> 76) >>> at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) >>> at java.util.ServiceLoader$1.next(ServiceLoader.java:480) >>> at >> org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoade >> r.java:47) >>> at >> org.keycloak.provider.ProviderManager.load(ProviderManager.java:93) >>> at >> org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(Def >> aultKeycloakSessionFactory.java:206) >>> at >> org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKey >> cloakSessionFactory.java:112) >>> at >> org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerR >> egistry.java:42) >>> at >> org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentPro >> cessor.deploy(KeycloakProviderDeploymentProcessor.java:54) >>> at >> org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(Deplo >> ymentUnitPhaseService.java:147) >>> ... 
5 more >>> >>> 20:23:10,635 ERROR [org.jboss.as.controller.management-operation] >>> (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") >>> failed - address: ([("deployment" => "custom-ear.ear")]) - failure >>> description: {"WFLYCTL0080: Failed services" => >>> >> {"jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE" >>> => "org.jboss.msc.service.StartException in service >>> >> jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE: >>> WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment >>> \"provider-1.0-SNAPSHOT.jar\" of deployment \"custom-ear.ear\" >>> Caused by: java.util.ServiceConfigurationError: >>> org.keycloak.email.EmailSenderProviderFactory: Provider >>> org.keycloak.email.DefaultEmailSenderProviderFactory not a >>> subtype"}} >>> 20:23:10,698 ERROR [stderr] (DeploymentScanner-threads - 1) >>> java.io.IOException: Mount point not found >>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> sun.nio.fs.LinuxFileStore.findMountEntry(LinuxFileStore.java:91) >>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> sun.nio.fs.UnixFileStore.(UnixFileStore.java:65) >>> 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> sun.nio.fs.LinuxFileStore.(LinuxFileStore.java:44) >>> 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvid >> er.java:51) >>> 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvid >> er.java:39) >>> 20:23:10,701 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> sun.nio.fs.UnixFileSystemProvider.getFileStore(UnixFileSystemProvider >> .java:368) >>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> java.nio.file.Files.getFileStore(Files.java:1461) >>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at 
>>> >> org.jboss.as.controller.persistence.FilePersistenceUtils.getPosixAttr >> ibutes(FilePersistenceUtils.java:129) >>> 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.persistence.FilePersistenceUtils.createTempFi >> leWithAttributes(FilePersistenceUtils.java:117) >>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.persistence.FilePersistenceUtils.writeToTempF >> ile(FilePersistenceUtils.java:104) >>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.persistence.ConfigurationFilePersistenceResou >> rce.doCommit(ConfigurationFilePersistenceResource.java:55) >>> 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.persistence.AbstractFilePersistenceResource.c >> ommit(AbstractFilePersistenceResource.java:58) >>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.ModelControllerImpl$4.commit(ModelControllerI >> mpl.java:781) >>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.AbstractOperationContext.executeDoneStage(Abs >> tractOperationContext.java:743) >>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.AbstractOperationContext.processStages(Abstra >> ctOperationContext.java:680) >>> 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.AbstractOperationContext.executeOperation(Abs >> tractOperationContext.java:370) >>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.OperationContextImpl.executeOperation(Operati >> onContextImpl.java:1344) >>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelCont >> rollerImpl.java:392) >>> 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at 
>>> >> org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerIm >> pl.java:217) >>> 20:23:10,706 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelController >> Impl.java:748) >>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelController >> Impl.java:742) >>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> java.security.AccessController.doPrivileged(Native Method) >>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> org.jboss.as.controller.ModelControllerImpl$3$1.run(ModelControllerIm >> pl.java:742) >>> 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >>> 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> java.util.concurrent.FutureTask.run(FutureTask.java:266) >>> 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask. >> access$201(ScheduledThreadPoolExecutor.java:180) >>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask. >> run(ScheduledThreadPoolExecutor.java:293) >>> 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at >>> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor. 
>>> 20:23:10,713 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "custom-ear.ear" (runtime-name : "custom-ear.ear")
>>> 20:23:10,714 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 1) WFLYCTL0183: Service status report
>>> WFLYCTL0186: Services which failed to start: service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Thu, 4 May 2017 03:30:43 +0000
Subject: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

Downgrading is not an option as RHSSO 7.1 supports only openjdk 1.8. After updating to the latest 1.8 via the RHEL repo and restarting keycloak it appears to be working. What version of JDK are you using?

-----Original Message-----
From: Adam Keily
Sent: Thursday, 4 May 2017 9:01 AM
To: 'Marek Posolda'
Subject: RE: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

We were getting the same issue with RHSSO 7.1 (Keycloak 2.5.5.) on RHEL7. I believe it's related to this bug in JDK 1.8. https://bugs.openjdk.java.net/browse/JDK-8078439

For us, downgrading to JDK 1.7 fixed the issue. As long as you use v 1.8.0_31 or earlier I think you'll be ok.

Adam

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Wednesday, 3 May 2017 4:24 PM
To: Hendrik Dev
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

Sorry, I don't have much to add :( It seems you would need to fix your environment and windows domain configuration to use Kerberos/SPNEGO tokens instead of NTLM. A few posts with possible tips&tricks I found during quick googling:

http://jasig.275507.n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-instead-of-Kerberos-td1598650.html
http://stackoverflow.com/questions/17340564/why-does-ie-not-send-the-kerberos-ticket-information-to-my-jboss-on-linux
https://archive.sap.com/discussions/thread/998107

Marek

On 02/05/17 17:04, Hendrik Dev wrote:
> bump
>
> On Thu, Apr 27, 2017 at 12:35 PM, Hendrik Dev wrote:
>> On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda wrote:
>>> On 24/04/17 18:55, Hendrik Dev wrote:
>>>> Hi,
>>>>
>>>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0. Purpose is to provide single sign on for users logging in via IE from a windows domain.
>>>> Keycloak itself is running on centOS, Kerberos server is Active Directory. The setup is working so far because I can login via 'curl --negotiate'. There are also several other java applications running in this environment which are capable of doing SPNEGO over Kerberos authentication successfully.
>>>>
>>>> If the user accesses a Keycloak protected application the SPNEGO login does not work and the Keycloak login page is displayed instead.
>>>> In the logs I see "Defective token detected (Mechanism level: GSSHeader did not find the right tag)" and that's totally right because the browser sends 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>>>
>>>> For me it looks like the browser never gets either a 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak. In other words: the browser seems to never get challenged to do SPNEGO over Kerberos.
>>> I will try to summarize if I understand correctly:
>>> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
>>> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization: Negotiate ntlm-token-is-here"
>>> 3) Keycloak replied with "WWW-Authenticate: Negotiate spnego-token-asking-to-send-kerberos-instead-of-ntlm"
>>> 4) Your browser didn't reply anything back
>>>
>>> Is it correct?
>> Sorry no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from keycloak. As I said, the browser does not get a challenge.
>>
>>> It seems that your browser doesn't have a kerberos ticket, hence that's why it uses NTLM instead. I think the best would be to fix your environment, so that it will send a Kerberos token instead of NTLM at step 2.
>>>
>>> Marek
>>>
>>>> I already tried to fix it (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703) but this oddly just ends up in a Basic Auth popup from the browser.
>>>> For the client app the standard flow as well as direct access grants is enabled.
>>>>
>>>> Keycloak is deployed as HA with 3 nodes and runs behind a HW loadbalancer and Kerberos is setup within the LDAP Federation ()
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks
>>>> Hendrik
>>
>> --
>> Hendrik Saly (salyh, hendrikdev22)
>> @hendrikdev22
>> PGP: 0x22D7F6EC

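An added diagnostic for the kind of 'Negotiate' header value discussed in this thread (example code, not from the thread or from Keycloak): it decodes the token and reports whether the browser sent raw NTLMSSP, a SPNEGO NegTokenInit (and which mechanisms it offers), or a bare Kerberos token. Hendrik's token above is used as the NTLM sample; the SPNEGO sample is constructed locally with a small DER builder.

```python
import base64
from typing import Dict, List

# DER-encoded OIDs (tag 0x06 + length + contents) for the mechanisms that
# turn up inside a "Negotiate" header. These are the standard values.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b060104018237020a")    # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "Kerberos 5", OID_MS_KRB5: "MS Kerberos 5", OID_NTLMSSP: "NTLMSSP"}

# The value Hendrik's browser sent, copied from the thread above.
PAGE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="


def der_length(buf: bytes, i: int):
    """Return (length, index_after_length_field) for the DER length at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_negotiate_token(header_value: str) -> Dict[str, object]:
    """Classify the base64 blob of an 'Authorization: Negotiate <blob>' header.

    Purely diagnostic: it says what the client offered, it validates nothing.
    """
    blob = header_value.split()[-1]          # tolerate a leading "Negotiate "
    data = base64.b64decode(blob)
    # Raw NTLMSSP message: the browser fell back to NTLM. Java's GSS layer
    # rejects this with "GSSHeader did not find the right tag" because it
    # expects an RFC 2743 InitialContextToken, which starts with tag 0x60.
    if data.startswith(b"NTLMSSP\x00"):
        msg_type = int.from_bytes(data[8:12], "little")   # 1 = NEGOTIATE
        return {"mechanism": "NTLM", "ntlm_message_type": msg_type}
    try:
        if data[0] != 0x60:
            return {"mechanism": "unknown"}
        # InitialContextToken: 0x60 <len> <thisMech OID> <inner token>
        _, i = der_length(data, 1)
        if data[i] != 0x06:
            return {"mechanism": "unknown"}
        oid_len, j = der_length(data, i + 1)
    except IndexError:
        return {"mechanism": "unknown"}
    this_mech = data[i:j + oid_len]
    if this_mech in (OID_KRB5, OID_MS_KRB5):
        return {"mechanism": MECH_NAMES[this_mech]}
    if this_mech == OID_SPNEGO:
        # NegTokenInit carries a mechTypes list in client preference order; a
        # substring scan for the known DER OIDs is enough for a diagnostic.
        inner = data[j + oid_len:]
        found = [(inner.find(o), MECH_NAMES[o]) for o in MECH_NAMES if o in inner]
        return {"mechanism": "SPNEGO", "mech_types": [name for _, name in sorted(found)]}
    return {"mechanism": "unknown"}


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def build_spnego_negtokeninit(mech_oids: List[bytes]) -> str:
    """Constructed SPNEGO NegTokenInit offering the given mechTypes (no mechToken)."""
    mech_types = der(0xA0, der(0x30, b"".join(mech_oids)))   # [0] mechTypes
    neg_token_init = der(0xA0, der(0x30, mech_types))        # NegotiationToken [0]
    token = der(0x60, OID_SPNEGO + neg_token_init)            # InitialContextToken
    return base64.b64encode(token).decode()


if __name__ == "__main__":
    print(classify_negotiate_token(PAGE_TOKEN))
    print(classify_negotiate_token(build_spnego_negtokeninit([OID_KRB5, OID_NTLMSSP])))
```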
From: thomas at recloux.fr (Thomas Recloux)
Date: Thu, 04 May 2017 08:15:38 +0200
Subject: [keycloak-user] Help with SSO
Message-ID: <1493878538.3587870.965306608.46509692@webmail.messagingengine.com>

> > Hi,

Hi,

> > So..summing up:
> > - System "A" is using keycloak with a realm "RealmA" with multiple clients (modules) with sso between them.
> > - Other systems "B", "C" with their custom authentication and authorization
> > - We are using a custom federation on keycloak over the same users database that is shared among all the systems.
> >
> > What's the best practice to achieve sso between all the systems?
> > We are thinking about a proxy that detects if the user has a session on some of the other systems and if that is true, we programmatically create a session on keycloak for a given (Is this possible with the API?).

One possible solution could be to use Keycloak as the authentication system for systems B and C. You can maybe use the apache module to proxy these apps and trigger the authentication workflow with keycloak.

https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/mod-auth-openidc.html

Thomas

From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Thu, 4 May 2017 09:57:52 +0200
Subject: [keycloak-user] Migration to keycloak 3

I've read that keycloak 3.1 is already available. We're still using 2.2.1 in production and can see the migration steps for 2.5.1 in the docs: https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationFromOlderVersions.html

However, where are the 3.0 migration steps? Isn't there any requirement or do we need to do a fresh product install?

Thanks!

--
Aritz Maeztu Otaño
Software Development Department
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E
31110 Noain (Navarra)

From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 4 May 2017 11:13:36 +0200
Subject: [keycloak-user] 3.1.0.Final not found in Maven repository

We're having issues with Maven Central and are looking into it. In the mean time you can use the JBoss Releases repository at https://repository.jboss.org/nexus/content/repositories/releases/. For more details see https://developer.jboss.org/wiki/MavenRepository.

On 3 May 2017 at 16:45, Stephane Granger wrote:
> Hello,
>
> this morning I changed the Keycloak version from 3.0.0.Final to 3.1.0.Final in my pom file but maven could not resolve the dependencies.
>
> Could not find artifact org.keycloak:keycloak-adapter-core:jar:3.1.0.Final in central (https://repo.maven.apache.org/maven2)
>
> Stephane

From: liat.rudner at checkmarx.com (Liat Rudner)
Date: Thu, 4 May 2017 09:24:04 +0000
Subject: [keycloak-user] group mappers

Hi,

We need a way to map users to existing KeyCloak groups.

* In LDAP user federation - define a hardcoded group and an LDAP filter to apply the group to all the users under this filter
* In SAML identity provider - pass a list of hardcoded group paths as an attribute inside the SAML assertion

Is there an easy way to do it?

Thanks,
Liat

From: anders.kabell.kristensen at systematic.com (Anders KK)
Date: Thu, 4 May 2017 02:35:01 -0700 (MST)
Subject: [keycloak-user] SAML attribute mapper with processing
Message-ID: <1493890501905-3783.post@n6.nabble.com>

Hey guys,

We are still confused about adding custom implementations. We need to make our own modified AttributeToRoleMapper, but we cannot figure out if this can be dynamically loaded as a provider/module... Any hints about where to start?

Thanks again,
Ulrik and Anders

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-attribute-mapper-with-processing-tp3506p3783.html

From: tomas at intrahouse.com (Tomás García)
Date: Thu, 04 May 2017 10:44:09 +0000
Subject: [keycloak-user] Client Initiated Account Linking doubt

I'm looking at this doc: https://keycloak.gitbooks.io/documentation/server_development/topics/identity-brokering/account-linking.html

And unless your app lives inside a Java servlet guarded by Keycloak, there's no way to use this feature, right? Due to the hash generation. I don't see a way to get a client / user session Id since they're internal stuff in Keycloak associated thanks to the cookie in the user's browser. I get why it's needed though and I don't see any good alternative right now for non-servlet apps (OpenID Connect enabled apps made in other languages for instance)... but it's unfortunate that the doc doesn't clarify it.

Thanks.

From: jm85martins at gmail.com (Jorge M.)
Date: Thu, 4 May 2017 11:51:06 +0100
Subject: [keycloak-user] Help with SSO

Thank you all for the replies.

The "SSO" solution used on the other systems is an old custom in-house solution based on tokens (inspired by oauth but not properly compliant with the spec).

One of the possibilities is to use keycloak as the authentication provider in all the systems. Here, we should probably use different realms as the scope of the apps is different and we also want to use different login page themes, etc. So, is it possible to do SSO among different realms? How can we do that? Is there any example?

Thank you,
JM

From: rohitchaudhary95 at gmail.com (rohit chaudhary)
Date: Thu, 4 May 2017 17:26:39 +0530
Subject: [keycloak-user] OpenID/OAuth Identity provider

Hi,

I need to access an API secured by OAuth using keycloak. Should I go with identity provider? Need help.

Thanks in advance

From: thomas at recloux.fr (Thomas Recloux)
Date: Thu, 04 May 2017 14:34:20 +0200
Subject: [keycloak-user] Help with SSO
Message-ID: <1493901260.2904124.965620024.5E48E981@webmail.messagingengine.com>

> So, is it possible to do SSO among different realms? How can we do that? Is there any example?

No, it's not possible.

When https://issues.jboss.org/browse/KEYCLOAK-2671 is implemented, the login theme will be able to generate different content for specific clients.

From: adrianmatei at gmail.com (Adrian Matei)
Date: Thu, 4 May 2017 16:28:29 +0200
Subject: [keycloak-user] Recurrent unexpected UPDATE_PASSWORD required action (AD related?)

Hi guys,

Some users unexpectedly get the UPDATE_PASSWORD required action. The funny thing is, this happens even if this is disabled in Realm > Authentication > Required Actions > Update Password (OFF) (BUT entries still get generated in the USER_REQUIRED_ACTION table). I presume this happens when the sync with Active Directory happens, even when no users are imported... (No special config there)

We had this issue with version 1.7.0.Final, but it still persists after the migration to version 2.5.1.Final.

Does anyone experience the same issue or can advise on this?

Thanks.

Best regards,
Adrian

From: thorsten315 at gmx.de (Thorsten)
Date: Thu, 4 May 2017 16:38:39 +0200
Subject: [keycloak-user] JavaScript Adapter issues after upgrade from 3.0.0 to 3.1.0

Hi all,

I have played around with some Angular 4 stuff. I created a plain vanilla project through "ng new" and added the Keycloak 3.0.0 adapter pretty much like it is done in the Keycloak GitHub "angular2-product-app" demo. Works quite nicely. But the moment I upgrade the keycloak-js npm to 3.1.0 I get the error "keycloak-js is not a module". I am not sure but it looks like the new 3.1.0 adapter contains some buggy or outdated TypeScript definitions.

Any ideas how to get 3.1.0 working with Angular 4?

Thanks,
Thorsten

From: jeremy at perspectivepartners.com (Jeremy Waterman)
Date: Thu, 4 May 2017 10:50:49 -0400
Subject: [keycloak-user] Use X.509 certificate when retrieving Access Token from OIDC Provider?
Message-ID: <9BF331B2-D65C-40C1-AEAF-4E5A277EC2E6@perspectivepartners.com>

Hi all,

We are using Keycloak as an identity broker with a third party service. We've set up the third party as an OIDC Identity Provider within Keycloak, but we've hit a snag. The third party that we're working with requires that requests to retrieve an access token are sent with an X.509 certificate. We can't find a way within Keycloak to set this up and when we hit the token server URL to exchange the authorization code for a token, we are getting an error back from the third party - "proper client ssl certificate was not presented."

Any ideas on how to support this with Keycloak?

Thanks for any help!!
Jeremy

From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Thu, 4 May 2017 15:52:59 +0000
Subject: [keycloak-user] Use X.509 certificate when retrieving Access Token from OIDC Provider?

Hi,

Not a hundred percent sure, but you may have to edit standalone.xml to update the "connectionsHttpClient" SPI provider configuration (unless you have already done so) by adding a path to the client cert store containing your x509 client certificate, the client store password and the private key's password (if any):

"client-keystore"
"client-keystore-password"
"client-key-password"

My $0.02

--Peter
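As an added example (not from the thread or from the Keycloak project), the standalone.xml fragment that Peter's three property names correspond to: the `connectionsHttpClient` SPI inside the keycloak-server subsystem. The keystore path and the two password values are placeholders.

```xml
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <!-- other <spi> elements of the subsystem stay as they are -->
    <spi name="connectionsHttpClient">
        <provider name="default" enabled="true">
            <properties>
                <!-- keystore holding the client certificate and private key that
                     Keycloak presents when it calls the brokered IdP's token endpoint -->
                <property name="client-keystore" value="${jboss.server.config.dir}/broker-client.jks"/>
                <property name="client-keystore-password" value="CHANGE_ME_KEYSTORE_PASSWORD"/>
                <!-- only needed when the key entry has a password of its own -->
                <property name="client-key-password" value="CHANGE_ME_KEY_PASSWORD"/>
            </properties>
        </provider>
    </spi>
</subsystem>
```

The change takes effect after a server restart; since standalone.xml now holds the broker's client credential, keep it and the keystore readable only by the service account.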
From: bburke at redhat.com (Bill Burke)
Date: Thu, 4 May 2017 12:15:46 -0400
Subject: [keycloak-user] Client Initiated Account Linking doubt
Message-ID: <63975db8-deaa-c2ec-eaec-63501f21849c@redhat.com>

Non-servlet apps should have access to the token too. Client session and user session ids are in the token.

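An added example (not from the thread or from the Keycloak docs) of what Bill's answer means for a non-servlet app: read the session id ('session_state') and the client the token was issued for ('azp') from the app's own access token and build the account-linking URL. It assumes the hash formula and the /broker/{provider}/link endpoint as given in the account-linking docs Tomás linked, and uses a constructed, unverified demo token.

```python
import base64
import hashlib
import json
import uuid
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode


def b64url_decode(s: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    """Unpadded base64url, assumed to match Keycloak's Base64Url.encode."""
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def access_token_claims(access_token: str) -> Dict[str, object]:
    """Read the claims of a Keycloak access token (a JWS: header.payload.signature).

    No signature check is done here: the app is reading its own token, received
    directly from Keycloak's token endpoint. A token presented by a caller must
    be verified against the realm's public key before any claim is trusted.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def link_hash(nonce: str, session_state: str, client_id: str, provider: str) -> str:
    """base64url(SHA-256(nonce + session_state + client_id + provider)).

    Assumption: this is the formula the account-linking docs give for the 'hash'
    query parameter (token.getSessionState() + token.getIssuedFor()).
    """
    data = (nonce + session_state + client_id + provider).encode("utf-8")
    return b64url_encode(hashlib.sha256(data).digest())


def account_link_url(auth_server_root: str, realm: str, provider: str, access_token: str,
                     redirect_uri: str, nonce: Optional[str] = None) -> Tuple[str, str]:
    """Build the client-initiated account-linking URL from the app's own access token.

    Returns (url, nonce); the app keeps the nonce in its session so it can
    recognise the callback. The endpoint path is the one the linked docs name.
    """
    claims = access_token_claims(access_token)
    session_state = str(claims["session_state"])   # user session id
    client_id = str(claims["azp"])                 # client the token was issued for
    nonce = nonce or str(uuid.uuid4())
    query = urlencode({
        "nonce": nonce,
        "hash": link_hash(nonce, session_state, client_id, provider),
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
    path = "/auth/realms/%s/broker/%s/link" % (realm, provider)
    return auth_server_root.rstrip("/") + path + "?" + query, nonce


def make_demo_token(claims: Dict[str, object]) -> str:
    """Constructed token for the demo only: real header shape, placeholder signature."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".placeholder-signature"


# Constructed sample claims, shaped like a Keycloak access token payload.
DEMO_TOKEN = make_demo_token({
    "iss": "https://sso.example.test/auth/realms/demo",
    "azp": "python-app",
    "session_state": "c0ffee00-1111-2222-3333-444444444444",
    "typ": "Bearer",
})

if __name__ == "__main__":
    url, nonce = account_link_url("https://sso.example.test", "demo", "github",
                                  DEMO_TOKEN, "https://app.example.test/linked")
    print(url)
```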
From: tomas at intrahouse.com (Tomás García)
Date: Thu, 04 May 2017 18:18:36 +0000
Subject: [keycloak-user] Client Initiated Account Linking doubt

I see. I didn't know that the access token was another JWS token like the ID Token: https://github.com/keycloak/keycloak/blob/29c0fe564ce01c5cbfb1ca42e15bc7e25efb75b5/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L781

I didn't see in the OpenID Connect standard that the access token carried information, unlike the ID Token. That explains the so long access tokens from Keycloak... Carrying info is optional in the standard: https://tools.ietf.org/html/rfc6749#section-1.4

It should be explained in the Keycloak docs (unless I missed it).

Thanks, Bill.

From: jeremy at perspectivepartners.com (Jeremy Waterman)
Date: Thu, 4 May 2017 17:26:11 -0400
Subject: [keycloak-user] Use X.509 certificate when retrieving Access Token from OIDC Provider?
Message-ID: <52169475-F5AD-4D48-9EEE-9437C8590B05@perspectivepartners.com>

Thanks, Peter! I think that did it. We somehow missed that in the documentation initially.
From: nirmal.kumar at impetus.co.in (Nirmal Kumar)
Date: Fri, 5 May 2017 09:26:30 +0000
Subject: [keycloak-user] SSO from Java code

Hi All,

I installed the standalone version of the latest keycloak 3.0.0.Final and was pretty much impressed with the ease of getting SSO for my spring based REST web applications deployed on Tomcat 7.

I am wondering if I can get the same SSO feature from Java code without ever going to a browser, since I want the same from a CLI and no UI/browser.

Thanks,
-Nirmal

From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 5 May 2017 08:51:13 -0300
Subject: [keycloak-user] Performance with a large number of resources

On Thu, Apr 20, 2017 at 3:38 PM, Scott Elliott wrote:
> Using the photoz application as an example, what is the expected performance if there are a very large (say, 5M) number of albums? What about if there are multiple resources per album? You quickly get a very large number of resources. The OIDC adapters cache some number of these, so what effect will that have on the resource server?

Right now we cache things based on a very simple LRU cache with some expiration of entries. The number of cached entries is fixed though. Something we can expose via configuration.

> Ideally there would be a way to authorize any resource associated with an album, so if /album/vacation were authorized by /album/{id}, /album/vacation/photo/1 was also authorized, i.e., the URI that selects the resource to be authorized would always be /album/vacation.

All depends on how fine-grained you want your config. For instance, if you define a path "/album/{id}/*", the same resource (and associated permissions) will also be related with resources like "/album/vacation" and "/album/vacation/photo/1". However, if you have a resource on the server with a path "/album/vacation/photo/1", the enforcer is going to use this resource to check whether the user has access or not.

From: anders.kabell.kristensen at systematic.com (Anders KK)
Date: Fri, 5 May 2017 05:41:30 -0700 (MST)
Subject: [keycloak-user] SAML attribute mapper with processing
Message-ID: <1493988090139-3798.post@n6.nabble.com>

END OF STORY! We succeeded in creating a custom SAML attribute to role mapper.

Using the official keycloak example "providers/event-listener-sysout" as a starting point, we modified the project to implement a custom version of org.keycloak.broker.saml.mappers.AttributeToRoleMapper. One single java class. After building the project, the jar file was simply dropped in the "keycloak-3.0.0.Final/providers" directory and is now available in the Keycloak admin console...

Ulrik and Anders

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-attribute-mapper-with-processing-tp3506p3798.html

From: tech at psynd.net (Tech)
Date: Fri, 5 May 2017 14:48:57 +0200
Subject: [keycloak-user] Two OIDC working, but not SSO

Hello again,

I ran other tests using the out of the box applications given with the Keycloak examples, the customer and product portals, and also in that case the KEYCLOAK_IDENTITY cookie behaves in the same way. Using the other two applications, I can do OIDC authentication on both and everything is fine, but in this case the SSO between them is working. We cannot understand yet why the first application is not working, have you any idea?

On 27/04/17 15:56, Marek Posolda wrote:
> Not sure what could be the reason...
>
> Are you seeing the browser cookie if you login to some Keycloak builtin applications (admin console, account management)?
>
> I wonder about something around "http" or "https". Will it work if you switch SSL required for your realm to "ALWAYS"? Or the other way, will it work if you switch everything to "http" instead of "https"?
>
> Marek
>
> On 27/04/17 11:21, Tech wrote:
>> We try both with Firefox, Chrome and Internet explorer, in none of these cases we have this cookie.
>>
>> What could be the reason?
>>
>> On 27/04/17 10:02, Marek Posolda wrote:
>>> Yes, KEYCLOAK_IDENTITY cookie should be in the browser after successful authentication to your portal1 is fully finished. Are you seeing the cookie after this authentication?
>>>
>>> Then the portal2 is supposed to be automatically authenticated due to this cookie.
>>>
>>> Marek
>>>
>>> On 27/04/17 09:14, Tech wrote:
>>>> Hello,
>>>>
>>>> opening the browser the KEYCLOAK_IDENTITY cookie does not appear, but in my understanding this is created when you have an active session to Keycloak like accessing the admin interface.
>>>>
>>>> No proxies, cookies or load balancers in the backend server.
>>>>
>>>> On 26/04/17 16:17, Marek Posolda wrote:
>>>>> Thanks, are you seeing KEYCLOAK_IDENTITY cookie for your browser for path "/auth/realms/yourrealm"? Are you using proxy/loadbalancer, which may cause that cookies sent to the proxy are not visible on the backend server (Keycloak)?
>>>>>
>>>>> Marek
>>>>>
>>>>> On 26/04/17 09:09, Tech wrote:
>>>>>> Hello again,
>>>>>>
>>>>>> so:
>>>>>> 1) they are both using the same kc realm
>>>>>> 2) the cookie is not disabled
>>>>>> 3) in attach a screenshot, it's identical for the two applications, with the difference that one of the two URLs has the "2"
>>>>>>
>>>>>> On 26/04/17 06:17, Marek Posolda wrote:
>>>>>>> On 25/04/17 22:36, Tech wrote:
>>>>>>>> Hello Marek,
>>>>>>>>
>>>>>>>> 1) yes, they are both using the same Kc realm
>>>>>>>>
>>>>>>>> 2) how can I check this point?
>>>>>>>>
>>>>>>> In Keycloak admin console, there is tab "Authentication" and then flow "browser".
>>>>>>>
>>>>>>> Marek
>>>>>>>>
>>>>>>>> 3) I checked already, I don't think that anything like that is enabled, but I will send you a screen shot in the coming hours (not in the office right now)
>>>>>>>>
>>>>>>>> Thanks for the support
>>>>>>>>
>>>>>>>> On 25.04.17 22:14, Marek Posolda wrote:
>>>>>>>>> Normally SSO between client applications is supposed to work. I would check:
>>>>>>>>>
>>>>>>>>> - Are both your clients (portal1 and portal2) using the same Keycloak realm?
SSO will work just with same realm >>>>>>>>> >>>>>>>>> - Is Cookie authenticator enabled for authentication browser >>>>>>>>> flow of your realm? Didn't you accidentally disable it? SSO >>>>>>>>> requires that it is enabled >>>>>>>>> >>>>>>>>> - How does URL to Keycloak login screen looks like? I wonder >>>>>>>>> if your PHP adapter uses some parameters, which causes SSO >>>>>>>>> disabled (eg. prompt=login or max_age=0) >>>>>>>>> >>>>>>>>> Marek >>>>>>>>> >>>>>>>>> On 25/04/17 14:18, Tech wrote: >>>>>>>>>> >>>>>>>>>> Anybody with any ideas? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 25/04/17 12:53, Tech wrote: >>>>>>>>>>> >>>>>>>>>>> Hello Marek, >>>>>>>>>>> >>>>>>>>>>> maybe my email was confusing, we run initially two tests >>>>>>>>>>> were we login and logout in both portal to check that the >>>>>>>>>>> oidc is working on each of them. >>>>>>>>>>> >>>>>>>>>>> Once we know that OIDC is working, then we are expecting to >>>>>>>>>>> login to portal1 and opening portal2, to find us already >>>>>>>>>>> logged in, but this doesn't happen and we are forced to >>>>>>>>>>> login again >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 25/04/17 12:41, Marek Posolda wrote: >>>>>>>>>>>> If you don't do "Logout from portal1" at the end of first >>>>>>>>>>>> test, then SSO should work and you will be automatically >>>>>>>>>>>> logged into portal2 without a need to put your credentials. >>>>>>>>>>>> >>>>>>>>>>>> The logout is "SSO logout", hence it also kills the SSO >>>>>>>>>>>> session on Keycloak side and requires user to re-login. >>>>>>>>>>>> >>>>>>>>>>>> Marek >>>>>>>>>>>> >>>>>>>>>>>> On 25/04/17 12:31, Tech wrote: >>>>>>>>>>>>> Dear experts, >>>>>>>>>>>>> >>>>>>>>>>>>> we are working with Moodle, a PHP based platform, where we >>>>>>>>>>>>> have been >>>>>>>>>>>>> able to configure correctly Keycloak to implement OIDC. 
>>>>>>>>>>>>> >>>>>>>>>>>>> To test Keycloak we cloned this application, with >>>>>>>>>>>>> different URLs and we >>>>>>>>>>>>> did the first test: >>>>>>>>>>>>> >>>>>>>>>>>>> * Connect to portal1 >>>>>>>>>>>>> * User not recognized and redirected to Keycloak >>>>>>>>>>>>> through OIDC >>>>>>>>>>>>> * Enter credentials stored into Keycloak >>>>>>>>>>>>> * User accepted and redirected to portal1 >>>>>>>>>>>>> * Logout from portal1 >>>>>>>>>>>>> >>>>>>>>>>>>> After this we tested the second application: >>>>>>>>>>>>> >>>>>>>>>>>>> * Connect to portal2 >>>>>>>>>>>>> * User not recognized and redirected to Keycloak >>>>>>>>>>>>> through OIDC >>>>>>>>>>>>> * Enter credentials stored into Keycloak >>>>>>>>>>>>> * User accepted and redirected to portal2 >>>>>>>>>>>>> * Logout from portal2 >>>>>>>>>>>>> >>>>>>>>>>>>> In this case I know that OIDC is working for the two >>>>>>>>>>>>> applications and we >>>>>>>>>>>>> can expect that also the SSO is working, but after the >>>>>>>>>>>>> login in portal1 >>>>>>>>>>>>> we have to login again portal2, and vice-versa. >>>>>>>>>>>>> >>>>>>>>>>>>> We attach below here some logs, could you please help? >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> *Login to portal1* >>>>>>>>>>>>> >>>>>>>>>>>>> 2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] >>>>>>>>>>>>> (Periodic >>>>>>>>>>>>> Recovery) Send recover request for transaction origin node >>>>>>>>>>>>> identifier 1 >>>>>>>>>>>>> to EJB receiver with node name 79051ccf69ac >>>>>>>>>>>>> 2017-04-25 09:54:45,055 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-30) new >>>>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>>>> 2017-04-25 09:54:45,056 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-30) was >>>>>>>>>>>>> existing? 
false >>>>>>>>>>>>> 2017-04-25 09:54:45,056 DEBUG >>>>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>>> (default task-30) RESTEASY002315: PathInfo: >>>>>>>>>>>>> /realms/demo/protocol/openid-connect/auth >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>>> (default task-30) >>>>>>>>>>>>> AUTHENTICATE >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>>> (default task-30) >>>>>>>>>>>>> AUTHENTICATE ONLY >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) processFlow >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) check execution: auth-cookie requirement: >>>>>>>>>>>>> ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) authenticator: auth-cookie >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>>> (default task-30) >>>>>>>>>>>>> Could not find cookie: KEYCLOAK_IDENTITY >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) authenticator ATTEMPTED: auth-cookie >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) check execution: auth-spnego requirement: DISABLED >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG 
>>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) execution is processed >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) check execution: identity-provider-redirector >>>>>>>>>>>>> requirement: >>>>>>>>>>>>> ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) authenticator: identity-provider-redirector >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) authenticator ATTEMPTED: >>>>>>>>>>>>> identity-provider-redirector >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) check execution: null requirement: ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) execution is flow >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) processFlow >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) check execution: auth-username-password-form >>>>>>>>>>>>> requirement: REQUIRED >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) authenticator: 
auth-username-password-form >>>>>>>>>>>>> 2017-04-25 09:54:45,059 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) invoke authenticator.authenticate >>>>>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>>>>>> task-30) >>>>>>>>>>>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): >>>>>>>>>>>>> Not found >>>>>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>>>>>> task-30) >>>>>>>>>>>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not >>>>>>>>>>>>> found >>>>>>>>>>>>> 2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default >>>>>>>>>>>>> task-30) >>>>>>>>>>>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>>>>>>>>>>> 2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default >>>>>>>>>>>>> task-30) >>>>>>>>>>>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>>>>>>>>>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl >>>>>>>>>>>>> hasn't changed. 
>>>>>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-30) authenticator CHALLENGE: auth-username-password-form >>>>>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-30) >>>>>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>>>>> 2017-04-25 09:54:45,064 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-30) >>>>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>>>> 2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] >>>>>>>>>>>>> (Periodic >>>>>>>>>>>>> Recovery) Send recover request for transaction origin node >>>>>>>>>>>>> identifier 1 >>>>>>>>>>>>> to EJB receiver with node name 79051ccf69ac >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> *After authentication to portal1** >>>>>>>>>>>>> * >>>>>>>>>>>>> 2017-04-25 09:54:56,041 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-31) new >>>>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>>>> 2017-04-25 09:54:56,041 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-31) was >>>>>>>>>>>>> existing? 
false >>>>>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>>> (default task-31) RESTEASY002315: PathInfo: >>>>>>>>>>>>> /realms/Demo/login-actions/authenticate >>>>>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>>> (default task-31) >>>>>>>>>>>>> authenticationAction >>>>>>>>>>>>> 2017-04-25 09:54:56,042 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) check: auth-cookie requirement: ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) execution is processed >>>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) check: auth-spnego requirement: DISABLED >>>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) execution is processed >>>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) check: identity-provider-redirector requirement: >>>>>>>>>>>>> ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) execution is processed >>>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) check: null requirement: ALTERNATIVE 
>>>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) check: auth-username-password-form requirement: >>>>>>>>>>>>> REQUIRED >>>>>>>>>>>>> 2017-04-25 09:54:56,043 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) action: auth-username-password-form >>>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) authenticator SUCCESS: auth-username-password-form >>>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) processFlow >>>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) check execution: auth-otp-form requirement: OPTIONAL >>>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) authenticator: auth-otp-form >>>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) processFlow >>>>>>>>>>>>> 2017-04-25 09:54:56,141 DEBUG >>>>>>>>>>>>> [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] >>>>>>>>>>>>> >>>>>>>>>>>>> (default task-31) Hibernate RegisteredSynchronization >>>>>>>>>>>>> successfully >>>>>>>>>>>>> registered with JTA platform >>>>>>>>>>>>> 2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default >>>>>>>>>>>>> task-31) 
>>>>>>>>>>>>> select >>>>>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>>>>> from >>>>>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>>>>> where >>>>>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>>>>> and roleentity0_.REALM=? >>>>>>>>>>>>> 2017-04-25 09:54:56,142 DEBUG >>>>>>>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) MySqlDS: getConnection(null, >>>>>>>>>>>>> WrappedConnectionRequestInfo at 4570d800[userName=KeycloakUSR]) >>>>>>>>>>>>> [0/20] >>>>>>>>>>>>> 2017-04-25 09:54:56,143 DEBUG >>>>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>>>> >>>>>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>>>>> afterStatement >>>>>>>>>>>>> 2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default >>>>>>>>>>>>> task-31) >>>>>>>>>>>>> select >>>>>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>>>>> from >>>>>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>>>>> where >>>>>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>>>>> and roleentity0_.REALM=? >>>>>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG >>>>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>>>> >>>>>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>>>>> afterStatement >>>>>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default >>>>>>>>>>>>> task-31) >>>>>>>>>>>>> select >>>>>>>>>>>>> roleentity0_.ID as col_0_0_ >>>>>>>>>>>>> from >>>>>>>>>>>>> KEYCLOAK_ROLE roleentity0_ >>>>>>>>>>>>> where >>>>>>>>>>>>> roleentity0_.CLIENT_ROLE=0 >>>>>>>>>>>>> and roleentity0_.NAME=? >>>>>>>>>>>>> and roleentity0_.REALM=? 
>>>>>>>>>>>>> 2017-04-25 09:54:56,144 DEBUG >>>>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>>>> >>>>>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>>>>> afterStatement >>>>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] >>>>>>>>>>>>> (default task-31) >>>>>>>>>>>>> type=LOGIN, realmId=Demo, clientId=moodle, >>>>>>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>>>>>> ipAddress=192.168.0.27, >>>>>>>>>>>>> auth_method=openid-connect, auth_type=code, >>>>>>>>>>>>> redirect_uri=https://localhost/moodleiam/auth/oidc/, >>>>>>>>>>>>> consent=no_consent_required, >>>>>>>>>>>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, >>>>>>>>>>>>> username=testuser >>>>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>>> (default task-31) >>>>>>>>>>>>> Removing old user session: session: >>>>>>>>>>>>> 9a5218f8-aa9c-496c-aa00-780430f19c1b >>>>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>>> (default task-31) >>>>>>>>>>>>> Create login cookie - name: KEYCLOAK_IDENTITY, path: >>>>>>>>>>>>> /auth/realms/Demo, >>>>>>>>>>>>> max-age: -1 >>>>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>>> (default task-31) >>>>>>>>>>>>> Expiring remember me cookie >>>>>>>>>>>>> 2017-04-25 09:54:56,145 DEBUG >>>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>>> (default task-31) >>>>>>>>>>>>> Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo >>>>>>>>>>>>> 2017-04-25 09:54:56,146 DEBUG >>>>>>>>>>>>> [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default >>>>>>>>>>>>> task-31) >>>>>>>>>>>>> redirectAccessCode: state: bIJNAcPb8Rxz8Wb >>>>>>>>>>>>> 2017-04-25 09:54:56,146 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default 
>>>>>>>>>>>>> task-31) >>>>>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>>>>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>>>>>>>>>>>> (default >>>>>>>>>>>>> task-31) MySqlDS: returnConnection(4edba62b, false) [0/20] >>>>>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>>>>> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] >>>>>>>>>>>>> >>>>>>>>>>>>> (default task-31) Initiating JDBC connection release from >>>>>>>>>>>>> afterTransaction >>>>>>>>>>>>> 2017-04-25 09:54:56,149 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-31) >>>>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-24) new >>>>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-24) was >>>>>>>>>>>>> existing? 
false >>>>>>>>>>>>> 2017-04-25 09:54:56,642 DEBUG >>>>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>>> (default task-24) RESTEASY002315: PathInfo: >>>>>>>>>>>>> /realms/demo/protocol/openid-connect/token >>>>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>>> (default task-24) >>>>>>>>>>>>> AUTHENTICATE CLIENT >>>>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>>>> (default task-24) >>>>>>>>>>>>> client authenticator: client-secret >>>>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>>>> (default task-24) >>>>>>>>>>>>> client authenticator SUCCESS: client-secret >>>>>>>>>>>>> 2017-04-25 09:54:56,643 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.ClientAuthenticationFlow] >>>>>>>>>>>>> (default task-24) >>>>>>>>>>>>> Client moodle authenticated by client-secret >>>>>>>>>>>>> 2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] >>>>>>>>>>>>> (default task-24) >>>>>>>>>>>>> type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle, >>>>>>>>>>>>> userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, >>>>>>>>>>>>> ipAddress=153.109.152.213, >>>>>>>>>>>>> token_id=75173922-dd56-44ca-9255-9a5368e557f4, >>>>>>>>>>>>> grant_type=authorization_code, refresh_token_type=Refresh, >>>>>>>>>>>>> refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, >>>>>>>>>>>>> code_id=08539f13-cb1c-423e-86a3-365c29b055f1, >>>>>>>>>>>>> client_auth_method=client-secret >>>>>>>>>>>>> 2017-04-25 09:54:56,663 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-24) >>>>>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>>>>> 2017-04-25 09:54:56,663 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-24) >>>>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 
>>>>>>>>>>>>> *Login to portal2** >>>>>>>>>>>>> * >>>>>>>>>>>>> 2017-04-25 09:56:17,566 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-6) new >>>>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>>>> 2017-04-25 09:56:17,566 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-6) was >>>>>>>>>>>>> existing? false >>>>>>>>>>>>> 2017-04-25 09:56:17,567 DEBUG >>>>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>>> (default task-6) RESTEASY002315: PathInfo: >>>>>>>>>>>>> /realms/demo/protocol/openid-connect/auth >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> AUTHENTICATE >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> AUTHENTICATE ONLY >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> processFlow >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> check execution: auth-cookie requirement: ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> authenticator: auth-cookie >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> invoke authenticator.authenticate >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.services.managers.AuthenticationManager] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> Could not find cookie: KEYCLOAK_IDENTITY >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> 
[org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> authenticator ATTEMPTED: auth-cookie >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> check execution: auth-spnego requirement: DISABLED >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> execution is processed >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> check execution: identity-provider-redirector requirement: >>>>>>>>>>>>> ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> authenticator: identity-provider-redirector >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> invoke authenticator.authenticate >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> authenticator ATTEMPTED: identity-provider-redirector >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> check execution: null requirement: ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> execution is flow >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> processFlow >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> 
[org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> check execution: auth-username-password-form requirement: >>>>>>>>>>>>> REQUIRED >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> authenticator: auth-username-password-form >>>>>>>>>>>>> 2017-04-25 09:56:17,569 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> invoke authenticator.authenticate >>>>>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>>>>> task-6) >>>>>>>>>>>>> TemplateLoader.findTemplateSource("template_en_US.ftl"): >>>>>>>>>>>>> Not found >>>>>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>>>>> task-6) >>>>>>>>>>>>> TemplateLoader.findTemplateSource("template_en.ftl"): Not >>>>>>>>>>>>> found >>>>>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>>>>> task-6) >>>>>>>>>>>>> TemplateLoader.findTemplateSource("template.ftl"): Found >>>>>>>>>>>>> 2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default >>>>>>>>>>>>> task-6) >>>>>>>>>>>>> "template.ftl"("en_US", UTF-8, parsed): using cached since >>>>>>>>>>>>> file:/opt/jboss/keycloak/themes/base/login/template.ftl >>>>>>>>>>>>> hasn't changed. 
>>>>>>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-6) >>>>>>>>>>>>> authenticator CHALLENGE: auth-username-password-form >>>>>>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-6) >>>>>>>>>>>>> JtaTransactionWrapper commit >>>>>>>>>>>>> 2017-04-25 09:56:17,573 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-6) >>>>>>>>>>>>> JtaTransactionWrapper end >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> *After authentication to portal2** >>>>>>>>>>>>> * >>>>>>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-4) new >>>>>>>>>>>>> JtaTransactionWrapper >>>>>>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>>>>>> [org.keycloak.transaction.JtaTransactionWrapper] (default >>>>>>>>>>>>> task-4) was >>>>>>>>>>>>> existing? 
false >>>>>>>>>>>>> 2017-04-25 09:56:29,001 DEBUG >>>>>>>>>>>>> [org.jboss.resteasy.resteasy_jaxrs.i18n] >>>>>>>>>>>>> (default task-4) RESTEASY002315: PathInfo: >>>>>>>>>>>>> /realms/Demo/login-actions/authenticate >>>>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.AuthenticationProcessor] >>>>>>>>>>>>> (default task-4) >>>>>>>>>>>>> authenticationAction >>>>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-4) >>>>>>>>>>>>> processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846 >>>>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-4) >>>>>>>>>>>>> check: auth-cookie requirement: ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-4) >>>>>>>>>>>>> execution is processed >>>>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-4) >>>>>>>>>>>>> check: auth-spnego requirement: DISABLED >>>>>>>>>>>>> 2017-04-25 09:56:29,002 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-4) >>>>>>>>>>>>> execution is processed >>>>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-4) >>>>>>>>>>>>> check: identity-provider-redirector requirement: ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-4) >>>>>>>>>>>>> execution is processed >>>>>>>>>>>>> 2017-04-25 09:56:29,004 DEBUG >>>>>>>>>>>>> [org.keycloak.authentication.DefaultAuthenticationFlow] >>>>>>>>>>>>> (default task-4) >>>>>>>>>>>>> check: null requirement: ALTERNATIVE >>>>>>>>>>>>> 2017-04-25 
From DBoutin at voyages-sncf.com Fri May 5 09:00:08 2017
From: DBoutin at voyages-sncf.com (Boutin Damien)
Date: Fri, 5 May 2017 13:00:08 +0000
Subject: [keycloak-user] Passing login_hint up to Identity Provider
Message-ID:

Hello,

We are using keycloak to authenticate our users, using both user federation and identity provider features.

Concerning the identity provider, we encountered an issue regarding the redirection to the authorized endpoint of our partner. The "login_hint" parameter is not forwarded to the targeted provider.

A thread was opened several months ago regarding this subject but we haven't seen any feature request related to it.
http://lists.jboss.org/pipermail/keycloak-dev/2016-December/008595.html

Is it ok if we create a jira ticket for this feature request and provide you with a pull request?

Thanks in advance

Regards,
Damien BOUTIN

From scottpelliott at gmail.com Fri May 5 10:18:44 2017
From: scottpelliott at gmail.com (Scott Elliott)
Date: Fri, 05 May 2017 14:18:44 +0000
Subject: [keycloak-user] Performance with a large number of resources
In-Reply-To:
References:
Message-ID:

On Fri, May 5, 2017 at 7:51 AM Pedro Igor Silva wrote:

> On Thu, Apr 20, 2017 at 3:38 PM, Scott Elliott wrote:
>
>> Using the photoz application as an example, what is the expected
>> performance if there are a very large (say, 5M) number of albums? What
>> about if there are multiple resources per album? You quickly get a very
>> large number of resources. The OIDC adapters cache some number of these,
>> so what effect will that have on the resource server?
>
> Right now we cache things based on a very simple LRU cache with some
> expiration of entries. Number of cached entries is fixed though. Something
> we can expose via configuration.

"Right now" being 3.1.0.CR1? What about in 2.5.5.Final?

>> Ideally there would be a way to authorize any resource associated with an
>> album, so if /album/vacation were authorized by /album/{id},
>> /album/vacation/photo/1 was also authorized, i.e., the URI that selects
>> the resource to be authorized would always be /album/vacation.
>
> All depends on how fine grained you want your config. For instance, if
> you define a path "/album/{id}/*", the same resource (and associated
> permissions) will also be related with resources like "/album/vacation" and
> "/album/vacation/photo/1". However, if you have a resource on the server
> with a path "/album/vacation/photo/1", the enforcer is going to use this
> resource to check whether the user has access or not.

This gets us back to my original question about passing other info to the
authorization request. Right now we'd have too many resources that would
need to be registered and maintained.

I did a hack as a test to add the actual URL to the permission request, and
set it in the ticket in the permission response, so that it is passed to the
authorization request, and can be accessed as part of the evaluation
context. It does what we need, but I do not know if it violates any standard.

Scott

From nirmal.kumar at impetus.co.in Fri May 5 11:02:45 2017
From: nirmal.kumar at impetus.co.in (Nirmal Kumar)
Date: Fri, 5 May 2017 15:02:45 +0000
Subject: [keycloak-user] SSO from Java code
In-Reply-To:
References:
Message-ID:

Hi Josh,

I have deployed my WAR(s) by using the keycloak Tomcat and Spring security adapters. The web apps seem to be running fine with keycloak SSO enabled from the browser, where I am redirected to a Login page and then to the original url.

Apart from the browser I also have a use case where the web app REST calls can be made through Java code directly from other standalone Java applications. Think of the web app REST endpoints as an SDK whose consumers can be browser based as well as non-browser based. The consumers here have a high degree of trust and have the username/password available. That way I can think of "Resource Owner Password Credentials grant" to be used.

I read that we can use generic OpenID Connect Resource Provider libraries for such cases:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc-generic.html

1. /realms/{realm-name}/protocol/openid-connect/token
   This is the URL endpoint for obtaining a temporary code in the Authorization Code Flow or for obtaining tokens via the Implicit Flow, Direct Grants, or Client Grants.
2. /realms/{realm-name}/protocol/openid-connect/userinfo
   This is the URL endpoint for the User Info service described in the OIDC specification.
3. /realms/{realm-name}/protocol/openid-connect/logout
   This is the URL endpoint for performing logouts.

I can think of using #1 to get the access token, then passing this token for all my subsequent REST calls. I even tested this and found it working.

Does this make sense or are there any other better alternatives?

Regards,
-Nirmal

-----Original Message-----
From: Josh Cain [mailto:jcain at redhat.com]
Sent: Friday, May 5, 2017 6:52 PM
To: Nirmal Kumar ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SSO from Java code

Hi Nirmal,

Depending on what protocol you're using, I think Keycloak's got you covered. I'd check out either the SAML ECP flow[0] or the OIDC Resource Owner Password Credentials flow[1], both of which are supported by Keycloak. However, I'd also point out that these are highly uncommon and should only be used in a small number of cases. Do you mind my asking why you're needing to cut a browser out of the picture?

[0] http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html
[1] https://tools.ietf.org/html/rfc6749#section-1.3.3

Josh Cain
Senior Software Applications Engineer, RHCSA
Red Hat North America
jcain at redhat.com
M: +1 256-452-0150
IRC: jcain

On 05/05/2017 04:26 AM, Nirmal Kumar wrote:
> Hi All,
>
> I installed the standalone version of latest keycloak 3.0.0.Final and was pretty much impressed with the ease of getting SSO for my spring based REST web applications deployed on Tomcat 7.
>
> I am wondering if I can get the same SSO feature from Java code without ever going to a browser, since I want the same from a CLI and no UI/browser.
>
> Thanks,
> -Nirmal
>
> ________________________________
>
> NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
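The direct-grant approach Nirmal describes (endpoint #1 with grant_type=password, then the access token on every REST call), as an added Python example that is not Keycloak's or the poster's code. The base URL, realm, client id and the fake token endpoint are constructed; the client refuses a non-https endpoint because the password itself is in the POST body, and it refreshes with the refresh_token grant instead of re-sending the password.

```python
"""Non-browser client for Keycloak's direct grant (OAuth2 Resource Owner
Password Credentials): obtain tokens from the token endpoint, reuse the
access token as a Bearer header on later REST calls, and refresh it before it
expires instead of re-sending the password. Added example, not Keycloak's
code; the base URL, realm, client and fake endpoint below are constructed."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request


class TokenError(Exception):
    """OAuth2 error response (RFC 6749 section 5.2) from the token endpoint."""


class DirectGrantClient:
    def __init__(self, base_url, realm, client_id, client_secret=None,
                 transport=None, clock=time.time):
        self.token_url = (f"{base_url.rstrip('/')}/realms/{realm}"
                          "/protocol/openid-connect/token")
        if not self.token_url.startswith("https://"):
            # The user's password travels in the POST body: refuse cleartext.
            raise ValueError("token endpoint must be https")
        self._creds = {"client_id": client_id}
        if client_secret:                 # confidential client
            self._creds["client_secret"] = client_secret
        self.transport, self.clock = transport, clock   # transport: urllib if None
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _post_form(self, fields):
        body = urllib.parse.urlencode(fields).encode()
        if self.transport is not None:
            return self.transport(self.token_url, body)
        req = urllib.request.Request(
            self.token_url, data=body,
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.loads(resp.read().decode())
        except urllib.error.HTTPError as exc:
            try:
                err = json.loads(exc.read().decode())
            except ValueError:
                err = {"error": f"http_{exc.code}"}
            raise TokenError(err.get("error"), err.get("error_description")) from exc

    def _store(self, tok):
        self.access_token = tok["access_token"]
        self.refresh_token = tok.get("refresh_token")
        self.expires_at = self.clock() + float(tok["expires_in"])

    def login(self, username, password):
        self._store(self._post_form(dict(
            self._creds, grant_type="password", scope="openid",
            username=username, password=password)))

    def refresh(self):
        self._store(self._post_form(dict(
            self._creds, grant_type="refresh_token",
            refresh_token=self.refresh_token)))

    def bearer_header(self, skew_seconds=30):
        """Header for the next REST call; refreshes shortly before expiry."""
        if self.access_token is None:
            raise TokenError("not_logged_in", "call login() first")
        if self.clock() >= self.expires_at - skew_seconds:
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}


def make_fake_transport():
    """Constructed stand-in for the token endpoint; records each form it gets."""
    calls = []
    def transport(url, body):
        fields = dict(urllib.parse.parse_qsl(body.decode()))
        calls.append(fields)
        if fields["grant_type"] == "password" and fields["password"] != "correct horse":
            raise TokenError("invalid_grant", "Invalid user credentials")
        n = len(calls)
        return {"access_token": f"AT{n}", "refresh_token": f"RT{n}",
                "expires_in": 60, "token_type": "bearer"}
    return transport, calls


def demo():
    """Log in once, then move the clock near expiry: the next call refreshes."""
    now = [1000.0]
    transport, calls = make_fake_transport()
    client = DirectGrantClient("https://sso.example.test/auth", "demo",
                               "cli-client", transport=transport,
                               clock=lambda: now[0])
    client.login("testuser", "correct horse")
    first = client.bearer_header()["Authorization"]      # "Bearer AT1"
    now[0] += 45                  # 15 s left, inside the 30 s skew window
    second = client.bearer_header()["Authorization"]     # "Bearer AT2"
    return first, second, [c["grant_type"] for c in calls]
```

Against a real server, drop the transport argument and the client posts to the token URL with urllib; an OAuth2 error body surfaces as TokenError with the server's error and error_description.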
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 5 May 2017 12:35:00 -0300
Subject: [keycloak-user] Performance with a large number of resources
In-Reply-To:
References:
Message-ID:

On Fri, May 5, 2017 at 11:18 AM, Scott Elliott wrote:

> On Fri, May 5, 2017 at 7:51 AM Pedro Igor Silva wrote:
>
>> On Thu, Apr 20, 2017 at 3:38 PM, Scott Elliott wrote:
>>
>>> Using the photoz application as an example, what is the expected
>>> performance if there are a very large (say, 5M) number of albums? What
>>> about if there are multiple resources per album? You quickly get a very
>>> large number of resources. The OIDC adapters cache some number of these,
>>> so what effect will that have on the resource server?
>>
>> Right now we cache things based on a very simple LRU cache with some
>> expiration of entries. Number of cached entries is fixed though. Something
>> we can expose via configuration.
>
> "Right now" being 3.1.0.CR1? What about in 2.5.5.Final?

Yes, right now 3.1.0.CR1. The cache is only available on 3.1.0.CR1+.

>>> Ideally there would be a way to authorize any resource associated with an
>>> album, so if /album/vacation were authorized by /album/{id},
>>> /album/vacation/photo/1 was also authorized, i.e., the URI that selects
>>> the resource to be authorized would always be /album/vacation.
>>
>> All depends on how fine grained you want your config. For instance, if
>> you define a path "/album/{id}/*", the same resource (and associated
>> permissions) will also be related with resources like "/album/vacation" and
>> "/album/vacation/photo/1". However, if you have a resource on the server
>> with a path "/album/vacation/photo/1", the enforcer is going to use this
>> resource to check whether the user has access or not.
>
> This gets us back to my original question about passing other info to the
> authorization request. Right now we'd have too many resources that would
> need to be registered and maintained. I did a hack as a test to add the
> actual URL to the permission request, and set it in the ticket in the
> permission response, so that it is passed to the authorization request, and
> can be accessed as part of the evaluation context. It does what we need,
> but I do not know if it violates any standard.

I don't think it violates UMA as the ticket can hold whatever we want. But what I think we should do is provide to you and your resource server some way to populate the ticket (or an entitlement request) with additional info. I'm still not sure how to provide a callback for this, still trying to figure out. It would require something on the adapter side that you could register a callback to be invoked prior to building the ticket/authorization request.

> Scott

From rl.subscriber at gmail.com Fri May 5 11:39:19 2017
From: rl.subscriber at gmail.com (rl.subscriber at gmail.com)
Date: Fri, 5 May 2017 08:39:19 -0700 (MST)
Subject: [keycloak-user] update password failed - invalid code
In-Reply-To:
References:
Message-ID: <1493998759006-3799.post@n6.nabble.com>

Hi, I encountered the same problem and my analysis is that it *depends on the mail client* you are using!!

Because, when you use for example *Outlook Webmail* it tries to render the user action URL in the email and sends a request to open the URL. When this happens the key is used and invalidated for further requests. As a consequence, when the user clicks on the URL, the link is not valid and cannot be used anymore.

This does not happen with the classic Outlook Desktop Application.

From my point of view, this makes this execute-action-email feature unusable.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-update-password-failed-invalid-code-tp2692p3799.html
Sent from the keycloak-user mailing list archive at Nabble.com.
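The failure rl.subscriber describes above (a mail client's automatic fetch of the action URL consumes the single-use key before the user clicks) next to the usual mitigation, as an added Python example that is not Keycloak's code: in the hardened design a GET only validates the key and renders a confirmation form, and the key is consumed by the POST a person submits, which link prefetchers and scanners do not issue. The URL path, TTL, user names and action names are constructed.

```python
"""Single-use e-mail action links versus link-prefetching mail clients.
Added example, not Keycloak's code: the naive handler consumes the key on
the GET that opens the link, so an automated fetch burns it; the hardened
handler consumes it only on the POST of the confirmation form."""
import hashlib
import secrets
import time

ACTION_TTL_SECONDS = 300                                  # constructed value
BASE_URL = "https://sso.example.test/auth/realms/demo"    # constructed
ACTION_PATH = "/login-actions/execute-actions"            # constructed path


def _fingerprint(key: str) -> str:
    # Store only a hash of the key, so a read of the store yields no live links.
    return hashlib.sha256(key.encode()).hexdigest()


class ActionLinkService:
    def __init__(self, clock=time.time):
        self._pending = {}        # sha256(key) -> (user, action, expires_at)
        self.clock = clock

    def issue(self, user: str, action: str) -> str:
        key = secrets.token_urlsafe(32)
        self._pending[_fingerprint(key)] = (user, action,
                                            self.clock() + ACTION_TTL_SECONDS)
        return f"{BASE_URL}{ACTION_PATH}?key={key}"

    def _lookup(self, key: str):
        entry = self._pending.get(_fingerprint(key))
        if entry is None or self.clock() > entry[2]:
            return None           # unknown, already used, or expired
        return entry

    def _consume(self, key: str):
        self._pending.pop(_fingerprint(key), None)

    # --- naive design: opening the link performs the action -----------------
    def naive_get(self, key: str):
        entry = self._lookup(key)
        if entry is None:
            return 400, "invalid_code"
        self._consume(key)        # a prefetcher's GET invalidates the key here
        return 200, f"{entry[1]} form shown to {entry[0]}"

    # --- hardened design: GET confirms, POST consumes ------------------------
    def hardened_get(self, key: str):
        entry = self._lookup(key)
        if entry is None:
            return 400, "invalid_code"
        # Render a page whose form carries the key in a hidden field. Nothing
        # is consumed yet, so an automated fetch of the link is harmless.
        return 200, f"confirm {entry[1]} for {entry[0]} (POST to continue)"

    def hardened_post(self, key: str):
        entry = self._lookup(key)
        if entry is None:
            return 400, "invalid_code"
        self._consume(key)        # single use is still enforced, on the POST
        return 200, f"{entry[1]} completed for {entry[0]}"


def walk_through(hardened: bool):
    """Replay the thread's scenario: the mail client fetches the link first,
    then the human opens it. Returns the HTTP status of each step."""
    now = [0.0]
    svc = ActionLinkService(clock=lambda: now[0])
    link = svc.issue("alice", "UPDATE_PASSWORD")
    key = link.split("key=", 1)[1]
    get = svc.hardened_get if hardened else svc.naive_get
    steps = [get(key)[0],         # Outlook Webmail prefetches the URL
             get(key)[0]]         # the user clicks the same link later
    if hardened:
        steps.append(svc.hardened_post(key)[0])   # user submits the form
        steps.append(svc.hardened_post(key)[0])   # a replay is rejected
    return steps


def expired_link_is_rejected() -> int:
    """The TTL still bounds the window in which the hardened link is usable."""
    now = [0.0]
    svc = ActionLinkService(clock=lambda: now[0])
    key = svc.issue("bob", "VERIFY_EMAIL").split("key=", 1)[1]
    now[0] += ACTION_TTL_SECONDS + 1
    return svc.hardened_get(key)[0]


if __name__ == "__main__":
    print("naive:   ", walk_through(hardened=False))    # [200, 400]
    print("hardened:", walk_through(hardened=True))     # [200, 200, 200, 400]
```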
From: jm85martins at gmail.com (Jorge M.)
Date: Fri, 5 May 2017 18:02:20 +0100
Subject: [keycloak-user] Help with SSO
In-Reply-To: <1493901260.2904124.965620024.5E48E981@webmail.messagingengine.com>
References: <1493878538.3587870.965306608.46509692@webmail.messagingengine.com> <1493901260.2904124.965620024.5E48E981@webmail.messagingengine.com>
Message-ID:

Hi,

I'm trying to implement a proof of concept that authenticates a user using the API direct access grant with grant_type password (no social login in this scenario), and after getting the tokens I use them to create a session in the browser (using the javascript adapter). That is actually working fine... except the SSO! :(

I think that my problem with SSO is related to the checkLoginIframe. If checkLoginIframe is enabled the login doesn't work. If I disable it, the login works fine but no SSO.

Am I doing something wrong? Can I get SSO with this approach?

My JS adapter code that works fine for login:

    keycloak.init({
        checkLoginIframe: false,
        token: "xxx",
        refreshToken: "xxx",
        idToken: "xxx"
    }).success(function (authenticated) {
        if (!authenticated) {
            keycloak.login();
        } else {
            loadData();
        }
    }).error(function () {
    });

Thank you,
JM

2017-05-04 13:34 GMT+01:00 Thomas Recloux:

>> So, is it possible to do SSO among different realms? How can we do that?
>> Is there any example?
>
> No, it's not possible
>
> When https://issues.jboss.org/browse/KEYCLOAK-2671 will be implemented,
> the login theme will be able to generate different content for specific
> clients.

From rysiek at occrp.org Fri May 5 13:20:09 2017
From: rysiek at occrp.org (Rashiq)
Date: Fri, 05 May 2017 19:20:09 +0200
Subject: [keycloak-user] update password failed - invalid code
In-Reply-To: <1493998759006-3799.post@n6.nabble.com>
References: <1493998759006-3799.post@n6.nabble.com>
Message-ID: <2374870.I8OffC9HXN@lapuntu>

Hi,

On Friday, 5 May 2017 08:39:19 CEST rl.subscriber at gmail.com wrote:
> Hi, I encountered the same problem and my analysis is that it *depends on
> the mail client* you are using!!
>
> Because, when you use for example *Outlook Webmail* it tries to render the
> user action URL in the email and sends a request to open the URL. When this
> happens the key is used and invalidated for further requests. As a
> consequence, when the user clicks on the URL, the link is not valid and
> cannot be used anymore.

Oh wow. I was debugging this for a month -- a single user out of thousands could not reset their password. Turns out they've been using Outlook Webmail.

> This does not happen with the classic Outlook Desktop Application.
>
> From my point of view, this makes this execute-action-email feature
> unusable.

From my point of view this is a serious bug in Outlook Webmail. This is a completely unexpected behavior, and one Keycloak cannot do much about. It's also something Outlook Webmail developers can fix easily.

--
Regards,
rashiq

From mehdi.alishahi at gmail.com Sat May 6 12:24:13 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Sat, 6 May 2017 18:24:13 +0200
Subject: [keycloak-user] JavaScript adapter: how to get error message
Message-ID:

Hi,

With the following code, I am not able to get the error message. How should I do that? thanks.

    Uncaught TypeError: Cannot read property 'error_description' of undefined
        at Object.errorCallback (index.js:49)
        at Object.setError (keycloak.js:775)
        at Object.errorCallback (keycloak.js:198)
        at Object.setError (keycloak.js:775)
        at XMLHttpRequest.req.onreadystatechange (keycloak.js:600)

    return kc.init({onLoad: 'login-required'}).success(authenticated => {
        console.log("AUTH STATUS: " + authenticated);
        if (!authenticated) {
            kc.login();
        } else {
            dispatch(loginSucceed(kc));
        }
    }).error(function (error) {
        console.log(error.error_description);
        console.log(error.error);
        console.log(JSON.stringify(error));
        dispatch(loginFailed(JSON.stringify(error)));
    });

From bruno at abstractj.org Sun May 7 03:59:59 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Sun, 7 May 2017 04:59:59 -0300
Subject: [keycloak-user] JavaScript adapter: how to get error message
In-Reply-To:
References:
Message-ID: <20170507075959.GB19609@abstractj.org>

You cannot get the error_description, because your object "error" does not exist.

Take a look at the examples[1], it may give you an idea.

[1] - https://github.com/keycloak/keycloak/blob/master/examples/js-console/src/main/webapp/index.html#L139-L143

On 2017-05-06, Mehdi Sheikhalishahi wrote:
> Hi,
>
> With the following code, I am not able to get the error message. How should I
> do that? thanks.
>
> Uncaught TypeError: Cannot read property 'error_description' of undefined
>     at Object.errorCallback (index.js:49)
>     at Object.setError (keycloak.js:775)
>     at Object.errorCallback (keycloak.js:198)
>     at Object.setError (keycloak.js:775)
>     at XMLHttpRequest.req.onreadystatechange (keycloak.js:600)
>
> return kc.init({onLoad: 'login-required'}).success(authenticated => {
>     console.log("AUTH STATUS: " + authenticated);
>     if (!authenticated) {
>         kc.login();
>     } else {
>         dispatch(loginSucceed(kc));
>     }
> }).error(function (error) {
>     console.log(error.error_description);
>     console.log(error.error);
>     console.log(JSON.stringify(error));
>     dispatch(loginFailed(JSON.stringify(error)));
> });

--
abstractj

From Benjamin.Stadin at heidelberg-mobil.com Sun May 7 08:36:43 2017
From: Benjamin.Stadin at heidelberg-mobil.com (Stadin, Benjamin)
Date: Sun, 7 May 2017 12:36:43 +0000
Subject: [keycloak-user] Complete overview of event types
In-Reply-To:
References:
Message-ID: <245D0246-F823-42E2-9A7A-A01CBC7442EA@heidelberg-mobil.com>

Hi,

Is there a complete overview of event types? I found the event listener example here:
https://github.com/keycloak/keycloak/tree/master/examples/providers/event-listener-sysout

And a few possible events here:
https://keycloak.gitbooks.io/documentation/server_admin/topics/events/login.html

But is there another overview of all events? In particular, I need to intercept events when a user is enabled/disabled and deleted. And session events when e.g. a token has timed out.

Regards
Ben

From mehdi.alishahi at gmail.com Sun May 7 14:40:21 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Sun, 7 May 2017 20:40:21 +0200
Subject: [keycloak-user] JavaScript adapter: how to get error message
In-Reply-To: <20170507075959.GB19609@abstractj.org>
References: <20170507075959.GB19609@abstractj.org>
Message-ID:

thanks Bruno.

On Sun, May 7, 2017 at 9:59 AM, Bruno Oliveira wrote:

> You cannot get the error_description, because your object "error" does
> not exist.
>
> Take a look at the examples[1], it may give you an idea.
>
> [1] - https://github.com/keycloak/keycloak/blob/master/examples/js-console/src/main/webapp/index.html#L139-L143
>
> On 2017-05-06, Mehdi Sheikhalishahi wrote:
> > Hi,
> >
> > With the following code, I am not able to get the error message. How should I
> > do that? thanks.
> >
> > Uncaught TypeError: Cannot read property 'error_description' of undefined
> >     at Object.errorCallback (index.js:49)
> >     at Object.setError (keycloak.js:775)
> >     at Object.errorCallback (keycloak.js:198)
> >     at Object.setError (keycloak.js:775)
> >     at XMLHttpRequest.req.onreadystatechange (keycloak.js:600)
> >
> > return kc.init({onLoad: 'login-required'}).success(authenticated => {
> >     console.log("AUTH STATUS: " + authenticated);
> >     if (!authenticated) {
> >         kc.login();
> >     } else {
> >         dispatch(loginSucceed(kc));
> >     }
> > }).error(function (error) {
> >     console.log(error.error_description);
> >     console.log(error.error);
> >     console.log(JSON.stringify(error));
> >     dispatch(loginFailed(JSON.stringify(error)));
> > });
>
> --
>
> abstractj

From rl.subscriber at gmail.com Mon May 8 02:26:39 2017
From: rl.subscriber at gmail.com (rl.subscriber at gmail.com)
Date: Sun, 7 May 2017 23:26:39 -0700 (MST)
Subject: [keycloak-user] update password failed - invalid code
In-Reply-To: <2374870.I8OffC9HXN@lapuntu>
References: <1493998759006-3799.post@n6.nabble.com> <2374870.I8OffC9HXN@lapuntu>
Message-ID: <1494224799011-3812.post@n6.nabble.com>

Well, I would not say that this is a bug in Outlook Webmail, there are other applications having similar functionality.

From rysiek at occrp.org Mon May 8 04:23:02 2017
From: rysiek at occrp.org (Rashiq)
Date: Mon, 08 May 2017 10:23:02 +0200
Subject: [keycloak-user] update password failed - invalid code
In-Reply-To: <1494224799011-3812.post@n6.nabble.com>
References: <2374870.I8OffC9HXN@lapuntu> <1494224799011-3812.post@n6.nabble.com>
Message-ID: <46698177.OxmzLAh7M7@lapuntu>

On Sunday, 7 May 2017 23:26:39 CEST rl.subscriber at gmail.com wrote:
> Well, I would not say that this is a bug in Outlook Webmail, there are other
> applications having similar functionality.

A list would be very helpful in debugging potential password reset issues in the future.

--
Regards,
rashiq

From bruno at abstractj.org Mon May 8 05:06:51 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 8 May 2017 06:06:51 -0300
Subject: [keycloak-user] Recurrent unexpected UPDATE_PASSWORD required action (AD related?)
In-Reply-To:
References:
Message-ID: <20170508090651.GA31744@abstractj.org>

I never experienced this, but I'd suggest to upgrade to 3.1.0.Final and see if the same happens.

On 2017-05-04, Adrian Matei wrote:
> Hi guys,
>
> Some users get unexpectedly the UPDATE_PASSWORD required action. The funny
> thing is, this happens even if this is disabled in
> Realm > Authentication > Required Actions > Update Password (OFF)
> (BUT entries still get generated in the USER_REQUIRED_ACTION table).
>
> I presume this happens when the sync with Active Directory happens, even
> when no users are imported... (No special config there)
>
> We had this issue with version 1.7.0.Final, but it still persists with the
> migration to version 2.5.1.Final
>
> Anyone experiencing the same issue or can advise on this? Thanks.
>
> Best regards,
> Adrian

--
abstractj

From wim.vandenhaute at gmail.com Mon May 8 05:47:32 2017
From: wim.vandenhaute at gmail.com (Wim Vandenhaute)
Date: Mon, 08 May 2017 09:47:32 +0000
Subject: [keycloak-user] Migration from 2.4.0 to 2.5.5
In-Reply-To:
References:
Message-ID:

Hello list,

When migrating a custom user federation provider it seems the validateAndProxy callback from the UserFederationProvider SPI no longer has an alternative since it has been removed. Before, whenever a UserModel was pulled from Keycloak, this callback was made and our custom user federation provider could add some transient attributes each time.

In 2.5.5 it is my understanding that implementing the ImportedUserValidation SPI is the way to go, yet whenever the authorization/access code is exchanged (TokenEndpoint.buildAuthorizationCodeAccessTokenResponse) the ImportedUserValidation.validate is never called, as the UserSessionAdapter always goes straight to the UserCacheSession userprovider implementation instead of the UserStorageManager.

Before, whenever the TokenEndpoint was called, it always went to the UserFederationManager class, which fetched the UserModel but afterwards checked if the user had a federation link and then called the UserFederationProvider.validateAndProxy hook.

So my questions are:

1. What is the right way to make sure a custom user federation provider can always add some custom attributes to the UserModel via a delegate, even if the UserModel comes from the keycloak cache?
2. Or do we have to disable the keycloak cache for this, and if so how?

Kind regards,
Wim.

From stuarta at squashedfrog.net Mon May 8 06:10:40 2017
From: stuarta at squashedfrog.net (Stuart Auchterlonie)
Date: Mon, 8 May 2017 11:10:40 +0100
Subject: [keycloak-user] Keycloak 3.1.0.Final Released
In-Reply-To:
References:
Message-ID:

On 03/05/17 10:02, Stian Thorgersen wrote:
> Keycloak 3.1.0.Final has just been released.
>

Is the docker image being updated soon?

It's still listing as KEYCLOAK_VERSION=3.1.0.CR1

Regards
Stuart

From raqueljudezb at gmail.com Mon May 8 06:22:35 2017
From: raqueljudezb at gmail.com (Raquel Júdez Bello)
Date: Mon, 8 May 2017 12:22:35 +0200
Subject: [keycloak-user] Implementing Keycloak in Android app
Message-ID:

Hi all,

I have implemented Keycloak in my Tomcat server (via the Keycloak Spring Adapter).
Now, I am programming an Android App to communicate with my server, but I have not found any information about how to manage the login to a server from Android.

Has anyone implemented Keycloak with Android? Any ideas on how to approach this problem?

Thank you very much.

--
Raquel Júdez.

From sthorger at redhat.com Mon May 8 06:46:39 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 8 May 2017 12:46:39 +0200
Subject: [keycloak-user] Keycloak 3.1.0.Final Released
In-Reply-To:
References:
Message-ID:

Checked this now and the build of the images had failed. Fixed the issue and Docker hub is rebuilding images now:
https://hub.docker.com/r/jboss/keycloak/builds/

On 8 May 2017 at 12:10, Stuart Auchterlonie wrote:

> On 03/05/17 10:02, Stian Thorgersen wrote:
> > Keycloak 3.1.0.Final has just been released.
> >
>
> Is the docker image being updated soon?
>
> It's still listing as KEYCLOAK_VERSION=3.1.0.CR1
>
> Regards
> Stuart

From stuarta at squashedfrog.net Mon May 8 07:13:15 2017
From: stuarta at squashedfrog.net (Stuart Auchterlonie)
Date: Mon, 8 May 2017 12:13:15 +0100
Subject: [keycloak-user] Keycloak 3.1.0.Final Released
In-Reply-To: References: Message-ID: <451be7f5-7bd6-f955-0a33-e08b691fe67b@squashedfrog.net>

On 08/05/17 11:46, Stian Thorgersen wrote:
> Checked this now and the build of the images had failed. Fixed the issue
> and Docker Hub is rebuilding images now:
> https://hub.docker.com/r/jboss/keycloak/builds/

Cheers!
Stuart

>
> On 8 May 2017 at 12:10, Stuart Auchterlonie wrote:
>
> > On 03/05/17 10:02, Stian Thorgersen wrote:
> > > Keycloak 3.1.0.Final has just been released.
> > >
> >
> > Is the docker image being updated soon?
> >
> > It's still listing as KEYCLOAK_VERSION=3.1.0.CR1
> >
> >
> > Regards
> > Stuart
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>


From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 8 May 2017 08:16:24 -0300
Subject: [keycloak-user] Implementing Keycloak in Android app
In-Reply-To: References: Message-ID: <20170508111624.GC31744@abstractj.org>

Just search for "Android" here: http://www.keycloak.org/search.html. There are several threads on this.

On 2017-05-08, Raquel Júdez Bello wrote:
> Hi all,
> I have implemented Keycloak in my Tomcat server (via Keycloak Spring
> Adapter).
> Now, I am programming an Android App to communicate it with my server, but
> I have not found any information about how to manage the login to a server
> with Android.
>
> Has anyone implemented Keycloak with Android? Any ideas on how to approach
> this problem?
>
> Thank you very much.
>
> --
> Raquel Júdez.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From: pulgupta at redhat.com (Pulkit Gupta)
Date: Mon, 8 May 2017 17:59:41 +0530
Subject: [keycloak-user] OIDC spring security adapter
Message-ID:

Hi All,

We are planning to use the OIDC-based Spring Security adapter to secure our application using Keycloak. I am not sure if this will work with the implicit flow for OIDC, as our identity provider, or the team maintaining the Keycloak server instance, currently supports only the implicit flow. Please let me know in case anyone has used the Keycloak OIDC Spring Security adapter with the implicit flow.

Regards,
Pulkit


From: rohitchaudhary95 at gmail.com (rohit chaudhary)
Date: Mon, 8 May 2017 18:31:00 +0530
Subject: [keycloak-user] Sync users from external user storage
Message-ID:

Hi,

I connected an external DB with Keycloak and now want to sync it with Keycloak periodically, or whenever there is an update in the external DB. I have connected a Postgres DB. How do I proceed?

Thanks,
Rohit


From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Mon, 08 May 2017 18:35:11 +0300
Subject: [keycloak-user] Need info on Keycloak benchmarks & success stories
In-Reply-To: <1493293505.2855.1.camel@cargosoft.ru>
References: <1493293505.2855.1.camel@cargosoft.ru>
Message-ID: <1494257711.3430.1.camel@cargosoft.ru>

Anyone? Sorry for being persistent, but, as one might guess, it's a question of great importance for us.

Thanks!
Dmitry

From: sesnor.silva at sapo.pt (sesnor.silva at sapo.pt)
Date: Mon, 08 May 2017 18:07:29 +0100
Subject: [keycloak-user] Error with Postgres datasource
Message-ID: <20170508180729.Horde.0n0ESpN3VEwZn5UHzLDImYY@mail.sapo.pt>

Hello,

I'm trying to configure Keycloak 3.1 to use Postgres 9.4 using the documentation provided here:
https://keycloak.gitbooks.io/documentation/server_installation/topics/database.html

However, running in standalone operation mode, I get the following error:

2017-05-08 17:47:49,096 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.RuntimeException: Failed to connect to database
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
    at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:543)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:136)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:129)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 19 more
Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
    at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:237)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
    ... 31 more
Caused by: java.lang.IllegalStateException
    at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:47)
    at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:138)
    at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
    at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1158)
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
    ... 40 more

And I'm at a stalemate with the configuration, because I have no idea what I'm doing wrong.

I've configured the postgres driver module in keycloak-3.1.0.Final\modules\system\layers\keycloak\org\postgres\main as follows (postgresql-9.4.1210.jar is present as well):
https://pastebin.com/pjwn09gX

My standalone.xml is as follows:
https://pastebin.com/ggDHZFJx

Does anyone have any idea what I could be doing wrong? Did I miss anything in my configuration?

Thank you very much for your time,

My best regards,
Silva


From: Gideon.Caranzo at gemalto.com (Caranzo Gideon)
Date: Mon, 8 May 2017 18:31:20 +0000
Subject: [keycloak-user] How to remove Expires/Max-age from session cookie?
Message-ID:

Hi,

Is it possible in Keycloak to remove Expires/Max-age from the "KEYCLOAK_SESSION" cookie? Basically, we want the cookie to last only until the browser is closed.

Also, why does Keycloak set this value on the cookie? What are the risks in case an attacker is able to steal it?

Best regards,
Gideon

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 8 May 2017 15:44:50 -0300
Subject: [keycloak-user] Error with Postgres datasource
In-Reply-To: <20170508180729.Horde.0n0ESpN3VEwZn5UHzLDImYY@mail.sapo.pt>
References: <20170508180729.Horde.0n0ESpN3VEwZn5UHzLDImYY@mail.sapo.pt>
Message-ID: <20170508184450.GB17402@abstractj.org>

I just ran the entire DB setup from scratch with KC 3.1.0 and got PostgreSQL working with no issues. Looking at your config, you do not specify the PostgreSQL TCP port; plus make sure you have the proper permissions in pg_hba.conf and, of course, the database.

I'm sending a gist[1] with my configuration, to get you started. I hope it helps.

[1] - https://gist.github.com/abstractj/a154e452ed63c9ccab9578a713955670

On 2017-05-08, sesnor.silva at sapo.pt wrote:
> Hello,
>
> I'm trying to configure Keycloak 3.1 to use Postgres 9.4 using the
> documentation provided here:
> https://keycloak.gitbooks.io/documentation/server_installation/topics/database.html
>
> However, running in standalone operation mode, I get the following error:
> 2017-05-08 17:47:49,096 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
>     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>     ... 6 more
> Caused by: java.lang.RuntimeException: Failed to connect to database
>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
>     at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:543)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
>     at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:136)
>     at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:129)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>     ... 19 more
> Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
>     at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:237)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
>     ... 31 more
> Caused by: java.lang.IllegalStateException
>     at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:47)
>     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:138)
>     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
>     at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1158)
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
>     ... 40 more
>
> And I'm at a stalemate with the configuration, because I have no idea
> what I'm doing wrong.
>
> I've configured the postgres driver module in
> keycloak-3.1.0.Final\modules\system\layers\keycloak\org\postgres\main
> as (postgresql-9.4.1210.jar is present as well):
> https://pastebin.com/pjwn09gX
>
> My standalone.xml is as follows:
> https://pastebin.com/ggDHZFJx
>
> Does anyone have any idea what I could be doing wrong? Did I miss
> anything on my configuration?
>
> Thank you very much for your time,
>
> My best regards,
> Silva
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

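Bruno's gist is not reproduced here. The fragment below is an added example of the two files involved, written by the editor rather than taken from the thread or from the Keycloak documentation, so the pieces can be checked against the paste links above. The host, port, database name and credentials are placeholders; the subsystem namespace is assumed to match the one already present in the user's standalone.xml; and the module name org.postgres is derived from the directory the user reports (modules/.../org/postgres/main), because JBoss Modules maps the module name onto that path and the driver's module attribute has to match it exactly. The root cause in the trace is worth reading in that light: NameNotFoundException on datasources/KeycloakDS with an IllegalStateException from InjectedValue.getValue means the JNDI name was registered but the datasource service behind it never delivered a value, which is what you see when the datasource itself failed to start (usually an unresolved driver module or a refused connection), so the first error to look for in server.log is the one logged for the datasource or driver, not this one.

```xml
<!-- standalone.xml, datasources subsystem (added example, placeholders throughout) -->
<subsystem xmlns="urn:jboss:domain:datasources:4.0">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
                    enabled="true" use-java-context="true">
            <!-- host, port (5432 is the PostgreSQL default), database and user are assumptions -->
            <connection-url>jdbc:postgresql://localhost:5432/keycloak</connection-url>
            <driver>postgresql</driver>
            <pool>
                <max-pool-size>20</max-pool-size>
            </pool>
            <security>
                <user-name>keycloak</user-name>
                <password>change-me</password>
            </security>
            <validation>
                <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
                <background-validation>true</background-validation>
                <background-validation-millis>60000</background-validation-millis>
            </validation>
        </datasource>
        <drivers>
            <!-- "module" must equal the name attribute of module.xml below -->
            <driver name="postgresql" module="org.postgres">
                <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
            </driver>
        </drivers>
    </datasources>
</subsystem>

<!-- modules/system/layers/keycloak/org/postgres/main/module.xml -->
<module xmlns="urn:jboss:module:1.3" name="org.postgres">
    <resources>
        <resource-root path="postgresql-9.4.1210.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
    </dependencies>
</module>
```

On the database side, the pg_hba.conf point Bruno raises means a line that lets the Keycloak user reach the keycloak database over TCP with password authentication (for a local server, a `host` rule for the database and user from 127.0.0.1/32 with md5), and PostgreSQL must be listening on the address in the connection URL; a mismatch there surfaces as the same "Failed to connect to database" wrapper, with a PSQLException underneath instead of the naming failure shown in this trace.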
From: keycloak at mechaloid.com (Shih Oon Liong)
Date: Mon, 8 May 2017 15:20:25 -0700
Subject: [keycloak-user] SAML to SAML
Message-ID:

Hi,

I was wondering if Keycloak is able to support a SAML to SAML workflow. What part of the documentation should I be reading that deals with this?

To clarify, my backend is a SAML-based login and then I want to enable login via SAML on the frontend. So it would look something like

[My-Org] --SAML--> [KeyCloak] --SAML--> [Application]

I'm not sure if that makes sense but it is one way I am looking at it.

At the moment I do not have access to LDAP/AD; this was the only other access we can get from the organisation. I'm hoping to use Keycloak to help organise the users into the appropriate groups and to utilize the MFA feature of SAML.

Thanks
- Shih Oon

From: Bettina.Huebner at kvbawue.de (Hübner, Bettina)
Date: Tue, 9 May 2017 08:13:30 +0000
Subject: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
In-Reply-To: <1488232623127.15736@gohealth.com>
References: <1488232623127.15736@gohealth.com>
Message-ID:

Hi Jeremy,

I noticed the same behaviour and it still happens in version 3.1.0.CR1. Effective roles are not taken into account by the Policy Evaluation Tool, only roles assigned directly to a user.

Best regards
Bettina


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Jeremy Majors
Sent: Monday, 27 February 2017 22:57
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool

I have set up my users to have the 'read' role by associating that role with a group which my users have been associated with. While testing the policies for a resource using the Policy Evaluation tool I determined that the roles associated with the groups weren't being picked up and the user was being denied access to the resource (please note that when I looked at the user's roles I did notice that 'read' was listed as an effective role). When I removed one of the users from the group and directly assigned the 'role' to the user, then I was able to successfully access the resource using the Policy Evaluation tool.

Can anyone else reproduce this issue? It's unclear whether it could be related to KEYCLOAK-2964, which has been closed.

Thanks in advance,
Jeremy

Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of my firm shall be understood as neither given nor endorsed by it.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From: yannick.lazzari at gmail.com (Yannick Lazzari)
Date: Tue, 09 May 2017 10:30:45 +0000
Subject: [keycloak-user] Migrating existing system vs. resource management
Message-ID:

Hi,

We're currently evaluating Keycloak to migrate an existing system. For the sake of the discussion, let's use the photoz example and pretend we are an online picture hosting service and that we have millions of albums belonging to thousands of users (users typically have more than one album, so we have more albums than users).

If we were to implement the same permissions and wanted to constrain the deletion of an album to its owner, does that mean that we would first need to "sync" all our existing albums into Keycloak by "pushing" a ResourceRepresentation for each of them, so that we can then have a policy that uses the owner?

And what if we actually have dozens of other resource types for which we want to enforce similar "resource owner" policies, each of them having millions of records and living in different databases? Is it also expected for all of them to do the same, essentially maintaining duplicates (in some form) of all existing records in our system inside Keycloak's single database, just so that we can use the resource owner in some policies?

We understand the simple photoz example, for something that starts from scratch and with little data, but we have a hard time seeing how such an approach can scale well for an existing system with millions of resources of different types. Or perhaps we're completely missing the point or an important piece of the puzzle.

Instead of having to push resources to Keycloak, is there a way to provide arbitrary attributes that would be stored in the evaluation context of policies and made available for the duration of a single authorization request? For instance, when authorizing access to /album/123, could we tell Keycloak that the owner of this album is actually user id 456, have it stored in some attribute in the evaluation context and then use that attribute in a policy (whether it's JavaScript or Drools), along with some other arbitrary attributes? We've seen discussions around the usage of custom user claims, but this does not really seem to apply here since those are not resource-specific. Or would there be a way to "extend" Keycloak and use a hook that is provided that would allow us to somehow add this information to the evaluation context?

Looking for help to see how we would start tackling such a problem, if we were to adopt Keycloak.

Thank you very much for any insight anyone can provide!

Yannick

From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 9 May 2017 08:38:33 -0300
Subject: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
In-Reply-To: References: <1488232623127.15736@gohealth.com>
Message-ID:

You are right. We are not considering roles associated with groups. We also lack a group-based policy.

For the former, I've created https://issues.jboss.org/browse/KEYCLOAK-4874. For the latter we have https://issues.jboss.org/browse/KEYCLOAK-3168.

Will start working on those two issues before the next release.

On Tue, May 9, 2017 at 5:13 AM, Hübner, Bettina wrote:
> Hi Jeremy,
>
> I noticed the same behaviour and it still happens in version 3.1.0.CR1.
> Effective Roles are not taken into account by the Policy Evaluation Tool,
> only roles assigned directly to a user.
>
> Best regards
> Bettina
>
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Jeremy Majors
> Sent: Monday, 27 February 2017 22:57
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Group Level Roles Not Honored by Policy
> Evaluation Tool
>
> I have setup my users to have the 'read' role by associating that role to
> a group which my users have been associated with. While testing the
> policies for a resource using the Policy Evaluation tool I determined that
> the roles associated with the groups weren't being picked up and the user
> was being denied access to the resource (please note that when I looked at
> the user's roles I did notice that 'read' was listed as an effective
> role). When I removed one of the users from the group and directly
> assigned the 'role' to the user then I was able to successfully access the
> resource using the Policy Evaluation tool.
>
>
> Can anyone else reproduce this issue? It's unclear whether it could be
> related to KEYCLOAK-2964, which has been closed.
>
>
> Thanks in advance,
>
> Jeremy
>
> Privileged/Confidential Information may be contained in this message. If
> you are not the addressee indicated in this message (or responsible for
> delivery of the message to such person), you may not copy or deliver this
> message to anyone. In such case, you should destroy this message and kindly
> notify the sender by reply email. Please advise immediately if you or your
> employer does not consent to Internet email for messages of this kind.
> Opinions, conclusions and other information in this message that do not
> relate to the official business of my firm shall be understood as neither
> given nor endorsed by it.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 9 May 2017 09:03:04 -0300
Subject: [keycloak-user] Migrating existing system vs. resource management
In-Reply-To: References: Message-ID:

Hello Yannick,

Starting from the bottom ...

Right now, policy evaluation is solely based on the resources you have in Keycloak. So yes, you would need to use the Protection API to manage your resources every time you create/remove them from your application.

I understand your concern about "maintaining duplicates" of resources. However, authorization services is strongly based on UMA concepts, and there the AS plays an important role when managing the resources belonging to your users. By having complete control over the resource owner's resources, the AS is capable of managing and taking care of these resources for your users (and your application), so you benefit from everything the AS provides, such as privacy control, permission management and resource sharing, things that are very closely related to the basis of UMA: user-managed access.

What you described as "provide arbitrary attributes" is exactly what we are looking for. So you would have a more "stateless" permissioning model where you don't really want Keycloak to manage your resources, but just provide "facts" to the policy engine and have them processed by any matching policy in order to get a decision. This feature is pretty closely related to better contextual access control support. As it stands today, the "context" is basically what you have in your access token and you are not able to send any additional information.

Back to the "maintaining duplicates" topic: some time ago Bill Burke suggested a very interesting approach to resource management and storage. He suggested that we could provide a "Resource Provider SPI" that users could implement in order to fetch resources from an external database. I think this is another thing we would start working on for the next release.

On Tue, May 9, 2017 at 7:30 AM, Yannick Lazzari wrote:
> Hi,
>
> We're currently evaluating Keycloak to migrate an existing system. For the
> sake of the discussion, let's use the photoz example and pretend we are an
> online pictures hosting service and that we have millions of albums,
> belonging to thousands of users (users typically have more than one album,
> so we have more albums than users).
>
> If we were to implement the same permissions and wanted to constraint the
> deletion of an album to its owner, does that mean that we would first need
> to "sync" all our existing albums in Keycloak by "pushing" a
> ResourceRepresentation for each of them, so that we can then have a policy
> that uses the owner?
>
> And what if we actually have dozens of other resource types for which we
> want to enforce similar "resource owner" policies, each of them having
> millions of records and living in different databases? Is it also expected
> for all of them to do the same, essentially maintaining duplicates (in some
> form) of all existing records in our system inside Keycloak's single
> database, just so that we can use the resource owner in some policies?
>
> We understand the simple photoz example, for something that starts from
> scratch and with little data, but we have a hard time seeing how such an
> approach can scale well for an existing system with millions of resources
> of different types. Or perhaps we're completely missing the point or an
> important piece of the puzzle.
>
> Instead of having to push resources to Keycloak, is there a way to provide
> arbitrary attributes that would be stored in the evaluation context of
> policies and made available for the duration of a single authorization
> request? For instance, when authorizing access to /album/123, could we tell
> Keycloak that the owner of this album is actually user id 456, have it
> stored in some attribute in the evaluation context and then use that
> attribute in a policy (whether it's Javascript or Drools), along with some
> other arbitrary attributes? We've seen discussions around the usage of
> custom user claims, but this does not really seem to apply here since those
> are not resource-specific. Or would there be a way to "extend" Keycloak and
> use a hook that is provided that would allow us to somehow add this
> information to the evaluation context?
>
> Looking for help to see how we would start tackling such a problem, if we
> were to adopt Keycloak.
>
> Thank you very much for any insight anyone can provide!
>
> Yannick
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

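Pedro's answer above says that, as things stand, every album has to be registered with Keycloak through the Protection API before an owner-based policy can be evaluated for it, and kept registered as albums come and go. The script below is an added example by the editor, not Keycloak code and not the photoz example, showing what that sync looks like for the album case Yannick describes: it builds the resource representation for each album (uri and owner are the fields an owner-only policy and the policy enforcer rely on), diffs the application's albums against what is already registered, and turns the difference into the POST/DELETE calls against the realm's resource_set endpoint. The endpoint path and field names follow the Keycloak 3.x Protection API; the host, realm, resource type, album record shape and sample data are assumptions, and the send() function is only reached when you pass a real PAT.

```python
"""Keep application resources registered with Keycloak's Protection API.

Added example for the album discussion on this list; it is not Keycloak
code and not the photoz example. The resource_set endpoint path and the
JSON field names follow the Keycloak 3.x Protection API; host, realm, PAT,
the album record shape and the sample data are assumptions.
"""
import json
import urllib.request
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

Album = Dict[str, str]                              # assumed: {"id": ..., "owner_id": ...}
PlannedRequest = Tuple[str, str, Optional[dict]]    # (method, url, json body or None)

SCOPES = ("album:view", "album:delete")


def album_uri(album_id: str) -> str:
    return f"/album/{album_id}"


def to_resource_representation(album: Album) -> dict:
    """JSON body for POST .../resource_set describing one album.

    'uri' is what the policy enforcer matches incoming requests against and
    'owner' is what an owner-only policy compares with the requesting user's
    id; that is why each album must be pushed before such a policy can be
    evaluated for it.
    """
    return {
        "name": f"album:{album['id']}",
        "uri": album_uri(album["id"]),
        "type": "urn:example:album",              # assumed resource type
        "owner": {"id": album["owner_id"]},
        "scopes": [{"name": s} for s in SCOPES],
    }


def plan_sync(albums: Iterable[Album],
              registered: Iterable[dict]) -> Tuple[List[dict], List[str]]:
    """Diff local albums against resources already registered in Keycloak.

    Returns (representations to create, resource ids to delete). Resources
    are matched on 'uri'; registered entries carry their id under '_id',
    as the Protection API returns them.
    """
    wanted = {album_uri(a["id"]): a for a in albums}
    existing = {r["uri"]: r for r in registered if "uri" in r}
    to_create = [to_resource_representation(a)
                 for uri, a in wanted.items() if uri not in existing]
    to_delete = [r["_id"] for uri, r in existing.items() if uri not in wanted]
    return to_create, to_delete


def build_requests(base_url: str, realm: str,
                   to_create: List[dict], to_delete: List[str]) -> List[PlannedRequest]:
    """Translate a plan into HTTP calls without sending them (dry run)."""
    endpoint = f"{base_url}/auth/realms/{realm}/authz/protection/resource_set"
    reqs: List[PlannedRequest] = [("POST", endpoint, body) for body in to_create]
    reqs += [("DELETE", f"{endpoint}/{rid}", None) for rid in to_delete]
    return reqs


def send(requests_: Iterable[PlannedRequest], pat: str,
         timeout: float = 10.0) -> Iterator[Tuple[str, str, int]]:
    """Execute planned requests with a protection API token (PAT).

    The PAT is the resource server client's own access token (client
    credentials grant, scope uma_protection); never a user's token.
    """
    for method, url, body in requests_:
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {pat}")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            yield method, url, resp.status


# Constructed sample data: two albums in the application, one already
# registered, plus a stale registration for an album that no longer exists.
LOCAL_ALBUMS: List[Album] = [
    {"id": "123", "owner_id": "456"},
    {"id": "124", "owner_id": "456"},
]
REGISTERED: List[dict] = [
    {"_id": "res-123", "name": "album:123", "uri": "/album/123"},
    {"_id": "res-stale", "name": "album:99", "uri": "/album/99"},
]

if __name__ == "__main__":
    creates, deletes = plan_sync(LOCAL_ALBUMS, REGISTERED)
    for method, url, body in build_requests("https://sso.example.org", "demo", creates, deletes):
        print(method, url, json.dumps(body) if body else "")
```

The diff is the part that grows with the system: with millions of albums across several databases, a full reconciliation like plan_sync has to be replaced by hooking the application's own create and delete paths, which is the per-write coupling to the authorization server that the thread is weighing against a Resource Provider SPI or contextual attributes.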
From: yannick.lazzari at gmail.com (Yannick Lazzari)
Date: Tue, 09 May 2017 13:32:02 +0000
Subject: [keycloak-user] Migrating existing system vs. resource management
In-Reply-To:
References:
Message-ID:

Thanks a lot for your prompt response Pedro and for confirming our understanding.

Do you have opened issues that would describe what "supporting a better contextual access control" would translate into, and that we can also vote on? This seems to be the missing bit that probably will make us reconsider Keycloak for the moment. Having policies that require knowledge about the resources' attributes, other than the resource owner, is a fundamental piece of the policies we would like to implement. Even if we did go through the process of first pushing all our resources to Keycloak and keeping them in sync afterwards, we'd still need to access more than just the resource's owner in our policies. From what I understand, this isn't possible at the moment, and this could be solved with those contextual access control improvements.

We thought this would already be covered because we considered that a pretty "standard" need, but the fact that this isn't currently possible makes us wonder: is this in the scope of what UMA is trying to address? Take the following policy for instance (pseudo code):

    rule "Expensive Product"
    when
        $evaluation : Evaluation($permission : permission,
                                 $permission.resource != null && $permission.resource.price > 100.00)
    then
        $evaluation.grant();
    end

Should this exist as a Keycloak policy? Should it know that our "product" resource has a "price" attribute and that we have policies that depend on it?

What we're also trying to address as a problem is to have a central repository where our security policies are defined (in whole) so that it's easier to audit, review and maintain them. If we can't have such policies defined because it's not in the scope of what is supposed to be covered by Keycloak (or other authorization servers for that matter), then we'd be forced to distribute the authorization process between Keycloak and some other service. And because of that, we wouldn't have all the rules required to resolve a policy in a single location.

Does that make sense?

Thanks!

On Tue, May 9, 2017 at 8:03 AM Pedro Igor Silva wrote:

> Hello Yannick,
>
> Starting from the bottom ...
>
> Right now, policy evaluation is solely based on the resources you have in Keycloak. So yes, you would need to use the Protection API to manage your resources every time you create/remove them from your application.
>
> I understand your concern about "maintaining duplicates" of resources. However, authorization services are strongly based on UMA concepts and there the AS plays an important role when managing the resources belonging to your users. By having complete control over resource owners' resources, the AS is capable of managing and taking care of these resources for your users (and your application) so you benefit from everything the AS provides such as privacy control, permission management and resource sharing, things that are very closely related with the basis of UMA: user managed access.
>
> What you described as "provide arbitrary attributes" is exactly what we are looking for. So you would have a more "stateless" permissioning model where you don't really want Keycloak to manage your resources, but just provide "facts" to the policy engine and have them processed by any matching policy in order to get a decision. This feature is pretty closely related with better contextual access control support. As it stands today, the "context" is basically what you have in your access token and you are not able to send any additional information.
>
> Back to the "maintaining duplicates" topic, some time ago Bill Burke suggested a very interesting approach to resource management and storage. He suggested that we could provide a "Resource Provider SPI" that users could implement in order to fetch resources from an external database. I think it is another thing we would start working on for the next release.
>
> On Tue, May 9, 2017 at 7:30 AM, Yannick Lazzari wrote:
>
>> Hi,
>>
>> We're currently evaluating Keycloak to migrate an existing system. For the sake of the discussion, let's use the photoz example and pretend we are an online picture hosting service and that we have millions of albums, belonging to thousands of users (users typically have more than one album, so we have more albums than users).
>>
>> If we were to implement the same permissions and wanted to constrain the deletion of an album to its owner, does that mean that we would first need to "sync" all our existing albums in Keycloak by "pushing" a ResourceRepresentation for each of them, so that we can then have a policy that uses the owner?
>>
>> And what if we actually have dozens of other resource types for which we want to enforce similar "resource owner" policies, each of them having millions of records and living in different databases? Is it also expected for all of them to do the same, essentially maintaining duplicates (in some form) of all existing records in our system inside Keycloak's single database, just so that we can use the resource owner in some policies?
>>
>> We understand the simple photoz example, for something that starts from scratch and with little data, but we have a hard time seeing how such an approach can scale well for an existing system with millions of resources of different types. Or perhaps we're completely missing the point or an important piece of the puzzle.
>>
>> Instead of having to push resources to Keycloak, is there a way to provide arbitrary attributes that would be stored in the evaluation context of policies and made available for the duration of a single authorization request? For instance, when authorizing access to /album/123, could we tell Keycloak that the owner of this album is actually user id 456, have it stored in some attribute in the evaluation context and then use that attribute in a policy (whether it's Javascript or Drools), along with some other arbitrary attributes? We've seen discussions around the usage of custom user claims, but this does not really seem to apply here since those are not resource-specific. Or would there be a way to "extend" Keycloak and use a hook that is provided that would allow us to somehow add this information to the evaluation context?
>>
>> Looking for help to see how we would start tackling such a problem, if we were to adopt Keycloak.
>>
>> Thank you very much for any insight anyone can provide!
>>
>> Yannick

From bburke at redhat.com Tue May 9 10:36:25 2017
From: bburke at redhat.com (Bill Burke)
Date: Tue, 9 May 2017 10:36:25 -0400
Subject: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
In-Reply-To:
References: <1488232623127.15736@gohealth.com>
Message-ID: <2cd6196b-6a58-0eef-d3dd-61be65711468@redhat.com>

The policy evaluation tool should be validating roles based on group membership. I thought I fixed that, but I guess not.

On 5/9/17 7:38 AM, Pedro Igor Silva wrote:

> You are right. We are not considering roles associated with groups. We also lack a group based policy ....
>
> For the former, I've created https://issues.jboss.org/browse/KEYCLOAK-4874.
> For the latter we have https://issues.jboss.org/browse/KEYCLOAK-3168.
>
> Will start working on those two issues before next release.
>
> On Tue, May 9, 2017 at 5:13 AM, Hübner, Bettina wrote:
>
>> Hi Jeremy,
>>
>> I noticed the same behaviour and it still happens in version 3.1.0.CR1. Effective Roles are not taken into account by the Policy Evaluation Tool, only roles assigned directly to a user.
>>
>> Best regards
>> Bettina
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Jeremy Majors
>> Sent: Monday, 27 February 2017 22:57
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
>>
>> I have set up my users to have the 'read' role by associating that role to a group which my users have been associated with. While testing the policies for a resource using the Policy Evaluation tool I determined that the roles associated with the groups weren't being picked up and the user was being denied access to the resource (please note that when I looked at the user's roles I did notice that 'read' was listed as an effective role). When I removed one of the users from the group and directly assigned the 'role' to the user then I was able to successfully access the resource using the Policy Evaluation tool.
>>
>> Can anyone else reproduce this issue? It's unclear whether it could be related to KEYCLOAK-2964, which has been closed.
>>
>> Thanks in advance,
>>
>> Jeremy
>>
>> Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of my firm shall be understood as neither given nor endorsed by it.

From sesnor.silva at sapo.pt Tue May 9 11:35:29 2017
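The gap Jeremy and Bettina describe in the thread above (a role mapped to a group shows up as an effective role of the user, yet a role policy evaluated only against directly assigned roles denies) is easy to reproduce in a small model. The block below is an added example written for this archive, not Keycloak code: the Group and User classes, the composite-role table and the "required" semantics of role_policy are assumptions modelled on how Keycloak documents role-based policies, and the sample realm is constructed to mirror the thread.

```python
"""Effective-role resolution versus direct roles in a role-based policy.

Added example, not Keycloak code. Models the divergence reported in this
thread: an evaluation that only looks at roles mapped directly onto the user
denies, while one that also walks group membership (and group ancestors)
grants. Class names, the composite-role table and the policy semantics are
assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class Group:
    """A realm group: carries role mappings and may have a parent group."""
    name: str
    roles: Set[str] = field(default_factory=set)
    parent: Optional["Group"] = None


@dataclass
class User:
    """A realm user with directly mapped roles and group memberships."""
    username: str
    direct_roles: Set[str] = field(default_factory=set)
    groups: List[Group] = field(default_factory=list)


# Constructed composite-role table: a composite role implies its children.
COMPOSITES: Dict[str, Set[str]] = {"admin": {"read", "write"}}


def expand_composites(roles: Set[str]) -> Set[str]:
    """Close a role set under composite membership (iterative, cycle-safe)."""
    result = set(roles)
    stack = list(roles)
    while stack:
        role = stack.pop()
        for child in COMPOSITES.get(role, ()):
            if child not in result:
                result.add(child)
                stack.append(child)
    return result


def direct_roles(user: User) -> FrozenSet[str]:
    """What the faulty evaluation saw: only roles mapped straight onto the user."""
    return frozenset(expand_composites(user.direct_roles))


def effective_roles(user: User) -> FrozenSet[str]:
    """Direct roles plus every role inherited from a group or one of its ancestors."""
    roles = set(user.direct_roles)
    for group in user.groups:
        node: Optional[Group] = group
        while node is not None:
            roles |= node.roles
            node = node.parent
    return frozenset(expand_composites(roles))


def role_policy(granted: FrozenSet[str], policy: Dict[str, bool]) -> bool:
    """Decide a role policy. `policy` maps role name -> 'required' flag.

    Assumed semantics (modelled on the documented Keycloak role policy): a
    missing required role denies; otherwise holding any listed role grants.
    """
    if any(required and role not in granted for role, required in policy.items()):
        return False
    return any(role in granted for role in policy)


def build_sample_realm() -> User:
    """Constructed data mirroring the thread: 'read' reaches the user only via a group."""
    readers = Group("readers", roles={"read"})
    team = Group("team-a", parent=readers)  # inherits 'read' from its parent group
    return User("jeremy", groups=[team])


def evaluate(user: User, policy: Dict[str, bool]) -> Dict[str, bool]:
    """Run the same policy against both role views so the gap is visible."""
    return {
        "direct_only": role_policy(direct_roles(user), policy),
        "with_groups": role_policy(effective_roles(user), policy),
    }


if __name__ == "__main__":
    print(evaluate(build_sample_realm(), {"read": True}))
```

Running it prints a denial for the direct-only view and a grant for the group-aware view of the same user and policy, which is exactly the inconsistency the Policy Evaluation Tool showed against the effective roles listed in the admin console.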
From: sesnor.silva at sapo.pt (sesnor.silva at sapo.pt)
Date: Tue, 09 May 2017 16:35:29 +0100
Subject: [keycloak-user] Error with Postgres datasource
In-Reply-To: <20170508184450.GB17402@abstractj.org>
References: <20170508180729.Horde.0n0ESpN3VEwZn5UHzLDImYY@mail.sapo.pt> <20170508184450.GB17402@abstractj.org>
Message-ID: <20170509163529.Horde.ONV3oGqdcyO7gLf0yuoAzzM@mail.sapo.pt>

Hello,

Thank you for your reply,

Sadly it doesn't seem to budge. Even by copy-pasting your exact configuration (changing the username/password for postgres of course).

What I find especially strange is the following part of the error: "Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]"

Also, I'm running on Windows 8.1 64-bit currently.

What else could I try?

My best regards,
Silva

Quoting Bruno Oliveira:

> I just ran the entire DB setup from scratch with KC 3.1.0 and got postgresql working with no issues.
>
> Looking at your config, you do not specify PostgreSQL TCP port, plus make sure you have the proper permissions into pg_hba.conf and of course, the database.
> I'm sending gist[1] with my configuration, to get you started. I hope it helps.
>
> [1] - https://gist.github.com/abstractj/a154e452ed63c9ccab9578a713955670
>
> On 2017-05-08, sesnor.silva at sapo.pt wrote:
>
>> Hello,
>>
>> I'm trying to configure Keycloak 3.1 to use Postgres 9.4 using the documentation provided here: https://keycloak.gitbooks.io/documentation/server_installation/topics/database.html
>>
>> However, running in standalone operation mode, I get the following error:
>>
>> 2017-05-08 17:47:49,096 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     at java.lang.Thread.run(Thread.java:745)
>>     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
>>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
>>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
>>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
>>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>>     ... 6 more
>> Caused by: java.lang.RuntimeException: Failed to connect to database
>>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
>>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
>>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
>>     at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:543)
>>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
>>     at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:136)
>>     at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>>     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:129)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>>     ... 19 more
>> Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
>>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
>>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
>>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
>>     at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:237)
>>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
>>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
>>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
>>     ... 31 more
>> Caused by: java.lang.IllegalStateException
>>     at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:47)
>>     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:138)
>>     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
>>     at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1158)
>>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
>>     ... 40 more
>>
>> And I'm at a stalemate with the configuration, because I have no idea what I'm doing wrong.
>>
>> I've configured the postgres driver module in keycloak-3.1.0.Final\modules\system\layers\keycloak\org\postgres\main as (postgresql-9.4.1210.jar is present as well): https://pastebin.com/pjwn09gX
>>
>> My standalone.xml is as follows: https://pastebin.com/ggDHZFJx
>>
>> Does anyone have any idea what I could be doing wrong? Did I miss anything on my configuration?
>>
>> Thank you very much for your time,
>>
>> My best regards,
>> Silva
>
> --
> abstractj

From fabien.hinault at ariadnext.com Tue May 2 06:00:19 2017
From: fabien.hinault at ariadnext.com (Fabien HINAULT)
Date: Tue, 2 May 2017 12:00:19 +0200
Subject: [keycloak-user] Problem with example provider authenticator in version 3.0.0.Final
Message-ID:

Hello,

I have a problem with the example provider called authenticator which is released with keycloak-demo-3.0.0.Final. After having added the provider, and added the execution "Secret Question" to the browser flow, I don't have a page "Secret Question" while logging into the client app. Instead, I am directly redirected to the application.

There is a warning in keycloak's output:

"10:48:24,009 WARN [org.keycloak.services.managers.AuthenticationManager] (default task-44) Could not find configuration for Required Action secret_question_config, did you forget to register it?"

Did I miss something?

Fabien

------

Included: a log in debug, with just the logging of user u, with execution "Secret Question" added. See complete scenario below:

I have built the jar authentication-required-action-example.jar and I have put it in the directory keycloak/providers.
I run keycloak/bin/standalone.sh

In the admin console (http://localhost:8080/auth/admin/master/console/): I create a new realm called "demo", I switch to this realm, I create a user with username "u", I change its password, I create a role "ROLE_USER", I give the role ROLE_USER to user u, I create a client with client ID "test-fabien", redirect URIs http://localhost:8081/*, authorization enabled to ON.

I run a test client application with adequate configuration settings.

In a private session in Firefox: I type http://localhost:8081/test.html in the address bar, I am redirected to keycloak's authentication page for realm "demo", I enter username u and password; the first time, I am redirected to the password change page, then I am redirected back to the page test.html.
In the Authentication part of the Keycloak admin console: I copy the browser flow into "Copy of browser", I add the execution "Secret Question", which comes from the added provider, I set it as "required". In the binding tab, I bind "Copy of browser" as browser flow, then save.

In a new private session in Firefox: I type http://localhost:8081/test.html in the address bar, I am redirected to keycloak's authentication page for realm "demo", I enter username u and password. Here, I would expect a "Secret Question" page. Instead, I am directly redirected back to the page test.html.

In the output of standalone.sh, I can read:

"10:48:24,009 WARN [org.keycloak.services.managers.AuthenticationManager] (default task-44) Could not find configuration for Required Action secret_question_config, did you forget to register it?"

From hendrikdev22 at gmail.com Thu May 4 06:38:03 2017

From: hendrikdev22 at gmail.com (Hendrik Dev)
Date: Thu, 4 May 2017 12:38:03 +0200
Subject: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
In-Reply-To:
References: <1de2e444-d9eb-c123-cf61-2d805026eb8b@redhat.com>
Message-ID:

Hi Adam,

I tried 1.8.0_31 but it does not work. Currently we use java-1.8.0-openjdk-1.8.0.131-2.b11.el7_3.x86_64

Here are screenshots of the request flow (reg1.uat.xxx is the secured application):

On Thu, May 4, 2017 at 5:30 AM, Adam Keily wrote:

> Downgrading is not an option as RHSSO 7.1 supports only openjdk 1.8.
>
> After updating to latest 1.8 via RHEL repo and restarting keycloak it appears working. What version of JDK are you using?
>
> -----Original Message-----
> From: Adam Keily
> Sent: Thursday, 4 May 2017 9:01 AM
> To: 'Marek Posolda'
> Subject: RE: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
>
> We were getting the same issue with RHSSO 7.1 (Keycloak 2.5.5.) on RHEL7. I believe it's related to this bug in JDK 1.8. https://bugs.openjdk.java.net/browse/JDK-8078439
>
> For us, downgrading to JDK 1.7 fixed the issue. As long as you use v 1.8.0_31 or earlier I think you'll be ok.
>
> Adam
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Wednesday, 3 May 2017 4:24 PM
> To: Hendrik Dev
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
>
> Sorry, I don't have much to add :( It seems you would need to fix your environment and windows domain configuration to use Kerberos/SPNEGO tokens instead of NTLM. A few posts with possible tips & tricks I found during quick googling:
> http://jasig.275507.n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-instead-of-Kerberos-td1598650.html
> http://stackoverflow.com/questions/17340564/why-does-ie-not-send-the-kerberos-ticket-information-to-my-jboss-on-linux
> https://archive.sap.com/discussions/thread/998107
>
> Marek
>
> On 02/05/17 17:04, Hendrik Dev wrote:
>> bump
>>
>> On Thu, Apr 27, 2017 at 12:35 PM, Hendrik Dev wrote:
>>> On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda wrote:
>>>> On 24/04/17 18:55, Hendrik Dev wrote:
>>>>> Hi,
>>>>>
>>>>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0. Purpose is to provide single sign on for users logging in via IE from a windows domain. Keycloak itself is running on centOS, Kerberos server is Active Directory. The setup is working so far because I can log in via 'curl --negotiate'. There are also several other java applications running in this environment which are capable of doing SPNEGO over Kerberos authentication successfully.
>>>>>
>>>>> If the user accesses a Keycloak protected application the SPNEGO login does not work and the Keycloak login page is displayed instead.
>>>>> In the logs I see "Defective token detected (Mechanism level: GSSHeader did not find the right tag)" and that's totally right because the browser sends 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>>>>
>>>>> For me it looks like the browser never gets either a 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak. In other words: The browser seems to never get challenged to do SPNEGO over Kerberos.
>>>>
>>>> I will try to summarize if I understand correctly:
>>>> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
>>>> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization: Negotiate ntlm-token-is-here"
>>>> 3) Keycloak replied with "WWW-Authenticate: Negotiate spnego-token-asking-to-send-kerberos-instead-of-ntlm"
>>>> 4) Your browser didn't reply anything back
>>>>
>>>> Is it correct?
>>>
>>> Sorry no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from keycloak. As I said, the browser does not get a challenge.
>>>
>>>> It seems that your browser doesn't have a kerberos ticket, hence that's why it uses NTLM instead. I think the best would be to fix your environment, so that it will send a Kerberos token instead of NTLM at step 2.
>>>>
>>>> Marek
>>>>
>>>>> I already tried to fix it (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703) but this oddly just ends up in a Basic Auth popup from the browser.
>>>>> For the client app the standard flow as well as direct access grants is enabled.
>>>>>
>>>>> Keycloak is deployed as HA with 3 nodes and runs behind a HW loadbalancer and Kerberos is set up within the LDAP Federation ()
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Thanks
>>>>> Hendrik
>>>
>>> --
>>> Hendrik Saly (salyh, hendrikdev22)
>>> @hendrikdev22
>>> PGP: 0x22D7F6EC

--
Hendrik Saly (salyh, hendrikdev22)
@hendrikdev22
PGP: 0x22D7F6EC

From psilva at redhat.com Tue May 9 14:10:42 2017
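Hendrik's diagnosis in the thread above rests on reading the token the browser put in its Negotiate header: a raw NTLMSSP message and a SPNEGO (GSS-API) token are both base64 under the same scheme, and only the latter has the framing a Kerberos authenticator parses, which is why Keycloak logs "GSSHeader did not find the right tag". The classifier below is an added example written for this archive, not Keycloak's code. Its function names are this example's own; the OID byte strings are the published mechanism identifiers (RFC 1964 Kerberos V5, RFC 4178 SPNEGO, and Microsoft's MS-KRB5 and NTLMSSP values); the NTLM sample is the token Hendrik quoted, and the SPNEGO sample is constructed inside the block.

```python
"""Classify the token carried in an 'Authorization: Negotiate <base64>' header.

Added example, not Keycloak code. Both a raw NTLMSSP message and a SPNEGO
(GSS-API) token travel base64-encoded under the same 'Negotiate' scheme; only
the GSS-API framing (DER APPLICATION 0 tag 0x60 followed by a mechanism OID)
is what a Kerberos/SPNEGO authenticator accepts. Function names are this
example's own; the OIDs are the published mechanism identifiers.
"""
import base64
from typing import Dict, List

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"               # MS-NLMP: every NTLM message starts with this
SPNEGO_OID = bytes.fromhex("06062b0601050502")   # 1.3.6.1.5.5.2 as a DER OID TLV
MECH_OIDS: Dict[str, bytes] = {
    "krb5": bytes.fromhex("06092a864886f712010202"),       # 1.2.840.113554.1.2.2
    "ms-krb5": bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2
    "ntlmssp": bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}

# Token quoted by Hendrik in the thread above: a bare NTLM Type 1 (NEGOTIATE) message.
NTLM_TYPE1_FROM_THREAD = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="


def _skip_der_length(buf: bytes, pos: int) -> int:
    """Return the offset just past the DER length field that starts at `pos`."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_negotiate_token(b64: str) -> Dict[str, object]:
    """Say what kind of token a client sent and which mechanisms it offers."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"kind": "invalid-base64", "mechs": []}
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLMSSP under 'Negotiate': a GSS-API consumer rejects this as a
        # defective token because there is no 0x60 header for it to parse.
        msg_type = int.from_bytes(raw[8:12], "little") if len(raw) >= 12 else 0
        return {"kind": "ntlmssp", "mechs": ["ntlmssp"], "ntlm_message_type": msg_type}
    if len(raw) > 1 and raw[:1] == b"\x60":
        body = raw[_skip_der_length(raw, 1):]
        if body.startswith(SPNEGO_OID):
            # NegTokenInit lists the mechanisms the client can do, in preference
            # order; a scan for the OID TLVs is enough for a diagnostic.
            found = sorted((body.find(oid), name) for name, oid in MECH_OIDS.items() if oid in body)
            return {"kind": "spnego", "mechs": [name for _, name in found]}
        for name in ("krb5", "ms-krb5"):
            if body.startswith(MECH_OIDS[name]):
                return {"kind": "kerberos", "mechs": [name]}
        return {"kind": "gssapi-other", "mechs": []}
    return {"kind": "unknown", "mechs": []}


def server_offers_negotiate(www_authenticate: List[str]) -> bool:
    """True if any WWW-Authenticate value on the 401 advertises the Negotiate scheme.

    Hendrik's other observation: without this challenge the browser never tries SPNEGO.
    """
    return any(v.strip().split(" ", 1)[0].lower() == "negotiate" for v in www_authenticate)


def _der(tag: int, payload: bytes) -> bytes:
    """Tiny DER TLV encoder for payloads under 128 bytes; builds the constructed sample."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload


def sample_spnego_token(mech_names: List[str]) -> str:
    """Constructed minimal SPNEGO NegTokenInit carrying only a mechTypes list."""
    mech_types = _der(0x30, b"".join(MECH_OIDS[n] for n in mech_names))  # SEQUENCE OF OID
    neg_token_init = _der(0x30, _der(0xA0, mech_types))                  # NegTokenInit { [0] mechTypes }
    negotiation_token = _der(0xA0, neg_token_init)                      # NegotiationToken CHOICE [0]
    return base64.b64encode(_der(0x60, SPNEGO_OID + negotiation_token)).decode("ascii")


if __name__ == "__main__":
    print(classify_negotiate_token(NTLM_TYPE1_FROM_THREAD))
    print(classify_negotiate_token(sample_spnego_token(["ms-krb5", "krb5", "ntlmssp"])))
```

Fed the token from the thread, the classifier reports a bare NTLM Type 1 message rather than a SPNEGO token, which matches the "Defective token" error; fed a browser's real NegTokenInit it lists the offered mechanisms, so a client that only offers NTLMSSP (no Kerberos ticket for the service) is distinguishable from one that never received a Negotiate challenge at all.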
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 9 May 2017 15:10:42 -0300
Subject: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
In-Reply-To: <2cd6196b-6a58-0eef-d3dd-61be65711468@redhat.com>
References: <1488232623127.15736@gohealth.com> <2cd6196b-6a58-0eef-d3dd-61be65711468@redhat.com>
Message-ID:

I think you are right, Bill. This seems to be working already. I have written a test for role policy evaluation and group roles are working from both authorization endpoints and evaluation tool.

@Jeremy and @Bettina, it seems you are using 3.1.0.CR1. Could you try with 3.1.0.Final, please?

Regards.
Pedro Igor

On Tue, May 9, 2017 at 11:36 AM, Bill Burke wrote:

> The policy evaluation tool should be validating roles based on group membership. I thought I fixed that, but I guess not.
>
> On 5/9/17 7:38 AM, Pedro Igor Silva wrote:
> > You are right. We are not considering roles associated with groups. We also lack a group based policy ....
> >
> > For the former, I've created https://issues.jboss.org/browse/KEYCLOAK-4874.
> > For the latter we have https://issues.jboss.org/browse/KEYCLOAK-3168.
> >
> > Will start working on those two issues before next release.
> >
> > On Tue, May 9, 2017 at 5:13 AM, Hübner, Bettina <Bettina.Huebner at kvbawue.de> wrote:
> >
> >> Hi Jeremy,
> >>
> >> I noticed the same behaviour and it still happens in version 3.1.0.CR1. Effective Roles are not taken into account by the Policy Evaluation Tool, only roles assigned directly to a user.
> >>
> >> Best regards
> >> Bettina
> >>
> >> -----Original Message-----
> >> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Jeremy Majors
> >> Sent: Monday, 27 February 2017 22:57
> >> To: keycloak-user at lists.jboss.org
> >> Subject: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
> >>
> >> I have set up my users to have the 'read' role by associating that role to a group which my users have been associated with. While testing the policies for a resource using the Policy Evaluation tool I determined that the roles associated with the groups weren't being picked up and the user was being denied access to the resource (please note that when I looked at the user's roles I did notice that 'read' was listed as an effective role). When I removed one of the users from the group and directly assigned the 'role' to the user then I was able to successfully access the resource using the Policy Evaluation tool.
> >>
> >> Can anyone else reproduce this issue? It's unclear whether it could be related to KEYCLOAK-2964, which has been closed.
> >>
> >> Thanks in advance,
> >>
> >> Jeremy

From bruno at abstractj.org Tue May 9 16:53:24 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 9 May 2017 17:53:24 -0300
Subject: [keycloak-user] Error with Postgres datasource
In-Reply-To: <20170509163529.Horde.ONV3oGqdcyO7gLf0yuoAzzM@mail.sapo.pt>
References: <20170508180729.Horde.0n0ESpN3VEwZn5UHzLDImYY@mail.sapo.pt> <20170508184450.GB17402@abstractj.org> <20170509163529.Horde.ONV3oGqdcyO7gLf0yuoAzzM@mail.sapo.pt>
Message-ID: <20170509205324.GA13745@abstractj.org>

Can you connect to the database with the same user provided at standalone.xml? Using pgAdmin for example? To me, still seems like a database misconfiguration. Although, I don't have Windows to try.

On 2017-05-09, sesnor.silva at sapo.pt wrote:
> Hello,
>
> Thank you for your reply,
>
> Sadly it doesn't seem to budge. Even by copy-pasting your exact configuration (changing the username/password for postgres of course).
>
> What I find especially strange is the following part of the error: "Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]"
>
> Also, I'm running on Windows 8.1 64-bit currently.
>
> What else could I try?
>
> My best regards,
> Silva
>
> Quoting Bruno Oliveira:
>
> > I just ran the entire DB setup from scratch with KC 3.1.0 and got postgresql working with no issues.
> >
> > Looking at your config, you do not specify PostgreSQL TCP port, plus make sure you have the proper permissions into pg_hba.conf and of course, the database.
> > I'm sending gist[1] with my configuration, to get you started. I hope it helps.
> >
> > [1] - https://gist.github.com/abstractj/a154e452ed63c9ccab9578a713955670
> >
> > On 2017-05-08, sesnor.silva at sapo.pt wrote:
> > > Hello,
> > >
> > > I'm trying to configure Keycloak 3.1 to use Postgres 9.4 using the documentation provided here:
> > > https://keycloak.gitbooks.io/documentation/server_installation/topics/database.html
> > >
> > > However, running in standalone operation mode, I get the following error:
> > >
> > > 2017-05-08 17:47:49,096 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
> > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> > >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > >     at java.lang.Thread.run(Thread.java:745)
> > >     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> > > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > >     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
> > >     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
> > >     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
> > >     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
> > >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
> > >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> > >     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> > >     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
> > >     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> > >     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
> > >     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
> > >     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
> > >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
> > >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
> > >     ... 6 more
> > > Caused by: java.lang.RuntimeException: Failed to connect to database
> > >     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
> > >     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
> > >     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
> > >     at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:543)
> > >     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
> > >     at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:136)
> > >     at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
> > >     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:129)
> > >     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> > >     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> > >     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> > >     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> > >     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
> > >     ... 19 more
> > > Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
> > >     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
> > >     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
> > >     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
> > >     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
> > >     at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:237)
> > >     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
> > >     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
> > >     at javax.naming.InitialContext.lookup(InitialContext.java:417)
> > >     at javax.naming.InitialContext.lookup(InitialContext.java:417)
> > >     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
> > >     ... 31 more
> > > Caused by: java.lang.IllegalStateException
> > >     at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:47)
> > >     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:138)
> > >     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
> > >     at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1158)
> > >     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
> > >     ... 40 more
> > >
> > > And I'm at a stalemate with the configuration, because I have no idea what I'm doing wrong.
> > >
> > > I've configured the postgres driver module in keycloak-3.1.0.Final\modules\system\layers\keycloak\org\postgres\main as (postgresql-9.4.1210.jar is present as well):
> > > https://pastebin.com/pjwn09gX
> > >
> > > My standalone.xml is as follows:
> > > https://pastebin.com/ggDHZFJx
> > >
> > > Does anyone have any idea what I could be doing wrong? Did I miss anything on my configuration?
> > >
> > > Thank you very much for your time,
> > >
> > > My best regards,
> > > Silva
> >
> > --
> > abstractj

--
abstractj

From cbenninger at phemi.com Tue May 9 17:27:17 2017
From: cbenninger at phemi.com (Chris Benninger)
Date: Tue, 9 May 2017 14:27:17 -0700
Subject: [keycloak-user] Trouble with initial SSL handshake from client
Message-ID:

Hi,

I just moved my dev setup from HTTP to HTTPS. Right now I have a self-signed cert. What I do is, set up a cert the usual way and configure keycloak. Everything is fine from the browser once I accept the cert. Then my backend service keycloak.conf has 'https' now in it. All good.

In order to make my java service using keycloak client to trust it I have to add the cert to the trust store.

I export the public cert

    keytool -export -keystore keycloak.jks -alias keycloak -file keycloak.cer

Then on the backend client, I import it to the default keystore

    keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -alias keycloak -file keycloak.cer

When I try and perform the first call on the backend service it is still rejecting the cert for some reason? I can't get it to trust the thing.

    2017-05-09 21:14:40,053 ERROR o.k.a.r.JWKPublicKeyLocator Error when sending request to retrieve realm keys
    org.keycloak.adapters.HttpClientAdapterException: IO error
    ...
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_111]
    ...
    Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

If anyone has any insight it would be greatly appreciated

From adrianmatei at gmail.com Wed May 10 03:10:46 2017
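A check for the situation in the post above, added here and not part of the original message: it compares the certificate the server actually presents with the one that was exported and imported into cacerts, and repeats the Java adapter's validation against that single trust anchor. The host name, port and the keycloak.cer path are placeholders, and the check is written in Python rather than as part of the Java service.

```python
"""Compare what a TLS endpoint presents with what was imported into a Java trust
store (added example; host, port and file names below are placeholders)."""
import base64
import hashlib
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem_text: str) -> bytes:
    """Decode one PEM certificate (keytool -export -rfc output, or what
    ssl.get_server_certificate returns) to DER bytes."""
    body = pem_text.strip()
    if not (body.startswith(PEM_BEGIN) and body.endswith(PEM_END)):
        raise ValueError("not a single PEM certificate")
    b64 = body[len(PEM_BEGIN):-len(PEM_END)]
    return base64.b64decode("".join(b64.split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form `keytool -list -v` prints,
    so it can be compared by eye with the cacerts listing for the alias."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(presented_der: bytes, imported_der: bytes) -> bool:
    """True only when exactly this certificate (same key, same signature) was
    imported. An anchor with the same subject name but a different key, e.g. a
    regenerated self-signed cert, is one reason PKIX reports 'signature check
    failed' even though the alias is present in the trust store."""
    return fingerprint(presented_der) == fingerprint(imported_der)


def fetch_presented_cert(host: str, port: int = 8443) -> bytes:
    """Fetch the leaf certificate the server sends, without validating it.
    Diagnostic only: the result is compared, never trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def handshake_trusting_only(host: str, port: int, anchor_der: bytes) -> bool:
    """Repeat what the Java adapter does: validate the server's chain against a
    single trust anchor (the DER file keytool -export produced). Returns False on
    any certificate verification failure, including host-name mismatch."""
    ctx = ssl.create_default_context(cadata=anchor_der)  # DER bytes accepted
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    # Placeholders: the exported keycloak.cer and the Keycloak server address.
    with open("keycloak.cer", "rb") as f:
        imported = f.read()
    presented = fetch_presented_cert("keycloak.example.test", 8443)
    print("imported :", fingerprint(imported))
    print("presented:", fingerprint(presented))
    print("match" if same_certificate(presented, imported) else "MISMATCH")
    print("anchor validates chain:",
          handshake_trusting_only("keycloak.example.test", 8443, imported))
```

If the fingerprints differ, the trust store holds a different certificate than the server serves; if they match but the handshake still fails, the problem lies elsewhere in the chain or the host name.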
From: adrianmatei at gmail.com (Adrian Matei)
Date: Wed, 10 May 2017 09:10:46 +0200
Subject: [keycloak-user] Recurrent unexpected UPDATE_PASSWORD required action (AD related?)
In-Reply-To: <20170508090651.GA31744@abstractj.org>
References: <20170508090651.GA31744@abstractj.org>
Message-ID:

Hi Bruno,

Thanks for your response. We will migrate, ...eventually. It's not that easy with many apps depending on it.

Best regards,
Adrian

On Mon, May 8, 2017 at 11:06 AM, Bruno Oliveira wrote:
> I never experienced this, but I'd suggest to upgrade to 3.1.0.Final and see if the same happens.
>
> On 2017-05-04, Adrian Matei wrote:
> > Hi guys,
> >
> > Some users get unexpectedly the UPDATE_PASSWORD required action. The funny thing is, this happens even if this is disabled in Realm > Authentication > Required Actions > Update Password (OFF) (BUT entries still get generated in the USER_REQUIRED_ACTION table).
> >
> > I presume this happens when the sync with Active Directory happens, even when no users are imported... (No special config there)
> >
> > We had this issue with version 1.7.0.Final, but it still persists with the migration to version 2.5.1.Final
> >
> > Anyone experiences the same issue or can advise on this? Thanks.
> >
> > Best regards,
> > Adrian
>
> --
> abstractj

From bruno at abstractj.org Wed May 10 05:41:53 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 10 May 2017 06:41:53 -0300
Subject: [keycloak-user] Recurrent unexpected UPDATE_PASSWORD required action (AD related?)
In-Reply-To:
References: <20170508090651.GA31744@abstractj.org>
Message-ID: <20170510094153.GA7777@abstractj.org>

My suggestion was only to see if the same happens with the latest release.

On 2017-05-10, Adrian Matei wrote:
> Hi Bruno,
>
> Thanks for your response. We will migrate, ...eventually. It's not that easy with many apps depending on it.
>
> Best regards,
> Adrian

--
abstractj

From adrianmatei at gmail.com Wed May 10 06:09:23 2017
From: adrianmatei at gmail.com (Adrian Matei)
Date: Wed, 10 May 2017 12:09:23 +0200
Subject: [keycloak-user] Recurrent unexpected UPDATE_PASSWORD required action (AD related?)
In-Reply-To: <20170510094153.GA7777@abstractj.org>
References: <20170508090651.GA31744@abstractj.org> <20170510094153.GA7777@abstractj.org>
Message-ID:

Yep, that's a good idea - I could test it locally. The funny thing is that I don't know how to reproduce it...

Cheers,
Adrian

On Wed, May 10, 2017 at 11:41 AM, Bruno Oliveira wrote:
> My suggestion was only to see if the same happens with the latest release.

From john.d.ament at gmail.com Wed May 10 06:35:23 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 10 May 2017 10:35:23 +0000
Subject: [keycloak-user] Keycloak Performance with large number of realms
Message-ID:

Hi,

After enabling Keycloak and starting work on a multi-tenant application, it was noted that the admin console started to get very slow in keycloak. After some searching around, it seemed like this was an already reported issue [1] and a fix underway [2]. I was wondering if this fix would make it into 3.2?

If additional testing is needed, I'd be happy to help out. Deleting 161 realms with minimal clients and users took me 15 minutes via the REST API.

[1]: https://issues.jboss.org/browse/KEYCLOAK-4858
[2]: https://github.com/keycloak/keycloak/pull/4095

From haret.spiru.teodor at gmail.com Wed May 10 07:36:40 2017
From: haret.spiru.teodor at gmail.com (Teodor Haret)
Date: Wed, 10 May 2017 14:36:40 +0300
Subject: [keycloak-user] Authorization Evaluation tool and how to merge PR in lower branch
Message-ID:

Hello !

First of all, congratulations on a nice product and keep up the good work !

We are using KC v2.5.5.Final and we encountered an issue with the Evaluation tool on RBAC, which seems to have been already fixed in the latest version - I tested on master branch. At a first look, the issue seems to have been already fixed under KEYCLOAK-4652.

Our issue in a few details is:
- if we evaluate against a user which was granted a given realm role (ROLE1) directly, the result is 'Permit'; this is expected behavior.
- if we evaluate against another user which inherits the same realm role (ROLE1) indirectly - due to belonging to a group - the evaluation result is 'Deny'.

I would need your advice on:
- supposing 'KEYCLOAK-4652' is the one that also fixes my issue, what would be the procedure to ask for this fix to be merged down to 2.5.5.Final as well ?
- generically speaking, is there any scenario where I should open a separate issue on 2.5.5.Final (e.g. cases where the fix from 'KEYCLOAK-4652' is generic/complex and we want only a sub-part of it, etc) ?

Thank you,
Teo

From sthorger at redhat.com Wed May 10 07:57:04 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 10 May 2017 13:57:04 +0200
Subject: [keycloak-user] Authorization Evaluation tool and how to merge PR in lower branch
In-Reply-To:
References:
Message-ID:

We no longer maintain Keycloak 2.x in community. Please switch to the latest Keycloak release. Alternatively, you can look at using Red Hat Single Sign-On [1] which is our supported option.

[1] https://access.redhat.com/products/red-hat-single-sign-on

From sthorger at redhat.com Wed May 10 08:02:40 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 10 May 2017 14:02:40 +0200
Subject: [keycloak-user] Keycloak Performance with large number of realms
In-Reply-To:
References:
Message-ID:

There are a number of issues around having a large number of realms. We have a general issue open to support this: https://issues.jboss.org/browse/KEYCLOAK-4593

We haven't prioritized this in the past, but that has changed and we would like to get this sorted out. There's a few more related PRs including the one you linked:

https://github.com/keycloak/keycloak/pull/3557
https://github.com/keycloak/keycloak/pull/3561

From Bettina.Huebner at kvbawue.de Wed May 10 08:03:40 2017
From: Bettina.Huebner at kvbawue.de (Hübner, Bettina)
Date: Wed, 10 May 2017 12:03:40 +0000
Subject: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
In-Reply-To:
References: <1488232623127.15736@gohealth.com> <2cd6196b-6a58-0eef-d3dd-61be65711468@redhat.com>
Message-ID:

I tried with 3.1.0.Final. It works with group roles.

Thanks,
Bettina

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Pedro Igor Silva
Sent: Tuesday, 9 May 2017 20:11
To: Bill Burke
Cc: keycloak-user
Subject: Re: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool

I think you are right, Bill. This seems to be working already. I have written a test for role policy evaluation and group roles are working from both authorization endpoints and evaluation tool.

@Jeremy and @Bettina, it seems you are using 3.1.0.CR1. Could you try with 3.1.0.Final, please ?

Regards.
Pedro Igor

On Tue, May 9, 2017 at 11:36 AM, Bill Burke wrote:
> The policy evaluation tool should be validating roles based on group membership. I thought I fixed that, but I guess not.
>
> On 5/9/17 7:38 AM, Pedro Igor Silva wrote:
> > You are right. We are not considering roles associated with groups. We also lack a group based policy ....
> >
> > For the former, I've created https://issues.jboss.org/browse/KEYCLOAK-4874.
> > For the latter we have https://issues.jboss.org/browse/KEYCLOAK-3168.
> >
> > Will start working on those two issues before next release.
> >
> > On Tue, May 9, 2017 at 5:13 AM, Hübner, Bettina <Bettina.Huebner at kvbawue.de> wrote:
> > > Hi Jeremy,
> > >
> > > I noticed the same behaviour and it still happens in version 3.1.0.CR1. Effective Roles are not taken into account by the Policy Evaluation Tool, only roles assigned directly to a user.
> > >
> > > Best regards
> > > Bettina
> > >
> > > -----Original Message-----
> > > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Jeremy Majors
> > > Sent: Monday, 27 February 2017 22:57
> > > To: keycloak-user at lists.jboss.org
> > > Subject: [keycloak-user] Group Level Roles Not Honored by Policy Evaluation Tool
> > >
> > > I have setup my users to have the 'read' role by associating that role to a group which my users have been associated with. While testing the policies for a resource using the Policy Evaluation tool I determined that the roles associated with the groups weren't being picked up and the user was being denied access to the resource (please note that when I looked at the user's roles I did notice that 'read' was listed as an effective role). When I removed one of the users from the group and directly assigned the 'role' to the user then I was able to successfully access the resource using the Policy Evaluation tool.
> > >
> > > Can anyone else reproduce this issue? It's unclear whether it could be related to KEYCLOAK-2964, which has been closed.
> > >
> > > Thanks in advance,
> > >
> > > Jeremy

From khirschmann at huebinet.de Wed May 10 08:46:07 2017
From: khirschmann at huebinet.de (Kevin Hirschmann)
Date: Wed, 10 May 2017 14:46:07 +0200
Subject: [keycloak-user] admin cli - add composite roles to client role
Message-ID: <030e01d2c98b$64fc5020$2ef4f060$@huebinet.de>

Hello,

can someone please tell me how to use admin cli to add a client role to another client role - composite? In the docs I could find a way to add client roles to realm roles but this isn't what I need.

    call kcadm.bat add-roles -r demo --rname TTest --cclientid myapp --rolename change-color

(works if TTest is a realm role)

Thanks for your help.

Kevin Hirschmann

HUEBINET Informationsmanagement GmbH & Co. KG
Telephone: +49 (0) 261 / 5 00 86 - 17
Fax: +49 (0) 261 / 5 00 86 - 29
E-Mail: kevin.hirschmann at huebinet.de
Internet: www.huebinet.de

HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz

Registered office and court of registration: Koblenz HRA 5329
Personally liable partner of the KG: HUEBINET GmbH; registered office and court of registration: Koblenz HRB 6857
Management: Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz

From jlieskov at redhat.com Wed May 10 09:11:33 2017
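The role resolution the evaluation-tool threads and the composite-role question above both depend on, as an added example in a simplified model (not Keycloak's own code): a user's effective roles are the roles granted directly, the roles granted by a group and by any of its parent groups, and the transitive expansion of composite roles. A policy check that consults only direct roles produces the 'Deny' reported above for a user whose role comes from a group, while the enforcement endpoints permit, and that disagreement between tool and enforcement is the thing to test for. The realm, roles, groups and users are constructed.

```python
"""Effective-role resolution: direct roles, group-inherited roles (including parent
groups) and composite-role expansion. Added example with a constructed realm."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Group:
    name: str
    roles: Set[str] = field(default_factory=set)
    parent: Optional["Group"] = None          # subgroups inherit parent roles


@dataclass
class User:
    username: str
    direct_roles: Set[str] = field(default_factory=set)
    groups: List[Group] = field(default_factory=list)


@dataclass
class Realm:
    # role name -> roles it is composed of; plain roles are simply absent here
    composites: Dict[str, Set[str]] = field(default_factory=dict)

    def expand(self, roles: Set[str]) -> Set[str]:
        """Transitive composite expansion; each role is visited once, so a
        composite cycle cannot loop forever."""
        result: Set[str] = set()
        todo = list(roles)
        while todo:
            role = todo.pop()
            if role in result:
                continue
            result.add(role)
            todo.extend(self.composites.get(role, ()))
        return result


def group_roles(group: Group) -> Set[str]:
    """Roles granted by a group and by every ancestor up to the top-level group."""
    roles: Set[str] = set()
    node: Optional[Group] = group
    while node is not None:
        roles |= node.roles
        node = node.parent
    return roles


def effective_roles(realm: Realm, user: User) -> Set[str]:
    """Direct roles plus all group roles, then composite expansion of the union."""
    granted = set(user.direct_roles)
    for g in user.groups:
        granted |= group_roles(g)
    return realm.expand(granted)


def role_policy(realm: Realm, user: User, required: str, *, direct_only: bool) -> str:
    """Evaluate a role policy. direct_only=True reproduces the reported tool
    behaviour (group-inherited roles ignored); False is the correct decision and
    is what the authorization endpoints must agree with."""
    if direct_only:
        held = realm.expand(set(user.direct_roles))
    else:
        held = effective_roles(realm, user)
    return "Permit" if required in held else "Deny"


def build_example():
    """Constructed realm: ROLE1 is a composite containing change-color (a client
    role of myapp in the question above; role names are flat strings here), the
    'staff' group grants ROLE1 and 'dev' is a child group of 'staff'."""
    realm = Realm(composites={"ROLE1": {"change-color"}})
    staff = Group("staff", roles={"ROLE1"})
    dev = Group("dev", parent=staff)
    alice = User("alice", direct_roles={"ROLE1"})   # granted directly
    bob = User("bob", groups=[dev])                  # inherits via dev -> staff
    return realm, alice, bob


if __name__ == "__main__":
    realm, alice, bob = build_example()
    for u in (alice, bob):
        print(u.username, sorted(effective_roles(realm, u)),
              "direct-only:", role_policy(realm, u, "ROLE1", direct_only=True),
              "effective:", role_policy(realm, u, "ROLE1", direct_only=False))
```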
From: jlieskov at redhat.com (Jan Lieskovsky)
Date: Wed, 10 May 2017 09:11:33 -0400 (EDT)
Subject: [keycloak-user] Keycloak -- possible to configure connectionsJpa.migrationStrategy to "manual" via standalone.sh -D option?
In-Reply-To: <1500918152.5597524.1494420339633.JavaMail.zimbra@redhat.com>
Message-ID: <1215224066.5603269.1494421893710.JavaMail.zimbra@redhat.com>

Hello Keycloak users,

in order to perform a manual db upgrade when upgrading Keycloak from older versions, the current documentation:
https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationFromOlderVersions.html
(section Migrate database) suggests configuring standalone.xml as follows:

...

and possibly also setting "initializeEmpty=false" and the proper "migrationExport" file location [1].

As an alternative it is suggested to use the CLI (I am also aware of the exact form of the corresponding CLI query) instead. But suppose that due to some limitations it's not possible to perform either of these two actions (neither the standalone.xml update, nor the jboss-cli change).

Is there a way to configure "migrationStrategy" to "manual" using the list of correct options supplied on the CLI when starting the standalone.sh server? Something like [*]:

    ./standalone.sh -Dkeycloak.connectionsJpa.migrationStrategy=manual \
        -Dkeycloak.connectionsJpa.initializeEmpty=false \
        -Dkeycloak.connectionsJpa.migrationExport=/tmp/kdb-update.sql

E.g. it seems to be possible to use the -Dkeycloak.connectionsJpa.{url,driver,user,password} options at the very least (based on: http://lists.jboss.org/pipermail/keycloak-dev/2017-May/009286.html or https://github.com/keycloak/keycloak/blob/master/misc/DatabaseTesting.md), or the db export / import options (-Dkeycloak.migration.{action,provider}, based on: https://keycloak.gitbooks.io/documentation/server_admin/topics/export-import.html).

But is it possible in the same way (via custom -D options) to configure "migrationStrategy" to manual?

If so, could you hopefully provide a list / set / example of these options, how they should look?

Thank you for your time.

Regards,
--
Jan iankko Lieskovsky

P.S.: If someone is wondering, /me is not only asking, but actually tried the settings in [*], but they don't seem to be working for me. Thus I'm actually wondering if I have an issue in my setup or the "migrationStrategy" options are not expected to be working via -D options (yet)? (seeking the developers' confirmation that this is actually the case, in the latter case)

[1] https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/server_installation_and_configuration_guide/database#database_configuration

From sesnor.silva at sapo.pt Wed May 10 10:46:37 2017
From: sesnor.silva at sapo.pt (sesnor.silva at sapo.pt)
Date: Wed, 10 May 2017 15:46:37 +0100
Subject: [keycloak-user] Error with Postgres datasource
In-Reply-To: <20170509205324.GA13745@abstractj.org>
References: <20170508180729.Horde.0n0ESpN3VEwZn5UHzLDImYY@mail.sapo.pt> <20170508184450.GB17402@abstractj.org> <20170509163529.Horde.ONV3oGqdcyO7gLf0yuoAzzM@mail.sapo.pt> <20170509205324.GA13745@abstractj.org>
Message-ID: <20170510154637.Horde.vyRwgwlwZNEembcvHdCNKOQ@mail.sapo.pt>

Hello,

Well this is embarrassing. I was naming my postgres module directory incorrectly:

I had:
modules\system\layers\keycloak\org\postgres

Instead of:
modules\system\layers\keycloak\org\postgresql

Can't believe I missed that, it works perfectly now.

Thank you so much for your time.

Best regards,
Silva

Quoting Bruno Oliveira:
> Can you connect to the database with the same user provided at standalone.xml? Using pgAdmin for example? To me, still seems like a database misconfiguration. Although, I don't have Windows to try.
>> >> [1] - https://gist.github.com/abstractj/a154e452ed63c9ccab9578a713955670 >> >> On 2017-05-08, sesnor.silva at sapo.pt wrote: >>> Hello, >>> >>> I'm trying to configure Keycloak 3.1 to use Postgres 9.4 using the >>> documentation provided here: >>> https://keycloak.gitbooks.io/documentation/server_installation/topics/database.html >>> >>> However, running in standalone operation mode, I get the following error: >>> ? 2017-05-08 17:47:49,096 ERROR [org.jboss.msc.service.fail] >>> (ServerService Thread Pool -- 48) MSC000001: Failed to start service >>> jboss.undertow.deployment.default-server.default-host./auth: >>> org.jboss.msc.service.StartException in service >>> jboss.undertow.deployment.default-server.default-host./auth: >>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>> ? ? at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) >>> ? ? at >>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >>> ? ? at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>> ? ? at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>> ? ? at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>> ? ? at java.lang.Thread.run(Thread.java:745) >>> ? ? at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >>> construct public >>> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>> ? ? at >>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) >>> ? ? at >>> org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) >>> ? ? 
at >>> org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) >>> at >>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) >>> at >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >>> at >>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >>> at >>> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) >>> at >>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >>> at >>> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) >>> at >>> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) >>> at >>> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) >>> ... 6 more >>> Caused by: java.lang.RuntimeException: Failed to connect to database >>> at >>> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373) >>> at >>> org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) >>> at >>> org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97) >>> at >>> org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:543) >>>
at >>> org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) >>> at >>> org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:136) >>> at >>> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) >>> at >>> org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:129) >>> at >>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>> Method) >>> at >>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>> at >>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423) >>> at >>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >>> ... 19 more >>> Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS >>> [Root exception is java.lang.IllegalStateException] >>> at >>> org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153) >>> at >>> org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83) >>> at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207) >>> at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184) >>> at >>> org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:237) >>> at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193) >>> at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189) >>> at javax.naming.InitialContext.lookup(InitialContext.java:417) >>> at javax.naming.InitialContext.lookup(InitialContext.java:417) >>> at >>> org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366) >>> ...
31 more >>> Caused by: java.lang.IllegalStateException >>> at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:47) >>> at >>> org.jboss.as.naming.service.BinderService.getValue(BinderService.java:138) >>> at >>> org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46) >>> at >>> org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1158) >>> at >>> org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131) >>> ... 40 more >>> >>> And I'm at a stalemate with the configuration, because I have no idea >>> what I'm doing wrong. >>> >>> I've configured the postgres driver module in >>> keycloak-3.1.0.Final\modules\system\layers\keycloak\org\postgres\main >>> as (postgresql-9.4.1210.jar is present as well): >>> https://pastebin.com/pjwn09gX >>> >>> My standalone.xml is as follows: >>> https://pastebin.com/ggDHZFJx >>> >>> Does anyone have any idea what I could be doing wrong? Did I miss >>> anything on my configuration? >>> >>> Thank you very much for your time, >>> >>> My best regards, >>> Silva >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -- >> abstractj >> >> > > -- > abstractj From bruno at abstractj.org Wed May 10 10:48:45 2017
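Added example for the fix Silva describes above; this is not Keycloak or WildFly code. It is a small checker that confirms a JBoss module directory matches the name its module.xml declares and that the driver JAR the module lists is actually present. The module trees it inspects are constructed under a temporary directory, so the paths and the module.xml text are assumptions, not the poster's files.

```python
"""Consistency check for a JBoss/WildFly JDBC driver module (added example,
not Keycloak or WildFly code). Builds constructed module trees in a
temporary directory so it runs offline."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed module.xml modelled on a PostgreSQL driver module. The name
# attribute is what the datasource's <driver module="..."> refers to.
MODULE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.3" name="org.postgresql">
  <resources>
    <resource-root path="postgresql-9.4.1210.jar"/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
    <module name="javax.transaction.api"/>
  </dependencies>
</module>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.split("}", 1)[-1]


def check_module(modules_root, module_name, slot="main"):
    """Return a list of problems for the module WildFly would resolve for
    module_name; an empty list means directory, name and JAR agree."""
    problems = []
    # "org.postgresql" resolves to <root>/org/postgresql/<slot>/module.xml
    module_dir = os.path.join(modules_root, *module_name.split("."), slot)
    module_xml = os.path.join(module_dir, "module.xml")
    if not os.path.isfile(module_xml):
        problems.append("missing " + module_xml)
        return problems
    root = ET.parse(module_xml).getroot()
    declared = root.get("name")
    if declared != module_name:
        problems.append("module.xml declares '%s', directory implies '%s'"
                        % (declared, module_name))
    for el in root.iter():
        if _local(el.tag) == "resource-root":
            jar = os.path.join(module_dir, el.get("path", ""))
            if not os.path.isfile(jar):
                problems.append("resource-root not found: " + jar)
    return problems


def find_misplaced(modules_root):
    """Walk the whole tree and report every module.xml whose declared name
    does not match the directory it lives in (the mistake in the thread:
    org/postgres/main holding a module named org.postgresql)."""
    misplaced = []
    for dirpath, _dirs, files in os.walk(modules_root):
        if "module.xml" not in files:
            continue
        rel = os.path.relpath(dirpath, modules_root).split(os.sep)
        implied = ".".join(rel[:-1])  # last path component is the slot
        declared = ET.parse(os.path.join(dirpath, "module.xml")).getroot().get("name")
        if declared != implied:
            misplaced.append((declared, implied))
    return misplaced


def build_layout(modules_root, dir_parts, jar="postgresql-9.4.1210.jar"):
    """Constructed fixture: write module.xml and an empty stand-in JAR."""
    d = os.path.join(modules_root, *dir_parts, "main")
    os.makedirs(d)
    with open(os.path.join(d, "module.xml"), "w", encoding="utf-8") as f:
        f.write(MODULE_XML)
    open(os.path.join(d, jar), "wb").close()


def demo():
    """Run the checks against the wrong and the corrected layout."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        build_layout(root, ["org", "postgres"])          # layout from the thread
        results["wrong"] = check_module(root, "org.postgresql")
        results["misplaced"] = find_misplaced(root)
    with tempfile.TemporaryDirectory() as root:
        build_layout(root, ["org", "postgresql"])        # corrected layout
        results["right"] = check_module(root, "org.postgresql")
        results["right_misplaced"] = find_misplaced(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real installation, point check_module at modules/system/layers/keycloak and pass the module name from the datasource's driver element in standalone.xml. WildFly maps that name onto the directory path, so when the two disagree the driver never loads, the datasource service never binds, and the first symptom is the NameNotFoundException for datasources/KeycloakDS seen in the trace rather than anything mentioning the module.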
From: bruno at abstractj.org (Bruno Oliveira) Date: Wed, 10 May 2017 14:48:45 +0000 Subject: [keycloak-user] Error with Postgres datasource In-Reply-To: <20170510154637.Horde.vyRwgwlwZNEembcvHdCNKOQ@mail.sapo.pt> References: <20170508180729.Horde.0n0ESpN3VEwZn5UHzLDImYY@mail.sapo.pt> <20170508184450.GB17402@abstractj.org> <20170509163529.Horde.ONV3oGqdcyO7gLf0yuoAzzM@mail.sapo.pt> <20170509205324.GA13745@abstractj.org> <20170510154637.Horde.vyRwgwlwZNEembcvHdCNKOQ@mail.sapo.pt> Message-ID: No problem, I'm glad that it worked. On Wed, May 10, 2017 at 11:46 AM wrote: > Hello, > > Well this is embarrassing. I was naming my postgres module directory > incorrectly: > > I had: modules\system\layers\keycloak\org\postgres > Instead of: modules\system\layers\keycloak\org\postgresql > > Can't believe I missed that, it works perfectly now. > > Thank you so much for your time. > > Best regards, > Silva > > > Quoting Bruno Oliveira : > > Can you connect to the database with the same user provided at > standalone.xml? Using pgAdmin for example? To me, still seems like a > database misconfiguration. Although, I don't have Windows to try. > > On 2017-05-09, sesnor.silva at sapo.pt wrote: > > Hello, > > Thank you for your reply, > > Sadly it doesn't seem to budge. Even by copy-pasting your exact > configuration (changing the username/password for postgres of course). > > What I find especially strange is the following part of the error: "Caused > by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root > exception is java.lang.IllegalStateException]" > > Also, I'm running on Windows 8.1 64-bit currently. > > What else could I try? > > My best regards, > Silva > > > Quoting Bruno Oliveira : > > I just ran the entire DB setup from scratch with KC 3.1.0 and got > postgresql working with no issues. > > Looking at your config, you do not specify PostgreSQL TCP port, plus > make sure you have the proper permissions in pg_hba.conf and of > course, the database.
> I'm sending gist[1] with my configuration, to get you started. I hope it > helps. > > [1] - https://gist.github.com/abstractj/a154e452ed63c9ccab9578a713955670 > > On 2017-05-08, sesnor.silva at sapo.pt wrote: > > Hello, > > > > I'm trying to configure Keycloak 3.1 to use Postgres 9.4 using the > > documentation provided here: > > > https://keycloak.gitbooks.io/documentation/server_installation/topics/database.html > > > > However, running in standalone operation mode, I get the following error: > > 2017-05-08 17:47:49,096 ERROR [org.jboss.msc.service.fail] > > (ServerService Thread Pool -- 48) MSC000001: Failed to start service > > jboss.undertow.deployment.default-server.default-host./auth: > > org.jboss.msc.service.StartException in service > > jboss.undertow.deployment.default-server.default-host./auth: > > java.lang.RuntimeException: RESTEASY003325: Failed to construct public > > > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > > at > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) > > at > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > at > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > > at java.lang.Thread.run(Thread.java:745) > > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to > > construct public > > > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > > at > > > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) > > at > > > 
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) > > at > > > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) > > at > > > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) > > at > > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) > > at > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > > at > > > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > > at > > > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > > at > > > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > > at > > > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) > > at > > > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) > > at > > > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) > > at > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) > > at > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > > ... 
6 more > > Caused by: java.lang.RuntimeException: Failed to connect to database > > at > > > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373) > > at > > > org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) > > at > > > org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:543) > > at > > > org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) > > at > > > org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:136) > > at > > > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) > > at > > > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:129) > > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > > at > > > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > > at > > > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > > ... 
19 more > > Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS > > [Root exception is java.lang.IllegalStateException] > > at > > > org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153) > > at > > > org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83) > > at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207) > > at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184) > > at > > > org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:237) > > at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193) > > at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189) > > at javax.naming.InitialContext.lookup(InitialContext.java:417) > > at javax.naming.InitialContext.lookup(InitialContext.java:417) > > at > > > org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366) > > ... 31 more > > Caused by: java.lang.IllegalStateException > > at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:47) > > at > > > org.jboss.as.naming.service.BinderService.getValue(BinderService.java:138) > > at > > org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46) > > at > > > org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1158) > > at > > > org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131) > > ... 40 more > > > > And I'm at a stalemate with the configuration, because I have no idea > > what I'm doing wrong. > > > > I've configured the postgres driver module in > > keycloak-3.1.0.Final\modules\system\layers\keycloak\org\postgres\main > > as (postgresql-9.4.1210.jar is present as well): > > https://pastebin.com/pjwn09gX > > > > My standalone.xml is as follows: > > https://pastebin.com/ggDHZFJx > > > > Does anyone have any idea what I could be doing wrong? 
Did I miss > > anything on my configuration? > > > > Thank you very much for your time, > > > > My best regards, > > Silva > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > abstractj > > > > -- > abstractj > > > > From istvan.orban at gmail.com Wed May 10 11:15:23 2017 From: istvan.orban at gmail.com (Istvan Orban) Date: Wed, 10 May 2017 16:15:23 +0100 Subject: [keycloak-user] question on REST API usage Message-ID: Hi Guys, We have several applications, one of them is a SPA. We are moving our application's user management to Keycloak. In our SPA application we have three features. 1, /api/users/me -> returning the details of the logged-in user 2, /api/users -> get a list of users / realm 3, /api/users/{email} -> returning info of a user Solutions: 1, is easy to solve by using the userinfo endpoint of OpenID Connect. 2 and 3 I wanted to solve by creating an API proxy and using the REST endpoint of Keycloak. Of course, to support this my existing API needs to log in to the realm as a user. Am I on the right track? Is there a better approach? Thanks for any guidance! From cbenninger at phemi.com Wed May 10 12:25:15 2017
From: cbenninger at phemi.com (Chris Benninger) Date: Wed, 10 May 2017 09:25:15 -0700 Subject: [keycloak-user] Trouble with initial SSL handshake from client In-Reply-To: References: Message-ID: OK, I solved it. Turned out it was my fault, the cert I generated had a typo in the CN field. Apologies for cluttering the list. On Tue, May 9, 2017 at 2:27 PM, Chris Benninger wrote: > Hi, > > I just moved my dev setup from HTTP to HTTPS. Right now I have a > self-signed cert. > > What I do is, set up a cert the usual way and configure keycloak. > Everything is fine from the browser once I accept the cert. > > Then my backend service keycloak.conf has 'https' now in it. All good. In > order to make my java service using keycloak client to trust it I have to > add the cert to the trust store. > > I export the public cert > >> keytool -export -keystore keycloak.jks -alias keycloak -file keycloak.cer > > > Then on the backend client, I import it to the default keystore > >> keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts >> -alias keycloak -file keycloak.cer > > > When I try and perform the first call on the backend service it is still > rejecting the cert for some reason? I can't get it to trust the thing. > > 2017-05-09 21:14:40,053 ERROR o.k.a.r.JWKPublicKeyLocator Error when >> sending request to retrieve realm keys org.keycloak.adapters.HttpClientAdapterException: >> IO error >> ... >> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: >> PKIX path validation failed: java.security.cert.CertPathValidatorException: >> signature check failed >> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) >> ~[?:1.8.0_111] >> ...
>> Caused by: sun.security.validator.ValidatorException: PKIX path >> validation failed: java.security.cert.CertPathValidatorException: >> signature check failed > > > If anyone has any insight it would be greatly appreciated > From john.d.ament at gmail.com Wed May 10 12:38:10 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Wed, 10 May 2017 16:38:10 +0000 Subject: [keycloak-user] Associating users to IDPs Message-ID: Hi, In my keycloak install, users don't have passwords yet as they're using SAML to access my applications. Other than calling APIs to set up the federated ID links, are there other ways to automatically create a relationship between a user and their IDP? For now, every user would be associated to every IDP in their realm. John From john.d.ament at gmail.com Wed May 10 12:40:47 2017
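Added example for Chris's trust-store thread above; it is not Keycloak or JDK code. It implements the hostname check a TLS client applies to a server certificate (subjectAltName first, subject CN only as a fallback, wildcard only as the whole left-most label), written against the dict shape that Python's ssl.SSLSocket.getpeercert() returns, so a certificate with a mistyped CN can be caught before keytool -import rather than after the first failed handshake. The certificates and host name below are constructed.

```python
"""Hostname check to run on a certificate before it goes into a trust store.
Added example (not Keycloak or JDK code) over getpeercert()-style dicts;
all certificates here are constructed."""


def match_dns_name(pattern, hostname):
    """Compare one dNSName (or CN) pattern with a hostname. A wildcard is
    accepted only as the whole left-most label of a name with at least two
    further labels (*.example.test), as RFC 6125 section 6.4.3 allows."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def candidate_names(cert):
    """Names a client actually compares with the host: every DNS entry in
    subjectAltName, and the subject CN only when there is no SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def hostname_matches(cert, hostname):
    return any(match_dns_name(name, hostname) for name in candidate_names(cert))


def audit_before_import(cert, hostname):
    """Findings worth reading before running keytool -import."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append("no name in the certificate matches %s (have %s)"
                        % (hostname, candidate_names(cert)))
    if not any(kind == "DNS" for kind, _ in cert.get("subjectAltName", ())):
        findings.append("no subjectAltName: CN-only certificates are rejected "
                        "by current browsers and some TLS libraries")
    return findings


# Constructed certificates in the form returned by getpeercert().
HOST = "keycloak.example.test"
CERT_TYPO_CN = {"subject": ((("commonName", "keycloack.example.test"),),)}
CERT_CN_ONLY = {"subject": ((("commonName", HOST),),)}
CERT_GOOD = {"subject": ((("commonName", HOST),),),
             "subjectAltName": (("DNS", HOST),)}
# CN is right but the SAN names another host: SAN wins, so this fails too.
CERT_SAN_WINS = {"subject": ((("commonName", HOST),),),
                 "subjectAltName": (("DNS", "other.example.test"),)}


if __name__ == "__main__":
    for label, cert in [("typo-cn", CERT_TYPO_CN), ("cn-only", CERT_CN_ONLY),
                        ("good", CERT_GOOD), ("san-wins", CERT_SAN_WINS)]:
        print(label, hostname_matches(cert, HOST), audit_before_import(cert, HOST))
```

Two practical notes on the procedure in the thread: a certificate imported into $JAVA_HOME/jre/lib/security/cacerts is trusted by every JVM that uses that runtime, so a dedicated truststore passed to the one service with -Djavax.net.ssl.trustStore keeps the self-signed certificate's reach to that service; and when regenerating the certificate, put the host name in a subjectAltName DNS entry as well as the CN, since SAN is what current clients check.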
From: john.d.ament at gmail.com (John D. Ament) Date: Wed, 10 May 2017 16:40:47 +0000 Subject: [keycloak-user] Keycloak Performance with large number of realms In-Reply-To: References: Message-ID: Stian, Good news. Glad to see these things get prioritized. So far they look like they're matching the problems I'm running into, specifically around the whoami endpoint and overall number of SQLs (2800 queries in one of my tests) and the total number of DB connections allocated within that one request (3200+). John On Wed, May 10, 2017 at 8:02 AM Stian Thorgersen wrote: > There are a number of issues around having a large number of realms. We > have a general issue open to support this: > https://issues.jboss.org/browse/KEYCLOAK-4593 > > We haven't prioritized this in the past, but that has changed and we would > like to get this sorted out. > > There's a few more related PRs including the one you linked: > https://github.com/keycloak/keycloak/pull/3557 > https://github.com/keycloak/keycloak/pull/3561 > > On 10 May 2017 at 12:35, John D. Ament wrote: > >> Hi, >> >> After enabling Keycloak and starting work on a multi-tenant application, >> it >> was noted that the admin console started to get very slow in keycloak. >> After some searching around, it seemed like this was an already reported >> issue [1] and a fix underway [2]. I was wondering if this fix would make >> it into 3.2? >> >> If additional testing is needed, I'd be happy to help out. Deleting 161 >> realms with minimal clients and users took me 15 minutes via the REST API. >> >> [1]: https://issues.jboss.org/browse/KEYCLOAK-4858 >> [2]: https://github.com/keycloak/keycloak/pull/4095 >> > _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From don.reynolds at quest.com Wed May 10 12:43:11 2017 
From: don.reynolds at quest.com (Don Reynolds) Date: Wed, 10 May 2017 09:43:11 -0700 (MST) Subject: [keycloak-user] Support for transactional email providers like SendGrid, Mailgun or Mandrill In-Reply-To: References: <20160727152350.GA9040@abstractj.org> Message-ID: <1494434591520-3843.post@n6.nabble.com> Hello Vineet, I just came across your post from last year concerning an SPI for SendGrid where you stated that you were able to get it working. Do you mind sharing your implementation? Thanks, Don Reynolds -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Support-for-transactional-email-providers-like-SendGrid-Mailgun-or-Mandrill-tp194p3843.html Sent from the keycloak-user mailing list archive at Nabble.com. From jason at naidmincloud.com Wed May 10 17:36:37 2017 
From: jason at naidmincloud.com (Jason B) Date: Thu, 11 May 2017 03:06:37 +0530 Subject: [keycloak-user] Issue with OAuth token introspection Message-ID: Hello All, I am having an issue with OAuth token introspection. Our Keycloak service is accessible with two different host names. For example access-external.naidm.com & access-internal.naidm.com. When I, as an end user, obtain the OAuth token through access-external.naidm.com and pass it to the resource server, and the resource server tries to introspect the token through access-internal.naidm.com, token introspection fails and we always get {"active": false} irrespective of whether the issued token is valid or not. If we try to validate the OAuth token through the access-external.naidm.com endpoint, introspection succeeds. So we arrived at the conclusion that the same endpoint (with the same FQDN) needs to be used for obtaining and introspecting an OAuth token. Also, we noticed that tokens issued over HTTPS can't be validated over HTTP and vice versa. We are not concerned about HTTP, but we are concerned about why introspection is failing with different FQDN endpoints. BTW, we are using Keycloak 3.1 CR1. Any thoughts on why Keycloak is behaving this way? Is there any way we can change this behavior? Please share your thoughts on this. - J From sthorger at redhat.com Thu May 11 05:43:18 2017
From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 11 May 2017 11:43:18 +0200 Subject: [keycloak-user] How to remove Expires/Max-age from session cookie? In-Reply-To: References: Message-ID: Cookie will only survive browser restarts if you enable remember me and user clicks the remember me checkbox. On 8 May 2017 at 20:31, Caranzo Gideon wrote: > Hi, > > Is it possible in Keycloak to remove Expires/Max-age from > "KEYCLOAK_SESSION" cookie? > Basically, we want the cookie to last only until browser is closed. > > Also, why does Keycloak set this value on the cookie? What are the risks > in case an attacker is able to steal it? > > Best regards, > Gideon > > ________________________________ > This message and any attachments are intended solely for the addressees > and may contain confidential information. Any unauthorized use or > disclosure, either whole or partial, is prohibited. > E-mails are susceptible to alteration. Our company shall not be liable for > the message if altered, changed or falsified. If you are not the intended > recipient of this message, please delete it and notify the sender. > Although all reasonable efforts have been made to keep this transmission > free from viruses, the sender will not be liable for damages caused by a > transmitted virus. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Thu May 11 06:48:32 2017 
From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 11 May 2017 12:48:32 +0200 Subject: [keycloak-user] Critical vulnerability fixed in Keycloak Node.js adapters Message-ID: A critical vulnerability was discovered in the Keycloak Node.js adapters. We highly recommend everyone upgrades to version 3.1.0 of the adapter immediately. This adapter will work with Keycloak 2 and upwards. For more details see CVE-2017-7474. From denny.israel at gmail.com Thu May 11 09:32:02 2017 From: denny.israel at gmail.com (sideisra) Date: Thu, 11 May 2017 06:32:02 -0700 (MST) Subject: [keycloak-user] Best way to verify an AccessToken with RSATokenVerifer and keycloak-admin-client In-Reply-To: References: Message-ID: <1494509522762-3857.post@n6.nabble.com> > Is there a reason for this or is this "just" an API gap that can be fixed? Is there an issue in the keycloak JIRA already (https://issues.jboss.org/projects/KEYCLOAK/issues)? It feels like it should be a feature of the keycloak-authz-client. -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Best-way-to-verify-an-AccessToken-with-RSATokenVerifer-and-keycloak-admin-client-tp2815p3857.html Sent from the keycloak-user mailing list archive at Nabble.com. From jason at naidmincloud.com Thu May 11 09:35:46 2017
From: jason at naidmincloud.com (Jason B) Date: Thu, 11 May 2017 19:05:46 +0530 Subject: [keycloak-user] Issue with OAuth token introspection In-Reply-To: References: Message-ID: I see that this behavior is due to the logic implemented in the TokenVerifier.java class https://github.com/keycloak/keycloak/blob/ca3691e650464816f435e361c071ff678ffe1f01/services/src/main/java/org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.java In the TokenVerifier class it checks whether the issuer of the access token and the accessed realm URL are the same or not. To achieve my use case I want to disable the "checkRealmUrl=true" flag in that class. That means initializing the checkRealmUrl variable as "false". This will solve my issue. But I want to understand whether I am making any compromise on the confidentiality and integrity of the access token. Would like to hear your opinions on this. Please let me know your thoughts. - J On Thu, May 11, 2017 at 3:06 AM, Jason B wrote: > Hello All, > > I am having an issue with OAuth token introspection. Our Keycloak service > is accessible with two different host names. > > For example access-external.naidm.com & access-internal.naidm.com > > As an end user when I am obtaining the OAuth token through > access-external.naidm.com and passing it to the resource server and > resource server trying to introspect the token through > access-internal.naidm.com token introspection is failing and we are > always getting {"active": false} irrespective of whether issued token is > valid or not. > > If we try to validate the OAuth token through access-external.naidm.com > endpoint introspection is succeeding. So we arrived at a conclusion that > same endpoint (with same FQDN) need to be used for obtaining and > introspecting an OAuth token. Also, we noticed that tokens issued over > HTTPS protocol can't be validated over HTTP protocol and vice versa.
We are > not concerned about HTTP but we are concerned about why introspection > is failing with different FQDN end points. > > BTW, we are using Keycloak 3.1 CR1. Any thoughts on why Keycloak is behaving > this way? Is there any way we can change this behavior? Please share your > thoughts on this. > > - J > From tecnologia at growingup.com.co Thu May 11 09:47:14 2017 From: tecnologia at growingup.com.co (tecnologia at growingup.com.co) Date: Thu, 11 May 2017 08:47:14 -0500 Subject: [keycloak-user] Forgot password does not verify the account Message-ID: <001701d2ca5d$1a14b660$4e3e2320$@growingup.com.co> The forgot-password option is not validating that the email is registered. The expected result is that if you use an unregistered email, you get an error message. It always confirms, even when the account does not exist. -- Jairo Henao Rojas From mitya at cargosoft.ru Thu May 11 11:30:48 2017
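Added example for Jason's introspection thread above; it is not Keycloak code. Keycloak signs access tokens with the realm's RSA key and its verifier compares the token's iss claim with the realm URL of the endpoint being called; this version uses HS256 with a shared key so that it runs with the standard library alone, and the host names, key and claims are constructed. It reproduces the observed failure, shows pinning an explicit set of accepted issuers as the alternative to switching the check off entirely, and shows what the issuer check is protecting against.

```python
"""Issuer-pinned token verification (added example, not Keycloak code).
HS256 with a shared key stands in for Keycloak's per-realm RSA signing."""
import base64
import hashlib
import hmac
import json
import time

# Constructed realm URLs and key.
EXTERNAL_ISSUER = "https://access-external.naidm.com/auth/realms/demo"
INTERNAL_ISSUER = "https://access-internal.naidm.com/auth/realms/demo"
REALM_KEY = b"constructed-demo-realm-key"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key):
    """Mint an HS256 JWT; iss is whatever URL the user reached the server on."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url(sig))


def introspect(token, key, accepted_issuers, now=None):
    """Check signature, expiry, then issuer. accepted_issuers is the set of
    realm URLs this verifier trusts; None reproduces what switching the
    issuer check off does. Keycloak itself answers only {"active": false};
    the reason field here is for the reader."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"active": False, "reason": "malformed"}
    header, payload, sig = parts
    expected = hmac.new(key, ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return {"active": False, "reason": "bad signature"}
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return {"active": False, "reason": "expired"}
    if accepted_issuers is not None and claims.get("iss") not in accepted_issuers:
        return {"active": False, "reason": "issuer mismatch"}
    return {"active": True, "iss": claims.get("iss"), "sub": claims.get("sub")}


def demo(now=1500000000):
    """The configurations the thread discusses, side by side."""
    token = issue_token({"iss": EXTERNAL_ISSUER, "sub": "jason", "exp": now + 300}, REALM_KEY)
    # A token minted by some other deployment that happens to hold the same key.
    foreign = issue_token({"iss": "https://other-deployment.example/auth/realms/demo",
                           "sub": "jason", "exp": now + 300}, REALM_KEY)
    # Same header and signature, payload swapped for one naming another subject.
    header, _payload, sig = token.split(".")
    forged_payload = issue_token({"iss": EXTERNAL_ISSUER, "sub": "admin",
                                  "exp": now + 300}, REALM_KEY).split(".")[1]
    tampered = ".".join([header, forged_payload, sig])
    both = {EXTERNAL_ISSUER, INTERNAL_ISSUER}
    return {
        # resource server uses the internal name only: rejected, as observed
        "internal_only": introspect(token, REALM_KEY, {INTERNAL_ISSUER}, now),
        # both names pinned: accepted without weakening the check
        "both_pinned": introspect(token, REALM_KEY, both, now),
        # check off: anything the key validates is accepted, wherever it came from
        "check_off_foreign": introspect(foreign, REALM_KEY, None, now),
        "both_pinned_foreign": introspect(foreign, REALM_KEY, both, now),
        "tampered": introspect(tampered, REALM_KEY, None, now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the issuer check gone, the signature is the only thing binding a token to this deployment, so any token signed by a key the verifier trusts is accepted no matter which realm URL minted it. Pinning the set of issuers the resource server accepts keeps that binding while allowing both host names, which is the property the thread is after.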
From: mitya at cargosoft.ru (Dmitry Telegin) Date: Thu, 11 May 2017 18:30:48 +0300 Subject: [keycloak-user] Need info on Keycloak benchmarks & success stories In-Reply-To: <1494257711.3430.1.camel@cargosoft.ru> References: <1493293505.2855.1.camel@cargosoft.ru> <1494257711.3430.1.camel@cargosoft.ru> Message-ID: <1494516648.3797.1.camel@cargosoft.ru> The third and the final attempt. Never imagined that obtaining success stories would be the most complicated part of the tender :) > Hi, > > MGTS, Moscow's leading telephony and internet provider with ~4M > subscribers, holds a tender for a web SSO solution to replace their > current OpenAM. Our company participates with Keycloak/RHSSO based > solution. We've successfully passed an RFI phase and advanced to RFP, > where we will be asked to produce the following performance > measurements: > - single node capacity (logins/sec) for a known server configuration; > - capacity increase per each node added to the cluster. > > Thus, I wanted to ask if anyone has performed such a sort of > benchmarking for Keycloak, and if the results are available. If not, > what's the best approach to perform benchmarking ourselves? Did > anyone > have success with keycloak-benchmark? > > Additionally, it would help us much if we could refer to some success > stories of real-world Keycloak deployments, preferably in the telecom > area. > > Thanks! > Dmitry From rationull at gmail.com Thu May 11 12:01:47 2017 
From: rationull at gmail.com (Jonathan Little) Date: Thu, 11 May 2017 09:01:47 -0700 Subject: [keycloak-user] Forgot password does not verify the account In-Reply-To: <001701d2ca5d$1a14b660$4e3e2320$@growingup.com.co> References: <001701d2ca5d$1a14b660$4e3e2320$@growingup.com.co> Message-ID: I'm not really in the know about this stuff, but I'd guess that's by design. If the recovery process gave an error message for unregistered email addresses, then that would provide a way for an attacker to find out whether or not a given email address is registered in the service. On Thu, May 11, 2017 at 6:47 AM, wrote: > The password remembering option is not validating that the email is > registered. > > > > The expected result is that you do not use an unregistered email, you get > an > error message > > > > Always confirms, even when the account does not exist. > > > > > > -- > > > > Jairo Henao Rojas > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Thu May 11 12:37:53 2017 
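Added example for the forgot-password thread above; it is not Keycloak's implementation. It shows a reset handler that answers identically whether or not the address is registered, beside the leaky variant Jairo expected, and a black-box check that tells the two behaviours apart. The registered users and the outbox are constructed stand-ins for the user store and the mail sender.

```python
"""Forgot-password handler that does not reveal whether an address is
registered (added example, not Keycloak code). Users, outbox and audit
log are constructed stand-ins."""
import secrets

REGISTERED = {"alice@example.test", "bob@example.test"}   # constructed users
GENERIC = (200, "If an account exists for that address, a reset link has been sent.")


def reset_leaky(email, users, outbox, audit):
    """Tells the caller whether the address is registered: an attacker can
    walk a list of addresses and learn which ones have accounts."""
    if email not in users:
        return (404, "No account is registered for that e-mail address.")
    outbox.append((email, secrets.token_urlsafe(32)))
    return (200, "A reset link has been sent.")


def reset_safe(email, users, outbox, audit):
    """Same status and body whether or not the address exists. The token is
    generated on both paths so they do the same work; only the send is
    conditional. The audit record keeps the fact for rate limiting and
    alerting, where it belongs, instead of putting it in the HTTP reply."""
    token = secrets.token_urlsafe(32)
    known = email in users
    if known:
        outbox.append((email, token))
    audit.append({"email": email, "known": known})
    return GENERIC


def responses_distinguishable(handler, users, unknown="nobody@example.test"):
    """Black-box check: do a registered and an unregistered address produce
    different replies? This is the test to run against a real endpoint."""
    known_reply = handler(sorted(users)[0], users, [], [])
    unknown_reply = handler(unknown, users, [], [])
    return known_reply != unknown_reply


if __name__ == "__main__":
    print("leaky distinguishable:", responses_distinguishable(reset_leaky, REGISTERED))
    print("safe distinguishable:", responses_distinguishable(reset_safe, REGISTERED))
```

Two things the equal-response rule does not cover on its own: the reply should take about the same time on both paths (sending the mail synchronously only for registered addresses shows up as latency, so queue the send), and the same question applies to registration and login errors, which leak the same fact if they say "that address is already taken" or "unknown user".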
From: bburke at redhat.com (Bill Burke) Date: Thu, 11 May 2017 12:37:53 -0400 Subject: [keycloak-user] Need info on Keycloak benchmarks & success stories In-Reply-To: <1494516648.3797.1.camel@cargosoft.ru> References: <1493293505.2855.1.camel@cargosoft.ru> <1494257711.3430.1.camel@cargosoft.ru> <1494516648.3797.1.camel@cargosoft.ru> Message-ID: <32cffdbf-7865-ba99-3de1-d92d0fd1d629@redhat.com> Red Hat doesn't just blindly give out success stories of customers. Many customers don't want that info public. On 5/11/17 11:30 AM, Dmitry Telegin wrote: > The third and the final attempt. Never imagined that obtaining success > stories would be the most complicated part of the tender :) >> Hi, >> >> MGTS, Moscow's leading telephony and internet provider with ~4M >> subscribers, holds a tender for a web SSO solution to replace their >> current OpenAM. Our company participates with Keycloak/RHSSO based >> solution. We've successfully passed an RFI phase and advanced to RFP, >> where we will be asked to produce the following performance >> measurements: >> - single node capacity (logins/sec) for a known server configuration; >> - capacity increase per each node added to the cluster. >> >> Thus, I wanted to ask if anyone has performed such a sort of >> benchmarking for Keycloak, and if the results are available. If not, >> what's the best approach to perform benchmarking ourselves? Did >> anyone >> have success with keycloak-benchmark? >> >> Additionally, it would help us much if we could refer to some success >> stories of real-world Keycloak deployments, preferably in the telecom >> area. >> >> Thanks! >> Dmitry > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mitya at cargosoft.ru Thu May 11 13:17:39 2017 
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Thu, 11 May 2017 20:17:39 +0300
Subject: [keycloak-user] Need info on Keycloak benchmarks & success stories
In-Reply-To: <32cffdbf-7865-ba99-3de1-d92d0fd1d629@redhat.com>
References: <1493293505.2855.1.camel@cargosoft.ru> <1494257711.3430.1.camel@cargosoft.ru> <1494516648.3797.1.camel@cargosoft.ru> <32cffdbf-7865-ba99-3de1-d92d0fd1d629@redhat.com>
Message-ID: <1494523059.3797.3.camel@cargosoft.ru>

Hi Bill,

> Red Hat doesn't just blindly give out success stories of customers.
> Many customers don't want that info public.

Yep, it's absolutely clear. In fact I'm talking about those success stories you were planning to publish on the website:

> > > > * Are there any customer success stories anyone can share?
> > > Yes, but I haven't put them on the website. Lack of time

http://lists.jboss.org/pipermail/keycloak-user/2016-January/004394.html

In the same message, you've mentioned that you were "working with performance team to get some good stress tests and benchmarks". Just wanted to know if there were any advances in that? Thanks!

Dmitry

> On 5/11/17 11:30 AM, Dmitry Telegin wrote:
> > The third and the final attempt. Never imagined that obtaining success stories would be the most complicated part of the tender :)
> > > Hi,
> > >
> > > MGTS, Moscow's leading telephony and internet provider with ~4M subscribers, holds a tender for a web SSO solution to replace their current OpenAM. Our company participates with Keycloak/RHSSO based solution. We've successfully passed an RFI phase and advanced to RFP, where we will be asked to produce the following performance measurements:
> > > - single node capacity (logins/sec) for a known server configuration;
> > > - capacity increase per each node added to the cluster.
> > >
> > > Thus, I wanted to ask if anyone has performed such a sort of benchmarking for Keycloak, and if the results are available. If not, what's the best approach to perform benchmarking ourselves? Did anyone have success with keycloak-benchmark?
> > >
> > > Additionally, it would help us much if we could refer to some success stories of real-world Keycloak deployments, preferably in the telecom area.
> > >
> > > Thanks!
> > > Dmitry
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From scott.finlay at sixt.com Fri May 12 03:27:17 2017
From: scott.finlay at sixt.com (Scott Finlay)
Date: Fri, 12 May 2017 07:27:17 +0000
Subject: [keycloak-user] Can't set password when registering a user
Message-ID:

Hi,

According to the Keycloak admin API documentation:
http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_create_a_new_user
-> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_userrepresentation
-> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_credentialrepresentation

We should be able to provide credentials when creating a new user, but when I provide credentials it doesn't seem to set the password for the new user. Here is what my request looks like:

POST /auth/admin/realms/myrealm/users/
{"enabled":true,"username":"blah at blop.com","email":"blah at blop.com","firstName":"Blah","lastName":"Blop","attributes":{"userId":["1234"]},"credentials":[{"type":"password","temporary":false,"value":"secr$tP4ssword"}]}

Just as an experiment, I tried passing a single "credential" instead of an array of credentials and I got this error back:

internal server error;KeyCloak HTTP Error Response [400]: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 264472bc; line: 1, column: 156] (through reference chain: org.keycloak.representations.idm.UserRepresentation["credentials"])

So clearly Keycloak is actually parsing this field. Am I doing something wrong with this request or is the documentation wrong?

Right now what we've been doing to get around this is registering the user and then doing a reset password request after, but this makes the request to our service take twice as long. It would be great if we could reduce this to a single request.

Regards,
Scott

From sthorger at redhat.com Fri May 12 03:29:09 2017
From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 12 May 2017 09:29:09 +0200 Subject: [keycloak-user] Need info on Keycloak benchmarks & success stories In-Reply-To: <1494523059.3797.3.camel@cargosoft.ru> References: <1493293505.2855.1.camel@cargosoft.ru> <1494257711.3430.1.camel@cargosoft.ru> <1494516648.3797.1.camel@cargosoft.ru> <32cffdbf-7865-ba99-3de1-d92d0fd1d629@redhat.com> <1494523059.3797.3.camel@cargosoft.ru> Message-ID: Are you planning on using RH-SSO or Keycloak? On 11 May 2017 at 19:17, Dmitry Telegin wrote: > Hi Bill, > > > Red Hat doesn't just blindly give out success stories of customers. > > Many customers don't want that info public. > > Yep, it's absolutely clear. In fact I'm talking about those success > stories you were planning to publish on the website: > > > > > > > * Are there any customer success stories anyone can share? > > > > > Yes, but I haven't put them on the website. Lack of time > > http://lists.jboss.org/pipermail/keycloak-user/2016-January/004394.html > > In the same message, you've mentioned that you were "working with > performance team to get some good stress tests and benchmarks". Just > wanted to know if there were any advances in that? Thanks! > > Dmitry > > > > > > > On 5/11/17 11:30 AM, Dmitry Telegin wrote: > > > The third and the final attempt. Never imagined that obtaining > > > success > > > stories would be the most complicated part of the tender :) > > > > Hi, > > > > > > > > MGTS, Moscow's leading telephony and internet provider with ~4M > > > > subscribers, holds a tender for a web SSO solution to replace > > > > their > > > > current OpenAM. Our company participates with Keycloak/RHSSO > > > > based > > > > solution. 
We've successfully passed an RFI phase and advanced to > > > > RFP, > > > > where we will be asked to produce the following performance > > > > measurements: > > > > - single node capacity (logins/sec) for a known server > > > > configuration; > > > > - capacity increase per each node added to the cluster. > > > > > > > > Thus, I wanted to ask if anyone has performed such a sort of > > > > benchmarking for Keycloak, and if the results are available. If > > > > not, > > > > what's the best approach to perform benchmarking ourselves? Did > > > > anyone > > > > have success with keycloak-benchmark? > > > > > > > > Additionally, it would help us much if we could refer to some > > > > success > > > > stories of real-world Keycloak deployments, preferably in the > > > > telecom > > > > area. > > > > > > > > Thanks! > > > > Dmitry > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ivan at akvo.org Fri May 12 03:52:41 2017 
From: ivan at akvo.org (Iván Perdomo)
Date: Fri, 12 May 2017 09:52:41 +0200
Subject: [keycloak-user] OAuth2 token introspection requires an active session?
In-Reply-To:
References: <566ee764-8613-5e76-3671-2c9425a4698b@akvo.org> <79517d41-2b80-66ab-8f36-b53ececd4533@redhat.com> <93104a49-eda5-c827-d4bb-b950b4c600fe@akvo.org> <0f703733-0813-3862-743d-6a816e613efc@redhat.com>
Message-ID:

Hi,

First of all, thanks for fixing this issue. A change landed in `master` branch.

https://github.com/keycloak/keycloak/commit/e4aba9e4713c0b7b6084b9c639ee6ddccc82964e

I'm aware that Keycloak offers a 'best effort' community based support, but I would like to know/understand the rule for backporting changes to 2.5.x branch. Is this just for RH-SSO reported issues?

Thanks,

On 05/03/2017 09:32 PM, Marek Posolda wrote:
> Yes, there is active session for offline tokens after startup. But both introspection and userInfo endpoint doesn't lookup for offline sessions ATM, but just for "online" sessions from the "sessions" cache. Hence once they receive the token, which was created through the refresh of offline token, they won't find the session and reply the "400 Bad request" error.
>
> Marek
>
> On 03/05/17 15:47, Stian Thorgersen wrote:
>> Marek - isn't the offline session recovered at startup so there will be an active session for offline tokens as well right?
>>
>> On 2 May 2017 at 14:23, Marek Posolda wrote:
>>
>> Yes. I've just changed link kind "Caused by" to "related to".
>>
>> Thanks!
>> Marek
>>
>> On 02/05/17 13:33, Iván Perdomo wrote:
>> > Hi Marek,
>> >
>> > I created the issue and link it to the one you mentioned (not completely sure if the link is correct).
>> >
>> > https://issues.jboss.org/browse/KEYCLOAK-4829
>> >
>> > Thanks,
>> >
>> > On 05/02/2017 12:34 PM, Marek Posolda wrote:
>> >> This looks like a bug. Could you please create JIRA with the info you mentioned here? Please also link your new JIRA with https://issues.jboss.org/browse/KEYCLOAK-4521 , which is quite similar issue.
>> >>
>> >> Marek
>> >>
>> >> On 28/04/17 09:51, Iván Perdomo wrote:
>> >>> Hi all,
>> >>>
>> >>> We're trying to use offline access [1] to retrieve access_tokens on behalf of the user and access a protected resource in a long running process.
>> >>>
>> >>> This protected resource checks the validity of the access_token using the OAuth2 token introspection.
>> >>>
>> >>> In our tests we found that the introspection flag "active" true|false depends on having an active session in the server. Which seems to defeat the purpose of the offline access capabilities.
>> >>>
>> >>> I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior is the same.
>> >>>
>> >>> * Get an offline token via direct grants
>> >>> * Get an access_token using the offline_token
>> >>> * We have an active session
>> >>> * Use the token introspection for the access_token and get the expected result: active=true
>> >>> * Wait for SSO Idle timeout (so the session expires)
>> >>> * Get a new access_token using the "stored" offline_token
>> >>> * Use the token introspection with the new access_token. Keycloak returns active=false because we don't have a session. But the access_token is valid, and not expired.
>> >>>
>> >>> The following code repository has an isolated test case of this scenario:
>> >>>
>> >>> https://github.com/iperdomo/keycloak-oauth2-instrospection
>> >>>
>> >>> The described steps are in this script:
>> >>>
>> >>> https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh
>> >>>
>> >>> I tried to look for logged issues regarding token introspection and didn't found anything related to this problem.
>> >>>
>> >>> Is this a bug or an expected behavior?
>> >>>
>> >>> [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html
>> >>>
>> >>> Thanks for your support.
>> >>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

--
Iván

From chexxor at gmail.com Fri May 12 12:09:59 2017
From: chexxor at gmail.com (Alex Berg)
Date: Fri, 12 May 2017 11:09:59 -0500
Subject: [keycloak-user] Can't set password when registering a user
In-Reply-To:
References:
Message-ID:

I do something like that, and it works for me. The content of my XHR is JSON of this:

    {
      credentials: [ { type: "password", temporary: false, value: regBody.password } ],
      email: regBody.email,
      username: regBody.email,
      emailVerified: false,
      enabled: true,
      requiredActions: [ "VERIFY_EMAIL" ]
    }

The created user's ID is available on the "location" response header.

On Fri, May 12, 2017 at 2:27 AM, Scott Finlay wrote:
> Hi,
>
> According to the Keycloak admin API documentation:
> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_create_a_new_user
> -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_userrepresentation
> -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_credentialrepresentation
>
> We should be able to provide credentials when creating a new user, but when I provide credentials it doesn't seem to set the password for the new user. Here is what my request looks like:
>
> POST /auth/admin/realms/myrealm/users/
> {"enabled":true,"username":"blah at blop.com","email":"blah at blop.com","firstName":"Blah","lastName":"Blop","attributes":{"userId":["1234"]},"credentials":[{"type":"password","temporary":false,"value":"secr$tP4ssword"}]}
>
> Just as an experiment, I tried passing a single "credential" instead of an array of credentials and I got this error back:
>
> internal server error;KeyCloak HTTP Error Response [400]: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 264472bc; line: 1, column: 156] (through reference chain: org.keycloak.representations.idm.UserRepresentation["credentials"])
>
> So clearly Keycloak is actually parsing this field. Am I doing something wrong with this request or is the documentation wrong?
>
> Right now what we've been doing to get around this is registering the user and then doing a reset password request after, but this makes the request to our service take twice as long. It would be great if we could reduce this to a single request.
>
> Regards,
> Scott
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mitya at cargosoft.ru Fri May 12 13:54:25 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Fri, 12 May 2017 20:54:25 +0300
Subject: [keycloak-user] Need info on Keycloak benchmarks & success stories
In-Reply-To:
References: <1493293505.2855.1.camel@cargosoft.ru> <1494257711.3430.1.camel@cargosoft.ru> <1494516648.3797.1.camel@cargosoft.ru> <32cffdbf-7865-ba99-3de1-d92d0fd1d629@redhat.com> <1494523059.3797.3.camel@cargosoft.ru>
Message-ID: <1494611665.3466.2.camel@cargosoft.ru>

Hi Stian,

Here our company is acting as a technology supplier only. The final choice between Keycloak and RH-SSO will be up to the customer (in case we win the tender). But considering the nature of the business and its scale, we strongly believe the choice would be in favor of RH-SSO.

On Fri, 12/05/2017 at 09:29 +0200, Stian Thorgersen wrote:
> Are you planning on using RH-SSO or Keycloak?
>
> On 11 May 2017 at 19:17, Dmitry Telegin wrote:
> > Hi Bill,
> >
> > > Red Hat doesn't just blindly give out success stories of customers.
> > > Many customers don't want that info public.
> >
> > Yep, it's absolutely clear. In fact I'm talking about those success stories you were planning to publish on the website:
> >
> > > > > > * Are there any customer success stories anyone can share?
> > > > > Yes, but I haven't put them on the website. Lack of time
> >
> > http://lists.jboss.org/pipermail/keycloak-user/2016-January/004394.html
> >
> > In the same message, you've mentioned that you were "working with performance team to get some good stress tests and benchmarks". Just wanted to know if there were any advances in that? Thanks!
> >
> > Dmitry
> >
> > > On 5/11/17 11:30 AM, Dmitry Telegin wrote:
> > > > The third and the final attempt. Never imagined that obtaining success stories would be the most complicated part of the tender :)
> > > > > Hi,
> > > > >
> > > > > MGTS, Moscow's leading telephony and internet provider with ~4M subscribers, holds a tender for a web SSO solution to replace their current OpenAM. Our company participates with Keycloak/RHSSO based solution. We've successfully passed an RFI phase and advanced to RFP, where we will be asked to produce the following performance measurements:
> > > > > - single node capacity (logins/sec) for a known server configuration;
> > > > > - capacity increase per each node added to the cluster.
> > > > >
> > > > > Thus, I wanted to ask if anyone has performed such a sort of benchmarking for Keycloak, and if the results are available. If not, what's the best approach to perform benchmarking ourselves? Did anyone have success with keycloak-benchmark?
> > > > >
> > > > > Additionally, it would help us much if we could refer to some success stories of real-world Keycloak deployments, preferably in the telecom area.
> > > > >
> > > > > Thanks!
> > > > > Dmitry
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From amomrabr at gmail.com Fri May 12 14:40:55 2017
From: amomrabr at gmail.com (Luiz Carlos)
Date: Fri, 12 May 2017 15:40:55 -0300
Subject: [keycloak-user] LDAP user group membership not syncing
Message-ID:

Hi everyone

I'm trying to sync the LDAP groups into Keycloak but it doesn't update the membership if I add or remove it from a group in LDAP. I was able to sync the groups and their users into Keycloak correctly if those weren't provisioned before.

For example, if the user already exists in Keycloak DB (provisioned from LDAP) and I remove it from a LDAP group (also provisioned from LDAP), the user in Keycloak continues to be a member of the group in the Groups tab of the user's details screen and in the client's group mappers. However, if I open the Members tab of the group's details screen, the user was removed from the group.

Is there any way to solve this problem? Because of my company policy I can't use Keycloak to manage the groups.

I'm using Keycloak 2.5.1.

Thanks for the help

--
Luiz Carlos

From jonathandandries at gmail.com Fri May 12 15:48:21 2017
From: jonathandandries at gmail.com (Jonathan D'Andries)
Date: Fri, 12 May 2017 14:48:21 -0500
Subject: [keycloak-user] Keycloak-mysql Docker -- 2 issues
Message-ID:

Two issues related to running keycloak-mysql:3.0.0.Final and mysql:5.7.18 in docker-compose, but that will likely have broader impact in certain circumstances:

Issue #1. JBoss doesn't wait for mysql to be available, and it fails to create a connection if mysql hasn't come up yet (no retry). This is especially problematic if you are trying to use docker-compose since everything likes to start around the same time:

Error:
19:18:03,553 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 50) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection

Workaround:
- Need a custom Dockerfile to override the ENTRYPOINT definition to use a custom docker-entrypoint-waitforit.sh. And note that because we are changing ENTRYPOINT, we also need to redefine CMD.

Gist of the Dockerfile:

    FROM jboss/keycloak-mysql:3.0.0.Final
    # Ship the wrapper entrypoint and wait-for-it.sh alongside the stock image
    COPY docker-entrypoint-waitforit.sh wait-for-it.sh /
    ENTRYPOINT ["/docker-entrypoint-waitforit.sh"]
    # ENTRYPOINT was replaced, so the image's original CMD must be restated
    CMD ["-b", "0.0.0.0"]

Gist of docker-entrypoint-waitforit.sh:

    #!/bin/bash
    # Block until mysql:3306 accepts connections (give up after 60 s), then hand
    # over to the stock entrypoint with the original CMD arguments intact ("$@").
    /wait-for-it.sh mysql:3306 -t 60 -- /opt/jboss/docker-entrypoint.sh "$@"
    exit $?

For wait-for-it.sh, see: https://github.com/vishnubob/wait-for-it
or see: https://github.com/jwilder/dockerize
Docker recommends this approach: https://docs.docker.com/compose/startup-order/

Issue #2. When running in docker-compose, JBoss cannot connect to mysql without some extra work. This issue seems to be related to running on the project-specific default network that is set up by docker-compose. Note that you don't have this issue when running independently in docker:

    docker run --name mysql -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=password -e MYSQL_ROOT_PASSWORD=root_password -d mysql:5.7.18
    # wait 30 seconds
    docker run --name keycloak-standalone-test --link mysql:mysql -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e MYSQL_DATABASE=keycloak -e MYSQL_USERNAME=keycloak -e MYSQL_PASSWORD=password -p "8080:8080" jboss/keycloak-mysql:3.0.0.Final

Error when running in docker-compose:
19:24:04,072 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 27) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "datasources"), ("data-source" => "KeycloakDS") ]) - failure description: "WFLYCTL0211: Cannot resolve expression 'jdbc:mysql://${env.MYSQL_PORT_3306_TCP_ADDR}:${env.MYSQL_PORT_3306_TCP_PORT}/${env.MYSQL_DATABASE:keycloak}'"

Workarounds:
1. Option-1: In docker-compose.yml for the keycloak service, define these environment variables:
       - MYSQL_PORT_3306_TCP_ADDR=mysql
       - MYSQL_PORT_3306_TCP_PORT=3306
2. Option-2: run the keycloak and mysql services on the default "bridge" network.
   In the keycloak and mysql service definitions:
       network_mode: bridge
   Separately:
       networks:
         default:
           external:
             name: bridge

Bottom line question:
- Why does JBoss behave differently when trying to connect to mysql on the global "bridge" network (works) vs the project-specific default network (fails)?

Jonathan

--
Jonathan D'Andries
http://www.linkedin.com/in/jonathandandries/

From cindy.pacheco at payulatam.com Fri May 12 16:19:56 2017
From: cindy.pacheco at payulatam.com (Cindy Margarita Pacheco Alvarez)
Date: Fri, 12 May 2017 20:19:56 +0000
Subject: [keycloak-user] Problem when we execute storage provider SPI in domain mode.
Message-ID:

We have created a storage provider SPI with keycloak-2.2.1.Final but we have a problem when we execute this SPI in domain mode. We use a postgres XADatasource and we create the SPI in the same way as the storage provider example. We have a master with a single slave. When we ask for a token we have the following error:

The pre-jca synchronization org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization at 3a417315 associated with tx TransactionImple < ac, BasicAction: 0:ffffc0a83866:-33c4bf71:5910ee3a:da status: ActionStatus.ABORTED > failed during after completion: java.lang.IllegalStateException: Transaction DummyTransaction{xid=DummyXid{id=11}, status=1} is not in a valid state to be invoking cache operations on.

And

org.infinispan.util.concurrent.TimeoutException: ISPN000299: Unable to acquire lock after 10 seconds for key f:96007b81-fe12-491d-9a7f-c0bfabc8345a:name.lastname and requestor GlobalTransaction::13:local. Lock is held by GlobalTransaction::10:local...

(you can see the complete trace in log.log, attached to this e-mail)

-------

We've applied the solution of http://lists.jboss.org/pipermail/keycloak-user/2016-October/007901.html but when we do a lot of requests we have an error with the entity manager.

12:20:20,203 ERROR [io.undertow.request] (default task-13) UT005023: Exception handling request to /auth/realms/Latam-Realm/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: java.lang.IllegalStateException: EntityManager is closed
[Server:server-one] at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
[Server:server-one] at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
[Server:server-one] at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
[Server:server-one] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
[Server:server-one] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
[Server:server-one] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
[Server:server-one] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
[Server:server-one] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
[Server:server-one] at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
[Server:server-one] at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
[Server:server-one] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
[Server:server-one] at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
[Server:server-one] at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
[Server:server-one] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
[Server:server-one] at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
[Server:server-one] at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
[Server:server-one] at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
[Server:server-one] at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
[Server:server-one] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[Server:server-one] at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
[Server:server-one] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)

All of this only happens when we use domain mode with different slaves. But in standalone mode on local machines it works perfectly.

From ost1988 at aol.com Mon May 15 03:24:31 2017
From: ost1988 at aol.com (ost1988 at aol.com)
Date: Mon, 15 May 2017 03:24:31 -0400
Subject: [keycloak-user] KeyCloak Performance and Sizing
Message-ID: <15c0afe84a3-57fe-74ef@webprd-m30.mail.aol.com>

Hi everyone,

we're going to set up a KeyCloak infrastructure to handle identity management for up to 4 million users. In order to handle this amount we'd like to set up a proper infrastructure. The general idea is to create a containerised cluster of KeyCloak servers connected to a highly available db2 database. Therefore I'd like to understand what kind of data and amount is persisted in the db. I haven't found any details about sizing a KeyCloak infrastructure - I hope you can share some more details with me.

Kind Regards

From oop12000 at gmail.com Mon May 15 04:43:11 2017
From: oop12000 at gmail.com (c p) Date: Mon, 15 May 2017 16:43:11 +0800 Subject: [keycloak-user] patch for mod_auth_openidc apache module for keycloak oauth Message-ID: Dear All, Just for sharing, have made the apache mod_auth_openidc module works with keycloak token introspection, just apply the below patch to src/oauth.c then set the OIDCOAuthIntrospectionEndpointParams token_type_hint=refresh_token. --- mod_auth_openidc/src/oauth.c 2017-05-15 16:20:48.698526596 +0800 +++ mod_auth_openidc_keycloak/src/oauth.c 2017-05-15 16:17:06.022631865 +0800 @@ -83,12 +83,19 @@ apr_table_addn(params, OIDC_PROTO_CLIENT_ID, c->oauth.client_id); apr_table_addn(params, OIDC_PROTO_CLIENT_SECRET, c->oauth.client_secret); + } else { basic_auth = apr_psprintf(r->pool, "%s:%s", c->oauth.client_id, c->oauth.client_secret); } + }else{ + if ((c->provider.client_id != NULL) && (c->provider.client_secret!=NULL)){ + basic_auth = apr_psprintf(r->pool, "%s:%s", c->provider.client_id, + c->provider.client_secret); } +} + /* call the endpoint with the constructed parameter set and return the resulting response */ return apr_strnatcmp(c->oauth.introspection_endpoint_method, OIDC_INTROSPECTION_METHOD_GET) == 0 ? Regards, Steven From scott.finlay at sixt.com Mon May 15 05:14:26 2017 From: scott.finlay at sixt.com (Scott Finlay) Date: Mon, 15 May 2017 09:14:26 +0000 Subject: [keycloak-user] Can't set password when registering a user In-Reply-To: References: , Message-ID: Hmm, that request body doesn't look very different from my example. I've tried now removing the additional fields I had and adding the few you have and I still get exactly the same outcome: when I try impersonating the user in the Keycloak admin panel he has no password set (but he does when I explicitly call the reset-password endpoint). Is there some setting/role/permission I'm missing maybe? I'm using version 2.5.5.Final. ________________________________ 
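Review bot: the new fallback branch (`+ }else{` ... `basic_auth = apr_psprintf(r->pool, "%s:%s", c->provider.client_id, c->provider.client_secret);`) only ever builds an HTTP Basic credential, whereas the existing `c->oauth` code it sits beside chooses between passing `OIDC_PROTO_CLIENT_ID`/`OIDC_PROTO_CLIENT_SECRET` as request parameters via `apr_table_addn` and setting `basic_auth`; an introspection endpoint that is reached through the new branch therefore gets no credentials at all in the parameter case. Either mirror that two-way choice for the `c->provider` credentials or state in the description that the fallback is Basic-only. The description should also say what the change means operationally: when `c->oauth.client_id`/`c->oauth.client_secret` are not set, the introspection call now reuses the relying party's own client id and secret from `c->provider`, which the covering text (only "set token_type_hint=refresh_token") does not mention. Minor: `}else{` and `client_secret!=NULL)){` break the `} else {` and spaced-operator style of the surrounding lines, and since the context lines arrived flattened here, please re-send the patch as an attachment or pull request so the brace nesting around the inserted `+ } else {` can actually be reviewed.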
From: Alex Berg Sent: Friday, May 12, 2017 6:09:59 PM To: Scott Finlay Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Can't set password when registering a user I do something like that, and it works for me. The content of my XHR is JSON of this: { credentials : [ { type: "password" , temporary: false , value: regBody.password } ] , email: regBody.email , username: regBody.email , emailVerified: false , enabled: true , requiredActions: [ "VERIFY_EMAIL" ] } The created user's ID is available on the "location" response header. On Fri, May 12, 2017 at 2:27 AM, Scott Finlay > wrote: Hi, According to the Keycloak admin API documentation: http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_create_a_new_user -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_userrepresentation -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_credentialrepresentation We should be able to provide credentials when creating a new user, but when I provide credentials it doesn't seem to set the password for the new user. Here is what my request looks like: POST /auth/admin/realms/myrealm/users/ {"enabled":true,"username":"blah at blop.com","email":"blah at blop.com","firstName":"Blah","lastName":"Blop","attributes":{"userId":["1234"]},"credentials":[{"type":"password","temporary":false,"value":"secr$tP4ssword"}]} Just as an experiment, I tried passing a single "credential" instead of an array of credentials and I got this error back: internal server error;KeyCloak HTTP Error Response [400]: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 264472bc; line: 1, column: 156] (through reference chain: org.keycloak.representations.idm.UserRepresentation["credentials"]) So clearly Keycloak is actually parsing this field. Am I doing something wrong with this request or is the documentation wrong? 
Right now what we've been doing to get around this is registering the user and then doing a reset password request after, but this makes the request to our service take twice as long. It would be great if we could reduce this to a single request. Regards, Scott _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From DBoutin at voyages-sncf.com Mon May 15 05:40:12 2017 
From: DBoutin at voyages-sncf.com (Boutin Damien)
Date: Mon, 15 May 2017 09:40:12 +0000
Subject: [keycloak-user] Passing login_hint up to Identity Provider
Message-ID: <3bdc01a47d614ae58ae2c5254ec8ceab@EREP.groupevsc.com>

Hello,

For information I have created a feature request regarding this request.
https://issues.jboss.org/browse/KEYCLOAK-4900

We will start implementing this soon and keep you updated.

Regards,
Damien

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Boutin Damien
Sent: Friday, 5 May 2017 15:00
To: keycloak-user at lists.jboss.org
Cc: Garesse Thomas
Subject: [keycloak-user] Passing login_hint up to Identity Provider

Hello,

We are using keycloak to authenticate our users, using both user federation and identity provider features.

Concerning the identity provider, we encountered an issue regarding the redirection to the authorized endpoint of our partner. The "login_hint" parameter is not forwarded to the targeted provider.

A thread was opened several months ago regarding this subject but we haven't seen any feature request related to it.
http://lists.jboss.org/pipermail/keycloak-dev/2016-December/008595.html

Is it ok if we create a jira ticket for this feature request and provide you with a pull request?

Thanks in advance

Regards,
Damien BOUTIN

From scott.finlay at sixt.com Mon May 15 06:01:46 2017
From: scott.finlay at sixt.com (Scott Finlay)
Date: Mon, 15 May 2017 10:01:46 +0000
Subject: [keycloak-user] Can't set password when registering a user

Diving into the code, I see this, which seems to be the endpoint for creating a user:
https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L207

This then calls:
https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L244

That seems to just set the basic user data like name, email, enabled, etc. Then it sets the "required actions", and then the custom attributes. I see nothing regarding credentials there.

Is this just hidden away somewhere else, or is it just really missing from here?

________________________________
From: Scott Finlay
Sent: Monday, May 15, 2017 11:14:26 AM
To: Alex Berg
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Can't set password when registering a user

Hmm, that request body doesn't look very different from my example. I've tried now removing the additional fields I had and adding the few you have and I still get exactly the same outcome: when I try impersonating the user in the Keycloak admin panel he has no password set (but he does when I explicitly call the reset-password endpoint).

Is there some setting/role/permission I'm missing maybe? I'm using version 2.5.5.Final.

________________________________
From: Alex Berg
Sent: Friday, May 12, 2017 6:09:59 PM
To: Scott Finlay
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Can't set password when registering a user

I do something like that, and it works for me. [...]

From denny.israel at googlemail.com Mon May 15 09:31:05 2017
From: denny.israel at googlemail.com (Denny Israel)
Date: Mon, 15 May 2017 15:31:05 +0200
Subject: [keycloak-user] authz client incompatible with client definition

I am writing a command line interface which needs to authenticate against keycloak. After creating the client definition in keycloak's admin console I copy the installation data (keycloak.json) into the cli. When I try to use the authz client I am not even able to create the client because it does not know the option "ssl-required". When I remove this option the client can be created but throws another exception when I call "obtainAccessToken", this time complaining about missing credentials. The credentials are missing because I made the client "public".

Am I doing something wrong or do I misunderstand the purpose of the authz client?

From mposolda at redhat.com Mon May 15 09:37:11 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 15 May 2017 15:37:11 +0200
Subject: [keycloak-user] OAuth2 token introspection requires an active session?
References: <566ee764-8613-5e76-3671-2c9425a4698b@akvo.org> <79517d41-2b80-66ab-8f36-b53ececd4533@redhat.com> <93104a49-eda5-c827-d4bb-b950b4c600fe@akvo.org> <0f703733-0813-3862-743d-6a816e613efc@redhat.com>
Message-ID: <5c2e3444-5161-ad54-46e6-414bfc9aac85@redhat.com>

Hi,

Yes, I think that it is just for the customer related issues. The details can be clarified by RH support or maybe someone else from the team though...

Ivan, I don't know if you (or your company) are customer or if it's coincidence that someone else, who is customer, requested this issue :) Anyway, it's here because it was customer requirement.

Marek

On 12/05/17 09:52, Iván Perdomo wrote:
> Hi,
>
> First of all, thanks for fixing this issue. A change landed in `master` branch.
>
> https://github.com/keycloak/keycloak/commit/e4aba9e4713c0b7b6084b9c639ee6ddccc82964e
>
> I'm aware that Keycloak offers a 'best effort' community based support, but I would like to know/understand the rule for backporting changes to 2.5.x branch. Is this just for RH-SSO reported issues?
>
> Thanks,
>
> On 05/03/2017 09:32 PM, Marek Posolda wrote:
>> Yes, there is active session for offline tokens after startup. But both the introspection and userInfo endpoints don't look up offline sessions ATM, but just "online" sessions from the "sessions" cache. Hence once they receive the token, which was created through the refresh of offline token, they won't find the session and reply the "400 Bad request" error.
>>
>> Marek
>>
>> On 03/05/17 15:47, Stian Thorgersen wrote:
>>> Marek - isn't the offline session recovered at startup so there will be an active session for offline tokens as well right?
>>>
>>> On 2 May 2017 at 14:23, Marek Posolda wrote:
>>>> Yes. I've just changed link kind "Caused by" to "related to".
>>>>
>>>> Thanks!
>>>> Marek
>>>>
>>>> On 02/05/17 13:33, Iván Perdomo wrote:
>>>>> Hi Marek,
>>>>>
>>>>> I created the issue and linked it to the one you mentioned (not completely sure if the link is correct).
>>>>>
>>>>> https://issues.jboss.org/browse/KEYCLOAK-4829
>>>>>
>>>>> Thanks,
>>>>>
>>>>> On 05/02/2017 12:34 PM, Marek Posolda wrote:
>>>>>> This looks like a bug. Could you please create JIRA with the info you mentioned here? Please also link your new JIRA with https://issues.jboss.org/browse/KEYCLOAK-4521, which is a quite similar issue.
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>> On 28/04/17 09:51, Iván Perdomo wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> We're trying to use offline access [1] to retrieve access_tokens on behalf of the user and access a protected resource in a long running process.
>>>>>>>
>>>>>>> This protected resource checks the validity of the access_token using the OAuth2 token introspection.
>>>>>>>
>>>>>>> In our tests we found that the introspection flag "active" true|false depends on having an active session in the server. Which seems to defeat the purpose of the offline access capabilities.
>>>>>>>
>>>>>>> I have tested with versions 2.5.5.Final and 3.0.0.Final and the behavior is the same.
>>>>>>>
>>>>>>> * Get an offline token via direct grants
>>>>>>> * Get an access_token using the offline_token
>>>>>>> * We have an active session
>>>>>>> * Use the token introspection for the access_token and get the expected result: active=true
>>>>>>> * Wait for SSO Idle timeout (so the session expires)
>>>>>>> * Get a new access_token using the "stored" offline_token
>>>>>>> * Use the token introspection with the new access_token. Keycloak returns active=false because we don't have a session. But the access_token is valid, and not expired.
>>>>>>>
>>>>>>> The following code repository has an isolated test case of this scenario:
>>>>>>>
>>>>>>> https://github.com/iperdomo/keycloak-oauth2-instrospection
>>>>>>>
>>>>>>> The described steps are in this script:
>>>>>>>
>>>>>>> https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh
>>>>>>>
>>>>>>> I tried to look for logged issues regarding token introspection and didn't find anything related to this problem.
>>>>>>>
>>>>>>> Is this a bug or an expected behavior?
>>>>>>>
>>>>>>> [1] https://keycloak.gitbooks.io/documentation/server_admin/topics/sessions/offline.html
>>>>>>>
>>>>>>> Thanks for your support.

From bburke at redhat.com Mon May 15 09:38:12 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 15 May 2017 09:38:12 -0400
Subject: [keycloak-user] authz client incompatible with client definition

A client asks for a token on behalf of a specific user. You have to provide the credentials of the user if you are doing a REST call to obtain a token (direct grant). If the client is not public then you also have to provide the client's credentials.

Finally, we have something called "service accounts". This is something you can enable per client which allows the client to act as a user.

Hope that answers your question.

On 5/15/17 9:31 AM, Denny Israel wrote:
> I am writing a command line interface which needs to authenticate against keycloak. [...]

From guus.der.kinderen at gmail.com Mon May 15 09:44:23 2017
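The three request shapes Bill describes above (a direct grant from a public client, the same grant from a confidential client, and a service-account request) as an added example; this is not code from the thread, from Keycloak or from its authz client. It reads the same keys a keycloak.json installation file carries, including the "ssl-required" key the authz client rejected, and the host, realm, client id and secret in it are constructed placeholders:

```python
"""Token requests a CLI can send to Keycloak's token endpoint.

Added example (not code from this thread, from Keycloak or from its authz
client).  It builds the three request shapes described above from the keys of
a keycloak.json installation file, and honours the "ssl-required" key that the
authz client rejected.  Hosts, realm, client id and secret are constructed
placeholders.  The transport is a callable so the logic runs offline.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A sender posts (url, headers, body) and returns (status, response body).
Sender = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]

# Constructed keycloak.json contents; the keys are the ones the admin console
# writes into the installation file, the values are placeholders.
PUBLIC_CLI = {"realm": "demo", "auth-server-url": "https://sso.example.test/auth",
              "ssl-required": "external", "resource": "my-cli", "public-client": True}
CONFIDENTIAL_CLI = {"realm": "demo", "auth-server-url": "https://sso.example.test/auth",
                    "ssl-required": "external", "resource": "my-cli",
                    "credentials": {"secret": "constructed-placeholder-secret"}}

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def token_endpoint(cfg: Dict) -> str:
    base = cfg["auth-server-url"].rstrip("/")
    return f"{base}/realms/{cfg['realm']}/protocol/openid-connect/token"


def ssl_violation(cfg: Dict, url: str) -> Optional[str]:
    """Why posting credentials to url would break ssl-required, or None if it is fine."""
    mode = cfg.get("ssl-required", "external")
    parts = urllib.parse.urlsplit(url)
    if parts.scheme == "https" or mode == "none":
        return None
    host = parts.hostname or ""
    if mode == "all" or (mode == "external" and host not in LOCAL_HOSTS):
        return f"ssl-required={mode} forbids sending credentials over plain http to {host}"
    return None


def build_token_request(cfg: Dict, username: Optional[str] = None,
                        password: Optional[str] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, form body) for a direct grant or a service-account grant."""
    url = token_endpoint(cfg)
    problem = ssl_violation(cfg, url)
    if problem:
        raise ValueError(problem)
    public = bool(cfg.get("public-client"))
    secret = cfg.get("credentials", {}).get("secret")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if username is not None:
        # Direct grant: the token is issued for the named user, so the user's own
        # credentials travel in the form; a public client adds only its id.
        form = {"grant_type": "password", "client_id": cfg["resource"],
                "username": username, "password": password or ""}
    elif public or not secret:
        raise ValueError("a service-account token needs a confidential client with a secret")
    else:
        # Service account: the client itself is the subject of the token.
        form = {"grant_type": "client_credentials"}
    if not public:
        if not secret:
            raise ValueError("confidential client, but keycloak.json has no credentials.secret")
        # Confidential client: client id and secret go in an HTTP Basic header.
        creds = base64.b64encode(f"{cfg['resource']}:{secret}".encode()).decode()
        headers["Authorization"] = "Basic " + creds
    return url, headers, urllib.parse.urlencode(form).encode()


def parse_form(body: bytes) -> Dict[str, str]:
    return dict(urllib.parse.parse_qsl(body.decode()))


def urllib_send(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def obtain_access_token(cfg: Dict, send: Sender = urllib_send, username: Optional[str] = None,
                        password: Optional[str] = None) -> str:
    url, headers, body = build_token_request(cfg, username, password)
    status, payload = send(url, headers, body)
    data = json.loads(payload.decode() or "{}")
    if status != 200 or "access_token" not in data:
        raise RuntimeError(f"HTTP {status} {data.get('error')}: {data.get('error_description', '')}")
    return data["access_token"]


def constructed_token_endpoint(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Offline stand-in for the token endpoint (constructed, not Keycloak's behaviour)."""
    form = parse_form(body)
    if form.get("grant_type") == "client_credentials" and "Authorization" not in headers:
        # The shape of the failure reported above: a grant that needs client credentials, sent without any.
        return 401, b'{"error":"unauthorized_client","error_description":"missing client credentials"}'
    if form.get("grant_type") in ("password", "client_credentials"):
        return 200, b'{"access_token":"constructed.access.token","token_type":"bearer","expires_in":300}'
    return 400, b'{"error":"unsupported_grant_type"}'


if __name__ == "__main__":
    print(obtain_access_token(PUBLIC_CLI, constructed_token_endpoint, "alice", "constructed-pw"))
    print(obtain_access_token(CONFIDENTIAL_CLI, constructed_token_endpoint))
```

A public client has no secret to present, so its direct grant carries only the client id next to the user's credentials; a confidential client authenticates itself with HTTP Basic, and only a confidential client can ask for a service-account token. The ssl_violation check is where "ssl-required" is consumed: with the value "external" it refuses to post credentials over plain http to anything but localhost.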
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Mon, 15 May 2017 15:44:23 +0200
Subject: [keycloak-user] How to store and search for (standardized?) user attributes?

*gently moves question back to the top of the mailinglist*

On 2 May 2017 at 13:54, Guus der Kinderen wrote:
> Hi!
>
> We'd like to be able to store somewhat standard user attributes that complete the email, first and last name values that Keycloak 'natively' stores. Think of things like a date of birth, home/work address, phone number, etc. Additionally, we'd like to be able to find users based on a search query. We'd like to be able to answer questions like: "how many users live in London?"
>
> So far, we've found the user attributes, where we could store this information. That is a very generic solution though. Are there standardized attribute names, profiles, that we can use?
>
> A further challenge is that we'd like to be able to query the user base, based on attributes. We'd like to find people by address, by date of birth, etc. The REST API does have search functionality, but it doesn't look like you can find users by attribute value.
>
> Can anyone recommend a course of action here?
>
> Regards,
>
> Guus

From bburke at redhat.com Mon May 15 09:52:01 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 15 May 2017 09:52:01 -0400
Subject: [keycloak-user] OAuth2 token introspection requires an active session?
In-Reply-To: <5c2e3444-5161-ad54-46e6-414bfc9aac85@redhat.com>
References: <566ee764-8613-5e76-3671-2c9425a4698b@akvo.org> <79517d41-2b80-66ab-8f36-b53ececd4533@redhat.com> <93104a49-eda5-c827-d4bb-b950b4c600fe@akvo.org> <0f703733-0813-3862-743d-6a816e613efc@redhat.com> <5c2e3444-5161-ad54-46e6-414bfc9aac85@redhat.com>
Message-ID: <246f4d53-6391-2084-386e-1bd8346242d6@redhat.com>

We never patch community.

http://www.keycloak.org/support.html

If that doesn't answer your questions, let me know and I'll update the page.

On 5/15/17 9:37 AM, Marek Posolda wrote:
> Hi,
>
> Yes, I think that it is just for the customer related issues. The details can be clarified by RH support or maybe someone else from the team though...
>
> Ivan, I don't know if you (or your company) are customer or if it's coincidence that someone else, who is customer, requested this issue :) Anyway, it's here because it was customer requirement.
>
> Marek
>
> On 12/05/17 09:52, Iván Perdomo wrote:
>> Hi,
>>
>> First of all, thanks for fixing this issue. A change landed in `master` branch. [...]

From psilva at redhat.com Mon May 15 10:33:32 2017
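The resource-server side of the scenario Iván reports in this thread (introspect the access token, authorize on the returned "active" flag), as an added example that is neither Iván's test script nor Keycloak code. It assumes the realm's introspection path under /protocol/openid-connect/token, a constructed resource-server client with a secret, and a constructed token; the diagnose function only labels the symptom described above (a token reported inactive before its exp), it never overrides the introspection verdict:

```python
"""Token introspection at a resource server, with a diagnostic for the symptom
reported in this thread.

Added example; it is neither Iván's test script nor Keycloak code.  The
resource server posts the access token to the realm's introspection endpoint
(RFC 7662) with its own client credentials and authorizes strictly on the
returned "active" flag.  Alongside, it reads the token's exp claim without
verifying the signature, purely to log the case described above: a token that
has lifetime left but is reported inactive because no session backs it.
Realm, client id, secret and the token are constructed placeholders; the
transport is a callable so the flow runs offline.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Sender = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


def introspection_endpoint(auth_server_url: str, realm: str) -> str:
    base = auth_server_url.rstrip("/")
    return f"{base}/realms/{realm}/protocol/openid-connect/token/introspect"


def build_introspection_request(auth_server_url: str, realm: str, client_id: str,
                                client_secret: str, token: str) -> Tuple[str, Dict[str, str], bytes]:
    """RFC 7662 request: form field `token`, client authenticated with HTTP Basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": "Basic " + creds}
    body = urllib.parse.urlencode({"token": token}).encode()
    return introspection_endpoint(auth_server_url, realm), headers, body


def urllib_send(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def unverified_exp(token: str) -> int:
    """Read exp from the JWT payload WITHOUT checking the signature.

    Diagnostic only: nothing derived from this value may grant access.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def diagnose(result: Dict, token: str, now: int) -> str:
    """Label the introspection outcome for the audit log."""
    if result.get("active"):
        return "active"
    if unverified_exp(token) <= now:
        return "expired"
    # Lifetime left, yet the server says inactive.  In the thread above this is
    # what happened after the SSO session behind an offline-token refresh expired.
    return "inactive-before-expiry"


def check_token(auth_server_url: str, realm: str, client_id: str, client_secret: str,
                token: str, send: Sender = urllib_send,
                now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, diagnosis).  `allowed` follows the active flag and nothing else."""
    now = int(time.time()) if now is None else now
    url, headers, body = build_introspection_request(auth_server_url, realm, client_id,
                                                     client_secret, token)
    status, payload = send(url, headers, body)
    if status != 200:
        return False, f"introspection failed with HTTP {status}"
    result = json.loads(payload.decode())
    return bool(result.get("active")), diagnose(result, token, now)


def constructed_jwt(exp: int) -> str:
    """Constructed JWT-shaped token with a dummy signature, for the offline demo only."""
    def seg(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}),
                     seg({"sub": "constructed-user", "exp": exp}), "constructed-signature"])


def constructed_introspector(active: bool) -> Sender:
    """Offline stand-in for the introspection endpoint that reports the given `active` value."""
    def send(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, b'{"error":"invalid_request"}'
        form = dict(urllib.parse.parse_qsl(body.decode()))
        return 200, json.dumps({"active": active and "token" in form}).encode()
    return send


if __name__ == "__main__":
    tok = constructed_jwt(exp=int(time.time()) + 300)
    print(check_token("https://sso.example.test/auth", "demo", "resource-server",
                      "constructed-secret", tok, constructed_introspector(False)))
```

The split between `allowed` and the diagnosis is the point: the resource server keeps denying on active=false, as RFC 7662 intends, while the "inactive-before-expiry" label makes the behaviour reported above visible in logs instead of being indistinguishable from an ordinary expiry.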
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 15 May 2017 11:33:32 -0300
Subject: [keycloak-user] authz client incompatible with client definition

You should only use AuthZ Client if you want to access Protection and Authorization/Entitlement APIs. To access Keycloak Admin REST API you should use Keycloak Admin Client.

Regards.
Pedro Igor

On Mon, May 15, 2017 at 10:31 AM, Denny Israel wrote:
> I am writing a command line interface which needs to authenticate against keycloak. [...]

From mstrukel at redhat.com Mon May 15 10:38:25 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 15 May 2017 16:38:25 +0200
Subject: [keycloak-user] How to store and search for (standardized?) user attributes?

There is a method for this:
https://github.com/keycloak/keycloak/blob/3.1.0.Final/server-spi/src/main/java/org/keycloak/storage/user/UserQueryProvider.java#L134-L148

But there is no Admin REST API through which it would be exposed.

You can add your custom REST endpoint and implement your custom search call there. See:
https://github.com/keycloak/keycloak/tree/3.1.0.Final/examples/providers/rest
for example.

You'd have to make sure to protect your endpoint so it's only accessible to admin client. See how /users endpoint does this:
https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L675

On Mon, May 15, 2017 at 3:44 PM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
> *gently moves question back to the top of the mailinglist*
>
> On 2 May 2017 at 13:54, Guus der Kinderen wrote:
>> Hi!
>>
>> We'd like to be able to store somewhat standard user attributes that complete the email, first and last name values that Keycloak 'natively' stores. [...]

From mstrukel at redhat.com Mon May 15 10:50:12 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 15 May 2017 16:50:12 +0200
Subject: [keycloak-user] Can't set password when registering a user

You need to invoke resetPassword on UserResource, after creating a new user:
https://github.com/keycloak/keycloak/blob/3.1.0.Final/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ApiUtil.java#L153-L159

On Mon, May 15, 2017 at 12:01 PM, Scott Finlay wrote:
> Diving into the code, I see this, which seems to be the endpoint for creating a user: [...]

From scott.finlay at sixt.com Mon May 15 10:59:15 2017
From: scott.finlay at sixt.com (Scott Finlay)
Date: Mon, 15 May 2017 14:59:15 +0000
Subject: [keycloak-user] Can't set password when registering a user

That's what we're doing already at the moment, but it's not really ideal. Having to make two requests to the admin API in order to register a user means the whole process takes twice as long (roughly 300ms). It's not an absolutely critical issue, but still not really nice, especially if we have to do a batch import from a legacy system for example.

If it's intentionally this way and there's no plan to change it then the documentation should be changed because it says you can provide a credential list (which you technically can, but that's very misleading).

________________________________
From: Marko Strukelj Sent: Monday, May 15, 2017 4:50:12 PM To: Scott Finlay Cc: Alex Berg; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Can't set password when registering a user You need to invoke resetPassword on UserResource, after creating a new user : https://github.com/keycloak/keycloak/blob/3.1.0.Final/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ApiUtil.java#L153-L159 On Mon, May 15, 2017 at 12:01 PM, Scott Finlay > wrote: Diving into the code, I see this, which seems to be the endpoint for creating a user: https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L207 This then calls: https://github.com/keycloak/keycloak/blob/2.5.x/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L244 That seems to just set the basic user data like name, email, enabled, etc. Then it sets the "required actions", and then the custom attributes. I see nothing regarding credentials there. Is this just hidden away somewhere else, or is it just really missing from here? ________________________________ From: Scott Finlay Sent: Monday, May 15, 2017 11:14:26 AM To: Alex Berg Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Can't set password when registering a user Hmm, that request body doesn't look very different from my example. I've tried now removing the additional fields I had and adding the few you have and I still get exactly the same outcome: when I try impersonating the user in the Keycloak admin panel he has no password set (but he does when I explicitly call the reset-password endpoint). Is there some setting/role/permission I'm missing maybe? I'm using version 2.5.5.Final. ________________________________ 
From: Alex Berg > Sent: Friday, May 12, 2017 6:09:59 PM To: Scott Finlay Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Can't set password when registering a user I do something like that, and it works for me. The content of my XHR is JSON of this: { credentials : [ { type: "password" , temporary: false , value: regBody.password } ] , email: regBody.email , username: regBody.email , emailVerified: false , enabled: true , requiredActions: [ "VERIFY_EMAIL" ] } The created user's ID is available on the "location" response header. On Fri, May 12, 2017 at 2:27 AM, Scott Finlay >> wrote: Hi, According to the Keycloak admin API documentation: http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_create_a_new_user -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_userrepresentation -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_credentialrepresentation We should be able to provide credentials when creating a new user, but when I provide credentials it doesn't seem to set the password for the new user. Here is what my request looks like: POST /auth/admin/realms/myrealm/users/ {"enabled":true,"username":"blah at blop.com>","email":"blah at blop.com>","firstName":"Blah","lastName":"Blop","attributes":{"userId":["1234"]},"credentials":[{"type":"password","temporary":false,"value":"secr$tP4ssword"}]} Just as an experiment, I tried passing a single "credential" instead of an array of credentials and I got this error back: internal server error;KeyCloak HTTP Error Response [400]: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 264472bc; line: 1, column: 156] (through reference chain: org.keycloak.representations.idm.UserRepresentation["credentials"]) So clearly Keycloak is actually parsing this field. Am I doing something wrong with this request or is the documentation wrong? 
Right now what we've been doing to get around this is registering the user and then doing a reset password request after, but this makes the request to our service take twice as long. It would be great if we could reduce this to a single request.

Regards,
Scott

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mstrukel at redhat.com Mon May 15 11:10:37 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 15 May 2017 17:10:37 +0200
Subject: [keycloak-user] admin cli - add composite roles to client role
In-Reply-To: <030e01d2c98b$64fc5020$2ef4f060$@huebinet.de>
References: <030e01d2c98b$64fc5020$2ef4f060$@huebinet.de>
Message-ID:

This may be an omission in add-roles command. Can you open a JIRA please, and describe steps to reproduce?

On Wed, May 10, 2017 at 2:46 PM, Kevin Hirschmann wrote:
> Hello,
>
> can someone please tell me how to use admin cli to add a client role to
> another client role - composite? In the docs I could find a way to add
> client roles to realm roles but this isn't what I need.
>
> call kcadm.bat add-roles -r demo --rname TTest --cclientid myapp --rolename change-color (works if TTest is a realm role)
>
> Thanks for your help.
>
> Kevin Hirschmann
>
> HUEBINET Informationsmanagement GmbH & Co. KG
>
> Phone: +49 (0) 261 / 5 00 86 - 17
> Fax: +49 (0) 261 / 5 00 86 - 29
> E-Mail: kevin.hirschmann at huebinet.de
> Internet: www.huebinet.de
>
> HUEBINET Informationsmanagement GmbH & Co. KG
> An der Königsbach 8
> 56075 Koblenz
> Registered office and court of registration: Koblenz HRA 5329
> Personally liable partner of the KG:
> HUEBINET GmbH;
> Registered office and court of registration: Koblenz HRB 6857
> Management:
> Dr. Carsten Sch?pp; Michael Biemer; Michael Ewertz
> ----------------------------------------------------------------------------
>
> E-mail correspondence with HUEBINET Informationsmanagement GmbH & Co. KG,
> Koblenz serves information purposes only. Legally binding declarations
> cannot be exchanged over this medium, since manipulation of e-mails by
> third parties cannot be ruled out.
> Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is
> only intended to provide information of a general kind, and shall not be
> used for any statement with binding contents in respect to legal relations.
> It is not totally possible to prevent a third party from manipulating
> emails and email contents.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mstrukel at redhat.com Mon May 15 11:18:24 2017
From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 15 May 2017 17:18:24 +0200 Subject: [keycloak-user] Can't set password when registering a user In-Reply-To: References: Message-ID: There is a long term plan to create an Admin REST API v2 which would be much more ergonomic, and address this specific case as well. But it's not yet on our schedule. On Mon, May 15, 2017 at 4:59 PM, Scott Finlay wrote: > That's what we're doing already at the moment, but it's not really ideal. > Having to make two requests to the admin API in order to register a user > means the whole process takes twice as long (roughly 300ms). It's not an > absolutely critical issue, but still not really nice, especially if we have > to do a batch import from a legacy system for example. > > > If it's intentionally this way and there's no plan to change it then the > documentation should be changed because it says you can provide a > credential list (which you technically can, but that's very misleading). > ------------------------------ > *From:* Marko Strukelj > *Sent:* Monday, May 15, 2017 4:50:12 PM > *To:* Scott Finlay > *Cc:* Alex Berg; keycloak-user at lists.jboss.org > > *Subject:* Re: [keycloak-user] Can't set password when registering a user > > You need to invoke resetPassword on UserResource, after creating a new > user : > > https://github.com/keycloak/keycloak/blob/3.1.0.Final/ > testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/ > testsuite/admin/ApiUtil.java#L153-L159 > > > > On Mon, May 15, 2017 at 12:01 PM, Scott Finlay > wrote: > >> Diving into the code, I see this, which seems to be the endpoint for >> creating a user: >> >> >> https://github.com/keycloak/keycloak/blob/2.5.x/services/src >> /main/java/org/keycloak/services/resources/admin/UsersResource.java#L207 >> >> This then calls: >> https://github.com/keycloak/keycloak/blob/2.5.x/services/src >> /main/java/org/keycloak/services/resources/admin/UsersResource.java#L244 >> >> That seems to just set 
the basic user data like name, email, enabled, >> etc. Then it sets the "required actions", and then the custom attributes. I >> see nothing regarding credentials there. >> >> >> Is this just hidden away somewhere else, or is it just really missing >> from here? >> >> ________________________________ >> From: Scott Finlay >> Sent: Monday, May 15, 2017 11:14:26 AM >> To: Alex Berg >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: [keycloak-user] Can't set password when registering a user >> >> >> Hmm, that request body doesn't look very different from my example. I've >> tried now removing the additional fields >> >> I had and adding the few you have and I still get exactly the same >> outcome: when I try impersonating the user in >> >> the Keycloak admin panel he has no password set (but he does when I >> explicitly call the reset-password endpoint). >> >> >> Is there some setting/role/permission I'm missing maybe? I'm using >> version 2.5.5.Final. >> >> ________________________________ 
>> From: Alex Berg >> Sent: Friday, May 12, 2017 6:09:59 PM >> To: Scott Finlay >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: [keycloak-user] Can't set password when registering a user >> >> I do something like that, and it works for me. >> >> The content of my XHR is JSON of this: >> >> { credentials : [ >> { type: "password" >> , temporary: false >> , value: regBody.password >> } >> ] >> , email: regBody.email >> , username: regBody.email >> , emailVerified: false >> , enabled: true >> , requiredActions: [ "VERIFY_EMAIL" ] >> } >> >> The created user's ID is available on the "location" response header. >> >> On Fri, May 12, 2017 at 2:27 AM, Scott Finlay > > wrote: >> Hi, >> >> According to the Keycloak admin API documentation: >> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_cr >> eate_a_new_user >> -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_us >> errepresentation >> -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_cr >> edentialrepresentation >> >> We should be able to provide credentials when creating a new user, but >> when I provide credentials it doesn't seem to set the password for the new >> user. 
Here is what my request looks like: >> >> POST /auth/admin/realms/myrealm/users/ >> {"enabled":true,"username":"blah at blop.com> >","email":"blah at blop.com","firstNam >> e":"Blah","lastName":"Blop","attributes":{"userId":["1234"] >> },"credentials":[{"type":"password","temporary":false," >> value":"secr$tP4ssword"}]} >> >> Just as an experiment, I tried passing a single "credential" instead of >> an array of credentials and I got this error back: >> >> internal server error;KeyCloak HTTP Error Response [400]: >> com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize >> instance of java.util.ArrayList out of START_OBJECT token at [Source: >> io.undertow.servlet.spec.ServletInputStreamImpl at 264472bc; line: 1, >> column: 156] (through reference chain: org.keycloak.representations.i >> dm.UserRepresentation["credentials"]) >> >> So clearly Keycloak is actually parsing this field. Am I doing something >> wrong with this request or is the documentation wrong? >> >> Right now what we've been doing to get around this is registering the >> user and then doing a reset password request after, but this makes the >> request to our service take twice as long. It would be great if we could >> reduce this to a single request. >> >> Regards, >> Scott >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From sesnor.silva at sapo.pt Mon May 15 13:02:19 2017 
From: sesnor.silva at sapo.pt (sesnor.silva at sapo.pt)
Date: Mon, 15 May 2017 18:02:19 +0100
Subject: [keycloak-user] JS adapter constantly refreshing page
Message-ID: <20170515180219.Horde.4t2wrfkQ-zYnc_3dXJvbu6r@mail.sapo.pt>

Hello,

I'm trying to integrate keycloak's JS adapter into an application. However, for some reason the page keeps refreshing (every 5 seconds or so?) after successfully logging in.

I managed to reproduce the problem with the following minimal code:

I tried searching around but I didn't find too many answers. I tried to base my implementation around:
https://github.com/bandrzejczak/keycloak-angular-akka-http/blob/master/client/app.js
and
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app

But I get the same behavior every time: The page just keeps refreshing.

It seems to be related to blocking third-party cookies on the browser. I use Firefox 53. Since my Keycloak isn't on the same host as the application, I think the browser rejects the keycloak's cookies. If this is the case, what could be a workaround for this? Is there any option on the adapter's side? I'm worried some browser might block third-party cookies by default (Opera and Brave Browser come to mind).

Thank you,
My best regards,
Silva

From chexxor at gmail.com Mon May 15 13:03:21 2017
From: chexxor at gmail.com (Alex Berg)
Date: Mon, 15 May 2017 12:03:21 -0500
Subject: [keycloak-user] Can't set password when registering a user
In-Reply-To:
References:
Message-ID:

Sorry, I haven't really tested from the need experience what I've implemented, and I now believe it's doing as you say - the password isn't holding. I thought it was working because I got no error message when developing it. I presumed I was just bad at typing the password to login with a user I had newly registered, and so I just manually reset it in admin console to carry on testing.

On May 15, 2017 04:14, "Scott Finlay" wrote:
> Hmm, that request body doesn't look very different from my example. I've
> tried now removing the additional fields I had and adding the few you have
> and I still get exactly the same outcome: when I try impersonating the user
> in the Keycloak admin panel he has no password set (but he does when I
> explicitly call the reset-password endpoint).
>
> Is there some setting/role/permission I'm missing maybe? I'm using version
> 2.5.5.Final.
> ------------------------------
> *From:* Alex Berg
> *Sent:* Friday, May 12, 2017 6:09:59 PM
> *To:* Scott Finlay
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Can't set password when registering a user
>
> I do something like that, and it works for me.
>
> The content of my XHR is JSON of this:
>
> { credentials : [
>     { type: "password"
>     , temporary: false
>     , value: regBody.password
>     }
>   ]
> , email: regBody.email
> , username: regBody.email
> , emailVerified: false
> , enabled: true
> , requiredActions: [ "VERIFY_EMAIL" ]
> }
>
> The created user's ID is available on the "location" response header.
> > On Fri, May 12, 2017 at 2:27 AM, Scott Finlay > wrote: > >> Hi, >> >> According to the Keycloak admin API documentation: >> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_cr >> eate_a_new_user >> -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_us >> errepresentation >> -> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_cr >> edentialrepresentation >> >> We should be able to provide credentials when creating a new user, but >> when I provide credentials it doesn't seem to set the password for the new >> user. Here is what my request looks like: >> >> POST /auth/admin/realms/myrealm/users/ >> {"enabled":true,"username":"blah at blop.com","email":"blah at blop.com >> ","firstName":"Blah","lastName":"Blop","attributes":{" >> userId":["1234"]},"credentials":[{"type":"password"," >> temporary":false,"value":"secr$tP4ssword"}]} >> >> Just as an experiment, I tried passing a single "credential" instead of >> an array of credentials and I got this error back: >> >> internal server error;KeyCloak HTTP Error Response [400]: >> com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize >> instance of java.util.ArrayList out of START_OBJECT token at [Source: >> io.undertow.servlet.spec.ServletInputStreamImpl at 264472bc; line: 1, >> column: 156] (through reference chain: org.keycloak.representations.i >> dm.UserRepresentation["credentials"]) >> >> So clearly Keycloak is actually parsing this field. Am I doing something >> wrong with this request or is the documentation wrong? >> >> Right now what we've been doing to get around this is registering the >> user and then doing a reset password request after, but this makes the >> request to our service take twice as long. It would be great if we could >> reduce this to a single request. 
>> >> Regards, >> Scott >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From elnaz.razmit at gmail.com Tue May 16 02:01:00 2017 From: elnaz.razmit at gmail.com (Elnaz razmi) Date: Mon, 15 May 2017 23:01:00 -0700 Subject: [keycloak-user] (no subject) Message-ID: From pulgupta at redhat.com Tue May 16 02:12:28 2017 
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Tue, 16 May 2017 11:42:28 +0530
Subject: [keycloak-user] Spring security adapter for SAML
In-Reply-To:
References:
Message-ID:

Hi Jeremy,

I know it's been quite some time, but I only got that project now to integrate Keycloak with Spring security. Can you give me a small background or some sample configurations if required? I went through the documentation and it seems we have to prepare a long spring security context file to make it work. Is that correct, or can we just put the adapter in the class path and it will work with keycloak?

Regards,
Pulkit

On Wed, Oct 26, 2016 at 5:50 PM, Jeremy Simon wrote:
> Pulkit,
>
> There is a SAML extension for Spring:
> http://projects.spring.io/spring-security-saml/
>
> We're using this on a few applications and it works pretty good. The
> only drawback, and maybe a later version has overcome this, is that
> backchannel logouts coming from an IDP (in the case of SLO / Global
> Logout) didn't work, since the application side did not store the
> SessionIndex outside of an HttpSession's context (linked to a browser
> cookie). We just ended up writing our own registry to overcome that.
>
> jeremy
> jeremy at jeremysimon.com
> www.JeremySimon.com
>
> On Wed, Oct 19, 2016 at 3:03 AM, Pulkit Gupta wrote:
> > Hi Team,
> >
> > I have an application with Spring security configured.
> > We are trying to migrate the same to keycloak.
> >
> > Do we have a spring security adapter for keycloak with SAML?
> > I went through the documentation and can see that we have a spring adapter
> > but that is for open ID connect.
> > > > -- > > Thanks, > > Pulkit > > AMS > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- PULKIT GUPTA SENIOR SOFTWARE APPLICATIONS ENGINEER Red Hat IN IT GBD Pune - India pulgupta at redhat.com T: +91-2066817536 IM: pulgupta From elnaz.razmit at gmail.com Tue May 16 02:14:50 2017 From: elnaz.razmit at gmail.com (Elnaz razmi) Date: Mon, 15 May 2017 23:14:50 -0700 Subject: [keycloak-user] (no subject) Message-ID: From elnaz.razmit at gmail.com Tue May 16 02:20:44 2017 From: elnaz.razmit at gmail.com (Elnaz razmi) Date: Mon, 15 May 2017 23:20:44 -0700 Subject: [keycloak-user] (no subject) Message-ID: what is feature of keycloak-3.1.0.final released? From elnaz.razmit at gmail.com Tue May 16 04:09:34 2017 
From: elnaz.razmit at gmail.com (Elnaz razmi)
Date: Tue, 16 May 2017 01:09:34 -0700
Subject: [keycloak-user] (no subject)
Message-ID:

We chose to install domain mode keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines as we can see in the other nodes' connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From ssilvert at redhat.com Tue May 16 08:34:46 2017
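One way to check a node join from exactly these Infinispan messages, as an added example (not code from the post or from Keycloak/Infinispan): it parses the ISPN000310 "Starting" and ISPN000336 "Finished" lines per cache, then reports every cache where no rebalance started, where it started but never finished, or where the new node is absent from actualMembers. The sample log is a constructed, abridged subset in the same format as the lines above, with a few failure cases planted so that the checker has something to report; node names and the list of expected caches are taken from the post.

```python
"""Check Infinispan cluster-wide rebalance messages for a newly joined Keycloak node.

Added example, not from the list post. Parses ISPN000310/ISPN000336 lines and
reports, per cache, whether the rebalance that started also finished and whether
the expected node appears in actualMembers. SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

START_RE = re.compile(
    r"ISPN000310: Starting cluster-wide rebalance for cache (\S+), topology "
    r"CacheTopology\{id=(\d+).*?actualMembers=\[([^\]]*)\]")
FINISH_RE = re.compile(
    r"ISPN000336: Finished cluster-wide rebalance for cache (\S+), topology id = (\d+)")

# Caches a Keycloak node reports on join (names as in the post) and the node we expect to see.
EXPECTED_CACHES = ["work", "loginFailures", "authorization", "sessions", "offlineSessions"]
NEW_NODE = "srvca61-site231:server-twoslave"

# Constructed sample: consistent-hash details abridged; loginFailures never finishes,
# authorization finishes without the new node, offlineSessions never starts.
SAMPLE_LOG = """\
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3
"""


@dataclass
class CacheRebalance:
    cache: str
    started_topology: Optional[int] = None
    finished_topology: Optional[int] = None
    members: List[str] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        # A "Finished" line only counts for the topology whose "Starting" line we saw.
        return self.started_topology is not None and self.finished_topology == self.started_topology


def parse_rebalance_log(lines: Iterable[str]) -> Dict[str, CacheRebalance]:
    """Fold the rebalance messages into one record per cache (last topology wins)."""
    result: Dict[str, CacheRebalance] = {}
    for line in lines:
        m = START_RE.search(line)
        if m:
            rec = result.setdefault(m.group(1), CacheRebalance(m.group(1)))
            rec.started_topology = int(m.group(2))
            rec.members = [x.strip() for x in m.group(3).split(",") if x.strip()]
            continue
        m = FINISH_RE.search(line)
        if m:
            rec = result.setdefault(m.group(1), CacheRebalance(m.group(1)))
            rec.finished_topology = int(m.group(2))
    return result


def check_node_join(status: Dict[str, CacheRebalance], node: str,
                    expected_caches: Iterable[str]) -> Dict[str, str]:
    """Map every cache that is not in a good state for `node` to the reason."""
    problems: Dict[str, str] = {}
    for cache in expected_caches:
        rec = status.get(cache)
        if rec is None or rec.started_topology is None:
            problems[cache] = "no rebalance started"
        elif not rec.complete:
            problems[cache] = f"rebalance for topology {rec.started_topology} not finished"
        elif node not in rec.members:
            problems[cache] = "node not in actualMembers"
    return problems


if __name__ == "__main__":
    status = parse_rebalance_log(SAMPLE_LOG.splitlines())
    for cache, reason in check_node_join(status, NEW_NODE, EXPECTED_CACHES).items():
        print(f"{cache}: {reason}")
```

Run it against the joining node's server.log (or the domain controller's host-controller log) instead of SAMPLE_LOG; an empty result means every expected cache started and finished a rebalance that includes the new member, which is the evidence the post says is missing for the third node.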
From: ssilvert at redhat.com (Stan Silvert) Date: Tue, 16 May 2017 08:34:46 -0400 Subject: [keycloak-user] JS adapter constantly refreshing page In-Reply-To: <20170515180219.Horde.4t2wrfkQ-zYnc_3dXJvbu6r@mail.sapo.pt> References: <20170515180219.Horde.4t2wrfkQ-zYnc_3dXJvbu6r@mail.sapo.pt> Message-ID: <0a615df4-8525-96a9-0c95-50da13ff9248@redhat.com> There was a recent bug like this, but it only happened on Chrome. It's fixed in the latest Keycloak release. Have you tried different browsers? My advice would be to get the demo running with the same two servers and browser version. https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app Then see if you encounter the same problem. If so, let us know that our demo is broken and we'll try to fix it. On 5/15/2017 1:02 PM, sesnor.silva at sapo.pt wrote: > Hello, > > I'm trying to integrate keycloak's JS adapater into an application. > However for some reason the page keeps refreshing (every 5 seconds or > so?) after successfully logging in. > > I managed to reproduce the problem with the following minimal code: > > > > > > > > > > > > > > > > I tried searching around but I didn't find too many answers. I tried > to base my implementation around: > https://github.com/bandrzejczak/keycloak-angular-akka-http/blob/master/client/app.js > and > https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app > > But I get the same behavior every time: The page just keeps refreshing. > > It seems to be related to blocking third-party cookies on the > browser. I use Firefox 53. Since my Keycloak isn't on the same host > as the application, I think the browser rejects the keycloak's > cookies. If this is the case, what could be a workaround for this? Is > there any option on the adapter's side? I'm worried some browser might > block third-party cookies by default (Opera and Brave Browser come to > mind). 
>
> Thank you,
> My best regards,
> Silva
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From onerrorgoto at aruba.it Tue May 16 09:09:58 2017
From: onerrorgoto at aruba.it (Vito Vessia)
Date: Tue, 16 May 2017 15:09:58 +0200
Subject: [keycloak-user] Performance loss migrating from Keycloak 1.7.0 to Keycloak 2.5.5/3.x
Message-ID:

Hi all,
we have adopted Keycloak as foundation for our identity services since the beginning (July 2015), and after an initial development period in which we developed our federation/mail/whatever providers we fixed the underlying Keycloak version to 1.7.0 for more than one year.
Recently we have upgraded to Keycloak 2.5.5, doing a big reworking related to the new architecture of the former Federation providers, etc...
The first impression is that it is more robust and stable, but it seems to be slower than the 1.7.0 version. Without any SPI installed, using a raw keycloak realm, on the same machine the pure login via OpenId Connect endpoints takes:

30 ms on Keycloak 1.7.0 (average value after 100 logins)
100 ms on Keycloak 2.5.5 (average value after 100 logins)

We get the same gap both with H2 and Oracle database.

If we mount our SPI providers (User Storage and others), the gap is greater, but of course it could be an issue in our code after the migration to the new SPI architecture.

Is there a specific reason for this gap? (i.e. a better management of the concurrency).
Is there a specific setting/strategy to improve the performance?

The configuration has been tested both on Linux and Windows on a standalone server. The Wildfly -Xmx has been set to 1g on both Keycloak versions.

--Vito Vessia

From rafterjiang at hotmail.com Tue May 16 09:21:06 2017
From: rafterjiang at hotmail.com (rafterjiang) Date: Tue, 16 May 2017 06:21:06 -0700 (MST) Subject: [keycloak-user] Spring Boot adapter with HTTP verb based authorization In-Reply-To: References: Message-ID: <1494940866240-3889.post@n6.nabble.com> Hi, Sebastien 1. Is there some example for how to enable policy enforcer in spring boot, especially for those parameters? 2. If I enable policy enforcer in authorization layer (in spring boot), is it still required to add the security constraints in configuration? I assume if authorization is enabled for resource server and the web service constraints are added in its policy, there should be no further settings in configuration for the security constraints? Thanks, Rong -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Spring-Boot-adapter-with-HTTP-verb-based-authorization-tp2829p3889.html Sent from the keycloak-user mailing list archive at Nabble.com. From jonathandandries at gmail.com Tue May 16 10:22:41 2017 
From: jonathandandries at gmail.com (Jonathan D'Andries)
Date: Tue, 16 May 2017 09:22:41 -0500
Subject: [keycloak-user] Keycloak-mysql Docker -- 2 issues
In-Reply-To:
References:
Message-ID:

Does anyone here work on the Docker images, or is that another list?

Sorry for reposting,
Jonathan

--
Jonathan D'Andries
http://www.linkedin.com/in/jonathandandries/

On Fri, May 12, 2017 at 2:48 PM, Jonathan D'Andries <jonathandandries at gmail.com> wrote:
> Two issues related to running keycloak-mysql:3.0.0.Final and mysql:5.7.18
> in docker-compose, but that will likely have broader impact in certain
> circumstances:
>
> Issue #1. JBoss doesn't wait for mysql to be available, and it fails to
> create a connection if mysql hasn't come up yet (no retry). This is
> especially problematic if you are trying to use docker-compose since
> everything likes to start around the same time:
>
> Error:
>
> 19:18:03,553 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 50) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
>
> Workaround:
>
> - Need a custom Dockerfile to override the ENTRYPOINT definition to
> use a custom docker-entrypoint-waitforit.sh. And note that because we
> are changing ENTRYPOINT, we also need to redefine CMD.
>
> Gist of the Dockerfile:
>
> FROM jboss/keycloak-mysql:3.0.0.Final
> COPY docker-entrypoint-waitforit.sh wait-for-it.sh /
> ENTRYPOINT ["/docker-entrypoint-waitforit.sh"]
> CMD ["-b", "0.0.0.0"]
>
> Gist of docker-entrypoint-waitforit.sh:
>
> #!/bin/bash
> # wait up to 60s for mysql, then hand the original arguments to the image's entrypoint
> /wait-for-it.sh mysql:3306 -t 60 -- /opt/jboss/docker-entrypoint.sh "$@"
> exit $?
>
> For wait-for-it.sh, see: https://github.com/vishnubob/wait-for-it or see:
> https://github.com/jwilder/dockerize
>
> Docker recommends this approach: https://docs.docker.com/compose/startup-order/
>
> Issue #2.
> When running in docker-compose, JBoss cannot connect to mysql
> without some extra work. This issue seems to be related to running on the
> project-specific default network that is set up by docker-compose.
>
> Note that you don't have this issue when running independent in docker:
>
> docker run --name mysql -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=password -e MYSQL_ROOT_PASSWORD=root_password -d mysql:5.7.18
> # wait 30 seconds
> docker run --name keycloak-standalone-test --link mysql:mysql -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e MYSQL_DATABASE=keycloak -e MYSQL_USERNAME=keycloak -e MYSQL_PASSWORD=password -p "8080:8080" jboss/keycloak-mysql:3.0.0.Final
>
> Error when running in docker-compose:
>
> 19:24:04,072 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 27) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "datasources"),
>     ("data-source" => "KeycloakDS")
> ]) - failure description: "WFLYCTL0211: Cannot resolve expression 'jdbc:mysql://${env.MYSQL_PORT_3306_TCP_ADDR}:${env.MYSQL_PORT_3306_TCP_PORT}/${env.MYSQL_DATABASE:keycloak}'"
>
> Workarounds:
>
> 1. Option-1: In docker-compose.yml for the keycloak service, define these
> environment variables:
>
>     - MYSQL_PORT_3306_TCP_ADDR=mysql
>     - MYSQL_PORT_3306_TCP_PORT=3306
>
> 2. Option-2: run the keycloak and mysql services on the default "bridge"
> network. In the keycloak and mysql service definitions:
>
>     network_mode: bridge
>
> Separately:
>
>     networks:
>       default:
>         external:
>           name: bridge
>
> Bottom line question:
>
> - Why does JBoss behave differently when trying to connect to mysql on
> the global "bridge" network (works) vs the project-specific default network
> (fails)?
>
> Jonathan
>
> --
> Jonathan D'Andries
> http://www.linkedin.com/in/jonathandandries/

From bburke at redhat.com Tue May 16 12:40:03 2017
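The startup-order workaround from issue #1, as an added example in Python rather than the wait-for-it.sh wrapper quoted above (this is not code from the thread or from the jboss/keycloak-mysql image): wait_for_port() retries a TCP connect until the dependency accepts or a deadline passes, and run_when_ready() then execs the real entrypoint so signals and the exit status still reach the server process. The mysql:3306 default and the /opt/jboss/docker-entrypoint.sh path are the ones quoted in the thread; the timeouts, the self_check() helper and the Dockerfile lines in the comment are assumptions.

```python
"""Wait for a TCP dependency before starting the real entrypoint.

Added example; a Python equivalent of the wait-for-it.sh wrapper from the
thread, not code from the thread or the jboss/keycloak-mysql image.
"""
import os
import socket
import sys
import time
from typing import Sequence


def wait_for_port(host: str, port: int, timeout: float = 60.0, interval: float = 1.0) -> bool:
    """True once host:port accepts a TCP connection, False if the timeout elapses first."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:                       # refused, unreachable, name not (yet) resolvable, or timed out
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


def run_when_ready(argv: Sequence[str], host: str = "mysql", port: int = 3306,
                   timeout: float = 60.0) -> int:
    """Exec argv once the dependency is up; returns 1 without starting it on timeout."""
    if not wait_for_port(host, port, timeout):
        sys.stderr.write(f"timed out after {timeout:.0f}s waiting for {host}:{port}\n")
        return 1
    os.execvp(argv[0], list(argv))            # replaces this process, so PID 1 semantics are kept


def self_check() -> dict:
    """Offline check: a listening socket on localhost versus a port that was just released."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                               # nothing listens on closed_port any more
    try:
        return {"open": wait_for_port("127.0.0.1", open_port, timeout=5, interval=0.1),
                "closed": wait_for_port("127.0.0.1", closed_port, timeout=0.3, interval=0.05)}
    finally:
        srv.close()


if __name__ == "__main__":
    # Assumed Dockerfile split, mirroring the thread's ENTRYPOINT/CMD approach:
    #   ENTRYPOINT ["python3", "/wait_for_dependency.py"]
    #   CMD ["-b", "0.0.0.0"]
    # so the CMD arguments arrive in sys.argv and are passed through to the image's entrypoint.
    sys.exit(run_when_ready(["/opt/jboss/docker-entrypoint.sh", *sys.argv[1:]]))
```

Issue #2 is a different problem: the MYSQL_PORT_3306_TCP_ADDR and MYSQL_PORT_3306_TCP_PORT variables the datasource expression refers to are the legacy `--link` environment variables, which Docker injects only for links, not for containers on a compose project's user-defined network; that is why defining them explicitly in docker-compose.yml (Option-1) works, and a wait wrapper does not help with it.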
From: bburke at redhat.com (Bill Burke)
Date: Tue, 16 May 2017 12:40:03 -0400
Subject: [keycloak-user] Performance loss migrating from Keycloak 1.7.0 to Keycloak 2.5.5/3.x
In-Reply-To:
References:
Message-ID: <47ab2a7e-c881-154f-42b5-0bf749ae04e4@redhat.com>

Entire user is cached (role mappings, attributes, etc.) the first time it is accessed. Maybe in your old User Federation Provider, you loaded stuff on demand?

Another thing you could try is to ditch the import. The new User Storage Model supports a non-import mode if you implement it correctly.

On 5/16/17 9:09 AM, Vito Vessia wrote:
> Hi all,
> we have adopted Keycloak as foundation for our identity services since the
> beginning (July 2015), and after an initial development period in which we
> developed our federation/mail/whatever providers we fixed the underlying
> Keycloak version to 1.7.0 for more than one year.
> Recently we have upgraded to Keycloak 2.5.5, doing a big reworking related
> to the new architecture of the former Federation providers, etc...
> The first impression is that it is more robust and stable, but it seems to
> be slower than the 1.7.0 version. Without any SPI installed, using a raw
> keycloak realm, on the same machine the pure login via OpenId Connect
> endpoints takes:
>
> 30 ms on Keycloak 1.7.0 (average value after 100 logins)
> 100 ms on Keycloak 2.5.5 (average value after 100 logins)
>
> We get the same gap both with H2 and Oracle database.
>
> If we mount our SPI providers (User Storage and others), the gap is greater,
> but of course it could be an issue in our code after the migration to the
> new SPI architecture.
>
> Is there a specific reason for this gap? (i.e. a better management of the
> concurrency).
> Is there a specific setting/strategy to improve the performance?
>
> The configuration has been tested both on Linux and Windows on a standalone
> server. The Wildfly -Xmx has been set to 1g on both Keycloak versions.
> > --Vito Vessia > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From hylton.peimer at datos-health.com Tue May 16 13:33:00 2017 From: hylton.peimer at datos-health.com (Hylton Peimer) Date: Tue, 16 May 2017 20:33:00 +0300 Subject: [keycloak-user] Unable to create user with roles using Rest API Message-ID: I have created a new Realm and added a role: "DOCTORS". POST to /admin/realms/{realm}/users With the following JSON: {"realmRoles":["DOCTORS"],"enabled":"true","username":"drhp"} This invocation creates the user, but the "DOCTORS" role is not assigned. The rest call is using a bearer token obtained from an administrative user in the master realm. From elnaz.razmit at gmail.com Tue May 16 13:59:01 2017 
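The two Keycloak admin REST quirks reported on the list, the ignored "credentials" array in "Can't set password when registering a user" and the ignored "realmRoles" in the message just above, as one added example (not code from either thread or from the Keycloak project). It follows Marko Strukelj's answer: POST the UserRepresentation, take the new id from the Location header (as Alex Berg noted), then PUT reset-password; realm roles are assigned the same way through the role-mappings endpoint, which needs full RoleRepresentations looked up from /roles/{name}. The HTTP transport is injected so the flow runs offline against the FakeKeycloak stand-in; the base URL, realm, bearer token, user and role values are constructed, and the real transport is only there for use against a live server.

```python
"""Provision a Keycloak user with a password and realm roles over the admin REST API.

Added example; not code from the keycloak-user threads or from Keycloak.
Flow: POST /users -> id from Location -> PUT reset-password -> POST role-mappings.
All URLs, tokens, users and roles below are constructed.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# transport(method, url, headers, body) -> (status, response headers, response body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Dict[str, str], bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, Dict[str, str], bytes]:
    """Transport for a live server (use HTTPS: the password travels in the reset-password body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers), resp.read()


class KeycloakAdmin:
    def __init__(self, base_url: str, realm: str, token: str, transport: Transport = urllib_transport):
        self.base = f"{base_url.rstrip('/')}/admin/realms/{realm}"   # base_url includes /auth
        self.token = token
        self.transport = transport

    def _call(self, method: str, path: str, payload=None, expect=(200,)) -> Tuple[Dict[str, str], bytes]:
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, resp_headers, resp_body = self.transport(method, self.base + path, headers, body)
        if status not in expect:   # fail loudly; a quietly ignored field is how the missing password went unnoticed
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {resp_body[:200]!r}")
        return resp_headers, resp_body

    def create_user(self, rep: dict) -> str:
        headers, _ = self._call("POST", "/users", rep, expect=(201,))
        location = {k.lower(): v for k, v in headers.items()}["location"]   # 201 has no body; id is here only
        return location.rstrip("/").rsplit("/", 1)[-1]

    def set_password(self, user_id: str, password: str, temporary: bool = False) -> None:
        cred = {"type": "password", "value": password, "temporary": temporary}
        self._call("PUT", f"/users/{user_id}/reset-password", cred, expect=(204,))

    def assign_realm_roles(self, user_id: str, role_names: Iterable[str]) -> None:
        reps = [json.loads(self._call("GET", f"/roles/{n}")[1]) for n in role_names]   # needs id + name
        self._call("POST", f"/users/{user_id}/role-mappings/realm", reps, expect=(204,))


def provision_user(admin: KeycloakAdmin, username: str, email: str,
                   password: str, realm_roles: Iterable[str] = ()) -> str:
    """Create, set password, map roles; returns the new user's id."""
    # "credentials" and "realmRoles" in the create body are not applied in the
    # versions discussed on the list, so they are deliberately left out here.
    user_id = admin.create_user({"username": username, "email": email, "enabled": True})
    admin.set_password(user_id, password, temporary=False)
    if realm_roles:
        admin.assign_realm_roles(user_id, realm_roles)
    return user_id


class FakeKeycloak:
    """Constructed in-memory stand-in for the four endpoints used above; records every call."""
    def __init__(self, base_url: str = "https://sso.example.test/auth", realm: str = "myrealm"):
        self.prefix = f"{base_url}/admin/realms/{realm}"
        self.calls: List[Tuple[str, str]] = []
        self.users: Dict[str, dict] = {}
        self.passwords: Dict[str, dict] = {}
        self.role_mappings: Dict[str, List[str]] = {}
        self.roles = {"DOCTORS": {"id": "constructed-role-id", "name": "DOCTORS"}}

    def __call__(self, method, url, headers, body):
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {}, b""
        path = url[len(self.prefix):]
        payload = json.loads(body) if body else None
        self.calls.append((method, path))
        parts = path.split("/")                       # "/users/<id>/..." -> parts[2] is the id
        if method == "POST" and path == "/users":
            uid = f"user-{len(self.users) + 1:04d}"
            self.users[uid] = payload
            return 201, {"Location": f"{self.prefix}/users/{uid}"}, b""
        if method == "PUT" and path.endswith("/reset-password"):
            self.passwords[parts[2]] = payload
            return 204, {}, b""
        if method == "GET" and path.startswith("/roles/"):
            role = self.roles.get(parts[2])
            return (200, {}, json.dumps(role).encode()) if role else (404, {}, b"")
        if method == "POST" and path.endswith("/role-mappings/realm"):
            self.role_mappings.setdefault(parts[2], []).extend(r["name"] for r in payload)
            return 204, {}, b""
        return 404, {}, b""


def demo(roles: Iterable[str] = ("DOCTORS",)) -> Tuple[FakeKeycloak, str]:
    fake = FakeKeycloak()
    admin = KeycloakAdmin("https://sso.example.test/auth", "myrealm", "constructed-token", transport=fake)
    return fake, provision_user(admin, "drhp", "drhp@example.test", "constructed-Passw0rd", roles)


if __name__ == "__main__":
    fake, uid = demo()
    print(uid, fake.calls, fake.passwords[uid]["temporary"], fake.role_mappings[uid])
```

Against a real server, replace FakeKeycloak with the default urllib transport and a token obtained for a master-realm admin, as in the message above. The cost is the extra round trips the thread complains about, but the explicit 4xx check is what turns a silently ignored field into a visible failure in a batch import.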
From: elnaz.razmit at gmail.com (Elnaz razmi)
Date: Tue, 16 May 2017 10:59:01 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain

We chose to install domain mode Keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines, which we can see in the other node's connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From rafterjiang at hotmail.com Tue May 16 14:23:29 2017
From: rafterjiang at hotmail.com (Rong -)
Date: Tue, 16 May 2017 18:23:29 +0000
Subject: [keycloak-user] Keycloak authorization support for spring boot.

Hi,

I am trying to set up Keycloak as an independent server for authorization purposes. Our REST API service is built on Spring Boot, implemented as a resource server for the "policy enforcer". However, I have many issues when trying to set this up.

1. Spring Boot works fine if I only set up the security constraints (for the REST API) in the configuration file. But I want to enable the policy enforcer for Spring Boot; is this possible? Is there some example of how to enable the policy enforcer in Spring Boot, especially how to set up those parameters?

2. We also want to have an access control list of which user can access which project. I have set up a "user policy" in the Keycloak admin console in the client's "authorization"; what else shall we do in the Spring Boot configuration?

3. If I enable the policy enforcer in the authorization layer (in Spring Boot), is it still required to add the security constraints in Spring Boot's application properties? I assume that if authorization is enabled for the resource server and the web service/URL constraints are added in the resource server's policy, there should be no further settings in the configuration for the security constraints?

Thanks,
Rong

From bburke at redhat.com Tue May 16 15:08:40 2017
From: bburke at redhat.com (Bill Burke)
Date: Tue, 16 May 2017 15:08:40 -0400
Subject: [keycloak-user] Unable to create user with roles using Rest API

You have to call a separate REST API after you create the user to add roles/groups.

On 5/16/17 1:33 PM, Hylton Peimer wrote:
> I have created a new Realm and added a role: "DOCTORS".
>
> POST to /admin/realms/{realm}/users
>
> With the following JSON:
> {"realmRoles":["DOCTORS"],"enabled":"true","username":"drhp"}
>
> This invocation creates the user, but the "DOCTORS" role is not assigned.
>
> The REST call is using a bearer token obtained from an administrative user in the master realm.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue May 16 16:32:26 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 16 May 2017 17:32:26 -0300
Subject: [keycloak-user] Keycloak authorization support for spring boot.

On Tue, May 16, 2017 at 3:23 PM, Rong - wrote:
> Hi,
>
> I am trying to set up Keycloak as an independent server for authorization purposes. Our REST API service is built on Spring Boot, implemented as a resource server for the "policy enforcer". However, I have many issues when trying to set this up.
>
> 1. Spring Boot works fine if I only set up the security constraints (for the REST API) in the configuration file. But I want to enable the policy enforcer for Spring Boot; is this possible? Is there some example of how to enable the policy enforcer in Spring Boot, especially how to set up those parameters?

We don't have any example for Spring Boot, only regular JEE apps. Something we should probably add to the list of authz examples. But if your application is already protected by the Keycloak Spring adapter, you should be able to enable the Policy Enforcer by just using this minimal setting in your keycloak.json. Have you looked at the docs? https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/spring-boot-adapter.html

> 2. We also want to have an access control list of which user can access which project. I have set up a "user policy" in the Keycloak admin console in the client's "authorization"; what else shall we do in the Spring Boot configuration?

If your adapter is properly configured and you have enabled policy enforcement (config above), you should be pretty much done. Just make sure you have created resources in Keycloak representing the paths you want to protect. For instance, if you want to protect "/*", make sure you have a resource in Keycloak with a URI with the value "/*".

> 3. If I enable the policy enforcer in the authorization layer (in Spring Boot), is it still required to add the security constraints in Spring Boot's application properties? I assume that if authorization is enabled for the resource server and the web service/URL constraints are added in the resource server's policy, there should be no further settings in the configuration for the security constraints?

You still need to configure things as described in the docs. The policy enforcer is basically your Keycloak adapter also acting as a policy enforcement point.

> Thanks,
> Rong
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From manwoodvice at gmail.com Tue May 16 23:14:52 2017
From: manwoodvice at gmail.com (mark)
Date: Wed, 17 May 2017 11:14:52 +0800
Subject: [keycloak-user] Dynamically assign role at user registration

When a user registers with my application via Keycloak I want to assign a particular role depending on the way they have registered (to be determined). From the documentation it appears I can use the scope parameter, but how? Can anyone point me to an example?

Thanks

From elnaz.razmit at gmail.com Tue May 16 23:56:10 2017
From: elnaz.razmit at gmail.com (Elnaz razmi)
Date: Tue, 16 May 2017 20:56:10 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain

We chose to install domain mode Keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines, which we can see in the other node's connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From liam.maruff at gmail.com Wed May 17 02:29:55 2017
From: liam.maruff at gmail.com (Liam Maruff)
Date: Wed, 17 May 2017 16:29:55 +1000
Subject: [keycloak-user] Verify custom registration field

Hi there,

I have customised a registration form to include a custom field called 'Organisation'. How can I verify that the value provided by the user for this field is appropriate and, if it isn't, reject the user's registration and display an error message?

Regards,
Liam M

From yaldaa.zarrin at gmail.com Wed May 17 05:40:51 2017
From: yaldaa.zarrin at gmail.com (tina zarrin)
Date: Wed, 17 May 2017 02:40:51 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain

We chose to install domain mode Keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines, which we can see in the other node's connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From yaldaa.zarrin at gmail.com Wed May 17 05:44:28 2017
From: yaldaa.zarrin at gmail.com (tina zarrin)
Date: Wed, 17 May 2017 02:44:28 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain

We chose to install domain mode Keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines, which we can see in the other node's connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From yaldaa.zarrin at gmail.com Wed May 17 06:30:03 2017
From: yaldaa.zarrin at gmail.com (tina zarrin)
Date: Wed, 17 May 2017 03:30:03 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain

We chose to install domain mode Keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines, which we can see in the other node's connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From elnaz.razmit at gmail.com Wed May 17 06:39:38 2017
From: elnaz.razmit at gmail.com (Elnaz razmi)
Date: Wed, 17 May 2017 03:39:38 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain

Hello, please help me with this problem:

We chose to install domain mode Keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines, which we can see in the other node's connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From mstrukel at redhat.com Wed May 17 09:41:37 2017
From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 17 May 2017 15:41:37 +0200 Subject: [keycloak-user] admin cli - add composite roles to client role In-Reply-To: References: <030e01d2c98b$64fc5020$2ef4f060$@huebinet.de> Message-ID: You should be able to add client role to another composite client role with current kcadm: $ kcadm.sh add-roles --cclientid test-client --rid fc400897-ef6a-4e8c-872b-1581b7fa8a71 --rolename support You first need to discover an id of the composite client role. For example, in this case there is a client with "clientId": 'test-client', a client role with "name": "support", and another client role - that will become composite role - with "id": "fc400897-ef6a-4e8c-872b-1581b7fa8a71", "name":"operations". I can get id of the client role by doing: $ kcadm.sh get-roles --cclientid test-client --rolename operations After adding the role I can list all roles of a composite role by running: $ kcadm.sh get-roles --rid fc400897-ef6a-4e8c-872b-1581b7fa8a71 --all On Mon, May 15, 2017 at 5:10 PM, Marko Strukelj wrote: > This may be an omission in add-roles command. Can you open a JIRA please, > and describe steps to reproduce? > > On Wed, May 10, 2017 at 2:46 PM, Kevin Hirschmann > wrote: > >> Hello, >> >> >> >> can someone please tell me how to use admin cli to add a client role to >> another client role - composite? In the docs I could find a way to add >> client roles to realm roles but this isn?t what I need. >> >> >> >> call kcadm.bat add-roles -r demo --rname TTest --cclientid myapp >> --rolename >> change-color (works if TTest is a realm role) >> >> >> >> Thanks for your help. >> >> >> >> Kevin Hirschmann >> >> >> >> HUEBINET Informationsmanagement GmbH & Co. KG >> >> >> >> >> >> Telefon: +49 (0) 261 / 5 00 86 - 17 >> >> Telefax: +49 (0) 261 / 5 00 86 - 29 >> >> E-Mail: >> kevin.hirschmann at huebinet.de >> >> Internet: www.huebinet.de >> >> >> >> HUEBINET Informationsmanagement GmbH & Co. 
>> KG
>>
>> An der Königsbach 8
>> 56075 Koblenz
>>
>> Registered office and court of registration: Koblenz HRA 5329
>> Personally liable partner of the KG: HUEBINET GmbH; registered office and court of registration: Koblenz HRB 6857
>> Management: Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz
>> ----------------------------------------------------------------------------
>>
>> Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From jonathandandries at gmail.com Wed May 17 10:22:19 2017
From: jonathandandries at gmail.com (Jonathan D'Andries) Date: Wed, 17 May 2017 09:22:19 -0500 Subject: [keycloak-user] Implicit Flow with the Spring Boot adapter Message-ID:

We have a scenario in which the application does not have access to the Keycloak server, but the user does. In this case, the user is on our internal corporate network along with the Keycloak server, while the application lives on the public Internet. We can send the user from the public application to Keycloak to log in, but the application cannot communicate back with Keycloak to verify the token coming back when the user returns.

It is my understanding that "Implicit Flow" should allow for this scenario: https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc-generic.html#_implicit

But I cannot figure out how to implement this with the Spring Boot adapter. It seems to me that the adapter should have a way to decrypt and validate the JWT token locally (making sure the short-lived access token has not expired), then trust the token as implicitly granted and proceed to set a session cookie with a different timeout configured in the Keycloak administrator. Is this available in Keycloak somewhere that I am just missing? Or perhaps you have another suggestion for how to do this?

Note that I recognize implicit flow is inherently flawed because it passes the access token to the user (vulnerable to man-in-the-middle type leaks). Still, it's part of the OIDC spec, and it seems that security concerns can be somewhat mitigated with a short expiration on the Access Token and a configurable expiration of the resulting client session via Keycloak.

Suggestions?

Thanks,
Jonathan

--
Jonathan D'Andries
http://www.linkedin.com/in/jonathandandries/

From mposolda at redhat.com Wed May 17 15:59:09 2017
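The local token check Jonathan describes above, as an added example that is not part of the original post and not code from the Keycloak Spring Boot adapter: a Go program that does what an application with no back channel to the IdP has to do with a token delivered through the browser. It pins the algorithm to RS256, verifies the signature against the realm public key, and only then reads the claims to check issuer, audience and exp. The realm URL, client id, subject and the in-process Sign step are hypothetical stand-ins so the example runs offline (a real token would come from Keycloak and the public key from the adapter configuration); the aud claim is assumed to be a single string, whereas real tokens may carry an array there.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the access-token payload the local check needs.
// Assumption: "aud" is a single string; real Keycloak tokens may carry an array there.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewKey stands in for the realm key pair. A real adapter only ever holds the public half.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Sign issues an RS256 JWT. It plays the issuer (Keycloak) so the example runs offline.
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pay, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(pay)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Verify is what the application must do with no back channel to the IdP:
// pin the algorithm, check the signature with the realm public key, and only
// then trust the payload enough to check issuer, audience and expiry.
func Verify(pub *rsa.PublicKey, token, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// The verifier decides the algorithm, never the token (blocks alg=none and key confusion).
	hdrBytes, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	payBytes, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payBytes, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	}
	if c.Aud != audience {
		return nil, fmt.Errorf("token not issued for this client (aud=%q)", c.Aud)
	}
	// Reject at or after exp; a short exp is the only lifetime bound the app gets in the implicit flow.
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	// Hypothetical realm URL and client id, constructed for the example.
	priv := NewKey()
	iss := "https://sso.example.internal/auth/realms/demo"
	tok, _ := Sign(priv, Claims{Iss: iss, Aud: "public-app", Sub: "alice", Exp: time.Now().Add(5 * time.Minute).Unix()})
	c, err := Verify(&priv.PublicKey, tok, iss, "public-app", time.Now())
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

In the deployment described in the post, Verify would be fed the access_token taken from the URL fragment after the redirect, the realm public key pasted into the adapter configuration, and the application's own client id; only after it returns claims does the application mint its own session cookie, whose lifetime is the application's decision and cannot be enforced by the IdP it can no longer reach.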
From: mposolda at redhat.com (Marek Posolda) Date: Wed, 17 May 2017 21:59:09 +0200 Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain In-Reply-To: References: Message-ID:

If you look at domain/configuration/domain.xml you can see that under the loadbalancer section there are just 2 servers configured. You may need to add another one.

BTW. For a production setup, it will be better to replace the default undertow reverse-proxy loadbalancer with some better solution. That default loadbalancer doesn't even have support for failover AFAIK. For example mod_cluster, which is able to detect nodes automatically when they join the cluster. More info in our documentation.

Marek

On 17/05/17 12:39, Elnaz razmi wrote:
> hello
> please help me with this problem:
>
> We chose to install domain mode keycloak in our company. We have a load
> balancer and three slave nodes. It's working properly with two active nodes,
> but when we want to run the third node to connect to the load balancer, the load
> balancer doesn't rebalance with the new node.
> It just says that the node is registered
> but it doesn't show these lines as we can see in the other node's connect process:
>
> [org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
> [org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
> [org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
> [org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance
for cache sessions, topology CacheTopology{id=3, > rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = > (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: > 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = > (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: > 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, > actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, > srvca61-site231:server-twoslave]} > [org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting > cluster-wide rebalance for cache offlineSessions, topology > CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, > owners = (2)[master:server-one-master: 40+0, > srvca61-site232:server-threeslave: 40+0]}, > pendingCH=DefaultConsistentHash{ns=80, owners = > (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: > 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, > actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, > srvca61-site231:server-twoslave]} > [org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished > cluster-wide rebalance for cache offlineSessions, topology id = 3 > [org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished > cluster-wide rebalance for cache authorization, topology id = 3 > [org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished > cluster-wide rebalance for cache loginFailures, topology id = 3 > [org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished > cluster-wide rebalance for cache work, topology id = 3 > [org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished > cluster-wide rebalance for cache sessions, topology id = 3 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From denny.israel at googlemail.com Thu May 18 
05:27:18 2017
From: denny.israel at googlemail.com (Denny Israel) Date: Thu, 18 May 2017 11:27:18 +0200 Subject: [keycloak-user] Admin Client cannot access keycloak Message-ID:

Hi,

I am trying to use the java keycloak-admin-client to access my keycloak server.

Dependencies:
compile group: 'org.jboss.resteasy', name: 'resteasy-jackson-provider', version: '3.1.2.Final'
compile group: 'org.jboss.resteasy', name: 'resteasy-multipart-provider', version: '3.1.2.Final'
compile group: 'org.jboss.resteasy', name: 'resteasy-client', version: '3.1.2.Final'
compile group: 'org.keycloak', name: 'keycloak-admin-client', version: '3.1.0.Final'

When I use the client to get the server info I get this exception:
Exception in thread "main" javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (Class org.keycloak.representations.AccessTokenResponse), not marked as ignorable at [Source: org.apache.http.conn.EofSensorInputStream at 68e5eea7; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"])

Here is my code:

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

// Imports and the enclosing class/main were not in the original post; added so the snippet compiles as posted.
public class AdminClientDemo {
    public static void main(String[] args) {
        Keycloak kc = KeycloakBuilder.builder()
            .serverUrl("http:///auth")   // host elided in the original post
            .realm("master")
            .username("admin")
            .password("admin")
            .clientId("admin-cli")       // password grant against the built-in admin-cli client
            .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
            .build();
        // Fetches /admin/serverinfo; the token response is parsed by whichever Jackson provider is on the classpath.
        System.out.println(kc.serverInfo().getInfo());
    }
}

What am I doing wrong?

From denny.israel at googlemail.com Thu May 18 05:30:57 2017
From: denny.israel at googlemail.com (Denny Israel) Date: Thu, 18 May 2017 11:30:57 +0200 Subject: [keycloak-user] Admin Client cannot access keycloak In-Reply-To: References: Message-ID: I just realized that i was using the wrong jackson provider. Had to change 'resteasy-jackson-provider' for 'resteasy-jackson2-provider' and now it works. Sorry for the premature alarm ;-) 2017-05-18 11:27 GMT+02:00 Denny Israel : > Hi, > > i am trying to use the java keycloak-admin-client to access my keycloak > server. > > Dependencies: > compile group: 'org.jboss.resteasy', name: 'resteasy-jackson-provider', > version: '3.1.2.Final' > compile group: 'org.jboss.resteasy', name: 'resteasy-multipart-provider', > version: '3.1.2.Final' > compile group: 'org.jboss.resteasy', name: 'resteasy-client', version: > '3.1.2.Final' > compile group: 'org.keycloak', name: 'keycloak-admin-client', version: > '3.1.0.Final' > > When i use the client to get the server info i get this exception: > Exception in thread "main" javax.ws.rs.client.ResponseProcessingException: > javax.ws.rs.ProcessingException: org.codehaus.jackson.map.exc.UnrecognizedPropertyException: > Unrecognized field "access_token" (Class org.keycloak.representations.AccessTokenResponse), > not marked as ignorable > at [Source: org.apache.http.conn.EofSensorInputStream at 68e5eea7; line: 1, > column: 18] (through reference chain: org.keycloak.representations. > AccessTokenResponse["access_token"]) > > Here is my code: > > Keycloak kc = KeycloakBuilder.builder() > .serverUrl("http:///auth") > .realm("master") > .username("admin") > .password("admin") > .clientId("admin-cli") > .resteasyClient( > new ResteasyClientBuilder().connectionPoolSize(10).build() > ).build(); > System.out.println(kc.serverInfo().getInfo()); > > What am i doing wrong? > From thomas.goettlich at it-informatik.de Thu May 18 09:10:20 2017 
From: thomas.goettlich at it-informatik.de (Göttlich, Thomas) Date: Thu, 18 May 2017 13:10:20 +0000 Subject: [keycloak-user] Incorporate Keycloak-Login into react-based SPAs (and ideally cordova-based mobile apps as well) Message-ID:

Hi,

we're currently evaluating Keycloak for our systems that use react-based SPAs as well as servlet/JavaEE-based applications. Additionally we're planning to add cordova-based mobile apps for iOS and Android as well, hence the addition in the title, though how to incorporate Keycloak into our react-based SPAs has priority.

For the servlet-based applications it's working quite well by using KeycloakOIDCFilter. However, there's the question of how we'd add our SPAs to that. As far as I understand it Keycloak doesn't provide an authorization api for good reasons. Thus when a user needs to log in they're redirected to Keycloak's login page and then back to the application. According to our SPA devs that would mean leaving the SPA and restarting it later, potentially losing any already loaded or entered data, especially if the user needs to re-login. As an example think of an email client where the user starts to write an email, gets distracted and after returning to the application the SSO session has timed out and a re-login is required. Losing the email in doing so wouldn't be something our SPA devs would accept.

Hence the question: how would one go about that, i.e. how would one allow the SPA to display the login page without having to reload or restart the SPA itself? I'm no expert here but I'd guess we could use an iframe or browser window (popup/tab/new window) to redirect the user to Keycloak and after successful login we'd redirect the user to a page that tells the browser or SPA that the iframe or window can be closed and the user is now allowed to continue using the SPA. Would that be a viable way to do it? How are you doing it?

Thanks in advance,
Thomas

From stephane.granger at gmail.com Thu May 18 15:03:05 2017
From: stephane.granger at gmail.com (Stephane Granger) Date: Thu, 18 May 2017 15:03:05 -0400 Subject: [keycloak-user] admin cli - manage client authorization settings? Message-ID: Is this supported? I haven't found documentation about this. Basically, I am writing a script to add and configure our clients in keycloak after keycloak installation. I am using admin cli to create the clients and their respective roles. One of my clients is using authorization service. I would like to be able to import a previously exported authorization settings file. Is this possible? Thanks, Stephane From chexxor at gmail.com Thu May 18 15:56:07 2017 
From: chexxor at gmail.com (Alex Berg) Date: Thu, 18 May 2017 14:56:07 -0500 Subject: [keycloak-user] Keycloak-mysql Docker -- 2 issues In-Reply-To: References: Message-ID: I *use* the docker images. I also wish there was a standard working way of doing this. I don't know much about docker networking, so I hope you find an expert in that area to help you. I'm also using keycloak in a docker-compose file for local development. I'll be deploying to a kubernetes cluster, and I found a PR on the docker repo which demonstrates a way to do that, which is very awesome. It's still pretty tricky, though, as the clustering supported by keycloak is w/e wildfly has, and it seems that wildfly's clustering wasn't designed with cloud OSes like kubernetes or docker swarm in mind. On Tue, May 16, 2017 at 9:22 AM, Jonathan D'Andries < jonathandandries at gmail.com> wrote: > Does anyone here work on the Docker images, or is that another list? > > Sorry for reposting, > > > Jonathan > > -- > Jonathan D'Andries > http://www.linkedin.com/in/jonathandandries/ > > On Fri, May 12, 2017 at 2:48 PM, Jonathan D'Andries < > jonathandandries at gmail.com> wrote: > > > Two issues related to running keycloak-mysql:3.0.0.Final and mysql:5.7.18 > > in docker-compose, but that will likely have broader impact in certain > > circumstances: > > > > Issue #1. JBoss doesn't wait for mysql to be available, and it fails to > > create a connection if mysql hasn?t come up yet (no retry). 
This is
> > especially problematic if you are trying to use docker-compose since everything likes to start around the same time:
> >
> > Error:
> >
> > 19:18:03,553 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 50) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
> >
> > Workaround:
> >
> > - Need a custom Dockerfile to override the ENTRYPOINT definition to use a custom docker-entrypoint-waitforit.sh. And note that because we are changing ENTRYPOINT, we also need to redefine CMD.
> >
> > Gist of the Dockerfile:
> >
> > FROM jboss/keycloak-mysql:3.0.0.Final
> > COPY docker-entrypoint-waitforit.sh wait-for-it.sh /
> > ENTRYPOINT ["/docker-entrypoint-waitforit.sh"]
> > CMD ["-b", "0.0.0.0"]
> >
> > Gist of docker-entrypoint-waitforit.sh:
> >
> > #!/bin/bash
> > # block until mysql:3306 accepts connections (up to 60 s), then pass the CMD arguments on to the image's own entrypoint
> > /wait-for-it.sh mysql:3306 -t 60 -- /opt/jboss/docker-entrypoint.sh "$@"
> > exit $?
> >
> > For wait-for-it.sh, see: https://github.com/vishnubob/wait-for-it or see: https://github.com/jwilder/dockerize
> >
> > Docker recommends this approach: https://docs.docker.com/compose/startup-order/
> >
> > Issue #2. When running in docker-compose, JBoss cannot connect to mysql without some extra work. This issue seems to be related to running on the project-specific default network that is set up by docker-compose.
> >
> > Note that you don't have this issue when running independently in docker:
> >
> > docker run --name mysql -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=password -e MYSQL_ROOT_PASSWORD=root_password -d mysql:5.7.18
> > # wait 30 seconds
> > docker run --name keycloak-standalone-test --link mysql:mysql -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e MYSQL_DATABASE=keycloak -e MYSQL_USERNAME=keycloak -e MYSQL_PASSWORD=password -p "8080:8080" jboss/keycloak-mysql:3.0.0.Final
> >
> > Error when running in docker-compose:
> >
> > 19:24:04,072 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 27) WFLYCTL0013: Operation ("add") failed - address: ([
> > ("subsystem" => "datasources"),
> > ("data-source" => "KeycloakDS")
> > ]) - failure description: "WFLYCTL0211: Cannot resolve expression 'jdbc:mysql://${env.MYSQL_PORT_3306_TCP_ADDR}:${env.MYSQL_PORT_3306_TCP_PORT}/${env.MYSQL_DATABASE:keycloak}'"
> >
> > Workarounds:
> >
> > 1. Option-1: In docker-compose.yml for the keycloak service, define these environment variables:
> >
> > - MYSQL_PORT_3306_TCP_ADDR=mysql
> > - MYSQL_PORT_3306_TCP_PORT=3306
> >
> > 2. Option-2: run the keycloak and mysql services on the default "bridge" network. In the keycloak and mysql service definitions:
> >
> > network_mode: bridge
> >
> > Separately:
> >
> > networks:
> >   default:
> >     external:
> >       name: bridge
> >
> > Bottom line question:
> >
> > - Why does JBoss behave differently when trying to connect to mysql on the global "bridge" network (works) vs the project-specific default network (fails)?
> >
> > Jonathan
> >
> > --
> > Jonathan D'Andries
> > http://www.linkedin.com/in/jonathandandries/
> >
>

From cindy.pacheco at payulatam.com Thu May 18 16:05:08 2017
From: cindy.pacheco at payulatam.com (Cindy Margarita Pacheco Alvarez) Date: Thu, 18 May 2017 20:05:08 +0000 Subject: [keycloak-user] Persistent user sessions Message-ID: <7FF05F5F-F067-4251-A7FB-85E4AE942B9D@payulatam.com>

I have a problem with keycloak-2.2.1.Final. When we restart the server, we lose all active sessions. Is it possible to persist the user sessions? What should we do?

From cindy.pacheco at payulatam.com Thu May 18 16:49:38 2017
From: cindy.pacheco at payulatam.com (Cindy Margarita Pacheco Alvarez) Date: Thu, 18 May 2017 20:49:38 +0000 Subject: [keycloak-user] Keycloak cluster configuration Message-ID:

I would like to know what should be the right way to configure keycloak in cluster mode. How should domain.xml look?

Thanks!

From ssilvert at redhat.com Thu May 18 18:20:48 2017
From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 18 May 2017 18:20:48 -0400 Subject: [keycloak-user] Keycloak cluster configuration In-Reply-To: References: Message-ID:

On 5/18/2017 4:49 PM, Cindy Margarita Pacheco Alvarez wrote:
> I would like to know what should be the right way to configure keycloak in cluster mode. How should domain.xml look?

The domain.xml that ships with Keycloak is a good start. But you will need to familiarize yourself with both Keycloak clustering documentation and EAP/WildFly clustering documentation.

>
> Thanks!

From anders.kabell.kristensen at systematic.com Fri May 19 03:13:49 2017
From: anders.kabell.kristensen at systematic.com (Anders KK) Date: Fri, 19 May 2017 00:13:49 -0700 (MST) Subject: [keycloak-user] SAML Assertion signature validation and 3.2.0 release date Message-ID: <1495178029339-3909.post@n6.nabble.com>

Hey guys,

Just wanna let you know that we really need validation of the SAML Assertion signature (rather than the signature of the entire SAML Response). Fortunately, this is taken care of in KEYCLOAK-3056 and will, apparently, be released in version 3.2.0 of keycloak. When do you expect *3.2.0.Final* to be released?

Cheers,
Anders

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-Assertion-signature-validation-and-3-2-0-release-date-tp3909.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From Kiran.Kumar at prepaysolutions.com Fri May 19 03:38:05 2017
From: Kiran.Kumar at prepaysolutions.com (Kiran Kumar) Date: Fri, 19 May 2017 08:38:05 +0100 Subject: [keycloak-user] Issue running Angular 2 JS example using Keycloak Message-ID:

Hi,

The angular 2 example provided in the keycloak demo 3.1.0.Final works fine if the angular app is deployed on the Wildfly server. In this scenario both keycloak and the angular 2 app are running on the default port 8080. But the same doesn't work if the angular 2 app is deployed on a different port, for example port 4200 using the 'ng serve' command. I have updated the settings 'Valid Redirect URIs', 'Base URL' and 'Web Origins' to use port 4200 in the keycloak admin console for the angular 2 app.

The issue is that the first time the application is accessed the login page is presented. After entering the credentials it keeps redirecting in an infinite loop. This issue appears in both Chrome and Firefox. I have raised this question on stack overflow. The link for this is https://stackoverflow.com/questions/44058886/issue-running-angular-2-js-example-using-keycloak

Kind Regards,
Kiran

From mehdi.alishahi at gmail.com Fri May 19 04:36:35 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi) Date: Fri, 19 May 2017 10:36:35 +0200 Subject: [keycloak-user] Problem with npm run build for keycloak-admin-client Message-ID:

Hi, I am facing this problem when I ran `npm run build`:

static/js/main.5fbd0ab6.js from UglifyJs
SyntaxError: Unexpected token: operator (>) [./~/keycloak-admin-client/lib/auth.js:15,0]

From mposolda at redhat.com Fri May 19 05:09:30 2017
From: mposolda at redhat.com (Marek Posolda) Date: Fri, 19 May 2017 11:09:30 +0200 Subject: [keycloak-user] Persistent user sessions In-Reply-To: <7FF05F5F-F067-4251-A7FB-85E4AE942B9D@payulatam.com> References: <7FF05F5F-F067-4251-A7FB-85E4AE942B9D@payulatam.com> Message-ID:

This is not an officially supported/tested option at this moment. We have support for persisting userSessions, but it's used just for "offline" sessions at this moment.

However maybe you can achieve what you want with:
- Using a cluster with more nodes and 2 owners configured in the infinispan distributed caches. That way, if one cluster node dies, the session will still be available as it's backed up on other nodes. Sessions are lost just if all cluster nodes die.
- Configure infinispan with the cacheStore/cacheLoader backed by the database. I think it should work, but we never tested it ourselves.

Feel free to create a JIRA to request this. Or maybe look up if there is not already an existing JIRA and add a vote if there is.

Marek

On 18/05/17 22:05, Cindy Margarita Pacheco Alvarez wrote:
> I have a problem with keycloak-2.2.1.Final. When we restart the server, we lose all active sessions. Is it possible to persist the user sessions? What should we do?

From leo.c at gct.gov.uk Fri May 19 07:27:48 2017
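The first option Marek gives above, as an added illustration rather than a fragment copied from Keycloak's shipped files: the session caches of the "keycloak" cache-container in standalone-ha.xml / domain.xml with owners raised from the default 1 to 2. The three cache names are the ones visible in the rebalance log earlier in this thread; which caches a given Keycloak version defines, and any other attributes on them, should be taken from that version's own file.

```xml
<!-- Added illustration, not a copy of the shipped standalone-ha.xml / domain.xml.
     Cache names as seen in the ISPN000310 rebalance log earlier in this thread. -->
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <transport lock-timeout="60000"/>
    <!-- owners="2": every session entry lives on two nodes, so one node can die
         without logging users out. The caches are still in-memory only: if every
         node stops at once (a full restart), the sessions are gone. -->
    <distributed-cache name="sessions" mode="SYNC" owners="2"/>
    <distributed-cache name="offlineSessions" mode="SYNC" owners="2"/>
    <distributed-cache name="loginFailures" mode="SYNC" owners="2"/>
    <!-- realms, users, keys, work and the other caches stay as shipped -->
</cache-container>
```

With owners="2" a rolling restart (one node at a time, waiting for the ISPN000336 "Finished cluster-wide rebalance" line before taking the next node down) keeps sessions alive; restarting all nodes together does not, which is the single-server case Cindy describes.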
From: leo.c at gct.gov.uk (Leo C) Date: Fri, 19 May 2017 11:27:48 +0000 Subject: [keycloak-user] Fw: Keycloak as stateless broker In-Reply-To: <81F5813F-818C-48B7-932D-1F0E977FBFC0@gct.gov.uk> References: <81F5813F-818C-48B7-932D-1F0E977FBFC0@gct.gov.uk> Message-ID:

Hi,

We would like to use keycloak as an identity broker in such a way that the identities collected from the identity provider are not permanently stored, so as to avoid a build-up of identities stored on the broker.

Ideally, we would like:

* Keycloak, as identity broker, to accept SAML assertions from one of several identity providers
* To use (custom) authentication flows to normalise or transform some of the attributes to create a new UserModel and consequently a new SAML response back to the service provider
* To not bring the UserModel (or any other personal details) to rest in the database, though we would accept storing just the unique ID of the user if we could avoid storing other attributes, whilst still propagating them back to the service provider
* Ideally to make authorisation decisions based on groups or roles during the process, and stop the authentication if those fail

Any ideas on the best way to proceed would be most appreciated.

Leo

(p.s. this email was originally sent to the keycloak-dev list by mistake. apologies)

From mposolda at redhat.com Fri May 19 09:10:33 2017
From: mposolda at redhat.com (Marek Posolda) Date: Fri, 19 May 2017 15:10:33 +0200 Subject: [keycloak-user] Fw: Keycloak as stateless broker In-Reply-To: References: <81F5813F-818C-48B7-932D-1F0E977FBFC0@gct.gov.uk> Message-ID: <0d2ae2c3-1482-e761-6eac-f01692907a5b@redhat.com>

On 19/05/17 13:27, Leo C wrote:
> Hi,
>
> We would like to use keycloak as an identity broker in such a way that the identities collected from the identity provider are not permanently stored, so as to avoid a build-up of identities stored on the broker.
>
> Ideally, we would like:
>
> * Keycloak, as identity broker, to accept SAML assertions from one of several identity providers
> * To use (custom) authentication flows to normalise or transform some of the attributes to create a new UserModel and consequently a new SAML response back to the service provider
> * To not bring the UserModel (or any other personal details) to rest in the database, though we would accept storing just the unique ID of the user if we could avoid storing other attributes, whilst still propagating them back to the service provider
> * Ideally to make authorisation decisions based on groups or roles during the process, and stop the authentication if those fail

There is already a "first broker login" flow. See docs for more details. Maybe the only thing you need is to modify the default flow and replace IdpCreateUserIfUniqueAuthenticator with something else, which will just create the userModel in memory (infinispan) but not in the DB. This should be somehow possible, maybe see also the docs for User Storage for more details. AFAIK we plan to support this option OOTB, but haven't implemented it yet.

Also we have broker mappers, where you can choose what attributes from the SAML assertion should be added to the temporary user and hence will be sent in the SAML Assertion to the SP.

Marek

>
> Any ideas on the best way to proceed would be most appreciated.
>
> Leo
>
> (p.s. this email was originally sent to the keycloak-dev list by mistake.
apologies) > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From john.d.ament at gmail.com Fri May 19 10:06:45 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Fri, 19 May 2017 14:06:45 +0000 Subject: [keycloak-user] Can anyone merge my PR? Message-ID: All, I was wondering if anyone could merge my pending PR? https://github.com/keycloak/keycloak/pull/4066 I think I've got everything covered. John From cindy.pacheco at payulatam.com Fri May 19 11:53:33 2017 
From: cindy.pacheco at payulatam.com (Cindy Margarita Pacheco Alvarez) Date: Fri, 19 May 2017 15:53:33 +0000 Subject: [keycloak-user] Keycloak cluster configuration In-Reply-To: References: Message-ID: <518ABF79-2DB2-4DB7-8542-D0C578B91304@payulatam.com>

Thank you for your quick reply. The thing is that I've been trying to do this for a long time (of course I don't have the expertise). But when I use the configuration that ships with keycloak I get an error when I start the keycloak server (something about java.lang.IllegalStateException: Transaction DummyTransaction and concurrent.TimeoutException: ISPN000299). The way that I solved this problem was changing the domain.xml in the infinispan subsystem. I changed the transaction tag from mode=BATCH to mode=NONE. But when I use this solution my replication fails. I mean I can get the token and everything in this process is okay but I get an error during replication (it is not an error that makes the token generation fail, I could notice it in the log files). I do not know what else to do to solve this problem. Maybe you know a solution or some specific documentation that could help me.

My infinispan configuration is:

Thank you.

On 18/05/17, 5:20 p.m., "Stan Silvert" wrote:

On 5/18/2017 4:49 PM, Cindy Margarita Pacheco Alvarez wrote:
> I would like to know what should be the right way to configure keycloak in cluster mode. How should domain.xml look?

The domain.xml that ships with Keycloak is a good start. But you will need to familiarize yourself with both Keycloak clustering documentation and EAP/WildFly clustering documentation.

>
> Thanks!

From OST1988 at aol.com Fri May 19 12:01:08 2017
From: OST1988 at aol.com (Oliver Steinbrecher) Date: Fri, 19 May 2017 16:01:08 +0000 Subject: [keycloak-user] Keycloak performance and sizing Message-ID:

Hi everyone,

we're going to set up a Keycloak infrastructure to handle identity management for up to 4 million users. In order to handle this amount we'd like to set up a proper infrastructure. The general idea is to create a containerised cluster of Keycloak servers connected to a highly available db2 database. Therefore I'd like to understand what kind of data and amount is persisted in the db. I haven't found any details about sizing a Keycloak infrastructure - I hope you can share some more details with me.

Kind Regards
Oliver

--
Kind regards
Oliver Steinbrecher
Tel.: +49-179-7409836

From etienne.sauriol at scigilian.com Fri May 19 14:40:00 2017
From: etienne.sauriol at scigilian.com (Etienne Sauriol) Date: Fri, 19 May 2017 18:40:00 +0000 Subject: [keycloak-user] Stateless Confidential Client Message-ID:

Hi,

Is it possible to have a stateless confidential client using OpenID and signed JWT? I'm using Keycloak 3.1 and a spring boot app with both the spring boot adapter and the spring security adapter. Everything works fine, but looking at requests to secured endpoints, there is only a JSESSIONID in the cookies. No authorization bearer header or cookies even if I added token-store: cookie in my application.yml. I'm not sure if this is required but when trying to add .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) in my configuration file, weird things happen.

Thanks,
Etienne

From chexxor at gmail.com Fri May 19 19:07:38 2017
From: chexxor at gmail.com (Alex Berg)
Date: Fri, 19 May 2017 18:07:38 -0500
Subject: [keycloak-user] Promoting Realm and Client changes from dev to prod

I found some older threads on the mailing list about this, but I'm not sure I parsed out the proper answer. What is the best way to promote changes to KC realms and clients from dev to prod? I'm using kubernetes for prod and staging, and docker-compose for local development.

I found the export/import [0] functionality, but it can only migrate a changed realm by first deleting the realm in the target database then recreating it. This has the side-effect of deleting all users in that database. The users in the prod realm will always be different than the users in the dev-env realm, so I can't delete the realm. Does this mean I can't use the import/export functionality to promote realm changes?

I also saw mention of some "partial import" functionality, but I can't find docs for it. Would that help here?

I also saw mention of a "config manager", but I can't find any docs for it.

Perhaps the best way to migrate changes is to simply perform them by hand in each KC instance, and not redeploy it.

From elnaz.razmit at gmail.com Fri May 19 23:48:47 2017
From: elnaz.razmit at gmail.com (Elnaz razmi)
Date: Fri, 19 May 2017 20:48:47 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain

Hello, please help me with this problem:

We chose to install domain mode keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines as we can see in the other node's connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From yaldaa.zarrin at gmail.com Fri May 19 23:52:48 2017
From: yaldaa.zarrin at gmail.com (tina zarrin)
Date: Fri, 19 May 2017 20:52:48 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain

We chose to install domain mode keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines as we can see in the other node's connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From john.bartko at drillinginfo.com Fri May 19 23:55:18 2017
From: john.bartko at drillinginfo.com (John Bartko)
Date: Sat, 20 May 2017 03:55:18 +0000
Subject: [keycloak-user] Promoting Realm and Client changes from dev to prod

"Partial import" is now the Realms Admin resource perhaps?

In the admin web console, this is exposed as Select Realm > Add Realm. I am unsure if this endpoint will allow importing secure data like realm private keys while the server is running. I don't think it will allow for merging an import into an existing realm either. Even boot time import/export requires the existing realm be dropped before one of the same name is imported.

I have a similar use case where realm users may be similar but likely fudged/sampled across different landscapes (not necessarily same realm name, though). In v2.x, User Federation Providers can externalize data persistence for user objects to an extent. It looks like v3 can skip storing users in the SQL backend altogether. It'd be slick if a future release allowed for the same to be done with roles and groups!

I haven't found an elegant way for realm data to "bubble up" from dev to prod landscapes. Currently similar API requests are run against every landscape (e.g. creating clients, mappers, roles, etc), be it through automated processes or otherwise, and every data persistence tier and artifact (SQL, LDAP, realm JSON) is backed up/versioned at some interval. The "source of truth" for users is wholly external to the IdM stack and it is somewhat feasible to "replay" user/group/role differentials in a disaster recovery scenario.

Hope that helps,
-John Bartko

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Alex Berg
Sent: Friday, May 19, 2017 6:07:38 PM
To: keycloak-user
Subject: [keycloak-user] Promoting Realm and Client changes from dev to prod

I found some older threads on the mailing list about this, but I'm not sure I parsed out the proper answer. What is the best way to promote changes to KC realms and clients from dev to prod? I'm using kubernetes for prod and staging, and docker-compose for local development.

I found the export/import [0] functionality, but it can only migrate a changed realm by first deleting the realm in the target database then recreating it. This has the side-effect of deleting all users in that database. The users in the prod realm will always be different than the users in the dev-env realm, so I can't delete the realm. Does this mean I can't use the import/export functionality to promote realm changes?

I also saw mention of some "partial import" functionality, but I can't find docs for it. Would that help here?

I also saw mention of a "config manager", but I can't find any docs for it.

Perhaps the best way to migrate changes is to simply perform them by hand in each KC instance, and not redeploy it.

From chexxor at gmail.com Sat May 20 01:27:56 2017
From: chexxor at gmail.com (Alex Berg)
Date: Sat, 20 May 2017 00:27:56 -0500
Subject: [keycloak-user] Promoting Realm and Client changes from dev to prod

Thanks for the perspective! Sounds like a "desired state" tool needs to be written. It would query the current RealmRepresentation, parse the RealmRepresentation from a JSON file in your git repo, diff them, then apply the fixes to the KC instance.

On May 19, 2017 22:55, "John Bartko" wrote:

> "Partial import" is now the Realms Admin resource perhaps?
>
> In the admin web console, this is exposed as Select Realm > Add Realm. I am unsure if this endpoint will allow importing secure data like realm private keys while the server is running. I don't think will allow for merging an import into an existing realm either. Even boot time import/export requires the existing realm be dropped before one of the same name is imported.
>
> I have a similar use case where realm users may be similar but likely fudged/sampled across different landscapes (not necessarily same realm name, though). In v2.x, User Federation Providers can externalize data persistence for user objects to an extent. It looks like v3 can skip storing users in the SQL backend altogether. It'd be slick if a future release allowed for the same to be done with roles and groups!
>
> I haven't found an elegant way for realm data to "bubble up" from dev to prod landscapes. Currently similar API requests are run against every landscape (e.g. creating clients, mappers, roles, etc), be it through automated processes or otherwise and every data persistence tier and artifact (SQL, LDAP, realm JSON) is backed up/versioned at some interval. The "source of truth" for users is wholly external to the IdM stack and it is somewhat feasible to "replay" user/group/role differentials in a disaster recovery scenario.
>
> Hope that helps,
> -John Bartko
>
> ------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Alex Berg <chexxor at gmail.com>
> *Sent:* Friday, May 19, 2017 6:07:38 PM
> *To:* keycloak-user
> *Subject:* [keycloak-user] Promoting Realm and Client changes from dev to prod
>
> I found some older threads on the mailing list about this, but I'm not sure I parsed out the proper answer. What is the best way to promote changes to KC realms and clients from dev to prod? I'm using kubernetes for prod and staging, and docker-compose for local development.
>
> I found the export/import [0] functionality, but it can only migrate a changed realm by first deleting the realm in the target database then recreating it. This has the side-effect of deleting all users in that database. The users in the prod realm will always be different than the users in the dev-env realm, so I can't delete the realm. Does this mean I can't use the import/export functionality to promote realm changes?
>
> I also saw mention of some "partial import" functionality, but I can't find docs for it. Would that help here?
>
> I also saw mention of a "config manager", but I can't find any docs for it.
>
> Perhaps the best way to migrate changes is to simply perform them by hand in each KC instance, and not redeploy it.

From andrius.karpavicius at opencellsoft.com Sat May 20 02:20:03 2017
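The "desired state" tool Alex sketches above, and the per-landscape API replay John describes, as an added example that is not part of this thread or of Keycloak itself: it diffs a RealmRepresentation kept in git against the one fetched from a running server and emits the admin REST requests that would reconcile them, without ever touching users. The exclusion lists, the constructed sample realms and the decision to leave client deletions to a human are assumptions of this example.

```python
from __future__ import annotations

from typing import Any

# Realm-level fields that are environment-specific or must never be promoted.
# "users" is excluded on purpose: the plan never creates, updates or deletes
# users, so prod accounts survive a promotion. (Hypothetical list for this example.)
EXCLUDED_REALM_KEYS = {"id", "clients", "users", "privateKey", "publicKey",
                       "certificate", "codeSecret"}
# Client fields that are assigned per instance and must not be copied from dev.
EXCLUDED_CLIENT_KEYS = {"id", "secret", "registrationAccessToken"}


def _strip(obj: dict[str, Any], excluded: set[str]) -> dict[str, Any]:
    """Return a copy of obj without the excluded keys."""
    return {k: v for k, v in obj.items() if k not in excluded}


def plan_realm_promotion(desired: dict[str, Any], current: dict[str, Any]) -> dict[str, Any]:
    """Diff the desired RealmRepresentation (from git) against the current one
    (from the server) and return a plan: realm attribute changes plus clients to
    create, update or delete. Only keys present in `desired` are compared, so
    settings the repo does not mention are left alone on the server."""
    plan: dict[str, Any] = {"realm": {}, "clients": {"create": [], "update": [], "delete": []}}

    want_realm = _strip(desired, EXCLUDED_REALM_KEYS)
    have_realm = _strip(current, EXCLUDED_REALM_KEYS)
    for key, value in want_realm.items():
        if have_realm.get(key) != value:
            plan["realm"][key] = value

    want_clients = {c["clientId"]: c for c in desired.get("clients", [])}
    have_clients = {c["clientId"]: c for c in current.get("clients", [])}
    for client_id, spec in want_clients.items():
        wanted = _strip(spec, EXCLUDED_CLIENT_KEYS)
        if client_id not in have_clients:
            plan["clients"]["create"].append(wanted)
            continue
        existing = have_clients[client_id]
        changes = {k: v for k, v in wanted.items() if existing.get(k) != v}
        if changes:
            # The server-side internal id addresses the client in the REST path; the
            # representation sent back is the current one with the changes applied,
            # so the prod secret is kept rather than overwritten with dev's.
            plan["clients"]["update"].append({
                "id": existing["id"],
                "clientId": client_id,
                "changes": changes,
                "representation": {**existing, **changes},
            })
    for client_id, existing in have_clients.items():
        if client_id not in want_clients:
            plan["clients"]["delete"].append({"id": existing["id"], "clientId": client_id})
    return plan


def to_admin_requests(plan: dict[str, Any], realm: str) -> list[tuple[str, str, dict[str, Any]]]:
    """Turn a plan into (method, path, body) tuples for the Keycloak admin REST API.
    Deletions stay in the plan for review but are deliberately not emitted as
    requests: removing a client from prod should be an explicit human decision."""
    base = f"/admin/realms/{realm}"
    requests: list[tuple[str, str, dict[str, Any]]] = []
    if plan["realm"]:
        requests.append(("PUT", base, plan["realm"]))
    for client in plan["clients"]["create"]:
        requests.append(("POST", f"{base}/clients", client))
    for update in plan["clients"]["update"]:
        requests.append(("PUT", f"{base}/clients/{update['id']}", update["representation"]))
    return requests


# Constructed sample input (not real exports): the repo's realm file and what the
# prod server currently holds. Prod has users and a client that dev does not know.
DESIRED_REALM: dict[str, Any] = {
    "realm": "demo", "sslRequired": "external", "accessTokenLifespan": 300,
    "clients": [
        {"clientId": "app-frontend", "publicClient": True,
         "redirectUris": ["https://app.example/*"]},
        {"clientId": "app-api", "bearerOnly": True},
    ],
}
CURRENT_REALM: dict[str, Any] = {
    "id": "realm-uuid-constructed", "realm": "demo", "sslRequired": "external",
    "accessTokenLifespan": 60,
    "users": [{"username": "alice"}],
    "clients": [
        {"id": "c1-constructed", "clientId": "app-frontend", "publicClient": True,
         "secret": "prod-secret-constructed",
         "redirectUris": ["https://app.example/*", "http://localhost:3000/*"]},
        {"id": "c2-constructed", "clientId": "legacy-portal", "publicClient": False},
    ],
}

if __name__ == "__main__":
    import json
    promotion = plan_realm_promotion(DESIRED_REALM, CURRENT_REALM)
    print(json.dumps(promotion, indent=2))
    for method, path, body in to_admin_requests(promotion, "demo"):
        print(method, path, json.dumps(body))
```

Running the plan against the same representation twice yields an empty plan, which is the idempotence check worth keeping in a pipeline before the requests are sent with an admin token.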
From: andrius.karpavicius at opencellsoft.com (Andrius Karpavičius)
Date: Sat, 20 May 2017 03:20:03 -0300
Subject: [keycloak-user] Any way to modify redirect_uri parameter when redirecting to login page?

Hi,

I have a JSF application on Wildfly that uses the Keycloak-wildfly adapter. If I try to go to page A and the user is not authenticated, the user is redirected to keycloak and after login I am taken back to page A. The problem is if page A happens to be an expired JSF conversation bound page (the page url contains "cid", the conversation id parameter). So after login I see a "session expired" page instead of an index page, as the user might expect.

So the question: is there any way in keycloak to modify the "redirect_uri" value, either with an authentication flow or some SPI authenticator extension, action, etc.? A simple rule is "if redirect_uri contains the 'cid' parameter, then use the index page". Maybe something configurable in the keycloak-wildfly adapter?

Thanks,
Andrius Karpavicius

From tjackman at redhat.com Sat May 20 03:47:44 2017
From: tjackman at redhat.com (Tom Jackman)
Date: Sat, 20 May 2017 08:47:44 +0100
Subject: [keycloak-user] Issue running Angular 2 JS example using Keycloak

Hi,

I am also seeing this issue with Angular and the Ionic Framework. Anyone with ideas on how to fix this would be greatly appreciated.

Thanks.
Tom.

On 19 May 2017 10:03 am, "Kiran Kumar" wrote:

Hi,

The angular 2 example provided in the keycloak demo 3.1.0.Final works fine if the angular app is deployed on the Wildfly server. In this scenario both keycloak and the angular 2 app are running on the default port 8080. But the same doesn't work if the angular 2 app is deployed on a different port, for example port 4200 using the 'ng serve' command. I have updated the settings 'Valid Redirect URIs', 'Base URL' and 'Web Origins' to use port 4200 in the keycloak admin console for the angular 2 app. The issue is that the first time on accessing the application the login page is presented. After entering the credentials it keeps redirecting in an infinite loop. This issue appears in both the Chrome and Firefox browsers. I have raised this question on stack overflow. The link for this is https://stackoverflow.com/questions/44058886/issue-running-angular-2-js-example-using-keycloak

Kind Regards,
Kiran

From thomas.skjolberg at gmail.com Sat May 20 10:15:33 2017
From: thomas.skjolberg at gmail.com (skjolber)
Date: Sat, 20 May 2017 07:15:33 -0700 (MST)
Subject: [keycloak-user] SAML Assertion signature validation and 3.2.0 release date
In-Reply-To: <1495178029339-3909.post@n6.nabble.com>
References: <1495178029339-3909.post@n6.nabble.com>
Message-ID: <1495289733685-3924.post@n6.nabble.com>

Hi,

I've added some adjustments for that issue, https://github.com/keycloak/keycloak/pull/4118

If possible, try it out on your end.

Best regards,
Thomas

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-Assertion-signature-validation-and-3-2-0-release-date-tp3909p3924.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From hasebullah.ansari at syntlogo.de Sun May 21 07:50:23 2017
From: hasebullah.ansari at syntlogo.de (ansarihaseb)
Date: Sun, 21 May 2017 04:50:23 -0700 (MST)
Subject: [keycloak-user] NullPointerException while adding userFederationMappers
In-Reply-To: <5b62a7e6-9c54-a0d4-5843-cb735df4380c@redhat.com>
References: <5b62a7e6-9c54-a0d4-5843-cb735df4380c@redhat.com>
Message-ID: <1495367423206-3925.post@n6.nabble.com>

I am trying with Keycloak 3.0.0... still not working. Also in the documentation of Keycloak the REST API for creating user federation is missing. Can you have an update on that?

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-NullPointerException-while-adding-userFederationMappers-tp3575p3925.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From hans.zandbelt at zmartzone.eu Sun May 21 10:18:50 2017
From: hans.zandbelt at zmartzone.eu (Hans Zandbelt)
Date: Sun, 21 May 2017 07:18:50 -0700 (MST)
Subject: [keycloak-user] patch for mod_auth_openidc apache module for keycloak oauth
Message-ID: <1495376330317-3929.post@n6.nabble.com>

As a matter of fact this patch is not needed for that. You can just set `OIDCOAuthClientID` and `OIDCOAuthClientSecret` to the same values as `OIDCClientID` and `OIDCClientSecret` since for Keycloak token introspection they happen to be one and the same.

Hans.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-patch-for-mod-auth-openidc-apache-module-for-keycloak-oauth-tp3875p3929.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From oop12000 at gmail.com Sun May 21 11:49:16 2017
From: oop12000 at gmail.com (c p)
Date: Sun, 21 May 2017 23:49:16 +0800
Subject: [keycloak-user] patch for mod_auth_openidc apache module for keycloak oauth
In-Reply-To: <1495376330317-3929.post@n6.nabble.com>
References: <1495376330317-3929.post@n6.nabble.com>

Thanks for pointing that out :)

Regards,
Steven

On 21 May 2017 22:21, "Hans Zandbelt" wrote:

As a matter of fact this patch is not needed for that. You can just set `OIDCOAuthClientID` and `OIDCOAuthClientSecret` to the same values as `OIDCClientID` and `OIDCClientSecret` since for Keycloak token introspection they happen to be one and the same.

Hans.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-patch-for-mod-auth-openidc-apache-module-for-keycloak-oauth-tp3875p3929.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From hasebullah.ansari at syntlogo.de Sun May 21 15:42:24 2017
From: hasebullah.ansari at syntlogo.de (ansarihaseb)
Date: Sun, 21 May 2017 12:42:24 -0700 (MST)
Subject: [keycloak-user] REST API for creating user federation not working - Keycloak 2.5.5.Final
Message-ID: <1495395744799-3931.post@n6.nabble.com>

I am trying to do a POST request on the following URI:
/auth/admin/realms//user-federation/instances

But I always get that the resource has not been found in my log. Also I cannot find any documentation regarding a REST API for creating a user federation in this link
http://www.keycloak.org/docs-api/3.1/rest-api/index.html#_identity_providers_resource

Can anyone please help out in this?

Regards,
Haseb

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/REST-API-for-creating-user-federation-not-working-Keycloak-2-5-5-Final-tp3931.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From bruno at abstractj.org Sun May 21 18:05:07 2017
From: bruno at abstractj.org (Bruno Oliveira)
Date: Sun, 21 May 2017 22:05:07 +0000
Subject: [keycloak-user] Problem with npm run build for keycloak-admin-client

We do not support this module. Please contact the author.

On Fri, May 19, 2017, 6:22 AM Mehdi Sheikhalishahi wrote:

> Hi
>
> I am facing this problem when I ran `npm run build`
>
> static/js/main.5fbd0ab6.js from UglifyJs
> SyntaxError: Unexpected token: operator (>)
> [./~/keycloak-admin-client/lib/auth.js:15,0]

From bburke at redhat.com Sun May 21 19:29:05 2017
From: bburke at redhat.com (Bill Burke) Date: Sun, 21 May 2017 19:29:05 -0400 Subject: [keycloak-user] REST API for creating user federation not working - Keycloak 2.5.5.Final In-Reply-To: <1495395744799-3931.post@n6.nabble.com> References: <1495395744799-3931.post@n6.nabble.com> Message-ID: https://keycloak.gitbooks.io/documentation/server_development/topics/user-storage.html On 5/21/17 3:42 PM, ansarihaseb wrote: > I am trying to do a post request on the following URI: > /auth/admin/realms//user-federation/instances > > But I always get that the resource has not been found in my log. Also I > cannot find a documentation regarding a REST API for creating a user > federation in this link > http://www.keycloak.org/docs-api/3.1/rest-api/index.html#_identity_providers_resource > > Can anyone please help out in this ? > > Regards, > Haseb > > > > -- > View this message in context: http://keycloak-user.88327.x6.nabble.com/REST-API-for-creating-user-federation-not-working-Keycloak-2-5-5-Final-tp3931.html > Sent from the keycloak-user mailing list archive at Nabble.com. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Sun May 21 19:29:21 2017 
From: bburke at redhat.com (Bill Burke) Date: Sun, 21 May 2017 19:29:21 -0400 Subject: [keycloak-user] NullPointerException while adding userFederationMappers In-Reply-To: <1495367423206-3925.post@n6.nabble.com> References: <5b62a7e6-9c54-a0d4-5843-cb735df4380c@redhat.com> <1495367423206-3925.post@n6.nabble.com> Message-ID: <0f353844-b14b-20be-4fc5-8b05ef65f1db@redhat.com> https://keycloak.gitbooks.io/documentation/server_development/topics/user-storage.html On 5/21/17 7:50 AM, ansarihaseb wrote: > I am trying with Keycloak 3.0.0......still not working. Also in documentation > of Keycloak the REST API for creating user federation is missing. Can you > have an update on that ? > > > > -- > View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-NullPointerException-while-adding-userFederationMappers-tp3575p3925.html > Sent from the keycloak-user mailing list archive at Nabble.com. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From elnaz.razmit at gmail.com Sun May 21 23:51:39 2017 
From: elnaz.razmit at gmail.com (Elnaz razmi)
Date: Sun, 21 May 2017 20:51:39 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain

Hello, please help me with this problem:

We chose to install domain mode Keycloak in our company. We have a load balancer and three slave nodes. It works properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered, but it doesn't show these lines as we can see in the other node's connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From peter at realityforge.org Mon May 22 02:14:07 2017
From: peter at realityforge.org (Peter Donald)
Date: Mon, 22 May 2017 16:14:07 +1000
Subject: [keycloak-user] Jaxrs Client Example?

Hi,

This is a really dumb question and I have tried to google+RTFM but still can't seem to find the answer.

I am looking for a simple example where I can use a jaxrs client to access a service protected by keycloak. I have only really found references to admin-client which seems to be more about admin of keycloak and the JaxrsBearerTokenFilterImpl which seems like it may work but can't find an example where it is used or how I would go about it.

Preferably I would like to do a .register( X ) when creating the jaxrs client and have it handled automagically by a filter. I don't have resteasy available atm if that makes a difference.

Any hints on where to figure this out?

--
Cheers,

Peter Donald

From mehdi.alishahi at gmail.com Mon May 22 03:27:14 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Mon, 22 May 2017 09:27:14 +0200
Subject: [keycloak-user] Create and Update User Attributes Without Admin-Client in Javascript

Hi

Is there an elegant way to create and update user attributes without admin-client in Javascript? There is keycloak-admin-client for that, but I prefer other cleaner and up-to-date methods.

Thanks.

From pablomoneylesh at gmail.com Mon May 22 05:19:56 2017
From: pablomoneylesh at gmail.com (Pavel Bezdienezhnykh)
Date: Mon, 22 May 2017 11:19:56 +0200
Subject: [keycloak-user] Is there any way to bind Admin console web UI to different port?

Hi all.

I'm new to Keycloak, and trying to deploy it in a docker container. Everything works fine, but I want to hide the admin console from access via the internet (allow access only from the internal company network).

So, the question is - can I bind the admin console web UI to a different port, not the same as the regular port for auth requests, or maybe there is another solution to make it unavailable from the internet?

Best regards,
Pavel

From DBoutin at voyages-sncf.com Mon May 22 05:33:50 2017
From: DBoutin at voyages-sncf.com (Boutin Damien)
Date: Mon, 22 May 2017 09:33:50 +0000
Subject: [keycloak-user] Passing login_hint up to Identity Provider
In-Reply-To: <3bdc01a47d614ae58ae2c5254ec8ceab@EREP.groupevsc.com>
References: <3bdc01a47d614ae58ae2c5254ec8ceab@EREP.groupevsc.com>
Message-ID: <729828665a0e463c819948e253343213@EREP.groupevsc.com>

Hello Stian,

Is it ok for you if we follow what I have explained below?

-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Boutin Damien
Sent: Monday, 15 May 2017 11:40
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Passing login_hint up to Identity Provider

Hello,

For information I have created a feature request regarding this request.
https://issues.jboss.org/browse/KEYCLOAK-4900

We will start implementing this soon and keep you updated.

Regards,
Damien

-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Boutin Damien
Sent: Friday, 5 May 2017 15:00
To: keycloak-user at lists.jboss.org
Cc: Garesse Thomas
Subject: [keycloak-user] Passing login_hint up to Identity Provider

Hello,

We are using keycloak to authenticate our users, using both user federation and identity provider features.

Concerning the identity provider, we encountered an issue regarding the redirection to the authorized endpoint of our partner. The "login_hint" parameter is not forwarded to the targeted provider.

A thread was opened several months ago regarding this subject but we haven't seen any feature request related to it.
http://lists.jboss.org/pipermail/keycloak-dev/2016-December/008595.html

Is it ok if we create a jira ticket for this feature request and provide you with a pull request?

Thanks in advance
Regards,
Damien BOUTIN

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Mon May 22 05:38:31 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 22 May 2017 11:38:31 +0200
Subject: [keycloak-user] Passing login_hint up to Identity Provider
In-Reply-To: <729828665a0e463c819948e253343213@EREP.groupevsc.com>
References: <3bdc01a47d614ae58ae2c5254ec8ceab@EREP.groupevsc.com> <729828665a0e463c819948e253343213@EREP.groupevsc.com>

+1 Adding login_hint would be good

On 22 May 2017 at 11:33, Boutin Damien wrote:
> Hello Stian,
>
> Is it ok for you if we follow what I have explained below?
>
> -----Original message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Boutin Damien
> Sent: Monday, 15 May 2017 11:40
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Passing login_hint up to Identity Provider
>
> Hello,
>
> For information I have created a feature request regarding this request.
> https://issues.jboss.org/browse/KEYCLOAK-4900
>
> We will start implementing this soon and keep you updated.
>
> Regards,
> Damien
>
> -----Original message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Boutin Damien
> Sent: Friday, 5 May 2017 15:00
> To: keycloak-user at lists.jboss.org
> Cc: Garesse Thomas <TGaresse at voyages-sncf.com>
> Subject: [keycloak-user] Passing login_hint up to Identity Provider
>
> Hello,
>
> We are using keycloak to authenticate our users, using both user federation and identity provider features.
>
> Concerning the identity provider, we encountered an issue regarding the redirection to the authorized endpoint of our partner.
> The "login_hint" parameter is not forwarded to the targeted provider.
>
> A thread was opened several months ago regarding this subject but we haven't seen any feature request related to it.
> http://lists.jboss.org/pipermail/keycloak-dev/2016-December/008595.html
>
> Is it ok if we create a jira ticket for this feature request and provide you with a pull request?
>
> Thanks in advance
> Regards,
> Damien BOUTIN
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Mon May 22 05:39:08 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 22 May 2017 11:39:08 +0200
Subject: [keycloak-user] Is there any way to bind Admin console web UI to different port?

No, afraid not. There's a long outstanding issue for this: https://issues.jboss.org/browse/KEYCLOAK-2944

On 22 May 2017 at 11:19, Pavel Bezdienezhnykh wrote:
> Hi all.
>
> I'm new to Keycloak, and trying to deploy it in a docker container.
> Everything works fine, but I want to hide the admin console from access via
> the internet (allow access only from the internal company network).
>
> So, the question is - can I bind the admin console web UI to a different port,
> not the same as the regular port for auth requests, or maybe there is another
> solution to make it unavailable from the internet?
>
> Best regards,
> Pavel
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pulgupta at redhat.com Mon May 22 07:28:31 2017
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Mon, 22 May 2017 16:58:31 +0530
Subject: [keycloak-user] Debug Keycloak SAML adapter for an issue

Hi All,

I am getting an error for one of my SAML enabled applications in one of our environments.

"Request URI does not match SAML request destination"

It seems to be an issue with the reverse proxy but I want to debug it to find some more information about it. I checked the class "AbstractSamlAuthenticationHandler" and can see that there is no good debug logging coded. Can you please guide me how I can gather some more information about the issue at hand.

--
PULKIT GUPTA
SENIOR SOFTWARE APPLICATIONS ENGINEER
Red Hat IN IT GBD
Pune - India
pulgupta at redhat.com T: +91-2066817536
IM: pulgupta

From thomas.darimont at googlemail.com Mon May 22 08:13:52 2017
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 22 May 2017 14:13:52 +0200
Subject: [keycloak-user] Jaxrs Client Example?

Hello Peter,

have a look at the example below. The following example obtains an access token from the /token endpoint and uses it to call the /userinfo endpoint with the access token in the Authorization header. In real Keycloak integrations one would use the access token which is maintained by the Keycloak adapter via the KeycloakSecurityContext.

HTH.

Cheers,
Thomas

    import javax.ws.rs.client.Client;
    import javax.ws.rs.client.ClientBuilder;
    import javax.ws.rs.client.ClientRequestContext;
    import javax.ws.rs.client.ClientRequestFilter;
    import javax.ws.rs.client.Entity;
    import javax.ws.rs.client.WebTarget;
    import javax.ws.rs.core.Form;
    import javax.ws.rs.core.MediaType;
    import javax.ws.rs.core.Response;
    import javax.ws.rs.core.UriBuilder;
    import java.io.IOException;
    import java.util.Map;
    import java.util.concurrent.Future;
    import java.util.function.Supplier;

    public class JaxRsKeycloakClientExample {

        public static void main(String[] args) throws Exception {

            String realmName = "token-test";
            String tokenPath = "/protocol/openid-connect/token";
            String userInfoPath = "/protocol/openid-connect/userinfo";

            String authServerBaseUrl = "http://localhost:8081/auth/realms";

            /* Dummy accessToken provider - in real Keycloak integrations you'd extract the current AccessToken
             * from the KeycloakSecurityContext which is accessible via:
             *   httpServletRequest.getAttribute(KeycloakSecurityContext.class.getName());
             * or
             *   httpServletRequest.getSession().getAttribute(KeycloakSecurityContext.class.getName());
             *
             * then do KeycloakSecurityContext#getTokenString()
             */
            Supplier<String> accessTokenProvider = () -> {

                Client keycloakClient = ClientBuilder.newBuilder().build();
                try {
                    WebTarget tokenTarget = keycloakClient.target(
                            UriBuilder.fromUri(authServerBaseUrl).path(realmName).path(tokenPath).build());

                    // Resource Owner Password Credentials grant against the public "admin-cli" client
                    Form getTokenForm = new Form()
                            .param("client_id", "admin-cli")
                            .param("client_secret", "")
                            .param("username", "tester")
                            .param("password", "test")
                            .param("grant_type", "password");

                    // Token endpoint takes a form-encoded body and answers with JSON
                    Future<Map> tokenResponse = tokenTarget.request(MediaType.APPLICATION_JSON_TYPE)
                            .buildPost(Entity.form(getTokenForm))
                            .submit(Map.class);

                    Map<?, ?> map = tokenResponse.get();
                    return String.valueOf(map.get("access_token"));
                } catch (Exception e) {
                    throw new RuntimeException(e);
                } finally {
                    keycloakClient.close();
                }
            };

            Client client = ClientBuilder.newBuilder().build();
            // Every request made through this client gets the Bearer header added by the filter
            client.register(new KeycloakAuthRequestFilter(accessTokenProvider));

            // Call UserInfo endpoint with AccessToken in Authorization Header
            WebTarget target = client.target(
                    UriBuilder.fromUri(authServerBaseUrl).path(realmName).path(userInfoPath).build());
            Response response = target.request().accept(MediaType.APPLICATION_JSON_TYPE).get();

            if (response.getStatus() != 200) {
                throw new IllegalStateException("userinfo call failed with HTTP " + response.getStatus());
            }
            System.out.println(response.readEntity(Map.class));
            client.close();
        }

        /** ClientRequestFilter that injects "Authorization: Bearer <token>" into each outgoing request. */
        public static class KeycloakAuthRequestFilter implements ClientRequestFilter {

            private final Supplier<String> accessTokenProvider;

            public KeycloakAuthRequestFilter(Supplier<String> accessTokenProvider) {
                this.accessTokenProvider = accessTokenProvider;
            }

            @Override
            public void filter(ClientRequestContext requestContext) throws IOException {
                requestContext.getHeaders().putSingle("Authorization", "Bearer " + accessTokenProvider.get());
            }
        }
    }

2017-05-22 8:14 GMT+02:00 Peter Donald :
> Hi,
>
> This is a really dumb question and I have tried to google+RTFM but
> still can't seem to find the answer.
>
> I am looking for a simple example where I can use a jaxrs client to
> access a service protected by keycloak. I have only really found
> references to admin-client which seems to be more about admin of
> keycloak and the JaxrsBearerTokenFilterImpl which seems like it may
> work but can't find an example where it is used or how I would go
> about it.
>
> Preferably I would like to do a .register( X ) when creating the jaxrs
> client and have it handled automagically by a filter. I don't have
> resteasy available atm if that makes a difference.
>
> Any hints on where to figure this out?
>
> --
> Cheers,
>
> Peter Donald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hmlnarik at redhat.com Mon May 22 08:17:51 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 22 May 2017 14:17:51 +0200
Subject: [keycloak-user] Debug Keycloak SAML adapter for an issue

You can enable TRACE logging on the org.keycloak.saml package to see the whole parsed / generated SAML documents (together with lots of other stuff). On WildFly/EAP you can use the following jboss-cli.sh command:

    /subsystem=logging/logger=org.keycloak.saml:add(level=TRACE)

You can also capture the requests at the client or the reverse proxy and decode SAML requests/responses manually.

--Hynek

On Mon, May 22, 2017 at 1:28 PM, Pulkit Gupta wrote:
> Hi All,
>
> I am getting an error for one of my SAML enabled applications in one of our
> environments.
>
> "Request URI does not match SAML request destination"
>
> It seems to be an issue with the reverse proxy but I want to debug it to
> find some more information about it. I checked the class
> "AbstractSamlAuthenticationHandler" and can see that there is no good
> debug logging coded. Can you please guide me how I can gather some more
> information about the issue at hand.
>
> --
> PULKIT GUPTA
> SENIOR SOFTWARE APPLICATIONS ENGINEER
> Red Hat IN IT GBD
> Pune - India
> pulgupta at redhat.com T: +91-2066817536
> IM: pulgupta
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
--Hynek

From bburke at redhat.com Mon May 22 09:38:16 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 22 May 2017 09:38:16 -0400
Subject: [keycloak-user] Is there any way to bind Admin console web UI to different port?
Message-ID: <1e607fd8-8a36-a71e-a544-b4f0c4a185e2@redhat.com>

Couldn't you just block the console (and REST API) URLs in your load balancer/proxy on the public network, but make them available on the private one?

On 5/22/17 5:19 AM, Pavel Bezdienezhnykh wrote:
> Hi all.
>
> I'm new to Keycloak, and trying to deploy it in a docker container.
> Everything works fine, but I want to hide the admin console from access via
> the internet (allow access only from the internal company network).
>
> So, the question is - can I bind the admin console web UI to a different port,
> not the same as the regular port for auth requests, or maybe there is another
> solution to make it unavailable from the internet?
>
> Best regards,
> Pavel
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pulgupta at redhat.com Mon May 22 10:28:23 2017
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Mon, 22 May 2017 19:58:23 +0530
Subject: [keycloak-user] Debug Keycloak SAML adapter for an issue

Thanks Hynek, however it didn't solve my issue. The method in question is

    protected AuthOutcome handleSamlResponse(String samlResponse, String relayState, OnSessionCreated onCreateSession) {
        SAMLDocumentHolder holder = null;
        boolean postBinding = false;
        String requestUri = facade.getRequest().getURI();
        if (facade.getRequest().getMethod().equalsIgnoreCase("GET")) {
            int index = requestUri.indexOf('?');
            if (index > -1) {
                requestUri = requestUri.substring(0, index);
            }
            holder = extractRedirectBindingResponse(samlResponse);
        } else {
            postBinding = true;
            holder = extractPostBindingResponse(samlResponse);
        }
        final StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
        // validate destination
        if (!requestUri.equals(statusResponse.getDestination())) {
            log.error("Request URI does not match SAML request destination");
            return AuthOutcome.FAILED;
        }

What I am trying to find out is what the values of requestUri and statusResponse.getDestination() are, so that I can then check my redirect rules effectively.

Regards,
Pulkit

On Mon, May 22, 2017 at 5:47 PM, Hynek Mlnarik wrote:
> You can enable TRACE logging on the org.keycloak.saml package to see the
> whole parsed / generated SAML documents (together with lots of other
> stuff). On WildFly/EAP you can use the following jboss-cli.sh command:
>
> /subsystem=logging/logger=org.keycloak.saml:add(level=TRACE)
>
> You can also capture the requests at the client or the reverse proxy
> and decode SAML requests/responses manually.
>
> --Hynek
>
> On Mon, May 22, 2017 at 1:28 PM, Pulkit Gupta wrote:
> > Hi All,
> >
> > I am getting an error for one of my SAML enabled applications in one of
> > our environments.
> >
> > "Request URI does not match SAML request destination"
> >
> > It seems to be an issue with the reverse proxy but I want to debug it to
> > find some more information about it. I checked the class
> > "AbstractSamlAuthenticationHandler" and can see that there is no good
> > debug logging coded. Can you please guide me how I can gather some more
> > information about the issue at hand.
> >
> > --
> > PULKIT GUPTA
> > SENIOR SOFTWARE APPLICATIONS ENGINEER
> > Red Hat IN IT GBD
> > Pune - India
> > pulgupta at redhat.com T: +91-2066817536
> > IM: pulgupta
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> --Hynek

--
PULKIT GUPTA
SENIOR SOFTWARE APPLICATIONS ENGINEER
Red Hat IN IT GBD
Pune - India
pulgupta at redhat.com T: +91-2066817536
IM: pulgupta

From jdennis at redhat.com Mon May 22 11:06:04 2017
From: jdennis at redhat.com (John Dennis)
Date: Mon, 22 May 2017 11:06:04 -0400
Subject: [keycloak-user] Debug Keycloak SAML adapter for an issue

On 05/22/2017 07:28 AM, Pulkit Gupta wrote:
> Hi All,
>
> I am getting an error for one of my SAML enabled applications in one of our
> environments.
>
> "Request URI does not match SAML request destination"
>
> It seems to be an issue with the reverse proxy but I want to debug it to
> find some more information about it. I checked the class
> "AbstractSamlAuthenticationHandler" and can see that there is no good
> debug logging coded. Can you please guide me how I can gather some more
> information about the issue at hand.

When behind a proxy, load balancer or SSL terminator an invalid destination error is usually caused by the web server not properly identifying itself. For services hosted by Apache this can be fixed by utilizing the ServerName and UseCanonicalName directives in the VirtualHost section. The ServerName *must* be fully qualified with the *scheme*, host, and *port*, not just the host. See this section of Red Hat documentation on configuring Apache SAML SPs as clients of Keycloak:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/federate_with_identity_service/#serverhost-name

The easiest way to debug these issues is to read the SAML messages. Since typically most people use SAML for WebSSO the browser has access to both the request and response SAML messages. Each of the major browsers has plugins to display the SAML messages. With Firefox use SAMLTracer, Chrome has at least 3 different SAML plugins. Just make sure SAML encryption is turned off, the plugins cannot decrypt.

You'll want to examine the URLs in both the request and response and make sure they line up. If they don't it should be obvious who is not sending the expected URL.

--
John
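Pulkit's question (what requestUri and statusResponse.getDestination() actually hold) and John's answer (the scheme, host and port must line up) can both be checked offline. The script below is an added example written for this page, not Keycloak adapter code: it decodes a POST-binding SAMLResponse, pulls out its Destination attribute and applies the same string equality the quoted handleSamlResponse() excerpt applies, including the query-string strip that only the GET (redirect) binding gets. The samlp:Response it decodes is constructed here and carries no signature or assertion, the hostnames are placeholders, and the X-Forwarded-Proto / X-Forwarded-Host headers are an assumption about what the reverse proxy sends.

```python
"""Offline reproduction of the Keycloak SAML adapter's Destination check.

Added example for this thread, not Keycloak adapter code. It mirrors what the
handleSamlResponse() excerpt quoted above does: take the URI the adapter saw,
strip the query string for a GET (redirect binding), and require it to equal
the Destination attribute of the decoded SAMLResponse. Two extra helpers show
which URL components differ and rebuild the external URI from X-Forwarded-*
headers (an assumption about what the reverse proxy sends).

The <samlp:Response> below is constructed for this example and carries no
signature or assertion; all hostnames are placeholders.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed, minimal response as the IdP would POST it in the SAMLResponse form field.
_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
    'IssueInstant="2017-05-22T10:00:00Z" '
    'Destination="https://app.example.com/sales/saml"/>' % SAMLP_NS
)
SAML_RESPONSE_B64 = base64.b64encode(_RESPONSE_XML.encode()).decode()


def destination_of(saml_response_b64):
    """Decode a POST-binding SAMLResponse value and return its Destination attribute."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    return root.get("Destination")


def adapter_request_uri(request_uri, method):
    """Same normalisation as the adapter: only the GET (redirect) binding drops the query string."""
    if method.upper() == "GET":
        request_uri = request_uri.split("?", 1)[0]
    return request_uri


def destination_matches(request_uri, method, saml_response_b64):
    """The plain string equality behind "Request URI does not match SAML request destination"."""
    return adapter_request_uri(request_uri, method) == destination_of(saml_response_b64)


def diff_components(request_uri, destination):
    """Return {component: (seen, expected)} for scheme, host, port and path that differ."""
    a, b = urlsplit(request_uri), urlsplit(destination)
    pairs = {
        "scheme": (a.scheme, b.scheme),
        "host": (a.hostname, b.hostname),
        "port": (a.port, b.port),
        "path": (a.path, b.path),
    }
    return {name: pair for name, pair in pairs.items() if pair[0] != pair[1]}


def external_uri(internal_uri, headers):
    """Rebuild the URI the browser used from X-Forwarded-Proto/Host (assumed proxy headers).

    This is what the adapter must see for the check to pass; if the proxy does
    not send these headers, or the app server is not told to trust them, the
    adapter keeps comparing its internal scheme/host/port against Destination.
    """
    parts = urlsplit(internal_uri)
    scheme = headers.get("X-Forwarded-Proto", parts.scheme)
    netloc = headers.get("X-Forwarded-Host", parts.netloc)
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    seen = "http://app-backend:8080/sales/saml"  # what a backend behind a TLS-terminating proxy sees
    dest = destination_of(SAML_RESPONSE_B64)
    print("Destination       :", dest)
    print("adapter requestUri:", seen, "-> match:", destination_matches(seen, "POST", SAML_RESPONSE_B64))
    print("differs in        :", diff_components(seen, dest))
    fixed = external_uri(seen, {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "app.example.com"})
    print("with proxy headers:", fixed, "-> match:", destination_matches(fixed, "POST", SAML_RESPONSE_B64))
```

Run as a script, the first comparison fails for the reason John describes: the backend sees http://app-backend:8080/... while the IdP wrote the external https URL into Destination, and diff_components() names the scheme, host and port as the parts that disagree. The second comparison passes once the external scheme and host are restored, which is what a fully qualified ServerName with UseCanonicalName on Apache, or the equivalent proxy-header trust setting on the application server, achieves for the real adapter. Paste a real SAMLResponse value into destination_of() to see the actual Destination your IdP is sending.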
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Tue, 23 May 2017 01:27:22 +0530
Subject: [keycloak-user] SQL error while migrating from mongo to mysql on 3.1.0.Final

Hi

Since keycloak now doesn't support mongo, we are trying to import the data from keycloak-2.2.1 (mongo) to keycloak 3.1.0.Final (mysql). I did a realm export in KC 2.2.1 using the different-files strategy and got a -realm.json file, and then on KC 3.1.0.Final I did a realm import through the UI. As soon as I click on the create button, I get an error pop-up saying "realm already exists" and on the console I see the below stacktrace.

2017-05-22 19:28:59,980 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] KEYCLOAK 3.1.0-0.1 SQL Error: 1062, SQLState: 23000
2017-05-22 19:28:59,982 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] KEYCLOAK 3.1.0-0.1 Duplicate entry 'ABC-aPPName' for key 'UK_B71CJLBENV945RB6GCON438AT'
2017-05-22 19:28:59,983 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] KEYCLOAK 3.1.0-0.1 HHH000010: On release of batch it still contained JDBC statements

Any suggestions on what possibly went wrong?

Note: Migration is happening from KC 2.2.1 to KC 3.1.0.Final and RDBMS (Mongo to Mysql). Also, if I use just H2 (no mysql) on KC 3.1.0, I could port all the data without any issues from KC 2.2.1.

Thanks in advance.
-Abhishek

From peter at realityforge.org Mon May 22 21:56:27 2017
From: peter at realityforge.org (Peter Donald)
Date: Tue, 23 May 2017 11:56:27 +1000
Subject: [keycloak-user] Jaxrs Client Example?
In-Reply-To: References: Message-ID:

Great - thanks. Got it working with a combination of your code and the admin-client code.

For anyone who wants to do this in future - I just pushed the code to maven central. See
https://github.com/realityforge/keycloak-jaxrs-client-authfilter

Thanks again Thomas!

On Mon, May 22, 2017 at 10:13 PM, Thomas Darimont wrote:
> Hello Peter,
>
> have a look at the example below.
> The following example obtains an access token from the /token endpoint and
> uses it to call the /userinfo endpoint with the access token in the
> Authorization header. In real Keycloak integrations one would use the
> access token which is maintained by the Keycloak adapter via the
> KeycloakSecurityContext.
>
> HTH.
>
> Cheers,
> Thomas
>
> import javax.ws.rs.client.Client;
> import javax.ws.rs.client.ClientBuilder;
> import javax.ws.rs.client.ClientRequestContext;
> import javax.ws.rs.client.ClientRequestFilter;
> import javax.ws.rs.client.Entity;
> import javax.ws.rs.client.WebTarget;
> import javax.ws.rs.core.Form;
> import javax.ws.rs.core.MediaType;
> import javax.ws.rs.core.Response;
> import javax.ws.rs.core.UriBuilder;
> import java.io.IOException;
> import java.util.Map;
> import java.util.concurrent.Future;
> import java.util.function.Supplier;
>
> public class JaxRsKeycloakClientExample {
>
>     public static void main(String[] args) throws Exception {
>
>         String realmName = "token-test";
>         String tokenPath = "/protocol/openid-connect/token";
>         String userInfoPath = "/protocol/openid-connect/userinfo";
>
>         String authServerBaseUrl = "http://localhost:8081/auth/realms";
>
>         /* Dummy accessToken provider - in real Keycloak integrations you'd
>          * extract the current AccessToken from the KeycloakSecurityContext
>          * which is accessible via:
>          *   httpServletRequest.getAttribute(KeycloakSecurityContext.class.getName());
>          * or
>          *   httpServletRequest.getSession().getAttribute(KeycloakSecurityContext.class.getName());
>          *
>          * then do KeycloakSecurityContext#getTokenString()
>          */
>         Supplier<String> accessTokenProvider = () -> {
>
>             Client keycloakClient = ClientBuilder.newBuilder().build();
>             WebTarget target = keycloakClient.target(
>                     UriBuilder.fromUri(authServerBaseUrl).path(realmName).path(tokenPath).build());
>
>             // Resource Owner Password Credentials grant against the public admin-cli client
>             Form getTokenForm = new Form() //
>                     .param("client_id", "admin-cli") //
>                     .param("client_secret", "") //
>                     .param("username", "tester") //
>                     .param("password", "test") //
>                     .param("grant_type", "password") //
>                     ;
>
>             Future<Map> response = target.request(MediaType.APPLICATION_FORM_URLENCODED) //
>                     .accept(MediaType.APPLICATION_JSON_TYPE) //
>                     .buildPost(Entity.form(getTokenForm)) //
>                     .submit(Map.class);
>
>             try {
>                 Map map = response.get();
>                 return String.valueOf(map.get("access_token"));
>             } catch (Exception e) {
>                 throw new RuntimeException(e);
>             }
>         };
>
>         Client client = ClientBuilder.newBuilder().build();
>         client.register(new KeycloakAuthRequestFilter(accessTokenProvider));
>
>         // Call UserInfo endpoint with AccessToken in Authorization Header
>         WebTarget target = client.target(
>                 UriBuilder.fromUri(authServerBaseUrl).path(realmName).path(userInfoPath).build());
>         Response response = target.request().accept(MediaType.APPLICATION_JSON_TYPE).get();
>
>         System.out.println(response.readEntity(Map.class));
>     }
>
>     // JAX-RS client filter that adds the bearer token to every outgoing request
>     public static class KeycloakAuthRequestFilter implements ClientRequestFilter {
>
>         private final Supplier<String> accessTokenProvider;
>
>         public KeycloakAuthRequestFilter(Supplier<String> accessTokenProvider) {
>             this.accessTokenProvider = accessTokenProvider;
>         }
>
>         @Override
>         public void filter(ClientRequestContext requestContext) throws IOException {
>             requestContext.getHeaders().putSingle("Authorization", "Bearer " + accessTokenProvider.get());
>         }
>     }
> }
>
> 2017-05-22 8:14 GMT+02:00 Peter Donald :
>>
>> Hi,
>>
>> This is a really dumb question and I have tried to google+RTFM but
>> still can't seem to find the answer.
>>
>> I am looking for a simple example where I can use a jaxrs client to
>> access a service protected by keycloak. I have only really found
>> references to admin-client which seems to be more about admin of
>> keycloak and the JaxrsBearerTokenFilterImpl which seems like it may
>> work but can't find an example where it is used or how I would go
>> about it.
>>
>> Preferably I would like to do a .register( X ) when creating the jaxrs
>> client and have it handled automagically by a filter. I don't have
>> resteasy available atm if that makes a difference.
>>
>> Any hints on where to figure this out?
>>
>> --
>> Cheers,
>>
>> Peter Donald
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

--
Cheers,

Peter Donald

From rafterjiang at hotmail.com Mon May 22 23:09:23 2017
From: rafterjiang at hotmail.com (rafterjiang)
Date: Mon, 22 May 2017 20:09:23 -0700 (MST)
Subject: [keycloak-user] Problems enable policy enforcer for spring security in spring boot.
Message-ID: <1495508963000-3933.post@n6.nabble.com>

I have set up a URL resource policy (for ex: /greeting for USER role) for my bearer-only client on the keycloak server. In this client, implemented with spring security in spring boot, I have added keycloak.json:

{
  "realm": "auth",
  "realm-public-key": "key",
  "bearer-only": true,
  "auth-server-url": "http://10.3.42.29:8080/auth",
  "ssl-required": "external",
  "resource": "auth-service",
  "credentials": {
    "secret": "secret"
  },
  "policy-enforcer": {
    "user-managed-access" : {},
    "enforcement-mode" : "ENFORCING",
    "paths": [
      {
        "name" : "resource-greeting"
      }
    ]
  }
}

The "resource-greeting" is the resource name set up in the authorization settings of client "auth-service" on the keycloak server, and it should only be accessible to USER role accounts (a role based policy is also configured with a permission).

Now, I am very confused about what needs to be done on the spring security side. From what I have read of the examples so far, I have not seen any example using spring security together with *policy enforcer*. Most examples enable the authentication/authorization in SecurityConfig (which extends KeycloakWebSecurityConfigurerAdapter), so they override the "configure" method where antMatchers are used to restrict a URL (/greeting in my case) to certain ROLES.

See the following two examples:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
        .and()
        .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
        .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
        .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .authorizeRequests()
        .antMatchers("/**").authenticated()
        .anyRequest().permitAll();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http
        .authorizeRequests()
        .antMatchers("/customers*").hasRole("USER")
        .antMatchers("/admin*").hasRole("ADMIN")
        .anyRequest().permitAll();
}

But as I understand it so far, with the *policy enforcer* all authentication/authorization should be pushed outside of the code and be done by the client adapter based on the "paths" in keycloak.json, *automatically*.

My question is: what needs to be done in the configure method? If we can do authz through the policy enforcer, why do we still need to authorize in the above configure method?

I have also seen someone mention adding *keycloakAuthenticatedActionsFilter* to make the policy enforcer work. How do I do that?

thanks,
Rong

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Problems-enable-policy-enforcer-for-spring-security-in-spring-boot-tp3933.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From khirschmann at huebinet.de Tue May 23 05:28:48 2017
From: khirschmann at huebinet.de (Kevin Hirschmann)
Date: Tue, 23 May 2017 11:28:48 +0200
Subject: [keycloak-user] Executing kcadmin - missing jansi64 library
Message-ID: <01cf01d2d3a6$fbb487b0$f31d9710$@huebinet.de>

Hello,

when running a windows batch file

call kcadm.bat create realms -s realm=%realmName% -s enabled=true -s loginTheme=xxx
ECHO Realm created

REM update security-admin-client
set endpointSecurityClient=clients/465f668f-cefc-4d42-9bc0-0b62b6784b18
call kcadm.bat update %endpointSecurityClient% -r %realmName% -s directAccessGrantsEnabled=true

The last line produces the following stacktrace:

New clientId is 465f668f-cefc-4d42-9bc0-0b62b6784b18
Exception in thread "main" java.lang.UnsatisfiedLinkError: Could not load library. Reasons: [no jansi64-2.5.4.Final in java.library.path, no jansi-2.5.4.Final in java.library.path, no jansi in java.library.path, Die Syntax für den Dateinamen, Verzeichnisnamen oder die Datenträgerbezeichnung ist falsch (Windows error text: "The filename, directory name, or volume label syntax is incorrect")]
        at org.fusesource.hawtjni.runtime.Library.doLoad(Library.java:182)
        at org.fusesource.hawtjni.runtime.Library.load(Library.java:140)
        at org.fusesource.jansi.internal.Kernel32.(Kernel32.java:37)
        at org.fusesource.jansi.WindowsAnsiOutputStream.(WindowsAnsiOutputStream.java:52)
        at org.jboss.aesh.terminal.WindowsTerminal.init(WindowsTerminal.java:63)
        at org.jboss.aesh.console.Console.init(Console.java:190)
        at org.jboss.aesh.console.Console.(Console.java:118)
        at org.jboss.aesh.console.AeshConsoleImpl.(AeshConsoleImpl.java:98)
        at org.jboss.aesh.console.AeshConsoleBuilder.create(AeshConsoleBuilder.java:160)
        at org.keycloak.client.admin.cli.KcAdmMain.main(KcAdmMain.java:64)

This happens on Windows 8 and Windows 2012 Server
Keycloak 2.5.4
Wildfly 10.0.0

Has anyone an idea what configuration is missing?

Kind regards and thanks for your help

Kevin Hirschmann

HUEBINET Informationsmanagement GmbH & Co. KG

E-Mail: kevin.hirschmann at huebinet.de
Internet: www.huebinet.de

HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz
Registered office and register court: Koblenz HRA 5329
Personally liable partner of the KG: HUEBINET GmbH; registered office and register court: Koblenz HRB 6857
Management: Dr. Carsten Sch?pp; Michael Biemer; Michael Ewertz
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

E-mail exchange with HUEBINET Informationsmanagement GmbH & Co. KG, Koblenz serves information purposes only. Legally binding declarations cannot be exchanged via this medium, since manipulation of e-mails by third parties cannot be ruled out.

Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.

From abhi.raghav007 at gmail.com Tue May 23 06:31:57 2017
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Tue, 23 May 2017 16:01:57 +0530
Subject: [keycloak-user] SQL error while migrating from mongo to mysql on 3.1.0.Final
In-Reply-To: References: Message-ID:

I found the root cause. Keycloak 2.x considers two client roles for the same client as different even if they have the same name in different case (one role all upper case and the other lower case). But in KC 3.x, you cannot create two client roles with the same name even if the case is different. In my case, when I exported the realm from KC 2.x, there were 2 client roles with the same name in different case. This is resolved in Keycloak 3.x if I use MySQL as the persistence store.

*- Best Regards*
Abhishek Raghav

On Tue, May 23, 2017 at 1:27 AM, abhishek raghav wrote:
> Hi
>
> Since keycloak now doesn't support mongo, we are trying to import the data
> from keycloak-2.2.1 (mongo) to keycloak 3.1.0.Final (mysql).
>
> I did a Realm export in KC 2.2.1 using the different files strategy and I got
> a -realm.json file, and then on KC 3.1.0.Final I did a realm import
> through the UI.
>
> As soon as I click on the create button, I get an error pop up saying *realm
> already exists* and on the console I see the below stacktrace.
>
> 2017-05-22 19:28:59,980 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] KEYCLOAK 3.1.0-0.1 SQL Error: 1062, SQLState: 23000
> 2017-05-22 19:28:59,982 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] KEYCLOAK 3.1.0-0.1 Duplicate entry 'ABC-aPPName' for key 'UK_B71CJLBENV945RB6GCON438AT'
> 2017-05-22 19:28:59,983 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] KEYCLOAK 3.1.0-0.1 HHH000010: On release of batch it still contained JDBC statements
>
> Any suggestions on what possibly went wrong?
>
> Note: Migration is happening from KC 2.2.1 to KC 3.1.0.Final and RDBMS
> (Mongo to Mysql).
>
> Also, if I use just H2 (no mysql) on KC 3.1.0, I could port all the data
> without any issues from KC 2.2.1
>
> Thanks in advance.
> -Abhishek
>

From lists at merit.unu.edu Tue May 23 06:33:08 2017
From: lists at merit.unu.edu (lists)
Date: Tue, 23 May 2017 12:33:08 +0200
Subject: [keycloak-user] basic saml attribute send question
Message-ID: <1c328de7-a1c9-64b8-2c79-91fc3e244957@merit.unu.edu>

Hi,

Running keycloak 2.5.0 with the AD federation provider. We configured the group-ldap-mapper, and this all works beautifully. Created a simplesamlphp test page, and all AD group memberships are displayed in a list after a successful logon. Good start.

But now, to make this more secure and confidential, we would like to NOT display ALL groups after login, but only send specific SAML attributes, depending on group memberships.

So suppose a user is a member of AD group1, group2 and group3. We would like to make a config to send attribute "group1", but keep the rest of the groups hidden.

I'm sure this is _very_ basic functionality... But can anyone give us some pointers/keywords on how to do this?

Best regards,
MJ

From psilva at redhat.com Tue May 23 07:14:53 2017
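A pre-import check for the situation Abhishek describes above, added here as an example; it is not code from the thread or from Keycloak. Role names that differ only in case are a classic authorization trap (a policy granting "Admin" silently misses "admin"), and on MySQL the default *_ci collations compare the unique role-name index case-insensitively, which is why the import that succeeded on H2 failed with a duplicate-key error there. The script walks a realm export, assumed to use the layout Keycloak 2.x/3.x writes (realm roles under roles.realm, client roles under roles.client.<clientId>), and reports every group of names that collapse under a case-insensitive comparison. The embedded export is constructed for the example.

```python
"""Find role names in a Keycloak realm export that collide once case is ignored.
Added example, not Keycloak code.  Layout assumed: roles.realm is a list of
{"name": ...}; roles.client maps clientId -> list of {"name": ...}."""
import json
import sys
from collections import defaultdict

# Constructed sample export (not a real realm).  The "app" client carries the
# pair from the thread's error message; the realm roles carry another pair;
# "viewer" on two different clients is fine because uniqueness is per client.
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "roles": {
        "realm": [{"name": "admin"}, {"name": "Admin"}, {"name": "user"}],
        "client": {
            "app": [{"name": "ABC-aPPName"}, {"name": "abc-appname"}, {"name": "viewer"}],
            "other": [{"name": "viewer"}],
        },
    },
})


def role_scopes(export):
    """Yield (scope, [names]).  Keycloak enforces role-name uniqueness per
    realm for realm roles and per client for client roles, so collisions are
    only meaningful inside one scope."""
    roles = export.get("roles", {})
    yield "realm", [r["name"] for r in roles.get("realm", [])]
    for client_id, client_roles in roles.get("client", {}).items():
        yield "client:" + client_id, [r["name"] for r in client_roles]


def find_case_collisions(export_json):
    """Return {scope: [[name, name, ...], ...]} for every group of role names
    that become equal under casefold(), i.e. under a case-insensitive index."""
    export = json.loads(export_json)
    collisions = {}
    for scope, names in role_scopes(export):
        groups = defaultdict(list)
        for name in names:
            groups[name.casefold()].append(name)
        duplicates = [sorted(group) for group in groups.values() if len(group) > 1]
        if duplicates:
            collisions[scope] = sorted(duplicates)
    return collisions


if __name__ == "__main__":
    # Usage: python check_roles.py <realm>-realm.json   (no argument: the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    found = find_case_collisions(data)
    for scope, groups in found.items():
        for group in groups:
            print(f"{scope}: {' / '.join(group)} collide case-insensitively")
    sys.exit(1 if found else 0)
```

Run it against the export before importing into a MySQL-backed 3.x instance; a non-zero exit means the import will hit the duplicate-key error (or, worse, that two policies in the old realm were relying on names that the new store considers the same role).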
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 23 May 2017 08:14:53 -0300
Subject: [keycloak-user] Problems enable policy enforcer for spring security in spring boot.
In-Reply-To: <1495508963000-3933.post@n6.nabble.com>
References: <1495508963000-3933.post@n6.nabble.com>
Message-ID:

Can you take a look at https://github.com/keycloak/keycloak-quickstarts/pull/26 ? It is a fairly simple SB quickstart using authorization services.

We do need more examples and better documentation for Spring Boot integration. Any help is appreciated.

FYI, we have an open JIRA [1] for supporting keycloak.json with SB. This should make things simpler when enabling authz in your applications.

[1] https://issues.jboss.org/browse/KEYCLOAK-4942

On Tue, May 23, 2017 at 12:09 AM, rafterjiang wrote:
> I have set up a URL resource policy (for ex: /greeting for USER role) for my
> bearer-only client on the keycloak server. In this client, implemented with
> spring security in spring boot, I have added keycloak.json:
>
> {
>   "realm": "auth",
>   "realm-public-key": "key",
>   "bearer-only": true,
>   "auth-server-url": "http://10.3.42.29:8080/auth",
>   "ssl-required": "external",
>   "resource": "auth-service",
>   "credentials": {
>     "secret": "secret"
>   },
>   "policy-enforcer": {
>     "user-managed-access" : {},
>     "enforcement-mode" : "ENFORCING",
>     "paths": [
>       {
>         "name" : "resource-greeting"
>       }
>     ]
>   }
> }
>
> The "resource-greeting" is the resource name set up in the authorization settings of
> client "auth-service" on the keycloak server, and it should only be accessible to USER
> role accounts (a role based policy is also configured with a permission).
>
> Now, I am very confused about what needs to be done on the spring security side. From
> what I have read of the examples so far, I have not seen any example using spring
> security together with *policy enforcer*. Most examples enable the
> authentication/authorization in SecurityConfig (which extends
> KeycloakWebSecurityConfigurerAdapter), so they override the "configure" method where
> antMatchers are used to restrict a URL (/greeting in my case) to certain ROLES.
>
> See the following two examples:
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
>     http
>         .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
>         .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
>         .and()
>         .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
>         .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
>         .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
>         .and()
>         .authorizeRequests()
>         .antMatchers("/**").authenticated()
>         .anyRequest().permitAll();
> }
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
>     super.configure(http);
>     http
>         .authorizeRequests()
>         .antMatchers("/customers*").hasRole("USER")
>         .antMatchers("/admin*").hasRole("ADMIN")
>         .anyRequest().permitAll();
> }
>
> But as I understand it so far, with the *policy enforcer* all
> authentication/authorization should be pushed outside of the code and be
> done by the client adapter based on the "paths" in keycloak.json, *automatically*.
>
> My question is: what needs to be done in the configure method? If we can do authz
> through the policy enforcer, why do we still need to authorize in the above configure
> method?
>
> I have also seen someone mention adding *keycloakAuthenticatedActionsFilter*
> to make the policy enforcer work. How do I do that?
>
> thanks,
> Rong
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/Problems-enable-policy-enforcer-for-spring-security-in-spring-boot-tp3933.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From denny.israel at googlemail.com Tue May 23 07:30:09 2017
From: denny.israel at googlemail.com (Denny Israel)
Date: Tue, 23 May 2017 13:30:09 +0200
Subject: [keycloak-user] LDAP Password as Environment Variable
Message-ID:

Hi,

I am running keycloak as a docker container and have configured an ldap server for user federation. Keycloak needs a username and a password to access the ldap server (Bind DN, Bind Credential). When the password changes I have to manually change it in the keycloak admin console. Is there a way to tell keycloak to read the password from an environment variable? This way I could specify the password when starting my docker container and maintain the password within my docker environment.

Best regards
Denny

From john.d.ament at gmail.com Tue May 23 07:49:07 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Tue, 23 May 2017 11:49:07 +0000
Subject: [keycloak-user] Keycloak & SSL - incorrect urls
Message-ID:

Hi,

I have keycloak deployed behind an ELB and nginx, so it's going ELB -> NGINX -> KEYCLOAK. We do SSL termination at the ELB, so that the requests to nginx and keycloak are actually HTTP calls.

We've noticed that the endpoint descriptors page (which provides an importable XML for a SAML descriptor) is using HTTP urls, even though the public URL is an HTTPS url (e.g. https://keycloak.mycompany.com)

Is there a configuration setting that would force keycloak to render HTTPS urls?

John

From mehdi.alishahi at gmail.com Tue May 23 08:26:15 2017
From: mehdi.alishahi at gmail.com (Mehdi Sheikhalishahi)
Date: Tue, 23 May 2017 14:26:15 +0200
Subject: [keycloak-user] Fwd: Create and Update User Attributes Without Admin-Client in Javascript
In-Reply-To: References: Message-ID:

---------- Forwarded message ----------
From: Mehdi Sheikhalishahi
Date: Mon, May 22, 2017 at 9:27 AM
Subject: Create and Update User Attributes Without Admin-Client in Javascript
To: keycloak-user

Hi

Is there an elegant way to create and update user attributes without the admin-client in Javascript? There is keycloak-admin-client for that, but I prefer other cleaner and up-to-date methods.

Thanks.

From mstrukel at redhat.com Tue May 23 08:42:38 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 23 May 2017 14:42:38 +0200
Subject: [keycloak-user] Executing kcadmin - missing jansi64 library
In-Reply-To: <01cf01d2d3a6$fbb487b0$f31d9710$@huebinet.de>
References: <01cf01d2d3a6$fbb487b0$f31d9710$@huebinet.de>
Message-ID:

Very unusual that this should only occur when performing the second call, but not also with the first one.

It looks like org.fusesource.jansi tries to load a native library but it's looking for a non-existing library. The question is why.

Could you open a JIRA?

On Tue, May 23, 2017 at 11:28 AM, Kevin Hirschmann wrote:
> Hello,
>
> when running a windows batch file
>
> call kcadm.bat create realms -s realm=%realmName% -s enabled=true -s loginTheme=xxx
> ECHO Realm created
>
> REM update security-admin-client
> set endpointSecurityClient=clients/465f668f-cefc-4d42-9bc0-0b62b6784b18
> call kcadm.bat update %endpointSecurityClient% -r %realmName% -s directAccessGrantsEnabled=true
>
> The last line produces the following stacktrace:
>
> New clientId is 465f668f-cefc-4d42-9bc0-0b62b6784b18
> Exception in thread "main" java.lang.UnsatisfiedLinkError: Could not load library. Reasons: [no jansi64-2.5.4.Final in java.library.path, no jansi-2.5.4.Final in java.library.path, no jansi in java.library.path, Die Syntax für den Dateinamen, Verzeichnisnamen oder die Datenträgerbezeichnung ist falsch (Windows error text: "The filename, directory name, or volume label syntax is incorrect")]
>         at org.fusesource.hawtjni.runtime.Library.doLoad(Library.java:182)
>         at org.fusesource.hawtjni.runtime.Library.load(Library.java:140)
>         at org.fusesource.jansi.internal.Kernel32.(Kernel32.java:37)
>         at org.fusesource.jansi.WindowsAnsiOutputStream.(WindowsAnsiOutputStream.java:52)
>         at org.jboss.aesh.terminal.WindowsTerminal.init(WindowsTerminal.java:63)
>         at org.jboss.aesh.console.Console.init(Console.java:190)
>         at org.jboss.aesh.console.Console.(Console.java:118)
>         at org.jboss.aesh.console.AeshConsoleImpl.(AeshConsoleImpl.java:98)
>         at org.jboss.aesh.console.AeshConsoleBuilder.create(AeshConsoleBuilder.java:160)
>         at org.keycloak.client.admin.cli.KcAdmMain.main(KcAdmMain.java:64)
>
> This happens on Windows 8 and Windows 2012 Server
> Keycloak 2.5.4
> Wildfly 10.0.0
>
> Has anyone an idea what configuration is missing?
>
> Kind regards and thanks for your help
>
> Kevin Hirschmann
>
> HUEBINET Informationsmanagement GmbH & Co. KG
>
> E-Mail: kevin.hirschmann at huebinet.de
> Internet: www.huebinet.de
>
> HUEBINET Informationsmanagement GmbH & Co. KG
> An der Königsbach 8
> 56075 Koblenz
> Registered office and register court: Koblenz HRA 5329
> Personally liable partner of the KG: HUEBINET GmbH;
> registered office and register court: Koblenz HRB 6857
> Management: Dr. Carsten Sch?pp; Michael Biemer; Michael Ewertz
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> E-mail exchange with HUEBINET Informationsmanagement GmbH & Co. KG, Koblenz serves
> information purposes only. Legally binding declarations cannot be exchanged via this
> medium, since manipulation of e-mails by third parties cannot be ruled out.
>
> Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is
> only intended to provide information of a general kind, and shall not be
> used for any statement with binding contents in respect to legal relations.
> It is not totally possible to prevent a third party from manipulating emails
> and email contents.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sesnor.silva at sapo.pt Tue May 23 09:03:40 2017
From: sesnor.silva at sapo.pt (sesnor.silva at sapo.pt)
Date: Tue, 23 May 2017 14:03:40 +0100
Subject: [keycloak-user] CORS problems
Message-ID: <20170523140340.Horde.g-_pXLxAean5InXQ-CHmlQ0@mail.sapo.pt>

Hello,

I have protected a Java web application that's compiled in a WAR package and accessible through a Tomcat 8 server. To do this I followed the steps here: https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/tomcat-adapter.html

My Java Application is a RESTful API which can only be accessed by authorized users that bear a token. In Keycloak I configured my client (and keycloak.json) as follows:

{
  "realm": "MainDomain",
  "bearer-only": true,
  "auth-server-url": "http://:8081/auth",
  "ssl-required": "none",
  "resource": "main-domain-server"
}

If I have a valid token I can access the service fine through cURL requests. However, using any browser (Firefox, Chrome, Opera; except IE, which for some reason works) I can't access any resource through AJAX as I get CORS problems:

"Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 401."

I searched around and found I should put "enable_cors": true in my keycloak.json, however this causes the following CORS problem:

"The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:3000, http://localhost:3000', but only one is allowed. Origin 'http://localhost:3000' is therefore not allowed access."

I think I'm out of ideas at the moment on what could be causing this. Does anyone have any idea what could be wrong in my configuration?

My best regards,
Silva

From john.d.ament at gmail.com Tue May 23 09:04:40 2017
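The two browser errors in Silva's message above are the two ways a preflight fails in front of a bearer-only API: the OPTIONS request carries no Authorization header, so if the adapter authenticates it first the browser sees a 401 with no CORS headers; and if more than one layer (for example a Tomcat CorsFilter plus the adapter's own CORS support, whose keycloak.json key is spelled enable-cors) each add Access-Control-Allow-Origin, the browser rejects the duplicated value. The checker below, added here as an example and not code from the thread or from Keycloak, takes a preflight response as the browser sees it (status plus a header list that keeps duplicates) and reports what a browser would reject it for. The three responses are constructed to reproduce the thread's two errors and a healthy case.

```python
"""Diagnose a CORS preflight response from a bearer-only, Keycloak-protected API.
Added example, not Keycloak code.  Header lists keep duplicates on purpose,
because that is what the browser evaluates."""

PREFLIGHT_ORIGIN = "http://localhost:3000"

# Constructed case 1: the adapter authenticated the token-less OPTIONS request.
RESPONSE_401 = (401, [("WWW-Authenticate", 'Bearer realm="MainDomain"')])

# Constructed case 2: two layers each added the header (e.g. a servlet CORS
# filter plus the adapter's enable-cors), so the value appears twice.
RESPONSE_DUP = (200, [
    ("Access-Control-Allow-Origin", PREFLIGHT_ORIGIN),
    ("Access-Control-Allow-Origin", PREFLIGHT_ORIGIN),
    ("Access-Control-Allow-Methods", "GET, POST, OPTIONS"),
    ("Access-Control-Allow-Headers", "Authorization, Content-Type"),
])

# Constructed case 3: exactly one CORS layer, origin echoed, Vary set.
RESPONSE_OK = (200, [
    ("Access-Control-Allow-Origin", PREFLIGHT_ORIGIN),
    ("Access-Control-Allow-Methods", "GET, POST, OPTIONS"),
    ("Access-Control-Allow-Headers", "Authorization, Content-Type"),
    ("Vary", "Origin"),
])


def header_values(headers, name):
    """All values of a header, case-insensitive on the name, duplicates kept."""
    return [v for k, v in headers if k.lower() == name.lower()]


def diagnose_preflight(origin, status, headers, request_headers=("authorization",)):
    """Return the list of reasons a browser would reject this preflight.
    request_headers: the non-simple headers the real request will send, which
    must be listed in Access-Control-Allow-Headers (Authorization always is)."""
    problems = []
    if status in (401, 403):
        problems.append(f"preflight answered {status}: the OPTIONS request carries no "
                        "token, so it must be answered before authentication")
    elif status // 100 != 2:
        problems.append(f"preflight answered {status}")

    acao = header_values(headers, "Access-Control-Allow-Origin")
    if not acao:
        problems.append("no Access-Control-Allow-Origin header")
    elif len(acao) > 1:
        problems.append(f"Access-Control-Allow-Origin sent {len(acao)} times "
                        f"({', '.join(acao)}): only one layer may add CORS headers")
    elif acao[0] not in (origin, "*"):
        problems.append(f"Access-Control-Allow-Origin is {acao[0]}, not {origin}")
    elif acao[0] == "*" and header_values(headers, "Access-Control-Allow-Credentials"):
        problems.append("wildcard origin combined with Allow-Credentials is rejected")

    allowed = {h.strip().lower()
               for v in header_values(headers, "Access-Control-Allow-Headers")
               for h in v.split(",")}
    for h in request_headers:
        if h.lower() not in allowed:
            problems.append(f"request header {h} not listed in Access-Control-Allow-Headers")
    return problems


if __name__ == "__main__":
    for label, (status, headers) in (("401", RESPONSE_401), ("dup", RESPONSE_DUP), ("ok", RESPONSE_OK)):
        print(label, diagnose_preflight(PREFLIGHT_ORIGIN, status, headers) or ["OK"])
```

To feed it a live response, capture the preflight with `curl -i -X OPTIONS -H 'Origin: http://localhost:3000' -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: authorization' <url>` and build the header list from the raw output without de-duplicating. The design point is that exactly one component should own CORS: let the adapter do it (it answers the preflight itself and checks the Origin against the client's Web Origins for the real request) and remove any other CORS filter, or the other way round, but never both.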
From: john.d.ament at gmail.com (John D. Ament)
Date: Tue, 23 May 2017 13:04:40 +0000
Subject: [keycloak-user] Keycloak Performance with large number of realms
In-Reply-To: References: Message-ID:

Stian,

We just got a report of a new issue; not sure if it's related to the existing one, but I can create a ticket on your side if it makes sense.

When accessing /auth/realms/master/protocol/openid-connect/token we are seeing 3k SQLs being executed of this format:

select compositer0_.COMPOSITE as COMPOSIT1_16_0_, compositer0_.CHILD_ROLE as CHILD_RO2_16_0_,
       roleentity1_.ID as ID1_38_1_, roleentity1_.CLIENT as CLIENT8_38_1_,
       roleentity1_.CLIENT_REALM_CONSTRAINT as CLIENT_R2_38_1_, roleentity1_.CLIENT_ROLE as CLIENT_R3_38_1_,
       roleentity1_.DESCRIPTION as DESCRIPT4_38_1_, roleentity1_.NAME as NAME5_38_1_,
       roleentity1_.REALM as REALM9_38_1_, roleentity1_.REALM_ID as REALM_ID6_38_1_,
       roleentity1_.SCOPE_PARAM_REQUIRED as SCOPE_PA7_38_1_
from COMPOSITE_ROLE compositer0_
inner join KEYCLOAK_ROLE roleentity1_ on compositer0_.CHILD_ROLE=roleentity1_.ID
where compositer0_.COMPOSITE=?

On Wed, May 10, 2017 at 12:40 PM John D. Ament wrote:
> Stian,
>
> Good news. Glad to see these things get prioritized. So far they look
> like they're matching the problems I'm running into, specifically around
> the whoami endpoint and overall number of SQLs (2800 queries in one of my
> tests) and the total number of DB connections allocated within that one
> request (3200+).
>
> John
>
>
> On Wed, May 10, 2017 at 8:02 AM Stian Thorgersen wrote:
>
>> There are a number of issues around having a large number of realms. We
>> have a general issue open to support this:
>> https://issues.jboss.org/browse/KEYCLOAK-4593
>>
>> We haven't prioritized this in the past, but that has changed and we
>> would like to get this sorted out.
>>
>> There's a few more related PRs including the one you linked:
>> https://github.com/keycloak/keycloak/pull/3557
>> https://github.com/keycloak/keycloak/pull/3561
>>
>> On 10 May 2017 at 12:35, John D. Ament wrote:
>>
>>> Hi,
>>>
>>> After enabling Keycloak and starting work on a multi-tenant application,
>>> it was noted that the admin console started to get very slow in keycloak.
>>> After some searching around, it seemed like this was an already reported
>>> issue [1] and a fix underway [2]. I was wondering if this fix would make
>>> it into 3.2?
>>>
>>> If additional testing is needed, I'd be happy to help out. Deleting 161
>>> realms with minimal clients and users took me 15 minutes via the REST
>>> API.
>>>
>>> [1]: https://issues.jboss.org/browse/KEYCLOAK-4858
>>> [2]: https://github.com/keycloak/keycloak/pull/4095
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>

From Bettina.Huebner at kvbawue.de Tue May 23 09:15:24 2017
From: Bettina.Huebner at kvbawue.de (Hübner, Bettina)
Date: Tue, 23 May 2017 13:15:24 +0000
Subject: [keycloak-user] Policy Evaluation Tool - "No scopes available"
Message-ID:

Hi,

It seems the representation of the evaluation result has been changed in version 3.1.0.Final (Policy evaluation tool, admin console) (compared to 2.5.0.Final and also 3.0.0.Final).

Before, it showed with scopes [list of all scopes of the resource] and the details for the resource listed all allowed scopes.

Now, in version 3.1.0.Final, it shows with scopes [apparently allowed scopes] and the details for the resource always show "no scopes available" as scopes, even if the user has the permission for some or all scopes of the resource (the tooltip still shows "The list of allowed scopes.").

I find this new representation a little bit confusing. At least I would expect that "scopes" lists the allowed scopes for a resource as it did before.

Kind regards
Bettina

From john.bartko at drillinginfo.com Tue May 23 11:17:08 2017
From: john.bartko at drillinginfo.com (John Bartko)
Date: Tue, 23 May 2017 15:17:08 +0000
Subject: [keycloak-user] Keycloak & SSL - incorrect urls
In-Reply-To: References: Message-ID:

From https://keycloak.gitbooks.io/documentation/server_installation/topics/clustering/load-balancer.html

On the Keycloak side:

/socket-binding-group=standard-sockets/socket-binding=proxy-https/:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)

On the LB side:
- Must set X-Forwarded-For
- Must set X-Forwarded-Proto
- Must preserve Host header

AWS ELB/ALBs should do all of the above out of the box.

To verify from behind the LB, curl an endpoint that renders URIs (like OIDC config, or SAML descriptor):

curl -s -H 'Host: keycloak.example.org' -H 'X-Forwarded-For: 10.0.100.42' -H 'X-Forwarded-Proto: https' $(hostname -I | cut -f 1 -d ' '):8080/auth/realms/master/.well-known/openid-configuration | jq .issuer
"https://keycloak.example.org/auth/realms/master"

The URI should be rendered correctly. If access logging is enabled in the environment, the log entry should have recorded the request as coming from the IP listed in the X-Forwarded-For header.

Hope that helps,
-John Bartko

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of John D. Ament
Sent: Tuesday, May 23, 2017 6:49:07 AM
To: keycloak-user
Subject: [keycloak-user] Keycloak & SSL - incorrect urls

Hi,

I have keycloak deployed behind an ELB and nginx, so it's going ELB -> NGINX -> KEYCLOAK. We do SSL termination at the ELB, so that the requests to nginx and keycloak are actually HTTP calls.

We've noticed that the endpoint descriptors page (which provides an importable XML for a SAML descriptor) is using HTTP urls, even though the public URL is an HTTPS url (e.g. https://keycloak.mycompany.com)

Is there a configuration setting that would force keycloak to render HTTPS urls?

John
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue May 23 12:13:21 2017
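John Bartko's curl check above looks at one field of the discovery document; the check below, added here as an example and not code from the thread or from Keycloak, generalises it to every URL the realm advertises. It matters because the document is what every client and adapter trusts: a token_endpoint rendered as http:// sends client secrets and codes in the clear, and a jwks_uri rendered with the internal host name makes every relying party fetch signing keys from an address that may not even be reachable. The function compares the scheme and host of each advertised URL against the public origin and returns the offenders; the embedded document is constructed to show the failure mode from the thread (proxy-address-forwarding not wired up, so some endpoints carry the scheme and host the server saw on the wire).

```python
"""Check that every URL in a Keycloak realm's OIDC discovery document uses the
public origin clients see in front of the load balancer.  Added example, not
Keycloak code.  Input shape is the standard document served from
/auth/realms/<realm>/.well-known/openid-configuration."""
import json
import sys
from urllib.parse import urlsplit

# Constructed discovery document: "issuer" was rendered from the forwarded
# headers, but two endpoints still carry the scheme/host seen on the wire.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example.org/auth/realms/master",
    "authorization_endpoint": "https://keycloak.example.org/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak.example.org/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "http://10.0.0.12:8080/auth/realms/master/protocol/openid-connect/certs",
    "end_session_endpoint": "https://keycloak.example.org/auth/realms/master/protocol/openid-connect/logout",
    "response_types_supported": ["code", "token"],
})

EXPECTED_ORIGIN = "https://keycloak.example.org"


def advertised_urls(doc):
    """Yield (field, url) for every top-level string value that is an absolute http(s) URL."""
    for field, value in doc.items():
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            yield field, value


def find_wrong_origins(discovery_json, expected_origin):
    """Return {field: url} for each advertised URL whose scheme or host differs
    from expected_origin.  Any hit means X-Forwarded-Proto / Host are not
    reaching Keycloak or proxy-address-forwarding is off."""
    want = urlsplit(expected_origin)
    doc = json.loads(discovery_json)
    wrong = {}
    for field, url in advertised_urls(doc):
        got = urlsplit(url)
        if (got.scheme, got.netloc) != (want.scheme, want.netloc):
            wrong[field] = url
    return wrong


if __name__ == "__main__":
    # Usage: curl -s <discovery url> | python check_origin.py https://keycloak.example.org
    origin = sys.argv[1] if len(sys.argv) > 1 else EXPECTED_ORIGIN
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DISCOVERY
    wrong = find_wrong_origins(data, origin)
    for field, url in wrong.items():
        print(f"{field}: {url}")
    sys.exit(1 if wrong else 0)
```

Pipe the output of John's curl command (without the `| jq .issuer`) into the script with the public origin as the argument; a clean run prints nothing and exits 0. Run it both from behind the LB with the forwarded headers set by hand, as in his example, and through the LB itself, since the second run is the one that proves the balancer actually sends X-Forwarded-Proto and preserves Host.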
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 23 May 2017 13:13:21 -0300
Subject: [keycloak-user] Policy Evaluation Tool - "No scopes available"
In-Reply-To: References: Message-ID:

Hey Bettina, I also noticed this and it is a bug. Will fix it.

On Tue, May 23, 2017 at 10:15 AM, Hübner, Bettina <Bettina.Huebner at kvbawue.de> wrote:
> Hi,
>
> It seems the representation of the evaluation result has been changed in
> version 3.1.0.Final (Policy evaluation tool, admin console) (compared to
> 2.5.0.Final and also 3.0.0.Final).
>
> Before, it showed with scopes [list of all scopes of the
> resource] and the details for the resource listed all allowed scopes.
>
> Now, in version 3.1.0.Final, it shows with scopes
> [apparently allowed scopes] and the details for the resource always show
> "no scopes available" as scopes, even if the user has the permission for
> some or all scopes of the resource (the tooltip still shows "The list of
> allowed scopes.").
>
> I find this new representation a little bit confusing. At least I would
> expect that "scopes" lists the allowed scopes for a resource as it did
> before.
>
> Kind regards
> Bettina
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Tue May 23 16:21:22 2017
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 23 May 2017 17:21:22 -0300
Subject: [keycloak-user] Policy Evaluation Tool - "No scopes available"
In-Reply-To: References: Message-ID:

Bettina, I have this now fixed in upstream. Do you have any other information you would like to see from evaluation results?

I have enhanced the result page to show the scopes that were granted/denied if the permission evaluated was a scope permission.

Regards.
Pedro Igor

On Tue, May 23, 2017 at 1:13 PM, Pedro Igor Silva wrote:
> Hey Bettina, I also noticed this and it is a bug. Will fix it.
>
> On Tue, May 23, 2017 at 10:15 AM, Hübner, Bettina <Bettina.Huebner at kvbawue.de> wrote:
>
>> Hi,
>>
>> It seems the representation of the evaluation result has been changed in
>> version 3.1.0.Final (Policy evaluation tool, admin console) (compared to
>> 2.5.0.Final and also 3.0.0.Final).
>>
>> Before, it showed with scopes [list of all scopes of the
>> resource] and the details for the resource listed all allowed scopes.
>>
>> Now, in version 3.1.0.Final, it shows with scopes
>> [apparently allowed scopes] and the details for the resource always show
>> "no scopes available" as scopes, even if the user has the permission for
>> some or all scopes of the resource (the tooltip still shows "The list of
>> allowed scopes.").
>>
>> I find this new representation a little bit confusing. At least I would
>> expect that "scopes" lists the allowed scopes for a resource as it did
>> before.
>>
>> Kind regards
>> Bettina
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From mathias.goeppel at daimler.com Wed May 24 02:59:34 2017
From: mathias.goeppel at daimler.com (mathias.goeppel at daimler.com)
Date: Wed, 24 May 2017 06:59:34 +0000
Subject: [keycloak-user] rolling upgrade
Message-ID: <299B9AF9-2389-4E23-8FA8-69EA0F29C7E9@daimler.com>

Hello everyone,

for a few months we have been using keycloak at car2go. Currently we are on keycloak version 2.5.4.Final but we'd like to upgrade. Is there any documented way to do this in a clustered environment without downtime? Are older versions compatible with the new database schema so we can perform a rolling upgrade? Are objects cached in Infinispan compatible?

The only documentation I found so far is https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationFromOlderVersions.html but this does involve downtime. Am I missing something? What is the approach you would recommend?

Thanks in advance
- mat

If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

From mposolda at redhat.com Wed May 24 03:21:37 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 24 May 2017 09:21:37 +0200
Subject: [keycloak-user] LDAP Password as Environment Variable

No, this is not available. Feel free to create a JIRA, but I am not sure if/when we will add it. I see some possible issues with it, especially in a cluster environment: I wonder if changing the environment variable on one node but leaving the old one on the second node can cause inconsistency issues etc. But maybe not if you have something like OpenShift/Kubernetes, which allows you to set the environment variable for all the Docker containers in one place.

Anyway, for now, you need to invoke the REST endpoint to change the LDAP configuration when you want to change the LDAP password.

Marek

On 23/05/17 13:30, Denny Israel wrote:
> Hi,
>
> I am running keycloak as a docker container and have configured an ldap server for user federation. Keycloak needs a username and a password to access the ldap server (Bind DN, Bind Credential). When the password changes I have to manually change it in the keycloak admin console. Is there a way to tell keycloak to read the password from an environment variable? This way I could specify the password when starting my docker container and maintain the password within my docker environment.
>
> Best regards
> Denny

From sthorger at redhat.com Wed May 24 03:54:11 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 24 May 2017 09:54:11 +0200
Subject: [keycloak-user] Keycloak Performance with large number of realms

Sure, please create a JIRA and link it to https://issues.jboss.org/browse/KEYCLOAK-4593

Does this PR help: https://github.com/keycloak/keycloak/pull/3561?

On 23 May 2017 at 15:04, John D. Ament wrote:
> Stian,
>
> We just got a report of a new issue, not sure if it's related to the existing one but I can create a ticket on your side if it makes sense.
>
> When accessing /auth/realms/master/protocol/openid-connect/token we are seeing 3k SQLs being executed of this format:
>
>     select compositer0_.COMPOSITE as COMPOSIT1_16_0_, compositer0_.CHILD_ROLE as CHILD_RO2_16_0_,
>            roleentity1_.ID as ID1_38_1_, roleentity1_.CLIENT as CLIENT8_38_1_,
>            roleentity1_.CLIENT_REALM_CONSTRAINT as CLIENT_R2_38_1_, roleentity1_.CLIENT_ROLE as CLIENT_R3_38_1_,
>            roleentity1_.DESCRIPTION as DESCRIPT4_38_1_, roleentity1_.NAME as NAME5_38_1_,
>            roleentity1_.REALM as REALM9_38_1_, roleentity1_.REALM_ID as REALM_ID6_38_1_,
>            roleentity1_.SCOPE_PARAM_REQUIRED as SCOPE_PA7_38_1_
>     from COMPOSITE_ROLE compositer0_
>     inner join KEYCLOAK_ROLE roleentity1_ on compositer0_.CHILD_ROLE=roleentity1_.ID
>     where compositer0_.COMPOSITE=?
>
> On Wed, May 10, 2017 at 12:40 PM John D. Ament wrote:
>
>> Stian,
>>
>> Good news. Glad to see these things get prioritized. So far they look like they're matching the problems I'm running into, specifically around the whoami endpoint and overall number of SQLs (2800 queries in one of my tests) and the total number of DB connections allocated within that one request (3200+).
>>
>> John
>>
>> On Wed, May 10, 2017 at 8:02 AM Stian Thorgersen wrote:
>>
>>> There are a number of issues around having a large number of realms. We have a general issue open to support this:
>>> https://issues.jboss.org/browse/KEYCLOAK-4593
>>>
>>> We haven't prioritized this in the past, but that has changed and we would like to get this sorted out.
>>>
>>> There's a few more related PRs including the one you linked:
>>> https://github.com/keycloak/keycloak/pull/3557
>>> https://github.com/keycloak/keycloak/pull/3561
>>>
>>> On 10 May 2017 at 12:35, John D. Ament wrote:
>>>
>>>> Hi,
>>>>
>>>> After enabling Keycloak and starting work on a multi-tenant application, it was noted that the admin console started to get very slow in keycloak. After some searching around, it seemed like this was an already reported issue [1] and a fix underway [2]. I was wondering if this fix would make it into 3.2?
>>>>
>>>> If additional testing is needed, I'd be happy to help out. Deleting 161 realms with minimal clients and users took me 15 minutes via the REST API.
>>>>
>>>> [1]: https://issues.jboss.org/browse/KEYCLOAK-4858
>>>> [2]: https://github.com/keycloak/keycloak/pull/4095

From mitya at cargosoft.ru Wed May 24 04:25:11 2017
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Wed, 24 May 2017 11:25:11 +0300
Subject: [keycloak-user] Performance loss migrating from Keycloak 1.7.0 to Keycloak 2.5.5/3.x
In-Reply-To: <47ab2a7e-c881-154f-42b5-0bf749ae04e4@redhat.com>
References: <47ab2a7e-c881-154f-42b5-0bf749ae04e4@redhat.com>
Message-ID: <1495614311.3050.5.camel@cargosoft.ru>

Hi Bill,

By the way, can we roughly estimate the amount of memory allocated per cached user? We are planning a deployment with ~4M users, so I'm wondering if the entire user set can fit into the RAM of a typical server. If yes, do you think it would be a good idea to write an extension for cache warm-up (i.e., to launch a background thread upon Keycloak startup that would gradually load all the users into the cache)? I think that could improve response times for restarted / newly added cluster nodes.

Thanks,
Dmitry

> The entire user is cached (role mappings, attributes, etc.) the first time it is accessed. Maybe in your old User Federation Provider, you loaded stuff on demand? Another thing you could try is to ditch the import. The new User Storage Model supports a non-import mode if you implement it correctly.
>
> On 5/16/17 9:09 AM, Vito Vessia wrote:
> > Hi all,
> > we have adopted Keycloak as the foundation for our identity services since the beginning (July 2015) and after an initial development period in which we developed our federation/mail/whatever providers, we fixed the underlying Keycloak version to 1.7.0 for more than one year.
> > Recently we have upgraded to Keycloak 2.5.5, doing a big reworking related to the new architecture of the former Federation providers, etc...
> > The first impression is that it is more robust and stable, but it seems to be slower than the 1.7.0 version. Without any SPI installed, using a raw keycloak realm, on the same machine the pure login via OpenID Connect endpoints takes:
> >
> > 30 ms on Keycloak 1.7.0 (average value after 100 logins)
> > 100 ms on Keycloak 2.5.5 (average value after 100 logins)
> >
> > We get the same gap both with H2 and Oracle database.
> >
> > If we mount our SPI providers (User Storage and others), the gap is greater, but of course it could be an issue in our code after the migration to the new SPI architecture.
> >
> > Is there a specific reason for this gap? (i.e. a better management of the concurrency).
> > Is there a specific setting/strategy to improve the performance?
> >
> > The configuration has been tested both on Linux and Windows on a standalone server. The Wildfly -Xmx has been set to 1g on both Keycloak versions.
> >
> > --Vito Vessia

From john.d.ament at gmail.com Wed May 24 06:11:39 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 24 May 2017 10:11:39 +0000
Subject: [keycloak-user] Keycloak Performance with large number of realms

Stian,

No, I don't believe it's in that PR. This seems to be the table "CHILD_ROLE" which has a large number of queries being executed against it. But I'm not sure which entity that maps to in your persistence.xml
https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/resources/META-INF/persistence.xml

John

On Wed, May 24, 2017 at 3:54 AM Stian Thorgersen wrote:
> Sure, please create a JIRA and link it to
> https://issues.jboss.org/browse/KEYCLOAK-4593
>
> Does this PR help: https://github.com/keycloak/keycloak/pull/3561?

From Bettina.Huebner at kvbawue.de Wed May 24 08:12:37 2017
From: Bettina.Huebner at kvbawue.de (Hübner, Bettina)
Date: Wed, 24 May 2017 12:12:37 +0000
Subject: [keycloak-user] Policy Evaluation Tool - "No scopes available"

No, I think that's enough information. Also showing the scopes that were denied is a good enhancement.

Thanks
Bettina

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Tuesday, 23 May 2017 22:21
To: Hübner, Bettina
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Policy Evaluation Tool - "No scopes available"

Bettina,

I have this now fixed in upstream. Do you have any other information you would like to see from evaluation results? I have enhanced the result page to show the scopes that were granted/denied if the permission evaluated was a scope permission.

Regards.
Pedro Igor

From hmlnarik at redhat.com Wed May 24 09:10:13 2017
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 24 May 2017 15:10:13 +0200
Subject: [keycloak-user] basic saml attribute send question
In-Reply-To: <1c328de7-a1c9-64b8-2c79-91fc3e244957@merit.unu.edu>
References: <1c328de7-a1c9-64b8-2c79-91fc3e244957@merit.unu.edu>

You can set up "LDAP Filter" in the group-ldap-mapper configuration to restrict the groups returned by this query:

"LDAP Filter adds additional custom filter to the whole query for retrieve LDAP groups. Leave this empty if no additional filtering is needed and you want to retrieve all groups from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'"

--Hynek

On Tue, May 23, 2017 at 12:33 PM, lists wrote:
> Hi,
>
> Running keycloak 2.5.0 with the AD federation provider. We configured the group-ldap-mapper, this all works beautifully.
>
> Created a simplesamlphp test page, and all AD group memberships are displayed in a list after a successful logon. Good start.
>
> But now, to make this more secure and confidential, we would like to NOT display ALL groups after login, but only send specific SAML attributes, depending on group memberships.
>
> So suppose a user is a member of AD group1, group2 and group3. We would like to make a config to send attribute "group1", but keep the rest of the groups hidden.
>
> I'm sure this is _very_ basic functionality... But can anyone give us some pointers/keywords on how to do this..?
>
> Best regards,
> MJ

--
--Hynek

From sthorger at redhat.com Wed May 24 09:42:18 2017
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 24 May 2017 15:42:18 +0200
Subject: [keycloak-user] Keycloak Performance with large number of realms

That's used by composite roles. It is probably invoked on all roles in the realm. Could probably be fetched eagerly rather than lazily. Can you create a JIRA please?

On 24 May 2017 at 12:11, John D. Ament wrote:
> Stian,
>
> No, I don't believe it's in that PR. This seems to be the table "CHILD_ROLE" which has a large number of queries being executed against it. But I'm not sure which entity that maps to in your persistence.xml
> https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/resources/META-INF/persistence.xml
>
> John

From sesnor.silva at sapo.pt Wed May 24 10:44:48 2017
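The composite-role lookup discussed in the thread above (one SELECT on COMPOSITE_ROLE per composite visited, versus Stian's suggestion to fetch eagerly), reproduced as an added example that is not code from the thread or from Keycloak: an in-memory SQLite copy of the two tables the quoted SQL touches, a lazy expansion that issues the quoted statement once per composite, and an eager variant that loads the realm's composite edges in one statement. The fixture data, the SELECT counter and the REALM_ID join used by the eager query are constructed here.

```python
"""Added example: lazy (per-composite) vs eager (per-realm) expansion of
composite roles, with the number of SELECT statements each one issues.
Fixture data, the counter and REALM_EDGES_SQL are constructed for this demo."""
import sqlite3
from collections import defaultdict

# Same shape as the statement quoted in the thread: one round trip per composite.
CHILD_ROLES_SQL = """
SELECT roleentity1_.ID, roleentity1_.NAME
  FROM COMPOSITE_ROLE compositer0_
  INNER JOIN KEYCLOAK_ROLE roleentity1_
          ON compositer0_.CHILD_ROLE = roleentity1_.ID
 WHERE compositer0_.COMPOSITE = ?
"""

# Constructed here: every composite edge of one realm in a single statement.
REALM_EDGES_SQL = """
SELECT c.COMPOSITE, c.CHILD_ROLE
  FROM COMPOSITE_ROLE c
  INNER JOIN KEYCLOAK_ROLE r ON r.ID = c.COMPOSITE
 WHERE r.REALM_ID = ?
"""


def build_db(n_realms, roles_per_realm):
    """Constructed fixture: realm r owns realm{r}-role0..role{N-1}; role i is a
    composite whose only child is role i+1, so role0 expands to the whole realm."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE KEYCLOAK_ROLE (ID TEXT PRIMARY KEY, NAME TEXT, REALM_ID TEXT);
        CREATE TABLE COMPOSITE_ROLE (COMPOSITE TEXT, CHILD_ROLE TEXT);
    """)
    for r in range(n_realms):
        realm = f"realm{r}"
        ids = [f"{realm}-role{i}" for i in range(roles_per_realm)]
        conn.executemany("INSERT INTO KEYCLOAK_ROLE VALUES (?, ?, ?)",
                         [(rid, rid.split("-", 1)[1], realm) for rid in ids])
        conn.executemany("INSERT INTO COMPOSITE_ROLE VALUES (?, ?)",
                         list(zip(ids[:-1], ids[1:])))
    conn.commit()
    return conn


def expand_lazy(conn, role_ids):
    """Lazy expansion: each composite visited costs one CHILD_ROLES_SQL round
    trip, which is the N+1 pattern behind the 3k statements on the token endpoint."""
    effective, stack = set(), list(role_ids)
    while stack:
        rid = stack.pop()
        if rid in effective:
            continue
        effective.add(rid)
        for child_id, _name in conn.execute(CHILD_ROLES_SQL, (rid,)).fetchall():
            stack.append(child_id)
    return effective


def expand_eager(conn, realm_id, role_ids):
    """Eager expansion: one statement fetches the realm's composite graph,
    then the closure is computed in memory with no further SQL."""
    children = defaultdict(list)
    for parent, child in conn.execute(REALM_EDGES_SQL, (realm_id,)).fetchall():
        children[parent].append(child)
    effective, stack = set(), list(role_ids)
    while stack:
        rid = stack.pop()
        if rid in effective:
            continue
        effective.add(rid)
        stack.extend(children.get(rid, ()))
    return effective


def count_selects(conn, fn):
    """Run fn() and return (result, number of SELECT statements executed)."""
    counter = {"n": 0}

    def trace(statement):
        if statement.lstrip().upper().startswith("SELECT"):
            counter["n"] += 1

    conn.set_trace_callback(trace)
    try:
        return fn(), counter["n"]
    finally:
        conn.set_trace_callback(None)


def compare(n_realms=3, roles_per_realm=50):
    """Expand a user holding the top composite of realm0 both ways and report
    the effective role count and the SELECTs each strategy issued."""
    conn = build_db(n_realms, roles_per_realm)
    mapped = ["realm0-role0"]
    lazy, lazy_q = count_selects(conn, lambda: expand_lazy(conn, mapped))
    eager, eager_q = count_selects(conn, lambda: expand_eager(conn, "realm0", mapped))
    assert lazy == eager, "both strategies must yield the same effective roles"
    return {"roles": len(lazy), "lazy_queries": lazy_q, "eager_queries": eager_q}


if __name__ == "__main__":
    print(compare())
```

With the default fixture the lazy path issues one SELECT per role in the realm while the eager path issues exactly one, which is the gap that grows with role count per realm and per request.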
From: sesnor.silva at sapo.pt (sesnor.silva at sapo.pt)
Date: Wed, 24 May 2017 15:44:48 +0100
Subject: [keycloak-user] CORS problems
In-Reply-To: <20170523140340.Horde.g-_pXLxAean5InXQ-CHmlQ0@mail.sapo.pt>
Message-ID: <20170524154448.Horde.cWWRPUNHO0FFtRbIRKLWC0a@mail.sapo.pt>

Hello again,

I forgot to mention I'm using Keycloak 3.1.0 Final. Meanwhile I searched a bit more and found more people with the same problem, but sadly, no solution:
http://lists.jboss.org/pipermail/keycloak-user/2014-May/000259.html
http://lists.jboss.org/pipermail/keycloak-user/2016-May/006147.html

I also made a really basic WAR application, protected by keycloak, that just says "Hello" when you access the route /hello. The minimal client code that reproduces the problem:

I'm able to login successfully and acquire a valid working token. However the AJAX call fails with the same errors mentioned before.

In Chrome 57 and Opera: "The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost, http://localhost', but only one is allowed. Origin 'http://localhost' is therefore not allowed access."

In Firefox 52: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '(null)')".

It works in IE11 but the page refreshes constantly, similar to what I've mentioned here: http://lists.jboss.org/pipermail/keycloak-user/2017-May/010677.html, even when accepting third-party cookies.

Anyone have any hints please? What's going on with my setup? :(

Some additional information:

My API has the CORS filter enabled, like this:

    <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
        <init-param>
            <param-name>cors.allowed.origins</param-name>
            <param-value>*</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.methods</param-name>
            <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.headers</param-name>
            <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
        </init-param>
        <init-param>
            <param-name>cors.exposed.headers</param-name>
            <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
        </init-param>
        <init-param>
            <param-name>cors.support.credentials</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>cors.preflight.maxage</param-name>
            <param-value>10</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

My Client has "enable-cors": true.

Strangely I'm able to access the API through cURL if I use the valid access-token.

Any help is appreciated at this point :(.

Best regards,
Silva

Quoting sesnor.silva at sapo.pt:
> Hello,
>
> I have protected a Java web application that's compiled in a WAR package and accessible through a Tomcat 8 server. To do this I followed the steps here:
> https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/tomcat-adapter.html
>
> My Java Application is a RESTful API which can only be accessed by authorized users that bear a token.
>
> In Keycloak I configured my client (and keycloak.json) as follows:
>     {
>       "realm": "MainDomain",
>       "bearer-only": true,
>       "auth-server-url": "http://:8081/auth",
>       "ssl-required": "none",
>       "resource": "main-domain-server"
>     }
>
> If I have a valid token I can access the service fine through cURL requests. However, using any browser (Firefox, Chrome, Opera, except IE, which for some reason works) I can't access any resource through AJAX as I get CORS problems:
> "Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 401."
>
> I searched around and found I should put "enable_cors": true in my keycloak.json, however this causes the following CORS problem:
> "The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:3000, http://localhost:3000', but only one is allowed. Origin 'http://localhost:3000' is therefore not allowed access."
>
> I think I'm out of ideas at the moment on what could be causing this.
> Does anyone have any idea what could be wrong in my configuration?
>
> My best regards,
> Silva

From celso.agra at gmail.com Wed May 24 17:37:00 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Wed, 24 May 2017 18:37:00 -0300
Subject: [keycloak-user] How to create a Validation Flow to Registration Form using Authentication SPI?

Hi all,

Need help please. I'm trying to create a validation class to add some rules when a user tries to do a registration (just to validate the username). So, I saw this link:
https://keycloak.gitbooks.io/documentation/server_development/topics/auth-spi.html
and this project:
https://github.com/keycloak/keycloak/tree/master/examples/providers/authenticator

But I still have some questions about how I could create my own validation form in the register.ftl. So, my question is: Should I create just one class as in the example of "org.keycloak.authentication.forms.RegistrationProfile"? Here is the example below:

*file:* br.gov.pe.sso.keycloak.forms.UsernameFormRegistrationProfile.java

    package br.gov.pe.sso.keycloak.forms;

    import org.keycloak.authentication.FormAction;
    import org.keycloak.authentication.FormActionFactory;
    import org.keycloak.authentication.ValidationContext;

    public class UsernameFormRegistrationProfile implements FormAction, FormActionFactory {

        // Called when the registration form is submitted; the remaining
        // FormAction/FormActionFactory methods still have to be implemented.
        @Override
        public void validate(ValidationContext context) {
            /*... my validation here!! ...*/
        }
    }

and finally

*file:* META-INF/services/org.keycloak.authentication.FormActionFactory

    br.gov.pe.sso.keycloak.forms.UsernameFormRegistrationProfile

So, for now, I just need to create my own jar and add it into a specific folder. Is that right? Or should I add it into the keycloak project and then re-generate the war project? Would it be possible to extend the RegistrationProfile class?

I'm sorry for that bunch of questions :)

Thanks a lot!
Best regards

--
---
*Celso Agra*

From john.d.ament at gmail.com Wed May 24 23:07:45 2017
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 25 May 2017 03:07:45 +0000
Subject: [keycloak-user] Keycloak Performance with large number of realms

Ok, so I think I have a fix working, but one question I have is whether the existing PR for performance fixes will be getting merged in to 3.2? While it's a different problem it touches a lot of the same areas so it will create some conflicts if either gets merged first. Likewise if I have a fix for this, would you consider it part of 3.2?

It also seems to me that there's an inherent problem with how some of the authorizations are done via Keycloak. Specifically, it seems that a client authenticated to master is getting the roles from all realms, which is really what is causing these problems. So while I can fix queries, without a fix in that area this type of problem can keep popping up.

On Wed, May 24, 2017 at 9:42 AM Stian Thorgersen wrote:
> That's used by composite roles. It is probably invoked on all roles in the realm. Could probably be fetched eagerly rather than lazily. Can you create a JIRA please?

From lists at merit.unu.edu Thu May 25 06:24:26 2017
From: lists at merit.unu.edu (mj)
Date: Thu, 25 May 2017 12:24:26 +0200
Subject: [keycloak-user] basic saml attribute send question
References: <1c328de7-a1c9-64b8-2c79-91fc3e244957@merit.unu.edu>

Hi,

On 05/24/2017 03:10 PM, Hynek Mlnarik wrote:
> You can set up "LDAP Filter" in the group-ldap-mapper configuration to
> restrict the groups returned by this query:

Like that I would only import certain groups, I guess. But I would like to import all groups, and configure in the specific client configuration what group/groups to send. (Or only send a SAML attribute when the user is a member of a group.)

MJ

From bburke at redhat.com Thu May 25 14:15:20 2017
From: bburke at redhat.com (Bill Burke)
Date: Thu, 25 May 2017 14:15:20 -0400
Subject: [keycloak-user] Admin API Authz was Re: Keycloak Performance with large number of realms
Message-ID: <881802f4-9863-176c-7f3b-760a39aed4d6@redhat.com>

[keycloak-dev] See below thread. I think that this problem might be solved by the work I'm doing. I'm changing the admin console to not include roles in the token. The Admin REST API instead will see that the token was generated for the console client (by "aud" claim) and look up role mappings directly. I have to do this anyways because with the new fine grain admin permissions, I don't want admins to have to change the scope of the admin console client every time a new fine grain permission policy is specified.

On 5/24/17 11:07 PM, John D. Ament wrote:
> Ok, so I think I have a fix working, but one question I have is whether the existing PR for performance fixes will be getting merged in to 3.2? While it's a different problem it touches a lot of the same areas so it will create some conflicts if either gets merged first. Likewise if I have a fix for this, would you consider it part of 3.2?
>
> It also seems to me that there's an inherent problem with how some of the authorizations are done via Keycloak. Specifically, it seems that a client authenticated to master is getting the roles from all realms, which is really what is causing these problems. So while I can fix queries, without a fix in that area this type of problem can keep popping up.

From hylton.peimer at datos-health.com Thu May 25 15:50:47 2017
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Thu, 25 May 2017 22:50:47 +0300
Subject: [keycloak-user] Spring checks Bearer token for permitted requests
Message-ID:

I have an instance of KeycloakWebSecurityConfigurerAdapter that contains the following configuration:

    protected void configure(HttpSecurity httpSecurity) throws Exception {
        super.configure(httpSecurity);

        httpSecurity
            .antMatcher("/mobile/**")
            .authorizeRequests()
            .antMatchers("/mobile/api/login", "/mobile/api/refresh").permitAll()
            .antMatchers("/mobile/api/**").authenticated()
            ..........

The Client is set up for bearer-only.

It works fine, except when the access token expires.

Some mobile clients send the expired token as a header in the call to "/mobile/api/refresh".

The problem is that even though "/mobile/api/refresh" is marked as permitAll, the request is blocked.

It's not possible to fix all the mobile clients. How could I configure Spring to ignore the bearer token for the "permitAll" calls, or remove the header?
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 26 May 2017 06:39:42 +0200
Subject: [keycloak-user] rolling upgrade
In-Reply-To: <299B9AF9-2389-4E23-8FA8-69EA0F29C7E9@daimler.com>
References: <299B9AF9-2389-4E23-8FA8-69EA0F29C7E9@daimler.com>
Message-ID:

Hi,

no we don't have support for this. You would need to possibly do it manually in more steps like:

1) Copy your DB to some other location (eg. my-db2)
2) Stop one of the cluster nodes (eg. node1), update it and start it against the new my-db2. Make sure it's started in an isolated cluster. I think this can be done by tweaking the "-u" property to use a different multicast address though. Also make sure that loadbalancer requests will ignore it.
3) Once node1 is started against the updated database, you can point your loadbalancer to use it.
4) Then you can stop the other cluster nodes and start them against "my-db2" to join the same cluster as node1.

Not sure, maybe the process can/needs to be different according to your setup. I see the biggest issue is that there is a time window between steps 1-4, which can cause DB inconsistencies. For example your new updated DB will be "my-db2", but at the time when node1 is starting and updating this DB, there may be new writes to the original DB. For example some user may register or update his account in the meantime. Those updates will then be lost.

Marek

On 24/05/17 08:59, mathias.goeppel at daimler.com wrote:
> Hello everyone,
>
> for a few months we have been using keycloak at car2go. Currently we are on keycloak version 2.5.4.Final but we'd like to upgrade. Is there any documented way how to do this in a clustered environment without downtime?
>
> Are older versions compatible to the new database scheme so we can perform a rolling upgrade? Are objects cached in Infinispan compatible?
>
> The only documentation I found so far is https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationFromOlderVersions.html but this does involve downtime. Am I missing something? What is the approach you would recommend?
>
> Thanks in advance - mat
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 26 May 2017 08:15:05 +0200
Subject: [keycloak-user] Spring checks Bearer token for permitted requests
In-Reply-To:
References:
Message-ID:

I haven't tried it but you could try to override the configure(WebSecurity web) method as well:

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/mobile/api/login", "/mobile/api/refresh");
    }
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Fri, 26 May 2017 09:48:52 +0300
Subject: [keycloak-user] Spring checks Bearer token for permitted requests
In-Reply-To:
References:
Message-ID:

Unfortunately that didn't work.

I've implemented a hack which is something like overriding the KeycloakAuthenticationProcessingFilter and returning an AnonymousAuthenticationToken if the particular path is requested.

Maybe there's a more elegant way.

    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        KeycloakAuthenticationProcessingFilter filter =
                new KeycloakAuthenticationProcessingFilter(this.authenticationManagerBean()) {
            @Override
            public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
                    throws AuthenticationException, IOException, ServletException {
                if (request.getServletPath().equals("/mobile/api/refresh")) {
                    logger.error("Mobile device sent expired bearer token for /mobile/api/refresh request");
                    return new AnonymousAuthenticationToken("blah", "blah",
                            Collections.singleton(new SimpleGrantedAuthority("blah")));
                }
                return super.attemptAuthentication(request, response);
            }
        };
        filter.setSessionAuthenticationStrategy(this.sessionAuthenticationStrategy());
        return filter;
    }
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 26 May 2017 12:02:12 +0200
Subject: [keycloak-user] Spring checks Bearer token for permitted requests
In-Reply-To:
References:
Message-ID:

Hum, interesting indeed. I did the test, the ignoring stuff works as long as no token is added ... I wonder if this is working as designed or if it is actually a bug.
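A less intrusive variant of the hack above, added here as an example rather than code from the thread or from the Keycloak adapter: instead of faking an anonymous token inside attemptAuthentication, the filter is built with a request matcher that excludes the permitAll paths, so it never runs on them and an expired Authorization header there is simply not examined. It relies on the adapter's public DEFAULT_REQUEST_MATCHER constant and its (AuthenticationManager, RequestMatcher) constructor plus Spring Security's request-matcher classes; the class name MobileApiSecurityConfig is made up.

```java
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Added example, not code from the thread or from the Keycloak adapter.
 * The bearer filter gets a request matcher that excludes the permitAll
 * endpoints, so an expired Authorization header sent to /mobile/api/refresh
 * is never examined and cannot block the request.
 */
@EnableWebSecurity
public class MobileApiSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    /** Exactly the paths that are permitAll in configure(HttpSecurity) below. */
    private static final String[] PUBLIC_PATHS = {"/mobile/api/login", "/mobile/api/refresh"};

    /** Matches every request except the public paths. */
    static RequestMatcher notPublicPath() {
        return new NegatedRequestMatcher(new OrRequestMatcher(
                new AntPathRequestMatcher(PUBLIC_PATHS[0]),
                new AntPathRequestMatcher(PUBLIC_PATHS[1])));
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        // Standard adapter wiring: Keycloak tokens are validated by this provider.
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // Bearer-only API: never create an HTTP session for a token.
        return new NullAuthenticatedSessionStrategy();
    }

    @Bean
    @Override
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        // The adapter's default matcher fires on /sso/login, on an Authorization
        // header or on an access_token query parameter. AND-ing it with
        // notPublicPath() keeps that behaviour everywhere except on the public
        // endpoints, which now reach authorizeRequests() with no Authentication
        // at all, and permitAll admits them.
        RequestMatcher requiresAuthentication = new AndRequestMatcher(
                KeycloakAuthenticationProcessingFilter.DEFAULT_REQUEST_MATCHER,
                notPublicPath());
        KeycloakAuthenticationProcessingFilter filter =
                new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), requiresAuthentication);
        filter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.antMatcher("/mobile/**")
            .authorizeRequests()
                .antMatchers(PUBLIC_PATHS).permitAll()
                .antMatchers("/mobile/api/**").authenticated();
    }
}
```

The excluded endpoints then see every caller as anonymous, valid token or not, which is what permitAll means anyway; keep PUBLIC_PATHS identical to the permitAll list so the two never drift apart.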
From: john.d.ament at gmail.com (John D. Ament)
Date: Fri, 26 May 2017 10:11:03 +0000
Subject: [keycloak-user] Admin API Authz was Re: Keycloak Performance with large number of realms
In-Reply-To: <881802f4-9863-176c-7f3b-760a39aed4d6@redhat.com>
References: <881802f4-9863-176c-7f3b-760a39aed4d6@redhat.com>
Message-ID:

Bill,

Is this something for 3.2?

If I had to guess, based on what I'm seeing, yes, this would fix the underlying issues. I'm assuming that the association to the realms involves loading all of the realms from the database, and specifically granting for all of the existing permissions?

John
From: bburke at redhat.com (Bill Burke)
Date: Fri, 26 May 2017 08:42:25 -0400
Subject: [keycloak-user] Admin API Authz was Re: Keycloak Performance with large number of realms
In-Reply-To:
References: <881802f4-9863-176c-7f3b-760a39aed4d6@redhat.com>
Message-ID:

I don't think I'm going to get it in for 3.2. But it's coming.
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 26 May 2017 16:48:33 +0200
Subject: [keycloak-user] CORS problems
In-Reply-To: <20170524154448.Horde.cWWRPUNHO0FFtRbIRKLWC0a@mail.sapo.pt>
References: <20170523140340.Horde.g-_pXLxAean5InXQ-CHmlQ0@mail.sapo.pt> <20170524154448.Horde.cWWRPUNHO0FFtRbIRKLWC0a@mail.sapo.pt>
Message-ID:

Hi,

The problem is that you have defined a CORS filter yourself and also enabled CORS in keycloak.json; that will duplicate the CORS headers and fail. Remove your CORS filter and it should be okay (or disable CORS in keycloak.json).

On Wed, May 24, 2017 at 4:44 PM, wrote:
> Hello again,
>
> I forgot to mention I'm using Keycloak 3.1.0 Final.
> Meanwhile I searched a bit more and found more people with the same
> problem, but sadly, no solution:
> http://lists.jboss.org/pipermail/keycloak-user/2014-May/000259.html
> http://lists.jboss.org/pipermail/keycloak-user/2016-May/006147.html
>
> I also made a really basic WAR application, protected by keycloak,
> that just says "Hello" when you access the route /hello. The minimal
> client code that reproduces the problem:
>
>
>
> I'm able to login successfully and acquire a valid working token.
> However the AJAX call fails with the same errors mentioned before.
>
> In Chrome 57 and Opera: "The 'Access-Control-Allow-Origin' header
> contains multiple values 'http://localhost, http://localhost', but
> only one is allowed. Origin 'http://localhost' is therefore not
> allowed access."
>
> In Firefox 52: "Cross-Origin Request Blocked: The Same Origin Policy
> disallows reading the remote resource. (Reason: CORS header
> 'Access-Control-Allow-Origin' does not match '(null)')".
>
> It works in IE11 but the page refreshes constantly, similar to what
> I've mentioned
> here: http://lists.jboss.org/pipermail/keycloak-user/2017-May/010677.html,
> even when accepting third-party cookies.
>
> Anyone have any hints please? What's going on with my setup? :(
>
> Some additional information:
>
> My API has the CORS filter enabled, like this:
>
> <filter>
>   <filter-name>CorsFilter</filter-name>
>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>   <init-param>
>     <param-name>cors.allowed.origins</param-name>
>     <param-value>*</param-value>
>   </init-param>
>   <init-param>
>     <param-name>cors.allowed.methods</param-name>
>     <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
>   </init-param>
>   <init-param>
>     <param-name>cors.allowed.headers</param-name>
>     <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
>   </init-param>
>   <init-param>
>     <param-name>cors.exposed.headers</param-name>
>     <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
>   </init-param>
>   <init-param>
>     <param-name>cors.support.credentials</param-name>
>     <param-value>true</param-value>
>   </init-param>
>   <init-param>
>     <param-name>cors.preflight.maxage</param-name>
>     <param-value>10</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>CorsFilter</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> My Client has "enable-cors": true.
>
> Strangely I'm able to access the API through cURL if I use the valid
> access-token.
>
> Any help is appreciated at this point :(.
>
> Best regards,
> Silva
>
>
> Citando sesnor.silva at sapo.pt:
>
> > Hello,
> >
> > I have protected a Java web application that's compiled in a WAR
> > package and accessible through a Tomcat 8 server. To do this I followed
> > the steps here:
> > https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/tomcat-adapter.html
> >
> > My Java Application is a RESTful API which can only be accessed by
> > authorized users that bear a token.
> >
> > In Keycloak I configured my client (and keycloak.json) as follows:
> > {
> >   "realm": "MainDomain",
> >   "bearer-only": true,
> >   "auth-server-url": "http://:8081/auth",
> >   "ssl-required": "none",
> >   "resource": "main-domain-server"
> > }
> >
> > If I have a valid token I can access the service fine through cURL
> > requests. However, using any browser (Firefox, Chrome, Opera, except
> > IE, which for some reason works) I can't access any resource through
> > AJAX as I get CORS problems:
> > "Response to preflight request doesn't pass access control check: No
> > 'Access-Control-Allow-Origin' header is present on the requested
> > resource. Origin 'http://localhost:3000' is therefore not allowed
> > access. The response had HTTP status code 401."
> >
> > I searched around and found I should put "enable_cors": true in my
> > keycloak.json, however this causes the following CORS problem:
> > "The 'Access-Control-Allow-Origin' header contains multiple values
> > 'http://localhost:3000, http://localhost:3000', but only one is
> > allowed. Origin 'http://localhost:3000' is therefore not allowed
> > access."
> >
> > I think I'm out of ideas at the moment on what could be causing this.
> > Does anyone have any idea what could be wrong in my configuration?
> >
> > My best regards,
> > Silva
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From shimin_q at yahoo.com Fri May 26 12:04:05 2017
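The duplicated-header failure Sebastien describes can be checked mechanically rather than by reading browser console messages. What follows is an added example, not code from the thread or from Keycloak or Tomcat: it parses a raw HTTP response and applies the browser-side CORS rules to it, using constructed sample responses that reproduce the two errors quoted above (two CORS layers each adding Access-Control-Allow-Origin, and a preflight answered with 401 and no CORS header at all).

```python
"""Check an HTTP response for the CORS failures described in the thread.

Added example, not code from the original messages or from Keycloak/Tomcat.
It parses a raw HTTP/1.1 response head (sample responses constructed below)
and applies the browser rules behind the quoted errors: exactly one
Access-Control-Allow-Origin value, matching the requesting Origin, and no
"*" when credentials are sent.
"""
from typing import List, Tuple

Header = Tuple[str, str]


def parse_response(raw: str) -> Tuple[int, List[Header]]:
    """Return (status code, headers) for a raw HTTP/1.1 response.

    Headers are kept as a list rather than a dict because the defect being
    detected is precisely that one header name appears twice.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cors_problems(status: int, headers: List[Header], origin: str,
                  with_credentials: bool = True, preflight: bool = False) -> List[str]:
    """Reasons a browser would refuse a cross-origin request from `origin`.

    An empty list means the CORS check passes.
    """
    problems = []
    if preflight and not 200 <= status < 300:
        # The 401 in the thread: the adapter rejected the OPTIONS request,
        # so the preflight failed before any header was examined.
        problems.append("preflight response status %d is not 2xx" % status)
    acao = [v for n, v in headers if n == "access-control-allow-origin"]
    if not acao:
        problems.append("no Access-Control-Allow-Origin header present")
        return problems
    if len(acao) > 1:
        # Browsers join repeated headers with ", " and then see one bogus
        # value, which is the "multiple values" error quoted in the thread.
        problems.append("Access-Control-Allow-Origin contains multiple values %r, "
                        "but only one is allowed" % ", ".join(acao))
        return problems
    value = acao[0]
    if value == "*":
        if with_credentials:
            problems.append("wildcard '*' is not allowed when credentials are sent")
    elif value != origin:
        problems.append("Access-Control-Allow-Origin %r does not match origin %r" % (value, origin))
    if with_credentials:
        acac = [v for n, v in headers if n == "access-control-allow-credentials"]
        if acac != ["true"]:
            problems.append("Access-Control-Allow-Credentials must be exactly 'true' "
                            "when credentials are sent")
    return problems


def check_response(raw: str, origin: str, with_credentials: bool = True,
                   preflight: bool = False) -> List[str]:
    status, headers = parse_response(raw)
    return cors_problems(status, headers, origin, with_credentials, preflight)


# Constructed sample: what the thread's setup produces, with both the
# Tomcat CorsFilter and the adapter's enable-cors adding the same headers.
DOUBLE_CORS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: http://localhost\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Access-Control-Allow-Origin: http://localhost\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Hello"
)

# Constructed sample after removing one of the two CORS layers.
SINGLE_CORS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: http://localhost\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Hello"
)

# Constructed sample: preflight rejected with 401 and no CORS headers at all.
UNAUTHORIZED_PREFLIGHT = "HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("double", DOUBLE_CORS_RESPONSE), ("single", SINGLE_CORS_RESPONSE)]:
        print(name, check_response(raw, "http://localhost") or "ok")
    print("preflight", check_response(UNAUTHORIZED_PREFLIGHT, "http://localhost", preflight=True))
```

The checker also flags a wildcard origin combined with credentials, because the posted filter sets both `cors.allowed.origins=*` and `cors.support.credentials=true`; the error text in the thread shows the concrete origin twice rather than `*`, which is consistent with each layer echoing the request's Origin back. Run it against a response captured with curl -i to see which of the two layers is still emitting headers after one is removed.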
From: shimin_q at yahoo.com (shimin q)
Date: Fri, 26 May 2017 16:04:05 +0000 (UTC)
Subject: [keycloak-user] KeyCloak pose no login challenge
References: <552966330.515120.1495814645292.ref@mail.yahoo.com>
Message-ID: <552966330.515120.1495814645292@mail.yahoo.com>

I wrote a simple reactJS web app ("/rtna2") deployed under Tomcat 7. I followed the steps below, but keycloak does not seem to work - no login challenge was posed, and when I type https:///rtna2, it went straight to the web app.

1 - download the tomcat 7 keycloak adaptor zip and unzip in my tomcat lib/
2 - rtna2 app is deployed under tomcat webapps/
3 - modify rtna2/META-INF/context.xml:

4 - add keycloak.json under rtna2/WEB-INF:

{
  "realm": "rtna",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
  "auth-server-url": "https://135.112.180.27:8666/auth",
  "ssl-required": "external",
  "resource": "rtna2",
  "public-client": true
}

5. modify rtna2/WEB-INF/web.xml:

<web-app>
  <display-name>rtna2</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>rtna2</web-resource-name>
      <url-pattern>/rtna2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>rtna</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>sudo</role-name>
  </security-role>
</web-app>

I have tried "KEYCLOAK" also, does not work

6. in the keycloak admin console, added a "rtna" realm, and added "rtna2" client in the realm:

client id: rtna2
Access type: public (tried "confidential" also)
Authorization enabled: on ("off" also)
Root URL: https://135.112.180.27/rtna2
Valid Redirect URLs: https://135.112.180.27/rtna2/*
Base URL: https://135.112.180.27/rtna2
Admin URL: https://135.112.180.27/rtna2
Web Origins: https://135.112.180.27/rtna2/*

I found relative paths for these URLs do not work, it gave me Http 404 not found (https://135.112.180.27/rtna2) error. But once I put the absolute paths, it took me right to the web app without posing the login challenge!

What could possibly be wrong? Please advise! Thanks!!

From shimin_q at yahoo.com Fri May 26 13:10:26 2017
From: shimin_q at yahoo.com (shimin q)
Date: Fri, 26 May 2017 17:10:26 +0000 (UTC)
Subject: [keycloak-user] Fw: KeyCloak either poses no login challenge or throws Null Pointer Exception for web apps deployed in Tomcat
In-Reply-To: <552966330.515120.1495814645292@mail.yahoo.com>
References: <552966330.515120.1495814645292.ref@mail.yahoo.com> <552966330.515120.1495814645292@mail.yahoo.com>
Message-ID: <1181293162.531212.1495818626118@mail.yahoo.com>

Subject: KeyCloak poses no login challenge or throws NullPointer for web apps deployed in Tomcat 7

I wrote a simple reactJS web app ("/rtna2") deployed under Tomcat 7. I followed the steps below, but keycloak does not seem to work - no login challenge was posed, and when I type https:///rtna2, it went straight to the web app.

I did a similar set up for one of our existing webapps deployed in Tomcat 7; this one throws a Null pointer exception:

HTTP Status 500 -
type Exception report
message
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.lang.NullPointerException
    org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107)
    org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79)
    org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Unknown Source)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.69 logs.

Here are the steps I performed:

1 - download the tomcat 7 keycloak adaptor zip and unzip in my tomcat lib/
2 - rtna2 app is deployed under tomcat webapps/
3 - modify rtna2/META-INF/context.xml:

4 - add keycloak.json under rtna2/WEB-INF:

{
  "realm": "rtna",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
  "auth-server-url": "https://135.112.180.27:8666/auth",
  "ssl-required": "external",
  "resource": "rtna2",
  "public-client": true
}

5. modify rtna2/WEB-INF/web.xml:

<web-app>
  <display-name>rtna2</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>rtna2</web-resource-name>
      <url-pattern>/rtna2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>rtna</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>sudo</role-name>
  </security-role>
</web-app>

I have tried "KEYCLOAK" also, does not work

6. in the keycloak admin console, added a "rtna" realm, and added "rtna2" client in the realm:

client id: rtna2
Access type: public (tried "confidential" also)
Authorization enabled: on ("off" also)
Root URL: https://135.112.180.27/rtna2
Valid Redirect URLs: https://135.112.180.27/rtna2/*
Base URL: https://135.112.180.27/rtna2
Admin URL: https://135.112.180.27/rtna2
Web Origins: https://135.112.180.27/rtna2/*

I found relative paths for these URLs do not work, it gave me Http 404 not found (https://135.112.180.27/rtna2) error. But once I put the absolute paths, it took me right to the web app without posing the login challenge!

What could possibly be wrong? Please advise! Thanks!!
From elnaz.razmit at gmail.com Fri May 26 23:54:57 2017 
From: elnaz.razmit at gmail.com (Elnaz razmi)
Date: Fri, 26 May 2017 20:54:57 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain
Message-ID:

hello

please help me about this problem:

We chose to install domain mode keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered but it doesn't show these lines as we can see in the other nodes' connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From elnaz.razmit at gmail.com Sat May 27 05:41:42 2017
From: elnaz.razmit at gmail.com (Elnaz razmi)
Date: Sat, 27 May 2017 02:41:42 -0700
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain
Message-ID:

hello

please help me about this problem:

We chose to install domain mode keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered but it doesn't show these lines as we can see in the other nodes' connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From bburke at redhat.com Sat May 27 08:17:08 2017
From: bburke at redhat.com (Bill Burke)
Date: Sat, 27 May 2017 08:17:08 -0400
Subject: [keycloak-user] KeyCloak pose no login challenge
In-Reply-To: <552966330.515120.1495814645292@mail.yahoo.com>
References: <552966330.515120.1495814645292.ref@mail.yahoo.com> <552966330.515120.1495814645292@mail.yahoo.com>
Message-ID: <60a0d0e9-0b48-c134-940d-80bed757fa8e@redhat.com>

I think I know what it is. Your security constraint is wrong. It should be "/*" for the url pattern, not "/rtna2/*". You are not supposed to specify the root context in web.xml url patterns.

On 5/26/17 12:04 PM, shimin q wrote:
> I wrote a simple reactJS web app ("/rtna2") deployed under Tomcat 7. I followed the steps below, but keycloak does not seem to work - no login challenge was posed, and when I type https:///rtna2, it went straight to the web app.
>
> 1 - download the tomcat 7 keycloak adaptor zip and unzip in my tomcat lib/
> 2 - rtna2 app is deployed under tomcat webapps/
> 3 - modify rtna2/META-INF/context.xml:
>
> 4 - add keycloak.json under rtna2/WEB-INF:
>
> {
>   "realm": "rtna",
>   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
>   "auth-server-url": "https://135.112.180.27:8666/auth",
>   "ssl-required": "external",
>   "resource": "rtna2",
>   "public-client": true
> }
>
> 5. modify rtna2/WEB-INF/web.xml:
>
> <web-app>
>   <display-name>rtna2</display-name>
>   <welcome-file-list>
>     <welcome-file>index.html</welcome-file>
>   </welcome-file-list>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>rtna2</web-resource-name>
>       <url-pattern>/rtna2/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>rtna</realm-name>
>   </login-config>
>   <security-role>
>     <role-name>admin</role-name>
>   </security-role>
>   <security-role>
>     <role-name>user</role-name>
>   </security-role>
>   <security-role>
>     <role-name>sudo</role-name>
>   </security-role>
> </web-app>
>
> I have tried "KEYCLOAK" also, does not work
>
> 6. in the keycloak admin console, added a "rtna" realm, and added "rtna2" client in the realm:
> client id: rtna2
> Access type: public (tried "confidential" also)
> Authorization enabled: on ("off" also)
> Root URL: https://135.112.180.27/rtna2
> Valid Redirect URLs: https://135.112.180.27/rtna2/*
> Base URL: https://135.112.180.27/rtna2
> Admin URL: https://135.112.180.27/rtna2
> Web Origins: https://135.112.180.27/rtna2/*
>
> I found relative paths for these URLs do not work, it gave me Http 404 not found (https://135.112.180.27/rtna2) error. But once I put the absolute paths, it took me right to the web app without posing the login challenge!
>
> What could possibly be wrong? Please advise! Thanks!!

From juanjo.diaz at intopalo.com Sat May 27 08:41:42 2017
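Bill's point, that a url-pattern is matched against the path inside the web application and therefore must not repeat the context root, can be shown concretely. The following is an added example, not code from the thread or from Tomcat: it reimplements the servlet url-pattern mapping rules and applies them to the thread's context path /rtna2, so the difference between "/rtna2/*" (which never matches a real request and leaves the app open) and "/*" is visible as a boolean rather than as a missing login page.

```python
"""Servlet url-pattern matching, to show why "/rtna2/*" protects nothing.

Added example, not code from the original messages or from Tomcat. It
reimplements the servlet mapping rules (exact, path prefix "/x/*",
extension "*.ext", default "/") and applies them the way a container
applies a <security-constraint> url-pattern: to the path *inside* the web
application, after the context path has been removed. Request URIs and
context paths below are taken from or modelled on the thread.
"""
from typing import List


def path_within_context(request_uri: str, context_path: str) -> str:
    """The part of the request URI that url-patterns are matched against."""
    if context_path in ("", "/"):
        return request_uri
    if request_uri == context_path:
        return ""  # request for the context root itself
    if not request_uri.startswith(context_path + "/"):
        raise ValueError("%r is not inside context %r" % (request_uri, context_path))
    return request_uri[len(context_path):]


def pattern_matches(url_pattern: str, path: str) -> bool:
    """Servlet specification mapping rules for one url-pattern."""
    if url_pattern == "/":
        return True  # default mapping: everything
    if url_pattern.endswith("/*"):
        prefix = url_pattern[:-2]  # "/*" -> "", "/api/*" -> "/api"
        return path == prefix or path.startswith(prefix + "/")
    if url_pattern.startswith("*."):
        return path.endswith(url_pattern[1:])  # "*.html" -> ".html"
    return path == url_pattern  # exact match


def is_protected(url_patterns: List[str], context_path: str, request_uri: str) -> bool:
    """True when some constraint pattern covers the request, so the
    Keycloak valve will demand authentication before serving it."""
    path = path_within_context(request_uri, context_path)
    return any(pattern_matches(p, path) for p in url_patterns)


if __name__ == "__main__":
    # The app from the thread: context path /rtna2, welcome file index.html.
    for patterns in (["/rtna2/*"], ["/*"]):
        for uri in ("/rtna2/", "/rtna2/index.html", "/rtna2/api/data"):
            state = "protected" if is_protected(patterns, "/rtna2", uri) else "OPEN"
            print(patterns, uri, state)
```

The only request the original pattern would ever have covered is one whose path inside the app itself begins with /rtna2, i.e. https://host/rtna2/rtna2/..., which is why the app served its pages without any challenge; the check is worth running on every constraint in a web.xml before deployment.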
From: juanjo.diaz at intopalo.com (Juan José Díaz Montaña)
Date: Sat, 27 May 2017 15:41:42 +0300
Subject: [keycloak-user] Token issuer validation fails (internal vs external, NATed environments, etc.)
Message-ID:

Hi everyone,

I'm currently using Keycloak to authenticate a bunch of applications in a private network. I'm using the Javascript, node.js, spring security and spring boot adapters, some using bearer tokens and some not.

Everything works nicely except that our support engineers sometimes need to connect over a NAT gateway. The problem is that the IP/URL used by the support engineers is different than the one seen by the internal network users. So I get errors validating the JWT issuer, especially when using bearer tokens that are generated by external users and passed back to internal services.

I've seen that there used to be the `auth-server-url-for-backend-requests` property just for this use case but it was removed. I've also seen many questions online about this matter but no solution apart from using a DNS, which is not an option for me because of certain restrictions I have.

Finally, I've recently seen someone with the same problem proposing setting checkRealmUrl to false to skip the issuer validator (http://lists.jboss.org/pipermail/keycloak-user/2017-May/010640.html). Is that possible??? I haven't found how without modifying the adapter's code.

Is there any other workaround?

Solutions I could think of are:
- Include a config option to make issuer validation optional (setting checkRealmUrl to false)
- Modify the `auth-server-url` to allow partial URLs that are resolved based on the calling host.
- Modify the `auth-server-url` to be a list so several URLs are accepted, or to allow regexes so all the URLs that match are accepted. This probably requires separating the valid URLs from the URL used for redirections.

This is a deciding factor of whether we can use Keycloak or not, and I'm sure that other people are having the same problem. So if there is no existing workaround, I'm happy to discuss and contribute any changes to the adapters that could help me with this.

--
*Juanjo Díaz*
Software Architect @Intopalo Oy

From john.bartko at drillinginfo.com Sat May 27 13:31:00 2017
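Of the three options listed, the one that keeps the issuer check meaningful is the third: accept a configured set of realm URLs rather than switching validation off. The following is an added example and is not code from the message or from any Keycloak adapter; it assumes a constructed pair of issuer URLs (one internal, one as seen through the NAT gateway) and, so that it runs on the standard library alone, signs the demo tokens with HS256 and a constructed shared secret instead of the realm's RS256 key. Signature, expiry and issuer are all checked, and only the issuer comparison is widened to an allowlist.

```python
"""Validate a token's issuer against an allowlist rather than disabling the check.

Added example, not code from the original message or from the Keycloak
adapters. Keycloak issues RS256-signed tokens; this demo signs with HS256
and a constructed shared secret purely so it runs on the standard library.
It shows the third option from the message: several realm URLs (the
internal one and the NATed one) are accepted as `iss`, while tokens with a
bad signature, an expired `exp`, or any other issuer are still rejected.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional

SECRET = b"constructed-demo-secret"  # assumption: demo HMAC key, not a real realm key

# Constructed allowlist: the same realm reached by two different URLs.
ALLOWED_ISSUERS = [
    "https://keycloak.internal.example/auth/realms/demo",
    "https://nat-gateway.example.com/auth/realms/demo",
]


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: Dict[str, Any], key: bytes = SECRET) -> str:
    """Build a compact JWS (HS256) for the demo; stands in for the realm's signer."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, allowed_issuers: List[str], key: bytes = SECRET,
                 now: Optional[float] = None) -> Dict[str, Any]:
    """Return the claims when signature, expiry and issuer all pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: the token's own header must not choose the check.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    # Compare on normalised URLs (trailing slash stripped), exact membership only.
    issuer = str(claims.get("iss", "")).rstrip("/")
    if issuer not in {u.rstrip("/") for u in allowed_issuers}:
        raise TokenError("issuer %r not in allowlist" % issuer)
    return claims


def rejection_reason(token: str, allowed_issuers: List[str], key: bytes = SECRET,
                     now: Optional[float] = None) -> str:
    """'' when the token is accepted, otherwise the reason it was refused."""
    try:
        verify_token(token, allowed_issuers, key, now)
        return ""
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    exp = time.time() + 300
    for iss in ALLOWED_ISSUERS + ["https://other.example/auth/realms/demo"]:
        tok = make_token({"iss": iss, "sub": "support-engineer", "exp": exp})
        print(iss, "->", rejection_reason(tok, ALLOWED_ISSUERS) or "accepted")
```

The allowlist is an exact-match set after normalising the trailing slash; a regex or prefix match, as the message's third option also contemplates, would let an unrelated host that merely shares a prefix be accepted, so listing the finite set of URLs the realm is actually reachable under is the safer form of the same idea.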
From: john.bartko at drillinginfo.com (John Bartko)
Date: Sat, 27 May 2017 17:31:00 +0000
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain
In-Reply-To:
References:
Message-ID:

Do I understand correctly that:

- when running a domain clustered deployment
- with relatively unmodified domain.xml/host-master.xml/host-slave.xml configurations
- with a domain controller instance (i.e. --host-config=host-master.xml) with node ID "server-one-master"
- with two existing slave instances (i.e. --host-config=host-slave.xml) with node IDs "server-twoslave" and "server-threeslave"
- the above appears to be working, *but*
- when adding another slave instance (e.g. "server-fourslave")
  1. it does not join the Infinispan cluster with other members?
  2. it does not receive traffic from the balancer on the domain controller?

Problem #1 would be caused by the new instance's jgroups subsystem being unable to discover other instances.

Problem #2 *might* be caused by a statically configured/outdated lb-handler in the domain.xml. Be aware the out-of-the-box balancer "exists so that you can easily test drive clustering on your development machine" per the documentation.

You may not be getting responses because the keycloak-user list is not the most appropriate place for help on these topics. The Wildfly, JGroups, and Infinispan projects' documentation provides a better explanation of these subsystems' more advanced capabilities than would be in the scope of Keycloak's docs to do.

https://docs.jboss.org/author/display/WFLY10/Documentation
http://wildfly.org/gethelp/
http://jgroups.org/ug.html
http://jgroups.org/irc.html
http://infinispan.org/docs/stable/index.html
http://infinispan.org/community/

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Elnaz razmi
Sent: Saturday, May 27, 2017 4:41:42 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Rebalancing problem while adding a new node to a domain

hello

please help me about this problem:

We chose to install domain mode keycloak in our company. We have a load balancer and three slave nodes. It's working properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered but it doesn't show these lines as we can see in the other nodes' connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3

From shimin_q at yahoo.com Sat May 27 16:28:03 2017
From: shimin_q at yahoo.com (shimin q)
Date: Sat, 27 May 2017 20:28:03 +0000 (UTC)
Subject: [keycloak-user] KeyCloak pose no login challenge
In-Reply-To: <60a0d0e9-0b48-c134-940d-80bed757fa8e@redhat.com>
References: <552966330.515120.1495814645292.ref@mail.yahoo.com> <552966330.515120.1495814645292@mail.yahoo.com> <60a0d0e9-0b48-c134-940d-80bed757fa8e@redhat.com>
Message-ID: <58403266.1128141.1495916883700@mail.yahoo.com>

Thanks. A bit of progress: once I changed from "/rtna2/*" to "/*", it is redirecting my web app URL https://135.112.180.27/rtna2 to https://135.112.180.27:8666/auth/realms/rtna/protocol/openid-connect/auth?response_type=code&client_id=rtna2&redirect_uri=https%3A%2F%2F135.112.180.27%2Frtna2%2F&state=c55f81fb-72ad-4660-b257-6bfa119adb75&login=true&scope=openid

Unfortunately, still no login challenge; I got the following error message instead: "We are sorry...invalid user name or password"

I am trying to figure out where I configured realm "rtna" or client "rtna2" wrong...here is the keycloak.json that I used (generated under the Installation tab of the client "rtna2"):

{
  "realm": "rtna",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
  "auth-server-url": "https://135.112.180.27:8666/auth",
  "ssl-required": "all",
  "resource": "rtna2",
  "public-client": true,
  "use-resource-role-mappings": true
}

Please, any tips/ideas why I am now getting the "invalid user name or password" instead of a keycloak login form? Thanks!

From: Bill Burke
To: keycloak-user at lists.jboss.org
Sent: Saturday, May 27, 2017 1:29 PM
Subject: Re: [keycloak-user] KeyCloak pose no login challenge

I think I know what it is. Your security constraint is wrong. It should be "/*" for the url pattern, not "/rtna2/*". You are not supposed to specify the root context in web.xml url patterns.

On 5/26/17 12:04 PM, shimin q wrote:
> I wrote a simple reactJS web app ("/rtna2") deployed under Tomcat 7. I followed the steps below, but keycloak does not seem to work - no login challenge was posed, and when I type https:///rtna2, it went straight to the web app.
>
> 1 - download the tomcat 7 keycloak adaptor zip and unzip in my tomcat lib/
> 2 - rtna2 app is deployed under tomcat webapps/
> 3 - modify rtna2/META-INF/context.xml:
>
> 4 - add keycloak.json under rtna2/WEB-INF:
>
> {
>   "realm": "rtna",
>   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
>   "auth-server-url": "https://135.112.180.27:8666/auth",
>   "ssl-required": "external",
>   "resource": "rtna2",
>   "public-client": true
> }
>
> 5. modify rtna2/WEB-INF/web.xml:
>
> <web-app>
>   <display-name>rtna2</display-name>
>   <welcome-file-list>
>     <welcome-file>index.html</welcome-file>
>   </welcome-file-list>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>rtna2</web-resource-name>
>       <url-pattern>/rtna2/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>rtna</realm-name>
>   </login-config>
>   <security-role>
>     <role-name>admin</role-name>
>   </security-role>
>   <security-role>
>     <role-name>user</role-name>
>   </security-role>
>   <security-role>
>     <role-name>sudo</role-name>
>   </security-role>
> </web-app>
>
> I have tried "KEYCLOAK" also, does not work
>
> 6. in the keycloak admin console, added a "rtna" realm, and added "rtna2" client in the realm:
> client id: rtna2
> Access type: public (tried "confidential" also)
> Authorization enabled: on ("off" also)
> Root URL: https://135.112.180.27/rtna2
> Valid Redirect URLs: https://135.112.180.27/rtna2/*
> Base URL: https://135.112.180.27/rtna2
> Admin URL: https://135.112.180.27/rtna2
> Web Origins: https://135.112.180.27/rtna2/*
>
> I found relative paths for these URLs do not work, it gave me Http 404 not found (https://135.112.180.27/rtna2) error. But once I put the absolute paths, it took me right to the web app without posing the login challenge!
>
> What could possibly be wrong? Please advise! Thanks!!

From shimin_q at yahoo.com Sat May 27 20:40:03 2017
From: shimin_q at yahoo.com (shimin q)
Date: Sun, 28 May 2017 00:40:03 +0000 (UTC)
Subject: [keycloak-user] KeyCloak pose no login challenge
In-Reply-To: <58403266.1128141.1495916883700@mail.yahoo.com>
References: <552966330.515120.1495814645292.ref@mail.yahoo.com> <552966330.515120.1495814645292@mail.yahoo.com> <60a0d0e9-0b48-c134-940d-80bed757fa8e@redhat.com> <58403266.1128141.1495916883700@mail.yahoo.com>
Message-ID: <155383763.1212844.1495932003853@mail.yahoo.com>

Another piece of info when the "We're sorry...invalid user name or password" message was shown (without login challenge ever posted)... keycloak server.log file has this warning:

2017-05-27 20:33:59,936 WARN  [org.keycloak.events] (default task-80) type=LOGIN_ERROR, realmId=rtna, clientId=rtna2, userId=null, ipAddress=135.224.13.68, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://135.112.180.27/rtna2/, code_id=689abbad-ccad-469a-86be-1e489b0dba15, response_mode=query

How could this be, there was no login challenge so I couldn't even input user name and password!
From: shimin q To: Bill Burke ; "keycloak-user at lists.jboss.org" Sent: Saturday, May 27, 2017 4:28 PM Subject: Re: [keycloak-user] KeyCloak pose no login challenge Thanks. A bit of progress, once I changed from "/rtna2/*" to "/*", it is redirecting my web app URL https://135.112.180.27/rtna2 to https://135.112.180.27:8666/auth/realms/rtna/protocol/openid-connect/auth?response_type=code&client_id=rtna2&redirect_uri=https%3A%2F%2F135.112.180.27%2Frtna2%2F&state=c55f81fb-72ad-4660-b257-6bfa119adb75&login=true&scope=openid Unfortunately, still no login challenges, I got the following error message instead: "We are sorry...invalid user name or password" I am trying to figure out where I configured realm "rtna" or client "rtna2" wrong...here is the keycloak.json that I used (generated under the Installation tab of the client "rtna2"): { "realm": "rtna", "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB", "auth-server-url": "https://135.112.180.27:8666/auth", "ssl-required": "all", "resource": "rtna2", "public-client": true, "use-resource-role-mappings": true } Please, any tips/ideas why I am now getting the "invalid user name or password" instead of a keycloak login form? Thanks!
From sblanc at redhat.com Sun May 28 02:22:24 2017
From: sblanc at redhat.com (Sebastien Blanc) Date: Sun, 28 May 2017 06:22:24 +0000 Subject: [keycloak-user] KeyCloak pose no login challenge In-Reply-To: <155383763.1212844.1495932003853@mail.yahoo.com> References: <552966330.515120.1495814645292.ref@mail.yahoo.com> <552966330.515120.1495814645292@mail.yahoo.com> <60a0d0e9-0b48-c134-940d-80bed757fa8e@redhat.com> <58403266.1128141.1495916883700@mail.yahoo.com> <155383763.1212844.1495932003853@mail.yahoo.com> Message-ID: Try again in an incognito window and empty your cache. BTW, you mentioned you have a ReactJS app, have you also considered using the keycloak JS lib to secure your web app? On Sun, 28 May 2017 at 05:59, shimin q wrote: > Another piece of info when the "We're sorry...invalid user name or > password" message was shown (without login challenge ever posted)... > keycloak server.log file has this warning: > > 2017-05-27 20:33:59,936 WARN [org.keycloak.events] (default task-80) > type=LOGIN_ERROR, realmId=rtna, clientId=rtna2, userId=null, > ipAddress=135.224.13.68, error=invalid_user_credentials, > auth_method=openid-connect, auth_type=code, response_type=code, > redirect_uri=https://135.112.180.27/rtna2/, > code_id=689abbad-ccad-469a-86be-1e489b0dba15, response_mode=query > How could this be, there was no login challenge so I couldn't even input > user name and password!
> > From: shimin q > To: Bill Burke ; "keycloak-user at lists.jboss.org" < > keycloak-user at lists.jboss.org> > Sent: Saturday, May 27, 2017 4:28 PM > Subject: Re: [keycloak-user] KeyCloak pose no login challenge > > Thanks. a bit of progress, once I changed from "/rtna2/*" to "/*", it is > redirecting my web app URL > https://135.112.180.27/rtna2 > to > > https://135.112.180.27:8666/auth/realms/rtna/protocol/openid-connect/auth?response_type=code&client_id=rtna2&redirect_uri=https%3A%2F%2F135.112.180.27%2Frtna2%2F&state=c55f81fb-72ad-4660-b257-6bfa119adb75&login=true&scope=openid > Unfortunately, still no login challenges, I got the following error > message instead > "We are sorry...invalid user name or password" > I am trying to figure out where I configured realm "rtna" or client > "rtna2" wrong...here is the keycloak.json that I used (generated under the > Installation tab of the client "rtna2": > { "realm": "rtna", "realm-public-key": > "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB", > "auth-server-url": "https://135.112.180.27:8666/auth", "ssl-required": > "all", "resource": "rtna2", "public-client": true, > "use-resource-role-mappings": true} > Please, any tips/ideas why I am now getting the "invalid user name or > password" instead of a keycloak login form? Thanks! 
> > From: Bill Burke > To: keycloak-user at lists.jboss.org > Sent: Saturday, May 27, 2017 1:29 PM > Subject: Re: [keycloak-user] KeyCloak pose no login challenge > > I think i know what it is. Your security constraint is wrong. It should > be "/*" for the url pattern, not "/rtna2/*". You are not supposed to > specify the root context in web.xml url patterns. > > > On 5/26/17 12:04 PM, shimin q wrote: > > I wrote a simple reactJS web app ("/rtna2") deployed under Tomcat 7. I > followed the steps below, but keycloak does not seem to work - no login > challenge was posed, and when I type https:///rtna2, it > went straight to the the web app. > > 1 - download the tomcat 7 keycloak adaptor zip and unzip in my tomcat > lib/2 - rtna2 app is deployed under tomcat webapps/3 - modify > rtna2/META-INF/context.xml: > > privileged="true" > className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>4 > - add keycloak.json under rtna2/WEB-INF: > > > > { "realm": "rtna", "realm-public-key": > "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB", > "auth-server-url": "https://135.112.180.27:8666/auth", "ssl-required": > "external", "resource": "rtna2", "public-client": true} > > 5. modify rtna2/WEB-INF/web.xml: > > > > > > rtna2 > index.html > > rtna2 > /rtna2/* > * > > > BASIC > rtna > > admin > user > sudo > > > I have tried "KEYCLOAK" also, does not work > > 6. 
in the keycloak admin console, added a "rtna" realm, and added > "rtna2" client in the realm: > > client id: rtna2Access type: public (tried "confidential" > also)Authorization enabled: on ("off" also)Root URL: > https://135.112.180.27/rtna2Valid Redirect URLs: > https://135.112.180.27/rtna2/*Base URL: https://135.112.180.27/rtna2Admin > URL: https://135.112.180.27/rtna2Web Origins: > https://135.112.180.27/rtna2/* > > I found relative paths for these URLs do not work, it gave me Http 404 > not found (https://135.112.180.27/rtna2) error. But once I put the > absolute paths, it took me right to the web app without posing the login > challenge! > > What could possibly be wrong? Please advise! Thanks!! > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From shimin_q at yahoo.com Sun May 28 10:57:54 2017 
From: shimin_q at yahoo.com (shimin q) Date: Sun, 28 May 2017 14:57:54 +0000 (UTC) Subject: [keycloak-user] KeyCloak pose no login challenge In-Reply-To: References: <552966330.515120.1495814645292.ref@mail.yahoo.com> <552966330.515120.1495814645292@mail.yahoo.com> <60a0d0e9-0b48-c134-940d-80bed757fa8e@redhat.com> <58403266.1128141.1495916883700@mail.yahoo.com> <155383763.1212844.1495932003853@mail.yahoo.com> Message-ID: <1024341471.1412419.1495983474952@mail.yahoo.com> Thanks for your suggestion. I just tried an incognito chrome window and cleared the browser cache and Java cache. Unfortunately, https://135.112.180.27/rtna2 , after redirecting to https://135.112.180.27:8666/auth/realms/rtna/protocol/openid-connect/auth?response_type=code&client_id=rtna2&redirect_uri=https%3A%2F%2F135.112.180.27%2Frtna2%2F&state=e76d1caa-a528-4498-98d4-098544fd3987&login=true&scope=openid "We're Sorry...invalid user name or password" came up again (still no login challenge) server.log: 2017-05-28 10:38:49,866 WARN [org.keycloak.events] (default task-104) type=LOGIN_ERROR, realmId=rtna, clientId=rtna2, userId=null, ipAddress=135.224.18.117, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://135.112.180.27/rtna2/, code_id=260dc630-40e5-4b83-955a-df76d8d04d63, response_mode=query I also tried another existing GWT web app (https://135.112.180.27/nara) deployed under the same Tomcat server.
Same config/set up, but this one is even worse, it never even got to the redirecting to keycloak auth, instead it is throwing me an exception (of course, no login challenge/form either):
HTTP Status 500 - type Exception report
message
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.lang.NullPointerException
org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107)
org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79)
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Unknown Source)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.69 logs.
Any ideas what could be wrong? I am pulling my hair out :-( this is not supposed to be this hard! I have been trying to get this to work for the last 3 days. At one time, the login challenge did come up, but after I typed in user name/password, it throws me an HTTP 403 error, never redirected me to my web app (https://135.112.180.27/rtna2). Tried various config changes, I ended up with this situation where the login challenge is not posted at all. Please help!!
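An added example for this thread (not code from the thread, from Tomcat or from Keycloak) that models Bill Burke's point about the `/rtna2/*` url-pattern. Servlet containers compare a security-constraint url-pattern against the request path with the context root already stripped off, so a pattern that repeats the context name can only match a resource whose path inside the application happens to begin with `rtna2` again; every other request, including the app's `index.html`, falls outside the constraint, the container never asks for authentication and the Keycloak valve never redirects. The matcher below is a simplified version of the Servlet specification's rules (exact, path-prefix `/x/*` and extension `*.ext` patterns); the host, context path and URIs are the ones in the thread, and `misscoped_patterns` is a small lint check of my own, not a Tomcat feature.

```python
"""Why a web.xml security-constraint url-pattern of "/rtna2/*" never fires for
an application deployed at context path "/rtna2", while "/*" does.

Added example for the mailing-list thread; not Tomcat or Keycloak code. It
models the Servlet rule that url-patterns are matched against the request
path relative to the context root, not against the full URI, with a
simplified matcher (exact, path-prefix "/x/*" and extension "*.ext").
"""
from urllib.parse import urlsplit


def context_relative_path(context_path: str, request_uri: str) -> str:
    """Return the part of the request a url-pattern is compared with: the
    path with the web application's context root stripped off.
    Raises ValueError when the request is outside this context."""
    path = urlsplit(request_uri).path or "/"
    if context_path in ("", "/"):
        return path                       # ROOT web application
    if path == context_path:
        return ""                         # the context root itself
    if not path.startswith(context_path + "/"):
        raise ValueError(f"{request_uri} is not inside context {context_path}")
    return path[len(context_path):]


def pattern_matches(url_pattern: str, rel_path: str) -> bool:
    """Servlet-style url-pattern matching against a context-relative path."""
    if url_pattern == "/*":
        return True                       # every resource in the application
    if url_pattern.endswith("/*"):        # path-prefix mapping, e.g. "/admin/*"
        prefix = url_pattern[:-2]
        return rel_path == prefix or rel_path.startswith(prefix + "/")
    if url_pattern.startswith("*."):      # extension mapping, e.g. "*.jsp"
        return rel_path.endswith(url_pattern[1:])
    return rel_path == url_pattern        # exact mapping


def is_protected(context_path: str, url_patterns, request_uri: str) -> bool:
    """True if any constraint pattern covers the request, i.e. the container
    would demand authentication (and the Keycloak valve would redirect)."""
    rel_path = context_relative_path(context_path, request_uri)
    return any(pattern_matches(p, rel_path) for p in url_patterns)


def misscoped_patterns(context_path: str, url_patterns):
    """Lint check (not a Tomcat feature): patterns that repeat the context
    root. Such a pattern only matches a resource whose in-app path starts
    with the context name again, so the rest of the app stays unprotected."""
    if context_path in ("", "/"):
        return []
    return [p for p in url_patterns if p.startswith(context_path + "/")]


if __name__ == "__main__":
    app = "/rtna2"
    for uri in ("https://135.112.180.27/rtna2/",
                "https://135.112.180.27/rtna2/index.html"):
        for patterns in (["/rtna2/*"], ["/*"]):
            print(f"{patterns} {uri}: protected={is_protected(app, patterns, uri)}")
    print("mis-scoped:", misscoped_patterns(app, ["/rtna2/*", "/*"]))
```

The same mechanism cuts the other way: a constraint that is narrower than intended (say only `/admin/*`) leaves every path outside it reachable without a token, so after changing a url-pattern it is worth requesting an unauthenticated URL from the protected part of the app and checking for the redirect to `/auth/realms/.../openid-connect/auth` rather than trusting the configuration file.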
_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From hylton.peimer at datos-health.com Mon May 29 05:07:25 2017 From: hylton.peimer at datos-health.com (Hylton Peimer) Date: Mon, 29 May 2017 12:07:25 +0300 Subject: [keycloak-user] Verifying a password Message-ID: My mobile app is connected to the server using bearer-only tokens. The tokens were obtained using username/password. A particular screen in the app requires the user to re-enter the password, so that the password can be verified at the server-side. Is there an elegant REST or Java API to perform a simple password verification, besides a call to /protocol/openid-connect/token endpoint, which brings all the tokens? From FreAky-ShAdoW at gmx.net Mon May 29 05:26:43 2017
From: FreAky-ShAdoW at gmx.net (FreAky-ShAdoW at gmx.net) Date: Mon, 29 May 2017 11:26:43 +0200 Subject: [keycloak-user] How to extend time until refresh token expires? Message-ID: I'm using KeyCloak in Version 3.0.0.Final and having trouble with an Angular 2 application which regularly runs into the problem that the refresh token is expired. I've tried to increase the token timeouts but it seems the refresh token still expires too quickly. My configuration is as follows:
- SSO Session Idle: 2 days
- SSO Session Max: 10 hours
- Offline Session Idle: 30 days
- Access Token Lifespan: 5 minutes
- Access Token Lifespan For Implicit Flow: 15 minutes
- Client login timeout: 1 minute
- Login timeout: 30 minutes
- Login action timeout: 5 minutes
Please note, the refresh often works but after some idle time it is pretty common that the refresh token is expired. I'm using the implementation of the official angular 2 example in the KeyCloak github repository. I'm also using the same realm with a Spring Boot Bearer Client but I guess that this does not affect the tokens of the Angular client, right? I thought that increasing the SSO Session Idle would solve the problem but it does not. How can I extend the expiry time? From tech at psynd.net Mon May 29 06:08:44 2017 From: tech at psynd.net (Tech) Date: Mon, 29 May 2017 12:08:44 +0200 Subject: [keycloak-user] SSO between OIDC and SAML Message-ID: Dear experts, we have two applications, one in SAML and the other in OIDC and we would like a person logging in one of them and being SSO in the other, same for the logout. Is Keycloak implementing this functionality? If yes, how? Thanks! From sthorger at redhat.com Mon May 29 07:48:25 2017
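An added example (mine, not Keycloak code and not part of the refresh-token question above) that models how the two realm settings quoted in that question bound a refresh token. It encodes two assumptions, stated plainly: a refresh token is usable only while its SSO session is alive, and the session ends at the earlier of last activity plus SSO Session Idle and login plus SSO Session Max, with each successful refresh counting as activity. Offline Session Idle concerns offline tokens only and is left out; the access-token lifespans do not matter here because the client refreshes before they run out. With Idle set to 2 days but Max to 10 hours, Max is the binding limit, so a client that refreshes every few minutes is still refused ten hours after login; the timestamps are constructed.

```python
"""Model of how a Keycloak refresh token's lifetime is bounded by the realm's
SSO Session Idle and SSO Session Max settings.

Added example, not Keycloak code. Assumptions: (1) a refresh token is usable
only while its user session is alive; (2) the session ends at the earlier of
last_activity + SSO Session Idle and login + SSO Session Max, and a successful
refresh counts as activity. Offline tokens are out of scope.
"""
from datetime import datetime, timedelta
from typing import Optional

MINUTES = timedelta(minutes=1)
HOURS = timedelta(hours=1)
DAYS = timedelta(days=1)


class SessionExpired(Exception):
    pass


class UserSession:
    """One SSO session: created at login, touched by every token refresh."""

    def __init__(self, login_at: datetime, sso_idle: timedelta, sso_max: timedelta):
        self.login_at = login_at
        self.last_activity = login_at
        self.sso_idle = sso_idle
        self.sso_max = sso_max

    def refresh_token_expires_at(self) -> datetime:
        """The refresh token dies with the session: idle bound or max bound,
        whichever comes first (assumption 2 above)."""
        return min(self.last_activity + self.sso_idle,
                   self.login_at + self.sso_max)

    def refresh(self, now: datetime) -> datetime:
        """Exchange the refresh token; returns the new expiry or raises."""
        expires_at = self.refresh_token_expires_at()
        if now > expires_at:
            raise SessionExpired(f"session expired at {expires_at:%Y-%m-%d %H:%M}")
        self.last_activity = now          # a successful refresh is activity
        return self.refresh_token_expires_at()


def refresh_allowed(session: UserSession, now: datetime) -> bool:
    try:
        session.refresh(now)
        return True
    except SessionExpired:
        return False


def hours_until_first_refusal(sso_idle: timedelta, sso_max: timedelta,
                              refresh_every: timedelta,
                              horizon: timedelta) -> Optional[float]:
    """Simulate a client that refreshes on a fixed schedule from login and
    report, in hours since login, when the first refresh is refused
    (None if no refusal happens within `horizon`)."""
    login = datetime(2017, 5, 29, 9, 0)   # constructed timestamp
    session = UserSession(login, sso_idle, sso_max)
    now = login
    while now - login < horizon:
        now += refresh_every
        if not refresh_allowed(session, now):
            return (now - login) / HOURS
    return None


if __name__ == "__main__":
    # Settings from the question: Idle 2 days, Max 10 hours.
    print("idle=2d max=10h:", hours_until_first_refusal(2 * DAYS, 10 * HOURS,
                                                        15 * MINUTES, 3 * DAYS), "h")
    # Raising SSO Session Max to the idle value moves the limit out to 2 days.
    print("idle=2d max=2d :", hours_until_first_refusal(2 * DAYS, 2 * DAYS,
                                                        15 * MINUTES, 3 * DAYS), "h")
    # A client that goes quiet for longer than the idle timeout is cut off too.
    print("idle=2h max=10h, refresh every 3h:",
          hours_until_first_refusal(2 * HOURS, 10 * HOURS, 3 * HOURS, 1 * DAYS), "h")
```

The practical check is to compare the `exp` claim of a freshly issued refresh token against the login time: under this model it can never be later than login plus SSO Session Max, whatever the idle setting says.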
From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 29 May 2017 13:48:25 +0200 Subject: [keycloak-user] Performance loss migrating from Keycloak 1.7.0 to Keycloak 2.5.5/3.x In-Reply-To: <1495614311.3050.5.camel@cargosoft.ru> References: <47ab2a7e-c881-154f-42b5-0bf749ae04e4@redhat.com> <1495614311.3050.5.camel@cargosoft.ru> Message-ID: 1.7.0 had a single hash iteration, in 1.9 that was bumped to 20K. That's probably the single source of the difference in performance. You can change it through the admin console, but we recommend keeping the value high to make sure passwords are stored safely. On 24 May 2017 at 10:25, Dmitry Telegin wrote: > Hi Bill, > > By the way, can we roughly estimate the amount of memory allocated per > each cached user? > > We are planning a deployment with ~4M users, so I'm wondering if the > entire user set can fit into RAM of a typical server? If yes, do you > think it would be a good idea to write an extension for cache warm-up? > (i.e., to launch a background thread upon Keycloak startup that would > gradually load all the users into cache) I think that could improve > response times for restarted / newly added cluster nodes. > > Thanks, > Dmitry > > > Entire user is cached (role mappings, attributes, etc.) the first > > time > > it is accessed. Maybe in your old User Federation Provider, you > > loaded > > stuff on demand? Another thing you could try is to ditch the > > import. > > The new User Storage Model supports a non-import mode if you > > implement > > it correctly. > > > > > > On 5/16/17 9:09 AM, Vito Vessia wrote: > > > Hi all, > > > we have adopted Keycloak as foundation for our identity services > > > since the > > > beginning (july 2015) and after an initial development period we > > > developed > > > our federation/mail/whatever providers we fixed the underlying > > > Keycloak > > > version to 1.7.0 for more than one year.
> > > Recently we have upgraded to Keycloak 2.5.5 doing a big reworking > > > related > > > to the new architecture of the former Federation providers, etc... > > > The first impression is that it is more robust and stable, but it > > > seems to > > > be slower than the 1.7.0 version. Without any SPI installed, using > > > a raw > > > keycloak realm, on the same machine the pure login via OpenId > > > Connect > > > endpoints takes: > > > > > > 30 ms on Keycloak 1.7.0 (average value after 100 logins) > > > 100 ms on Keycloak 2.5.5 (average value after 100 logins) > > > > > > We get the same gap both with H2 and Oracle database. > > > > > > If we mount our SPI providers (User Storage and others), the gap is > > > greater > > > but of course it could be an issue in our code after the > > > migration to the > > > new SPI architecture. > > > > > > Is there a specific reason for this gap? (i.e. a better management > > > of the > > > concurrency). > > > Is there a specific setting/strategy to improve the performance? > > > > > > The configuration has been tested both on Linux and Windows on a > > > standalone > > > server. The Wildfly -Xmx has been set to 1g on both Keycloak > > > versions. > > > > > > --Vito Vessia > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From guus.der.kinderen at gmail.com Mon May 29 08:37:07 2017
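An added example, not Keycloak's code and not part of the thread above, that reproduces the cost difference Stian Thorgersen points to: PBKDF2 at one iteration versus twenty thousand. It uses Python's hashlib with HMAC-SHA1 and a 64-byte derived key, both chosen here as assumptions to resemble a PBKDF2 password hash rather than taken from this page, and a constructed password and salt. The iteration count is exactly the knob that makes the login slower and an offline guessing attack against a leaked hash table slower by the same factor, which is why the reply recommends leaving it high; the wall-clock numbers depend on the machine and are returned rather than asserted.

```python
"""Cost of PBKDF2 password hashing at 1 iteration versus 20,000, the change
named above as the likely source of the 30 ms to 100 ms login gap.

Added example, not Keycloak's own code. PRF and derived-key length are
assumptions chosen to resemble a PBKDF2 password hash; password and salt
are constructed for the demo.
"""
import hashlib
import hmac
import os
import time

PRF = "sha1"                 # assumption: PBKDF2-HMAC-SHA1
DERIVED_KEY_BYTES = 64       # assumption: 512-bit derived key


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the stored hash for `password` under the given work factor."""
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                               iterations, DERIVED_KEY_BYTES)


def verify_password(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Recompute and compare in constant time. The server pays the same cost
    per login that an attacker pays per guess; that is the point of the
    work factor."""
    candidate = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                                    iterations, len(stored))
    return hmac.compare_digest(candidate, stored)


def average_verify_seconds(password: str, iterations: int, rounds: int = 3) -> float:
    """Wall-clock cost of one successful verification at this work factor."""
    salt = os.urandom(16)
    stored = hash_password(password, salt, iterations)
    start = time.perf_counter()
    for _ in range(rounds):
        if not verify_password(password, salt, iterations, stored):
            raise RuntimeError("verification must succeed for the right password")
    return (time.perf_counter() - start) / rounds


def guesses_per_second_per_core(seconds_per_hash: float) -> float:
    """Upper bound on offline guessing speed against a leaked hash, per core,
    for an attacker using the same implementation as the verifier."""
    return 1.0 / seconds_per_hash


if __name__ == "__main__":
    for iterations in (1, 20_000):
        t = average_verify_seconds("correct horse battery staple", iterations)
        print(f"{iterations:>6} iterations: {t * 1000:7.2f} ms per verify, "
              f"~{guesses_per_second_per_core(t):,.0f} guesses/s/core offline")
```

Lowering the count through the admin console, as the reply notes is possible, buys back login latency only by handing the same speed-up to whoever obtains the credential table; a GPU cracker is far faster than this single-core figure, so the per-core number is a floor on the attacker's advantage, not a ceiling.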
From: guus.der.kinderen at gmail.com (Guus der Kinderen) Date: Mon, 29 May 2017 14:37:07 +0200 Subject: [keycloak-user] How to store and search for (standardized?) user attributes? In-Reply-To: References: Message-ID: Hi Marko, Thanks for the feedback. How do I obtain a RealmAuth reference to work with, when extending the REST api? Regards, Guus On 15 May 2017 at 16:38, Marko Strukelj wrote: > There is a method for this: > https://github.com/keycloak/keycloak/blob/3.1.0.Final/server-spi/src/main/java/org/keycloak/storage/user/UserQueryProvider.java#L134-L148 > > But there is no Admin REST API through which it would be exposed. > > You can add your custom REST endpoint and implement your custom search > call there. > See: > https://github.com/keycloak/keycloak/tree/3.1.0.Final/examples/providers/rest for example. > > You'd have to make sure to protect your endpoint so it's only accessible to > admin client. See how /users endpoint does this: > https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L675 > > > > On Mon, May 15, 2017 at 3:44 PM, Guus der Kinderen < > guus.der.kinderen at gmail.com> wrote: > >> *gently moves question back to the top of the mailinglist* >> >> On 2 May 2017 at 13:54, Guus der Kinderen >> wrote: >> >> > Hi! >> > >> > We'd like to be able to store somewhat standard user attributes that >> > complete the email, first and last name values that Keycloak 'natively' >> > stores. Think of things like a date of birth, home/work address, phone >> > number, etc. Additionally, we'd like to be able to find users based on a >> > search query. We'd like to be able to answer questions like: "how many >> > users live in London?" >> > >> > So far, we've found the user attributes, where we could store this >> > information. That is a very generic solution though. Are there >> standardized >> > attribute names, profiles, that we can use?
>> > >> > A further challenge is that we'd like to be able to query the user base, >> > based on attributes. We'd like to find people by address, by date of >> birth, >> > etc. The REST API does have search functionality, but it doesn't look >> like >> > you can find users by attribute value. >> > >> > Can anyone recommend a course of action here? >> > >> > Regards, >> > >> > Guus >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From janek.bartosz at gmail.com Mon May 29 09:18:22 2017 From: janek.bartosz at gmail.com (Jan Bartosz) Date: Mon, 29 May 2017 15:18:22 +0200 Subject: [keycloak-user] Logout All Sessions - no event sent - why? Message-ID: Hi, We'd like to have a log when 'Logout All Sessions' action occurs - if user clicks it. I see that AdminEvent is sent when - well - admin clicks it;) and actually other request is sent. Is it done by purpose or maybe do you plan in the future to send a 'normal' Event in that case? some other possibilities? Many Thanks in advance! Kind Regards Jan From mstrukel at redhat.com Mon May 29 09:18:42 2017
From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 29 May 2017 15:18:42 +0200 Subject: [keycloak-user] How to store and search for (standardized?) user attributes? In-Reply-To: References: Message-ID: I've never tried this myself, and we have no example for it, but in principle you can copy some code from https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L206-L219 and https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/services/resources/admin/RealmsAdminResource.java#L184-L209 So, you'll have to construct AdminAuth, and RealmAuth by yourself. On Mon, May 29, 2017 at 2:37 PM, Guus der Kinderen < guus.der.kinderen at gmail.com> wrote: > Hi Marko, > > Thanks for the feedback. How do I obtain a RealmAuth reference to work > with, when extending the REST api? > > Regards, > > Guus > > On 15 May 2017 at 16:38, Marko Strukelj wrote: > >> There is a method for this: >> https://github.com/keycloak/keycloak/blob/3.1.0.Final/server-spi/src/main/java/org/keycloak/storage/user/UserQueryProvider.java#L134-L148 >> >> But there is no Admin REST API through which it would be exposed. >> >> You can add your custom REST endpoint and implement your custom search >> call there. >> See: >> https://github.com/keycloak/keycloak/tree/3.1.0.Final/examples/providers/rest for example. >> >> You'd have to make sure to protect your endpoint so it's only accessible >> to admin client. See how /users endpoint does this: >> https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L675 >> >> >> >> On Mon, May 15, 2017 at 3:44 PM, Guus der Kinderen < >> guus.der.kinderen at gmail.com> wrote: >> >>> *gently moves question back to the top of the mailinglist* >>> >>> On 2 May 2017 at 13:54, Guus der Kinderen >>> wrote: >>> >>> > Hi!
>>> > >>> > We'd like to be able to store somewhat standard user attributes that >>> > complete the email, first and last name values that Keycloak 'natively' >>> > stores. Think of things like a date of birth, home/work address, phone >>> > number, etc. Additionally, we'd like to be able to find users based on >>> a >>> > search query. We'd like to be able to answer questions like: "how many >>> > users live in London?" >>> > >>> > So far, we've found the user attributes, where we could store this >>> > information. That is a very generic solution though. Are there >>> standardized >>> > attribute names, profiles, that we can use? >>> > >>> > A further challenge is that we'd like to be able to query the user >>> base, >>> > based on attributes. We'd like to find people by address, by date of >>> birth, >>> > etc. The REST API does have search functionality, but it doesn't look >>> like >>> > you can find users by attribute value. >>> > >>> > Can anyone recommend a course of action here? >>> > >>> > Regards, >>> > >>> > Guus >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From guus.der.kinderen at gmail.com Mon May 29 09:21:41 2017 
From: guus.der.kinderen at gmail.com (Guus der Kinderen) Date: Mon, 29 May 2017 15:21:41 +0200 Subject: [keycloak-user] How to store and search for (standardized?) user attributes? In-Reply-To: References: Message-ID: Ah, I was afraid it'd come to that. Ok, I'll see how to make that happen. Instant-follow-up: my new resource is likely not going to be available in the admin-client, right? Is there an easy way of using my new resource with admin-client, or will I have to recompile it, after adding my resource definition? - Guus On 29 May 2017 at 15:18, Marko Strukelj wrote: > I've never tried this myself, and we have no example for it, but in > principle you can copy some code from https://github.com/keycloak/ > keycloak/blob/3.1.0.Final/services/src/main/java/org/ > keycloak/services/resources/admin/AdminRoot.java#L206-L219 and > https://github.com/keycloak/keycloak/blob/3.1.0.Final/ > services/src/main/java/org/keycloak/services/resources/ > admin/RealmsAdminResource.java#L184-L209 > > So, you'll have to construct AdminAuth, and RealmAuth by yourself. > > On Mon, May 29, 2017 at 2:37 PM, Guus der Kinderen < > guus.der.kinderen at gmail.com> wrote: > >> Hi Marko, >> >> Thanks for the feedback. How do I obtain a RealmAuth reference to work >> with, when extending the REST api? >> >> Regards, >> >> Guus >> >> On 15 May 2017 at 16:38, Marko Strukelj wrote: >> >>> There is a method for this: >>> https://github.com/keycloak/keycloak/blob/3.1.0.Final/server >>> -spi/src/main/java/org/keycloak/storage/user/UserQueryProvid >>> er.java#L134-L148 >>> >>> But there is no Admin REST API through which it would be exposed. >>> >>> You can add your custom REST endpoint and implement your custom search >>> call there. >>> See: >>> https://github.com/keycloak/keycloak/tree/3.1.0.Final/exampl >>> es/providers/rest for example. >>> >>> You'd have to make sure to protect your endpoint so its only accessible >>> to admin client. 
>>> See how /users endpoint does this:
>>> https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L675
>>>
>>> On Mon, May 15, 2017 at 3:44 PM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
>>>
>>>> *gently moves question back to the top of the mailinglist*
>>>>
>>>> On 2 May 2017 at 13:54, Guus der Kinderen wrote:
>>>>
>>>> > Hi!
>>>> >
>>>> > We'd like to be able to store somewhat standard user attributes that complete the email, first and last name values that Keycloak 'natively' stores. Think of things like a date of birth, home/work address, phone number, etc. Additionally, we'd like to be able to find users based on a search query. We'd like to be able to answer questions like: "how many users live in London?"
>>>> >
>>>> > So far, we've found the user attributes, where we could store this information. That is a very generic solution though. Are there standardized attribute names, profiles, that we can use?
>>>> >
>>>> > A further challenge is that we'd like to be able to query the user base, based on attributes. We'd like to find people by address, by date of birth, etc. The REST API does have search functionality, but it doesn't look like you can find users by attribute value.
>>>> >
>>>> > Can anyone recommend a course of action here?
>>>> >
>>>> > Regards,
>>>> >
>>>> > Guus
>>>> >
>>>>
>>>
>>
>

From bburke at redhat.com Mon May 29 09:47:00 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 29 May 2017 09:47:00 -0400
Subject: [keycloak-user] SSO between OIDC and SAML
Message-ID: <126b4c25-b2c4-5bec-6add-9405ba7d270a@redhat.com>

Yes that would work fine. Just follow the basic Keycloak docs on securing an app and it will just work.

On 5/29/17 6:08 AM, Tech wrote:
> Dear experts,
>
> we have two applications, one in SAML and the other in OIDC and we would like a person logging in one of them and being SSO in the other, same for the logout.
>
> Is Keycloak implementing this functionality? If yes, how?
>
> Thanks!
>

From mstrukel at redhat.com Mon May 29 10:15:11 2017
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 29 May 2017 16:15:11 +0200
Subject: [keycloak-user] How to store and search for (standardized?) user attributes?

Your new resource will be bound under a different root URL than the admin REST API and thus will not be reachable through admin client, so you probably won't really be able to use Admin Client to access it.

Maybe we need a way for a use-case like yours to add capability to deploy a custom resource under /auth/admin. Maybe limiting it to /auth/admin/ext or something so it's obvious that it's a custom extension. Feel free to open a JIRA RFE. And also one for adding query user by attribute to admin REST so it's available OOTB.

On Mon, May 29, 2017 at 3:21 PM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
> Ah, I was afraid it'd come to that. Ok, I'll see how to make that happen.
>
> Instant follow-up: my new resource is likely not going to be available in the admin-client, right? Is there an easy way of using my new resource with admin-client, or will I have to recompile it, after adding my resource definition?
>
> - Guus
>
> On 29 May 2017 at 15:18, Marko Strukelj wrote:
>
>> I've never tried this myself, and we have no example for it, but in principle you can copy some code from https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L206-L219 and https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/services/resources/admin/RealmsAdminResource.java#L184-L209
>>
>> So, you'll have to construct AdminAuth, and RealmAuth by yourself.
>>
>> On Mon, May 29, 2017 at 2:37 PM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
>>
>>> Hi Marko,
>>>
>>> Thanks for the feedback. How do I obtain a RealmAuth reference to work with, when extending the REST api?
>>>
>>> Regards,
>>>
>>> Guus
>>>
>>> On 15 May 2017 at 16:38, Marko Strukelj wrote:
>>>
>>>> There is a method for this:
>>>> https://github.com/keycloak/keycloak/blob/3.1.0.Final/server-spi/src/main/java/org/keycloak/storage/user/UserQueryProvider.java#L134-L148
>>>>
>>>> But there is no Admin REST API through which it would be exposed.
>>>>
>>>> You can add your custom REST endpoint and implement your custom search call there.
>>>> See: https://github.com/keycloak/keycloak/tree/3.1.0.Final/examples/providers/rest for example.
>>>>
>>>> You'd have to make sure to protect your endpoint so it's only accessible to admin client. See how /users endpoint does this:
>>>> https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L675
>>>>
>>>> On Mon, May 15, 2017 at 3:44 PM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
>>>>
>>>>> *gently moves question back to the top of the mailinglist*
>>>>>
>>>>> On 2 May 2017 at 13:54, Guus der Kinderen wrote:
>>>>>
>>>>> > Hi!
>>>>> >
>>>>> > We'd like to be able to store somewhat standard user attributes that complete the email, first and last name values that Keycloak 'natively' stores. Think of things like a date of birth, home/work address, phone number, etc. Additionally, we'd like to be able to find users based on a search query. We'd like to be able to answer questions like: "how many users live in London?"
>>>>> >
>>>>> > So far, we've found the user attributes, where we could store this information. That is a very generic solution though. Are there standardized attribute names, profiles, that we can use?
>>>>> >
>>>>> > A further challenge is that we'd like to be able to query the user base, based on attributes.
>>>>> > We'd like to find people by address, by date of birth, etc. The REST API does have search functionality, but it doesn't look like you can find users by attribute value.
>>>>> >
>>>>> > Can anyone recommend a course of action here?
>>>>> >
>>>>> > Regards,
>>>>> >
>>>>> > Guus
>>>>> >
>>>>>
>>>>
>>>
>>
>

From sam.davis at tasktop.com Mon May 29 20:37:55 2017
From: sam.davis at tasktop.com (Sam Davis)
Date: Mon, 29 May 2017 17:37:55 -0700
Subject: [keycloak-user] running multiple instances without clustering

Hi,

I understand that Keycloak supports clustering, but I am wondering if it is possible to run multiple instances of Keycloak using the same configuration database *without* using clustering, i.e. using the standalone operating mode.

It looks like the only difference between this and using the standalone clustered mode is that the caches will not be synchronized between the instances. I understand that it could cause some weird behaviour with user sessions (e.g. a user logs out on one instance but is still logged in on another, or vice versa). Would it cause any more serious problems (e.g. corrupt configuration database) or create security vulnerabilities?

The use case is that my application bundles Keycloak and the application and Keycloak run on the same server. If the server goes down, another instance of the application on another server will take over, and that instance will redirect users to another keycloak instance running on that server. So I don't really need clustering, since normally only a single Keycloak instance will actually be used at a time and will only be used by a single application.

Thanks,
Sam

From bburke at redhat.com Mon May 29 21:45:40 2017
From: bburke at redhat.com (Bill Burke)
Date: Mon, 29 May 2017 21:45:40 -0400
Subject: [keycloak-user] running multiple instances without clustering

If you do not load balance, but instead just have a hot backup, this will work so long as it's ok that somebody has to re-login. If you do load balance, then this will not work because OIDC has non-browser requests (code-to-token and refresh token).

On 5/29/17 8:37 PM, Sam Davis wrote:
> Hi,
>
> I understand that Keycloak supports clustering, but I am wondering if it is possible to run multiple instances of Keycloak using the same configuration database *without* using clustering, i.e. using the standalone operating mode.
>
> It looks like the only difference between this and using the standalone clustered mode is that the caches will not be synchronized between the instances. I understand that it could cause some weird behaviour with user sessions (e.g. a user logs out on one instance but is still logged in on another, or vice versa). Would it cause any more serious problems (e.g. corrupt configuration database) or create security vulnerabilities?
>
> The use case is that my application bundles Keycloak and the application and Keycloak run on the same server. If the server goes down, another instance of the application on another server will take over, and that instance will redirect users to another keycloak instance running on that server. So I don't really need clustering, since normally only a single Keycloak instance will actually be used at a time and will only be used by a single application.
>
> Thanks,
> Sam

From pulgupta at redhat.com Tue May 30 05:23:17 2017
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Tue, 30 May 2017 14:53:17 +0530
Subject: [keycloak-user] Securing Angular + REST based app using keycloak OIDC

Hi All,

We are looking to integrate an application with Keycloak. It is an Angular + REST application in which the REST services are developed in Java and are running on EAP 6.

From my reading I can figure out that we should secure both the front end and the back end separately. The Angular front-end can be secured using the JavaScript adapter, which will check if a user has an access token and in case not it will redirect it to Keycloak. Once the user acquires an access token, it sends the same token to the REST services. We can configure the REST service as a bearer-only client which will check for the validity of the token against Keycloak and return the business data. We can use the EAP 6 OIDC java adapter for Keycloak to secure the REST part.

However there is one limitation that our setup only supports implicit flow. I am sure with Implicit flow we can achieve the angular side of the authentication. However I am not sure if we can make use of the Java OIDC adapter to actually validate and secure our rest APIs. Can you please guide me in case this is achievable with implicit flow.

Regards,
Pulkit

From eduard.matuszak at worldline.com Tue May 30 08:34:14 2017
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Tue, 30 May 2017 12:34:14 +0000
Subject: [keycloak-user] Speed up token generation by HMAC or EC-signing
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723F30AE1@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

Since version 2.5 it is possible to choose another signing mechanism than RSA in the realm administration. To enhance performance, I tried to induce keycloak to use HMAC for token signing, but it seems that this does not work: HMAC is ignored despite the priority settings and login will even fail if the HMAC key is the only active/enabled key. It would be nice (and essential for our purposes, for performance issues) to be able to change the signature algorithms, and if elliptic curves would be provided as a fast asymmetric alternative to RSA as well. Is this projected for a near-future version?

Best regards, Eduard Matuszak

From watson409 at gmail.com Tue May 30 08:36:45 2017
From: watson409 at gmail.com (Brian Watson)
Date: Tue, 30 May 2017 08:36:45 -0400
Subject: [keycloak-user] Disabling PKCE in Keycloak 3.1.X

Hey all,

How do I disable PKCE in Keycloak 3.1.X? I am having some compatibility issues with another 3rd party tool, and am trying to get around the issue until I can figure out the root cause/solution.

Thanks,
Brian

From mposolda at redhat.com Tue May 30 10:53:18 2017
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 30 May 2017 16:53:18 +0200
Subject: [keycloak-user] Speed up token generation by HMAC or EC-signing
In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D723F30AE1@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
References: <61D077C6283D454FAFD06F6AC4AB74D723F30AE1@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

We have a JIRA for elliptic curves, but didn't yet get to it.

For signing tokens by HMAC, there is no plan for it AFAIK. It is not great to sign accessTokens and idTokens by HMAC anyway since the applications will need to have access to the realm signing key, as it is symmetric stuff. This can be a security hole as then the application can generate and sign tokens by itself. Hence we rather rely on asymmetric cryptography - Keycloak signs tokens with the private key and the application has just the public key to verify signatures.

We just have a JIRA for supporting HMAC-signed refresh tokens - this is ok as those refresh tokens are just an opaque string for the application. The application doesn't need to verify signatures on them.

Marek

On 30/05/17 14:34, Matuszak, Eduard wrote:
> Hello
>
> Since version 2.5 it is possible to choose another signing mechanism than RSA in the realm administration. To enhance performance, I tried to induce keycloak to use HMAC for token signing, but it seems that this does not work: HMAC is ignored despite the priority settings and login will even fail if the HMAC key is the only active/enabled key. It would be nice (and essential for our purposes, for performance issues) to be able to change the signature algorithms, and if elliptic curves would be provided as a fast asymmetric alternative to RSA as well. Is this projected for a near-future version?
>
> Best regards, Eduard Matuszak
>

From imbacen at gmail.com Tue May 30 11:37:15 2017
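As an added illustration of the symmetric-versus-asymmetric point Marek makes above (this is not Keycloak code), the following minimal JWS signer/verifier shows that with HS256 the key an application needs to verify tokens is the same key that signs them, so the application can issue tokens itself, whereas with RS256 the application holds only the public key and can verify but not sign. The class name, the sample claims, the issuer URL and the key material are all constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration, not Keycloak code: a minimal JWS (compact serialisation)
 * signer/verifier for HS256 and RS256. Header, claims and keys are constructed.
 */
public class TokenSigningDemo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private static String b64(byte[] in) { return B64.encodeToString(in); }
    private static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    // ---- HS256: one secret both signs and verifies -------------------------

    static String signHs256(String header, String payload, byte[] secret) throws Exception {
        String signingInput = b64(utf8(header)) + "." + b64(utf8(payload));
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return signingInput + "." + b64(mac.doFinal(utf8(signingInput)));
    }

    static boolean verifyHs256(String jws, byte[] secret) throws Exception {
        String[] p = jws.split("\\.");
        if (p.length != 3) return false;
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] expected = mac.doFinal(utf8(p[0] + "." + p[1]));
        return MessageDigest.isEqual(expected, B64D.decode(p[2])); // constant-time compare
    }

    // ---- RS256: private key signs, public key only verifies ----------------

    static String signRs256(String header, String payload, PrivateKey key) throws Exception {
        String signingInput = b64(utf8(header)) + "." + b64(utf8(payload));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(utf8(signingInput));
        return signingInput + "." + b64(sig.sign());
    }

    static boolean verifyRs256(String jws, PublicKey key) throws Exception {
        String[] p = jws.split("\\.");
        if (p.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(utf8(p[0] + "." + p[1]));
        try {
            return sig.verify(B64D.decode(p[2]));
        } catch (SignatureException e) {
            return false; // a malformed signature is simply an invalid token
        }
    }

    public static void main(String[] args) throws Exception {
        String hsHeader = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String rsHeader = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        // Constructed sample claims; the issuer is a placeholder realm URL.
        String claims = "{\"iss\":\"https://sso.example.test/auth/realms/demo\",\"sub\":\"alice\",\"exp\":1900000000}";
        String otherClaims = claims.replace("\"sub\":\"alice\"", "\"sub\":\"bob\"");

        // Symmetric: every application that verifies must hold the realm secret,
        // and whoever holds it can also sign. The second token is issued by the
        // "application", not by the server, yet it verifies identically.
        byte[] realmSecret = new byte[32];
        new SecureRandom().nextBytes(realmSecret);
        String hsFromServer = signHs256(hsHeader, claims, realmSecret);
        String hsFromApp = signHs256(hsHeader, otherClaims, realmSecret);
        System.out.println("HS256 token from server verifies: " + verifyHs256(hsFromServer, realmSecret));
        System.out.println("HS256 token minted by app verifies: " + verifyHs256(hsFromApp, realmSecret));

        // Asymmetric: the server keeps the private key; applications get the public key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String rsFromServer = signRs256(rsHeader, claims, kp.getPrivate());
        System.out.println("RS256 token from server verifies: " + verifyRs256(rsFromServer, kp.getPublic()));

        // Without the private key the application cannot produce a valid signature;
        // reusing the server's signature over different claims is rejected.
        String[] parts = rsFromServer.split("\\.");
        String altered = parts[0] + "." + b64(utf8(otherClaims)) + "." + parts[2];
        System.out.println("RS256 token altered by app verifies: " + verifyRs256(altered, kp.getPublic()));
    }
}
```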
From: imbacen at gmail.com (cen)
Date: Tue, 30 May 2017 17:37:15 +0200
Subject: [keycloak-user] Severe bug in KC adapter - returns blank 200 when SSL is not used with external setting
Message-ID: <0dd4f4c3-5f63-6066-ec11-5e58b3956da3@gmail.com>

Hello

I just managed to replicate this:
http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html

The unfortunate soul did not get a single reply in 2015, hopefully I have better luck. I will try to provide as much info as requested just to get to the bottom of this.

Setup:

- KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS, startup config cli:

    embed-server --std-out=echo
    batch
    /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
    /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
    /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
    run-batch
    stop-embedded-server

- KC adapter jetty 9.3

- keycloak.json configured via env vars

- kc and api running in separate docker containers on same server

    {
      "realm": "${env.KC_REALM}",
      "auth-server-url": "${env.KC_BASE_URL}",
      "ssl-required": "${env.KC_SSL_REQUIRED}",
      "resource": "${env.KC_RESOURCE}",
      "public-client": true
    }

Docker ENV from my API service:

    KC_BASE_URL=https://mykeycloak.domain/auth
    KC_RESOURCE=myapp-api
    KC_REALM=myrealm
    KC_SSL_REQUIRED=external

When I call a protected API this is logged by adapter:

    api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
    api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is required to authenticate. Remote address is secure: false, SSL required for: EXTERNAL .

Why does it try to connect via IP and not over https? I clearly specified KC_BASE_URL as HTTPS. And why is the REST call logged as http even though I call it via https?
I also parsed the access token and the issuer is from https, no trace of any IPs or http anywhere.

And now the worst thing: when this WARN happens, the adapter returns a blank 200! You'd expect at least an internal server error or something along those lines. I lost 9 hours today blaming everything from nginx to my REST API just to finally come down to this.

Setting SSL config to none in the admin panel and in the adapter env makes the whole thing work. But this is clearly not the solution.

Hopefully some expert can shed some light on this.

Best regards, cen

From douglas.drouillard at gmail.com Tue May 30 13:38:00 2017
From: douglas.drouillard at gmail.com (Doug Drouillard)
Date: Tue, 30 May 2017 13:38:00 -0400
Subject: [keycloak-user] Set up iOS app with Ninja server

I am trying to set up an iOS app that works with a Ninja (JVM/Java 8) server and keycloak. More info on ninja - http://www.ninjaframework.org/

I am using aerogear to get a jwt directly from the keycloak service. I then want to pass the jwt back to my ninja (JVM) back-end service. I know I can validate the token without hitting the keycloak service to some degree, but say I wanted to get the user info or verify the id of the token, and that it has not been revoked, how would I go about contacting the keycloak server? I am not using any sort of special security or signing on my jwt tokens.

Do I use the authz or admin client? Any specific examples to look at? I tried to implement one of the adapters but did not have any luck. I was hoping to set up a simple example like
https://github.com/keycloak/keycloak/blob/master/examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java

Except instead of getting the token using username/password I was hoping to use my jwt that I got from the front-end. Is this supported by the Java clients as is, or do I need to write my own? It seems like this is discouraged in favor of the server side adapters but I am just trying to get started by validating my tokens and was not able to get any of them working with ninja.

Thanks.

From shmuein+keycloak-dev at gmail.com Tue May 30 15:55:53 2017
From: shmuein+keycloak-dev at gmail.com (Muein Muzamil)
Date: Tue, 30 May 2017 14:55:53 -0500
Subject: [keycloak-user] Key Rotation for SAML client

Hi all,

We have a business use case where we'll have a realm with 50+ SAML clients configured and we want to update the SAML key for the realm (either for security reasons or because the certificate got expired). I was reading the following section but it seems mostly focused on OIDC. Can someone please share how KeyCloak handles this for SAML? The important thing to realize is that we cannot expect our customer to update the realm certificate in all 50+ service providers at the same time.

https://keycloak.gitbooks.io/documentation/server_admin/topics/realms/keys.html

Regards,
Muein

From celso.agra at gmail.com Tue May 30 16:37:11 2017
From: celso.agra at gmail.com (Celso Agra)
Date: Tue, 30 May 2017 17:37:11 -0300
Subject: [keycloak-user] How to configure Keycloak Admin Client to only access a specific Realm?

Hi all,

I'm trying to configure keycloak to manage users in a specific realm. Here is my code:

    Keycloak kc = KeycloakBuilder.builder()
            .serverUrl("http://localhost:8080/auth")
            .realm("realm1").username("user")
            .password("secret")
            .clientId("admin-cli")
            .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
            .build();

    RealmResource realmResource = kc.realm("realm1");
    UsersResource userRessource = realmResource.users();
    System.out.println("Count: " + userRessource.count());

When I run this code, I'm getting this error:

    javax.ws.rs.BadRequestException: HTTP 400 Bad Request
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:212)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:189)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:107)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
        at com.sun.proxy.$Proxy32.grantToken(Unknown Source)
        at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
        at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
        at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
        at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
        at com.sun.proxy.$Proxy40.count(Unknown Source)
        at pe.gov.br.ati.service.KeycloakClientService.validateAndInsertUser(KeycloakClientService.java:72)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:408)
        at org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:279)
        at org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:252)
        at org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:177)
        at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
        at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)
        at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
        at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
        at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
        at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
        at org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:62)
        at org.apache.camel.processor.SendProcessor.process(SendProcessor.java:145)
        at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
        at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)
        at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
        at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
        at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
        at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
        at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:109)
        at
        ...

But when I change the realm to "master", such as:

    Keycloak kc = KeycloakBuilder.builder()
            .serverUrl("http://localhost:8080/auth")
            .realm("master").username("admin")
            .password("admin123!")
            .clientId("admin-cli")
            .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
            .build();

    RealmResource realmResource = kc.realm("realm1");
    UsersResource userRessource = realmResource.users();
    System.out.println("Count: " + userRessource.count());

The code works fine.

I'd like to know if the admin user in the master realm is the only way to add users using the keycloak Admin Client. Has anybody else had this same issue?

Best Regards

--
---
Celso Agra

From amaeztu at tesicnor.com Tue May 30 17:40:33 2017
From: amaeztu at tesicnor.com (Amaeztu)
Date: Tue, 30 May 2017 23:40:33 +0200
Subject: [keycloak-user] Severe bug in KC adapter - returns blank 200 when SSL is not used with external setting
In-Reply-To: <0dd4f4c3-5f63-6066-ec11-5e58b3956da3@gmail.com>
References: <0dd4f4c3-5f63-6066-ec11-5e58b3956da3@gmail.com>
Message-ID: <6ajqlcmfdert896jg37p2vsc.1496180433052@email.android.com>

As far as I can see you're configuring SSL on top of your nginx proxy (user can only access keycloak via this proxy). Your internal calls (from proxy to keycloak) aren't meant to be in SSL, so why should you bother with keycloak requiring it?

Sent from my Sony Xperia phone

---- cen wrote ----

>Hello
>
>
>I just managed to replicate this:
>http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
>
>The unfortunate soul did not get a single reply in 2015, hopefully I have better luck. I will try to provide as much info as requested just to get to the bottom of this.
>
>
>Setup:
>
>- KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS, startup config cli:
>
>embed-server --std-out=echo
>batch
>/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
>/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
>/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
>run-batch
>stop-embedded-server
>
>- KC adapter jetty 9.3
>
>- keycloak.json configured via env vars
>
>- kc and api running in separate docker containers on same server
>
>{
> "realm": "${env.KC_REALM}",
> "auth-server-url": "${env.KC_BASE_URL}",
> "ssl-required": "${env.KC_SSL_REQUIRED}",
> "resource": "${env.KC_RESOURCE}",
> "public-client": true
>}
>
>Docker ENV from my API service:
>
>KC_BASE_URL=https://mykeycloak.domain/auth
>KC_RESOURCE=myapp-api
>KC_REALM=myrealm
>KC_SSL_REQUIRED=external
>
>When I call a protected API this is
>logged by adapter:
>
>api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
>api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is required to authenticate. Remote address is secure: false, SSL required for: EXTERNAL .
>
>
>Why does it try to connect via IP and not over https? I clearly specified KC_BASE_URL as HTTPS. And why is the REST call logged as http even though I call it via https? I also parsed the access token and the issuer is from https, no trace of any IPs or http anywhere.
>
>And now the worst thing: when this WARN happens, the adapter returns a blank 200! You'd expect at least an internal server error or something along those lines. I lost 9 hours today blaming everything from nginx to my REST API just to finally come down to this.
>
>
>Setting SSL config to none in the admin panel and in the adapter env makes the whole thing work. But this is clearly not the solution.
>
>
>Hopefully some expert can shed some light on this.
>
>
>Best regards, cen
>

From imbacen at gmail.com Tue May 30 17:51:08 2017
From: imbacen at gmail.com (cen)
Date: Tue, 30 May 2017 23:51:08 +0200
Subject: [keycloak-user] Severe bug in KC adapter - returns blank 200 when SSL is not used with external setting
In-Reply-To: <6ajqlcmfdert896jg37p2vsc.1496180433052@email.android.com>
References: <0dd4f4c3-5f63-6066-ec11-5e58b3956da3@gmail.com> <6ajqlcmfdert896jg37p2vsc.1496180433052@email.android.com>
Message-ID: <0b741e9b-ce81-091a-b440-85d24fa55de6@gmail.com>

As far as I know, when Keycloak is running in Docker, "external" means anything coming from outside of the container, so even if traffic from nginx to Keycloak is technically local, Keycloak does not see it that way. Google apparently uses SSL even inside their datacenter and I think it is a valid use, that is why require ssl=all exists in Keycloak I guess.

The bigger point of mine is that there is a bug somewhere in the Keycloak adapter that just silently fails and returns an empty HTTP 200, which doesn't make any sense at all. The only theory so far that I have is that the adapter somehow figures out that the domain points to the Docker host and elects to go the direct IP route instead of through nginx.

On 30. 05. 2017 at 23:40, Amaeztu wrote:
>
> As far as I can see you're configuring SSL on top of your nginx proxy (user can only access keycloak via this proxy).
>
> Your internal calls (from proxy to keycloak) aren't meant to be in SSL, so why should you bother with keycloak requiring it?
>
> Sent from my Sony Xperia phone
>
>
>
> ---- cen wrote ----
>
> Hello
>
>
> I just managed to replicate this:
> http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
>
> The unfortunate soul did not get a single reply in 2015, hopefully I have better luck. I will try to provide as much info as requested just to get to the bottom of this.
>
>
> Setup:
>
> - KC 3.0.0-Final behind nginx reverse proxy protected by HTTPS, startup config cli:
>
> embed-server --std-out=echo
> batch
> /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)
> /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
> /socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
> run-batch
> stop-embedded-server
>
> - KC adapter jetty 9.3
>
> - keycloak.json configured via env vars
>
> - kc and api running in separate docker containers on same server
>
> {
>   "realm": "${env.KC_REALM}",
>   "auth-server-url": "${env.KC_BASE_URL}",
>   "ssl-required": "${env.KC_SSL_REQUIRED}",
>   "resource": "${env.KC_RESOURCE}",
>   "public-client": true
> }
>
> Docker ENV from my API service:
>
> KC_BASE_URL=https://mykeycloak.domain/auth
> KC_RESOURCE=myapp-api
> KC_REALM=myrealm
> KC_SSL_REQUIRED=external
>
> When I call a protected API this is logged by adapter:
>
> api | 2017-05-30 17:07:41 DEBUG PreAuthActionsHandler:78 - adminRequest http://mydomain.domain/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
> api | 2017-05-30 17:07:41 WARN RequestAuthenticator:164 - SSL is required to authenticate. Remote address is secure: false, SSL required for: EXTERNAL .
>
>
> Why does it try to connect via IP and not over https? I clearly specified KC_BASE_URL as HTTPS. And why is the REST call logged as http even though I call it via https? I also parsed the access token and the issuer is from https, no trace of any IPs or http anywhere.
>
> And now the worst thing: when this WARN happens, the adapter returns a blank 200! You'd expect at least an internal server error or something along those lines. I lost 9 hours today blaming everything from nginx to my REST API just to finally come down to this.
>
>
> Setting SSL config to none in the admin panel and in the adapter env makes the whole thing work.
> But this is clearly not the solution.
>
>
> Hopefully some expert can shed some light on this.
>
>
> Best regards, cen
>

From celso.agra at gmail.com Tue May 30 18:01:19 2017
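As an added example (not Keycloak's or the poster's code), here is how an embedded Jetty 9 application sitting behind a TLS-terminating reverse proxy can make request.isSecure() and request.getRemoteAddr() reflect the client's HTTPS connection to the proxy rather than the plain-HTTP hop from the proxy, which are the two values the adapter's "SSL is required ... Remote address ... is secure" warning prints. It addresses that warning, not the empty 200 response cen reports; the class names, the port and the nginx directives in the comments are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

/**
 * Added example, not Keycloak's or the poster's code. An embedded Jetty 9
 * server that honours X-Forwarded-Proto / X-Forwarded-For from a reverse
 * proxy that terminates TLS, so the servlet request is marked secure and
 * carries the real client address instead of the proxy's.
 */
public class ForwardedProtoServer {

    /** Echoes what a servlet filter such as the Keycloak adapter observes. */
    static class SecureCheckHandler extends AbstractHandler {
        @Override
        public void handle(String target, Request baseRequest,
                           HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            response.setContentType("text/plain");
            response.getWriter().printf("scheme=%s secure=%s remoteAddr=%s%n",
                    request.getScheme(), request.isSecure(), request.getRemoteAddr());
            baseRequest.setHandled(true);
        }
    }

    /** Builds a plain-HTTP connector that trusts the proxy's forwarding headers. */
    public static Server build(int port) {
        Server server = new Server();
        HttpConfiguration httpConfig = new HttpConfiguration();
        // ForwardedRequestCustomizer sets the scheme from X-Forwarded-Proto and
        // marks the request secure when that scheme is "https"; X-Forwarded-For
        // becomes the remote address. Enable it only on a port that nothing but
        // the proxy can reach: a client that can hit this connector directly
        // could otherwise supply the headers itself.
        httpConfig.addCustomizer(new ForwardedRequestCustomizer());
        ServerConnector http = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        http.setPort(port);
        server.addConnector(http);
        server.setHandler(new SecureCheckHandler());
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Assumed nginx counterpart for the location that proxies to this port:
        //   proxy_set_header X-Forwarded-Proto $scheme;
        //   proxy_set_header X-Forwarded-For   $remote_addr;
        Server server = build(8080); // port is an assumption
        server.start();
        server.join();
    }
}
```

A request that arrives with X-Forwarded-Proto: https is echoed with secure=true; the same request without the customizer registered stays secure=false, which is the state the adapter warns about.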
From: celso.agra at gmail.com (Celso Agra)
Date: Tue, 30 May 2017 19:01:19 -0300
Subject: [keycloak-user] How to configure Keycloak Admin Client to only access a specific Realm?

Solved!

I need to create a user in the master realm with these configurations.

Go to Users >> adminRealm. In the Role Mappings tab, choose "realm1-realm" in the Client Roles and assign these roles: manage-users, view-clients, view-realm and view-users.

Then I just configure my code with the realm set to "master", such as:

    import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;
    import org.keycloak.admin.client.resource.RealmResource;
    import org.keycloak.admin.client.resource.UsersResource;

    // Log in against the master realm with the user that holds the realm1-realm client roles
    Keycloak kc = KeycloakBuilder.builder()
            .serverUrl("http://localhost:8080/auth")
            .realm("master").username("adminRealm")
            .password("adminRealm123!")
            .clientId("admin-cli")
            .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
            .build();

    // The admin API call itself is addressed to the target realm
    RealmResource realmResource = kc.realm("realm1");
    UsersResource userRessource = realmResource.users();
    System.out.println("Count: " + userRessource.count());

This code works fine, for now!

2017-05-30 17:37 GMT-03:00 Celso Agra:

> Hi all,
>
> I'm trying to configure keycloak to manage users in a specific realm.
> Here is my code:
>
>     Keycloak kc = KeycloakBuilder.builder()
>             .serverUrl("http://localhost:8080/auth")
>             .realm("realm1").username("user")
>             .password("secret")
>             .clientId("admin-cli")
>             .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
>             .build();
>
>     RealmResource realmResource = kc.realm("realm1");
>     UsersResource userRessource = realmResource.users();
>     System.out.println("Count: " + userRessource.count());
>
> When I run this code, I'm getting this error:
>
>     javax.ws.rs.BadRequestException: HTTP 400 Bad Request
>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:212)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:189)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:107)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>         at com.sun.proxy.$Proxy32.grantToken(Unknown Source)
>         at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
>         at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
>         at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
>         at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>         at com.sun.proxy.$Proxy40.count(Unknown Source)
>         at pe.gov.br.ati.service.KeycloakClientService.validateAndInsertUser(KeycloakClientService.java:72)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>         at java.lang.reflect.Method.invoke(Unknown Source)
>         at org.apache.camel.component.bean.MethodInfo.invoke(MethodInfo.java:408)
>         at org.apache.camel.component.bean.MethodInfo$1.doProceed(MethodInfo.java:279)
>         at org.apache.camel.component.bean.MethodInfo$1.proceed(MethodInfo.java:252)
>         at org.apache.camel.component.bean.BeanProcessor.process(BeanProcessor.java:177)
>         at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
>         at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)
>         at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>         at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
>         at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
>         at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>         at org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:62)
>         at org.apache.camel.processor.SendProcessor.process(SendProcessor.java:145)
>         at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
>         at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:468)
>         at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>         at org.apache.camel.processor.Pipeline.process(Pipeline.java:121)
>         at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
>         at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:196)
>         at org.apache.camel.util.AsyncProcessorHelper.process(AsyncProcessorHelper.java:109)
>         at
>         ...
>
> But when I change the realm to "master", such as:
>
>     Keycloak kc = KeycloakBuilder.builder()
>             .serverUrl("http://localhost:8080/auth")
>             .realm("master").username("admin")
>             .password("admin123!")
>             .clientId("admin-cli")
>             .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
>             .build();
>
>     RealmResource realmResource = kc.realm("realm1");
>     UsersResource userRessource = realmResource.users();
>     System.out.println("Count: " + userRessource.count());
>
> the code works fine.
>
> I'd like to know if the admin user in the master realm is the only way to add users using the Keycloak Admin Client.
>
> Has anybody had this same issue?
>
> Best Regards
>
> --
> ---
> Celso Agra

--
---
Celso Agra
From: chexxor at gmail.com (Alex Berg)
Date: Tue, 30 May 2017 21:59:24 -0500
Subject: [keycloak-user] How to configure Keycloak Admin Client to only access a specific Realm?

You need to give the user the "realm-admin" role. Read the admin API docs a little closer - it's mentioned in there.

I use the "client_credentials" method, so I give that role to the client itself.

On May 30, 2017 20:40, "Celso Agra" wrote:

> Hi all,
>
> I'm trying to configure keycloak to manage users in a specific realm.
> [...]
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 31 May 2017 08:28:38 +0200
Subject: [keycloak-user] Severe bug in KC adapter - returns blank 200 when SSL is not used with external setting
In-Reply-To: <0dd4f4c3-5f63-6066-ec11-5e58b3956da3@gmail.com>
References: <0dd4f4c3-5f63-6066-ec11-5e58b3956da3@gmail.com>

The problem is probably down to HttpServletRequest#getRequestURL() not returning the correct URL for the application itself. It looks like you've configured this correctly on the Keycloak server side, but you also need to configure Jetty (I presume?) to do the same when it's behind a reverse proxy. I've got no idea how you'd do that in Jetty, but I'm sure Google will reveal the answer to you.

On 30 May 2017 at 17:37, cen wrote:

> Hello
>
> I just managed to replicate this:
> http://lists.jboss.org/pipermail/keycloak-user/2015-June/002300.html
>
> The unfortunate soul did not get a single reply in 2015, hopefully I have better luck. I will try to provide as much info as requested just to get to the bottom of this.
> [...]

From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Wed, 31 May 2017 08:53:38 +0000
Subject: [keycloak-user] Securing Angular + REST based app using keycloak OIDC
Message-ID: <1496220817912.9074@pharmapartners.nl>

Hi Pulkit,

Authentication happens on the front-end and the given bearer token is used for the bearer-only client to obtain protected resources. Implicit flow is just another way to obtain an access (bearer) token from Keycloak. I'm using the JS adapter and it works for both flows and does not affect the way your REST services work (including token validation).

I believe you should be good to go once you've got your front-end Keycloak configuration set up correctly.

________________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Pulkit Gupta
Sent: 30 May 2017 11:23
To: keycloak-user
Subject: [keycloak-user] Securing Angular + REST based app using keycloak OIDC

Hi All,

We are looking to integrate an application with Keycloak. It is an Angular + REST application in which the REST services are developed in Java and are running on EAP 6.

From my reading I can figure out that we should secure both the front end and the back end separately. The Angular front-end can be secured using the JavaScript adapter, which will check if a user has an access token and, if not, redirect them to Keycloak. Once the user acquires an access token, it sends the same token to the REST services. We can configure the REST service as a bearer-only client, which will check the validity of the token against Keycloak and return the business data. We can use the EAP 6 OIDC Java adapter for Keycloak to secure the REST part.

However, there is one limitation: our setup only supports implicit flow. I am sure that with implicit flow we can achieve the Angular side of the authentication. However, I am not sure if we can make use of the Java OIDC adapter to actually validate and secure our REST APIs.

Can you please guide me on whether this is achievable with implicit flow.

Regards,
Pulkit
From: imbacen at gmail.com (cen)
Date: Wed, 31 May 2017 12:03:44 +0200
Subject: [keycloak-user] Severe bug in KC adapter - returns blank 200 when SSL is not used with external setting
References: <0dd4f4c3-5f63-6066-ec11-5e58b3956da3@gmail.com>

I think you are on to something. I added a ForwardedRequestCustomizer to the Jetty config and now HttpServletRequest correctly recognises the scheme as https.

    2017-05-31 11:55:20 DEBUG PreAuthActionsHandler:78 - adminRequest https://localhost:8080/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5
    2017-05-31 11:55:20 DEBUG RequestAuthenticator:238 - User '4004dee5-6df2-4a26-89d5-6d68c1715737' invoking 'https://localhost:8080/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5' on client 'my-api'
    2017-05-31 11:55:20 DEBUG RequestAuthenticator:76 - Bearer AUTHENTICATED
    2017-05-31 11:55:20 DEBUG AuthenticatedActionsHandler:53 - AuthenticatedActionsValve.invoke https://localhost:8080/v1/tenants/B2BBD0F4-0E09-4877-8311-6A7591D22EF5

Still need to test on the main server, but I think this should solve it. This leaves the adapter returning HTTP 200, which is probably a bug.

Thanks for the tip,
cen

Stian Thorgersen wrote on 31. 05. 2017 at 08:28:

> The problem is probably down to HttpServletRequest#getRequestURL() not returning the correct URL for the application itself. It looks like you've configured this correctly on the Keycloak server side, but you also need to configure Jetty (I presume?) to do the same when it's behind a reverse proxy. I've got no idea how you'd do that in Jetty, but I'm sure Google will reveal the answer to you.
>
> On 30 May 2017 at 17:37, cen wrote:
> > [...]

From: pulgupta at redhat.com (Pulkit Gupta)
Date: Wed, 31 May 2017 17:44:49 +0530
Subject: [keycloak-user] How does a bearer only client validate

Hi All,

I have two Keycloak clients: one is a public client using implicit flow and authenticating the user via a redirect, and once the user is authenticated the client receives a token. This token is then passed to a REST-based backend service, which validates it before providing access to the API data.

I am looking for more information on how a bearer-only client validates the token which it receives from the JavaScript-based public client. I will also be interested to understand more about the relationship of these two clients based on scope to make this setup work.

--
PULKIT

From: raqueljudezb at gmail.com (Raquel Júdez Bello)
Date: Wed, 31 May 2017 14:23:59 +0200
Subject: [keycloak-user] Implementing Keycloak on Android

Hi everyone,

I am having trouble finding libraries to implement a Keycloak client for Android. So far, I have found AppAuth and AeroGear on keycloak.org, but I am not convinced about their simplicity.

Has anyone implemented a simple client for Android?

Thank you very much.

--
Raquel Júdez.
From: bburke at redhat.com (Bill Burke)
Date: Wed, 31 May 2017 12:47:52 -0400
Subject: [keycloak-user] Implementing Keycloak on Android
Message-ID: <4eb45b0a-123d-9c13-c620-3717c8ed2fbb@redhat.com>

You could just use direct grants. It's just a simple HTTP invocation to obtain a token.

On 5/31/17 8:23 AM, Raquel Júdez Bello wrote:

> Hi everyone,
> I am having trouble finding libraries to implement a Keycloak client for Android.
> [...]

From: Gregoire.Jeanmart at ai-london.com (Gregoire Jeanmart)
Date: Wed, 31 May 2017 17:36:57 +0000
Subject: [keycloak-user] Browser tries to store the username "This is not a login form" after updating a temporary password
Message-ID: <1af2efd1ce9642878b44ab190eb47e42@EXCHANGE.airas.lan>

Hello,

One of my users raised an issue after he was asked to change his password [action: Update password]. The browser asked him to store a username/password pair equal to "This is not a login form" / %new password% [see screenshot https://i.stack.imgur.com/c6dsi.png]. This behaviour isn't accepted by my users as it is very unusual and not user friendly. Is there a way to fix this issue?

Information:
- Version: Keycloak 2.4.0-FINAL and Keycloak 3.1.0-FINAL
- Browser: Google Chrome and Mozilla Firefox
- Similar issue: https://stackoverflow.com/questions/43062703/this-is-not-a-login-form-is-being-stored-when-updating-a-password-in-keycloak

Thanks in advance.

Gregoire Jeanmart
From: cbenninger at phemi.com (Chris Benninger)
Date: Wed, 31 May 2017 10:48:19 -0700
Subject: [keycloak-user] How does a bearer only client validate

Keycloak has a keypair. Clients that trust that Keycloak instance are given the public key. Keycloak uses the private key to sign the tokens it generates. The way JWT works is that you can validate that tokens were signed by a private key as long as you have the corresponding public key. Therefore any JWT tokens that a trusted service generates can be validated using only its public key.

The Keycloak libs on the REST backend service talk to Keycloak once (when the first request comes in) and pull down the public key they need to validate the tokens. For all further requests it then uses this public key to verify the signature, and if it is valid, the timestamp is valid and a few other fields are valid, the token facts will be extracted and provided to whatever enforcement mechanism you are using.

https://jwt.io/introduction/

On Wed, May 31, 2017 at 5:14 AM, Pulkit Gupta wrote:

> Hi All,
>
> I have two keycloak client one is a public client using implicit flow and
> [...]
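The check Chris describes, as an added example that is not from the original post and not Keycloak's adapter code: a stand-alone Go program (standard library only) in which SignRS256 stands in for Keycloak issuing a token under the realm's private key, and VerifyRS256 for the bearer-only service, which holds only the public key and checks the signature before it trusts issuer, audience or expiry. The function names, the issuer URL and the audience "my-api" are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset a bearer-only service checks once the signature is good.
type Claims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"` // Keycloak may also emit an array here; a string keeps this short
	ExpiresAt int64  `json:"exp"`
}

var enc = base64.RawURLEncoding // JWT uses unpadded base64url

// NewKeyPair generates an RSA key pair; in a real deployment this is the realm's key.
func NewKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SignRS256 plays the role of Keycloak: it issues a token under the realm's private key.
func SignRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyRS256 plays the role of the bearer-only adapter: it needs only the realm's public key.
// Order matters: pin the algorithm, check the signature, and only then read the claims.
func VerifyRS256(token string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var err error
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		if raw[i], err = enc.DecodeString(p); err != nil {
			return nil, errors.New("bad base64url")
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	// The verifier decides the algorithm, never the token ("none"/HS256 confusion).
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err = json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Issuer != issuer:
		return nil, errors.New("wrong issuer")
	case c.Audience != audience:
		return nil, errors.New("token not meant for this service")
	case !now.Before(time.Unix(c.ExpiresAt, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	realmKey, otherKey := NewKeyPair(), NewKeyPair() // the realm key, and one the service was never given
	now := time.Now()
	c := Claims{Issuer: "https://kc.example/auth/realms/myrealm", Subject: "alice",
		Audience: "my-api", ExpiresAt: now.Add(5 * time.Minute).Unix()}
	tok, _ := SignRS256(realmKey, c)
	_, err := VerifyRS256(tok, &realmKey.PublicKey, c.Issuer, "my-api", now)
	fmt.Println("realm key:", err) // <nil>
	_, err = VerifyRS256(tok, &otherKey.PublicKey, c.Issuer, "my-api", now)
	fmt.Println("other key:", err) // bad signature
}
```

The same function rejects a token whose payload was edited after signing, one addressed to another audience, and one past its exp, which is the "timestamp and a few other fields" part of the check.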
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 31 May 2017 21:11:03 +0200
Subject: [keycloak-user] Implementing Keycloak on Android

Hi Raquel,

have a look at this:
http://lists.jboss.org/pipermail/keycloak-user/2016-May/006080.html

Cheers,
Thomas

2017-05-31 14:23 GMT+02:00 Raquel Júdez Bello:

> Hi everyone,
> I am having trouble finding libraries to implement a Keycloak client for Android.
> [...]
From: machrist at iu.edu (Christie, Marcus Aaron)
Date: Wed, 31 May 2017 19:19:20 +0000
Subject: [keycloak-user] Questions about OpenID Connect Identity Provider
Message-ID: <7641026E-F94F-4A63-9224-C613D56B899A@iu.edu>

Hello,

I have two questions about Identity Provider configuration in Keycloak.

1) I would like to add an Identity Provider and then have this be the only option available to the user for authentication. Is there a way to disable the username/password authentication and not show it on the login screen?

2) Is there a way to redirect to Keycloak and have it immediately redirect to an Identity Provider? As an example, let's say I have two Identity Providers, Google and Facebook. In my web application I know that the user wants to log in via Google, so I want to redirect to Keycloak and tell Keycloak to select the Google Identity Provider and redirect to it immediately. Maybe something like my web application redirects to Keycloak like so:

    https://mykeycloak.org/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=...&redirect_uri=...&scope=openid&selected_identity_provider=google

and then mykeycloak.org immediately redirects to Google. For the user, they don't see the Keycloak page.

Is there any functionality like this in Keycloak?

Thanks,

Marcus
From: marcin.miklasz at gmail.com (mmiklasz)
Date: Wed, 31 May 2017 13:42:18 -0700 (MST)
Subject: [keycloak-user] IdP initiated SSO with Keycloak
In-Reply-To: <1496243590226-3935.post@n6.nabble.com>
References: <1496243590226-3935.post@n6.nabble.com>
Message-ID: <1496263338417-3936.post@n6.nabble.com>

I will try to link to this post. My configuration, I believe, is following the documentation but is not working exactly as expected. I can verify that the broker created the user from the SAML response it received from the IdP, but it then redirects and ends with a NULL login action:

    No webpage was found for the web address: https:///auth/realms//login-actions/null
    HTTP ERROR 404

Could you advise what could possibly trigger this?

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-IdP-initiated-SSO-with-Keycloak-tp3306p3936.html
Sent from the keycloak-user mailing list archive at Nabble.com.
From: marcin.miklasz at gmail.com (Marcin Miklasz)
Date: Wed, 31 May 2017 22:54:06 +0200
Subject: [keycloak-user] IdP Initiated Login Redirects To Required Actions NULL

The problem seems to be triggered in AuthenticationProcessor.redirectToRequiredActions(). There is the following comment in the code:

    public static Response redirectToRequiredActions(KeycloakSession session, RealmModel realm, ClientSessionModel clientSession, UriInfo uriInfo) {
        // redirect to non-action url so browser refresh button works without reposting past data

but with IdP-initiated login to the broker, the browser response is:

    No webpage was found for the web address: https:///auth/realms//login-actions/null
    HTTP ERROR 404

Please advise what is causing this issue. Using Keycloak version 2.5.1 configured as below:

1. SAML client with IDP Initiated SSO URL specified in the Keycloak Broker instance
2. SAML Identity Provider setup: First Login Flow: First Broker Login, Post Login Flow: Blank
3. Keycloak Broker metadata configured in the external IdP
4. External IdP-initiated login results in the user being created correctly in the broker, and the SAML attribute mappers work, but the post-broker-login redirect completes with
5. No webpage was found for the web address: https:///auth/realms//login-actions/null HTTP ERROR 404
From: amaeztu at tesicnor.com (Amaeztu)
Date: Wed, 31 May 2017 23:01:21 +0200
Subject: [keycloak-user] Implementing Keycloak on Android
Message-ID: <267f6aqeml7kh3rm4trsfnck.1496264049036@email.android.com>

Hello Raquel,

I handle the flow myself. Essentially what I do:

1. For every single request to be performed to a secured resource, check for the access token stored in shared preferences. If there's no access token, open the web view for the Keycloak login. Otherwise, if the access token is about to expire, try to refresh it. If it can't be refreshed, launch the web view with the login.

2. The login web view goes back to the application with a code when the login process is performed. You need to use this code from the app to retrieve the access token and store it in shared preferences.

3. You need to include the access token in every request, in the Authorization header. There are several ways to do it with no code duplication. I personally use Spring's Android RestTemplate and its interceptors.

Sent from my Sony Xperia™ phone

---- Raquel Júdez Bello wrote ----

> Hi everyone,
> I am having trouble finding libraries to implement a Keycloak client for Android.
> [...]
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 1 Jun 2017 02:13:46 +0200
Subject: [keycloak-user] Questions about OpenID Connect Identity Provider
In-Reply-To: <7641026E-F94F-4A63-9224-C613D56B899A@iu.edu>
References: <7641026E-F94F-4A63-9224-C613D56B899A@iu.edu>
Message-ID:

Hello Christie,

I think for 2) "Client Suggested Identity Provider" is what you are looking for
https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-broker/suggested.html

Cheers,
Thomas

2017-05-31 21:19 GMT+02:00 Christie, Marcus Aaron:
> Hello,
>
> I have two questions about Identity Provider configuration in Keycloak.
>
> 1) I would like to add an Identity Provider and then have this be the only
> option available to the user for authentication. Is there a way to disable
> the username/password authentication and not show it on the login screen?
>
> 2) Is there a way to redirect to Keycloak and have it immediately redirect
> to an Identity Provider? As an example, let's say I have two Identity
> Providers, Google and Facebook. In my web application I know that the user
> wants to log in via Google so I want to redirect to Keycloak and tell
> Keycloak to select the Google Identity Provider and redirect to it
> immediately. Maybe something like my web application redirects to keycloak
> like so:
>
> https://mykeycloak.org/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=...&redirect_uri=...&scope=openid&selected_identity_provider=google
>
> and then mykeycloak.org immediately redirects to
> Google. For the user they don't see the Keycloak page.
>
> Is there any functionality like this in Keycloak?
>
>
> Thanks,
>
> Marcus
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From manwoodvice at gmail.com Wed May 31 21:31:14 2017
From: manwoodvice at gmail.com (mark)
Date: Thu, 1 Jun 2017 09:31:14 +0800
Subject: [keycloak-user] How to assign a role at registration?
Message-ID:

I have a number of client roles - how can I programmatically set/assign a particular role when a user registers with Keycloak?

From machrist at iu.edu Wed May 31 21:51:42 2017
From: machrist at iu.edu (Christie, Marcus Aaron)
Date: Thu, 1 Jun 2017 01:51:42 +0000
Subject: [keycloak-user] Questions about OpenID Connect Identity Provider
In-Reply-To:
References: <7641026E-F94F-4A63-9224-C613D56B899A@iu.edu>
Message-ID: <90A25334-43B8-4812-93AD-6F70F43FDEAD@iu.edu>

Thomas,

Thanks! That looks exactly like what I'm looking for for #2.

On May 31, 2017, at 8:13 PM, Thomas Darimont wrote:

Hello Christie,

I think for 2) "Client Suggested Identity Provider" is what you are looking for
https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-broker/suggested.html

Cheers,
Thomas

2017-05-31 21:19 GMT+02:00 Christie, Marcus Aaron:

Hello,

I have two questions about Identity Provider configuration in Keycloak.

1) I would like to add an Identity Provider and then have this be the only option available to the user for authentication. Is there a way to disable the username/password authentication and not show it on the login screen?

2) Is there a way to redirect to Keycloak and have it immediately redirect to an Identity Provider? As an example, let's say I have two Identity Providers, Google and Facebook. In my web application I know that the user wants to log in via Google so I want to redirect to Keycloak and tell Keycloak to select the Google Identity Provider and redirect to it immediately. Maybe something like my web application redirects to keycloak like so:

https://mykeycloak.org/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=...&redirect_uri=...&scope=openid&selected_identity_provider=google

and then mykeycloak.org immediately redirects to Google. For the user they don't see the Keycloak page.

Is there any functionality like this in Keycloak?

Thanks,

Marcus

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
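The redirect Marcus sketches in this thread, as an added Java example that is not from the thread or from Keycloak. It shows the documented form of the request: the parameter Keycloak's "Client Suggested Identity Provider" feature reads is `kc_idp_hint` (its value is the alias of the identity provider configured in the realm), not the `selected_identity_provider` name guessed above. The example also generates a `state` value and checks it on the callback, which any app issuing this redirect should do regardless of the hint. The base URL is the `mykeycloak.org` placeholder from the thread; the client id, redirect URI and the `google` alias are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class IdpHintLogin {
    // Placeholders taken from or assumed for this thread; substitute your own realm and client.
    private static final String AUTH_ENDPOINT =
        "https://mykeycloak.org/auth/realms/myrealm/protocol/openid-connect/auth";
    private static final String CLIENT_ID = "my-web-app";
    private static final String REDIRECT_URI = "https://app.example.test/callback";
    private static final SecureRandom RNG = new SecureRandom();

    /** Unguessable single-use value; store it in the user's session before redirecting. */
    public static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Builds the authorization request; kc_idp_hint makes Keycloak skip its login page
     *  and forward the browser straight to the named identity provider. */
    public static String authorizationUrl(String idpAlias, String state, String nonce) {
        Map<String, String> q = new LinkedHashMap<>();
        q.put("response_type", "code");
        q.put("client_id", CLIENT_ID);
        q.put("redirect_uri", REDIRECT_URI);
        q.put("scope", "openid");
        q.put("state", state);
        q.put("nonce", nonce);
        q.put("kc_idp_hint", idpAlias);
        StringBuilder url = new StringBuilder(AUTH_ENDPOINT);
        char sep = '?';
        for (Map.Entry<String, String> e : q.entrySet()) {
            url.append(sep).append(enc(e.getKey())).append('=').append(enc(e.getValue()));
            sep = '&';
        }
        return url.toString();
    }

    /** On the callback, accept the code only if the returned state is the one this session issued. */
    public static boolean stateMatches(String issued, String received) {
        if (issued == null || received == null) return false;
        // Constant-time comparison so the check leaks nothing about the stored value.
        return MessageDigest.isEqual(issued.getBytes(StandardCharsets.UTF_8),
                                     received.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    public static void main(String[] args) {
        String state = randomToken();
        String nonce = randomToken();
        System.out.println(authorizationUrl("google", state, nonce));
        // Simulated callback: the same state comes back, a different one is rejected.
        System.out.println(stateMatches(state, state) + " " + stateMatches(state, randomToken()));
    }
}
```

The `nonce` is bound the same way as `state` but is checked against the `nonce` claim of the returned ID token rather than against the callback query; keeping both in the session lets the application tie the code it receives to the redirect it actually issued.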